2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* xfrm6_policy.c: based on xfrm4_policy.c
|
|
|
|
|
*
|
|
|
|
|
* Authors:
|
|
|
|
|
* Mitsuru KANDA @USAGI
|
|
|
|
|
* Kazunori MIYAZAWA @USAGI
|
|
|
|
|
* Kunihiro Ishiguro <kunihiro@ipinfusion.com>
|
|
|
|
|
* IPv6 support
|
|
|
|
|
* YOSHIFUJI Hideaki
|
|
|
|
|
* Split up af-specific portion
|
2007-02-09 14:24:49 +00:00
|
|
|
*
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
|
|
|
|
|
2007-11-14 05:37:28 +00:00
|
|
|
#include <linux/err.h>
|
|
|
|
|
#include <linux/kernel.h>
|
2005-05-03 23:27:10 +00:00
|
|
|
#include <linux/netdevice.h>
|
|
|
|
|
#include <net/addrconf.h>
|
2007-11-14 05:35:32 +00:00
|
|
|
#include <net/dst.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <net/xfrm.h>
|
|
|
|
|
#include <net/ip.h>
|
|
|
|
|
#include <net/ipv6.h>
|
|
|
|
|
#include <net/ip6_route.h>
|
2012-10-29 16:23:10 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
2006-08-24 03:39:03 +00:00
|
|
|
#include <net/mip6.h>
|
|
|
|
|
#endif
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
static struct xfrm_policy_afinfo xfrm6_policy_afinfo;
|
|
|
|
|
|
2008-11-26 01:51:25 +00:00
|
|
|
static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos,
|
2011-02-24 05:14:45 +00:00
|
|
|
const xfrm_address_t *saddr,
|
BACKPORT: net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
[backport of upstream 077fbac405bfc6d41419ad6c1725804ad4e9887c]
Bug: 63589535
Test: https://android-review.googlesource.com/452776/ passes
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Change-Id: I76120fba036e21780ced31ad390faf491ea81e52
2017-08-10 17:11:33 +00:00
|
|
|
const xfrm_address_t *daddr,
|
|
|
|
|
u32 mark)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2011-03-12 07:42:11 +00:00
|
|
|
struct flowi6 fl6;
|
2007-11-14 05:37:28 +00:00
|
|
|
struct dst_entry *dst;
|
|
|
|
|
int err;
|
|
|
|
|
|
2011-03-12 07:42:11 +00:00
|
|
|
memset(&fl6, 0, sizeof(fl6));
|
BACKPORT: net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
[backport of upstream 077fbac405bfc6d41419ad6c1725804ad4e9887c]
Bug: 63589535
Test: https://android-review.googlesource.com/452776/ passes
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Change-Id: I76120fba036e21780ced31ad390faf491ea81e52
2017-08-10 17:11:33 +00:00
|
|
|
fl6.flowi6_mark = mark;
|
2011-03-12 07:42:11 +00:00
|
|
|
memcpy(&fl6.daddr, daddr, sizeof(fl6.daddr));
|
2007-11-14 05:37:28 +00:00
|
|
|
if (saddr)
|
2011-03-12 07:42:11 +00:00
|
|
|
memcpy(&fl6.saddr, saddr, sizeof(fl6.saddr));
|
2007-11-14 05:37:28 +00:00
|
|
|
|
2011-03-12 21:22:43 +00:00
|
|
|
dst = ip6_route_output(net, NULL, &fl6);
|
2007-11-14 05:37:28 +00:00
|
|
|
|
|
|
|
|
err = dst->error;
|
|
|
|
|
if (dst->error) {
|
2006-10-17 05:10:05 +00:00
|
|
|
dst_release(dst);
|
2007-11-14 05:37:28 +00:00
|
|
|
dst = ERR_PTR(err);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return dst;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2008-11-26 01:56:49 +00:00
|
|
|
static int xfrm6_get_saddr(struct net *net,
|
BACKPORT: net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
[backport of upstream 077fbac405bfc6d41419ad6c1725804ad4e9887c]
Bug: 63589535
Test: https://android-review.googlesource.com/452776/ passes
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Change-Id: I76120fba036e21780ced31ad390faf491ea81e52
2017-08-10 17:11:33 +00:00
|
|
|
xfrm_address_t *saddr, xfrm_address_t *daddr,
|
|
|
|
|
u32 mark)
|
2006-09-19 19:57:34 +00:00
|
|
|
{
|
2007-11-14 05:37:28 +00:00
|
|
|
struct dst_entry *dst;
|
2008-08-14 22:33:21 +00:00
|
|
|
struct net_device *dev;
|
2007-11-14 05:37:28 +00:00
|
|
|
|
BACKPORT: net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
[backport of upstream 077fbac405bfc6d41419ad6c1725804ad4e9887c]
Bug: 63589535
Test: https://android-review.googlesource.com/452776/ passes
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Change-Id: I76120fba036e21780ced31ad390faf491ea81e52
2017-08-10 17:11:33 +00:00
|
|
|
dst = xfrm6_dst_lookup(net, 0, NULL, daddr, mark);
|
2007-11-14 05:37:28 +00:00
|
|
|
if (IS_ERR(dst))
|
|
|
|
|
return -EHOSTUNREACH;
|
|
|
|
|
|
2008-08-14 22:33:21 +00:00
|
|
|
dev = ip6_dst_idev(dst)->dev;
|
|
|
|
|
ipv6_dev_get_saddr(dev_net(dev), dev,
|
2008-03-25 00:37:42 +00:00
|
|
|
(struct in6_addr *)&daddr->a6, 0,
|
2008-03-03 12:44:34 +00:00
|
|
|
(struct in6_addr *)&saddr->a6);
|
2007-11-14 05:37:28 +00:00
|
|
|
dst_release(dst);
|
|
|
|
|
return 0;
|
2006-09-19 19:57:34 +00:00
|
|
|
}
|
|
|
|
|
|
2011-02-23 01:47:10 +00:00
|
|
|
static int xfrm6_get_tos(const struct flowi *fl)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-12-11 17:32:34 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2012-08-20 09:56:56 +00:00
|
|
|
static void xfrm6_init_dst(struct net *net, struct xfrm_dst *xdst)
|
|
|
|
|
{
|
|
|
|
|
struct rt6_info *rt = (struct rt6_info *)xdst;
|
|
|
|
|
|
|
|
|
|
rt6_init_peer(rt, net->ipv6.peers);
|
|
|
|
|
}
|
|
|
|
|
|
2007-12-21 04:41:12 +00:00
|
|
|
static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst,
|
|
|
|
|
int nfheader_len)
|
|
|
|
|
{
|
|
|
|
|
if (dst->ops->family == AF_INET6) {
|
|
|
|
|
struct rt6_info *rt = (struct rt6_info*)dst;
|
2015-05-23 03:56:01 +00:00
|
|
|
path->path_cookie = rt6_get_cookie(rt);
|
2007-12-21 04:41:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
path->u.rt6.rt6i_nfheader_len = nfheader_len;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-03-02 02:51:56 +00:00
|
|
|
static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
|
2011-02-23 01:48:57 +00:00
|
|
|
const struct flowi *fl)
|
2007-12-11 17:32:34 +00:00
|
|
|
{
|
|
|
|
|
struct rt6_info *rt = (struct rt6_info*)xdst->route;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-12-11 17:32:34 +00:00
|
|
|
xdst->u.dst.dev = dev;
|
|
|
|
|
dev_hold(dev);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-04-21 23:25:30 +00:00
|
|
|
xdst->u.rt6.rt6i_idev = in6_dev_get(dev);
|
2013-05-09 22:40:00 +00:00
|
|
|
if (!xdst->u.rt6.rt6i_idev) {
|
|
|
|
|
dev_put(dev);
|
2007-12-11 17:32:34 +00:00
|
|
|
return -ENODEV;
|
2013-05-09 22:40:00 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2012-06-10 05:36:36 +00:00
|
|
|
rt6_transfer_peer(&xdst->u.rt6, rt);
|
2011-01-26 21:41:03 +00:00
|
|
|
|
2007-12-11 17:32:34 +00:00
|
|
|
/* Sheit... I remember I did this right. Apparently,
|
|
|
|
|
* it was magically lost, so this code needs audit */
|
|
|
|
|
xdst->u.rt6.rt6i_flags = rt->rt6i_flags & (RTF_ANYCAST |
|
|
|
|
|
RTF_LOCAL);
|
|
|
|
|
xdst->u.rt6.rt6i_metric = rt->rt6i_metric;
|
|
|
|
|
xdst->u.rt6.rt6i_node = rt->rt6i_node;
|
2015-05-23 03:56:01 +00:00
|
|
|
xdst->route_cookie = rt6_get_cookie(rt);
|
2007-12-11 17:32:34 +00:00
|
|
|
xdst->u.rt6.rt6i_gateway = rt->rt6i_gateway;
|
|
|
|
|
xdst->u.rt6.rt6i_dst = rt->rt6i_dst;
|
|
|
|
|
xdst->u.rt6.rt6i_src = rt->rt6i_src;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void
|
2007-12-12 18:44:16 +00:00
|
|
|
_decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2011-03-12 07:42:11 +00:00
|
|
|
struct flowi6 *fl6 = &fl->u.ip6;
|
2008-11-02 04:12:07 +00:00
|
|
|
int onlyproto = 0;
|
2018-05-12 09:49:30 +00:00
|
|
|
u32 offset = skb_network_header_len(skb);
|
2011-04-22 04:53:02 +00:00
|
|
|
const struct ipv6hdr *hdr = ipv6_hdr(skb);
|
2006-04-18 21:46:52 +00:00
|
|
|
struct ipv6_opt_hdr *exthdr;
|
2007-04-11 03:50:43 +00:00
|
|
|
const unsigned char *nh = skb_network_header(skb);
|
|
|
|
|
u8 nexthdr = nh[IP6CB(skb)->nhoff];
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-03-12 07:42:11 +00:00
|
|
|
memset(fl6, 0, sizeof(struct flowi6));
|
|
|
|
|
fl6->flowi6_mark = skb->mark;
|
2010-07-02 07:47:55 +00:00
|
|
|
|
2011-11-21 03:39:03 +00:00
|
|
|
fl6->daddr = reverse ? hdr->saddr : hdr->daddr;
|
|
|
|
|
fl6->saddr = reverse ? hdr->daddr : hdr->saddr;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-07-02 16:59:49 +00:00
|
|
|
while (nh + offset + 1 < skb->data ||
|
|
|
|
|
pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
|
2007-04-11 03:50:43 +00:00
|
|
|
nh = skb_network_header(skb);
|
|
|
|
|
exthdr = (struct ipv6_opt_hdr *)(nh + offset);
|
2006-04-18 21:46:52 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
switch (nexthdr) {
|
2008-11-02 04:12:07 +00:00
|
|
|
case NEXTHDR_FRAGMENT:
|
|
|
|
|
onlyproto = 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
case NEXTHDR_ROUTING:
|
|
|
|
|
case NEXTHDR_HOP:
|
|
|
|
|
case NEXTHDR_DEST:
|
|
|
|
|
offset += ipv6_optlen(exthdr);
|
|
|
|
|
nexthdr = exthdr->nexthdr;
|
2007-04-11 03:50:43 +00:00
|
|
|
exthdr = (struct ipv6_opt_hdr *)(nh + offset);
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case IPPROTO_UDP:
|
2006-11-27 19:10:57 +00:00
|
|
|
case IPPROTO_UDPLITE:
|
2005-04-16 22:20:36 +00:00
|
|
|
case IPPROTO_TCP:
|
|
|
|
|
case IPPROTO_SCTP:
|
2005-12-19 22:03:46 +00:00
|
|
|
case IPPROTO_DCCP:
|
2009-07-02 16:59:49 +00:00
|
|
|
if (!onlyproto && (nh + offset + 4 < skb->data ||
|
|
|
|
|
pskb_may_pull(skb, nh + offset + 4 - skb->data))) {
|
2006-11-08 08:20:21 +00:00
|
|
|
__be16 *ports = (__be16 *)exthdr;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-03-12 21:36:19 +00:00
|
|
|
fl6->fl6_sport = ports[!!reverse];
|
|
|
|
|
fl6->fl6_dport = ports[!reverse];
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2011-03-12 07:42:11 +00:00
|
|
|
fl6->flowi6_proto = nexthdr;
|
2005-04-16 22:20:36 +00:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
case IPPROTO_ICMPV6:
|
2008-11-02 04:12:07 +00:00
|
|
|
if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
|
2005-04-16 22:20:36 +00:00
|
|
|
u8 *icmp = (u8 *)exthdr;
|
|
|
|
|
|
2011-03-12 21:36:19 +00:00
|
|
|
fl6->fl6_icmp_type = icmp[0];
|
|
|
|
|
fl6->fl6_icmp_code = icmp[1];
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2011-03-12 07:42:11 +00:00
|
|
|
fl6->flowi6_proto = nexthdr;
|
2005-04-16 22:20:36 +00:00
|
|
|
return;
|
|
|
|
|
|
2012-10-29 16:23:10 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
2006-08-24 03:39:03 +00:00
|
|
|
case IPPROTO_MH:
|
2008-11-02 04:12:07 +00:00
|
|
|
if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
|
2006-08-24 03:39:03 +00:00
|
|
|
struct ip6_mh *mh;
|
|
|
|
|
mh = (struct ip6_mh *)exthdr;
|
|
|
|
|
|
2011-03-12 21:36:19 +00:00
|
|
|
fl6->fl6_mh_type = mh->ip6mh_type;
|
2006-08-24 03:39:03 +00:00
|
|
|
}
|
2011-03-12 07:42:11 +00:00
|
|
|
fl6->flowi6_proto = nexthdr;
|
2006-08-24 03:39:03 +00:00
|
|
|
return;
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* XXX Why are there these headers? */
|
|
|
|
|
case IPPROTO_AH:
|
|
|
|
|
case IPPROTO_ESP:
|
|
|
|
|
case IPPROTO_COMP:
|
|
|
|
|
default:
|
2011-03-12 21:36:19 +00:00
|
|
|
fl6->fl6_ipsec_spi = 0;
|
2011-03-12 07:42:11 +00:00
|
|
|
fl6->flowi6_proto = nexthdr;
|
2005-04-16 22:20:36 +00:00
|
|
|
return;
|
2007-04-21 00:09:22 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-01-18 11:56:57 +00:00
|
|
|
static inline int xfrm6_garbage_collect(struct dst_ops *ops)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2010-01-25 06:47:53 +00:00
|
|
|
struct net *net = container_of(ops, struct net, xfrm.xfrm6_dst_ops);
|
|
|
|
|
|
|
|
|
|
xfrm6_policy_afinfo.garbage_collect(net);
|
2010-10-08 06:37:34 +00:00
|
|
|
return dst_entries_get_fast(ops) > ops->gc_thresh * 2;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2012-07-17 10:29:28 +00:00
|
|
|
static void xfrm6_update_pmtu(struct dst_entry *dst, struct sock *sk,
|
|
|
|
|
struct sk_buff *skb, u32 mtu)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
|
|
|
|
struct dst_entry *path = xdst->route;
|
|
|
|
|
|
2012-07-17 10:29:28 +00:00
|
|
|
path->ops->update_pmtu(path, sk, skb, mtu);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2012-07-17 10:29:28 +00:00
|
|
|
static void xfrm6_redirect(struct dst_entry *dst, struct sock *sk,
|
|
|
|
|
struct sk_buff *skb)
|
2012-07-12 07:25:15 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
|
|
|
|
struct dst_entry *path = xdst->route;
|
|
|
|
|
|
2012-07-17 10:29:28 +00:00
|
|
|
path->ops->redirect(path, sk, skb);
|
2012-07-12 07:25:15 +00:00
|
|
|
}
|
|
|
|
|
|
2005-05-03 23:27:10 +00:00
|
|
|
static void xfrm6_dst_destroy(struct dst_entry *dst)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
|
|
|
|
|
|
|
|
|
if (likely(xdst->u.rt6.rt6i_idev))
|
|
|
|
|
in6_dev_put(xdst->u.rt6.rt6i_idev);
|
net: Implement read-only protection and COW'ing of metrics.
Routing metrics are now copy-on-write.
Initially a route entry points it's metrics at a read-only location.
If a routing table entry exists, it will point there. Else it will
point at the all zero metric place-holder called 'dst_default_metrics'.
The writeability state of the metrics is stored in the low bits of the
metrics pointer, we have two bits left to spare if we want to store
more states.
For the initial implementation, COW is implemented simply via kmalloc.
However future enhancements will change this to place the writable
metrics somewhere else, in order to increase sharing. Very likely
this "somewhere else" will be the inetpeer cache.
Note also that this means that metrics updates may transiently fail
if we cannot COW the metrics successfully.
But even by itself, this patch should decrease memory usage and
increase cache locality especially for routing workloads. In those
cases the read-only metric copies stay in place and never get written
to.
TCP workloads where metrics get updated, and those rare cases where
PMTU triggers occur, will take a very slight performance hit. But
that hit will be alleviated when the long-term writable metrics
move to a more sharable location.
Since the metrics storage went from a u32 array of RTAX_MAX entries to
what is essentially a pointer, some retooling of the dst_entry layout
was necessary.
Most importantly, we need to preserve the alignment of the reference
count so that it doesn't share cache lines with the read-mostly state,
as per Eric Dumazet's alignment assertion checks.
The only non-trivial bit here is the move of the 'flags' member into
the writeable cacheline. This is OK since we are always accessing the
flags around the same moment when we made a modification to the
reference count.
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-01-27 04:51:05 +00:00
|
|
|
dst_destroy_metrics_generic(dst);
|
2012-06-10 05:36:36 +00:00
|
|
|
if (rt6_has_peer(&xdst->u.rt6)) {
|
|
|
|
|
struct inet_peer *peer = rt6_peer_ptr(&xdst->u.rt6);
|
|
|
|
|
inet_putpeer(peer);
|
|
|
|
|
}
|
2005-05-03 23:27:10 +00:00
|
|
|
xfrm_dst_destroy(xdst);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void xfrm6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
|
|
|
|
|
int unregister)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_dst *xdst;
|
|
|
|
|
|
|
|
|
|
if (!unregister)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
xdst = (struct xfrm_dst *)dst;
|
|
|
|
|
if (xdst->u.rt6.rt6i_idev->dev == dev) {
|
2007-12-07 08:38:10 +00:00
|
|
|
struct inet6_dev *loopback_idev =
|
2008-03-25 12:47:49 +00:00
|
|
|
in6_dev_get(dev_net(dev)->loopback_dev);
|
2005-05-03 23:27:10 +00:00
|
|
|
BUG_ON(!loopback_idev);
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
in6_dev_put(xdst->u.rt6.rt6i_idev);
|
|
|
|
|
xdst->u.rt6.rt6i_idev = loopback_idev;
|
|
|
|
|
in6_dev_hold(loopback_idev);
|
|
|
|
|
xdst = (struct xfrm_dst *)xdst->u.dst.child;
|
|
|
|
|
} while (xdst->u.dst.xfrm);
|
|
|
|
|
|
|
|
|
|
__in6_dev_put(loopback_idev);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
xfrm_dst_ifdown(dst, dev);
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static struct dst_ops xfrm6_dst_ops = {
|
|
|
|
|
.family = AF_INET6,
|
2009-02-01 08:45:17 +00:00
|
|
|
.protocol = cpu_to_be16(ETH_P_IPV6),
|
2005-04-16 22:20:36 +00:00
|
|
|
.gc = xfrm6_garbage_collect,
|
|
|
|
|
.update_pmtu = xfrm6_update_pmtu,
|
2012-07-12 07:25:15 +00:00
|
|
|
.redirect = xfrm6_redirect,
|
net: Implement read-only protection and COW'ing of metrics.
Routing metrics are now copy-on-write.
Initially a route entry points it's metrics at a read-only location.
If a routing table entry exists, it will point there. Else it will
point at the all zero metric place-holder called 'dst_default_metrics'.
The writeability state of the metrics is stored in the low bits of the
metrics pointer, we have two bits left to spare if we want to store
more states.
For the initial implementation, COW is implemented simply via kmalloc.
However future enhancements will change this to place the writable
metrics somewhere else, in order to increase sharing. Very likely
this "somewhere else" will be the inetpeer cache.
Note also that this means that metrics updates may transiently fail
if we cannot COW the metrics successfully.
But even by itself, this patch should decrease memory usage and
increase cache locality especially for routing workloads. In those
cases the read-only metric copies stay in place and never get written
to.
TCP workloads where metrics get updated, and those rare cases where
PMTU triggers occur, will take a very slight performance hit. But
that hit will be alleviated when the long-term writable metrics
move to a more sharable location.
Since the metrics storage went from a u32 array of RTAX_MAX entries to
what is essentially a pointer, some retooling of the dst_entry layout
was necessary.
Most importantly, we need to preserve the alignment of the reference
count so that it doesn't share cache lines with the read-mostly state,
as per Eric Dumazet's alignment assertion checks.
The only non-trivial bit here is the move of the 'flags' member into
the writeable cacheline. This is OK since we are always accessing the
flags around the same moment when we made a modification to the
reference count.
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-01-27 04:51:05 +00:00
|
|
|
.cow_metrics = dst_cow_metrics_generic,
|
2005-05-03 23:27:10 +00:00
|
|
|
.destroy = xfrm6_dst_destroy,
|
|
|
|
|
.ifdown = xfrm6_dst_ifdown,
|
2007-11-14 05:43:11 +00:00
|
|
|
.local_out = __ip6_local_out,
|
2013-10-25 08:21:32 +00:00
|
|
|
.gc_thresh = 32768,
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct xfrm_policy_afinfo xfrm6_policy_afinfo = {
|
|
|
|
|
.family = AF_INET6,
|
|
|
|
|
.dst_ops = &xfrm6_dst_ops,
|
|
|
|
|
.dst_lookup = xfrm6_dst_lookup,
|
2006-09-19 19:57:34 +00:00
|
|
|
.get_saddr = xfrm6_get_saddr,
|
2005-04-16 22:20:36 +00:00
|
|
|
.decode_session = _decode_session6,
|
2007-12-11 17:32:34 +00:00
|
|
|
.get_tos = xfrm6_get_tos,
|
2012-08-20 09:56:56 +00:00
|
|
|
.init_dst = xfrm6_init_dst,
|
2007-12-21 04:41:12 +00:00
|
|
|
.init_path = xfrm6_init_path,
|
2007-12-11 17:32:34 +00:00
|
|
|
.fill_dst = xfrm6_fill_dst,
|
2011-03-01 22:59:04 +00:00
|
|
|
.blackhole_route = ip6_blackhole_route,
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
2007-12-07 08:42:11 +00:00
|
|
|
static int __init xfrm6_policy_init(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-12-07 08:42:11 +00:00
|
|
|
return xfrm_policy_register_afinfo(&xfrm6_policy_afinfo);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void xfrm6_policy_fini(void)
|
|
|
|
|
{
|
|
|
|
|
xfrm_policy_unregister_afinfo(&xfrm6_policy_afinfo);
|
|
|
|
|
}
|
|
|
|
|
|
2009-08-05 03:32:16 +00:00
|
|
|
#ifdef CONFIG_SYSCTL
|
2009-07-27 08:22:46 +00:00
|
|
|
static struct ctl_table xfrm6_policy_table[] = {
|
|
|
|
|
{
|
|
|
|
|
.procname = "xfrm6_gc_thresh",
|
2010-01-25 06:47:53 +00:00
|
|
|
.data = &init_net.xfrm.xfrm6_dst_ops.gc_thresh,
|
2009-07-27 08:22:46 +00:00
|
|
|
.maxlen = sizeof(int),
|
|
|
|
|
.mode = 0644,
|
|
|
|
|
.proc_handler = proc_dointvec,
|
|
|
|
|
},
|
|
|
|
|
{ }
|
|
|
|
|
};
|
|
|
|
|
|
2013-02-06 09:46:33 +00:00
|
|
|
static int __net_init xfrm6_net_init(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
struct ctl_table *table;
|
|
|
|
|
struct ctl_table_header *hdr;
|
|
|
|
|
|
|
|
|
|
table = xfrm6_policy_table;
|
|
|
|
|
if (!net_eq(net, &init_net)) {
|
|
|
|
|
table = kmemdup(table, sizeof(xfrm6_policy_table), GFP_KERNEL);
|
|
|
|
|
if (!table)
|
|
|
|
|
goto err_alloc;
|
|
|
|
|
|
|
|
|
|
table[0].data = &net->xfrm.xfrm6_dst_ops.gc_thresh;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hdr = register_net_sysctl(net, "net/ipv6", table);
|
|
|
|
|
if (!hdr)
|
|
|
|
|
goto err_reg;
|
|
|
|
|
|
|
|
|
|
net->ipv6.sysctl.xfrm6_hdr = hdr;
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
err_reg:
|
|
|
|
|
if (!net_eq(net, &init_net))
|
|
|
|
|
kfree(table);
|
|
|
|
|
err_alloc:
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __net_exit xfrm6_net_exit(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
struct ctl_table *table;
|
|
|
|
|
|
|
|
|
|
if (net->ipv6.sysctl.xfrm6_hdr == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
table = net->ipv6.sysctl.xfrm6_hdr->ctl_table_arg;
|
|
|
|
|
unregister_net_sysctl_table(net->ipv6.sysctl.xfrm6_hdr);
|
|
|
|
|
if (!net_eq(net, &init_net))
|
|
|
|
|
kfree(table);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct pernet_operations xfrm6_net_ops = {
|
|
|
|
|
.init = xfrm6_net_init,
|
|
|
|
|
.exit = xfrm6_net_exit,
|
|
|
|
|
};
|
2009-08-05 03:32:16 +00:00
|
|
|
#endif
|
2009-07-27 08:22:46 +00:00
|
|
|
|
2007-12-07 08:42:11 +00:00
|
|
|
int __init xfrm6_init(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-12-07 08:42:11 +00:00
|
|
|
int ret;
|
2012-11-15 08:00:18 +00:00
|
|
|
|
2010-10-08 06:37:34 +00:00
|
|
|
dst_entries_init(&xfrm6_dst_ops);
|
2010-01-25 06:47:53 +00:00
|
|
|
|
|
|
|
|
ret = xfrm6_policy_init();
|
2010-10-08 06:37:34 +00:00
|
|
|
if (ret) {
|
|
|
|
|
dst_entries_destroy(&xfrm6_dst_ops);
|
2010-01-25 06:47:53 +00:00
|
|
|
goto out;
|
2010-10-08 06:37:34 +00:00
|
|
|
}
|
2010-01-25 06:47:53 +00:00
|
|
|
ret = xfrm6_state_init();
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out_policy;
|
|
|
|
|
|
2009-08-05 03:32:16 +00:00
|
|
|
#ifdef CONFIG_SYSCTL
|
2013-02-06 09:46:33 +00:00
|
|
|
register_pernet_subsys(&xfrm6_net_ops);
|
2009-08-05 03:32:16 +00:00
|
|
|
#endif
|
2007-12-07 08:42:11 +00:00
|
|
|
out:
|
|
|
|
|
return ret;
|
|
|
|
|
out_policy:
|
|
|
|
|
xfrm6_policy_fini();
|
|
|
|
|
goto out;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void xfrm6_fini(void)
|
|
|
|
|
{
|
2009-08-05 03:32:16 +00:00
|
|
|
#ifdef CONFIG_SYSCTL
|
2013-02-06 09:46:33 +00:00
|
|
|
unregister_pernet_subsys(&xfrm6_net_ops);
|
2009-08-05 03:32:16 +00:00
|
|
|
#endif
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm6_policy_fini();
|
|
|
|
|
xfrm6_state_fini();
|
2010-10-08 06:37:34 +00:00
|
|
|
dst_entries_destroy(&xfrm6_dst_ops);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
