Re: [PATCH 40/44] [XFRM] POLICY: sub policy support.

2006-08-24 Thread Herbert Xu
David Miller <[EMAIL PROTECTED]> wrote:
> 
> Those socket policies are becomming more and more difficult to
> deal with.  I like them as a feature, but I wonder who uses
> them :-)  They do not live in the flow cache so they hurt
> performance until we find a way to place them there.  Perhaps
> we can extend the flow keying somehow to account for socket
> based policies in the flow cache.

The KMs use it to allow ISAKMP traffic to punch through IPsec.

That should definitely be the exception though.  Most apps should
have zero socket policies, especially since socket policies need
root privileges.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Re: [PATCH 40/44] [XFRM] POLICY: sub policy support.

2006-08-23 Thread David Miller
From: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
Date: Thu, 24 Aug 2006 00:02:41 +0900

> Sub policy is introduced. Main and sub policy are applied the same flow.
> (Policy that current kernel uses is named as main.)
> It is required another transformation policy management to keep IPsec
> and Mobile IPv6 lives separate.
> Policy which lives shorter time in kernel should be a sub i.e. normally
> main is for IPsec and sub is for Mobile IPv6.
> (Such usage as two IPsec policies on different database can be used, too.)
> 
> Limitation or TODOs:
>  - Sub policy is not supported for per socket one (it is always inserted as 
> main).
>  - Current kernel makes cached outbound with flowi to skip searching database.
>However this patch makes it disabled only when "two policies are used and
>the first matched one is bypass case" because neither flowi nor bundle
>information knows about transformation template size.
> 
> Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>

Applied to net-2.6.19

Those socket policies are becoming more and more difficult to
deal with.  I like them as a feature, but I wonder who uses
them :-)  They do not live in the flow cache so they hurt
performance until we find a way to place them there.  Perhaps
we can extend the flow keying somehow to account for socket
based policies in the flow cache.




[PATCH 40/44] [XFRM] POLICY: sub policy support.

2006-08-23 Thread YOSHIFUJI Hideaki
From: Masahide NAKAMURA <[EMAIL PROTECTED]>

Sub policy is introduced. Main and sub policies are applied to the same flow.
(The policy that the current kernel uses is named main.)
Another transformation policy management is required to keep IPsec
and Mobile IPv6 lives separate.
Policy which lives shorter time in kernel should be a sub i.e. normally
main is for IPsec and sub is for Mobile IPv6.
(Such usage as two IPsec policies on different database can be used, too.)

Limitation or TODOs:
 - Sub policy is not supported for per socket one (it is always inserted as 
main).
 - Current kernel makes cached outbound with flowi to skip searching database.
   However this patch makes it disabled only when "two policies are used and
   the first matched one is bypass case" because neither flowi nor bundle
   information knows about transformation template size.

Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
---
 include/linux/xfrm.h   |7 +
 include/net/xfrm.h |   45 +++--
 net/xfrm/xfrm_policy.c |  252 +---
 3 files changed, 260 insertions(+), 44 deletions(-)

diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 4009f44..492fb98 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -104,6 +104,13 @@ struct xfrm_stats {
 
 enum
 {
+   XFRM_POLICY_TYPE_MAIN   = 0,
+   XFRM_POLICY_TYPE_SUB= 1,
+   XFRM_POLICY_TYPE_MAX= 2
+};
+
+enum
+{
XFRM_POLICY_IN  = 0,
XFRM_POLICY_OUT = 1,
XFRM_POLICY_FWD = 2,
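Review bot: The new XFRM_POLICY_TYPE_* enum carries no comment, and since it lands in the userspace-visible include/linux/xfrm.h its meaning should be stated where it is defined rather than only in the commit message. The message explains that a main and a sub policy are both applied to the same flow and that sub is meant for the shorter-lived policy (Mobile IPv6), but none of that reaches the header. I would add above the enum: `/* Policy type. MAIN and SUB policies are both applied to the same flow; SUB is for the shorter-lived one (e.g. Mobile IPv6). MAX is an array bound, not a valid type. */`. Because MAX is a bound and the later hunks keep a separate list per type, any `type` value accepted from userspace has to be range-checked before it is used as an index; where that check lives is outside this chunk.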
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 00784d9..5bd6beb 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -342,6 +342,7 @@ struct xfrm_policy
atomic_trefcnt;
struct timer_list   timer;
 
+   u8  type;
u32 priority;
u32 index;
struct xfrm_selectorselector;
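Review bot: The new `type` member of struct xfrm_policy is undocumented and sits between `timer` and `priority` with nothing tying it to the XFRM_POLICY_TYPE_* enum introduced in include/linux/xfrm.h. A one-line comment would do: `u8 type; /* XFRM_POLICY_TYPE_MAIN or _SUB; presumably selects which policy list the entry lives in */`. Whether xfrm_policy_alloc() zero-fills the member so that an unset type reads as MAIN is not visible in this chunk and is worth confirming. The struct definition starts and ends outside this hunk.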
@@ -390,6 +391,19 @@ extern int xfrm_unregister_km(struct xfr
 
 
 extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
+#ifdef CONFIG_XFRM_SUB_POLICY
+extern struct xfrm_policy *xfrm_policy_list_sub[XFRM_POLICY_MAX*2];
+
+static inline int xfrm_policy_lists_empty(int dir)
+{
+   return (!xfrm_policy_list[dir] && !xfrm_policy_list_sub[dir]);
+}
+#else
+static inline int xfrm_policy_lists_empty(int dir)
+{
+   return (!xfrm_policy_list[dir]);
+}
+#endif
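Review bot: xfrm_policy_lists_empty() reads the list heads without any lock, exactly like the `!xfrm_policy_list[dir]` test it replaces in xfrm_policy_check() and xfrm_route_forward() further down, so it remains a racy fast-path hint rather than an authoritative check. That is pre-existing, but in xfrm_policy_check() an "empty" result together with `!skb->sp` short-circuits to accept, so a concurrently inserted policy can be missed for that packet, and with two lists feeding the answer the helper deserves a comment so nobody later relies on it for correctness: `/* Lockless fast-path test; may miss a concurrent insert. */`. The #ifdef/#else pair could also collapse into one definition with only the sub-list term guarded by `CONFIG_XFRM_SUB_POLICY`, but that is a matter of taste.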
 
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 {
@@ -405,6 +419,20 @@ static inline void xfrm_pol_put(struct x
__xfrm_policy_destroy(policy);
 }
 
+#ifdef CONFIG_XFRM_SUB_POLICY
+static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
+{
+   int i;
+   for (i = npols - 1; i >= 0; --i)
+   xfrm_pol_put(pols[i]);
+}
+#else
+static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
+{
+   xfrm_pol_put(pols[0]);
+}
+#endif
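Review bot: The two xfrm_pols_put() variants disagree when npols is 0: the CONFIG_XFRM_SUB_POLICY version loops zero times, while the fallback unconditionally calls xfrm_pol_put(pols[0]) and would drop a reference on whatever pols[0] happens to hold. Whether any caller passes npols == 0 is not visible here, but the helper should not depend on that; `if (npols > 0) xfrm_pol_put(pols[0]);` makes both variants agree, or the loop version could simply be used for both configurations since it costs nothing when npols is 1.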
+
 #define XFRM_DST_HSIZE 1024
 
 static __inline__
@@ -738,8 +766,8 @@ static inline int xfrm_policy_check(stru
 {
if (sk && sk->sk_policy[XFRM_POLICY_IN])
return __xfrm_policy_check(sk, dir, skb, family);
-   
-   return  (!xfrm_policy_list[dir] && !skb->sp) ||
+
+   return  (xfrm_policy_lists_empty(dir) && !skb->sp) ||
(skb->dst->flags & DST_NOPOLICY) ||
__xfrm_policy_check(sk, dir, skb, family);
 }
@@ -759,7 +787,7 @@ extern int __xfrm_route_forward(struct s
 
 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short 
family)
 {
-   return  !xfrm_policy_list[XFRM_POLICY_OUT] ||
+   return  xfrm_policy_lists_empty(XFRM_POLICY_OUT) ||
(skb->dst->flags & DST_NOXFRM) ||
__xfrm_route_forward(skb, family);
 }
@@ -1023,18 +1051,19 @@ static inline int xfrm_dst_lookup(struct
 #endif
 
 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
-extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, 
void*), void *);
+extern int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, 
int, void*), void *);
 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
-struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
+struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
+ struct xfrm_selector *sel,
  struct xfrm_sec_ctx *ctx, int delete);
-struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
-void xfrm_policy_flush(void);
+struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete);
+void xfrm_policy_flush(u8 type);
 u32 xfrm_get_acqseq(void);
 void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
 struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, 
  xfrm_address_t *daddr, xfrm_address_t *saddr,