Re: Introduce ipsec_sysctl()
On Mon, Nov 13, 2017 at 01:30:43PM +0100, Martin Pieuchot wrote: > This move all IPsec tunables to netinet/ipsec_input.c without breaking > the "net.inet.ip" sysctl(3) namespace. > > The reason for this move is to properly separate IPsec and IP globals > in order to ease the removal of the NET_LOCK() in these layers. > > ok? OK bluhm@
> Index: netinet/in.h
> ===
> RCS file: /cvs/src/sys/netinet/in.h,v
> retrieving revision 1.125
> diff -u -p -r1.125 in.h
> --- netinet/in.h 6 Oct 2017 21:14:55 - 1.125
> +++ netinet/in.h 13 Nov 2017 12:11:16 -
> @@ -745,19 +745,19 @@ struct ip_mreq {
> _hifirstauto, \
> _hilastauto, \
> _maxqueue, \
> - , \
> + NULL /* encdebug */, \
> NULL, \
> - _expire_acquire, \
> - _keep_invalid, \
> - _require_pfs, \
> - _soft_allocations, \
> - _exp_allocations, \
> - _soft_bytes, \
> - _exp_bytes, \
> - _exp_timeout, \
> - _soft_timeout, \
> - _soft_first_use, \
> - _exp_first_use, \
> + NULL /* ipsec_expire_acquire */, \
> + NULL /* ipsec_keep_invalid */, \
> + NULL /* ipsec_require_pfs */, \
> + NULL /* ipsec_soft_allocations */, \
> + NULL /* ipsec_exp_allocations */, \
> + NULL /* ipsec_soft_bytes */, \
> + NULL /* ipsec_exp_bytes */, \
> + NULL /* ipsec_exp_timeout */, \
> + NULL /* ipsec_soft_timeout */, \
> + NULL /* ipsec_soft_first_use */, \
> + NULL /* ipsec_exp_first_use */, \
> NULL, \
> NULL, \
> NULL, \
> Index: netinet/ip_input.c
> ===
> RCS file: /cvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.331
> diff -u -p -r1.331 ip_input.c
> --- netinet/ip_input.c10 Nov 2017 08:55:49 - 1.331
> +++ netinet/ip_input.c13 Nov 2017 08:51:37 -
> @@ -84,22 +84,6 @@
> #include
> #endif
>
> -int encdebug = 0;
> -int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
> -int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
> -int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
> -int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
> -int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
> -int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
> -int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
> -int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
> -int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
> -int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
> -int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
> -char ipsec_def_enc[20];
> -char ipsec_def_auth[20];
> -char ipsec_def_comp[20];
> -
> /* values controllable via sysctl */
> int ipforwarding = 0;
> int ipmforwarding = 0;
> @@ -211,10 +195,6 @@ ip_init(void)
> for (i = 0; defrootonlyports_udp[i] != 0; i++)
> DP_SET(rootonlyports.udp, defrootonlyports_udp[i]);
>
> - strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
> - strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
> - strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
> -
> mq_init(_mq, 64, IPL_SOFTNET);
>
> #ifdef IPSEC
> @@ -1643,26 +1623,25 @@ ip_sysctl(int *name, u_int namelen, void
> ip_mtudisc_timeout);
> NET_UNLOCK();
> return (error);
> +#ifdef IPSEC
> + case IPCTL_ENCDEBUG:
> + case IPCTL_IPSEC_EXPIRE_ACQUIRE:
> + case IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT:
> + case IPCTL_IPSEC_REQUIRE_PFS:
> + case IPCTL_IPSEC_SOFT_ALLOCATIONS:
> + case IPCTL_IPSEC_ALLOCATIONS:
> + case IPCTL_IPSEC_SOFT_BYTES:
> + case IPCTL_IPSEC_BYTES:
> + case IPCTL_IPSEC_TIMEOUT:
> + case IPCTL_IPSEC_SOFT_TIMEOUT:
> + case IPCTL_IPSEC_SOFT_FIRSTUSE:
> + case IPCTL_IPSEC_FIRSTUSE:
> case IPCTL_IPSEC_ENC_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> -ipsec_def_enc, sizeof(ipsec_def_enc));
> - NET_UNLOCK();
> - return (error);
> case IPCTL_IPSEC_AUTH_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> -ipsec_def_auth,
> -sizeof(ipsec_def_auth));
> - NET_UNLOCK();
> - return (error);
> case IPCTL_IPSEC_IPCOMP_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> -ipsec_def_comp,
> -sizeof(ipsec_def_comp));
> - NET_UNLOCK();
> - return (error);
> + return (ipsec_sysctl(name, namelen, oldp, oldlenp, newp,
> + newlen));
> +#endif
> case IPCTL_IFQUEUE:
>
Introduce ipsec_sysctl()
This move all IPsec tunables to netinet/ipsec_input.c without breaking the "net.inet.ip" sysctl(3) namespace. The reason for this move is to properly separate IPsec and IP globals in order to ease the removal of the NET_LOCK() in these layers. ok?
Index: netinet/in.h
===
RCS file: /cvs/src/sys/netinet/in.h,v
retrieving revision 1.125
diff -u -p -r1.125 in.h
--- netinet/in.h6 Oct 2017 21:14:55 - 1.125
+++ netinet/in.h13 Nov 2017 12:11:16 -
@@ -745,19 +745,19 @@ struct ip_mreq {
 _hifirstauto, \
 _hilastauto, \
 _maxqueue, \
- , \
+ NULL /* encdebug */, \
 NULL, \
- _expire_acquire, \
- _keep_invalid, \
- _require_pfs, \
- _soft_allocations, \
- _exp_allocations, \
- _soft_bytes, \
- _exp_bytes, \
- _exp_timeout, \
- _soft_timeout, \
- _soft_first_use, \
- _exp_first_use, \
+ NULL /* ipsec_expire_acquire */, \
+ NULL /* ipsec_keep_invalid */, \
+ NULL /* ipsec_require_pfs */, \
+ NULL /* ipsec_soft_allocations */, \
+ NULL /* ipsec_exp_allocations */, \
+ NULL /* ipsec_soft_bytes */, \
+ NULL /* ipsec_exp_bytes */, \
+ NULL /* ipsec_exp_timeout */, \
+ NULL /* ipsec_soft_timeout */, \
+ NULL /* ipsec_soft_first_use */, \
+ NULL /* ipsec_exp_first_use */, \
 NULL, \
 NULL, \
 NULL, \
Index: netinet/ip_input.c
===
RCS file: /cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.331
diff -u -p -r1.331 ip_input.c
--- netinet/ip_input.c 10 Nov 2017 08:55:49 - 1.331
+++ netinet/ip_input.c 13 Nov 2017 08:51:37 -
@@ -84,22 +84,6 @@
 #include
 #endif
 
-int encdebug = 0;
-int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
-int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
-int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
-int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
-int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
-int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
-int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
-int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
-int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
-int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
-int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
-char ipsec_def_enc[20];
-char ipsec_def_auth[20];
-char ipsec_def_comp[20];
-
 /* values controllable via sysctl */
 intipforwarding = 0;
 intipmforwarding = 0;
@@ -211,10 +195,6 @@ ip_init(void)
 for (i = 0; defrootonlyports_udp[i] != 0; i++)
 DP_SET(rootonlyports.udp, defrootonlyports_udp[i]);
 
- strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
- strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
- strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
-
 mq_init(_mq, 64, IPL_SOFTNET);
 
 #ifdef IPSEC
@@ -1643,26 +1623,25 @@ ip_sysctl(int *name, u_int namelen, void
 ip_mtudisc_timeout);
 NET_UNLOCK();
 return (error);
+#ifdef IPSEC
+ case IPCTL_ENCDEBUG:
+ case IPCTL_IPSEC_EXPIRE_ACQUIRE:
+ case IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT:
+ case IPCTL_IPSEC_REQUIRE_PFS:
+ case IPCTL_IPSEC_SOFT_ALLOCATIONS:
+ case IPCTL_IPSEC_ALLOCATIONS:
+ case IPCTL_IPSEC_SOFT_BYTES:
+ case IPCTL_IPSEC_BYTES:
+ case IPCTL_IPSEC_TIMEOUT:
+ case IPCTL_IPSEC_SOFT_TIMEOUT:
+ case IPCTL_IPSEC_SOFT_FIRSTUSE:
+ case IPCTL_IPSEC_FIRSTUSE:
 case IPCTL_IPSEC_ENC_ALGORITHM:
- NET_LOCK();
- error = sysctl_tstring(oldp, oldlenp, newp, newlen,
- ipsec_def_enc, sizeof(ipsec_def_enc));
- NET_UNLOCK();
- return (error);
 case IPCTL_IPSEC_AUTH_ALGORITHM:
- NET_LOCK();
- error = sysctl_tstring(oldp, oldlenp, newp, newlen,
- ipsec_def_auth,
- sizeof(ipsec_def_auth));
- NET_UNLOCK();
- return (error);
 case IPCTL_IPSEC_IPCOMP_ALGORITHM:
- NET_LOCK();
- error = sysctl_tstring(oldp, oldlenp, newp, newlen,
- ipsec_def_comp,
- sizeof(ipsec_def_comp));
- NET_UNLOCK();
- return (error);
+ return (ipsec_sysctl(name, namelen, oldp, oldlenp, newp,
+ newlen));
+#endif
 case IPCTL_IFQUEUE:
 return (sysctl_niq(name + 1, namelen - 1, oldp, oldlenp, newp,
 newlen, ));
Index: netinet/ip_ipsp.h
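Review bot: The three `NET_LOCK()`/`NET_UNLOCK()` pairs that used to bracket `sysctl_tstring()` on `ipsec_def_enc`, `ipsec_def_auth` and `ipsec_def_comp` are dropped here, and the new `return (ipsec_sysctl(name, namelen, oldp, oldlenp, newp, newlen));` takes no lock at this call site, so writes into those shared buffers are serialized only if `ipsec_sysctl()` (defined outside this diff, in netinet/ipsec_input.c according to the description) acquires the lock itself; a one-line comment above the call such as `/* locking for the IPsec tunables is done inside ipsec_sysctl() */` would record that contract once it is confirmed. The `#ifdef IPSEC` guard, together with the `NULL` entries the in.h hunk puts into the pointer table, presumably means that on a kernel built without IPSEC `net.inet.ip.encdebug` and the other fourteen names now fall through to the generic table lookup and fail rather than read the old globals — if that is intended it deserves a sentence in the commit message. Passing the full `name`/`namelen` instead of `name + 1`/`namelen - 1` as the neighbouring `sysctl_niq()` call does looks deliberate, since the dozen new `case` labels are all top-level IPCTL_* values that `ipsec_sysctl()` has to dispatch on again. The enclosing `ip_sysctl()` starts and ends outside this hunk.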