Re: Introduce ipsec_sysctl()

2017-11-13 Thread Alexander Bluhm
On Mon, Nov 13, 2017 at 01:30:43PM +0100, Martin Pieuchot wrote:
> This moves all IPsec tunables to netinet/ipsec_input.c without breaking
> the "net.inet.ip" sysctl(3) namespace.
> 
> The reason for this move is to properly separate IPsec and IP globals
> in order to ease the removal of the NET_LOCK() in these layers.
> 
> ok?

OK bluhm@

> Index: netinet/in.h
> ===
> RCS file: /cvs/src/sys/netinet/in.h,v
> retrieving revision 1.125
> diff -u -p -r1.125 in.h
> --- netinet/in.h  6 Oct 2017 21:14:55 -   1.125
> +++ netinet/in.h  13 Nov 2017 12:11:16 -
> @@ -745,19 +745,19 @@ struct ip_mreq {
>   _hifirstauto, \
>   _hilastauto, \
>   _maxqueue, \
> - , \
> + NULL /* encdebug */, \
>   NULL, \
> - _expire_acquire, \
> - _keep_invalid, \
> - _require_pfs, \
> - _soft_allocations, \
> - _exp_allocations, \
> - _soft_bytes, \
> - _exp_bytes, \
> - _exp_timeout, \
> - _soft_timeout, \
> - _soft_first_use, \
> - _exp_first_use, \
> + NULL /* ipsec_expire_acquire */, \
> + NULL /* ipsec_keep_invalid */, \
> + NULL /* ipsec_require_pfs */, \
> + NULL /* ipsec_soft_allocations */, \
> + NULL /* ipsec_exp_allocations */, \
> + NULL /* ipsec_soft_bytes */, \
> + NULL /* ipsec_exp_bytes */, \
> + NULL /* ipsec_exp_timeout */, \
> + NULL /* ipsec_soft_timeout */, \
> + NULL /* ipsec_soft_first_use */, \
> + NULL /* ipsec_exp_first_use */, \
>   NULL, \
>   NULL, \
>   NULL, \
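Review bot: The IPsec slots in this table are turned into NULL entries with only a trailing `/* name */` comment to say why, so a later reader of in.h has no hint that those positions are still live sysctl names served from another file; the same applies to the copy of this hunk in the message below. I would add one line ahead of the first NULL, `/* IPsec slots are NULL here: served by ipsec_sysctl() in ipsec_input.c */`, so nobody re-points them at ip_input.c globals or compacts the table. Keeping the positions rather than deleting them is what preserves the numbered `net.inet.ip` namespace the description promises, and it relies on the table consumer tolerating NULL entries, which is outside this hunk. The macro that opens this initializer list starts before the hunk.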
> Index: netinet/ip_input.c
> ===
> RCS file: /cvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.331
> diff -u -p -r1.331 ip_input.c
> --- netinet/ip_input.c10 Nov 2017 08:55:49 -  1.331
> +++ netinet/ip_input.c13 Nov 2017 08:51:37 -
> @@ -84,22 +84,6 @@
>  #include 
>  #endif
>  
> -int encdebug = 0;
> -int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
> -int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
> -int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
> -int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
> -int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
> -int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
> -int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
> -int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
> -int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
> -int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
> -int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
> -char ipsec_def_enc[20];
> -char ipsec_def_auth[20];
> -char ipsec_def_comp[20];
> -
>  /* values controllable via sysctl */
>  int  ipforwarding = 0;
>  int  ipmforwarding = 0;
> @@ -211,10 +195,6 @@ ip_init(void)
>   for (i = 0; defrootonlyports_udp[i] != 0; i++)
>   DP_SET(rootonlyports.udp, defrootonlyports_udp[i]);
>  
> - strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
> - strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
> - strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
> -
>   mq_init(_mq, 64, IPL_SOFTNET);
>  
>  #ifdef IPSEC
> @@ -1643,26 +1623,25 @@ ip_sysctl(int *name, u_int namelen, void
> ip_mtudisc_timeout);
>   NET_UNLOCK();
>   return (error);
> +#ifdef IPSEC
> + case IPCTL_ENCDEBUG:
> + case IPCTL_IPSEC_EXPIRE_ACQUIRE:
> + case IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT:
> + case IPCTL_IPSEC_REQUIRE_PFS:
> + case IPCTL_IPSEC_SOFT_ALLOCATIONS:
> + case IPCTL_IPSEC_ALLOCATIONS:
> + case IPCTL_IPSEC_SOFT_BYTES:
> + case IPCTL_IPSEC_BYTES:
> + case IPCTL_IPSEC_TIMEOUT:
> + case IPCTL_IPSEC_SOFT_TIMEOUT:
> + case IPCTL_IPSEC_SOFT_FIRSTUSE:
> + case IPCTL_IPSEC_FIRSTUSE:
>   case IPCTL_IPSEC_ENC_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> -ipsec_def_enc, sizeof(ipsec_def_enc));
> - NET_UNLOCK();
> - return (error);
>   case IPCTL_IPSEC_AUTH_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> -ipsec_def_auth,
> -sizeof(ipsec_def_auth));
> - NET_UNLOCK();
> - return (error);
>   case IPCTL_IPSEC_IPCOMP_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> -ipsec_def_comp,
> -sizeof(ipsec_def_comp));
> - NET_UNLOCK();
> - return (error);
> + return (ipsec_sysctl(name, namelen, oldp, oldlenp, newp,
> + newlen));
> +#endif
>   case IPCTL_IFQUEUE:
>

Introduce ipsec_sysctl()

2017-11-13 Thread Martin Pieuchot
This moves all IPsec tunables to netinet/ipsec_input.c without breaking
the "net.inet.ip" sysctl(3) namespace.

The reason for this move is to properly separate IPsec and IP globals
in order to ease the removal of the NET_LOCK() in these layers.

ok?

Index: netinet/in.h
===
RCS file: /cvs/src/sys/netinet/in.h,v
retrieving revision 1.125
diff -u -p -r1.125 in.h
--- netinet/in.h6 Oct 2017 21:14:55 -   1.125
+++ netinet/in.h13 Nov 2017 12:11:16 -
@@ -745,19 +745,19 @@ struct ip_mreq {
_hifirstauto, \
_hilastauto, \
_maxqueue, \
-   , \
+   NULL /* encdebug */, \
NULL, \
-   _expire_acquire, \
-   _keep_invalid, \
-   _require_pfs, \
-   _soft_allocations, \
-   _exp_allocations, \
-   _soft_bytes, \
-   _exp_bytes, \
-   _exp_timeout, \
-   _soft_timeout, \
-   _soft_first_use, \
-   _exp_first_use, \
+   NULL /* ipsec_expire_acquire */, \
+   NULL /* ipsec_keep_invalid */, \
+   NULL /* ipsec_require_pfs */, \
+   NULL /* ipsec_soft_allocations */, \
+   NULL /* ipsec_exp_allocations */, \
+   NULL /* ipsec_soft_bytes */, \
+   NULL /* ipsec_exp_bytes */, \
+   NULL /* ipsec_exp_timeout */, \
+   NULL /* ipsec_soft_timeout */, \
+   NULL /* ipsec_soft_first_use */, \
+   NULL /* ipsec_exp_first_use */, \
NULL, \
NULL, \
NULL, \
Index: netinet/ip_input.c
===
RCS file: /cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.331
diff -u -p -r1.331 ip_input.c
--- netinet/ip_input.c  10 Nov 2017 08:55:49 -  1.331
+++ netinet/ip_input.c  13 Nov 2017 08:51:37 -
@@ -84,22 +84,6 @@
 #include 
 #endif
 
-int encdebug = 0;
-int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
-int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
-int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
-int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
-int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
-int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
-int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
-int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
-int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
-int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
-int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
-char ipsec_def_enc[20];
-char ipsec_def_auth[20];
-char ipsec_def_comp[20];
-
 /* values controllable via sysctl */
 intipforwarding = 0;
 intipmforwarding = 0;
@@ -211,10 +195,6 @@ ip_init(void)
for (i = 0; defrootonlyports_udp[i] != 0; i++)
DP_SET(rootonlyports.udp, defrootonlyports_udp[i]);
 
-   strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
-   strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
-   strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
-
mq_init(_mq, 64, IPL_SOFTNET);
 
 #ifdef IPSEC
@@ -1643,26 +1623,25 @@ ip_sysctl(int *name, u_int namelen, void
  ip_mtudisc_timeout);
NET_UNLOCK();
return (error);
+#ifdef IPSEC
+   case IPCTL_ENCDEBUG:
+   case IPCTL_IPSEC_EXPIRE_ACQUIRE:
+   case IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT:
+   case IPCTL_IPSEC_REQUIRE_PFS:
+   case IPCTL_IPSEC_SOFT_ALLOCATIONS:
+   case IPCTL_IPSEC_ALLOCATIONS:
+   case IPCTL_IPSEC_SOFT_BYTES:
+   case IPCTL_IPSEC_BYTES:
+   case IPCTL_IPSEC_TIMEOUT:
+   case IPCTL_IPSEC_SOFT_TIMEOUT:
+   case IPCTL_IPSEC_SOFT_FIRSTUSE:
+   case IPCTL_IPSEC_FIRSTUSE:
case IPCTL_IPSEC_ENC_ALGORITHM:
-   NET_LOCK();
-   error = sysctl_tstring(oldp, oldlenp, newp, newlen,
-  ipsec_def_enc, sizeof(ipsec_def_enc));
-   NET_UNLOCK();
-   return (error);
case IPCTL_IPSEC_AUTH_ALGORITHM:
-   NET_LOCK();
-   error = sysctl_tstring(oldp, oldlenp, newp, newlen,
-  ipsec_def_auth,
-  sizeof(ipsec_def_auth));
-   NET_UNLOCK();
-   return (error);
case IPCTL_IPSEC_IPCOMP_ALGORITHM:
-   NET_LOCK();
-   error = sysctl_tstring(oldp, oldlenp, newp, newlen,
-  ipsec_def_comp,
-  sizeof(ipsec_def_comp));
-   NET_UNLOCK();
-   return (error);
+   return (ipsec_sysctl(name, namelen, oldp, oldlenp, newp,
+   newlen));
+#endif
case IPCTL_IFQUEUE:
return (sysctl_niq(name + 1, namelen - 1,
oldp, oldlenp, newp, newlen, ));
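Review bot: The new `#ifdef IPSEC` placed before `case IPCTL_ENCDEBUG:` also encloses the three pre-existing `IPCTL_IPSEC_*_ALGORITHM` cases, which were compiled unconditionally before, so on a kernel built without IPSEC those names no longer reach sysctl_tstring() and presumably fall to the default table path, which with the NULL slots now in in.h would likely return EOPNOTSUPP rather than the previous value. If that is intended it is a user-visible change worth a sentence in the commit message, and a `/* net.inet.ip.ipsec-* names require option IPSEC */` comment above the `#ifdef` here. The NET_LOCK()/NET_UNLOCK() bracket that used to surround each sysctl_tstring() call is dropped from this file, so ipsec_sysctl() (not in this diff) needs to provide the same protection for reads and writes of ipsec_def_enc/auth/comp, and the strlcpy() initialisation removed from ip_init() must now run somewhere before the first sysctl read. ip_sysctl() starts before this hunk.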
Index: netinet/ip_ipsp.h