aboutsummaryrefslogtreecommitdiff
path: root/sys/netipsec
diff options
context:
space:
mode:
authorAndrey V. Elsukov <ae@FreeBSD.org>2018-06-05 20:51:01 +0000
committerAndrey V. Elsukov <ae@FreeBSD.org>2018-06-05 20:51:01 +0000
commit6d8fdfa9d5e7d4871c5039b0131829f9cbefeee9 (patch)
tree0ebd65e97a5973725170f97863d5c1133dc381ce /sys/netipsec
parent56009ba0ed678cffa7bece86518aef47767b791b (diff)
downloadsrc-6d8fdfa9d5e7d4871c5039b0131829f9cbefeee9.tar.gz
src-6d8fdfa9d5e7d4871c5039b0131829f9cbefeee9.zip
Rework IP encapsulation handling code.
Currently it has several disadvantages: - it uses single mutex to protect internal structures. It is used by data- and control- path, thus there are no parallelism at all. - it uses single list to keep encap handlers for both INET and INET6 families. - struct encaptab keeps unneeded information (src, dst, masks, protosw), that isn't used by code in the source tree. - matches are prioritized and when many tunneling interfaces are registered, encapcheck handler of each interface is invoked for each packet. The search takes O(n) for n interfaces. All this work is done with exclusive lock held. What this patch includes: - the datapath is converted to be lockless using epoch(9) KPI. - struct encaptab now linked using CK_LIST. - all unused fields removed from struct encaptab. Several new fields addedr: min_length is the minimum packet length, that encapsulation handler expects to see; exact_match is maximum number of bits, that can return an encapsulation handler, when it wants to consume a packet. - IPv6 and IPv4 handlers are stored in separate lists; - added new "encap_lookup_t" method, that will be used later. It is targeted to speedup lookup of needed interface, when gif(4)/gre(4) have many interfaces. - the need to use protosw structure is eliminated. The only pr_input method was used from this structure, so I don't see the need to keep using it. - encap_input_t method changed to avoid using mbuf tags to store softc pointer. Now it is passed directly trough encap_input_t method. encap_getarg() funtions is removed. - all sockaddr structures and code that uses them removed. We don't have any code in the tree that uses them. All consumers use encap_attach_func() method, that relies on invoking of encapcheck() to determine the needed handler. - introduced struct encap_config, it contains parameters of encap handler that is going to be registered by encap_attach() function. - encap handlers are stored in lists ordered by exact_match value, thus handlers that need more bits to match will be checked first, and if encapcheck method returns exact_match value, the search will be stopped. - all current consumers changed to use new KPI. Reviewed by: mmacy Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D15617
Notes
Notes: svn path=/head/; revision=334671
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/xform_ipcomp.c64
1 files changed, 27 insertions, 37 deletions
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 7226e31dc191..7a4a630bb693 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -118,7 +118,7 @@ ipcomp_encapcheck(union sockaddr_union *src, union sockaddr_union *dst)
}
static int
-ipcomp_nonexp_input(struct mbuf **mp, int *offp, int proto)
+ipcomp_nonexp_input(struct mbuf *m, int off, int proto, void *arg __unused)
{
int isr;
@@ -135,13 +135,13 @@ ipcomp_nonexp_input(struct mbuf **mp, int *offp, int proto)
#endif
default:
IPCOMPSTAT_INC(ipcomps_nopf);
- m_freem(*mp);
+ m_freem(m);
return (IPPROTO_DONE);
}
- m_adj(*mp, *offp);
- IPCOMPSTAT_ADD(ipcomps_ibytes, (*mp)->m_pkthdr.len);
+ m_adj(m, off);
+ IPCOMPSTAT_ADD(ipcomps_ibytes, m->m_pkthdr.len);
IPCOMPSTAT_INC(ipcomps_input);
- netisr_dispatch(isr, *mp);
+ netisr_dispatch(isr, m);
return (IPPROTO_DONE);
}
@@ -662,19 +662,6 @@ bad:
}
#ifdef INET
-static const struct encaptab *ipe4_cookie = NULL;
-extern struct domain inetdomain;
-static struct protosw ipcomp4_protosw = {
- .pr_type = SOCK_RAW,
- .pr_domain = &inetdomain,
- .pr_protocol = 0 /* IPPROTO_IPV[46] */,
- .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
- .pr_input = ipcomp_nonexp_input,
- .pr_output = rip_output,
- .pr_ctloutput = rip_ctloutput,
- .pr_usrreqs = &rip_usrreqs
-};
-
static int
ipcomp4_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
void *arg __unused)
@@ -695,21 +682,17 @@ ipcomp4_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
dst.sin.sin_addr = ip->ip_dst;
return (ipcomp_encapcheck(&src, &dst));
}
+
+static const struct encaptab *ipe4_cookie = NULL;
+static const struct encap_config ipv4_encap_cfg = {
+ .proto = -1,
+ .min_length = sizeof(struct ip),
+ .exact_match = sizeof(in_addr_t) << 4,
+ .check = ipcomp4_nonexp_encapcheck,
+ .input = ipcomp_nonexp_input
+};
#endif
#ifdef INET6
-static const struct encaptab *ipe6_cookie = NULL;
-extern struct domain inet6domain;
-static struct protosw ipcomp6_protosw = {
- .pr_type = SOCK_RAW,
- .pr_domain = &inet6domain,
- .pr_protocol = 0 /* IPPROTO_IPV[46] */,
- .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
- .pr_input = ipcomp_nonexp_input,
- .pr_output = rip6_output,
- .pr_ctloutput = rip6_ctloutput,
- .pr_usrreqs = &rip6_usrreqs
-};
-
static int
ipcomp6_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
void *arg __unused)
@@ -742,6 +725,15 @@ ipcomp6_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
}
return (ipcomp_encapcheck(&src, &dst));
}
+
+static const struct encaptab *ipe6_cookie = NULL;
+static const struct encap_config ipv6_encap_cfg = {
+ .proto = -1,
+ .min_length = sizeof(struct ip6_hdr),
+ .exact_match = sizeof(struct in6_addr) << 4,
+ .check = ipcomp6_nonexp_encapcheck,
+ .input = ipcomp_nonexp_input
+};
#endif
static struct xformsw ipcomp_xformsw = {
@@ -758,12 +750,10 @@ ipcomp_attach(void)
{
#ifdef INET
- ipe4_cookie = encap_attach_func(AF_INET, -1,
- ipcomp4_nonexp_encapcheck, &ipcomp4_protosw, NULL);
+ ipe4_cookie = ip_encap_attach(&ipv4_encap_cfg, NULL, M_WAITOK);
#endif
#ifdef INET6
- ipe6_cookie = encap_attach_func(AF_INET6, -1,
- ipcomp6_nonexp_encapcheck, &ipcomp6_protosw, NULL);
+ ipe6_cookie = ip6_encap_attach(&ipv6_encap_cfg, NULL, M_WAITOK);
#endif
xform_attach(&ipcomp_xformsw);
}
@@ -773,10 +763,10 @@ ipcomp_detach(void)
{
#ifdef INET
- encap_detach(ipe4_cookie);
+ ip_encap_detach(ipe4_cookie);
#endif
#ifdef INET6
- encap_detach(ipe6_cookie);
+ ip6_encap_detach(ipe6_cookie);
#endif
xform_detach(&ipcomp_xformsw);
}