Commit 296a681d authored by David S. Miller

Merge tag 'ipsec-next-2024-11-15' of...

Merge tag 'ipsec-next-2024-11-15' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next



Steffen Klassert says:

====================

ipsec-next-11-15

1) Add support for RFC 9611 per cpu xfrm state handling.

2) Add inbound and outbound xfrm state caches to speed up
   state lookups.

3) Convert xfrm to dscp_t. From Guillaume Nault.

4) Fix error handling in build_aevent.
   From Everest K.C.

5) Replace strncpy with strscpy_pad in copy_to_user_auth.
   From Daniel Yang.

6) Fix an uninitialized symbol during acquire state insertion.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 38f83a57 a3567281
+1 −0
@@ -43,6 +43,7 @@ struct netns_xfrm {
	struct hlist_head	__rcu *state_bysrc;
	struct hlist_head	__rcu *state_byspi;
	struct hlist_head	__rcu *state_byseq;
	struct hlist_head	 __percpu *state_cache_input;
	unsigned int		state_hmask;
	unsigned int		state_num;
	struct work_struct	state_hash_work;
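Review bot: The new `state_cache_input` member is declared with a stray space after the tab (`struct hlist_head<TAB> __percpu *state_cache_input;`), so it does not line up with the `__rcu *state_bysrc` / `state_byspi` / `state_byseq` declarations above it; dropping that space keeps the column alignment. A per-netns `__percpu` hlist head also needs matching `alloc_percpu()`/`free_percpu()` in the netns init/exit path, which is not in this header — worth confirming at the definition site. I would add a one-line comment here saying what the cache indexes and who invalidates it, e.g. `/* per-cpu cache of inbound states, keyed like state_byspi; entries are dropped on state delete — confirm */`, since the header is the only place a reader will look for that contract. `struct netns_xfrm` starts and ends outside the hunk.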
+14 −3
@@ -19,6 +19,7 @@

#include <net/sock.h>
#include <net/dst.h>
#include <net/inet_dscp.h>
#include <net/ip.h>
#include <net/route.h>
#include <net/ipv6.h>
@@ -184,10 +185,13 @@ struct xfrm_state {
	};
	struct hlist_node	byspi;
	struct hlist_node	byseq;
	struct hlist_node	state_cache;
	struct hlist_node	state_cache_input;

	refcount_t		refcnt;
	spinlock_t		lock;

	u32			pcpu_num;
	struct xfrm_id		id;
	struct xfrm_selector	sel;
	struct xfrm_mark	mark;
@@ -351,7 +355,7 @@ void xfrm_if_unregister_cb(void);

struct xfrm_dst_lookup_params {
	struct net *net;
	int tos;
	dscp_t dscp;
	int oif;
	xfrm_address_t *saddr;
	xfrm_address_t *daddr;
@@ -536,6 +540,7 @@ struct xfrm_policy_queue {
 *	@xp_net: network namespace the policy lives in
 *	@bydst: hlist node for SPD hash table or rbtree list
 *	@byidx: hlist node for index hash table
 *	@state_cache_list: hlist head for policy cached xfrm states
 *	@lock: serialize changes to policy structure members
 *	@refcnt: reference count, freed once it reaches 0
 *	@pos: kernel internal tie-breaker to determine age of policy
@@ -566,6 +571,8 @@ struct xfrm_policy {
	struct hlist_node	bydst;
	struct hlist_node	byidx;

	struct hlist_head	state_cache_list;

	/* This lock only affects elements except for entry. */
	rwlock_t		lock;
	refcount_t		refcnt;
@@ -1645,6 +1652,10 @@ int xfrm_state_update(struct xfrm_state *x);
struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
				     const xfrm_address_t *daddr, __be32 spi,
				     u8 proto, unsigned short family);
struct xfrm_state *xfrm_input_state_lookup(struct net *net, u32 mark,
					   const xfrm_address_t *daddr,
					   __be32 spi, u8 proto,
					   unsigned short family);
struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
					    const xfrm_address_t *daddr,
					    const xfrm_address_t *saddr,
@@ -1684,7 +1695,7 @@ struct xfrmk_spdinfo {
	u32 spdhmcnt;
};

struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq, u32 pcpu_num);
int xfrm_state_delete(struct xfrm_state *x);
int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
@@ -1796,7 +1807,7 @@ int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack);
int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi,
		   struct netlink_ext_ack *extack);
struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
				 u8 mode, u32 reqid, u32 if_id, u8 proto,
				 u8 mode, u32 reqid, u32 if_id, u32 pcpu_num, u8 proto,
				 const xfrm_address_t *daddr,
				 const xfrm_address_t *saddr, int create,
				 unsigned short family);
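Review bot: The new `u32 pcpu_num;` field in `struct xfrm_state` and the new `xfrm_input_state_lookup()` declaration are both added without a comment, so the header does not say what `pcpu_num` selects or how the new lookup differs from `xfrm_state_lookup()` declared directly above it with the same parameter list. I would annotate the field as `u32 pcpu_num; /* per-CPU SA number (RFC 9611); distinguishes otherwise-identical states — confirm */` and put above the declaration `/* Receive-path variant of xfrm_state_lookup(); presumably consults the per-cpu state_cache_input first. */`, hedged because the cache semantics are only implied by the `state_cache_input` hlist node added to the state. Note also that `xfrm_find_acq()` and `xfrm_find_acq_byseq()` gained a `pcpu_num` parameter, so any caller outside this merge must be updated to pass it (the changed `xfrm_find_acq_byseq` line is a 95-column prototype; wrapping it like `xfrm_find_acq()` below would match the file's style). Each of these hunks cuts through a struct or a prototype list that continues outside the diff.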
+2 −0
@@ -322,6 +322,7 @@ enum xfrm_attr_type_t {
	XFRMA_MTIMER_THRESH,	/* __u32 in seconds for input SA */
	XFRMA_SA_DIR,		/* __u8 */
	XFRMA_NAT_KEEPALIVE_INTERVAL,	/* __u32 in seconds for NAT keepalive */
	XFRMA_SA_PCPU,		/* __u32 */
	__XFRMA_MAX

#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK	/* Compatibility */
@@ -437,6 +438,7 @@ struct xfrm_userpolicy_info {
#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
	/* Automatically expand selector to include matching ICMP payloads. */
#define XFRM_POLICY_ICMP	2
#define XFRM_POLICY_CPU_ACQUIRE	4
	__u8				share;
};
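Review bot: `XFRMA_SA_PCPU` is documented only as `/* __u32 */` and `XFRM_POLICY_CPU_ACQUIRE` gets no comment at all, while the neighbouring entries (`XFRMA_MTIMER_THRESH`, `XFRMA_NAT_KEEPALIVE_INTERVAL`, `XFRM_POLICY_ICMP`) each say what their value means; as this is UAPI, these comments are the only documentation userspace authors get. I would write `XFRMA_SA_PCPU, /* __u32: per-CPU SA number (RFC 9611) */` and `#define XFRM_POLICY_CPU_ACQUIRE 4 /* request one ACQUIRE per CPU for this policy */`, the second hedged on the name since the policy-side behaviour is not in this header. Because the attribute value is user-supplied over netlink, whatever consumes it in xfrm_user.c must bound-check it (e.g. against nr_cpu_ids) before it is used as an index or stored in `pcpu_num`; that check is outside this hunk and worth verifying. Appending the attribute at the end of `enum xfrm_attr_type_t` and using the next free flag bit is correct for ABI stability.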

+3 −3
@@ -53,7 +53,7 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
		if (sp->len == XFRM_MAX_DEPTH)
			goto out_reset;

		x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
		x = xfrm_input_state_lookup(dev_net(skb->dev), skb->mark,
					    (xfrm_address_t *)&ip_hdr(skb)->daddr,
					    spi, IPPROTO_ESP, AF_INET);

+2 −1
@@ -14,6 +14,7 @@
#include <linux/inetdevice.h>
#include <net/dst.h>
#include <net/xfrm.h>
#include <net/inet_dscp.h>
#include <net/ip.h>
#include <net/l3mdev.h>

@@ -24,7 +25,7 @@ static struct dst_entry *__xfrm4_dst_lookup(struct flowi4 *fl4,

	memset(fl4, 0, sizeof(*fl4));
	fl4->daddr = params->daddr->a4;
	fl4->flowi4_tos = params->tos;
	fl4->flowi4_tos = inet_dscp_to_dsfield(params->dscp);
	fl4->flowi4_l3mdev = l3mdev_master_ifindex_by_index(params->net,
							    params->oif);
	fl4->flowi4_mark = params->mark;