b58555f176
The idea is an extension of the current policy hashing. Today only non-prefixed policies are stored in a hash table. This patch relaxes the constraints, and hashes policies whose prefix lengths are greater than or equal to a configurable threshold. Each hash table (one per direction) maintains its own set of IPv4 and IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32, 128, 128).

For example, if the output hash table is configured with values (16, 24, 56, 64):

ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \ src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \ src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \ src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed

The high order bits of the addresses (up to the threshold) are used to compute the hash key.

Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
#ifndef __NETNS_XFRM_H
#define __NETNS_XFRM_H
#include <linux/list.h>
#include <linux/wait.h>
#include <linux/workqueue.h>
#include <linux/xfrm.h>
#include <net/dst_ops.h>
#include <net/flowcache.h>
struct ctl_table_header;
/*
 * One hash table of xfrm policies (there is one per policy direction, see
 * netns_xfrm.policy_bydst).  Only policies whose selector prefix lengths
 * reach the per-family thresholds below are stored here; policies that do
 * not qualify are presumably kept on netns_xfrm.policy_inexact instead.
 */
struct xfrm_policy_hash {
	struct hlist_head *table;	/* bucket array; presumably hmask + 1 buckets — confirm */
	unsigned int hmask;		/* mask applied to the computed hash to pick a bucket */
	/*
	 * Prefix-length thresholds: a policy is hashed when its destination
	 * (dbits*) and source (sbits*) prefix lengths are greater than or
	 * equal to these values.  Defaults are 32, 32, 128, 128, i.e. only
	 * host-address policies are hashed unless the thresholds are lowered.
	 * The high-order address bits up to the threshold form the hash key.
	 * NOTE(review): a threshold above 32 (IPv4) or 128 (IPv6) is
	 * meaningless; range checking is expected where the values are
	 * configured, not here — confirm at the configuration path.
	 */
	u8 dbits4;
	u8 sbits4;
	u8 dbits6;
	u8 sbits6;
};
/*
 * Per-network-namespace xfrm (IPsec transform) state: the SA (xfrm_state)
 * list and lookup tables, the policy list and lookup tables, configuration
 * sockets, sysctl tunables, locks, and the flow cache.
 * NOTE(review): which lock protects which table is not stated in this
 * header; presumably xfrm_state_lock covers the state_* members and
 * xfrm_policy_lock the policy_* members — confirm in net/xfrm/.
 */
struct netns_xfrm {
	struct list_head state_all;	/* list of all SAs in this namespace (presumably) */
	/*
	 * Hash table to find appropriate SA towards given target (endpoint of
	 * tunnel or destination of transport mode) allowed by selector.
	 *
	 * Main use is finding SA after policy selected tunnel or transport
	 * mode. Also, it can be used by ah/esp icmp error handler to find
	 * offending SA.
	 */
	struct hlist_head *state_bydst;
	struct hlist_head *state_bysrc;	/* SA lookup keyed by source address (presumably) */
	struct hlist_head *state_byspi;	/* SA lookup keyed by SPI (presumably) */
	unsigned int state_hmask;	/* bucket mask shared by the state_by* tables (presumably) */
	unsigned int state_num;		/* number of SAs; presumably drives resizing via state_hash_work */
	struct work_struct state_hash_work;	/* deferred work on the SA hash tables */
	struct hlist_head state_gc_list;	/* SAs queued for release by state_gc_work (presumably) */
	struct work_struct state_gc_work;

	struct list_head policy_all;	/* list of all policies in this namespace (presumably) */
	struct hlist_head *policy_byidx;	/* policy lookup keyed by index (presumably) */
	unsigned int policy_idx_hmask;	/* bucket mask for policy_byidx */
	/*
	 * Policies whose prefix lengths do not reach the thresholds of the
	 * corresponding policy_bydst table are presumably kept here, one list
	 * per direction slot.  The arrays hold XFRM_POLICY_MAX * 2 slots; the
	 * use of the second half is not visible in this header — confirm.
	 */
	struct hlist_head policy_inexact[XFRM_POLICY_MAX * 2];
	/* hashed policies, one table (with its own thresholds) per direction slot */
	struct xfrm_policy_hash policy_bydst[XFRM_POLICY_MAX * 2];
	unsigned int policy_count[XFRM_POLICY_MAX * 2];	/* policies per direction slot (presumably) */
	struct work_struct policy_hash_work;	/* deferred work on the policy hash tables */


	struct sock *nlsk;		/* xfrm netlink socket for this namespace (presumably) */
	struct sock *nlsk_stash;

	/* tunables; their registration and semantics live where sysctl_hdr is set up */
	u32 sysctl_aevent_etime;
	u32 sysctl_aevent_rseqth;
	int sysctl_larval_drop;
	u32 sysctl_acq_expires;
#ifdef CONFIG_SYSCTL
	struct ctl_table_header *sysctl_hdr;
#endif

	/* dst_ops for the xfrm routing layer, per address family */
	struct dst_ops xfrm4_dst_ops;
#if IS_ENABLED(CONFIG_IPV6)
	struct dst_ops xfrm6_dst_ops;
#endif
	spinlock_t xfrm_state_lock;
	rwlock_t xfrm_policy_lock;
	struct mutex xfrm_cfg_mutex;	/* serializes configuration changes (presumably) */

	/* flow cache part */
	struct flow_cache flow_cache_global;
	atomic_t flow_cache_genid;	/* generation id; bumped to invalidate cached flows (presumably) */
	struct list_head flow_cache_gc_list;
	spinlock_t flow_cache_gc_lock;	/* guards flow_cache_gc_list (presumably) */
	struct work_struct flow_cache_gc_work;
	struct work_struct flow_cache_flush_work;
	struct mutex flow_flush_sem;
};
#endif