Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

+15

Documentation/networking/pktgen.txt

··· 108 108 MPLS_RND, VID_RND, SVID_RND 109 109 QUEUE_MAP_RND # queue map random 110 110 QUEUE_MAP_CPU # queue map mirrors smp_processor_id() 111 + IPSEC # Make IPsec encapsulation for packet 111 112 113 + pgset spi SPI_VALUE Set specific SA used to transform packet. 112 114 113 115 pgset "udp_src_min 9" set UDP source port min, If < udp_src_max, then 114 116 cycle through the port range. ··· 179 177 /proc/irq/XX/smp_affinity so the TX-interrupts gets bound to the same CPU. 180 178 as this reduces cache bouncing when freeing skb's. 181 179 180 + Enable IPsec 181 + ============ 182 + Default IPsec transformation with ESP encapsulation plus Transport mode 183 + could be enabled by simply setting: 184 + 185 + pgset "flag IPSEC" 186 + pgset "flows 1" 187 + 188 + To avoid breaking existing testbed scripts for using AH type and tunnel mode, 189 + user could use "pgset spi SPI_VALUE" to specify which formal of transformation 190 + to employ. 191 + 182 192 183 193 Current commands and configuration options 184 194 ========================================== ··· 239 225 UDPDST_RND 240 226 MACSRC_RND 241 227 MACDST_RND 228 + IPSEC 242 229 243 230 dst_min 244 231 dst_max

+2

include/net/xfrm.h

··· 1421 1421 xfrm_address_t *saddr, 1422 1422 unsigned short family, 1423 1423 u8 mode, u8 proto, u32 reqid); 1424 + struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi, 1425 + unsigned short family); 1424 1426 int xfrm_state_check_expire(struct xfrm_state *x); 1425 1427 void xfrm_state_insert(struct xfrm_state *x); 1426 1428 int xfrm_state_add(struct xfrm_state *x);

+66 -14

net/core/pktgen.c

··· 389 389 #ifdef CONFIG_XFRM 390 390 __u8 ipsmode; /* IPSEC mode (config) */ 391 391 __u8 ipsproto; /* IPSEC type (config) */ 392 + __u32 spi; 393 + struct dst_entry dst; 394 + struct dst_ops dstops; 392 395 #endif 393 396 char result[512]; 394 397 }; ··· 657 654 } 658 655 659 656 #ifdef CONFIG_XFRM 660 - if (pkt_dev->flags & F_IPSEC_ON) 657 + if (pkt_dev->flags & F_IPSEC_ON) { 661 658 seq_printf(seq, "IPSEC "); 659 + if (pkt_dev->spi) 660 + seq_printf(seq, "spi:%u", pkt_dev->spi); 661 + } 662 662 #endif 663 663 664 664 if (pkt_dev->flags & F_MACSRC_RND) ··· 1482 1476 sprintf(pg_result, "OK: flows=%u", pkt_dev->cflows); 1483 1477 return count; 1484 1478 } 1479 + #ifdef CONFIG_XFRM 1480 + if (!strcmp(name, "spi")) { 1481 + len = num_arg(&user_buffer[i], 10, &value); 1482 + if (len < 0) 1483 + return len; 1485 1484 1485 + i += len; 1486 + pkt_dev->spi = value; 1487 + sprintf(pg_result, "OK: spi=%u", pkt_dev->spi); 1488 + return count; 1489 + } 1490 + #endif 1486 1491 if (!strcmp(name, "flowlen")) { 1487 1492 len = num_arg(&user_buffer[i], 10, &value); 1488 1493 if (len < 0) ··· 2250 2233 struct xfrm_state *x = pkt_dev->flows[flow].x; 2251 2234 struct pktgen_net *pn = net_generic(dev_net(pkt_dev->odev), pg_net_id); 2252 2235 if (!x) { 2253 - /*slow path: we dont already have xfrm_state*/ 2254 - x = xfrm_stateonly_find(pn->net, DUMMY_MARK, 2255 - (xfrm_address_t *)&pkt_dev->cur_daddr, 2256 - (xfrm_address_t *)&pkt_dev->cur_saddr, 2257 - AF_INET, 2258 - pkt_dev->ipsmode, 2259 - pkt_dev->ipsproto, 0); 2236 + 2237 + if (pkt_dev->spi) { 2238 + /* We need as quick as possible to find the right SA 2239 + * Searching with minimum criteria to archieve this. 2240 + */ 2241 + x = xfrm_state_lookup_byspi(pn->net, htonl(pkt_dev->spi), AF_INET); 2242 + } else { 2243 + /* slow path: we dont already have xfrm_state */ 2244 + x = xfrm_stateonly_find(pn->net, DUMMY_MARK, 2245 + (xfrm_address_t *)&pkt_dev->cur_daddr, 2246 + (xfrm_address_t *)&pkt_dev->cur_saddr, 2247 + AF_INET, 2248 + pkt_dev->ipsmode, 2249 + pkt_dev->ipsproto, 0); 2250 + } 2260 2251 if (x) { 2261 2252 pkt_dev->flows[flow].x = x; 2262 2253 set_pkt_overhead(pkt_dev); ··· 2500 2475 2501 2476 2502 2477 #ifdef CONFIG_XFRM 2478 + static u32 pktgen_dst_metrics[RTAX_MAX + 1] = { 2479 + 2480 + [RTAX_HOPLIMIT] = 0x5, /* Set a static hoplimit */ 2481 + }; 2482 + 2503 2483 static int pktgen_output_ipsec(struct sk_buff *skb, struct pktgen_dev *pkt_dev) 2504 2484 { 2505 2485 struct xfrm_state *x = pkt_dev->flows[pkt_dev->curfl].x; 2506 2486 int err = 0; 2487 + struct net *net = dev_net(pkt_dev->odev); 2507 2488 2508 2489 if (!x) 2509 2490 return 0; 2510 2491 /* XXX: we dont support tunnel mode for now until 2511 2492 * we resolve the dst issue */ 2512 - if (x->props.mode != XFRM_MODE_TRANSPORT) 2493 + if ((x->props.mode != XFRM_MODE_TRANSPORT) && (pkt_dev->spi == 0)) 2513 2494 return 0; 2514 2495 2515 - spin_lock(&x->lock); 2496 + /* But when user specify an valid SPI, transformation 2497 + * supports both transport/tunnel mode + ESP/AH type. 2498 + */ 2499 + if ((x->props.mode == XFRM_MODE_TUNNEL) && (pkt_dev->spi != 0)) 2500 + skb->_skb_refdst = (unsigned long)&pkt_dev->dst | SKB_DST_NOREF; 2516 2501 2502 + rcu_read_lock_bh(); 2517 2503 err = x->outer_mode->output(x, skb); 2518 - if (err) 2504 + rcu_read_unlock_bh(); 2505 + if (err) { 2506 + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEMODEERROR); 2519 2507 goto error; 2508 + } 2520 2509 err = x->type->output(x, skb); 2521 - if (err) 2510 + if (err) { 2511 + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEPROTOERROR); 2522 2512 goto error; 2523 - 2513 + } 2514 + spin_lock_bh(&x->lock); 2524 2515 x->curlft.bytes += skb->len; 2525 2516 x->curlft.packets++; 2517 + spin_unlock_bh(&x->lock); 2526 2518 error: 2527 - spin_unlock(&x->lock); 2528 2519 return err; 2529 2520 } 2530 2521 ··· 3583 3542 #ifdef CONFIG_XFRM 3584 3543 pkt_dev->ipsmode = XFRM_MODE_TRANSPORT; 3585 3544 pkt_dev->ipsproto = IPPROTO_ESP; 3545 + 3546 + /* xfrm tunnel mode needs additional dst to extract outter 3547 + * ip header protocol/ttl/id field, here creat a phony one. 3548 + * instead of looking for a valid rt, which definitely hurting 3549 + * performance under such circumstance. 3550 + */ 3551 + pkt_dev->dstops.family = AF_INET; 3552 + pkt_dev->dst.dev = pkt_dev->odev; 3553 + dst_init_metrics(&pkt_dev->dst, pktgen_dst_metrics, false); 3554 + pkt_dev->dst.child = &pkt_dev->dst; 3555 + pkt_dev->dst.ops = &pkt_dev->dstops; 3586 3556 #endif 3587 3557 3588 3558 return add_dev_to_thread(t, pkt_dev);

+3 -3

net/xfrm/xfrm_input.c

··· 67 67 case IPPROTO_COMP: 68 68 if (!pskb_may_pull(skb, sizeof(struct ip_comp_hdr))) 69 69 return -EINVAL; 70 - *spi = htonl(ntohs(*(__be16*)(skb_transport_header(skb) + 2))); 70 + *spi = htonl(ntohs(*(__be16 *)(skb_transport_header(skb) + 2))); 71 71 *seq = 0; 72 72 return 0; 73 73 default: ··· 77 77 if (!pskb_may_pull(skb, hlen)) 78 78 return -EINVAL; 79 79 80 - *spi = *(__be32*)(skb_transport_header(skb) + offset); 81 - *seq = *(__be32*)(skb_transport_header(skb) + offset_seq); 80 + *spi = *(__be32 *)(skb_transport_header(skb) + offset); 81 + *seq = *(__be32 *)(skb_transport_header(skb) + offset_seq); 82 82 return 0; 83 83 } 84 84

+16 -16

net/xfrm/xfrm_policy.c

··· 171 171 172 172 static void xfrm_policy_timer(unsigned long data) 173 173 { 174 - struct xfrm_policy *xp = (struct xfrm_policy*)data; 174 + struct xfrm_policy *xp = (struct xfrm_policy *)data; 175 175 unsigned long now = get_seconds(); 176 176 long next = LONG_MAX; 177 177 int warn = 0; ··· 1286 1286 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family); 1287 1287 xfrm_address_t tmp; 1288 1288 1289 - for (nx=0, i = 0; i < policy->xfrm_nr; i++) { 1289 + for (nx = 0, i = 0; i < policy->xfrm_nr; i++) { 1290 1290 struct xfrm_state *x; 1291 1291 xfrm_address_t *remote = daddr; 1292 1292 xfrm_address_t *local = saddr; ··· 1316 1316 error = (x->km.state == XFRM_STATE_ERROR ? 1317 1317 -EINVAL : -EAGAIN); 1318 1318 xfrm_state_put(x); 1319 - } 1320 - else if (error == -ESRCH) 1319 + } else if (error == -ESRCH) { 1321 1320 error = -EAGAIN; 1321 + } 1322 1322 1323 1323 if (!tmpl->optional) 1324 1324 goto fail; ··· 1326 1326 return nx; 1327 1327 1328 1328 fail: 1329 - for (nx--; nx>=0; nx--) 1329 + for (nx--; nx >= 0; nx--) 1330 1330 xfrm_state_put(xfrm[nx]); 1331 1331 return error; 1332 1332 } ··· 1363 1363 return cnx; 1364 1364 1365 1365 fail: 1366 - for (cnx--; cnx>=0; cnx--) 1366 + for (cnx--; cnx >= 0; cnx--) 1367 1367 xfrm_state_put(tpp[cnx]); 1368 1368 return error; 1369 1369 ··· 1706 1706 xfrm_pols_put(pols, *num_pols); 1707 1707 return PTR_ERR(pols[1]); 1708 1708 } 1709 - (*num_pols) ++; 1709 + (*num_pols)++; 1710 1710 (*num_xfrms) += pols[1]->xfrm_nr; 1711 1711 } 1712 1712 } ··· 1760 1760 } 1761 1761 1762 1762 xdst->num_pols = num_pols; 1763 - memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols); 1763 + memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols); 1764 1764 xdst->policy_genid = atomic_read(&pols[0]->genid); 1765 1765 1766 1766 return xdst; ··· 2029 2029 } 2030 2030 xdst->num_pols = num_pols; 2031 2031 xdst->num_xfrms = num_xfrms; 2032 - memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols); 2032 + memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols); 2033 2033 2034 2034 dst_hold(&xdst->u.dst); 2035 2035 return &xdst->flo; ··· 2138 2138 2139 2139 num_pols = xdst->num_pols; 2140 2140 num_xfrms = xdst->num_xfrms; 2141 - memcpy(pols, xdst->pols, sizeof(struct xfrm_policy*) * num_pols); 2141 + memcpy(pols, xdst->pols, sizeof(struct xfrm_policy *) * num_pols); 2142 2142 route = xdst->route; 2143 2143 } 2144 2144 ··· 2334 2334 if (skb->sp) { 2335 2335 int i; 2336 2336 2337 - for (i=skb->sp->len-1; i>=0; i--) { 2337 + for (i = skb->sp->len-1; i >= 0; i--) { 2338 2338 struct xfrm_state *x = skb->sp->xvec[i]; 2339 2339 if (!xfrm_selector_match(&x->sel, &fl, family)) { 2340 2340 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH); ··· 2380 2380 pol->curlft.use_time = get_seconds(); 2381 2381 2382 2382 pols[0] = pol; 2383 - npols ++; 2383 + npols++; 2384 2384 #ifdef CONFIG_XFRM_SUB_POLICY 2385 2385 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) { 2386 2386 pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, ··· 2392 2392 return 0; 2393 2393 } 2394 2394 pols[1]->curlft.use_time = get_seconds(); 2395 - npols ++; 2395 + npols++; 2396 2396 } 2397 2397 } 2398 2398 #endif ··· 2989 2989 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 2990 2990 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str); 2991 2991 2992 - switch(sel->family) { 2992 + switch (sel->family) { 2993 2993 case AF_INET: 2994 2994 audit_log_format(audit_buf, " src=%pI4", &sel->saddr.a4); 2995 2995 if (sel->prefixlen_s != 32) ··· 3066 3066 return false; 3067 3067 } 3068 3068 3069 - static struct xfrm_policy * xfrm_migrate_policy_find(const struct xfrm_selector *sel, 3070 - u8 dir, u8 type, struct net *net) 3069 + static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *sel, 3070 + u8 dir, u8 type, struct net *net) 3071 3071 { 3072 3072 struct xfrm_policy *pol, *ret = NULL; 3073 3073 struct hlist_head *chain;

+1 -1

net/xfrm/xfrm_proc.c

··· 52 52 { 53 53 struct net *net = seq->private; 54 54 int i; 55 - for (i=0; xfrm_mib_list[i].name; i++) 55 + for (i = 0; xfrm_mib_list[i].name; i++) 56 56 seq_printf(seq, "%-24s\t%lu\n", xfrm_mib_list[i].name, 57 57 snmp_fold_field((void __percpu **) 58 58 net->mib.xfrm_statistics,

+33 -11

net/xfrm/xfrm_state.c

··· 382 382 return secs*HZ; 383 383 } 384 384 385 - static enum hrtimer_restart xfrm_timer_handler(struct hrtimer * me) 385 + static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me) 386 386 { 387 387 struct tasklet_hrtimer *thr = container_of(me, struct tasklet_hrtimer, timer); 388 388 struct xfrm_state *x = container_of(thr, struct xfrm_state, mtimer); ··· 448 448 if (warn) 449 449 km_state_expired(x, 0, 0); 450 450 resched: 451 - if (next != LONG_MAX){ 451 + if (next != LONG_MAX) { 452 452 tasklet_hrtimer_start(&x->mtimer, ktime_set(next, 0), HRTIMER_MODE_REL); 453 453 } 454 454 ··· 890 890 unsigned int h; 891 891 struct xfrm_state *rx = NULL, *x = NULL; 892 892 893 - spin_lock(&net->xfrm.xfrm_state_lock); 893 + spin_lock_bh(&net->xfrm.xfrm_state_lock); 894 894 h = xfrm_dst_hash(net, daddr, saddr, reqid, family); 895 895 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 896 896 if (x->props.family == family && ··· 908 908 909 909 if (rx) 910 910 xfrm_state_hold(rx); 911 - spin_unlock(&net->xfrm.xfrm_state_lock); 911 + spin_unlock_bh(&net->xfrm.xfrm_state_lock); 912 912 913 913 914 914 return rx; 915 915 } 916 916 EXPORT_SYMBOL(xfrm_stateonly_find); 917 + 918 + struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi, 919 + unsigned short family) 920 + { 921 + struct xfrm_state *x; 922 + struct xfrm_state_walk *w; 923 + 924 + spin_lock_bh(&net->xfrm.xfrm_state_lock); 925 + list_for_each_entry(w, &net->xfrm.state_all, all) { 926 + x = container_of(w, struct xfrm_state, km); 927 + if (x->props.family != family || 928 + x->id.spi != spi) 929 + continue; 930 + 931 + spin_unlock_bh(&net->xfrm.xfrm_state_lock); 932 + xfrm_state_hold(x); 933 + return x; 934 + } 935 + spin_unlock_bh(&net->xfrm.xfrm_state_lock); 936 + return NULL; 937 + } 938 + EXPORT_SYMBOL(xfrm_state_lookup_byspi); 917 939 918 940 static void __xfrm_state_insert(struct xfrm_state *x) 919 941 { ··· 1259 1237 } 1260 1238 EXPORT_SYMBOL(xfrm_migrate_state_find); 1261 1239 1262 - struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x, 1263 - struct xfrm_migrate *m) 1240 + struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x, 1241 + struct xfrm_migrate *m) 1264 1242 { 1265 1243 struct xfrm_state *xc; 1266 1244 int err; ··· 1370 1348 if (x->curlft.bytes >= x->lft.hard_byte_limit || 1371 1349 x->curlft.packets >= x->lft.hard_packet_limit) { 1372 1350 x->km.state = XFRM_STATE_EXPIRED; 1373 - tasklet_hrtimer_start(&x->mtimer, ktime_set(0,0), HRTIMER_MODE_REL); 1351 + tasklet_hrtimer_start(&x->mtimer, ktime_set(0, 0), HRTIMER_MODE_REL); 1374 1352 return -EINVAL; 1375 1353 } 1376 1354 ··· 1564 1542 x->id.spi = minspi; 1565 1543 } else { 1566 1544 u32 spi = 0; 1567 - for (h=0; h<high-low+1; h++) { 1545 + for (h = 0; h < high-low+1; h++) { 1568 1546 spi = low + net_random()%(high-low+1); 1569 1547 x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family); 1570 1548 if (x0 == NULL) { ··· 1652 1630 1653 1631 static void xfrm_replay_timer_handler(unsigned long data) 1654 1632 { 1655 - struct xfrm_state *x = (struct xfrm_state*)data; 1633 + struct xfrm_state *x = (struct xfrm_state *)data; 1656 1634 1657 1635 spin_lock(&x->lock); 1658 1636 ··· 2101 2079 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 2102 2080 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str); 2103 2081 2104 - switch(x->props.family) { 2082 + switch (x->props.family) { 2105 2083 case AF_INET: 2106 2084 audit_log_format(audit_buf, " src=%pI4 dst=%pI4", 2107 2085 &x->props.saddr.a4, &x->id.daddr.a4); ··· 2131 2109 iph6 = ipv6_hdr(skb); 2132 2110 audit_log_format(audit_buf, 2133 2111 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x", 2134 - &iph6->saddr,&iph6->daddr, 2112 + &iph6->saddr, &iph6->daddr, 2135 2113 iph6->flow_lbl[0] & 0x0f, 2136 2114 iph6->flow_lbl[1], 2137 2115 iph6->flow_lbl[2]);

+3 -3

net/xfrm/xfrm_user.c

··· 1731 1731 return -EMSGSIZE; 1732 1732 1733 1733 id = nlmsg_data(nlh); 1734 - memcpy(&id->sa_id.daddr, &x->id.daddr,sizeof(x->id.daddr)); 1734 + memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr)); 1735 1735 id->sa_id.spi = x->id.spi; 1736 1736 id->sa_id.family = x->props.family; 1737 1737 id->sa_id.proto = x->id.proto; 1738 - memcpy(&id->saddr, &x->props.saddr,sizeof(x->props.saddr)); 1738 + memcpy(&id->saddr, &x->props.saddr, sizeof(x->props.saddr)); 1739 1739 id->reqid = x->props.reqid; 1740 1740 id->flags = c->data.aevent; 1741 1741 ··· 1824 1824 struct net *net = sock_net(skb->sk); 1825 1825 struct xfrm_state *x; 1826 1826 struct km_event c; 1827 - int err = - EINVAL; 1827 + int err = -EINVAL; 1828 1828 u32 mark = 0; 1829 1829 struct xfrm_mark m; 1830 1830 struct xfrm_aevent_id *p = nlmsg_data(nlh);