xfrm: minor update to sdb and xfrm_policy comments
The spd is no longer maintained as a linear list. We also haven't been caching bundles in the xfrm_policy struct since 2010. While at it, add kdoc style comments for the xfrm_policy structure and extend the description of the current rbtree based search to mention why it needs to search the candidate set. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
parent
08c2182cf0
commit
17163f2367
@ -67,13 +67,15 @@
|
|||||||
- instance of a transformer, struct xfrm_state (=SA)
|
- instance of a transformer, struct xfrm_state (=SA)
|
||||||
- template to clone xfrm_state, struct xfrm_tmpl
|
- template to clone xfrm_state, struct xfrm_tmpl
|
||||||
|
|
||||||
SPD is plain linear list of xfrm_policy rules, ordered by priority.
|
SPD is organized as hash table (for policies that meet minimum address prefix
|
||||||
|
length setting, net->xfrm.policy_hthresh). Other policies are stored in
|
||||||
|
lists, sorted into rbtree ordered by destination and source address networks.
|
||||||
|
See net/xfrm/xfrm_policy.c for details.
|
||||||
|
|
||||||
(To be compatible with existing pfkeyv2 implementations,
|
(To be compatible with existing pfkeyv2 implementations,
|
||||||
many rules with priority of 0x7fffffff are allowed to exist and
|
many rules with priority of 0x7fffffff are allowed to exist and
|
||||||
such rules are ordered in an unpredictable way, thanks to bsd folks.)
|
such rules are ordered in an unpredictable way, thanks to bsd folks.)
|
||||||
|
|
||||||
Lookup is plain linear search until the first match with selector.
|
|
||||||
|
|
||||||
If "action" is "block", then we prohibit the flow, otherwise:
|
If "action" is "block", then we prohibit the flow, otherwise:
|
||||||
if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
|
if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
|
||||||
policy entry has list of up to XFRM_MAX_DEPTH transformations,
|
policy entry has list of up to XFRM_MAX_DEPTH transformations,
|
||||||
@ -86,8 +88,6 @@
|
|||||||
|---. child .-> dst -. xfrm .-> xfrm_state #3
|
|---. child .-> dst -. xfrm .-> xfrm_state #3
|
||||||
|---. child .-> NULL
|
|---. child .-> NULL
|
||||||
|
|
||||||
Bundles are cached at xrfm_policy struct (field ->bundles).
|
|
||||||
|
|
||||||
|
|
||||||
Resolution of xrfm_tmpl
|
Resolution of xrfm_tmpl
|
||||||
-----------------------
|
-----------------------
|
||||||
@ -526,6 +526,36 @@ struct xfrm_policy_queue {
|
|||||||
unsigned long timeout;
|
unsigned long timeout;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* struct xfrm_policy - xfrm policy
|
||||||
|
* @xp_net: network namespace the policy lives in
|
||||||
|
* @bydst: hlist node for SPD hash table or rbtree list
|
||||||
|
* @byidx: hlist node for index hash table
|
||||||
|
* @lock: serialize changes to policy structure members
|
||||||
|
* @refcnt: reference count, freed once it reaches 0
|
||||||
|
* @pos: kernel internal tie-breaker to determine age of policy
|
||||||
|
* @timer: timer
|
||||||
|
* @genid: generation, used to invalidate old policies
|
||||||
|
* @priority: priority, set by userspace
|
||||||
|
* @index: policy index (autogenerated)
|
||||||
|
* @if_id: virtual xfrm interface id
|
||||||
|
* @mark: packet mark
|
||||||
|
* @selector: selector
|
||||||
|
* @lft: liftime configuration data
|
||||||
|
* @curlft: liftime state
|
||||||
|
* @walk: list head on pernet policy list
|
||||||
|
* @polq: queue to hold packets while aqcuire operaion in progress
|
||||||
|
* @bydst_reinsert: policy tree node needs to be merged
|
||||||
|
* @type: XFRM_POLICY_TYPE_MAIN or _SUB
|
||||||
|
* @action: XFRM_POLICY_ALLOW or _BLOCK
|
||||||
|
* @flags: XFRM_POLICY_LOCALOK, XFRM_POLICY_ICMP
|
||||||
|
* @xfrm_nr: number of used templates in @xfrm_vec
|
||||||
|
* @family: protocol family
|
||||||
|
* @security: SELinux security label
|
||||||
|
* @xfrm_vec: array of templates to resolve state
|
||||||
|
* @rcu: rcu head, used to defer memory release
|
||||||
|
* @xdo: hardware offload state
|
||||||
|
*/
|
||||||
struct xfrm_policy {
|
struct xfrm_policy {
|
||||||
possible_net_t xp_net;
|
possible_net_t xp_net;
|
||||||
struct hlist_node bydst;
|
struct hlist_node bydst;
|
||||||
|
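Review bot: The new kernel-doc block for struct xfrm_policy carries spelling errors that will be copied verbatim into the generated documentation: `liftime` in both the @lft and @curlft descriptions, and `aqcuire operaion` in the @polq description; the lines should read ` * @lft: lifetime configuration data`, ` * @curlft: lifetime state` and ` * @polq: queue to hold packets while acquire operation in progress`. The @security line says `SELinux security label`, which reads as SELinux-specific; if the field is the generic LSM context (struct xfrm_sec_ctx), as its name suggests, `LSM security context` would be the more accurate wording, but the field's declaration is outside this hunk so that needs confirming. The `xrfm` typo that disappears with the removed bundles sentence survives in the nearby context line `Resolution of xrfm_tmpl`; since this commit is already a comment cleanup, it could be fixed in the same change.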
@ -109,7 +109,11 @@ struct xfrm_pol_inexact_node {
|
|||||||
* 4. saddr:any list from saddr tree
|
* 4. saddr:any list from saddr tree
|
||||||
*
|
*
|
||||||
* This result set then needs to be searched for the policy with
|
* This result set then needs to be searched for the policy with
|
||||||
* the lowest priority. If two results have same prio, youngest one wins.
|
* the lowest priority. If two candidates have the same priority, the
|
||||||
|
* struct xfrm_policy pos member with the lower number is used.
|
||||||
|
*
|
||||||
|
* This replicates previous single-list-search algorithm which would
|
||||||
|
* return first matching policy in the (ordered-by-priority) list.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
struct xfrm_pol_inexact_key {
|
struct xfrm_pol_inexact_key {
|
||||||
|
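Review bot: The rewritten tie-break sentence drops information the old one carried: the previous text said the youngest policy wins, the new text only says the candidate whose pos member is lower is used, and the struct's kernel-doc describes @pos as an age tie-breaker without saying which direction it grows in, so a reader can no longer tell whether lower pos means younger or older. Suggest stating it, hedged if needed, e.g. ` * struct xfrm_policy pos member with the lower number (the younger policy — confirm against how pos is assigned on insert) is used.`. Also, `the lowest priority` is ambiguous for xfrm, where a lower numeric priority is matched first; `the lowest priority value` avoids the "least important" reading. The final sentence would read better as `This replicates the previous single-list-search algorithm, which returned the first matching policy in the (ordered-by-priority) list.`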