Date: Mon, 10 Apr 2006 15:28:00 GMT From: "George V. Neville-Neil" <gnn@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 94916 for review Message-ID: <200604101528.k3AFS0vv012005@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=94916 Change 94916 by gnn@gnn_devbox_fast_ipsec on 2006/04/10 15:27:36 Make it possible to build FAST_IPSEC with INET6. Fix an LOR in crypto.c that results from dealing with SA bundles when using direct dispatch Affected files ... .. //depot/projects/gnn_fast_ipsec/src/sys/netinet6/in6_proto.c#3 edit .. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.c#3 edit .. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.h#3 edit .. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec_output.c#3 edit .. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/key.c#5 edit .. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/keysock.c#5 edit .. //depot/projects/gnn_fast_ipsec/src/sys/opencrypto/crypto.c#3 edit Differences ... ==== //depot/projects/gnn_fast_ipsec/src/sys/netinet6/in6_proto.c#3 (text+ko) ==== @@ -129,11 +129,6 @@ #ifdef FAST_IPSEC #include <netipsec/ipsec6.h> -#define IPSEC -#define IPSEC_ESP -#define ah6_input ipsec6_common_input -#define esp6_input ipsec6_common_input -#define ipcomp6_input ipsec6_common_input #endif /* FAST_IPSEC */ #include <netinet6/ip6protosw.h> @@ -234,7 +229,7 @@ .pr_input = frag6_input, .pr_usrreqs = &nousrreqs }, -#ifdef IPSEC +#if defined(IPSEC) { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, @@ -243,7 +238,7 @@ .pr_input = ah6_input, .pr_usrreqs = &nousrreqs, }, -#ifdef IPSEC_ESP +#if defined(IPSEC_ESP) { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, @@ -253,7 +248,7 @@ .pr_ctlinput = esp6_ctlinput, .pr_usrreqs = &nousrreqs, }, -#endif +#endif /* IPSEC_ESP */ { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, 
@@ -263,6 +258,33 @@ .pr_usrreqs = &nousrreqs, }, #endif /* IPSEC */ +#if defined(FAST_IPSEC) +{ + .pr_type = SOCK_RAW, + .pr_domain = &inet6domain, + .pr_protocol = IPPROTO_AH, + .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_input = ipsec6_common_input, + .pr_usrreqs = &nousrreqs, +}, +{ + .pr_type = SOCK_RAW, + .pr_domain = &inet6domain, + .pr_protocol = IPPROTO_ESP, + .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_input = ipsec6_common_input, + .pr_ctlinput = esp6_ctlinput, + .pr_usrreqs = &nousrreqs, +}, +{ + .pr_type = SOCK_RAW, + .pr_domain = &inet6domain, + .pr_protocol = IPPROTO_IPCOMP, + .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_input = ipsec6_common_input, + .pr_usrreqs = &nousrreqs, +}, +#endif /* FAST_IPSEC */ #ifdef INET { .pr_type = SOCK_RAW, @@ -418,9 +440,9 @@ SYSCTL_NODE(_net_inet6, IPPROTO_ICMPV6, icmp6, CTLFLAG_RW, 0, "ICMP6"); SYSCTL_NODE(_net_inet6, IPPROTO_UDP, udp6, CTLFLAG_RW, 0, "UDP6"); SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp6, CTLFLAG_RW, 0, "TCP6"); -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, CTLFLAG_RW, 0, "IPSEC6"); -#endif /* IPSEC */ +#endif /* IPSEC || FAST_IPSEC */ /* net.inet6.ip6 */ static int ==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.c#3 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.12 2005/06/02 23:56:10 hmp Exp $ */ +/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.13 2006/03/25 13:38:52 gnn Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ /*- @@ -149,7 +149,8 @@ SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO, ipsecstats, CTLFLAG_RD, &newipsecstat, newipsecstat, ""); -#ifdef INET6 +#ifdef INET6 +struct newipsecstat newipsec6stat; int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; int ip6_esp_net_deflev = IPSEC_LEVEL_USE; int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; 
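Review bot: The `#if defined(FAST_IPSEC)` block added in the `@@ -263,6 +258,33 @@` hunk sits beside the existing `#if defined(IPSEC)` block rather than replacing it, so a build that defined both options would get two sets of AH/ESP/IPCOMP entries in this table. If the options are meant to be mutually exclusive, state it near the includes with `#if defined(IPSEC) && defined(FAST_IPSEC)` followed by `#error "IPSEC and FAST_IPSEC are mutually exclusive"`. A comment above the three new entries, such as `/* FAST_IPSEC: AH, ESP and IPCOMP all enter through ipsec6_common_input() */`, would keep the information that the removed `#define` aliases used to carry. Any other `#ifdef IPSEC` region in this file that the change does not touch now drops out of FAST_IPSEC builds; only the sysctl node in the `@@ -418,9 +440,9 @@` hunk is visibly handled, and the table itself starts and ends outside the hunk.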
@@ -180,6 +181,8 @@ debug, CTLFLAG_RW, &ipsec_debug, 0, ""); SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, ""); +SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, + ipsecstats, CTLFLAG_RD, &newipsec6stat, newipsecstat, ""); #endif /* INET6 */ static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb)); ==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.h#3 (text+ko) ==== ==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec_output.c#3 (text+ko) ==== ==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/key.c#5 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $FreeBSD: src/sys/netipsec/key.c,v 1.20 2005/01/07 01:45:46 imp Exp $ */ +/* $FreeBSD: src/sys/netipsec/key.c,v 1.21 2006/03/25 13:38:52 gnn Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ /*- @@ -6257,16 +6257,12 @@ static int key_expire(struct secasvar *sav) { - int s; int satype; struct mbuf *result = NULL, *m; int len; int error = -1; struct sadb_lifetime *lt; - /* XXX: Why do we lock ? */ - s = splnet(); /*called from softclock()*/ - IPSEC_ASSERT (sav != NULL, ("null sav")); IPSEC_ASSERT (sav->sah != NULL, ("null sa header")); @@ -6359,13 +6355,11 @@ mtod(result, struct sadb_msg *)->sadb_msg_len = PFKEY_UNIT64(result->m_pkthdr.len); - splx(s); return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); fail: if (result) m_freem(result); - splx(s); return error; } ==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/keysock.c#5 (text+ko) ==== @@ -81,7 +81,6 @@ { struct sadb_msg *msg; int len, error = 0; - int s; if (m == 0) panic("%s: NULL pointer was passed.\n", __func__); @@ -116,11 +115,8 @@ goto end; } - /*XXX giant lock*/ - s = splnet(); error = key_parse(m, so); m = NULL; - splx(s); end: if (m) m_freem(m); 
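Review bot: The `SYSCTL_STRUCT` added in the `@@ -180,6 +181,8 @@` hunk exports `newipsec6stat` with an empty description string, and the definition added in the `@@ -149,7 +149,8 @@` hunk has no comment saying what it counts. Nothing in the visible hunks updates `newipsec6stat` or declares it `extern` (the `ipsec.h` section of this change is empty), so as far as this page shows the node may report only zeroes; that should be confirmed against the IPv6 input and output paths. Suggested comment on the definition: `/* IPv6 counterpart of newipsecstat, exported read-only as net.inet6.ipsec6.ipsecstats */`, with a description such as `"IPsec IPv6 statistics"` in place of `""`.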
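Review bot: With `splnet()`/`splx()` removed in the `@@ -6257,16 +6257,12 @@` and `@@ -6359,13 +6355,11 @@` hunks, nothing in `key_expire()` records what protects `sav` and `sav->sah` while the expire message is built; the deleted comment at least noted that the function is called from softclock(). A locking contract above the function would help, for example `/* Locking: caller holds the lock that protects the SA this sav belongs to. */`, ideally backed by an assertion on that lock next to the existing `IPSEC_ASSERT` lines. Which lock that is cannot be determined from these hunks and needs confirming against the caller. The same applies to the `key_parse(m, so)` call in the keysock.c `@@ -116,11 +115,8 @@` hunk, where the "giant lock" remark is removed without a replacement.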
@@ -278,22 +274,18 @@ pfkeystat.in_total++; pfkeystat.in_bytes += m->m_pkthdr.len; if (m->m_len < sizeof(struct sadb_msg)) { -#if 1 m = m_pullup(m, sizeof(struct sadb_msg)); if (m == NULL) { pfkeystat.in_nomem++; return ENOBUFS; } -#else - /* don't bother pulling it up just for stats */ -#endif } if (m->m_len >= sizeof(struct sadb_msg)) { struct sadb_msg *msg; msg = mtod(m, struct sadb_msg *); pfkeystat.in_msgtype[msg->sadb_msg_type]++; } - + mtx_lock(&rawcb_mtx); LIST_FOREACH(rp, &rawcb_list, list) { if (rp->rcb_proto.sp_family != PF_KEY) @@ -344,11 +336,13 @@ if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) { m_freem(m); pfkeystat.in_nomem++; + mtx_unlock(&rawcb_mtx); return ENOBUFS; } if ((error = key_sendup0(rp, n, 0)) != 0) { m_freem(m); + mtx_unlock(&rawcb_mtx); return error; } @@ -362,6 +356,7 @@ error = 0; m_freem(m); } + mtx_unlock(&rawcb_mtx); return error; } @@ -372,7 +367,6 @@ static void key_abort(struct socket *so) { - raw_usrreqs.pru_abort(so); } @@ -384,29 +378,21 @@ key_attach(struct socket *so, int proto, struct thread *td) { struct keycb *kp; - int s, error; + int error; + + KASSERT(so->so_pcb == NULL, ("key_attach: so_pcb != NULL")); - if (sotorawcb(so) != 0) - return EISCONN; /* XXX panic? */ - kp = (struct keycb *)malloc(sizeof *kp, M_PCB, M_WAITOK|M_ZERO); /* XXX */ + /* XXX */ + MALLOC(kp, struct keycb *, sizeof *kp, M_PCB, M_WAITOK | M_ZERO); if (kp == 0) return ENOBUFS; - /* - * The splnet() is necessary to block protocols from sending - * error notifications (like RTM_REDIRECT or RTM_LOSING) while - * this PCB is extant but incompletely initialized. - * Probably we should try to do more of this work beforehand and - * eliminate the spl. - */ - s = splnet(); so->so_pcb = (caddr_t)kp; - error = raw_usrreqs.pru_attach(so, proto, td); + error = raw_attach(so, proto); kp = (struct keycb *)sotorawcb(so); if (error) { free(kp, M_PCB); so->so_pcb = (caddr_t) 0; - splx(s); return error; } 
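Review bot: The `@@ -344,11 +336,13 @@` hunk releases `rawcb_mtx` by hand on each early return and the `@@ -362,6 +356,7 @@` hunk adds a third `mtx_unlock` before the final return, so any exit added later inside the `LIST_FOREACH` has to remember the unlock too. A single exit keeps the lock balanced: replace the early returns with `error = ENOBUFS; goto out;` and `goto out;`, and end the function with `out: mtx_unlock(&rawcb_mtx); return error;`. `key_sendup0()` is also called with `rawcb_mtx` held; whether it takes socket-buffer locks, and whether that order matches the rest of the kernel, is not visible here and is worth checking in a change that is about lock order. The function body starts and ends outside these hunks.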
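Review bot: In the `@@ -384,29 +378,21 @@` hunk the deleted `splnet()` comment described a real ordering problem that the new code leaves unaddressed: `raw_attach()` is called before `key_attach()` has finished setting up the `keycb`, so if it publishes the PCB on `rawcb_list` (inferred, its body is not shown), `key_sendup_mbuf()` walking that list under `rawcb_mtx` could see a partly initialised entry. Either complete the `keycb` fields before calling `raw_attach()` or add a comment explaining why that window is harmless. Two smaller points: the `KASSERT` that replaces the `EISCONN` return disappears in kernels built without INVARIANTS, and an allocation with `M_WAITOK` does not return NULL, so the `if (kp == 0) return ENOBUFS;` that follows is dead code. The rest of key_attach continues in the next hunk.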
@@ -420,7 +406,6 @@ soisconnected(so); so->so_options |= SO_USELOOPBACK; - splx(s); return 0; } @@ -431,11 +416,7 @@ static int key_bind(struct socket *so, struct sockaddr *nam, struct thread *td) { - int s, error; - s = splnet(); - error = raw_usrreqs.pru_bind(so, nam, td); /* xxx just EINVAL */ - splx(s); - return error; + return EINVAL; } /* @@ -445,11 +426,7 @@ static int key_connect(struct socket *so, struct sockaddr *nam, struct thread *td) { - int s, error; - s = splnet(); - error = raw_usrreqs.pru_connect(so, nam, td); /* XXX just EINVAL */ - splx(s); - return error; + return EINVAL; } /* @@ -460,7 +437,6 @@ key_detach(struct socket *so) { struct keycb *kp = (struct keycb *)sotorawcb(so); - int s, error; KASSERT(kp != NULL, ("key_detach: kp == NULL")); if (kp->kp_raw.rcb_proto.sp_protocol @@ -479,11 +455,7 @@ static int key_disconnect(struct socket *so) { - int s, error; - s = splnet(); - error = raw_usrreqs.pru_disconnect(so); - splx(s); - return error; + return(raw_usrreqs.pru_disconnect(so)); } /* @@ -493,11 +465,7 @@ static int key_peeraddr(struct socket *so, struct sockaddr **nam) { - int s, error; - s = splnet(); - error = raw_usrreqs.pru_peeraddr(so, nam); - splx(s); - return error; + return(raw_usrreqs.pru_peeraddr(so, nam)); } /* @@ -508,11 +476,7 @@ key_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam, struct mbuf *control, struct thread *td) { - int s, error; - s = splnet(); - error = raw_usrreqs.pru_send(so, flags, m, nam, control, td); - splx(s); - return error; + return(raw_usrreqs.pru_send(so, flags, m, nam, control, td)); } /* @@ -522,11 +486,7 @@ static int key_shutdown(struct socket *so) { - int s, error; - s = splnet(); - error = raw_usrreqs.pru_shutdown(so); - splx(s); - return error; + return(raw_usrreqs.pru_shutdown(so)); } /* 
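Review bot: The one-line bodies introduced from the `@@ -479,11 +455,7 @@` hunk onward are written `return(raw_usrreqs.pru_disconnect(so));`, without the space that style(9) puts between `return` and the parenthesis; `return (raw_usrreqs.pru_disconnect(so));` is the usual form. The same applies to key_peeraddr, key_send and key_shutdown in the following hunks, and to key_sockaddr in the `@@ -536,11 +496,7 @@` hunk. key_bind and key_connect in the `@@ -431,11 +416,7 @@` and `@@ -445,11 +426,7 @@` hunks now return a bare `EINVAL` and lose the old "just EINVAL" remark; a comment such as `/* not supported on key sockets; the raw handler returned EINVAL as well */` would keep the reason visible.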
@@ -536,11 +496,7 @@ static int key_sockaddr(struct socket *so, struct sockaddr **nam) { - int s, error; - s = splnet(); - error = raw_usrreqs.pru_sockaddr(so, nam); - splx(s); - return error; + return(raw_usrreqs.pru_sockaddr(so, nam)); } struct pr_usrreqs key_usrreqs = { ==== //depot/projects/gnn_fast_ipsec/src/sys/opencrypto/crypto.c#3 (text+ko) ==== @@ -667,7 +667,6 @@ binuptime(&crp->crp_tstamp); #endif - CRYPTO_Q_LOCK(); if ((crp->crp_flags & CRYPTO_F_BATCH) == 0) { struct cryptocap *cap; /* @@ -689,7 +688,9 @@ * behind batch'd ops. */ crypto_drivers[hid].cc_qblocked = 1; + CRYPTO_Q_LOCK(); TAILQ_INSERT_TAIL(&crp_q, crp, crp_next); + CRYPTO_Q_UNLOCK(); cryptostats.cs_blocks++; result = 0; } @@ -698,7 +699,9 @@ * The driver is blocked, just queue the op until * it unblocks and the kernel thread gets kicked. */ + CRYPTO_Q_LOCK(); TAILQ_INSERT_TAIL(&crp_q, crp, crp_next); + CRYPTO_Q_UNLOCK(); result = 0; } } else { @@ -709,13 +712,14 @@ * when the operation is low priority and/or suitable * for batching. */ + CRYPTO_Q_LOCK(); wasempty = TAILQ_EMPTY(&crp_q); TAILQ_INSERT_TAIL(&crp_q, crp, crp_next); + CRYPTO_Q_UNLOCK(); if (wasempty) wakeup_one(&crp_q); result = 0; } - CRYPTO_Q_UNLOCK(); return result; }
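Review bot: After the `@@ -689,7 +688,9 @@` hunk, `crypto_drivers[hid].cc_qblocked = 1;` is written before `CRYPTO_Q_LOCK()` is taken, so the flag and the queue insert are no longer one atomic step with respect to other holders of the queue lock; `cryptostats.cs_blocks++` is outside it as well. If the unblock path clears `cc_qblocked` under that lock (not visible here), it can now run between the decision to queue and the insert, and the request would then wait on a flag that has just been set again. Keeping the flag write with the insert, `CRYPTO_Q_LOCK(); crypto_drivers[hid].cc_qblocked = 1; TAILQ_INSERT_TAIL(&crp_q, crp, crp_next); CRYPTO_Q_UNLOCK();`, narrows this but does not remove the window, so a comment stating why a late unblock cannot strand the request is needed either way. The enclosing function begins before the first hunk, and the test that selects the `@@ -698,7 +699,9 @@` branch is outside the lock too.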