Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 80c802f3 authored by Timo Teräs's avatar Timo Teräs Committed by David S. Miller
Browse files

xfrm: cache bundles instead of policies for outgoing flows 



__xfrm_lookup() is called for each packet transmitted out of
system. The xfrm_find_bundle() does a linear search which can
kill system performance depending on how many bundles are
required per policy.

This modifies __xfrm_lookup() to store bundles directly in
the flow cache. If we did not get a hit, we just create a new
bundle instead of doing slow search. This means that we can now
get multiple xfrm_dst's for same flow (on per-cpu basis).

Signed-off-by: default avatarTimo Teras <timo.teras@iki.fi>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fe1a5f03

include/net/xfrm.h

+7 −3
Original line number Diff line number Diff line
@@ -267,7 +267,6 @@ struct xfrm_policy_afinfo { 
					       xfrm_address_t *saddr,

					       xfrm_address_t *daddr);

	int			(*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr);

	struct dst_entry	*(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);

	void			(*decode_session)(struct sk_buff *skb,

						  struct flowi *fl,

						  int reverse);
@@ -483,13 +482,13 @@ struct xfrm_policy { 
	struct timer_list	timer;



	struct flow_cache_object flo;

	atomic_t		genid;

	u32			priority;

	u32			index;

	struct xfrm_mark	mark;

	struct xfrm_selector	selector;

	struct xfrm_lifetime_cfg lft;

	struct xfrm_lifetime_cur curlft;

	struct dst_entry       *bundles;

	struct xfrm_policy_walk_entry walk;

	u8			type;

	u8			action;
@@ -879,11 +878,15 @@ struct xfrm_dst { 
		struct rt6_info		rt6;

	} u;

	struct dst_entry *route;

	struct flow_cache_object flo;

	struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];

	int num_pols, num_xfrms;

#ifdef CONFIG_XFRM_SUB_POLICY

	struct flowi *origin;

	struct xfrm_selector *partner;

#endif

	u32 genid;

	u32 xfrm_genid;

	u32 policy_genid;

	u32 route_mtu_cached;

	u32 child_mtu_cached;

	u32 route_cookie;
@@ -893,6 +896,7 @@ struct xfrm_dst { 
#ifdef CONFIG_XFRM

static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)

{

	xfrm_pols_put(xdst->pols, xdst->num_pols);

	dst_release(xdst->route);

	if (likely(xdst->u.dst.xfrm))

		xfrm_state_put(xdst->u.dst.xfrm);

net/ipv4/xfrm4_policy.c

+0 −22
Original line number Diff line number Diff line
@@ -59,27 +59,6 @@ static int xfrm4_get_saddr(struct net *net, 
	return 0;

}



static struct dst_entry *

__xfrm4_find_bundle(struct flowi *fl, struct xfrm_policy *policy)

{

	struct dst_entry *dst;



	read_lock_bh(&policy->lock);

	for (dst = policy->bundles; dst; dst = dst->next) {

		struct xfrm_dst *xdst = (struct xfrm_dst *)dst;

		if (xdst->u.rt.fl.oif == fl->oif &&	/*XXX*/

		    xdst->u.rt.fl.fl4_dst == fl->fl4_dst &&

		    xdst->u.rt.fl.fl4_src == fl->fl4_src &&

		    xdst->u.rt.fl.fl4_tos == fl->fl4_tos &&

		    xfrm_bundle_ok(policy, xdst, fl, AF_INET, 0)) {

			dst_clone(dst);

			break;

		}

	}

	read_unlock_bh(&policy->lock);

	return dst;

}



static int xfrm4_get_tos(struct flowi *fl)

{

	return fl->fl4_tos;
@@ -259,7 +238,6 @@ static struct xfrm_policy_afinfo xfrm4_policy_afinfo = { 
	.dst_ops =		&xfrm4_dst_ops,

	.dst_lookup =		xfrm4_dst_lookup,

	.get_saddr =		xfrm4_get_saddr,

	.find_bundle = 		__xfrm4_find_bundle,

	.decode_session =	_decode_session4,

	.get_tos =		xfrm4_get_tos,

	.init_path =		xfrm4_init_path,

net/ipv6/xfrm6_policy.c

+0 −31
Original line number Diff line number Diff line
@@ -67,36 +67,6 @@ static int xfrm6_get_saddr(struct net *net, 
	return 0;

}



static struct dst_entry *

__xfrm6_find_bundle(struct flowi *fl, struct xfrm_policy *policy)

{

	struct dst_entry *dst;



	/* Still not clear if we should set fl->fl6_{src,dst}... */

	read_lock_bh(&policy->lock);

	for (dst = policy->bundles; dst; dst = dst->next) {

		struct xfrm_dst *xdst = (struct xfrm_dst*)dst;

		struct in6_addr fl_dst_prefix, fl_src_prefix;



		ipv6_addr_prefix(&fl_dst_prefix,

				 &fl->fl6_dst,

				 xdst->u.rt6.rt6i_dst.plen);

		ipv6_addr_prefix(&fl_src_prefix,

				 &fl->fl6_src,

				 xdst->u.rt6.rt6i_src.plen);

		if (ipv6_addr_equal(&xdst->u.rt6.rt6i_dst.addr, &fl_dst_prefix) &&

		    ipv6_addr_equal(&xdst->u.rt6.rt6i_src.addr, &fl_src_prefix) &&

		    xfrm_bundle_ok(policy, xdst, fl, AF_INET6,

				   (xdst->u.rt6.rt6i_dst.plen != 128 ||

				    xdst->u.rt6.rt6i_src.plen != 128))) {

			dst_clone(dst);

			break;

		}

	}

	read_unlock_bh(&policy->lock);

	return dst;

}



static int xfrm6_get_tos(struct flowi *fl)

{

	return 0;
@@ -291,7 +261,6 @@ static struct xfrm_policy_afinfo xfrm6_policy_afinfo = { 
	.dst_ops =		&xfrm6_dst_ops,

	.dst_lookup =		xfrm6_dst_lookup,

	.get_saddr = 		xfrm6_get_saddr,

	.find_bundle =		__xfrm6_find_bundle,

	.decode_session =	_decode_session6,

	.get_tos =		xfrm6_get_tos,

	.init_path =		xfrm6_init_path,

net/xfrm/xfrm_policy.c

+376 −335

File changed.

Preview size limit exceeded, changes collapsed.