Remove ipsec_copy_policy and ipsec_copy_pcbpolicy. No functional change,
since we used only ipsec_copy_pcbpolicy, and it was a no-op.

Originally we were using ipsec_copy_policy to optimize the IPsec-PCB cache: when an ACK was received in response to a SYN, we used to copy the SP cached in the SYN's PCB into the ACK's PCB, so that ipsec_getpolicybysock could use the cached SP instead of requerying it.

Then we switched to ipsec_copy_pcbpolicy, which has always been a no-op. As a result the SP cached in the SYN's PCB was/is not copied into the ACK's PCB, and the first call to ipsec_getpolicybysock had to query the SP and cache it itself. It's not totally clear to me why this change was made.

But it has been this way for years, and after a conversation with Ryota Ozaki it turns out the optimization is not valid anymore due to MP-ification, so it won't be re-enabled.

ok ozaki-r@
parent
9e4ad71de9
commit
d40270d9c9
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: tcp_input.c,v 1.403 2018/03/30 08:25:06 maxv Exp $ */
|
/* $NetBSD: tcp_input.c,v 1.404 2018/04/03 09:03:59 maxv Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||||
@ -148,7 +148,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.403 2018/03/30 08:25:06 maxv Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.404 2018/04/03 09:03:59 maxv Exp $");
|
||||||
|
|
||||||
#ifdef _KERNEL_OPT
|
#ifdef _KERNEL_OPT
|
||||||
#include "opt_inet.h"
|
#include "opt_inet.h"
|
||||||
@ -3896,29 +3896,6 @@ syn_cache_get(struct sockaddr *src, struct sockaddr *dst,
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(IPSEC)
|
|
||||||
if (ipsec_used) {
|
|
||||||
/*
|
|
||||||
* we make a copy of policy, instead of sharing the policy, for
|
|
||||||
* better behavior in terms of SA lookup and dead SA removal.
|
|
||||||
*/
|
|
||||||
if (inp) {
|
|
||||||
/* copy old policy into new socket's */
|
|
||||||
if (ipsec_copy_pcbpolicy(sotoinpcb(oso)->inp_sp,
|
|
||||||
inp->inp_sp))
|
|
||||||
printf("tcp_input: could not copy policy\n");
|
|
||||||
}
|
|
||||||
#ifdef INET6
|
|
||||||
else if (in6p) {
|
|
||||||
/* copy old policy into new socket's */
|
|
||||||
if (ipsec_copy_pcbpolicy(sotoin6pcb(oso)->in6p_sp,
|
|
||||||
in6p->in6p_sp))
|
|
||||||
printf("tcp_input: could not copy policy\n");
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Give the new socket our cached route reference.
|
* Give the new socket our cached route reference.
|
||||||
*/
|
*/
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: ipsec.c,v 1.152 2018/03/31 19:27:14 maxv Exp $ */
|
/* $NetBSD: ipsec.c,v 1.153 2018/04/03 09:03:59 maxv Exp $ */
|
||||||
/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
|
/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
|
||||||
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
|
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
|
||||||
|
|
||||||
@ -32,7 +32,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.152 2018/03/31 19:27:14 maxv Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.153 2018/04/03 09:03:59 maxv Exp $");
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* IPsec controller part.
|
* IPsec controller part.
|
||||||
@ -179,9 +179,6 @@ static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
|
|||||||
static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
|
static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
|
||||||
#endif
|
#endif
|
||||||
static void ipsec_delpcbpolicy(struct inpcbpolicy *);
|
static void ipsec_delpcbpolicy(struct inpcbpolicy *);
|
||||||
#if 0 /* unused */
|
|
||||||
static struct secpolicy *ipsec_deepcopy_policy(const struct secpolicy *);
|
|
||||||
#endif
|
|
||||||
static void ipsec_destroy_policy(struct secpolicy *);
|
static void ipsec_destroy_policy(struct secpolicy *);
|
||||||
static int ipsec_sp_reject(const struct secpolicy *, const struct mbuf *);
|
static int ipsec_sp_reject(const struct secpolicy *, const struct mbuf *);
|
||||||
static void vshiftl(unsigned char *, int, int);
|
static void vshiftl(unsigned char *, int, int);
|
||||||
@ -1131,78 +1128,6 @@ ipsec_init_policy(struct socket *so, struct inpcbpolicy **policy)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if 0 /* unused */
|
|
||||||
/* copy old ipsec policy into new */
|
|
||||||
int
|
|
||||||
ipsec_copy_policy(const struct inpcbpolicy *old, struct inpcbpolicy *new)
|
|
||||||
{
|
|
||||||
struct secpolicy *sp;
|
|
||||||
|
|
||||||
sp = ipsec_deepcopy_policy(old->sp_in);
|
|
||||||
if (sp) {
|
|
||||||
KEY_SP_UNREF(&new->sp_in);
|
|
||||||
new->sp_in = sp;
|
|
||||||
} else
|
|
||||||
return ENOBUFS;
|
|
||||||
|
|
||||||
sp = ipsec_deepcopy_policy(old->sp_out);
|
|
||||||
if (sp) {
|
|
||||||
KEY_SP_UNREF(&new->sp_out);
|
|
||||||
new->sp_out = sp;
|
|
||||||
} else
|
|
||||||
return ENOBUFS;
|
|
||||||
|
|
||||||
new->priv = old->priv;
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* deep-copy a policy in PCB */
|
|
||||||
static struct secpolicy *
|
|
||||||
ipsec_deepcopy_policy(const struct secpolicy *src)
|
|
||||||
{
|
|
||||||
struct ipsecrequest *newchain = NULL;
|
|
||||||
const struct ipsecrequest *p;
|
|
||||||
struct ipsecrequest **q;
|
|
||||||
struct secpolicy *dst;
|
|
||||||
|
|
||||||
if (src == NULL)
|
|
||||||
return NULL;
|
|
||||||
dst = KEY_NEWSP();
|
|
||||||
if (dst == NULL)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* deep-copy IPsec request chain. This is required since struct
|
|
||||||
* ipsecrequest is not reference counted.
|
|
||||||
*/
|
|
||||||
q = &newchain;
|
|
||||||
for (p = src->req; p; p = p->next) {
|
|
||||||
*q = kmem_zalloc(sizeof(**q), KM_SLEEP);
|
|
||||||
(*q)->next = NULL;
|
|
||||||
|
|
||||||
(*q)->saidx.proto = p->saidx.proto;
|
|
||||||
(*q)->saidx.mode = p->saidx.mode;
|
|
||||||
(*q)->level = p->level;
|
|
||||||
(*q)->saidx.reqid = p->saidx.reqid;
|
|
||||||
|
|
||||||
memcpy(&(*q)->saidx.src, &p->saidx.src, sizeof((*q)->saidx.src));
|
|
||||||
memcpy(&(*q)->saidx.dst, &p->saidx.dst, sizeof((*q)->saidx.dst));
|
|
||||||
|
|
||||||
(*q)->sp = dst;
|
|
||||||
|
|
||||||
q = &((*q)->next);
|
|
||||||
}
|
|
||||||
|
|
||||||
dst->req = newchain;
|
|
||||||
dst->state = src->state;
|
|
||||||
dst->policy = src->policy;
|
|
||||||
/* do not touch the refcnt fields */
|
|
||||||
|
|
||||||
return dst;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ipsec_destroy_policy(struct secpolicy *sp)
|
ipsec_destroy_policy(struct secpolicy *sp)
|
||||||
{
|
{
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: ipsec.h,v 1.71 2018/02/27 15:01:30 maxv Exp $ */
|
/* $NetBSD: ipsec.h,v 1.72 2018/04/03 09:03:59 maxv Exp $ */
|
||||||
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
|
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
|
||||||
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
|
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
|
||||||
|
|
||||||
@ -278,13 +278,6 @@ int ipsec4_forward(struct mbuf *, int *);
|
|||||||
int ipsec6_input(struct mbuf *);
|
int ipsec6_input(struct mbuf *);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static __inline int
|
|
||||||
ipsec_copy_pcbpolicy(struct inpcbpolicy *oldp, struct inpcbpolicy *newp)
|
|
||||||
{
|
|
||||||
/* XXX do nothing */
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
struct inpcb;
|
struct inpcb;
|
||||||
#define ipsec_init_pcbpolicy ipsec_init_policy
|
#define ipsec_init_pcbpolicy ipsec_init_policy
|
||||||
int ipsec_init_policy(struct socket *so, struct inpcbpolicy **);
|
int ipsec_init_policy(struct socket *so, struct inpcbpolicy **);
|
||||||
|