From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH ipsec-next 04/11] xfrm: policy: return NULL when inexact search needed
Date: Wed, 7 Nov 2018 23:00:34 +0100 [thread overview]
Message-ID: <20181107220041.26205-5-fw@strlen.de> (raw)
In-Reply-To: <20181107220041.26205-1-fw@strlen.de>
currently policy_hash_bysel() returns the hash bucket list
(for exact policies), or the inexact list (when policy uses a prefix).
Searching this inexact list is slow, so it might be better to pre-sort
inexact lists into a tree or another data structure for faster
searching.
However, due to 'any' policies, that need to be searched in any case,
doing so will require that 'inexact' policies need to be handled
specially to decide the best search strategy. So change hash_bysel()
and return NULL if the policy can't be handled via the policy hash
table.
Right now, we simply use the inexact list when this happens, but
future patch can then implement a different strategy.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/xfrm/xfrm_policy.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 20d6815be0d7..b00c265f6be3 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -365,7 +365,7 @@ static struct hlist_head *policy_hash_bysel(struct net *net,
hash = __sel_hash(sel, family, hmask, dbits, sbits);
if (hash == hmask + 1)
- return &net->xfrm.policy_inexact[dir];
+ return NULL;
return rcu_dereference_check(net->xfrm.policy_bydst[dir].table,
lockdep_is_held(&net->xfrm.xfrm_policy_lock)) + hash;
@@ -625,6 +625,8 @@ static void xfrm_hash_rebuild(struct work_struct *work)
chain = policy_hash_bysel(net, &policy->selector,
policy->family,
xfrm_policy_id2dir(policy->index));
+ if (!chain)
+ chain = &net->xfrm.policy_inexact[dir];
hlist_for_each_entry(pol, chain, bydst) {
if (policy->priority >= pol->priority)
newpos = &pol->bydst;
@@ -781,7 +783,12 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
- delpol = xfrm_policy_insert_list(chain, policy, excl);
+ if (chain) {
+ delpol = xfrm_policy_insert_list(chain, policy, excl);
+ } else {
+ chain = &net->xfrm.policy_inexact[dir];
+ delpol = xfrm_policy_insert_list(chain, policy, excl);
+ }
if (IS_ERR(delpol)) {
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
@@ -829,6 +836,8 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id,
*err = 0;
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
chain = policy_hash_bysel(net, sel, sel->family, dir);
+ if (!chain)
+ chain = &net->xfrm.policy_inexact[dir];
ret = NULL;
hlist_for_each_entry(pol, chain, bydst) {
if (pol->type == type &&
--
2.18.1
next prev parent reply other threads:[~2018-11-08 7:36 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-07 22:00 [PATCH ipsec-next 00/11] xfrm: policy: add inexact policy search tree Florian Westphal
2018-11-07 22:00 ` [PATCH ipsec-next 01/11] selftests: add xfrm policy test script Florian Westphal
2018-11-07 22:00 ` [PATCH ipsec-next 02/11] xfrm: security: iterate all, not inexact lists Florian Westphal
2018-11-07 22:00 ` [PATCH ipsec-next 03/11] xfrm: policy: split list insertion into a helper Florian Westphal
2018-11-07 22:00 ` Florian Westphal [this message]
2018-11-07 22:00 ` [PATCH ipsec-next 05/11] xfrm: policy: store inexact policies in an rhashtable Florian Westphal
2018-11-07 22:00 ` [PATCH ipsec-next 06/11] xfrm: policy: consider if_id when hashing inexact policy Florian Westphal
2018-11-07 22:00 ` [PATCH ipsec-next 07/11] xfrm: policy: add inexact policy search tree infrastructure Florian Westphal
2018-11-07 22:00 ` [PATCH ipsec-next 08/11] xfrm: policy: store inexact policies in a tree ordered by destination address Florian Westphal
2018-11-07 22:00 ` [PATCH ipsec-next 09/11] xfrm: policy: check reinserted policies match their node Florian Westphal
2018-11-07 22:00 ` [PATCH ipsec-next 10/11] xfrm: policy: store inexact policies in a tree ordered by source address Florian Westphal
2018-11-07 22:00 ` [PATCH ipsec-next 11/11] xfrm: policy: add 2nd-level saddr trees for inexact policies Florian Westphal
2018-11-09 3:00 ` [PATCH ipsec-next 00/11] xfrm: policy: add inexact policy search tree David Miller
2018-11-13 21:41 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181107220041.26205-5-fw@strlen.de \
--to=fw@strlen.de \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.