[IPSEC]: searching SAD without assumming L3 details

[IPSEC]: searching SAD without assumming L3 details

[jamal]

[-- Attachment #1: Type: text/plain, Size: 85 bytes --]

Against net-2.6.19

signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>

cheers,
jamal

[-- Attachment #2: sad-nl3p --]
[-- Type: text/plain, Size: 2438 bytes --]

Allow for searching the SAD from external data path points without
assumming L3 details. The only customer of this exposure currently
is pktgen.

---
commit 33d3060784e6aa55e30ae7d5efc491180e7f955d
tree 707017ff673d1161f46d69fd818035b6bc50bbdb
parent 0169ac1c2a64f04deeff3dae704f34e22ae59cb7
author Jamal Hadi Salim <hadi@cyberus.ca> Sat, 02 Sep 2006 09:38:12 -0400
committer Jamal Hadi Salim <hadi@jzny2.(none)> Sat, 02 Sep 2006 09:38:12 -0400

 include/net/xfrm.h    |    4 ++++
 net/xfrm/xfrm_state.c |   33 +++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 0 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index bf8e2df..7b0ea47 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -895,6 +895,10 @@ extern struct xfrm_state *xfrm_state_fin
 					  struct flowi *fl, struct xfrm_tmpl *tmpl,
 					  struct xfrm_policy *pol, int *err,
 					  unsigned short family);
+extern struct xfrm_state * xfrm_stateonly_find(xfrm_address_t *daddr, 
+				 	 xfrm_address_t *saddr, 
+					 unsigned short family, 
+					 u32 reqid, u8 mode, u8 proto);
 extern int xfrm_state_check_expire(struct xfrm_state *x);
 extern void xfrm_state_insert(struct xfrm_state *x);
 extern int xfrm_state_add(struct xfrm_state *x);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 9f63edd..2bfc04e 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -501,6 +501,39 @@ __xfrm_state_locate(struct xfrm_state *x
 }
 
 struct xfrm_state *
+xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
+		unsigned short family, u32 reqid, u8 mode, u8 proto)
+{
+	unsigned int h = xfrm_dst_hash(daddr, saddr, 0, family);
+	struct xfrm_state *rx = NULL, *x = NULL;
+	struct hlist_node *entry;
+	
+	spin_lock(&xfrm_state_lock);
+	hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
+		if (x->props.family == family &&
+		    x->props.reqid == reqid && 
+		    xfrm_state_addr_check(x, daddr, saddr, family) &&
+		    mode == x->props.mode &&
+		    proto == x->id.proto)  { 
+
+			if (x->km.state != XFRM_STATE_VALID) 
+					continue;
+			else {
+				rx = x;
+				break; 
+			}
+		}
+	}
+	spin_unlock(&xfrm_state_lock);
+
+	if (rx)
+		xfrm_state_hold(rx);
+
+	return rx;
+}
+EXPORT_SYMBOL(xfrm_stateonly_find);
+
+struct xfrm_state *
 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
 		struct flowi *fl, struct xfrm_tmpl *tmpl,
 		struct xfrm_policy *pol, int *err,

Re: [IPSEC]: searching SAD without assumming L3 details

[James Morris]

On Sat, 2 Sep 2006, jamal wrote:

> Against net-2.6.19
> 
> signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>

+xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
+               unsigned short family, u32 reqid, u8 mode, u8 proto)
+{
+       unsigned int h = xfrm_dst_hash(daddr, saddr, 0, family);
+       struct xfrm_state *rx = NULL, *x = NULL;
+       struct hlist_node *entry;
+       
+       spin_lock(&xfrm_state_lock);

Shouldn't this be spin_lock_bh()?

+       spin_unlock(&xfrm_state_lock);
+
+       if (rx)
+               xfrm_state_hold(rx);

I think you need to grab the reference before letting go of the lock.


Can you please include patches inline, or tell me how to get pine to 
quote attachments? :-)


-- 
James Morris
<jmorris@namei.org>

-- 
VGER BF report: U 0.5

Re: [IPSEC]: searching SAD without assumming L3 details

[jamal]

On Sat, 2006-02-09 at 11:04 -0400, James Morris wrote:
> On Sat, 2 Sep 2006, jamal wrote:

> +       
> +       spin_lock(&xfrm_state_lock);
> 
> Shouldn't this be spin_lock_bh()?
> 
> +       spin_unlock(&xfrm_state_lock);
> +

the call is made at the moment only by pktgen (kernel threads on
dev_queue_xmit level contending with softirqs essentially). I think
(although havent tried) the spin_{un}lock_bh() wont work. Thoughts?
Obviously the easy thing for me to do is change it and see what
happens;->

> +       if (rx)
> +               xfrm_state_hold(rx);
> 
> I think you need to grab the reference before letting go of the lock.
> 

I believe you are right. I will make the change, retest and repost.

> 
> Can you please include patches inline, or tell me how to get pine to 
> quote attachments? :-)

I could get evolution to inline attachments although last time i tried
it made Dave unhappy with not being to use git am or some such
reason ;-> I think some white spaces get added or some other mangling
happens.
I could try it on the repost.

Thanks for the comments James.

cheers,
jamal




-- 
VGER BF report: U 0.500005

Re: [IPSEC]: searching SAD without assumming L3 details

[jamal]

On Sat, 2006-02-09 at 13:16 -0400, jamal wrote:

> the call is made at the moment only by pktgen (kernel threads on
> dev_queue_xmit level contending with softirqs essentially). I think
> (although havent tried) the spin_{un}lock_bh() wont work. Thoughts?
> Obviously the easy thing for me to do is change it and see what
> happens;->

Both your suggestions work. Should i instead just use read_{un}lock_bh?
All i am doing is scanning to find the state.

cheers,
jamal



-- 
VGER BF report: U 0.502731

Re: [IPSEC]: searching SAD without assumming L3 details

[James Morris]

On Sat, 2 Sep 2006, jamal wrote:

> On Sat, 2006-02-09 at 11:04 -0400, James Morris wrote:
> > On Sat, 2 Sep 2006, jamal wrote:
> 
> > +       
> > +       spin_lock(&xfrm_state_lock);
> > 
> > Shouldn't this be spin_lock_bh()?
> > 
> > +       spin_unlock(&xfrm_state_lock);
> > +
> 
> the call is made at the moment only by pktgen (kernel threads on
> dev_queue_xmit level contending with softirqs essentially). I think
> (although havent tried) the spin_{un}lock_bh() wont work. Thoughts?

If bh's are already disabled when you call this, it'll be ok, but as this 
will be a generally exported function, I'd suggest using bh locking.  I 
guess you could also make a xfrm_stateonly_find_bh() to be called only 
with bh's disabled, if needed.


- James
-- 
James Morris
<jmorris@namei.org>

-- 
VGER BF report: U 0.523211

Re: [IPSEC]: searching SAD without assumming L3 details

[Herbert Xu]

On Sat, Sep 02, 2006 at 09:43:02AM -0400, jamal wrote:
>
> Allow for searching the SAD from external data path points without
> assumming L3 details. The only customer of this exposure currently
> is pktgen.

Any reason why xfrm_state_find can't be used? It doesn't look right
to add generic code that's only used by pktgen.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [IPSEC]: searching SAD without assumming L3 details

[jamal]

On Wed, 2006-06-09 at 09:38 +1000, Herbert Xu wrote:
> On Sat, Sep 02, 2006 at 09:43:02AM -0400, jamal wrote:
> >
> > Allow for searching the SAD from external data path points without
> > assumming L3 details. The only customer of this exposure currently
> > is pktgen.
> 
> Any reason why xfrm_state_find can't be used? 

xfrm_state_find is overkill (if you compare the two functionalities). 

> It doesn't look right
> to add generic code that's only used by pktgen.

The alternative would require heavy mods to xfrm_state_find to do the
minimal needed (a lot more than what i was asking for in mode output). I
could move the function to outside of xfrm_state.c but that would
require a few exports for it to use which looks less fair to me ;-> 

cheers,
jamal

Re: [IPSEC]: searching SAD without assumming L3 details

[Herbert Xu]

On Wed, Sep 06, 2006 at 07:20:39AM -0400, jamal wrote:
>
> > Any reason why xfrm_state_find can't be used? 
> 
> xfrm_state_find is overkill (if you compare the two functionalities). 

Could you show me how you plan to use this in pktgen? Perhaps we can
move it to the slow path where it wouldn't matter whether it's an
overkill or not.  There should be no reason to be looking up an SA
in the pktgen fast path.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [IPSEC]: searching SAD without assumming L3 details

[jamal]

[-- Attachment #1: Type: text/plain, Size: 839 bytes --]

On Wed, 2006-06-09 at 21:26 +1000, Herbert Xu wrote:
> On Wed, Sep 06, 2006 at 07:20:39AM -0400, jamal wrote:
> >
> > > Any reason why xfrm_state_find can't be used? 
> > 
> > xfrm_state_find is overkill (if you compare the two functionalities). 
> 
> Could you show me how you plan to use this in pktgen? 

Older patch attached - has a few bugs; just ignore them.

> Perhaps we can
> move it to the slow path where it wouldn't matter whether it's an
> overkill or not.  There should be no reason to be looking up an SA
> in the pktgen fast path.

It is needed if you want replay protection - unless you can come with
some clever way to handle it without violating the integrity. 
For non replay protection, thats easy: We just do one lookup and reclone
the packet within pktgen - maybe thats what you meant by "slow path"?

cheers,
jamal

[-- Attachment #2: pig3 --]
[-- Type: text/plain, Size: 9865 bytes --]

    Add IPSEC support to pktgen. Currently only IPV4 and ESP/Transport
    mode. IPV6 next. And Tunnel mode to follow after some discussions with
    Herbert and Dave.

---
commit 0721d8f9d3e1a9a8f5f038365ae12ec605a2d5d6
tree 3069707bec44c992c0bfdbe871c7e3bd68d37882
parent 1a4c28d2bd2fcf82b84bffdb7be47aa9224483d0
author Jamal Hadi Salim <hadi@znyx.com> Tue, 22 Aug 2006 21:43:37 -0400
committer Jamal Hadi Salim <hadi@jzny2.(none)> Tue, 22 Aug 2006 21:43:37 -0400

 net/core/pktgen.c |  169 +++++++++++++++++++++++++++++++++++++++++++++++++----
 1 files changed, 156 insertions(+), 13 deletions(-)

diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 67ed14d..5fc725d 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -148,6 +148,7 @@ #include <linux/etherdevice.h>
 #include <net/checksum.h>
 #include <net/ipv6.h>
 #include <net/addrconf.h>
+#include <net/xfrm.h>
 #include <asm/byteorder.h>
 #include <linux/rcupdate.h>
 #include <asm/bitops.h>
@@ -178,6 +179,8 @@ #define F_MACDST_RND  (1<<5)	/* MAC-Dst 
 #define F_TXSIZE_RND  (1<<6)	/* Transmit size is random */
 #define F_IPV6        (1<<7)	/* Interface in IPV6 Mode */
 #define F_MPLS_RND    (1<<8)	/* Random MPLS labels */
+#define F_FLOW_RND    (1<<9)	/* Random flows */
+#define F_IPSEC_ON    (1<<10)	/* Run ipsec when possible */
 
 /* Thread control flag bits */
 #define T_TERMINATE   (1<<0)
@@ -200,6 +203,7 @@ #define MAX_CFLOWS  65536
 
 struct flow_state {
 	__u32 cur_daddr;
+	struct xfrm_state *x;
 	int count;
 };
 
@@ -226,6 +230,7 @@ struct pktgen_dev {
 
 	int min_pkt_size;	/* = ETH_ZLEN; */
 	int max_pkt_size;	/* = ETH_ZLEN; */
+	int pkt_overhead;	/* overhead in case of MPLS or IPSEC */
 	int nfrags;
 	__u32 delay_us;		/* Default delay */
 	__u32 delay_ns;
@@ -324,6 +329,8 @@ struct pktgen_dev {
 					 */
 	struct flow_state *flows;
 	unsigned cflows;	/* Concurrent flows (config) */
+	unsigned nextfl;	/* next flow when not random */
+	unsigned curfl;		/* current running flow */
 	unsigned lflow;		/* Flow length  (config) */
 	unsigned nflows;	/* accumulated flows (stats) */
 };
@@ -667,6 +674,14 @@ static int pktgen_if_show(struct seq_fil
 	if (pkt_dev->flags & F_MPLS_RND)
 		seq_printf(seq,  "MPLS_RND  ");
 
+	if (pkt_dev->flags & F_FLOW_RND)
+		seq_printf(seq,  "FLOW_RND  ");
+	else
+		seq_printf(seq,  "FLOW_SQN  "); /*in sequence */
+
+	if (pkt_dev->flags & F_IPSEC_ON)
+		seq_printf(seq,  "IPSEC_ON  ");
+
 	if (pkt_dev->flags & F_MACSRC_RND)
 		seq_printf(seq, "MACSRC_RND  ");
 
@@ -1140,6 +1155,12 @@ static ssize_t pktgen_if_write(struct fi
 		else if (strcmp(f, "!MPLS_RND") == 0)
 			pkt_dev->flags &= ~F_MPLS_RND;
 
+		else if (strcmp(f, "IPSEC_ON") == 0)
+			pkt_dev->flags |= F_IPSEC_ON;
+
+		else if (strcmp(f, "!IPSEC_ON") == 0)
+			pkt_dev->flags &= ~F_IPSEC_ON;
+
 		else {
 			sprintf(pg_result,
 				"Flag -:%s:- unknown\nAvailable flags, (prepend ! to un-set flag):\n%s",
@@ -1447,6 +1468,10 @@ static ssize_t pktgen_if_write(struct fi
 					  n == pkt_dev->nr_labels-1 ? "" : ",");
 		return count;
 	}
+	if (!strcmp(name, "ipsec")) {
+		/*XXX: Add the "OK: ipsec on" thing */
+		pkt_dev->flags |= F_IPSEC_ON;
+	}
 
 	sprintf(pkt_dev->result, "No such parameter \"%s\"", name);
 	return -EINVAL;
@@ -1879,11 +1904,26 @@ static void mod_cur_headers(struct pktge
 	__u32 imx;
 	int flow = 0;
 
+	pkt_dev->pkt_overhead = 0;
 	if (pkt_dev->cflows) {
-		flow = pktgen_random() % pkt_dev->cflows;
+		if (pkt_dev->flags & F_FLOW_RND) {
+			flow = pktgen_random() % pkt_dev->cflows;
+			if (pkt_dev->flows[flow].count > pkt_dev->lflow)
+				pkt_dev->flows[flow].count = 0;
+		} else {
+			flow = pkt_dev->nextfl;
+			if (pkt_dev->flows[flow].count > pkt_dev->lflow) {
+				/* reset time */
+				pkt_dev->nextfl+=1;
+				if (pkt_dev->nextfl > pkt_dev->cflows)
+					 pkt_dev->nextfl = 0; /*reset */
+
+				flow = pkt_dev->nextfl;
+			}
 
-		if (pkt_dev->flows[flow].count > pkt_dev->lflow)
-			pkt_dev->flows[flow].count = 0;
+		}
+		pkt_dev->curfl = flow;
+		pkt_dev->nextfl+=1;
 	}
 
 	/*  Deal with source MAC */
@@ -1947,6 +1987,9 @@ static void mod_cur_headers(struct pktge
 				pkt_dev->labels[i] = MPLS_STACK_BOTTOM |
 						     (pktgen_random() &
 						      htonl(0x000fffff));
+
+		pkt_dev->pkt_overhead+=pkt_dev->nr_labels*sizeof(u32);
+
 	}
 
 	if (pkt_dev->udp_src_min < pkt_dev->udp_src_max) {
@@ -2068,9 +2111,62 @@ static void mod_cur_headers(struct pktge
 		pkt_dev->cur_pkt_size = t;
 	}
 
+	if (pkt_dev->cflows && pkt_dev->flags & F_IPSEC_ON) {
+		struct xfrm_state *x = pkt_dev->flows[flow].x;
+	       	if (!x) {
+			/*slow path: we dont already have xfrm_state*/
+			x = xfrm_stateonly_find((xfrm_address_t *)&pkt_dev->cur_daddr, (xfrm_address_t *)&pkt_dev->cur_saddr, AF_INET,XFRM_MODE_TRANSPORT, IPPROTO_ESP);
+			if (x) {
+				pkt_dev->flows[flow].x = x;
+				pkt_dev->pkt_overhead+=x->props.header_len;
+			}
+
+		}
+	}
+
+	/* XXX: Should this be moved into if stmt above? 
+	 * Talk to Monsieur Robert
+	*/
 	pkt_dev->flows[flow].count++;
 }
 
+/* In case of errors we are gonna bail out on the packet ..
+ * Also: We only support transport mode at the moment..
+ * Talk to Herbert/Dave about making the tunnel mode pieces
+ * independent of dst ..
+ **/
+static int pktgen_handle_ipsec(struct sk_buff *skb, struct pktgen_dev *pkt_dev)
+{
+	struct xfrm_state *x = pkt_dev->flows[pkt_dev->curfl].x;
+	int err = 0;
+
+	if (!x)
+		return 0;
+	/* XXX: we dont support tunnel mode for now until
+	 * we resolve the dst issue */
+	if (x->props.mode) 
+		return 0;
+	/* error injection 
+	return -1;
+	*/ 
+	spin_lock(&x->lock);
+
+	err = x->mode->output(x, skb);
+	if (err)
+		goto error;
+	err = x->type->output(x, skb);
+	if (err)
+		goto error;
+
+	x->curlft.bytes +=skb->len;
+	x->curlft.packets++;
+	spin_unlock(&x->lock);
+
+error:
+	spin_unlock(&x->lock);
+	return err;
+}
+
 static void mpls_push(__be32 *mpls, struct pktgen_dev *pkt_dev)
 {
 	unsigned i;
@@ -2092,9 +2188,7 @@ static struct sk_buff *fill_packet_ipv4(
 	struct pktgen_hdr *pgh = NULL;
 	__be16 protocol = __constant_htons(ETH_P_IP);
 	__be32 *mpls;
-
-	if (pkt_dev->nr_labels)
-		protocol = __constant_htons(ETH_P_MPLS_UC);
+	int nhead;
 
 	/* Update any of the values, used when we're incrementing various
 	 * fields.
@@ -2102,8 +2196,12 @@ static struct sk_buff *fill_packet_ipv4(
 	mod_cur_headers(pkt_dev);
 
 	datalen = (odev->hard_header_len + 16) & ~0xf;
+
 	skb = alloc_skb(pkt_dev->cur_pkt_size + 64 + datalen +
-			pkt_dev->nr_labels*sizeof(u32), GFP_ATOMIC);
+			pkt_dev->pkt_overhead, GFP_ATOMIC);
+	/*XXX: We need to check for cases where the MTU maybe
+	 * exceeded
+	*/
 	if (!skb) {
 		sprintf(pkt_dev->result, "No memory");
 		return NULL;
@@ -2113,10 +2211,15 @@ static struct sk_buff *fill_packet_ipv4(
 
 	/*  Reserve for ethernet and IP header  */
 	eth = (__u8 *) skb_push(skb, 14);
-	mpls = (__be32 *)skb_put(skb, pkt_dev->nr_labels*sizeof(__u32));
-	if (pkt_dev->nr_labels)
+
+	if (pkt_dev->nr_labels) {
+		protocol = __constant_htons(ETH_P_MPLS_UC);
+		mpls = (__be32 *)skb_put(skb, pkt_dev->nr_labels*sizeof(__u32));
 		mpls_push(mpls, pkt_dev);
+	}
+
 	iph = (struct iphdr *)skb_put(skb, sizeof(struct iphdr));
+	skb->nh.iph = iph;
 	udph = (struct udphdr *)skb_put(skb, sizeof(struct udphdr));
 
 	memcpy(eth, pkt_dev->hh, 12);
@@ -2124,7 +2227,7 @@ static struct sk_buff *fill_packet_ipv4(
 
 	/* Eth + IPh + UDPh + mpls */
 	datalen = pkt_dev->cur_pkt_size - 14 - 20 - 8 -
-		  pkt_dev->nr_labels*sizeof(u32);
+		  pkt_dev->pkt_overhead;
 	if (datalen < sizeof(struct pktgen_hdr))
 		datalen = sizeof(struct pktgen_hdr);
 
@@ -2146,10 +2249,11 @@ static struct sk_buff *fill_packet_ipv4(
 	iph->check = 0;
 	iph->check = ip_fast_csum((void *)iph, iph->ihl);
 	skb->protocol = protocol;
-	skb->mac.raw = ((u8 *) iph) - 14 - pkt_dev->nr_labels*sizeof(u32);
+	skb->mac.raw = ((u8 *) iph) - 14 - pkt_dev->pkt_overhead;
 	skb->dev = odev;
 	skb->pkt_type = PACKET_HOST;
 
+
 	if (pkt_dev->nfrags <= 0)
 		pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
 	else {
@@ -2216,6 +2320,30 @@ static struct sk_buff *fill_packet_ipv4(
 		pgh->tv_sec = htonl(timestamp.tv_sec);
 		pgh->tv_usec = htonl(timestamp.tv_usec);
 	}
+	// Finally let ipsec at it ;->
+	if (pkt_dev->flags & F_IPSEC_ON) {
+		struct xfrm_state *x = pkt_dev->flows[pkt_dev->curfl].x;
+		if (x) {
+			int ret;
+			nhead = x->props.header_len - skb_headroom(skb);
+			if (nhead >0)
+				pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
+			/* ipsec is not expecting ll header */
+			skb_pull(skb, 14);
+			ret = pktgen_handle_ipsec(skb, pkt_dev);
+			if (ret) {
+				printk("Error creating ipsec packet %d\n",ret);
+				kfree_skb(skb);
+				return NULL;	
+			}
+		 	/* restore ll */
+			eth = (__u8 *) skb_push(skb, 14);
+			memcpy(eth, pkt_dev->hh, 12);
+			*(u16 *) & eth[12] = protocol;
+
+		}
+	}
+
 	pkt_dev->seq_num++;
 
 	return skb;
@@ -3177,8 +3305,9 @@ static int pktgen_add_device(struct pktg
 
 	if (!pktgen_setup_dev(pkt_dev)) {
 		printk("pktgen: ERROR: pktgen_setup_dev failed.\n");
-		if (pkt_dev->flows)
+		if (pkt_dev->flows) {
 			vfree(pkt_dev->flows);
+		}
 		kfree(pkt_dev);
 		return -ENODEV;
 	}
@@ -3187,8 +3316,9 @@ static int pktgen_add_device(struct pktg
 	if (!pe) {
 		printk("pktgen: cannot create %s/%s procfs entry.\n",
 		       PG_PROC_DIR, ifname);
-		if (pkt_dev->flows)
+		if (pkt_dev->flows) {
 			vfree(pkt_dev->flows);
+		}
 		kfree(pkt_dev);
 		return -EINVAL;
 	}
@@ -3312,8 +3442,21 @@ static int pktgen_remove_device(struct p
 
 	remove_proc_entry(pkt_dev->ifname, pg_proc_dir);
 
+	if (pkt_dev->cflows) {
+		/* let go of the SAs if we have them */
+		int i = 0;
+		for (;  i < pkt_dev->nflows; i++){
+			struct xfrm_state *x = pkt_dev->flows[i].x;
+			if (x) {
+				xfrm_state_put(x);
+				pkt_dev->flows[i].x = NULL;
+			}
+		}
+	}
+
 	if (pkt_dev->flows)
 		vfree(pkt_dev->flows);
+
 	kfree(pkt_dev);
 	return 0;
 }

Re: [IPSEC]: searching SAD without assumming L3 details

[jamal]

On Wed, 2006-06-09 at 08:14 -0400, jamal wrote:
> maybe thats what you meant by "slow path"?

Never mind what i said above;-> what is needed to have replay protection
is calling the IPSEC fast path. The xfrm state is looked up during the
pktgen fast still because flows are created as needed on the fly. You
could argue that we need to change the architecture of pktgen so it
creates all flows first, but that is a huge change.
If i can read your mind correctly (;->)you may be thinking of splitting
xfrm_state_find() into two pieces: a slow path lookup which perhaps
involves the manager and a fast path which looks up just the SAD?
Note, theres still a lot of clunky stuff like policies and templates and
flowis etc that i dont need.

cheers,
jamal