[PATCH RFC ipsec-next v2] IPsec GRO

[PATCH RFC ipsec-next v2] IPsec GRO

[Steffen Klassert]

This adds a dummy network device so that we can use gro_cells
for IPsec GRO. We now may have a secpath at a GRO merged skb,
so we need to drop it. This is the only change to the generic
networking code.

The packet still travels two times through the stack,
but might be aggregated in the second round. We can
avoid the second round with implementing GRO callbacks
for the IPsec protocols. This will be a separate patchset
as this needs some more generic networking changes because
of the asynchronous nature of IPsec.

[PATCH RFC ipsec-next 1/2] net: Drop secpath on free after gro merge.

[Steffen Klassert]

With a followup patch, a gro merged skb can have a secpath.
So drop it before freeing or reusing the skb.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/core/dev.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/core/dev.c b/net/core/dev.c
index 56818f7..ef3a969 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4623,6 +4623,7 @@ static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb)
 	case GRO_MERGED_FREE:
 		if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD) {
 			skb_dst_drop(skb);
+			secpath_reset(skb);
 			kmem_cache_free(skbuff_head_cache, skb);
 		} else {
 			__kfree_skb(skb);
@@ -4663,6 +4664,7 @@ static void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
 	skb->encapsulation = 0;
 	skb_shinfo(skb)->gso_type = 0;
 	skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
+	secpath_reset(skb);
 
 	napi->skb = skb;
 }
-- 
1.9.1

[PATCH RFC ipsec-next 2/2] xfrm: Add a dummy network device for napi.

[Steffen Klassert]

This patch adds a dummy network device so that we can
use gro_cells for IPsec GRO. With this, we handle IPsec
GRO with no impact on the generic networking code.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_input.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 6e3f025..3213fe8 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -21,6 +21,9 @@
 static DEFINE_SPINLOCK(xfrm_input_afinfo_lock);
 static struct xfrm_input_afinfo __rcu *xfrm_input_afinfo[NPROTO];
 
+static struct gro_cells gro_cells;
+static struct net_device xfrm_napi_dev;
+
 int xfrm_input_register_afinfo(struct xfrm_input_afinfo *afinfo)
 {
 	int err = 0;
@@ -371,7 +374,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 
 	if (decaps) {
 		skb_dst_drop(skb);
-		netif_rx(skb);
+		gro_cells_receive(&gro_cells, skb);
 		return 0;
 	} else {
 		return x->inner_mode->afinfo->transport_finish(skb, async);
@@ -394,6 +397,13 @@ int xfrm_input_resume(struct sk_buff *skb, int nexthdr)
 
 void __init xfrm_input_init(void)
 {
+	int err;
+
+	init_dummy_netdev(&xfrm_napi_dev);
+	err = gro_cells_init(&gro_cells, &xfrm_napi_dev);
+	if (err)
+		gro_cells.cells = NULL;
+
 	secpath_cachep = kmem_cache_create("secpath_cache",
 					   sizeof(struct sec_path),
 					   0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
-- 
1.9.1

Re: [PATCH RFC ipsec-next 2/2] xfrm: Add a dummy network device for napi.

[Eric Dumazet]

On Fri, 2017-01-27 at 08:19 +0100, Steffen Klassert wrote:
> This patch adds a dummy network device so that we can
> use gro_cells for IPsec GRO. With this, we handle IPsec
> GRO with no impact on the generic networking code.
> 
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> ---
>  net/xfrm/xfrm_input.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)

That is nice ;)

Re: [PATCH RFC ipsec-next 2/2] xfrm: Add a dummy network device for napi.

[David Miller]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Fri, 27 Jan 2017 06:46:38 -0800

> On Fri, 2017-01-27 at 08:19 +0100, Steffen Klassert wrote:
>> This patch adds a dummy network device so that we can
>> use gro_cells for IPsec GRO. With this, we handle IPsec
>> GRO with no impact on the generic networking code.
>> 
>> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
>> ---
>>  net/xfrm/xfrm_input.c | 12 +++++++++++-
>>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> That is nice ;)

I like it too.

I suspect we can do something similar for USB networking drivers.

Re: [PATCH RFC ipsec-next 2/2] xfrm: Add a dummy network device for napi.

[Eric Dumazet]

On Fri, 2017-01-27 at 09:53 -0500, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Fri, 27 Jan 2017 06:46:38 -0800
> 
> > On Fri, 2017-01-27 at 08:19 +0100, Steffen Klassert wrote:
> >> This patch adds a dummy network device so that we can
> >> use gro_cells for IPsec GRO. With this, we handle IPsec
> >> GRO with no impact on the generic networking code.
> >> 
> >> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> >> ---
> >>  net/xfrm/xfrm_input.c | 12 +++++++++++-
> >>  1 file changed, 11 insertions(+), 1 deletion(-)
> > 
> > That is nice ;)
> 
> I like it too.
> 

If XFRM makes use of gro_cells, it is time to move it in net/core,
instead of inlining it.

I can submit this trivial patch, of course.

> I suspect we can do something similar for USB networking drivers.

With some changes then, because gro_cells is per cpu at the moment,
probably overkill for one USB networking driver.

Re: [PATCH RFC ipsec-next 2/2] xfrm: Add a dummy network device for napi.

[David Miller]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Fri, 27 Jan 2017 07:25:54 -0800

> On Fri, 2017-01-27 at 09:53 -0500, David Miller wrote:
>> I suspect we can do something similar for USB networking drivers.
> 
> With some changes then, because gro_cells is per cpu at the moment,
> probably overkill for one USB networking driver.

Agreed.

Re: [PATCH RFC ipsec-next 2/2] xfrm: Add a dummy network device for napi.

[Steffen Klassert]

On Fri, Jan 27, 2017 at 09:53:49AM -0500, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Fri, 27 Jan 2017 06:46:38 -0800
> 
> > On Fri, 2017-01-27 at 08:19 +0100, Steffen Klassert wrote:
> >> This patch adds a dummy network device so that we can
> >> use gro_cells for IPsec GRO. With this, we handle IPsec
> >> GRO with no impact on the generic networking code.
> >> 
> >> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> >> ---
> >>  net/xfrm/xfrm_input.c | 12 +++++++++++-
> >>  1 file changed, 11 insertions(+), 1 deletion(-)
> > 
> > That is nice ;)
> 
> I like it too.

I've applied both to ipsec-next, thanks for all the feedback!