From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Subject: [PATCH net-next 0/13] sk_buff: add extension infrastructure
Date: Mon, 10 Dec 2018 15:49:53 +0100
Message-ID: <20181210145006.19098-1-fw@strlen.de>

The (out-of-tree) Multipath-TCP implementation needs to map logical mptcp
sequence numbers to the tcp sequence numbers used by individual subflows.
This DSS mapping is read/written from tcp option space on receive and
written to tcp option space on transmitted tcp packets that are part of
an MPTCP connection.

Increasing skb->cb[] size in mainline to store the DSS mapping
is a non-starter for memory and performance reasons
(f.e. increase in cb size also moves several frequently-accessed fields
to other cache lines).

Extending skb_shared_info or adding a private data field to skb fclones
doesn't work for incoming skb, so a different DSS propagation method
would be required for the receive side.

The current MPTCP implementation adds an additional mptcp specific
pointer to sk_buff.

This series adds an extension infrastructure for sk_buff instead:
1. extension memory is released when the sk_buff is free'd.
2. data is shared after cloning an skb.
3. adding extension to an skb will COW the extension buffer if needed.

This is also how xfrm and bridge_nf extra data (skb->sp, skb->nf_bridge)
are handled.

MPTCP could then add a new SKB_EXT_MPTCP_DSS (or similar) to store the
mapping for tx and rx processing.

Two new members are added to sk_buff:
1. 'active_extensions' byte (filling a hole), telling which extensions
   are available for this skb.
2. extension pointer, located at the end of the sk_buff.

If the active_extensions byte is 0, the pointer is undefined.

Third patch converts nf_bridge to use the extension infrastructure:
The 'nf_bridge' pointer is removed, i.e. sk_buff size remains the same.

After this, there are a few preparation patches to reduce "skb->sp"
usage by using the secpath helper functions instead.

Last patch converts skb->sp, secpath information gets stored as
new SKB_EXT_SEC_PATH, so the 'sp' pointer is removed from skbuff.

Extra code added to skb clone and free paths (to deal with refcount/free
of extension area) replaces the existing code that does the same for
skb->nf_bridge and skb->secpath.

I don't see any other in-tree users that could benefit from this
infrastructure, it doesn't make sense to add an extension just for the sake
of a single flag bit (like skb->nf_trace).

Changes since RFC:
Convert secpath.
Unlike nf_bridge, the secpath struct needs to hold reference on the
xfrm state structure(s), thus handling gets more complicated when
an existing secpath extension has to be COW'd (we need to take additional
reference count on the xfrm states contained in the new copy).

Florian Westphal (13):
  netfilter: avoid using skb->nf_bridge directly
  sk_buff: add skb extension infrastructure
  net: convert bridge_nf to use skb extension infrastructure
  xfrm: change secpath_set to return secpath struct, not error value
  net: move secpath_exist helper to sk_buff.h
  net: use skb_sec_path helper in more places
  drivers: net: intel: use secpath helpers in more places
  drivers: net: ethernet: mellanox: use skb_sec_path helper
  drivers: net: netdevsim: use skb_sec_path helper
  xfrm: use secpath_exist where applicable
  drivers: chelsio: use skb_sec_path helper
  xfrm: prefer secpath_set over secpath_dup
  net: switch secpath to use skb extension infrastructure

Documentation/networking/xfrm_device.txt | 7
drivers/crypto/chelsio/chcr_ipsec.c | 4
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 15
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 5
drivers/net/ethernet/intel/ixgbevf/ipsec.c | 15
drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 2
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c | 19 -
drivers/net/netdevsim/ipsec.c | 7
include/linux/netfilter_bridge.h | 33 +
include/linux/skbuff.h | 160 +++++++-
include/net/netfilter/br_netfilter.h | 14
include/net/xfrm.h | 40 --
net/Kconfig | 4
net/bridge/br_netfilter_hooks.c | 39 --
net/bridge/br_netfilter_ipv6.c | 4
net/core/skbuff.c | 182 +++++++++-
net/ipv4/esp4.c | 9
net/ipv4/esp4_offload.c | 15
net/ipv4/ip_output.c | 1
net/ipv4/netfilter/nf_reject_ipv4.c | 6
net/ipv6/esp6.c | 9
net/ipv6/esp6_offload.c | 15
net/ipv6/ip6_output.c | 1
net/ipv6/netfilter/nf_reject_ipv6.c | 10
net/ipv6/xfrm6_input.c | 8
net/netfilter/nf_log_common.c | 20 -
net/netfilter/nf_queue.c | 50 +-
net/netfilter/nfnetlink_queue.c | 23 -
net/netfilter/nft_meta.c | 2
net/netfilter/nft_xfrm.c | 2
net/netfilter/xt_physdev.c | 2
net/netfilter/xt_policy.c | 2
net/xfrm/Kconfig | 1
net/xfrm/xfrm_device.c | 4
net/xfrm/xfrm_input.c | 76 +---
net/xfrm/xfrm_interface.c | 2
net/xfrm/xfrm_output.c | 7
net/xfrm/xfrm_policy.c | 19 -
security/selinux/xfrm.c | 4
39 files changed, 553 insertions(+), 285 deletions(-)
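
The ownership rules from the cover letter (shared on clone, copy-on-write on add, released on free) and the secpath reference issue from "Changes since RFC", as a userspace C model. This is an added example, not code from the patch series; every type and function name in it (`mskb`, `mext_add`, `mskb_free`, `scenario`) is hypothetical, and the model tracks only reference counts, not extension payloads.

```c
#include <stdlib.h>
/* Userspace model; every name below is hypothetical, not the kernel's. */
enum { EXT_BRIDGE_NF, EXT_SEC_PATH };
struct state { int refcnt; };                  /* stands in for an xfrm state */
struct ext { int refcnt; struct state *st; };  /* refcnt: skbs sharing it */
struct mskb { unsigned char active; struct ext *ext; };

/* Add extension `id`; skb->ext is only meaningful while active != 0. */
static int mext_add(struct mskb *skb, int id) {
    struct ext *old = skb->active ? skb->ext : NULL, *new = old;
    if (!old || old->refcnt > 1) {  /* none yet, or shared: need a private one */
        if (!(new = calloc(1, sizeof(*new))))
            return -1;
        new->refcnt = 1;
        if (old && (new->st = old->st))
            new->st->refcnt++;      /* the copy holds its own reference */
        if (old)
            old->refcnt--;          /* this skb left the shared buffer */
    }
    skb->ext = new;
    skb->active |= 1u << id;
    return 0;
}

static void mskb_free(struct mskb *skb) {
    if (skb->active && --skb->ext->refcnt == 0) {
        if (skb->ext->st)
            skb->ext->st->refcnt--; /* last user drops the reference */
        free(skb->ext);
    }
    skb->active = 0;
}

/* State refcount after: 1 = clone, 2 = COW on the clone, 3 = both freed. */
static int scenario(int step) {
    struct state st = { 1 };        /* one reference, held by a's secpath */
    struct mskb a = { 0 }, b;
    if (mext_add(&a, EXT_SEC_PATH))
        return -1;
    a.ext->st = &st;
    b = a;                          /* clone: share the buffer... */
    a.ext->refcnt++;                /* ...and count the second user */
    if (step >= 2 && mext_add(&b, EXT_BRIDGE_NF))
        step = -1;                  /* allocation failed */
    int r = st.refcnt;
    mskb_free(&a);
    mskb_free(&b);
    return step < 0 ? -1 : step == 3 ? st.refcnt : r;
}
int main(void) { return scenario(3); }
```

Removing the `new->st->refcnt++` line makes the count reach zero when the first of the two buffers is freed while the second still points at the state, which is the imbalance the extra reference on COW prevents.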