From: Antony Antony <antony@phenome.org>
To: Christian Hopps <chopps@chopps.org>
Cc: devel@linux-ipsec.org,
Steffen Klassert <steffen.klassert@secunet.com>,
netdev@vger.kernel.org, Christian Hopps <chopps@labn.net>
Subject: Re: [devel-ipsec] [PATCH ipsec-next v2 08/17] xfrm: iptfs: add new iptfs xfrm mode impl
Date: Mon, 3 Jun 2024 19:14:10 +0200 [thread overview]
Message-ID: <Zl354nSbE5mOMC2h@Antony2201.local> (raw)
In-Reply-To: <20240520214255.2590923-9-chopps@chopps.org>
Hi Chris,
On Mon, May 20, 2024 at 05:42:46PM -0400, Christian Hopps via Devel wrote:
> From: Christian Hopps <chopps@labn.net>
>
> Add a new xfrm mode implementing AggFrag/IP-TFS from RFC9347.
>
> This utilizes the new xfrm_mode_cbs to implement demand-driven IP-TFS
> functionality. This functionality can be used to increase bandwidth
> utilization through small packet aggregation, as well as help solve PMTU
> issues through it's efficient use of fragmentation.
>
> Link: https://www.rfc-editor.org/rfc/rfc9347.txt
>
> Multiple commits follow to build the functionality into xfrm_iptfs.c
>
> Signed-off-by: Christian Hopps <chopps@labn.net>
> ---
> net/xfrm/Makefile | 1 +
> net/xfrm/xfrm_iptfs.c | 225 ++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 226 insertions(+)
> create mode 100644 net/xfrm/xfrm_iptfs.c
>
> diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile
> index 547cec77ba03..cd6520d4d777 100644
> --- a/net/xfrm/Makefile
> +++ b/net/xfrm/Makefile
> @@ -20,5 +20,6 @@ obj-$(CONFIG_XFRM_USER) += xfrm_user.o
> obj-$(CONFIG_XFRM_USER_COMPAT) += xfrm_compat.o
> obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o
> obj-$(CONFIG_XFRM_INTERFACE) += xfrm_interface.o
> +obj-$(CONFIG_XFRM_IPTFS) += xfrm_iptfs.o
> obj-$(CONFIG_XFRM_ESPINTCP) += espintcp.o
> obj-$(CONFIG_DEBUG_INFO_BTF) += xfrm_state_bpf.o
> diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
> new file mode 100644
> index 000000000000..e7b5546e1f6a
> --- /dev/null
> +++ b/net/xfrm/xfrm_iptfs.c
> @@ -0,0 +1,225 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* xfrm_iptfs: IPTFS encapsulation support
> + *
> + * April 21 2022, Christian Hopps <chopps@labn.net>
> + *
> + * Copyright (c) 2022, LabN Consulting, L.L.C.
> + *
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/icmpv6.h>
> +#include <net/gro.h>
> +#include <net/icmp.h>
> +#include <net/ip6_route.h>
> +#include <net/inet_ecn.h>
> +#include <net/xfrm.h>
> +
> +#include <crypto/aead.h>
> +
> +#include "xfrm_inout.h"
> +
> +struct xfrm_iptfs_config {
> + u32 pkt_size; /* outer_packet_size or 0 */
> +};
> +
> +struct xfrm_iptfs_data {
> + struct xfrm_iptfs_config cfg;
> +
> + /* Ingress User Input */
> + struct xfrm_state *x; /* owning state */
> + u32 payload_mtu; /* max payload size */
> +};
> +
> +/* ========================== */
> +/* State Management Functions */
> +/* ========================== */
> +
> +/**
> + * iptfs_get_inner_mtu() - return inner MTU with no fragmentation.
> + * @x: xfrm state.
> + * @outer_mtu: the outer mtu
> + */
> +static u32 iptfs_get_inner_mtu(struct xfrm_state *x, int outer_mtu)
> +{
> + struct crypto_aead *aead;
> + u32 blksize;
> +
> + aead = x->data;
> + blksize = ALIGN(crypto_aead_blocksize(aead), 4);
> + return ((outer_mtu - x->props.header_len - crypto_aead_authsize(aead)) &
> + ~(blksize - 1)) - 2;
> +}
> +
> +/**
> + * iptfs_user_init() - initialize the SA with IPTFS options from netlink.
> + * @net: the net data
> + * @x: xfrm state
> + * @attrs: netlink attributes
> + * @extack: extack return data
> + */
> +static int iptfs_user_init(struct net *net, struct xfrm_state *x,
> + struct nlattr **attrs,
> + struct netlink_ext_ack *extack)
> +{
> + struct xfrm_iptfs_data *xtfs = x->mode_data;
> + struct xfrm_iptfs_config *xc;
> +
> + xc = &xtfs->cfg;
> +
> + if (attrs[XFRMA_IPTFS_PKT_SIZE]) {
> + xc->pkt_size = nla_get_u32(attrs[XFRMA_IPTFS_PKT_SIZE]);
> + if (!xc->pkt_size) {
> + xtfs->payload_mtu = 0;
> + } else if (xc->pkt_size > x->props.header_len) {
> + xtfs->payload_mtu = xc->pkt_size - x->props.header_len;
> + } else {
> + NL_SET_ERR_MSG(extack,
> + "Packet size must be 0 or greater than IPTFS/ESP header length");
> + return -EINVAL;
> + }
> + }
> + return 0;
> +}
> +
> +static unsigned int iptfs_sa_len(const struct xfrm_state *x)
> +{
> + struct xfrm_iptfs_data *xtfs = x->mode_data;
> + struct xfrm_iptfs_config *xc = &xtfs->cfg;
> + unsigned int l = 0;
> +
> + l += nla_total_size(0);
> + l += nla_total_size(sizeof(u16));
> + l += nla_total_size(sizeof(xc->pkt_size));
> + l += nla_total_size(sizeof(u32));
> + l += nla_total_size(sizeof(u32)); /* drop time usec */
> + l += nla_total_size(sizeof(u32)); /* init delay usec */
> +
> + return l;
> +}
> +
> +static int iptfs_copy_to_user(struct xfrm_state *x, struct sk_buff *skb)
> +{
> + struct xfrm_iptfs_data *xtfs = x->mode_data;
> + struct xfrm_iptfs_config *xc = &xtfs->cfg;
> + int ret;
> +
> + ret = nla_put_flag(skb, XFRMA_IPTFS_DONT_FRAG);
> + if (ret)
> + return ret;
> + ret = nla_put_u16(skb, XFRMA_IPTFS_REORDER_WINDOW, 0);
> + if (ret)
> + return ret;
> + ret = nla_put_u32(skb, XFRMA_IPTFS_PKT_SIZE, xc->pkt_size);
> + if (ret)
> + return ret;
> + ret = nla_put_u32(skb, XFRMA_IPTFS_MAX_QSIZE, 0);
> + if (ret)
> + return ret;
> +
> + ret = nla_put_u32(skb, XFRMA_IPTFS_DROP_TIME, 0);
> + if (ret)
> + return ret;
> +
> + ret = nla_put_u32(skb, XFRMA_IPTFS_INIT_DELAY, 0);
Why copy all attributes? Only copy the ones relevant to the SA direction.
Also adjust in iptfs_sa_len().
> +
> + return ret;
> +}
> +
> +static int __iptfs_init_state(struct xfrm_state *x,
> + struct xfrm_iptfs_data *xtfs)
> +{
> + /* Modify type (esp) adjustment values */
> +
> + if (x->props.family == AF_INET)
> + x->props.header_len += sizeof(struct iphdr) + sizeof(struct ip_iptfs_hdr);
> + else if (x->props.family == AF_INET6)
> + x->props.header_len += sizeof(struct ipv6hdr) + sizeof(struct ip_iptfs_hdr);
> + x->props.enc_hdr_len = sizeof(struct ip_iptfs_hdr);
> +
> + /* Always have a module reference if x->mode_data is set */
> + if (!try_module_get(x->mode_cbs->owner))
> + return -EINVAL;
> +
> + x->mode_data = xtfs;
> + xtfs->x = x;
> +
> + return 0;
> +}
> +
> +static int iptfs_clone(struct xfrm_state *x, struct xfrm_state *orig)
> +{
> + struct xfrm_iptfs_data *xtfs;
> + int err;
> +
> + xtfs = kmemdup(orig->mode_data, sizeof(*xtfs), GFP_KERNEL);
> + if (!xtfs)
> + return -ENOMEM;
> +
> + err = __iptfs_init_state(x, xtfs);
> + if (err)
> + return err;
> +
> + return 0;
> +}
> +
> +static int iptfs_create_state(struct xfrm_state *x)
> +{
> + struct xfrm_iptfs_data *xtfs;
> + int err;
> +
> + xtfs = kzalloc(sizeof(*xtfs), GFP_KERNEL);
> + if (!xtfs)
> + return -ENOMEM;
> +
> + err = __iptfs_init_state(x, xtfs);
> + if (err)
> + return err;
> +
> + return 0;
> +}
> +
> +static void iptfs_delete_state(struct xfrm_state *x)
> +{
> + struct xfrm_iptfs_data *xtfs = x->mode_data;
> +
> + if (!xtfs)
> + return;
> +
> + kfree_sensitive(xtfs);
> +
> + module_put(x->mode_cbs->owner);
> +}
> +
> +static const struct xfrm_mode_cbs iptfs_mode_cbs = {
> + .owner = THIS_MODULE,
> + .create_state = iptfs_create_state,
> + .delete_state = iptfs_delete_state,
> + .user_init = iptfs_user_init,
> + .copy_to_user = iptfs_copy_to_user,
> + .sa_len = iptfs_sa_len,
> + .clone = iptfs_clone,
> + .get_inner_mtu = iptfs_get_inner_mtu,
> +};
> +
> +static int __init xfrm_iptfs_init(void)
> +{
> + int err;
> +
> + pr_info("xfrm_iptfs: IPsec IP-TFS tunnel mode module\n");
> +
> + err = xfrm_register_mode_cbs(XFRM_MODE_IPTFS, &iptfs_mode_cbs);
> + if (err < 0)
> + pr_info("%s: can't register IP-TFS\n", __func__);
> +
> + return err;
> +}
> +
> +static void __exit xfrm_iptfs_fini(void)
> +{
> + xfrm_unregister_mode_cbs(XFRM_MODE_IPTFS);
> +}
> +
> +module_init(xfrm_iptfs_init);
> +module_exit(xfrm_iptfs_fini);
> +MODULE_LICENSE("GPL");
> --
> 2.45.1
>
> --
> Devel mailing list
> Devel@linux-ipsec.org
> https://linux-ipsec.org/mailman/listinfo/devel
next prev parent reply other threads:[~2024-06-03 17:15 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-20 21:42 [PATCH ipsec-next v1 0/8] Add IP-TFS mode to xfrm Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 01/17] xfrm: config: add CONFIG_XFRM_IPTFS Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 02/17] include: uapi: add ip_tfs_*_hdr packet formats Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 03/17] include: uapi: add IPPROTO_AGGFRAG for AGGFRAG in ESP Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 04/17] xfrm: sysctl: allow configuration of global default values Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 05/17] xfrm: netlink: add config (netlink) options Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 06/17] xfrm: add mode_cbs module functionality Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 07/17] xfrm: add generic iptfs defines and functionality Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 08/17] xfrm: iptfs: add new iptfs xfrm mode impl Christian Hopps
2024-06-03 17:14 ` Antony Antony [this message]
2024-06-07 5:49 ` [devel-ipsec] " Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 09/17] xfrm: iptfs: add user packet (tunnel ingress) handling Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 10/17] xfrm: iptfs: share page fragments of inner packets Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 11/17] xfrm: iptfs: add fragmenting of larger than MTU user packets Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 12/17] xfrm: iptfs: add basic receive packet (tunnel egress) handling Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 13/17] xfrm: iptfs: handle received fragmented inner packets Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 14/17] xfrm: iptfs: add reusing received skb for the tunnel egress packet Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 15/17] xfrm: iptfs: add skb-fragment sharing code Christian Hopps
2024-05-20 21:42 ` [PATCH ipsec-next v2 16/17] xfrm: iptfs: handle reordering of received packets Christian Hopps
2024-05-21 16:07 ` kernel test robot
2024-05-20 21:42 ` [PATCH ipsec-next v2 17/17] xfrm: iptfs: add tracepoint functionality Christian Hopps
2024-05-23 19:29 ` [PATCH ipsec-next v1 0/8] Add IP-TFS mode to xfrm Antony Antony
2024-05-20 21:45 ` [PATCH ipsec-next v2 0/17] " Christian Hopps
2024-05-23 23:04 ` Christian Hopps
2024-05-24 11:52 ` Antony Antony
2024-05-24 11:56 ` Christian Hopps
2024-05-25 5:55 ` Christian Hopps
2024-06-06 15:52 ` [devel-ipsec] " Antony Antony
2024-06-07 5:54 ` Christian Hopps
2024-06-11 6:24 ` Antony Antony
2024-06-17 15:17 ` Christian Hopps
2024-06-17 15:39 ` Nicolas Dichtel
2024-06-17 16:05 ` Christian Hopps
2024-06-17 21:24 ` Nicolas Dichtel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zl354nSbE5mOMC2h@Antony2201.local \
--to=antony@phenome.org \
--cc=chopps@chopps.org \
--cc=chopps@labn.net \
--cc=devel@linux-ipsec.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).