* [PATCH ipsec-next v2 0/2] xfrm: make gc_thresh configurable in all namespaces
@ 2013-02-06  9:46 Michal Kubecek
  2013-02-06  9:46 ` [PATCH ipsec-next v2 1/2] xfrm: remove unused xfrm4_policy_fini() Michal Kubecek
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Michal Kubecek @ 2013-02-06  9:46 UTC (permalink / raw)
  To: Steffen Klassert; +Cc: Herbert Xu, David S. Miller, netdev

Changes from original version:

- remove unused xfrm4_fini() to avoid section mismatch
- don't mark xfrm6_net_ops as __net_initdata to avoid section mismatch

Michal Kubecek (2):
  xfrm: remove unused xfrm4_policy_fini()
  xfrm: make gc_thresh configurable in all namespaces

 include/net/netns/ipv4.h |    1 +
 include/net/netns/ipv6.h |    1 +
 net/ipv4/xfrm4_policy.c  |   58 ++++++++++++++++++++++++++++++++++++----------
 net/ipv6/xfrm6_policy.c  |   52 +++++++++++++++++++++++++++++++++++++----
 4 files changed, 95 insertions(+), 17 deletions(-)

-- 
1.7.10.4


* [PATCH ipsec-next v2 1/2] xfrm: remove unused xfrm4_policy_fini()
  2013-02-06  9:46 [PATCH ipsec-next v2 0/2] xfrm: make gc_thresh configurable in all namespaces Michal Kubecek
@ 2013-02-06  9:46 ` Michal Kubecek
  2013-02-06  9:46 ` [PATCH ipsec-next v2 2/2] xfrm: make gc_thresh configurable in all namespaces Michal Kubecek
  2013-02-07 10:52 ` [PATCH ipsec-next v2 0/2] " Steffen Klassert
  2 siblings, 0 replies; 4+ messages in thread
From: Michal Kubecek @ 2013-02-06  9:46 UTC (permalink / raw)
  To: Steffen Klassert; +Cc: Herbert Xu, David S. Miller, netdev

Function xfrm4_policy_fini() is unused since xfrm4_fini() was
removed in 2.6.11.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
 net/ipv4/xfrm4_policy.c |    9 ---------
 1 file changed, 9 deletions(-)

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 3be0ac2..0e28383 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -270,15 +270,6 @@ static void __init xfrm4_policy_init(void)
 	xfrm_policy_register_afinfo(&xfrm4_policy_afinfo);
 }
 
-static void __exit xfrm4_policy_fini(void)
-{
-#ifdef CONFIG_SYSCTL
-	if (sysctl_hdr)
-		unregister_net_sysctl_table(sysctl_hdr);
-#endif
-	xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo);
-}
-
 void __init xfrm4_init(void)
 {
 	dst_entries_init(&xfrm4_dst_ops);
-- 
1.7.10.4


* [PATCH ipsec-next v2 2/2] xfrm: make gc_thresh configurable in all namespaces
  2013-02-06  9:46 [PATCH ipsec-next v2 0/2] xfrm: make gc_thresh configurable in all namespaces Michal Kubecek
  2013-02-06  9:46 ` [PATCH ipsec-next v2 1/2] xfrm: remove unused xfrm4_policy_fini() Michal Kubecek
@ 2013-02-06  9:46 ` Michal Kubecek
  2013-02-07 10:52 ` [PATCH ipsec-next v2 0/2] " Steffen Klassert
  2 siblings, 0 replies; 4+ messages in thread
From: Michal Kubecek @ 2013-02-06  9:46 UTC (permalink / raw)
  To: Steffen Klassert; +Cc: Herbert Xu, David S. Miller, netdev

The xfrm gc threshold can be configured via the xfrm{4,6}_gc_thresh
sysctl, but currently only in init_net; other namespaces always
use the default value. This can substantially limit the number
of IPsec tunnels that can be effectively used.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
 include/net/netns/ipv4.h |    1 +
 include/net/netns/ipv6.h |    1 +
 net/ipv4/xfrm4_policy.c  |   49 ++++++++++++++++++++++++++++++++++++++++---
 net/ipv6/xfrm6_policy.c  |   52 +++++++++++++++++++++++++++++++++++++++++-----
 4 files changed, 95 insertions(+), 8 deletions(-)

diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 9b78862..2ba9de8 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -22,6 +22,7 @@ struct netns_ipv4 {
 	struct ctl_table_header	*frags_hdr;
 	struct ctl_table_header	*ipv4_hdr;
 	struct ctl_table_header *route_hdr;
+	struct ctl_table_header *xfrm4_hdr;
 #endif
 	struct ipv4_devconf	*devconf_all;
 	struct ipv4_devconf	*devconf_dflt;
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index 214cb0a..1242f37 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -16,6 +16,7 @@ struct netns_sysctl_ipv6 {
 	struct ctl_table_header *route_hdr;
 	struct ctl_table_header *icmp_hdr;
 	struct ctl_table_header *frags_hdr;
+	struct ctl_table_header *xfrm6_hdr;
 #endif
 	int bindv6only;
 	int flush_delay;
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 0e28383..9a459be 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -262,7 +262,51 @@ static struct ctl_table xfrm4_policy_table[] = {
 	{ }
 };
 
-static struct ctl_table_header *sysctl_hdr;
+static int __net_init xfrm4_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	struct ctl_table_header *hdr;
+
+	table = xfrm4_policy_table;
+	if (!net_eq(net, &init_net)) {
+		table = kmemdup(table, sizeof(xfrm4_policy_table), GFP_KERNEL);
+		if (!table)
+			goto err_alloc;
+
+		table[0].data = &net->xfrm.xfrm4_dst_ops.gc_thresh;
+	}
+
+	hdr = register_net_sysctl(net, "net/ipv4", table);
+	if (!hdr)
+		goto err_reg;
+
+	net->ipv4.xfrm4_hdr = hdr;
+	return 0;
+
+err_reg:
+	if (!net_eq(net, &init_net))
+		kfree(table);
+err_alloc:
+	return -ENOMEM;
+}
+
+static void __net_exit xfrm4_net_exit(struct net *net)
+{
+	struct ctl_table *table;
+
+	if (net->ipv4.xfrm4_hdr == NULL)
+		return;
+
+	table = net->ipv4.xfrm4_hdr->ctl_table_arg;
+	unregister_net_sysctl_table(net->ipv4.xfrm4_hdr);
+	if (!net_eq(net, &init_net))
+		kfree(table);
+}
+
+static struct pernet_operations __net_initdata xfrm4_net_ops = {
+	.init	= xfrm4_net_init,
+	.exit	= xfrm4_net_exit,
+};
 #endif
 
 static void __init xfrm4_policy_init(void)
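Review bot: xfrm4_net_init() registers a writable copy of the gc threshold in every network namespace, so whoever may write net sysctls in a namespace can now raise the cap on cached xfrm dst entries for it; the table's mode and proc_handler are defined above this hunk, so whether the value is bounded cannot be seen here. If owners of namespaces outside the initial user namespace are not meant to tune it, the copy could be hidden with `if (net->user_ns != &init_user_ns) table[0].procname = NULL;` right after the kmemdup(), or the entry given min/max bounds. `table[0].data = ...` also depends on the gc_thresh entry staying first in xfrm4_policy_table, which deserves a comment such as `/* entry 0 is xfrm4_gc_thresh; point the copy at this netns's dst_ops */`. The same two points apply to xfrm6_net_init() in net/ipv6/xfrm6_policy.c.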
@@ -277,8 +321,7 @@ void __init xfrm4_init(void)
 	xfrm4_state_init();
 	xfrm4_policy_init();
 #ifdef CONFIG_SYSCTL
-	sysctl_hdr = register_net_sysctl(&init_net, "net/ipv4",
-					 xfrm4_policy_table);
+	register_pernet_subsys(&xfrm4_net_ops);
 #endif
 }
 
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 1282737..4ef7bdb 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -320,7 +320,51 @@ static struct ctl_table xfrm6_policy_table[] = {
 	{ }
 };
 
-static struct ctl_table_header *sysctl_hdr;
+static int __net_init xfrm6_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	struct ctl_table_header *hdr;
+
+	table = xfrm6_policy_table;
+	if (!net_eq(net, &init_net)) {
+		table = kmemdup(table, sizeof(xfrm6_policy_table), GFP_KERNEL);
+		if (!table)
+			goto err_alloc;
+
+		table[0].data = &net->xfrm.xfrm6_dst_ops.gc_thresh;
+	}
+
+	hdr = register_net_sysctl(net, "net/ipv6", table);
+	if (!hdr)
+		goto err_reg;
+
+	net->ipv6.sysctl.xfrm6_hdr = hdr;
+	return 0;
+
+err_reg:
+	if (!net_eq(net, &init_net))
+		kfree(table);
+err_alloc:
+	return -ENOMEM;
+}
+
+static void __net_exit xfrm6_net_exit(struct net *net)
+{
+	struct ctl_table *table;
+
+	if (net->ipv6.sysctl.xfrm6_hdr == NULL)
+		return;
+
+	table = net->ipv6.sysctl.xfrm6_hdr->ctl_table_arg;
+	unregister_net_sysctl_table(net->ipv6.sysctl.xfrm6_hdr);
+	if (!net_eq(net, &init_net))
+		kfree(table);
+}
+
+static struct pernet_operations xfrm6_net_ops = {
+	.init	= xfrm6_net_init,
+	.exit	= xfrm6_net_exit,
+};
 #endif
 
 int __init xfrm6_init(void)
@@ -339,8 +383,7 @@ int __init xfrm6_init(void)
 		goto out_policy;
 
 #ifdef CONFIG_SYSCTL
-	sysctl_hdr = register_net_sysctl(&init_net, "net/ipv6",
-					 xfrm6_policy_table);
+	register_pernet_subsys(&xfrm6_net_ops);
 #endif
 out:
 	return ret;
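Review bot: The result of `register_pernet_subsys(&xfrm6_net_ops)` is discarded in xfrm6_init(), so a failed registration (xfrm6_net_init() can return -ENOMEM) still reports success, and xfrm6_fini() in the next hunk then calls `unregister_pernet_subsys(&xfrm6_net_ops)` on ops that were never registered. The function already carries `ret` and unwind labels, so `ret = register_pernet_subsys(&xfrm6_net_ops);` followed by a jump to an unwind label on failure would keep the error visible. The labels after `out:` lie outside this hunk, so the order in which state and policy setup must be undone has to be checked there. xfrm4_init() in net/ipv4/xfrm4_policy.c drops the same return value; it is `void __init`, so logging the failure is probably the most it can do.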
@@ -352,8 +395,7 @@ out_policy:
 void xfrm6_fini(void)
 {
 #ifdef CONFIG_SYSCTL
-	if (sysctl_hdr)
-		unregister_net_sysctl_table(sysctl_hdr);
+	unregister_pernet_subsys(&xfrm6_net_ops);
 #endif
 	xfrm6_policy_fini();
 	xfrm6_state_fini();
-- 
1.7.10.4


* Re: [PATCH ipsec-next v2 0/2] xfrm: make gc_thresh configurable in all namespaces
  2013-02-06  9:46 [PATCH ipsec-next v2 0/2] xfrm: make gc_thresh configurable in all namespaces Michal Kubecek
  2013-02-06  9:46 ` [PATCH ipsec-next v2 1/2] xfrm: remove unused xfrm4_policy_fini() Michal Kubecek
  2013-02-06  9:46 ` [PATCH ipsec-next v2 2/2] xfrm: make gc_thresh configurable in all namespaces Michal Kubecek
@ 2013-02-07 10:52 ` Steffen Klassert
  2 siblings, 0 replies; 4+ messages in thread
From: Steffen Klassert @ 2013-02-07 10:52 UTC (permalink / raw)
  To: Michal Kubecek; +Cc: Herbert Xu, David S. Miller, netdev

On Wed, Feb 06, 2013 at 10:46:13AM +0100, Michal Kubecek wrote:
> Changes from original version:
> 
> - remove unused xfrm4_fini() to avoid section mismatch
> - don't mark xfrm6_net_ops as __net_initdata to avoid section mismatch
> 
> Michal Kubecek (2):
>   xfrm: remove unused xfrm4_policy_fini()
>   xfrm: make gc_thresh configurable in all namespaces

Applied to ipsec-next, thanks!

