Commit b27aeadb authored by Alexey Dobriyan's avatar Alexey Dobriyan Committed by David S. Miller

netns xfrm: per-netns sysctls

Make
	net.core.xfrm_aevent_etime
	net.core.xfrm_acq_expires
	net.core.xfrm_aevent_rseqth
	net.core.xfrm_larval_drop

sysctls per-netns.

For that make net_core_path[] global, register it to prevent two
/proc/net/core entries and change initcall position -- xfrm_init() is called
from fs_initcall, so this one should be fs_initcall at least.
Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c68cd1a0
...@@ -187,6 +187,7 @@ extern void inet_get_local_port_range(int *low, int *high); ...@@ -187,6 +187,7 @@ extern void inet_get_local_port_range(int *low, int *high);
extern int sysctl_ip_default_ttl; extern int sysctl_ip_default_ttl;
extern int sysctl_ip_nonlocal_bind; extern int sysctl_ip_nonlocal_bind;
extern struct ctl_path net_core_path[];
extern struct ctl_path net_ipv4_ctl_path[]; extern struct ctl_path net_ipv4_ctl_path[];
/* From inetpeer.c */ /* From inetpeer.c */
......
...@@ -6,6 +6,8 @@ ...@@ -6,6 +6,8 @@
#include <linux/workqueue.h> #include <linux/workqueue.h>
#include <linux/xfrm.h> #include <linux/xfrm.h>
struct ctl_table_header;
struct xfrm_policy_hash { struct xfrm_policy_hash {
struct hlist_head *table; struct hlist_head *table;
unsigned int hmask; unsigned int hmask;
...@@ -41,6 +43,14 @@ struct netns_xfrm { ...@@ -41,6 +43,14 @@ struct netns_xfrm {
struct work_struct policy_hash_work; struct work_struct policy_hash_work;
struct sock *nlsk; struct sock *nlsk;
u32 sysctl_aevent_etime;
u32 sysctl_aevent_rseqth;
int sysctl_larval_drop;
u32 sysctl_acq_expires;
#ifdef CONFIG_SYSCTL
struct ctl_table_header *sysctl_hdr;
#endif
}; };
#endif #endif
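Review bot: The four new sysctl fields in struct netns_xfrm carry no unit or meaning, and this is the place to record it now that the values are set in xfrm_sysctl.c and read from three other files. From the surviving uses, `sysctl_aevent_etime` is in 100 ms units (the comment kept in xfrm_user.c) and `sysctl_acq_expires` is in seconds (it is assigned to hard_add_expires_seconds in xfrm_state.c), so I would annotate them as `u32 sysctl_aevent_etime; /* 100ms units */` and `u32 sysctl_acq_expires; /* seconds */`. A short comment on `sysctl_hdr` saying it is only valid once xfrm_sysctl_init() has succeeded would also help, since the !CONFIG_SYSCTL build has no such field at all. The struct definition begins before this hunk.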
...@@ -47,11 +47,6 @@ ...@@ -47,11 +47,6 @@
#define XFRM_INC_STATS_USER(net, field) ((void)(net)) #define XFRM_INC_STATS_USER(net, field) ((void)(net))
#endif #endif
extern u32 sysctl_xfrm_aevent_etime;
extern u32 sysctl_xfrm_aevent_rseqth;
extern int sysctl_xfrm_larval_drop;
extern u32 sysctl_xfrm_acq_expires;
extern struct mutex xfrm_cfg_mutex; extern struct mutex xfrm_cfg_mutex;
/* Organization of SPD aka "XFRM rules" /* Organization of SPD aka "XFRM rules"
...@@ -1310,6 +1305,15 @@ extern int xfrm_proc_init(struct net *net); ...@@ -1310,6 +1305,15 @@ extern int xfrm_proc_init(struct net *net);
extern void xfrm_proc_fini(struct net *net); extern void xfrm_proc_fini(struct net *net);
#endif #endif
extern int xfrm_sysctl_init(struct net *net);
#ifdef CONFIG_SYSCTL
extern void xfrm_sysctl_fini(struct net *net);
#else
static inline void xfrm_sysctl_fini(struct net *net)
{
}
#endif
extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto); extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
int (*func)(struct xfrm_state *, int, void*), void *); int (*func)(struct xfrm_state *, int, void*), void *);
......
...@@ -12,7 +12,6 @@ ...@@ -12,7 +12,6 @@
#include <linux/netdevice.h> #include <linux/netdevice.h>
#include <linux/init.h> #include <linux/init.h>
#include <net/sock.h> #include <net/sock.h>
#include <net/xfrm.h>
static struct ctl_table net_core_table[] = { static struct ctl_table net_core_table[] = {
#ifdef CONFIG_NET #ifdef CONFIG_NET
...@@ -89,40 +88,6 @@ static struct ctl_table net_core_table[] = { ...@@ -89,40 +88,6 @@ static struct ctl_table net_core_table[] = {
.mode = 0644, .mode = 0644,
.proc_handler = proc_dointvec .proc_handler = proc_dointvec
}, },
#ifdef CONFIG_XFRM
{
.ctl_name = NET_CORE_AEVENT_ETIME,
.procname = "xfrm_aevent_etime",
.data = &sysctl_xfrm_aevent_etime,
.maxlen = sizeof(u32),
.mode = 0644,
.proc_handler = proc_dointvec
},
{
.ctl_name = NET_CORE_AEVENT_RSEQTH,
.procname = "xfrm_aevent_rseqth",
.data = &sysctl_xfrm_aevent_rseqth,
.maxlen = sizeof(u32),
.mode = 0644,
.proc_handler = proc_dointvec
},
{
.ctl_name = CTL_UNNUMBERED,
.procname = "xfrm_larval_drop",
.data = &sysctl_xfrm_larval_drop,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec
},
{
.ctl_name = CTL_UNNUMBERED,
.procname = "xfrm_acq_expires",
.data = &sysctl_xfrm_acq_expires,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec
},
#endif /* CONFIG_XFRM */
#endif /* CONFIG_NET */ #endif /* CONFIG_NET */
{ {
.ctl_name = NET_CORE_BUDGET, .ctl_name = NET_CORE_BUDGET,
...@@ -155,7 +120,7 @@ static struct ctl_table netns_core_table[] = { ...@@ -155,7 +120,7 @@ static struct ctl_table netns_core_table[] = {
{ .ctl_name = 0 } { .ctl_name = 0 }
}; };
static __net_initdata struct ctl_path net_core_path[] = { __net_initdata struct ctl_path net_core_path[] = {
{ .procname = "net", .ctl_name = CTL_NET, }, { .procname = "net", .ctl_name = CTL_NET, },
{ .procname = "core", .ctl_name = NET_CORE, }, { .procname = "core", .ctl_name = NET_CORE, },
{ }, { },
...@@ -207,8 +172,11 @@ static __net_initdata struct pernet_operations sysctl_core_ops = { ...@@ -207,8 +172,11 @@ static __net_initdata struct pernet_operations sysctl_core_ops = {
static __init int sysctl_core_init(void) static __init int sysctl_core_init(void)
{ {
static struct ctl_table empty[1];
register_sysctl_paths(net_core_path, empty);
register_net_sysctl_rotable(net_core_path, net_core_table); register_net_sysctl_rotable(net_core_path, net_core_table);
return register_pernet_subsys(&sysctl_core_ops); return register_pernet_subsys(&sysctl_core_ops);
} }
__initcall(sysctl_core_init); fs_initcall(sysctl_core_init);
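Review bot: The header returned by `register_sysctl_paths(net_core_path, empty)` in sysctl_core_init is dropped, so a NULL result (allocation failure) goes unnoticed and the root net/core registration can never be undone; at minimum check it, `if (!register_sysctl_paths(net_core_path, empty)) return -ENOMEM;`, or keep the header in a file-scope static with a comment that it is intentionally permanent. The description says xfrm_init() is also an fs_initcall, so after this change the relative order of the two registrations presumably rests on link order; a one-line comment above `fs_initcall(sysctl_core_init);` stating that the root path must exist before xfrm registers its per-netns table would make that dependency visible. In the preceding hunk `net_core_path[]` keeps `__net_initdata` while becoming global; that looks consistent with its only new user being a `__net_init` function, but it is worth confirming that no non-init code picks up the extern from ip.h.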
...@@ -3,8 +3,8 @@ ...@@ -3,8 +3,8 @@
# #
obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \
xfrm_input.o xfrm_output.o xfrm_algo.o xfrm_input.o xfrm_output.o xfrm_algo.o \
xfrm_sysctl.o
obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o
obj-$(CONFIG_XFRM_USER) += xfrm_user.o obj-$(CONFIG_XFRM_USER) += xfrm_user.o
obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o
...@@ -34,8 +34,6 @@ ...@@ -34,8 +34,6 @@
#include "xfrm_hash.h" #include "xfrm_hash.h"
int sysctl_xfrm_larval_drop __read_mostly = 1;
DEFINE_MUTEX(xfrm_cfg_mutex); DEFINE_MUTEX(xfrm_cfg_mutex);
EXPORT_SYMBOL(xfrm_cfg_mutex); EXPORT_SYMBOL(xfrm_cfg_mutex);
...@@ -1671,7 +1669,7 @@ int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl, ...@@ -1671,7 +1669,7 @@ int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
if (unlikely(nx<0)) { if (unlikely(nx<0)) {
err = nx; err = nx;
if (err == -EAGAIN && sysctl_xfrm_larval_drop) { if (err == -EAGAIN && net->xfrm.sysctl_larval_drop) {
/* EREMOTE tells the caller to generate /* EREMOTE tells the caller to generate
* a one-shot blackhole route. * a one-shot blackhole route.
*/ */
...@@ -2504,8 +2502,13 @@ static int __net_init xfrm_net_init(struct net *net) ...@@ -2504,8 +2502,13 @@ static int __net_init xfrm_net_init(struct net *net)
rv = xfrm_policy_init(net); rv = xfrm_policy_init(net);
if (rv < 0) if (rv < 0)
goto out_policy; goto out_policy;
rv = xfrm_sysctl_init(net);
if (rv < 0)
goto out_sysctl;
return 0; return 0;
out_sysctl:
xfrm_policy_fini(net);
out_policy: out_policy:
xfrm_state_fini(net); xfrm_state_fini(net);
out_state: out_state:
...@@ -2516,6 +2519,7 @@ static int __net_init xfrm_net_init(struct net *net) ...@@ -2516,6 +2519,7 @@ static int __net_init xfrm_net_init(struct net *net)
static void __net_exit xfrm_net_exit(struct net *net) static void __net_exit xfrm_net_exit(struct net *net)
{ {
xfrm_sysctl_fini(net);
xfrm_policy_fini(net); xfrm_policy_fini(net);
xfrm_state_fini(net); xfrm_state_fini(net);
xfrm_statistics_fini(net); xfrm_statistics_fini(net);
......
...@@ -24,14 +24,6 @@ ...@@ -24,14 +24,6 @@
#include "xfrm_hash.h" #include "xfrm_hash.h"
u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
u32 sysctl_xfrm_acq_expires __read_mostly = 30;
/* Each xfrm_state may be linked to two tables: /* Each xfrm_state may be linked to two tables:
1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl) 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
...@@ -851,8 +843,8 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, ...@@ -851,8 +843,8 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, family); h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, family);
hlist_add_head(&x->byspi, net->xfrm.state_byspi+h); hlist_add_head(&x->byspi, net->xfrm.state_byspi+h);
} }
x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires;
x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; x->timer.expires = jiffies + net->xfrm.sysctl_acq_expires*HZ;
add_timer(&x->timer); add_timer(&x->timer);
net->xfrm.state_num++; net->xfrm.state_num++;
xfrm_hash_grow_check(net, x->bydst.next != NULL); xfrm_hash_grow_check(net, x->bydst.next != NULL);
...@@ -1040,9 +1032,9 @@ static struct xfrm_state *__find_acq_core(struct net *net, unsigned short family ...@@ -1040,9 +1032,9 @@ static struct xfrm_state *__find_acq_core(struct net *net, unsigned short family
x->props.family = family; x->props.family = family;
x->props.mode = mode; x->props.mode = mode;
x->props.reqid = reqid; x->props.reqid = reqid;
x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires;
xfrm_state_hold(x); xfrm_state_hold(x);
x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; x->timer.expires = jiffies + net->xfrm.sysctl_acq_expires*HZ;
add_timer(&x->timer); add_timer(&x->timer);
list_add(&x->km.all, &net->xfrm.state_all); list_add(&x->km.all, &net->xfrm.state_all);
hlist_add_head(&x->bydst, net->xfrm.state_bydst+h); hlist_add_head(&x->bydst, net->xfrm.state_bydst+h);
......
#include <linux/sysctl.h>
#include <net/net_namespace.h>
#include <net/xfrm.h>
static void __xfrm_sysctl_init(struct net *net)
{
net->xfrm.sysctl_aevent_etime = XFRM_AE_ETIME;
net->xfrm.sysctl_aevent_rseqth = XFRM_AE_SEQT_SIZE;
net->xfrm.sysctl_larval_drop = 1;
net->xfrm.sysctl_acq_expires = 30;
}
#ifdef CONFIG_SYSCTL
static struct ctl_table xfrm_table[] = {
{
.ctl_name = NET_CORE_AEVENT_ETIME,
.procname = "xfrm_aevent_etime",
.maxlen = sizeof(u32),
.mode = 0644,
.proc_handler = proc_dointvec
},
{
.ctl_name = NET_CORE_AEVENT_RSEQTH,
.procname = "xfrm_aevent_rseqth",
.maxlen = sizeof(u32),
.mode = 0644,
.proc_handler = proc_dointvec
},
{
.ctl_name = CTL_UNNUMBERED,
.procname = "xfrm_larval_drop",
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec
},
{
.ctl_name = CTL_UNNUMBERED,
.procname = "xfrm_acq_expires",
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec
},
{}
};
int __net_init xfrm_sysctl_init(struct net *net)
{
struct ctl_table *table;
__xfrm_sysctl_init(net);
table = kmemdup(xfrm_table, sizeof(xfrm_table), GFP_KERNEL);
if (!table)
goto out_kmemdup;
table[0].data = &net->xfrm.sysctl_aevent_etime;
table[1].data = &net->xfrm.sysctl_aevent_rseqth;
table[2].data = &net->xfrm.sysctl_larval_drop;
table[3].data = &net->xfrm.sysctl_acq_expires;
net->xfrm.sysctl_hdr = register_net_sysctl_table(net, net_core_path, table);
if (!net->xfrm.sysctl_hdr)
goto out_register;
return 0;
out_register:
kfree(table);
out_kmemdup:
return -ENOMEM;
}
void xfrm_sysctl_fini(struct net *net)
{
struct ctl_table *table;
table = net->xfrm.sysctl_hdr->ctl_table_arg;
unregister_net_sysctl_table(net->xfrm.sysctl_hdr);
kfree(table);
}
#else
int __net_init xfrm_sysctl_init(struct net *net)
{
__xfrm_sysctl_init(net);
return 0;
}
#endif
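Review bot: In xfrm_sysctl_init the `table[0..3].data` assignments are tied to the position of entries in xfrm_table[] by nothing but the index, so adding or reordering a sysctl later silently points a proc entry at the wrong field; a one-line `/* indices must match the order of xfrm_table[] */` above `table[0].data = ...` is the minimum, or an enum of indices used in both places. The table also keeps `proc_dointvec` for the u32 fields `sysctl_aevent_etime` and `sysctl_acq_expires` (carried over from the removed net_core_table entries), so a negative write is accepted into a u32 and then multiplied by HZ in xfrm_state.c; `proc_dointvec_minmax` with `.extra1` pointing at a zero lower bound would bound it. Finally, the CONFIG_SYSCTL `xfrm_sysctl_fini` dereferences `net->xfrm.sysctl_hdr` unconditionally, which holds only because xfrm_net_init unwinds without calling it when registration fails; a comment stating that precondition would help, as the !CONFIG_SYSCTL stub in xfrm.h makes the pairing non-obvious.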
...@@ -368,9 +368,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, ...@@ -368,9 +368,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
goto error; goto error;
x->km.seq = p->seq; x->km.seq = p->seq;
x->replay_maxdiff = sysctl_xfrm_aevent_rseqth; x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth;
/* sysctl_xfrm_aevent_etime is in 100ms units */ /* sysctl_xfrm_aevent_etime is in 100ms units */
x->replay_maxage = (sysctl_xfrm_aevent_etime*HZ)/XFRM_AE_ETH_M; x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M;
x->preplay.bitmap = 0; x->preplay.bitmap = 0;
x->preplay.seq = x->replay.seq+x->replay_maxdiff; x->preplay.seq = x->replay.seq+x->replay_maxdiff;
x->preplay.oseq = x->replay.oseq +x->replay_maxdiff; x->preplay.oseq = x->replay.oseq +x->replay_maxdiff;
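Review bot: The comment above the replay_maxage assignment still names the removed global `sysctl_xfrm_aevent_etime`, so it is stale as of this hunk; change it to `/* sysctl_aevent_etime is in 100ms units */` so a grep for the new per-netns field finds the unit note. xfrm_state_construct's body continues outside the hunk.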
......