• David S. Miller's avatar
    [XFRM]: Hash policies when non-prefixed. · 2518c7c2
    David S. Miller authored
    This idea is from Alexey Kuznetsov.
    
    It is common for policies to be non-prefixed.  And for
    that case we can optimize lookups, insert, etc. quite
    a bit.
    
    For each direction, we have a dynamically sized policy
    hash table for non-prefixed policies.  We also have a
    hash table on policy->index.
    
    For prefixed policies, we have a list per-direction which
    we will consult on lookups when a non-prefix hashtable
    lookup fails.
    
    This still isn't as efficient as I would like it.  There
    are four immediate problems:
    
    1) Lots of excessive refcounting, which can be fixed just
       like xfrm_state was
    2) We do 2 hash probes on insert, one to look for dups and
       one to allocate a unique policy->index.  Althought I wonder
       how much this matters since xfrm_state inserts do up to
       3 hash probes and that seems to perform fine.
    3) xfrm_policy_insert() is very complex because of the priority
       ordering and entry replacement logic.
    4) Lots of counter bumping, in addition to policy refcounts,
       in the form of xfrm_policy_count[].  This is merely used
       to let code path(s) know that some IPSEC rules exist.  So
       this count is indexed per-direction, maybe that is overkill.
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2518c7c2
xfrm_policy.c 48.2 KB