PERFORCE change 94916 for review
George V. Neville-Neil
gnn at FreeBSD.org
Mon Apr 10 15:28:01 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=94916
Change 94916 by gnn at gnn_devbox_fast_ipsec on 2006/04/10 15:27:36
Make it possible to build FAST_IPSEC with INET6.
Fix a lock order reversal (LOR) in crypto.c that results from dealing with SA bundles when using direct dispatch.
Affected files ...
.. //depot/projects/gnn_fast_ipsec/src/sys/netinet6/in6_proto.c#3 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.c#3 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.h#3 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec_output.c#3 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/key.c#5 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/keysock.c#5 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/opencrypto/crypto.c#3 edit
Differences ...
==== //depot/projects/gnn_fast_ipsec/src/sys/netinet6/in6_proto.c#3 (text+ko) ====
@@ -129,11 +129,6 @@
#ifdef FAST_IPSEC
#include <netipsec/ipsec6.h>
-#define IPSEC
-#define IPSEC_ESP
-#define ah6_input ipsec6_common_input
-#define esp6_input ipsec6_common_input
-#define ipcomp6_input ipsec6_common_input
#endif /* FAST_IPSEC */
#include <netinet6/ip6protosw.h>
@@ -234,7 +229,7 @@
.pr_input = frag6_input,
.pr_usrreqs = &nousrreqs
},
-#ifdef IPSEC
+#if defined(IPSEC)
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
@@ -243,7 +238,7 @@
.pr_input = ah6_input,
.pr_usrreqs = &nousrreqs,
},
-#ifdef IPSEC_ESP
+#if defined(IPSEC_ESP)
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
@@ -253,7 +248,7 @@
.pr_ctlinput = esp6_ctlinput,
.pr_usrreqs = &nousrreqs,
},
-#endif
+#endif /* IPSEC_ESP */
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
@@ -263,6 +258,33 @@
.pr_usrreqs = &nousrreqs,
},
#endif /* IPSEC */
+#if defined(FAST_IPSEC)
+{
+ .pr_type = SOCK_RAW,
+ .pr_domain = &inet6domain,
+ .pr_protocol = IPPROTO_AH,
+ .pr_flags = PR_ATOMIC|PR_ADDR,
+ .pr_input = ipsec6_common_input,
+ .pr_usrreqs = &nousrreqs,
+},
+{
+ .pr_type = SOCK_RAW,
+ .pr_domain = &inet6domain,
+ .pr_protocol = IPPROTO_ESP,
+ .pr_flags = PR_ATOMIC|PR_ADDR,
+ .pr_input = ipsec6_common_input,
+ .pr_ctlinput = esp6_ctlinput,
+ .pr_usrreqs = &nousrreqs,
+},
+{
+ .pr_type = SOCK_RAW,
+ .pr_domain = &inet6domain,
+ .pr_protocol = IPPROTO_IPCOMP,
+ .pr_flags = PR_ATOMIC|PR_ADDR,
+ .pr_input = ipsec6_common_input,
+ .pr_usrreqs = &nousrreqs,
+},
+#endif /* FAST_IPSEC */
#ifdef INET
{
.pr_type = SOCK_RAW,
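Review bot: Nothing in this hunk stops `IPSEC` and `FAST_IPSEC` from both being defined, in which case the table gets two entries each for `IPPROTO_AH`, `IPPROTO_ESP` and `IPPROTO_IPCOMP` with different `.pr_input` handlers. Which handler then receives inbound AH/ESP traffic would depend on lookup order, which should not be left implicit for the code that authenticates and decrypts packets. If the two options are meant to be exclusive, enforce it at the top of the new block with `#if defined(IPSEC) && defined(FAST_IPSEC)` / `#error "IPSEC and FAST_IPSEC are mutually exclusive"` / `#endif`. The new ESP entry also references `esp6_ctlinput`, whose declaration is outside this hunk, so confirm one is visible when only `FAST_IPSEC` is set.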
@@ -418,9 +440,9 @@
SYSCTL_NODE(_net_inet6, IPPROTO_ICMPV6, icmp6, CTLFLAG_RW, 0, "ICMP6");
SYSCTL_NODE(_net_inet6, IPPROTO_UDP, udp6, CTLFLAG_RW, 0, "UDP6");
SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp6, CTLFLAG_RW, 0, "TCP6");
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, CTLFLAG_RW, 0, "IPSEC6");
-#endif /* IPSEC */
+#endif /* IPSEC || FAST_IPSEC */
/* net.inet6.ip6 */
static int
==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.c#3 (text+ko) ====
@@ -1,4 +1,4 @@
-/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.12 2005/06/02 23:56:10 hmp Exp $ */
+/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.13 2006/03/25 13:38:52 gnn Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
/*-
@@ -149,7 +149,8 @@
SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
ipsecstats, CTLFLAG_RD, &newipsecstat, newipsecstat, "");
-#ifdef INET6
+#ifdef INET6
+struct newipsecstat newipsec6stat;
int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
@@ -180,6 +181,8 @@
debug, CTLFLAG_RW, &ipsec_debug, 0, "");
SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
+SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
+ ipsecstats, CTLFLAG_RD, &newipsec6stat, newipsecstat, "");
#endif /* INET6 */
static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.h#3 (text+ko) ====
==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec_output.c#3 (text+ko) ====
==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/key.c#5 (text+ko) ====
@@ -1,4 +1,4 @@
-/* $FreeBSD: src/sys/netipsec/key.c,v 1.20 2005/01/07 01:45:46 imp Exp $ */
+/* $FreeBSD: src/sys/netipsec/key.c,v 1.21 2006/03/25 13:38:52 gnn Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
/*-
@@ -6257,16 +6257,12 @@
static int
key_expire(struct secasvar *sav)
{
- int s;
int satype;
struct mbuf *result = NULL, *m;
int len;
int error = -1;
struct sadb_lifetime *lt;
- /* XXX: Why do we lock ? */
- s = splnet(); /*called from softclock()*/
-
IPSEC_ASSERT (sav != NULL, ("null sav"));
IPSEC_ASSERT (sav->sah != NULL, ("null sa header"));
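Review bot: With `splnet()` gone, key_expire() no longer states or checks what protects `sav` and `sav->sah` while the expire message is built; the deleted `/* XXX: Why do we lock ? */` was the only hint. Add a lock assertion next to the two `IPSEC_ASSERT` lines, or at least a comment such as `/* Caller holds the SA database lock; sav cannot be freed while the message is built. */`, adjusted to whatever the caller really guarantees, which is not visible here. The same applies to the later key_expire() hunk that drops both `splx(s)` calls, and to the `key_parse(m, so)` call in keysock.c, where the removed `/*XXX giant lock*/` comment is not replaced by anything. The function body continues outside this hunk.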
@@ -6359,13 +6355,11 @@
mtod(result, struct sadb_msg *)->sadb_msg_len =
PFKEY_UNIT64(result->m_pkthdr.len);
- splx(s);
return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
fail:
if (result)
m_freem(result);
- splx(s);
return error;
}
==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/keysock.c#5 (text+ko) ====
@@ -81,7 +81,6 @@
{
struct sadb_msg *msg;
int len, error = 0;
- int s;
if (m == 0)
panic("%s: NULL pointer was passed.\n", __func__);
@@ -116,11 +115,8 @@
goto end;
}
- /*XXX giant lock*/
- s = splnet();
error = key_parse(m, so);
m = NULL;
- splx(s);
end:
if (m)
m_freem(m);
@@ -278,22 +274,18 @@
pfkeystat.in_total++;
pfkeystat.in_bytes += m->m_pkthdr.len;
if (m->m_len < sizeof(struct sadb_msg)) {
-#if 1
m = m_pullup(m, sizeof(struct sadb_msg));
if (m == NULL) {
pfkeystat.in_nomem++;
return ENOBUFS;
}
-#else
- /* don't bother pulling it up just for stats */
-#endif
}
if (m->m_len >= sizeof(struct sadb_msg)) {
struct sadb_msg *msg;
msg = mtod(m, struct sadb_msg *);
pfkeystat.in_msgtype[msg->sadb_msg_type]++;
}
-
+ mtx_lock(&rawcb_mtx);
LIST_FOREACH(rp, &rawcb_list, list)
{
if (rp->rcb_proto.sp_family != PF_KEY)
@@ -344,11 +336,13 @@
if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
m_freem(m);
pfkeystat.in_nomem++;
+ mtx_unlock(&rawcb_mtx);
return ENOBUFS;
}
if ((error = key_sendup0(rp, n, 0)) != 0) {
m_freem(m);
+ mtx_unlock(&rawcb_mtx);
return error;
}
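Review bot: `rawcb_mtx` is now released by hand on every exit (the two error returns here and the normal return in the next hunk), so any other `return` or future early exit inside the `LIST_FOREACH` body, most of which is outside these hunks, would leave the mutex held. A single exit is easier to audit: use `error = ENOBUFS; goto out;` in the failure branches and put an `out:` label in front of the final `mtx_unlock(&rawcb_mtx);`. The mutex is also held across `key_sendup0()`, which is not shown; if that function appends to a socket buffer and wakes the receiver, a short comment on the intended order between `rawcb_mtx` and the socket-buffer lock would help the next reader.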
@@ -362,6 +356,7 @@
error = 0;
m_freem(m);
}
+ mtx_unlock(&rawcb_mtx);
return error;
}
@@ -372,7 +367,6 @@
static void
key_abort(struct socket *so)
{
-
raw_usrreqs.pru_abort(so);
}
@@ -384,29 +378,21 @@
key_attach(struct socket *so, int proto, struct thread *td)
{
struct keycb *kp;
- int s, error;
+ int error;
+
+ KASSERT(so->so_pcb == NULL, ("key_attach: so_pcb != NULL"));
- if (sotorawcb(so) != 0)
- return EISCONN; /* XXX panic? */
- kp = (struct keycb *)malloc(sizeof *kp, M_PCB, M_WAITOK|M_ZERO); /* XXX */
+ /* XXX */
+ MALLOC(kp, struct keycb *, sizeof *kp, M_PCB, M_WAITOK | M_ZERO);
if (kp == 0)
return ENOBUFS;
- /*
- * The splnet() is necessary to block protocols from sending
- * error notifications (like RTM_REDIRECT or RTM_LOSING) while
- * this PCB is extant but incompletely initialized.
- * Probably we should try to do more of this work beforehand and
- * eliminate the spl.
- */
- s = splnet();
so->so_pcb = (caddr_t)kp;
- error = raw_usrreqs.pru_attach(so, proto, td);
+ error = raw_attach(so, proto);
kp = (struct keycb *)sotorawcb(so);
if (error) {
free(kp, M_PCB);
so->so_pcb = (caddr_t) 0;
- splx(s);
return error;
}
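Review bot: The deleted comment explained that `splnet()` kept other code from acting on this PCB while it was "extant but incompletely initialized", and the new code drops that protection without a replacement: after `raw_attach(so, proto)` returns, the rest of the `kp` setup (continuing past this hunk) runs with no lock visible. If `raw_attach()` links the control block onto `rawcb_list`, which is not shown here, then `key_sendup_mbuf()`, which now walks that list under `rawcb_mtx`, could observe a half-built `keycb`. Either finish initialising `kp` before attaching or do the remaining setup under `rawcb_mtx`, and replace the removed comment with one saying which of the two is relied on. Separately, `KASSERT(so->so_pcb == NULL, ...)` is compiled out of kernels built without INVARIANTS, so the old `EISCONN` check has no runtime equivalent there.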
@@ -420,7 +406,6 @@
soisconnected(so);
so->so_options |= SO_USELOOPBACK;
- splx(s);
return 0;
}
@@ -431,11 +416,7 @@
static int
key_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
{
- int s, error;
- s = splnet();
- error = raw_usrreqs.pru_bind(so, nam, td); /* xxx just EINVAL */
- splx(s);
- return error;
+ return EINVAL;
}
/*
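Review bot: key_bind() now returns a bare `EINVAL` and ignores `nam` and `td`, and the deleted trailing comment (`xxx just EINVAL`) was the only explanation of why. A one-line comment such as `/* bind is not meaningful on a PF_KEY socket; the raw pru_bind this replaced also just returned EINVAL */` keeps that reasoning; the second half is taken from the removed comment and should be confirmed. The key_connect() hunk that follows needs the same comment.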
@@ -445,11 +426,7 @@
static int
key_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
{
- int s, error;
- s = splnet();
- error = raw_usrreqs.pru_connect(so, nam, td); /* XXX just EINVAL */
- splx(s);
- return error;
+ return EINVAL;
}
/*
@@ -460,7 +437,6 @@
key_detach(struct socket *so)
{
struct keycb *kp = (struct keycb *)sotorawcb(so);
- int s, error;
KASSERT(kp != NULL, ("key_detach: kp == NULL"));
if (kp->kp_raw.rcb_proto.sp_protocol
@@ -479,11 +455,7 @@
static int
key_disconnect(struct socket *so)
{
- int s, error;
- s = splnet();
- error = raw_usrreqs.pru_disconnect(so);
- splx(s);
- return error;
+ return(raw_usrreqs.pru_disconnect(so));
}
/*
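Review bot: The new one-line body `return(raw_usrreqs.pru_disconnect(so));` does not match the unparenthesised form the rest of this file uses in the visible context (`return error;`, `return ENOBUFS;`, and the new `return EINVAL;`); write `return raw_usrreqs.pru_disconnect(so);`. The same applies to the key_peeraddr(), key_send(), key_shutdown() and key_sockaddr() hunks below. With the `splnet()` bracket gone these five functions are plain pass-throughs, so each should carry a one-line comment saying that any locking is left to the `raw_usrreqs` handler.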
@@ -493,11 +465,7 @@
static int
key_peeraddr(struct socket *so, struct sockaddr **nam)
{
- int s, error;
- s = splnet();
- error = raw_usrreqs.pru_peeraddr(so, nam);
- splx(s);
- return error;
+ return(raw_usrreqs.pru_peeraddr(so, nam));
}
/*
@@ -508,11 +476,7 @@
key_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
struct mbuf *control, struct thread *td)
{
- int s, error;
- s = splnet();
- error = raw_usrreqs.pru_send(so, flags, m, nam, control, td);
- splx(s);
- return error;
+ return(raw_usrreqs.pru_send(so, flags, m, nam, control, td));
}
/*
@@ -522,11 +486,7 @@
static int
key_shutdown(struct socket *so)
{
- int s, error;
- s = splnet();
- error = raw_usrreqs.pru_shutdown(so);
- splx(s);
- return error;
+ return(raw_usrreqs.pru_shutdown(so));
}
/*
@@ -536,11 +496,7 @@
static int
key_sockaddr(struct socket *so, struct sockaddr **nam)
{
- int s, error;
- s = splnet();
- error = raw_usrreqs.pru_sockaddr(so, nam);
- splx(s);
- return error;
+ return(raw_usrreqs.pru_sockaddr(so, nam));
}
struct pr_usrreqs key_usrreqs = {
==== //depot/projects/gnn_fast_ipsec/src/sys/opencrypto/crypto.c#3 (text+ko) ====
@@ -667,7 +667,6 @@
binuptime(&crp->crp_tstamp);
#endif
- CRYPTO_Q_LOCK();
if ((crp->crp_flags & CRYPTO_F_BATCH) == 0) {
struct cryptocap *cap;
/*
@@ -689,7 +688,9 @@
* behind batch'd ops.
*/
crypto_drivers[hid].cc_qblocked = 1;
+ CRYPTO_Q_LOCK();
TAILQ_INSERT_TAIL(&crp_q, crp, crp_next);
+ CRYPTO_Q_UNLOCK();
cryptostats.cs_blocks++;
result = 0;
}
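Review bot: `crypto_drivers[hid].cc_qblocked = 1;` is now written before `CRYPTO_Q_LOCK()` is taken, whereas before this change the whole dispatch path ran with the queue lock held. If the code that clears `cc_qblocked` and drains `crp_q` does so under the queue lock (not visible here), the driver can unblock between the flag write and the enqueue, leaving the request queued with nothing to kick the worker. Taking the lock one line earlier, so that `CRYPTO_Q_LOCK();` precedes `crypto_drivers[hid].cc_qblocked = 1;`, at least makes the flag and queue updates atomic with respect to each other while still keeping the lock off the driver call. The `cc_qblocked` test that selects the branch in the following hunk, and `cryptostats.cs_blocks++`, are likewise outside the lock now and deserve a comment on why a stale read or lost increment is acceptable. The function starts and ends outside this hunk.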
@@ -698,7 +699,9 @@
* The driver is blocked, just queue the op until
* it unblocks and the kernel thread gets kicked.
*/
+ CRYPTO_Q_LOCK();
TAILQ_INSERT_TAIL(&crp_q, crp, crp_next);
+ CRYPTO_Q_UNLOCK();
result = 0;
}
} else {
@@ -709,13 +712,14 @@
* when the operation is low priority and/or suitable
* for batching.
*/
+ CRYPTO_Q_LOCK();
wasempty = TAILQ_EMPTY(&crp_q);
TAILQ_INSERT_TAIL(&crp_q, crp, crp_next);
+ CRYPTO_Q_UNLOCK();
if (wasempty)
wakeup_one(&crp_q);
result = 0;
}
- CRYPTO_Q_UNLOCK();
return result;
}