git: 97c802923e20 - main - if_ovpn: remove peer limit
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 01 Dec 2022 16:43:34 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=97c802923e20e96302dbe63fb9ca07c059d781aa
commit 97c802923e20e96302dbe63fb9ca07c059d781aa
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-11-28 09:16:24 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-12-01 16:42:57 +0000
if_ovpn: remove peer limit
Replace the fixed-sized array by an RB_TREE. This should both speed up
lookups and remove the 128 peer limit.
Reviewed by: zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37524
---
sys/net/if_ovpn.c | 136 +++++++++++++++++++-----------------------------------
1 file changed, 48 insertions(+), 88 deletions(-)
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 276927275a2b..b8322558e0f1 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -122,6 +122,7 @@ struct ovpn_notification {
struct ovpn_softc;
struct ovpn_kpeer {
+ RB_ENTRY(ovpn_kpeer) tree;
int refcount;
uint32_t peerid;
@@ -141,8 +142,6 @@ struct ovpn_kpeer {
struct callout ping_rcv;
};
-#define OVPN_MAX_PEERS 128
-
struct ovpn_counters {
uint64_t lost_ctrl_pkts_in;
uint64_t lost_ctrl_pkts_out;
@@ -162,13 +161,15 @@ struct ovpn_counters {
};
#define OVPN_COUNTER_SIZE (sizeof(struct ovpn_counters)/sizeof(uint64_t))
+RB_HEAD(ovpn_kpeers, ovpn_kpeer);
+
struct ovpn_softc {
int refcount;
struct rmlock lock;
struct ifnet *ifp;
struct socket *so;
int peercount;
- struct ovpn_kpeer *peers[OVPN_MAX_PEERS]; /* XXX Hard limit for now? */
+ struct ovpn_kpeers peers;
/* Pending notification */
struct buf_ring *notifring;
@@ -187,6 +188,10 @@ static int ovpn_encap(struct ovpn_softc *, uint32_t, struct mbuf *);
static int ovpn_get_af(struct mbuf *);
static void ovpn_free_kkey_dir(struct ovpn_kkey_dir *);
static bool ovpn_check_replay(struct ovpn_kkey_dir *, uint32_t);
+static int ovpn_peer_compare(struct ovpn_kpeer *, struct ovpn_kpeer *);
+
+static RB_PROTOTYPE(ovpn_kpeers, ovpn_kpeer, tree, ovpn_peer_compare);
+static RB_GENERATE(ovpn_kpeers, ovpn_kpeer, tree, ovpn_peer_compare);
#define OVPN_MTU_MIN 576
#define OVPN_MTU_MAX (IP_MAXPACKET - sizeof(struct ip) - \
@@ -246,25 +251,22 @@ SYSCTL_INT(_net_link_openvpn, OID_AUTO, netisr_queue,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(async_netisr_queue), 0,
"Use netisr_queue() rather than netisr_dispatch().");
+static int
+ovpn_peer_compare(struct ovpn_kpeer *a, struct ovpn_kpeer *b)
+{
+ return (a->peerid - b->peerid);
+}
+
static struct ovpn_kpeer *
ovpn_find_peer(struct ovpn_softc *sc, uint32_t peerid)
{
- struct ovpn_kpeer *p = NULL;
+ struct ovpn_kpeer p;
OVPN_ASSERT(sc);
- for (int i = 0; i < OVPN_MAX_PEERS; i++) {
- p = sc->peers[i];
- if (p == NULL)
- continue;
-
- if (p->peerid == peerid) {
- MPASS(p->sc == sc);
- break;
- }
- }
+ p.peerid = peerid;
- return (p);
+ return (RB_FIND(ovpn_kpeers, &sc->peers, &p));
}
static struct ovpn_kpeer *
@@ -272,15 +274,7 @@ ovpn_find_only_peer(struct ovpn_softc *sc)
{
OVPN_ASSERT(sc);
- for (int i = 0; i < OVPN_MAX_PEERS; i++) {
- if (sc->peers[i] == NULL)
- continue;
- return (sc->peers[i]);
- }
-
- MPASS(false);
-
- return (NULL);
+ return (RB_ROOT(&sc->peers));
}
static uint16_t
@@ -466,7 +460,7 @@ ovpn_new_peer(struct ifnet *ifp, const nvlist_t *nvl)
struct socket *so = NULL;
int fd;
uint32_t peerid;
- int ret = 0, i;
+ int ret = 0;
if (nvl == NULL)
return (EINVAL);
@@ -586,20 +580,9 @@ ovpn_new_peer(struct ifnet *ifp, const nvlist_t *nvl)
sc->so = so;
/* Insert the peer into the list. */
- for (i = 0; i < OVPN_MAX_PEERS; i++) {
- if (sc->peers[i] != NULL)
- continue;
-
- MPASS(sc->peers[i] == NULL);
- sc->peers[i] = peer;
- sc->peercount++;
- soref(sc->so);
- break;
- }
- if (i == OVPN_MAX_PEERS) {
- ret = ENOSPC;
- goto error_locked;
- }
+ RB_INSERT(ovpn_kpeers, &sc->peers, peer);
+ sc->peercount++;
+ soref(sc->so);
ret = udp_set_kernel_tunneling(sc->so, ovpn_udp_input, NULL, sc);
if (ret == EBUSY) {
@@ -607,7 +590,7 @@ ovpn_new_peer(struct ifnet *ifp, const nvlist_t *nvl)
ret = 0;
}
if (ret != 0) {
- sc->peers[i] = NULL;
+ RB_REMOVE(ovpn_kpeers, &sc->peers, peer);
sc->peercount--;
goto error_locked;
}
@@ -633,24 +616,16 @@ static int
_ovpn_del_peer(struct ovpn_softc *sc, uint32_t peerid)
{
struct ovpn_kpeer *peer;
- int i;
OVPN_WASSERT(sc);
CURVNET_ASSERT_SET();
- for (i = 0; i < OVPN_MAX_PEERS; i++) {
- if (sc->peers[i] == NULL)
- continue;
- if (sc->peers[i]->peerid != peerid)
- continue;
-
- peer = sc->peers[i];
- break;
- }
- if (i == OVPN_MAX_PEERS)
+ peer = ovpn_find_peer(sc, peerid);
+ if (peer == NULL)
return (ENOENT);
+ peer = RB_REMOVE(ovpn_kpeers, &sc->peers, peer);
+ MPASS(peer != NULL);
- sc->peers[i] = NULL;
sc->peercount--;
ovpn_peer_release_ref(peer, true);
@@ -1362,6 +1337,8 @@ ovpn_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
struct ifdrv *ifd;
int error;
+ CURVNET_ASSERT_SET();
+
switch (cmd) {
case SIOCSDRVSPEC:
case SIOCGDRVSPEC:
@@ -1622,13 +1599,10 @@ ovpn_find_peer_by_ip(struct ovpn_softc *sc, const struct in_addr addr)
OVPN_ASSERT(sc);
- for (int i = 0; i < OVPN_MAX_PEERS; i++) {
- if (sc->peers[i] == NULL)
- continue;
- if (addr.s_addr == sc->peers[i]->vpn4.s_addr) {
- peer = sc->peers[i];
- break;
- }
+ /* TODO: Add a second RB so we can look up by IP. */
+ RB_FOREACH(peer, ovpn_kpeers, &sc->peers) {
+ if (addr.s_addr == peer->vpn4.s_addr)
+ return (peer);
}
return (peer);
@@ -1643,13 +1617,10 @@ ovpn_find_peer_by_ip6(struct ovpn_softc *sc, const struct in6_addr *addr)
OVPN_ASSERT(sc);
- for (int i = 0; i < OVPN_MAX_PEERS; i++) {
- if (sc->peers[i] == NULL)
- continue;
- if (memcmp(addr, &sc->peers[i]->vpn6, sizeof(*addr)) == 0) {
- peer = sc->peers[i];
- break;
- }
+ /* TODO: Add a third RB so we can look up by IPv6 address. */
+ RB_FOREACH(peer, ovpn_kpeers, &sc->peers) {
+ if (memcmp(addr, &peer->vpn6, sizeof(*addr)) == 0)
+ return (peer);
}
return (peer);
@@ -2281,21 +2252,16 @@ ovpn_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
char *unused __unused)
{
struct ovpn_softc *sc = ifp->if_softc;
- int i;
+ struct ovpn_kpeer *peer, *tmppeer;
int ret __diagused;
- i = 0;
-
OVPN_WLOCK(sc);
/* Flush keys & configuration. */
- do {
- if (sc->peers[i] != NULL) {
- ret = _ovpn_del_peer(sc, sc->peers[i]->peerid);
- MPASS(ret == 0);
- }
- i++;
- } while (i < OVPN_MAX_PEERS);
+ RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) {
+ ret = _ovpn_del_peer(sc, peer->peerid);
+ MPASS(ret == 0);
+ }
ovpn_flush_rxring(sc);
@@ -2393,9 +2359,7 @@ ovpn_clone_destroy_cb(struct epoch_context *ctx)
sc = __containerof(ctx, struct ovpn_softc, epoch_ctx);
MPASS(sc->peercount == 0);
- for (int i = 0; i < OVPN_MAX_PEERS; i++) {
- MPASS(sc->peers[i] == NULL);
- }
+ MPASS(RB_EMPTY(&sc->peers));
COUNTER_ARRAY_FREE(sc->counters, OVPN_COUNTER_SIZE);
@@ -2407,8 +2371,8 @@ static int
ovpn_clone_destroy(struct if_clone *ifc, struct ifnet *ifp, uint32_t flags)
{
struct ovpn_softc *sc;
+ struct ovpn_kpeer *peer, *tmppeer;
int unit;
- int i;
int ret __diagused;
sc = ifp->if_softc;
@@ -2421,14 +2385,10 @@ ovpn_clone_destroy(struct if_clone *ifc, struct ifnet *ifp, uint32_t flags)
return (EBUSY);
}
- i = 0;
- do {
- if (sc->peers[i] != NULL) {
- ret = _ovpn_del_peer(sc, sc->peers[i]->peerid);
- MPASS(ret == 0);
- }
- i++;
- } while (i < OVPN_MAX_PEERS);
+ RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) {
+ ret = _ovpn_del_peer(sc, peer->peerid);
+ MPASS(ret == 0);
+ }
ovpn_flush_rxring(sc);
buf_ring_free(sc->notifring, M_OVPN);