提交 bc56b334 编写于 作者: B Benedict Wong 提交者: Steffen Klassert

xfrm: Remove xfrmi interface ID from flowi

In order to remove performance impact of having the extra u32 in every
single flowi, this change removes the flowi_xfrm struct, preferring to
take the if_id as a method parameter where needed.

In the inbound direction, if_id is only needed during the
__xfrm_check_policy() function, and the if_id can be determined at that
point based on the skb. As such, xfrmi_decode_session() is only called
with the skb in __xfrm_check_policy().

In the outbound direction, the only place where if_id is needed is the
xfrm_lookup() call in xfrmi_xmit2(). With this change, the if_id is
directly passed into the xfrm_lookup_with_ifid() call. All existing
callers can still call xfrm_lookup(), which uses a default if_id of 0.

This change does not change any behavior of XFRMIs except for improving
overall system performance via flowi size reduction.

This change has been tested against the Android Kernel Networking Tests:

https://android.googlesource.com/kernel/tests/+/master/net/testSigned-off-by: NBenedict Wong <benedictwong@google.com>
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
上级 fcb662de
...@@ -475,6 +475,14 @@ static inline struct dst_entry *xfrm_lookup(struct net *net, ...@@ -475,6 +475,14 @@ static inline struct dst_entry *xfrm_lookup(struct net *net,
return dst_orig; return dst_orig;
} }
static inline struct dst_entry *
xfrm_lookup_with_ifid(struct net *net, struct dst_entry *dst_orig,
const struct flowi *fl, const struct sock *sk,
int flags, u32 if_id)
{
return dst_orig;
}
static inline struct dst_entry *xfrm_lookup_route(struct net *net, static inline struct dst_entry *xfrm_lookup_route(struct net *net,
struct dst_entry *dst_orig, struct dst_entry *dst_orig,
const struct flowi *fl, const struct flowi *fl,
...@@ -494,6 +502,12 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, ...@@ -494,6 +502,12 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
const struct flowi *fl, const struct sock *sk, const struct flowi *fl, const struct sock *sk,
int flags); int flags);
struct dst_entry *xfrm_lookup_with_ifid(struct net *net,
struct dst_entry *dst_orig,
const struct flowi *fl,
const struct sock *sk, int flags,
u32 if_id);
struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig, struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
const struct flowi *fl, const struct sock *sk, const struct flowi *fl, const struct sock *sk,
int flags); int flags);
......
...@@ -26,10 +26,6 @@ struct flowi_tunnel { ...@@ -26,10 +26,6 @@ struct flowi_tunnel {
__be64 tun_id; __be64 tun_id;
}; };
struct flowi_xfrm {
__u32 if_id;
};
struct flowi_common { struct flowi_common {
int flowic_oif; int flowic_oif;
int flowic_iif; int flowic_iif;
...@@ -43,7 +39,6 @@ struct flowi_common { ...@@ -43,7 +39,6 @@ struct flowi_common {
#define FLOWI_FLAG_SKIP_NH_OIF 0x04 #define FLOWI_FLAG_SKIP_NH_OIF 0x04
__u32 flowic_secid; __u32 flowic_secid;
struct flowi_tunnel flowic_tun_key; struct flowi_tunnel flowic_tun_key;
struct flowi_xfrm xfrm;
kuid_t flowic_uid; kuid_t flowic_uid;
}; };
...@@ -83,7 +78,6 @@ struct flowi4 { ...@@ -83,7 +78,6 @@ struct flowi4 {
#define flowi4_secid __fl_common.flowic_secid #define flowi4_secid __fl_common.flowic_secid
#define flowi4_tun_key __fl_common.flowic_tun_key #define flowi4_tun_key __fl_common.flowic_tun_key
#define flowi4_uid __fl_common.flowic_uid #define flowi4_uid __fl_common.flowic_uid
#define flowi4_xfrm __fl_common.xfrm
/* (saddr,daddr) must be grouped, same order as in IP header */ /* (saddr,daddr) must be grouped, same order as in IP header */
__be32 saddr; __be32 saddr;
...@@ -115,7 +109,6 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif, ...@@ -115,7 +109,6 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
fl4->flowi4_flags = flags; fl4->flowi4_flags = flags;
fl4->flowi4_secid = 0; fl4->flowi4_secid = 0;
fl4->flowi4_tun_key.tun_id = 0; fl4->flowi4_tun_key.tun_id = 0;
fl4->flowi4_xfrm.if_id = 0;
fl4->flowi4_uid = uid; fl4->flowi4_uid = uid;
fl4->daddr = daddr; fl4->daddr = daddr;
fl4->saddr = saddr; fl4->saddr = saddr;
...@@ -145,7 +138,6 @@ struct flowi6 { ...@@ -145,7 +138,6 @@ struct flowi6 {
#define flowi6_secid __fl_common.flowic_secid #define flowi6_secid __fl_common.flowic_secid
#define flowi6_tun_key __fl_common.flowic_tun_key #define flowi6_tun_key __fl_common.flowic_tun_key
#define flowi6_uid __fl_common.flowic_uid #define flowi6_uid __fl_common.flowic_uid
#define flowi6_xfrm __fl_common.xfrm
struct in6_addr daddr; struct in6_addr daddr;
struct in6_addr saddr; struct in6_addr saddr;
/* Note: flowi6_tos is encoded in flowlabel, too. */ /* Note: flowi6_tos is encoded in flowlabel, too. */
...@@ -193,7 +185,6 @@ struct flowi { ...@@ -193,7 +185,6 @@ struct flowi {
#define flowi_secid u.__fl_common.flowic_secid #define flowi_secid u.__fl_common.flowic_secid
#define flowi_tun_key u.__fl_common.flowic_tun_key #define flowi_tun_key u.__fl_common.flowic_tun_key
#define flowi_uid u.__fl_common.flowic_uid #define flowi_uid u.__fl_common.flowic_uid
#define flowi_xfrm u.__fl_common.xfrm
} __attribute__((__aligned__(BITS_PER_LONG/8))); } __attribute__((__aligned__(BITS_PER_LONG/8)));
static inline struct flowi *flowi4_to_flowi(struct flowi4 *fl4) static inline struct flowi *flowi4_to_flowi(struct flowi4 *fl4)
......
...@@ -1557,7 +1557,7 @@ struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr, ...@@ -1557,7 +1557,7 @@ struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
const struct flowi *fl, const struct flowi *fl,
struct xfrm_tmpl *tmpl, struct xfrm_tmpl *tmpl,
struct xfrm_policy *pol, int *err, struct xfrm_policy *pol, int *err,
unsigned short family); unsigned short family, u32 if_id);
struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id, struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
xfrm_address_t *daddr, xfrm_address_t *daddr,
xfrm_address_t *saddr, xfrm_address_t *saddr,
......
...@@ -307,10 +307,8 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) ...@@ -307,10 +307,8 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
if (!dst) if (!dst)
goto tx_err_link_failure; goto tx_err_link_failure;
fl->flowi_xfrm.if_id = xi->p.if_id;
dst_hold(dst); dst_hold(dst);
dst = xfrm_lookup(xi->net, dst, fl, NULL, 0); dst = xfrm_lookup_with_ifid(xi->net, dst, fl, NULL, 0, xi->p.if_id);
if (IS_ERR(dst)) { if (IS_ERR(dst)) {
err = PTR_ERR(dst); err = PTR_ERR(dst);
dst = NULL; dst = NULL;
......
...@@ -1068,14 +1068,14 @@ EXPORT_SYMBOL(xfrm_policy_walk_done); ...@@ -1068,14 +1068,14 @@ EXPORT_SYMBOL(xfrm_policy_walk_done);
*/ */
static int xfrm_policy_match(const struct xfrm_policy *pol, static int xfrm_policy_match(const struct xfrm_policy *pol,
const struct flowi *fl, const struct flowi *fl,
u8 type, u16 family, int dir) u8 type, u16 family, int dir, u32 if_id)
{ {
const struct xfrm_selector *sel = &pol->selector; const struct xfrm_selector *sel = &pol->selector;
int ret = -ESRCH; int ret = -ESRCH;
bool match; bool match;
if (pol->family != family || if (pol->family != family ||
pol->if_id != fl->flowi_xfrm.if_id || pol->if_id != if_id ||
(fl->flowi_mark & pol->mark.m) != pol->mark.v || (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
pol->type != type) pol->type != type)
return ret; return ret;
...@@ -1090,7 +1090,8 @@ static int xfrm_policy_match(const struct xfrm_policy *pol, ...@@ -1090,7 +1090,8 @@ static int xfrm_policy_match(const struct xfrm_policy *pol,
static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type, static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
const struct flowi *fl, const struct flowi *fl,
u16 family, u8 dir) u16 family, u8 dir,
u32 if_id)
{ {
int err; int err;
struct xfrm_policy *pol, *ret; struct xfrm_policy *pol, *ret;
...@@ -1114,7 +1115,7 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type, ...@@ -1114,7 +1115,7 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
priority = ~0U; priority = ~0U;
ret = NULL; ret = NULL;
hlist_for_each_entry_rcu(pol, chain, bydst) { hlist_for_each_entry_rcu(pol, chain, bydst) {
err = xfrm_policy_match(pol, fl, type, family, dir); err = xfrm_policy_match(pol, fl, type, family, dir, if_id);
if (err) { if (err) {
if (err == -ESRCH) if (err == -ESRCH)
continue; continue;
...@@ -1133,7 +1134,7 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type, ...@@ -1133,7 +1134,7 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
if ((pol->priority >= priority) && ret) if ((pol->priority >= priority) && ret)
break; break;
err = xfrm_policy_match(pol, fl, type, family, dir); err = xfrm_policy_match(pol, fl, type, family, dir, if_id);
if (err) { if (err) {
if (err == -ESRCH) if (err == -ESRCH)
continue; continue;
...@@ -1158,21 +1159,25 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type, ...@@ -1158,21 +1159,25 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
return ret; return ret;
} }
static struct xfrm_policy * static struct xfrm_policy *xfrm_policy_lookup(struct net *net,
xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir) const struct flowi *fl,
u16 family, u8 dir, u32 if_id)
{ {
#ifdef CONFIG_XFRM_SUB_POLICY #ifdef CONFIG_XFRM_SUB_POLICY
struct xfrm_policy *pol; struct xfrm_policy *pol;
pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir); pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family,
dir, if_id);
if (pol != NULL) if (pol != NULL)
return pol; return pol;
#endif #endif
return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir); return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family,
dir, if_id);
} }
static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
const struct flowi *fl, u16 family) const struct flowi *fl,
u16 family, u32 if_id)
{ {
struct xfrm_policy *pol; struct xfrm_policy *pol;
...@@ -1191,7 +1196,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, ...@@ -1191,7 +1196,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
match = xfrm_selector_match(&pol->selector, fl, family); match = xfrm_selector_match(&pol->selector, fl, family);
if (match) { if (match) {
if ((sk->sk_mark & pol->mark.m) != pol->mark.v || if ((sk->sk_mark & pol->mark.m) != pol->mark.v ||
pol->if_id != fl->flowi_xfrm.if_id) { pol->if_id != if_id) {
pol = NULL; pol = NULL;
goto out; goto out;
} }
...@@ -1405,7 +1410,8 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl, ...@@ -1405,7 +1410,8 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
} }
} }
x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family); x = xfrm_state_find(remote, local, fl, tmpl, policy, &error,
family, policy->if_id);
if (x && x->km.state == XFRM_STATE_VALID) { if (x && x->km.state == XFRM_STATE_VALID) {
xfrm[nx++] = x; xfrm[nx++] = x;
...@@ -1708,7 +1714,8 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family, ...@@ -1708,7 +1714,8 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]), pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
XFRM_POLICY_TYPE_MAIN, XFRM_POLICY_TYPE_MAIN,
fl, family, fl, family,
XFRM_POLICY_OUT); XFRM_POLICY_OUT,
pols[0]->if_id);
if (pols[1]) { if (pols[1]) {
if (IS_ERR(pols[1])) { if (IS_ERR(pols[1])) {
xfrm_pols_put(pols, *num_pols); xfrm_pols_put(pols, *num_pols);
...@@ -1942,8 +1949,10 @@ static struct xfrm_dst *xfrm_create_dummy_bundle(struct net *net, ...@@ -1942,8 +1949,10 @@ static struct xfrm_dst *xfrm_create_dummy_bundle(struct net *net,
goto out; goto out;
} }
static struct xfrm_dst * static struct xfrm_dst *xfrm_bundle_lookup(struct net *net,
xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir, struct xfrm_flo *xflo) const struct flowi *fl,
u16 family, u8 dir,
struct xfrm_flo *xflo, u32 if_id)
{ {
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
int num_pols = 0, num_xfrms = 0, err; int num_pols = 0, num_xfrms = 0, err;
...@@ -1952,7 +1961,7 @@ xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir, ...@@ -1952,7 +1961,7 @@ xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
/* Resolve policies to use if we couldn't get them from /* Resolve policies to use if we couldn't get them from
* previous cache entry */ * previous cache entry */
num_pols = 1; num_pols = 1;
pols[0] = xfrm_policy_lookup(net, fl, family, dir); pols[0] = xfrm_policy_lookup(net, fl, family, dir, if_id);
err = xfrm_expand_policies(fl, family, pols, err = xfrm_expand_policies(fl, family, pols,
&num_pols, &num_xfrms); &num_pols, &num_xfrms);
if (err < 0) if (err < 0)
...@@ -2020,14 +2029,19 @@ static struct dst_entry *make_blackhole(struct net *net, u16 family, ...@@ -2020,14 +2029,19 @@ static struct dst_entry *make_blackhole(struct net *net, u16 family,
return ret; return ret;
} }
/* Main function: finds/creates a bundle for given flow. /* Finds/creates a bundle for given flow and if_id
* *
* At the moment we eat a raw IP route. Mostly to speed up lookups * At the moment we eat a raw IP route. Mostly to speed up lookups
* on interfaces with disabled IPsec. * on interfaces with disabled IPsec.
*
* xfrm_lookup uses an if_id of 0 by default, and is provided for
* compatibility
*/ */
struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, struct dst_entry *xfrm_lookup_with_ifid(struct net *net,
const struct flowi *fl, struct dst_entry *dst_orig,
const struct sock *sk, int flags) const struct flowi *fl,
const struct sock *sk,
int flags, u32 if_id)
{ {
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
struct xfrm_dst *xdst; struct xfrm_dst *xdst;
...@@ -2043,7 +2057,8 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, ...@@ -2043,7 +2057,8 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
sk = sk_const_to_full_sk(sk); sk = sk_const_to_full_sk(sk);
if (sk && sk->sk_policy[XFRM_POLICY_OUT]) { if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
num_pols = 1; num_pols = 1;
pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl, family); pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl, family,
if_id);
err = xfrm_expand_policies(fl, family, pols, err = xfrm_expand_policies(fl, family, pols,
&num_pols, &num_xfrms); &num_pols, &num_xfrms);
if (err < 0) if (err < 0)
...@@ -2087,7 +2102,7 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, ...@@ -2087,7 +2102,7 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
!net->xfrm.policy_count[XFRM_POLICY_OUT]) !net->xfrm.policy_count[XFRM_POLICY_OUT])
goto nopol; goto nopol;
xdst = xfrm_bundle_lookup(net, fl, family, dir, &xflo); xdst = xfrm_bundle_lookup(net, fl, family, dir, &xflo, if_id);
if (xdst == NULL) if (xdst == NULL)
goto nopol; goto nopol;
if (IS_ERR(xdst)) { if (IS_ERR(xdst)) {
...@@ -2168,6 +2183,19 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, ...@@ -2168,6 +2183,19 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
xfrm_pols_put(pols, drop_pols); xfrm_pols_put(pols, drop_pols);
return ERR_PTR(err); return ERR_PTR(err);
} }
EXPORT_SYMBOL(xfrm_lookup_with_ifid);
/* Main function: finds/creates a bundle for given flow.
*
* At the moment we eat a raw IP route. Mostly to speed up lookups
* on interfaces with disabled IPsec.
*/
struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
const struct flowi *fl, const struct sock *sk,
int flags)
{
return xfrm_lookup_with_ifid(net, dst_orig, fl, sk, flags, 0);
}
EXPORT_SYMBOL(xfrm_lookup); EXPORT_SYMBOL(xfrm_lookup);
/* Callers of xfrm_lookup_route() must ensure a call to dst_output(). /* Callers of xfrm_lookup_route() must ensure a call to dst_output().
...@@ -2257,19 +2285,12 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, ...@@ -2257,19 +2285,12 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
unsigned int family, int reverse) unsigned int family, int reverse)
{ {
const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
const struct xfrm_if_cb *ifcb = xfrm_if_get_cb();
struct xfrm_if *xi;
int err; int err;
if (unlikely(afinfo == NULL)) if (unlikely(afinfo == NULL))
return -EAFNOSUPPORT; return -EAFNOSUPPORT;
afinfo->decode_session(skb, fl, reverse); afinfo->decode_session(skb, fl, reverse);
if (ifcb) {
xi = ifcb->decode_session(skb);
if (xi)
fl->flowi_xfrm.if_id = xi->p.if_id;
}
err = security_xfrm_decode_session(skb, &fl->flowi_secid); err = security_xfrm_decode_session(skb, &fl->flowi_secid);
rcu_read_unlock(); rcu_read_unlock();
...@@ -2301,6 +2322,19 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, ...@@ -2301,6 +2322,19 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
int reverse; int reverse;
struct flowi fl; struct flowi fl;
int xerr_idx = -1; int xerr_idx = -1;
const struct xfrm_if_cb *ifcb;
struct xfrm_if *xi;
u32 if_id = 0;
rcu_read_lock();
ifcb = xfrm_if_get_cb();
if (ifcb) {
xi = ifcb->decode_session(skb);
if (xi)
if_id = xi->p.if_id;
}
rcu_read_unlock();
reverse = dir & ~XFRM_POLICY_MASK; reverse = dir & ~XFRM_POLICY_MASK;
dir &= XFRM_POLICY_MASK; dir &= XFRM_POLICY_MASK;
...@@ -2328,7 +2362,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, ...@@ -2328,7 +2362,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
pol = NULL; pol = NULL;
sk = sk_to_full_sk(sk); sk = sk_to_full_sk(sk);
if (sk && sk->sk_policy[dir]) { if (sk && sk->sk_policy[dir]) {
pol = xfrm_sk_policy_lookup(sk, dir, &fl, family); pol = xfrm_sk_policy_lookup(sk, dir, &fl, family, if_id);
if (IS_ERR(pol)) { if (IS_ERR(pol)) {
XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
return 0; return 0;
...@@ -2336,7 +2370,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, ...@@ -2336,7 +2370,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
} }
if (!pol) if (!pol)
pol = xfrm_policy_lookup(net, &fl, family, dir); pol = xfrm_policy_lookup(net, &fl, family, dir, if_id);
if (IS_ERR(pol)) { if (IS_ERR(pol)) {
XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
...@@ -2360,7 +2394,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, ...@@ -2360,7 +2394,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) { if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN,
&fl, family, &fl, family,
XFRM_POLICY_IN); XFRM_POLICY_IN, if_id);
if (pols[1]) { if (pols[1]) {
if (IS_ERR(pols[1])) { if (IS_ERR(pols[1])) {
XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
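Review bot: Any caller other than __xfrm_policy_check() that decodes a flow from a received skb and then calls xfrm_lookup() now looks up with if_id 0, because __xfrm_decode_session() no longer fills in the interface ID and xfrm_lookup() hard-codes 0. xfrm_policy_match() rejects on `pol->if_id != if_id`, so such a caller would stop matching policies bound to a non-zero if_id. The commit message says no inbound caller other than the policy check needs it; the forwarding path (__xfrm_route_forward(), not shown on this page) is the one worth confirming, since a missed policy there changes which traffic IPsec protects. The contract should also be stated above xfrm_lookup(), for example `/* Looks up with if_id 0: only policies not bound to an xfrm interface can match; use xfrm_lookup_with_ifid() for XFRMI traffic. */`. Several hunks in this section cut through function bodies, so this is based on the visible lines only.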
......
...@@ -930,7 +930,7 @@ struct xfrm_state * ...@@ -930,7 +930,7 @@ struct xfrm_state *
xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
const struct flowi *fl, struct xfrm_tmpl *tmpl, const struct flowi *fl, struct xfrm_tmpl *tmpl,
struct xfrm_policy *pol, int *err, struct xfrm_policy *pol, int *err,
unsigned short family) unsigned short family, u32 if_id)
{ {
static xfrm_address_t saddr_wildcard = { }; static xfrm_address_t saddr_wildcard = { };
struct net *net = xp_net(pol); struct net *net = xp_net(pol);
...@@ -940,7 +940,6 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, ...@@ -940,7 +940,6 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
int error = 0; int error = 0;
struct xfrm_state *best = NULL; struct xfrm_state *best = NULL;
u32 mark = pol->mark.v & pol->mark.m; u32 mark = pol->mark.v & pol->mark.m;
u32 if_id = fl->flowi_xfrm.if_id;
unsigned short encap_family = tmpl->encap_family; unsigned short encap_family = tmpl->encap_family;
unsigned int sequence; unsigned int sequence;
struct km_event c; struct km_event c;
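Review bot: The if_id argument added to xfrm_state_find() can disagree with the policy passed alongside it, and nothing in the visible lines checks that it equals pol->if_id. The only caller on this page, xfrm_tmpl_resolve_one(), passes `policy->if_id`, so the removed local could instead become `u32 if_id = pol->if_id;` with the signature left as it was. If the parameter is kept for callers not shown here, a comment on the prototype such as `/* if_id must be the if_id the policy was matched with */` would state the requirement. The function body continues beyond both hunks, so how if_id is used further down is not visible.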
......