[src/trunk]: src/sys/netinet6 reduce kernel stack usage by separating struct ...
details: https://anonhg.NetBSD.org/src/rev/49579f816378
branches: trunk
changeset: 533313:49579f816378
user: itojun <itojun%NetBSD.org@localhost>
date: Thu Jun 27 12:12:49 2002 +0000
description:
reduce kernel stack usage by separating struct secasindex. sync w/kame
From: YAMAMOTO Takashi <yamt%mwd.biglobe.ne.jp@localhost>
diffstat:
sys/netinet6/ipsec.c | 211 +++++++++++++++++++++++++-------------------------
1 files changed, 104 insertions(+), 107 deletions(-)
diffs (300 lines):
diff -r 83d42f917985 -r 49579f816378 sys/netinet6/ipsec.c
--- a/sys/netinet6/ipsec.c Thu Jun 27 12:05:52 2002 +0000
+++ b/sys/netinet6/ipsec.c Thu Jun 27 12:12:49 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.61 2002/06/22 12:27:09 itojun Exp $ */
+/* $NetBSD: ipsec.c,v 1.62 2002/06/27 12:12:49 itojun Exp $ */
/* $KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $ */
/*
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.61 2002/06/22 12:27:09 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.62 2002/06/27 12:12:49 itojun Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@@ -161,6 +161,14 @@
static struct mbuf *ipsec_addaux __P((struct mbuf *));
static struct mbuf *ipsec_findaux __P((struct mbuf *));
static void ipsec_optaux __P((struct mbuf *, struct mbuf *));
+#ifdef INET
+static int ipsec4_checksa __P((struct ipsecrequest *,
+ struct ipsec_output_state *));
+#endif
+#ifdef INET6
+static int ipsec6_checksa __P((struct ipsecrequest *,
+ struct ipsec_output_state *, int));
+#endif
/*
* try to validate and use cached policy on a pcb.
@@ -2489,6 +2497,37 @@
}
#ifdef INET
+static int
+ipsec4_checksa(isr, state)
+ struct ipsecrequest *isr;
+ struct ipsec_output_state *state;
+{
+ struct ip *ip;
+ struct secasindex saidx;
+ struct sockaddr_in *sin;
+
+ /* make SA index for search proper SA */
+ ip = mtod(state->m, struct ip *);
+ bcopy(&isr->saidx, &saidx, sizeof(saidx));
+ saidx.mode = isr->saidx.mode;
+ saidx.reqid = isr->saidx.reqid;
+ sin = (struct sockaddr_in *)&saidx.src;
+ if (sin->sin_len == 0) {
+ sin->sin_len = sizeof(*sin);
+ sin->sin_family = AF_INET;
+ sin->sin_port = IPSEC_PORT_ANY;
+ bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
+ }
+ sin = (struct sockaddr_in *)&saidx.dst;
+ if (sin->sin_len == 0) {
+ sin->sin_len = sizeof(*sin);
+ sin->sin_family = AF_INET;
+ sin->sin_port = IPSEC_PORT_ANY;
+ bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
+ }
+
+ return key_checkrequest(isr, &saidx);
+}
/*
* IPsec output logic for IPv4.
*/
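Review bot: ipsec4_checksa reads the IPv4 header with `mtod(state->m, struct ip *)`, but nothing in the helper establishes that state->m is non-NULL and starts with a complete, contiguous struct ip. Before this change that assumption sat inline in ipsec4_output, whose own checks are outside the hunk. Now that the code is a separate function, I would state the precondition in a comment above it, e.g. `/* caller must guarantee state->m starts with a complete, contiguous struct ip */`, or enforce it under `#ifdef DIAGNOSTIC` the way ipsec6_checksa does for its tunnel flag. Separately, `saidx.mode = isr->saidx.mode;` and `saidx.reqid = isr->saidx.reqid;` are no-ops here because the preceding bcopy already copied the whole struct.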
@@ -2500,11 +2539,9 @@
{
struct ip *ip = NULL;
struct ipsecrequest *isr = NULL;
- struct secasindex saidx;
int s;
int error;
struct sockaddr_in *dst4;
- struct sockaddr_in *sin;
if (!state)
panic("state == NULL in ipsec4_output");
@@ -2532,30 +2569,8 @@
&& (flags & IP_FORWARDING))
continue;
#endif
-
- /* make SA index for search proper SA */
- ip = mtod(state->m, struct ip *);
- bcopy(&isr->saidx, &saidx, sizeof(saidx));
- saidx.mode = isr->saidx.mode;
- saidx.reqid = isr->saidx.reqid;
- sin = (struct sockaddr_in *)&saidx.src;
- if (sin->sin_len == 0) {
- sin->sin_len = sizeof(*sin);
- sin->sin_family = AF_INET;
- sin->sin_port = IPSEC_PORT_ANY;
- bcopy(&ip->ip_src, &sin->sin_addr,
- sizeof(sin->sin_addr));
- }
- sin = (struct sockaddr_in *)&saidx.dst;
- if (sin->sin_len == 0) {
- sin->sin_len = sizeof(*sin);
- sin->sin_family = AF_INET;
- sin->sin_port = IPSEC_PORT_ANY;
- bcopy(&ip->ip_dst, &sin->sin_addr,
- sizeof(sin->sin_addr));
- }
-
- if ((error = key_checkrequest(isr, &saidx)) != 0) {
+ error = ipsec4_checksa(isr, state);
+ if (error != 0) {
/*
* IPsec processing is required, but no SA found.
* I assume that key_acquire() had been called
@@ -2715,6 +2730,63 @@
#endif
#ifdef INET6
+static int
+ipsec6_checksa(isr, state, tunnel)
+ struct ipsecrequest *isr;
+ struct ipsec_output_state *state;
+ int tunnel;
+{
+ struct ip6_hdr *ip6;
+ struct secasindex saidx;
+ struct sockaddr_in6 *sin6;
+
+ if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
+#ifdef DIAGNOSTIC
+ if (!tunnel)
+ panic("ipsec6_checksa/inconsistent tunnel attribute");
+#endif
+ /* When tunnel mode, SA peers must be specified. */
+ return key_checkrequest(isr, &isr->saidx);
+ }
+
+ /* make SA index for search proper SA */
+ ip6 = mtod(state->m, struct ip6_hdr *);
+ if (tunnel) {
+ bzero(&saidx, sizeof(saidx));
+ saidx.proto = isr->saidx.proto;
+ } else
+ bcopy(&isr->saidx, &saidx, sizeof(saidx));
+ saidx.mode = isr->saidx.mode;
+ saidx.reqid = isr->saidx.reqid;
+ sin6 = (struct sockaddr_in6 *)&saidx.src;
+ if (sin6->sin6_len == 0 || tunnel) {
+ sin6->sin6_len = sizeof(*sin6);
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_port = IPSEC_PORT_ANY;
+ bcopy(&ip6->ip6_src, &sin6->sin6_addr,
+ sizeof(ip6->ip6_src));
+ if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
+ /* fix scope id for comparing SPD */
+ sin6->sin6_addr.s6_addr16[1] = 0;
+ sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
+ }
+ }
+ sin6 = (struct sockaddr_in6 *)&saidx.dst;
+ if (sin6->sin6_len == 0 || tunnel) {
+ sin6->sin6_len = sizeof(*sin6);
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_port = IPSEC_PORT_ANY;
+ bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
+ sizeof(ip6->ip6_dst));
+ if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
+ /* fix scope id for comparing SPD */
+ sin6->sin6_addr.s6_addr16[1] = 0;
+ sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
+ }
+ }
+
+ return key_checkrequest(isr, &saidx);
+}
/*
* IPsec output logic for IPv6, transport mode.
*/
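Review bot: In the tunnel-mode branch, `key_checkrequest(isr, &isr->saidx)` now hands the request's own SA index to the lookup, where the code removed from ipsec6_output_tunnel passed a stack copy made with bcopy. That saves the stack space this commit is after, but it is only equivalent if key_checkrequest never writes through its second argument. Its definition is not on this page, so this should be confirmed; a `const struct secasindex *` parameter would let the compiler check it. The `tunnel` argument also deserves a comment above the function: when it is set and the request is not tunnel mode, the index is rebuilt from zero and src/dst always come from the packet header, so the `sin6->sin6_len == 0 ||` half of both conditions is redundant in that case. Within this function, the `#ifdef DIAGNOSTIC` panic is the only guard against a tunnel-mode request arriving with tunnel == 0.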
@@ -2729,10 +2801,8 @@
{
struct ip6_hdr *ip6;
struct ipsecrequest *isr = NULL;
- struct secasindex saidx;
int error = 0;
int plen;
- struct sockaddr_in6 *sin6;
if (!state)
panic("state == NULL in ipsec6_output_trans");
@@ -2758,39 +2828,8 @@
break;
}
- /* make SA index for search proper SA */
- ip6 = mtod(state->m, struct ip6_hdr *);
- bcopy(&isr->saidx, &saidx, sizeof(saidx));
- saidx.mode = isr->saidx.mode;
- saidx.reqid = isr->saidx.reqid;
- sin6 = (struct sockaddr_in6 *)&saidx.src;
- if (sin6->sin6_len == 0) {
- sin6->sin6_len = sizeof(*sin6);
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = IPSEC_PORT_ANY;
- bcopy(&ip6->ip6_src, &sin6->sin6_addr,
- sizeof(ip6->ip6_src));
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
- /* fix scope id for comparing SPD */
- sin6->sin6_addr.s6_addr16[1] = 0;
- sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
- }
- }
- sin6 = (struct sockaddr_in6 *)&saidx.dst;
- if (sin6->sin6_len == 0) {
- sin6->sin6_len = sizeof(*sin6);
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = IPSEC_PORT_ANY;
- bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
- sizeof(ip6->ip6_dst));
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
- /* fix scope id for comparing SPD */
- sin6->sin6_addr.s6_addr16[1] = 0;
- sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
- }
- }
-
- if (key_checkrequest(isr, &saidx) == ENOENT) {
+ error = ipsec6_checksa(isr, state, 0);
+ if (error == ENOENT) {
/*
* IPsec processing is required, but no SA found.
* I assume that key_acquire() had been called
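Review bot: A non-zero result other than ENOENT from ipsec6_checksa is now left in `error` and not acted on at this point, whereas the IPv4 caller in this same commit treats every failure as fatal with `if (error != 0)`. The old code compared the return value directly and never stored it, so this is a small behaviour change as well as an inconsistency. If key_checkrequest can fail some other way, the loop continues with a stale error code and, presumably, without a usable SA. The rest of the loop body is outside the hunk, so I cannot tell whether `error` is overwritten before it is returned; either handle the other failures explicitly here or add a comment saying why only ENOENT matters. The same pattern is in the `ipsec6_checksa(isr, state, 1)` call in the ipsec6_output_tunnel hunk.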
@@ -2799,7 +2838,6 @@
* upper layer to retransmit the packet.
*/
ipsec6stat.out_nosa++;
- error = ENOENT;
/*
* Notify the fact that the packet is discarded
@@ -2904,7 +2942,6 @@
{
struct ip6_hdr *ip6;
struct ipsecrequest *isr = NULL;
- struct secasindex saidx;
int error = 0;
int plen;
struct sockaddr_in6* dst6;
@@ -2931,48 +2968,8 @@
}
for (/* already initialized */; isr; isr = isr->next) {
- if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
- /* When tunnel mode, SA peers must be specified. */
- bcopy(&isr->saidx, &saidx, sizeof(saidx));
- } else {
- /* make SA index to look for a proper SA */
- struct sockaddr_in6 *sin6;
-
- bzero(&saidx, sizeof(saidx));
- saidx.proto = isr->saidx.proto;
- saidx.mode = isr->saidx.mode;
- saidx.reqid = isr->saidx.reqid;
-
- ip6 = mtod(state->m, struct ip6_hdr *);
- sin6 = (struct sockaddr_in6 *)&saidx.src;
- if (sin6->sin6_len == 0) {
- sin6->sin6_len = sizeof(*sin6);
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = IPSEC_PORT_ANY;
- bcopy(&ip6->ip6_src, &sin6->sin6_addr,
- sizeof(ip6->ip6_src));
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
- /* fix scope id for comparing SPD */
- sin6->sin6_addr.s6_addr16[1] = 0;
- sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
- }
- }
- sin6 = (struct sockaddr_in6 *)&saidx.dst;
- if (sin6->sin6_len == 0) {
- sin6->sin6_len = sizeof(*sin6);
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = IPSEC_PORT_ANY;
- bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
- sizeof(ip6->ip6_dst));
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
- /* fix scope id for comparing SPD */
- sin6->sin6_addr.s6_addr16[1] = 0;
- sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
- }
- }
- }
-
- if (key_checkrequest(isr, &saidx) == ENOENT) {
+ error = ipsec6_checksa(isr, state, 1);
+ if (error == ENOENT) {
/*
* IPsec processing is required, but no SA found.
* I assume that key_acquire() had been called