Skip to content

Commit

Permalink
[XFRM]: Export SAD info.
Browse files Browse the repository at this point in the history
On a system with a lot of SAs, counting SAD entries chews useful
CPU time since you need to dump the whole SAD to user space;
i.e something like ip xfrm state ls | grep -i src | wc -l
I have seen taking literally minutes on a 40K SAs when the system
is swapping.
With this patch, some of the SAD info (that was already being tracked)
is exposed to user space. i.e you do:
ip xfrm state count
And you get the count; you can also pass -s to the command line and
get the hash info.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Jamal Hadi Salim authored and davem330 committed Apr 26, 2007
1 parent 98486fa commit 28d8909
Show file tree
Hide file tree
Showing 4 changed files with 99 additions and 0 deletions.
25 changes: 25 additions & 0 deletions include/linux/xfrm.h
Original file line number Diff line number Diff line change
Expand Up @@ -181,6 +181,10 @@ enum {
XFRM_MSG_MIGRATE,
#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE

XFRM_MSG_NEWSADINFO,
#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO
XFRM_MSG_GETSADINFO,
#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO
__XFRM_MSG_MAX
};
#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
Expand Down Expand Up @@ -234,6 +238,17 @@ enum xfrm_ae_ftype_t {
#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
};

/* SAD Table filter flags */
enum xfrm_sad_ftype_t {
XFRM_SAD_UNSPEC,
XFRM_SAD_HMASK=1,
XFRM_SAD_HMAX=2,
XFRM_SAD_CNT=4,
__XFRM_SAD_MAX

#define XFRM_SAD_MAX (__XFRM_SAD_MAX - 1)
};

struct xfrm_userpolicy_type {
__u8 type;
__u16 reserved1;
Expand Down Expand Up @@ -265,6 +280,16 @@ enum xfrm_attr_type_t {
#define XFRMA_MAX (__XFRMA_MAX - 1)
};

enum xfrm_sadattr_type_t {
XFRMA_SAD_UNSPEC,
XFRMA_SADHMASK,
XFRMA_SADHMAX,
XFRMA_SADCNT,
__XFRMA_SAD_MAX

#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1)
};

struct xfrm_usersa_info {
struct xfrm_selector sel;
struct xfrm_id id;
Expand Down
8 changes: 8 additions & 0 deletions include/net/xfrm.h
Original file line number Diff line number Diff line change
Expand Up @@ -416,6 +416,13 @@ struct xfrm_audit
u32 secid;
};

/* SAD metadata, add more later */
struct xfrm_sadinfo
{
u32 sadhcnt; /* current hash bkts */
u32 sadhmcnt; /* max allowed hash bkts */
u32 sadcnt; /* current running count */
};
#ifdef CONFIG_AUDITSYSCALL
extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
struct xfrm_policy *xp, struct xfrm_state *x);
Expand Down Expand Up @@ -938,6 +945,7 @@ static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **s
extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
extern int xfrm_state_delete(struct xfrm_state *x);
extern void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
extern void xfrm_sad_getinfo(struct xfrm_sadinfo *si);
extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq);
extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
extern void xfrm_replay_notify(struct xfrm_state *x, int event);
Expand Down
10 changes: 10 additions & 0 deletions net/xfrm/xfrm_state.c
Original file line number Diff line number Diff line change
Expand Up @@ -421,6 +421,16 @@ void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
}
EXPORT_SYMBOL(xfrm_state_flush);

void xfrm_sad_getinfo(struct xfrm_sadinfo *si)
{
spin_lock_bh(&xfrm_state_lock);
si->sadcnt = xfrm_state_num;
si->sadhcnt = xfrm_state_hmask;
si->sadhmcnt = xfrm_state_hashmax;
spin_unlock_bh(&xfrm_state_lock);
}
EXPORT_SYMBOL(xfrm_sad_getinfo);

static int
xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
struct xfrm_tmpl *tmpl,
Expand Down
56 changes: 56 additions & 0 deletions net/xfrm/xfrm_user.c
Original file line number Diff line number Diff line change
Expand Up @@ -672,6 +672,61 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
return skb;
}

static int build_sadinfo(struct sk_buff *skb, u32 pid, u32 seq, u32 flags)
{
struct xfrm_sadinfo si;
struct nlmsghdr *nlh;
u32 *f;

nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0);
if (nlh == NULL) /* shouldnt really happen ... */
return -EMSGSIZE;

f = nlmsg_data(nlh);
*f = flags;
xfrm_sad_getinfo(&si);

if (flags & XFRM_SAD_HMASK)
NLA_PUT_U32(skb, XFRMA_SADHMASK, si.sadhcnt);
if (flags & XFRM_SAD_HMAX)
NLA_PUT_U32(skb, XFRMA_SADHMAX, si.sadhmcnt);
if (flags & XFRM_SAD_CNT)
NLA_PUT_U32(skb, XFRMA_SADCNT, si.sadcnt);

return nlmsg_end(skb, nlh);

nla_put_failure:
nlmsg_cancel(skb, nlh);
return -EMSGSIZE;
}

static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
struct rtattr **xfrma)
{
struct sk_buff *r_skb;
u32 *flags = NLMSG_DATA(nlh);
u32 spid = NETLINK_CB(skb).pid;
u32 seq = nlh->nlmsg_seq;
int len = NLMSG_LENGTH(sizeof(u32));

if (*flags & XFRM_SAD_HMASK)
len += RTA_SPACE(sizeof(u32));
if (*flags & XFRM_SAD_HMAX)
len += RTA_SPACE(sizeof(u32));
if (*flags & XFRM_SAD_CNT)
len += RTA_SPACE(sizeof(u32));

r_skb = alloc_skb(len, GFP_ATOMIC);

if (r_skb == NULL)
return -ENOMEM;

if (build_sadinfo(r_skb, spid, seq, *flags) < 0)
BUG();

return nlmsg_unicast(xfrm_nl, r_skb, spid);
}

static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct rtattr **xfrma)
{
Expand Down Expand Up @@ -1850,6 +1905,7 @@ static struct xfrm_link {
[XFRM_MSG_NEWAE - XFRM_MSG_BASE] = { .doit = xfrm_new_ae },
[XFRM_MSG_GETAE - XFRM_MSG_BASE] = { .doit = xfrm_get_ae },
[XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate },
[XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_sadinfo },
};

static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
Expand Down

0 comments on commit 28d8909

Please sign in to comment.