From: Tobias Brunner Date: Tue, 11 May 2021 14:24:38 +0000 (+0200) Subject: kernel-netlink: Add support to enable per-CPU acquires on policies X-Git-Tag: 6.0.2dr1~5^2~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bdfcfea1f2393d0a719d231a2619381115b4c5c9;p=thirdparty%2Fstrongswan.git kernel-netlink: Add support to enable per-CPU acquires on policies --- diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h index 8b79acac9d..6663d730b1 100644 --- a/src/libcharon/kernel/kernel_ipsec.h +++ b/src/libcharon/kernel/kernel_ipsec.h @@ -186,6 +186,8 @@ struct kernel_ipsec_manage_policy_t { uint32_t manual_prio; /** HW offload mode */ hw_offload_t hw_offload; + /** Enable per-CPU acquires */ + bool pcpu_acquires; /** Source address of the SA(s) tied to this policy */ host_t *src; /** Destination address of the SA(s) tied to this policy */ diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 74b33d8839..fd47e40680 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -545,6 +545,9 @@ struct policy_sa_t { /** Type of the policy */ policy_type_t type; + /** Whether to trigger per-CPU acquires for this policy */ + bool pcpu_acquires; + /** Assigned SA */ ipsec_sa_t *sa; }; @@ -565,12 +568,13 @@ struct policy_sa_out_t { }; /** - * Create a policy_sa(_in)_t object + * Create a policy_sa(_out)_t object */ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this, policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark, - uint32_t if_id, hw_offload_t hw_offload, ipsec_sa_cfg_t *cfg) + uint32_t if_id, hw_offload_t hw_offload, bool pcpu_acquires, + ipsec_sa_cfg_t *cfg) { policy_sa_t *policy; @@ -588,6 +592,7 @@ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this, INIT(policy, .priority = 0); } policy->type = type; + policy->pcpu_acquires = pcpu_acquires; policy->sa = ipsec_sa_create(this, src, dst, mark, if_id, hw_offload, cfg); return policy; } @@ -2951,6 +2956,11 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, policy_info->sel = policy->sel; policy_info->dir = policy->direction; + if (mapping->pcpu_acquires) + { + policy_info->flags |= XFRM_POLICY_CPU_ACQUIRE; + } + /* calculate priority based on selector size, small size = high prio */ policy_info->priority = mapping->priority; policy_info->action = mapping->type != POLICY_DROP ? XFRM_POLICY_ALLOW @@ -3007,8 +3017,9 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, tmpl->reqid = ipsec->cfg.reqid; tmpl->id.proto = protos[i].proto; /* in order to match SAs with all matching labels, we can't have the - * SPI in the template */ - if (policy->direction == POLICY_OUT && !policy->label) + * SPI in the template, similarly for per-CPU policies and sub-SAs */ + if (policy->direction == POLICY_OUT && !policy->label && + !mapping->pcpu_acquires) { tmpl->id.spi = protos[i].spi; } @@ -3154,7 +3165,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, /* cache the assigned IPsec SA */ assigned_sa = policy_sa_create(this, id->dir, data->type, data->src, data->dst, id->src_ts, id->dst_ts, id->mark, - id->if_id, data->hw_offload, data->sa); + id->if_id, data->hw_offload, + data->pcpu_acquires, data->sa); assigned_sa->auto_priority = get_priority(policy, data->prio, id->interface); assigned_sa->priority = this->get_priority ? this->get_priority(id, data) : data->manual_prio; @@ -3387,6 +3399,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t, if (priority == mapping->priority && auto_priority == mapping->auto_priority && data->type == mapping->type && + data->pcpu_acquires == mapping->pcpu_acquires && ipsec_sa_equals(mapping->sa, &assigned_sa)) { current->used_by->remove_at(current->used_by, enumerator);