[XFRM]: Add generation count to xfrm_state and xfrm_dst.
authorDavid S. Miller <davem@sunset.davemloft.net>
Thu, 24 Aug 2006 10:18:09 +0000 (03:18 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Fri, 22 Sep 2006 22:08:42 +0000 (15:08 -0700)
Each xfrm_state inserted gets a new generation counter
value.  When a bundle is created, the xfrm_dst objects
get the current generation counter of the xfrm_state
they will attach to at dst->xfrm.

xfrm_bundle_ok() will return false if it sees an
xfrm_dst with a generation count different from the
generation count of the xfrm_state that dst points to.

This provides a facility by which to passively and
cheaply invalidate cached IPSEC routes during SA
database changes.

Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/xfrm.h
net/ipv4/xfrm4_policy.c
net/ipv6/xfrm6_policy.c
net/xfrm/xfrm_policy.c
net/xfrm/xfrm_state.c

index 3405e5d9d51c259f8b9fb28dddab81531ddb4ed9..fd4a300b5bafae832e883a909724c8382b7d8041 100644 (file)
@@ -104,6 +104,8 @@ struct xfrm_state
        struct xfrm_id          id;
        struct xfrm_selector    sel;
 
+       u32                     genid;
+
        /* Key manger bits */
        struct {
                u8              state;
@@ -590,6 +592,7 @@ struct xfrm_dst
                struct rt6_info         rt6;
        } u;
        struct dst_entry *route;
+       u32 genid;
        u32 route_mtu_cached;
        u32 child_mtu_cached;
        u32 route_cookie;
index 42d8ded0f96a81116dd624dd337901bb18b8f0a8..479598566f1decf0bd0374dc30d5cc43f01ece8e 100644 (file)
@@ -93,6 +93,7 @@ __xfrm4_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
 
                xdst = (struct xfrm_dst *)dst1;
                xdst->route = &rt->u.dst;
+               xdst->genid = xfrm[i]->genid;
 
                dst1->next = dst_prev;
                dst_prev = dst1;
index 98c2fe449b3f1f0fe530668d59b6ab83b90d65e7..9391c4c94febefb2d75950697bb5a08c044889d1 100644 (file)
@@ -149,6 +149,7 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
 
                xdst = (struct xfrm_dst *)dst1;
                xdst->route = &rt->u.dst;
+               xdst->genid = xfrm[i]->genid;
                if (rt->rt6i_node)
                        xdst->route_cookie = rt->rt6i_node->fn_sernum;
 
index 1732159ffd0112f8cbe07a7a55a89a8d6da617ee..7fc6944ee36f46d7f23097cdf66622835319f946 100644 (file)
@@ -1536,6 +1536,8 @@ int xfrm_bundle_ok(struct xfrm_dst *first, struct flowi *fl, int family, int str
                        return 0;
                if (dst->xfrm->km.state != XFRM_STATE_VALID)
                        return 0;
+               if (xdst->genid != dst->xfrm->genid)
+                       return 0;
 
                if (strict && fl && dst->xfrm->props.mode != XFRM_MODE_TUNNEL &&
                    !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
index 445263c54c94e4405305dcf3ff327b2ff85604d0..535d43c1472008aed20b526befae16b729db3514 100644 (file)
@@ -53,6 +53,7 @@ static struct hlist_head *xfrm_state_byspi __read_mostly;
 static unsigned int xfrm_state_hmask __read_mostly;
 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
 static unsigned int xfrm_state_num;
+static unsigned int xfrm_state_genid;
 
 static inline unsigned int __xfrm4_dst_hash(xfrm_address_t *addr, unsigned int hmask)
 {
@@ -745,6 +746,8 @@ static void __xfrm_state_insert(struct xfrm_state *x)
 {
        unsigned int h = xfrm_dst_hash(&x->id.daddr, x->props.family);
 
+       x->genid = ++xfrm_state_genid;
+
        hlist_add_head(&x->bydst, xfrm_state_bydst+h);
        xfrm_state_hold(x);