Skip to content

Commit 5ce90c8

Browse files
committed
Merge branch 'xfrm: speed up policy insertions'
Florian Westphal says: ==================== Policy insertions do not scale well, due to both a linear list walk to find the insertion spot and another list walk to set the 'pos' value (a tie-breaker to detect which policy is older when there is ambiguity as to which one should be matched). First patch gets rid of the second list walk on insert. Rest of the patches get rid of the insertion walk. This list walk was only needed because when I moved the policy db implementation to rbtree I retained the old insertion method for the sake of XFRM_MIGRATE. Switching that to tree-based lookup avoids the need for the full list search. After this, insertion of a policy is largely independent of the number of pre-existing policies as long as they do not share the same source/destination networks. Note that this is compile tested only as I did not find any tests for XFRM_MIGRATE. ==================== Signed-off-by: Steffen Klassert <[email protected]>
2 parents 54f2f78 + a54ad72 commit 5ce90c8

File tree

4 files changed

+175
-112
lines changed

4 files changed

+175
-112
lines changed

include/net/xfrm.h

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -555,7 +555,6 @@ struct xfrm_policy {
555555
u16 family;
556556
struct xfrm_sec_ctx *security;
557557
struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
558-
struct hlist_node bydst_inexact_list;
559558
struct rcu_head rcu;
560559

561560
struct xfrm_dev_offload xdo;

net/xfrm/xfrm_policy.c

Lines changed: 91 additions & 110 deletions
Original file line numberDiff line numberDiff line change
@@ -196,8 +196,6 @@ xfrm_policy_inexact_lookup_rcu(struct net *net,
196196
static struct xfrm_policy *
197197
xfrm_policy_insert_list(struct hlist_head *chain, struct xfrm_policy *policy,
198198
bool excl);
199-
static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
200-
struct xfrm_policy *policy);
201199

202200
static bool
203201
xfrm_policy_find_inexact_candidates(struct xfrm_pol_inexact_candidates *cand,
@@ -410,7 +408,6 @@ struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
410408
if (policy) {
411409
write_pnet(&policy->xp_net, net);
412410
INIT_LIST_HEAD(&policy->walk.all);
413-
INIT_HLIST_NODE(&policy->bydst_inexact_list);
414411
INIT_HLIST_NODE(&policy->bydst);
415412
INIT_HLIST_NODE(&policy->byidx);
416413
rwlock_init(&policy->lock);
@@ -1228,26 +1225,31 @@ xfrm_policy_inexact_insert(struct xfrm_policy *policy, u8 dir, int excl)
12281225
return ERR_PTR(-EEXIST);
12291226
}
12301227

1231-
chain = &net->xfrm.policy_inexact[dir];
1232-
xfrm_policy_insert_inexact_list(chain, policy);
1233-
12341228
if (delpol)
12351229
__xfrm_policy_inexact_prune_bin(bin, false);
12361230

12371231
return delpol;
12381232
}
12391233

1234+
static bool xfrm_policy_is_dead_or_sk(const struct xfrm_policy *policy)
1235+
{
1236+
int dir;
1237+
1238+
if (policy->walk.dead)
1239+
return true;
1240+
1241+
dir = xfrm_policy_id2dir(policy->index);
1242+
return dir >= XFRM_POLICY_MAX;
1243+
}
1244+
12401245
static void xfrm_hash_rebuild(struct work_struct *work)
12411246
{
12421247
struct net *net = container_of(work, struct net,
12431248
xfrm.policy_hthresh.work);
1244-
unsigned int hmask;
12451249
struct xfrm_policy *pol;
12461250
struct xfrm_policy *policy;
12471251
struct hlist_head *chain;
1248-
struct hlist_head *odst;
12491252
struct hlist_node *newpos;
1250-
int i;
12511253
int dir;
12521254
unsigned seq;
12531255
u8 lbits4, rbits4, lbits6, rbits6;
@@ -1311,23 +1313,7 @@ static void xfrm_hash_rebuild(struct work_struct *work)
13111313
goto out_unlock;
13121314
}
13131315

1314-
/* reset the bydst and inexact table in all directions */
13151316
for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
1316-
struct hlist_node *n;
1317-
1318-
hlist_for_each_entry_safe(policy, n,
1319-
&net->xfrm.policy_inexact[dir],
1320-
bydst_inexact_list) {
1321-
hlist_del_rcu(&policy->bydst);
1322-
hlist_del_init(&policy->bydst_inexact_list);
1323-
}
1324-
1325-
hmask = net->xfrm.policy_bydst[dir].hmask;
1326-
odst = net->xfrm.policy_bydst[dir].table;
1327-
for (i = hmask; i >= 0; i--) {
1328-
hlist_for_each_entry_safe(policy, n, odst + i, bydst)
1329-
hlist_del_rcu(&policy->bydst);
1330-
}
13311317
if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
13321318
/* dir out => dst = remote, src = local */
13331319
net->xfrm.policy_bydst[dir].dbits4 = rbits4;
@@ -1352,6 +1338,9 @@ static void xfrm_hash_rebuild(struct work_struct *work)
13521338
/* skip socket policies */
13531339
continue;
13541340
}
1341+
1342+
hlist_del_rcu(&policy->bydst);
1343+
13551344
newpos = NULL;
13561345
chain = policy_hash_bysel(net, &policy->selector,
13571346
policy->family, dir);
@@ -1519,42 +1508,6 @@ static const struct rhashtable_params xfrm_pol_inexact_params = {
15191508
.automatic_shrinking = true,
15201509
};
15211510

1522-
static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
1523-
struct xfrm_policy *policy)
1524-
{
1525-
struct xfrm_policy *pol, *delpol = NULL;
1526-
struct hlist_node *newpos = NULL;
1527-
int i = 0;
1528-
1529-
hlist_for_each_entry(pol, chain, bydst_inexact_list) {
1530-
if (pol->type == policy->type &&
1531-
pol->if_id == policy->if_id &&
1532-
!selector_cmp(&pol->selector, &policy->selector) &&
1533-
xfrm_policy_mark_match(&policy->mark, pol) &&
1534-
xfrm_sec_ctx_match(pol->security, policy->security) &&
1535-
!WARN_ON(delpol)) {
1536-
delpol = pol;
1537-
if (policy->priority > pol->priority)
1538-
continue;
1539-
} else if (policy->priority >= pol->priority) {
1540-
newpos = &pol->bydst_inexact_list;
1541-
continue;
1542-
}
1543-
if (delpol)
1544-
break;
1545-
}
1546-
1547-
if (newpos && policy->xdo.type != XFRM_DEV_OFFLOAD_PACKET)
1548-
hlist_add_behind_rcu(&policy->bydst_inexact_list, newpos);
1549-
else
1550-
hlist_add_head_rcu(&policy->bydst_inexact_list, chain);
1551-
1552-
hlist_for_each_entry(pol, chain, bydst_inexact_list) {
1553-
pol->pos = i;
1554-
i++;
1555-
}
1556-
}
1557-
15581511
static struct xfrm_policy *xfrm_policy_insert_list(struct hlist_head *chain,
15591512
struct xfrm_policy *policy,
15601513
bool excl)
@@ -2294,10 +2247,52 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
22942247
return pol;
22952248
}
22962249

2250+
static u32 xfrm_gen_pos_slow(struct net *net)
2251+
{
2252+
struct xfrm_policy *policy;
2253+
u32 i = 0;
2254+
2255+
/* oldest entry is last in list */
2256+
list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
2257+
if (!xfrm_policy_is_dead_or_sk(policy))
2258+
policy->pos = ++i;
2259+
}
2260+
2261+
return i;
2262+
}
2263+
2264+
static u32 xfrm_gen_pos(struct net *net)
2265+
{
2266+
const struct xfrm_policy *policy;
2267+
u32 i = 0;
2268+
2269+
/* most recently added policy is at the head of the list */
2270+
list_for_each_entry(policy, &net->xfrm.policy_all, walk.all) {
2271+
if (xfrm_policy_is_dead_or_sk(policy))
2272+
continue;
2273+
2274+
if (policy->pos == UINT_MAX)
2275+
return xfrm_gen_pos_slow(net);
2276+
2277+
i = policy->pos + 1;
2278+
break;
2279+
}
2280+
2281+
return i;
2282+
}
2283+
22972284
static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
22982285
{
22992286
struct net *net = xp_net(pol);
23002287

2288+
switch (dir) {
2289+
case XFRM_POLICY_IN:
2290+
case XFRM_POLICY_FWD:
2291+
case XFRM_POLICY_OUT:
2292+
pol->pos = xfrm_gen_pos(net);
2293+
break;
2294+
}
2295+
23012296
list_add(&pol->walk.all, &net->xfrm.policy_all);
23022297
net->xfrm.policy_count[dir]++;
23032298
xfrm_pol_hold(pol);
@@ -2314,7 +2309,6 @@ static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
23142309
/* Socket policies are not hashed. */
23152310
if (!hlist_unhashed(&pol->bydst)) {
23162311
hlist_del_rcu(&pol->bydst);
2317-
hlist_del_init(&pol->bydst_inexact_list);
23182312
hlist_del(&pol->byidx);
23192313
}
23202314

@@ -4437,63 +4431,50 @@ EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
44374431
#endif
44384432

44394433
#ifdef CONFIG_XFRM_MIGRATE
4440-
static bool xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
4441-
const struct xfrm_selector *sel_tgt)
4442-
{
4443-
if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
4444-
if (sel_tgt->family == sel_cmp->family &&
4445-
xfrm_addr_equal(&sel_tgt->daddr, &sel_cmp->daddr,
4446-
sel_cmp->family) &&
4447-
xfrm_addr_equal(&sel_tgt->saddr, &sel_cmp->saddr,
4448-
sel_cmp->family) &&
4449-
sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
4450-
sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
4451-
return true;
4452-
}
4453-
} else {
4454-
if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
4455-
return true;
4456-
}
4457-
}
4458-
return false;
4459-
}
4460-
44614434
static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *sel,
44624435
u8 dir, u8 type, struct net *net, u32 if_id)
44634436
{
44644437
struct xfrm_policy *pol, *ret = NULL;
4465-
struct hlist_head *chain;
4466-
u32 priority = ~0U;
4438+
struct flowi fl;
44674439

4468-
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
4469-
chain = policy_hash_direct(net, &sel->daddr, &sel->saddr, sel->family, dir);
4470-
hlist_for_each_entry(pol, chain, bydst) {
4471-
if ((if_id == 0 || pol->if_id == if_id) &&
4472-
xfrm_migrate_selector_match(sel, &pol->selector) &&
4473-
pol->type == type) {
4474-
ret = pol;
4475-
priority = ret->priority;
4476-
break;
4477-
}
4478-
}
4479-
chain = &net->xfrm.policy_inexact[dir];
4480-
hlist_for_each_entry(pol, chain, bydst_inexact_list) {
4481-
if ((pol->priority >= priority) && ret)
4482-
break;
4440+
memset(&fl, 0, sizeof(fl));
44834441

4484-
if ((if_id == 0 || pol->if_id == if_id) &&
4485-
xfrm_migrate_selector_match(sel, &pol->selector) &&
4486-
pol->type == type) {
4487-
ret = pol;
4442+
fl.flowi_proto = sel->proto;
4443+
4444+
switch (sel->family) {
4445+
case AF_INET:
4446+
fl.u.ip4.saddr = sel->saddr.a4;
4447+
fl.u.ip4.daddr = sel->daddr.a4;
4448+
if (sel->proto == IPSEC_ULPROTO_ANY)
44884449
break;
4489-
}
4450+
fl.u.flowi4_oif = sel->ifindex;
4451+
fl.u.ip4.fl4_sport = sel->sport;
4452+
fl.u.ip4.fl4_dport = sel->dport;
4453+
break;
4454+
case AF_INET6:
4455+
fl.u.ip6.saddr = sel->saddr.in6;
4456+
fl.u.ip6.daddr = sel->daddr.in6;
4457+
if (sel->proto == IPSEC_ULPROTO_ANY)
4458+
break;
4459+
fl.u.flowi6_oif = sel->ifindex;
4460+
fl.u.ip6.fl4_sport = sel->sport;
4461+
fl.u.ip6.fl4_dport = sel->dport;
4462+
break;
4463+
default:
4464+
return ERR_PTR(-EAFNOSUPPORT);
44904465
}
44914466

4492-
xfrm_pol_hold(ret);
4467+
rcu_read_lock();
44934468

4494-
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
4469+
pol = xfrm_policy_lookup_bytype(net, type, &fl, sel->family, dir, if_id);
4470+
if (IS_ERR_OR_NULL(pol))
4471+
goto out_unlock;
44954472

4496-
return ret;
4473+
if (!xfrm_pol_hold_rcu(ret))
4474+
pol = NULL;
4475+
out_unlock:
4476+
rcu_read_unlock();
4477+
return pol;
44974478
}
44984479

44994480
static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
@@ -4630,9 +4611,9 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
46304611

46314612
/* Stage 1 - find policy */
46324613
pol = xfrm_migrate_policy_find(sel, dir, type, net, if_id);
4633-
if (!pol) {
4614+
if (IS_ERR_OR_NULL(pol)) {
46344615
NL_SET_ERR_MSG(extack, "Target policy not found");
4635-
err = -ENOENT;
4616+
err = IS_ERR(pol) ? PTR_ERR(pol) : -ENOENT;
46364617
goto out;
46374618
}
46384619

tools/testing/selftests/net/Makefile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ TEST_PROGS += ip_local_port_range.sh
5656
TEST_PROGS += rps_default_mask.sh
5757
TEST_PROGS += big_tcp.sh
5858
TEST_PROGS += netns-sysctl.sh
59-
TEST_PROGS_EXTENDED := toeplitz_client.sh toeplitz.sh
59+
TEST_PROGS_EXTENDED := toeplitz_client.sh toeplitz.sh xfrm_policy_add_speed.sh
6060
TEST_GEN_FILES = socket nettest
6161
TEST_GEN_FILES += psock_fanout psock_tpacket msg_zerocopy reuseport_addr_any
6262
TEST_GEN_FILES += tcp_mmap tcp_inq psock_snd txring_overwrite

0 commit comments

Comments
 (0)