Commit def8b4fa authored by Alexey Dobriyan's avatar Alexey Dobriyan Committed by David S. Miller

net: reduce structures when XFRM=n

ifdef out
* struct sk_buff::sp		(pointer)
* struct dst_entry::xfrm	(pointer)
* struct sock::sk_policy	(2 pointers)
Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b057efd4
...@@ -269,8 +269,9 @@ struct sk_buff { ...@@ -269,8 +269,9 @@ struct sk_buff {
struct dst_entry *dst; struct dst_entry *dst;
struct rtable *rtable; struct rtable *rtable;
}; };
#ifdef CONFIG_XFRM
struct sec_path *sp; struct sec_path *sp;
#endif
/* /*
* This is the control buffer. It is free to use for every * This is the control buffer. It is free to use for every
* layer. Please put your private variables there. If you * layer. Please put your private variables there. If you
...@@ -1864,6 +1865,18 @@ static inline void skb_copy_queue_mapping(struct sk_buff *to, const struct sk_bu ...@@ -1864,6 +1865,18 @@ static inline void skb_copy_queue_mapping(struct sk_buff *to, const struct sk_bu
to->queue_mapping = from->queue_mapping; to->queue_mapping = from->queue_mapping;
} }
#ifdef CONFIG_XFRM
static inline struct sec_path *skb_sec_path(struct sk_buff *skb)
{
return skb->sp;
}
#else
static inline struct sec_path *skb_sec_path(struct sk_buff *skb)
{
return NULL;
}
#endif
static inline int skb_is_gso(const struct sk_buff *skb) static inline int skb_is_gso(const struct sk_buff *skb)
{ {
return skb_shinfo(skb)->gso_size; return skb_shinfo(skb)->gso_size;
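Review bot: Both variants of `skb_sec_path()` take a non-const `struct sk_buff *` although they only read the pointer, while the neighbouring `skb_is_gso()` already takes `const struct sk_buff *`. Declaring it as `static inline struct sec_path *skb_sec_path(const struct sk_buff *skb)` in both branches lets read-only callers use the accessor without a cast. The helper is also undocumented; a one-line comment such as `/* Returns the skb's IPsec security path, or NULL when CONFIG_XFRM is off; use this instead of skb->sp outside #ifdef CONFIG_XFRM. */` would explain why the field must not be referenced directly. Both definitions sit fully inside this hunk.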
......
...@@ -59,8 +59,9 @@ struct dst_entry ...@@ -59,8 +59,9 @@ struct dst_entry
struct neighbour *neighbour; struct neighbour *neighbour;
struct hh_cache *hh; struct hh_cache *hh;
#ifdef CONFIG_XFRM
struct xfrm_state *xfrm; struct xfrm_state *xfrm;
#endif
int (*input)(struct sk_buff*); int (*input)(struct sk_buff*);
int (*output)(struct sk_buff*); int (*output)(struct sk_buff*);
......
...@@ -229,7 +229,9 @@ struct sock { ...@@ -229,7 +229,9 @@ struct sock {
} sk_backlog; } sk_backlog;
wait_queue_head_t *sk_sleep; wait_queue_head_t *sk_sleep;
struct dst_entry *sk_dst_cache; struct dst_entry *sk_dst_cache;
#ifdef CONFIG_XFRM
struct xfrm_policy *sk_policy[2]; struct xfrm_policy *sk_policy[2];
#endif
rwlock_t sk_dst_lock; rwlock_t sk_dst_lock;
atomic_t sk_rmem_alloc; atomic_t sk_rmem_alloc;
atomic_t sk_wmem_alloc; atomic_t sk_wmem_alloc;
......
...@@ -882,6 +882,7 @@ struct xfrm_dst ...@@ -882,6 +882,7 @@ struct xfrm_dst
u32 path_cookie; u32 path_cookie;
}; };
#ifdef CONFIG_XFRM
static inline void xfrm_dst_destroy(struct xfrm_dst *xdst) static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
{ {
dst_release(xdst->route); dst_release(xdst->route);
...@@ -894,6 +895,7 @@ static inline void xfrm_dst_destroy(struct xfrm_dst *xdst) ...@@ -894,6 +895,7 @@ static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
xdst->partner = NULL; xdst->partner = NULL;
#endif #endif
} }
#endif
extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev); extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
...@@ -1536,9 +1538,11 @@ static inline void xfrm_states_delete(struct xfrm_state **states, int n) ...@@ -1536,9 +1538,11 @@ static inline void xfrm_states_delete(struct xfrm_state **states, int n)
} }
#endif #endif
#ifdef CONFIG_XFRM
static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb) static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
{ {
return skb->sp->xvec[skb->sp->len - 1]; return skb->sp->xvec[skb->sp->len - 1];
} }
#endif
#endif /* _NET_XFRM_H */ #endif /* _NET_XFRM_H */
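Review bot: `xfrm_input_state()` dereferences `skb->sp` and indexes `xvec[skb->sp->len - 1]` with no check that a secpath is attached or that `len` is at least 1, so a NULL `sp` would be a NULL dereference and an empty path a read before the array. The callers are not visible on this page, so the receive path may already guarantee both conditions. Since the commit touches the function, the precondition should still be stated, e.g. `/* Caller must ensure skb->sp != NULL and skb->sp->len > 0. */`. The `icmp_rcv()` and `icmpv6_rcv()` hunks use the same `sp->xvec[sp->len - 1]` indexing, where `sp` is NULL-checked but `sp->len` is not.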
...@@ -489,7 +489,7 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old) ...@@ -489,7 +489,7 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
new->network_header = old->network_header; new->network_header = old->network_header;
new->mac_header = old->mac_header; new->mac_header = old->mac_header;
new->dst = dst_clone(old->dst); new->dst = dst_clone(old->dst);
#ifdef CONFIG_INET #ifdef CONFIG_XFRM
new->sp = secpath_get(old->sp); new->sp = secpath_get(old->sp);
#endif #endif
memcpy(new->cb, old->cb, sizeof(old->cb)); memcpy(new->cb, old->cb, sizeof(old->cb));
......
...@@ -976,9 +976,10 @@ int icmp_rcv(struct sk_buff *skb) ...@@ -976,9 +976,10 @@ int icmp_rcv(struct sk_buff *skb)
struct net *net = dev_net(rt->u.dst.dev); struct net *net = dev_net(rt->u.dst.dev);
if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
struct sec_path *sp = skb_sec_path(skb);
int nh; int nh;
if (!(skb->sp && skb->sp->xvec[skb->sp->len - 1]->props.flags & if (!(sp && sp->xvec[sp->len - 1]->props.flags &
XFRM_STATE_ICMP)) XFRM_STATE_ICMP))
goto drop; goto drop;
......
...@@ -106,7 +106,7 @@ int ip_forward(struct sk_buff *skb) ...@@ -106,7 +106,7 @@ int ip_forward(struct sk_buff *skb)
* We now generate an ICMP HOST REDIRECT giving the route * We now generate an ICMP HOST REDIRECT giving the route
* we calculated. * we calculated.
*/ */
if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb->sp) if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb_sec_path(skb))
ip_rt_send_redirect(skb); ip_rt_send_redirect(skb);
skb->priority = rt_tos2priority(iph->tos); skb->priority = rt_tos2priority(iph->tos);
......
...@@ -1399,7 +1399,9 @@ void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw, ...@@ -1399,7 +1399,9 @@ void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw,
rt->u.dst.path = &rt->u.dst; rt->u.dst.path = &rt->u.dst;
rt->u.dst.neighbour = NULL; rt->u.dst.neighbour = NULL;
rt->u.dst.hh = NULL; rt->u.dst.hh = NULL;
#ifdef CONFIG_XFRM
rt->u.dst.xfrm = NULL; rt->u.dst.xfrm = NULL;
#endif
rt->rt_genid = rt_genid(net); rt->rt_genid = rt_genid(net);
rt->rt_flags |= RTCF_REDIRECTED; rt->rt_flags |= RTCF_REDIRECTED;
......
...@@ -646,9 +646,10 @@ static int icmpv6_rcv(struct sk_buff *skb) ...@@ -646,9 +646,10 @@ static int icmpv6_rcv(struct sk_buff *skb)
int type; int type;
if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
struct sec_path *sp = skb_sec_path(skb);
int nh; int nh;
if (!(skb->sp && skb->sp->xvec[skb->sp->len - 1]->props.flags & if (!(sp && sp->xvec[sp->len - 1]->props.flags &
XFRM_STATE_ICMP)) XFRM_STATE_ICMP))
goto drop_no_count; goto drop_no_count;
......
...@@ -490,7 +490,7 @@ int ip6_forward(struct sk_buff *skb) ...@@ -490,7 +490,7 @@ int ip6_forward(struct sk_buff *skb)
We don't send redirects to frames decapsulated from IPsec. We don't send redirects to frames decapsulated from IPsec.
*/ */
if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0 && if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0 &&
!skb->sp) { !skb_sec_path(skb)) {
struct in6_addr *target = NULL; struct in6_addr *target = NULL;
struct rt6_info *rt; struct rt6_info *rt;
struct neighbour *n = dst->neighbour; struct neighbour *n = dst->neighbour;
......
...@@ -4626,7 +4626,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, ...@@ -4626,7 +4626,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
* as fast and as clean as possible. */ * as fast and as clean as possible. */
if (selinux_compat_net || !selinux_policycap_netpeer) if (selinux_compat_net || !selinux_policycap_netpeer)
return selinux_ip_postroute_compat(skb, ifindex, family); return selinux_ip_postroute_compat(skb, ifindex, family);
#ifdef CONFIG_XFRM
/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
* packet transformation so allow the packet to pass without any checks * packet transformation so allow the packet to pass without any checks
* since we'll have another chance to perform access control checks * since we'll have another chance to perform access control checks
...@@ -4635,7 +4635,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, ...@@ -4635,7 +4635,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
* is NULL, in this case go ahead and apply access control. */ * is NULL, in this case go ahead and apply access control. */
if (skb->dst != NULL && skb->dst->xfrm != NULL) if (skb->dst != NULL && skb->dst->xfrm != NULL)
return NF_ACCEPT; return NF_ACCEPT;
#endif
secmark_active = selinux_secmark_enabled(); secmark_active = selinux_secmark_enabled();
peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
if (!secmark_active && !peerlbl_active) if (!secmark_active && !peerlbl_active)
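Review bot: The early `return NF_ACCEPT` in `selinux_ip_postroute()` is now guarded by an in-function `#ifdef CONFIG_XFRM`, which puts a preprocessor conditional in the middle of an access-control decision, where a later edit could easily place a check on the wrong side of the guard. An accessor in the style of the `skb_sec_path()` helper this commit adds, returning `dst->xfrm` or NULL when XFRM is off, would keep the hook body identical in both configurations and leave the bypass condition as a single readable `if`. If the `#ifdef` stays, the closing line should at least be annotated as `#endif /* CONFIG_XFRM */`. The function starts and ends outside this hunk.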
......