|
| 1 | +Subject: [PATCH ipsec-next v8 00/16] Add IP-TFS mode to xfrm |
| 2 | + |
| 3 | +* Summary of Changes: |
| 4 | + |
| 5 | +This patchset adds a new xfrm mode implementing on-demand IP-TFS. IP-TFS |
| 6 | +(AggFrag encapsulation) has been standardized in RFC9347. |
| 7 | + |
| 8 | + Link: https://www.rfc-editor.org/rfc/rfc9347.txt |
| 9 | + |
| 10 | +This feature supports demand driven (i.e., non-constant send rate) |
| 11 | +IP-TFS to take advantage of the AGGFRAG ESP payload encapsulation. This |
| 12 | +payload type supports aggregation and fragmentation of the inner IP |
| 13 | +packet stream which in turn yields higher small-packet bandwidth as well |
| 14 | +as reducing MTU/PMTU issues. Congestion control is unimplementated as |
| 15 | +the send rate is demand driven rather than constant. |
| 16 | + |
| 17 | +In order to allow loading this fucntionality as a module a set of |
| 18 | +callbacks xfrm_mode_cbs has been added to xfrm as well. |
| 19 | + |
| 20 | +Patchset Changes: |
| 21 | +----------------- |
| 22 | + |
| 23 | + include/net/xfrm.h | 44 + |
| 24 | + include/uapi/linux/in.h | 2 + |
| 25 | + include/uapi/linux/ip.h | 16 + |
| 26 | + include/uapi/linux/ipsec.h | 3 +- |
| 27 | + include/uapi/linux/snmp.h | 3 + |
| 28 | + include/uapi/linux/xfrm.h | 9 +- |
| 29 | + net/ipv4/esp4.c | 3 +- |
| 30 | + net/ipv6/esp6.c | 3 +- |
| 31 | + net/netfilter/nft_xfrm.c | 3 +- |
| 32 | + net/xfrm/Kconfig | 16 + |
| 33 | + net/xfrm/Makefile | 1 + |
| 34 | + net/xfrm/trace_iptfs.h | 218 ++++ |
| 35 | + net/xfrm/xfrm_compat.c | 10 +- |
| 36 | + net/xfrm/xfrm_device.c | 4 +- |
| 37 | + net/xfrm/xfrm_input.c | 18 +- |
| 38 | + net/xfrm/xfrm_iptfs.c | 2858 ++++++++++++++++++++++++++++++++++++++++++++ |
| 39 | + net/xfrm/xfrm_output.c | 6 + |
| 40 | + net/xfrm/xfrm_policy.c | 26 +- |
| 41 | + net/xfrm/xfrm_proc.c | 3 + |
| 42 | + net/xfrm/xfrm_state.c | 84 ++ |
| 43 | + net/xfrm/xfrm_user.c | 77 ++ |
| 44 | + 21 files changed, 3388 insertions(+), 19 deletions(-) |
| 45 | + |
| 46 | +Patchset Structure: |
| 47 | +------------------- |
| 48 | + |
| 49 | +The first 6 commits are changes to the xfrm infrastructure to support |
| 50 | +the callbacks as well as more generic IP-TFS additions that may be used |
| 51 | +outside the actual IP-TFS implementation. |
| 52 | + |
| 53 | + - xfrm: config: add CONFIG_XFRM_IPTFS |
| 54 | + - include: uapi: add ip_tfs_*_hdr packet formats |
| 55 | + - include: uapi: add IPPROTO_AGGFRAG for AGGFRAG in ESP |
| 56 | + - xfrm: netlink: add config (netlink) options |
| 57 | + - xfrm: add mode_cbs module functionality |
| 58 | + - xfrm: add generic iptfs defines and functionality |
| 59 | + |
| 60 | +The last 10 commits constitute the IP-TFS implementation constructed in |
| 61 | +layers to make review easier. The first 9 commits all apply to a single |
| 62 | +file `net/xfrm/xfrm_iptfs.c`, the last commit adds a new tracepoint |
| 63 | +header file along with the use of these new tracepoint calls. |
| 64 | + |
| 65 | + - xfrm: iptfs: add new iptfs xfrm mode impl |
| 66 | + - xfrm: iptfs: add user packet (tunnel ingress) handling |
| 67 | + - xfrm: iptfs: share page fragments of inner packets |
| 68 | + - xfrm: iptfs: add fragmenting of larger than MTU user packets |
| 69 | + - xfrm: iptfs: add basic receive packet (tunnel egress) handling |
| 70 | + - xfrm: iptfs: handle received fragmented inner packets |
| 71 | + - xfrm: iptfs: add reusing received skb for the tunnel egress packet |
| 72 | + - xfrm: iptfs: add skb-fragment sharing code |
| 73 | + - xfrm: iptfs: handle reordering of received packets |
| 74 | + - xfrm: iptfs: add tracepoint functionality |
| 75 | + |
| 76 | +Patchset History: |
| 77 | +----------------- |
| 78 | + |
| 79 | +RFCv1 (11/10/2023) |
| 80 | + |
| 81 | +RFCv1 -> RFCv2 (11/12/2023) |
| 82 | + |
| 83 | + Updates based on feedback from Simon Horman, Antony, |
| 84 | + Michael Richardson, and kernel test robot. |
| 85 | + |
| 86 | +RFCv2 -> v1 (2/19/2024) |
| 87 | + |
| 88 | + Updates based on feedback from Sabrina Dubroca, kernel test robot |
| 89 | + |
| 90 | +v1 -> v2 (5/19/2024) |
| 91 | + |
| 92 | + Updates based on feedback from Sabrina Dubroca, Simon Horman, Antony. |
| 93 | + |
| 94 | + o Add handling of new netlink SA direction attribute (Antony). |
| 95 | + o Split single patch/commit of xfrm_iptfs.c (the actual IP-TFS impl) |
| 96 | + into 9+1 distinct layered functionality commits for aiding review. |
| 97 | + - xfrm: fix return check on clone() callback |
| 98 | + - xfrm: add sa_len() callback in xfrm_mode_cbs for copy to user |
| 99 | + - iptfs: remove unneeded skb free count variable |
| 100 | + - iptfs: remove unused variable and "breadcrumb" for future code. |
| 101 | + - iptfs: use do_div() to avoid "__udivd13 missing" link failure. |
| 102 | + - iptfs: remove some BUG_ON() assertions questioned in review. |
| 103 | + |
| 104 | +v2->v3 |
| 105 | + - Git User Glitch |
| 106 | + |
| 107 | +v2->v4 (6/17/2024) |
| 108 | + |
| 109 | + - iptfs: copy only the netlink attributes to user based on the |
| 110 | + direction of the SA. |
| 111 | + |
| 112 | + - xfrm: stats: in the output path check for skb->dev == NULL prior to |
| 113 | + setting xfrm statistics on dev_net(skb->dev) as skb->dev may be NULL |
| 114 | + for locally generated packets. |
| 115 | + |
| 116 | + - xfrm: stats: fix an input use case where dev_net(skb->dev) is used |
| 117 | + to inc stats after skb is possibly NULL'd earlier. Switch to using |
| 118 | + existing saved `net` pointer. |
| 119 | + |
| 120 | +v4->v5 (7/14/2024) |
| 121 | + - uapi: add units to doc comments |
| 122 | + - iptfs: add MODULE_DESCRIPTION() |
| 123 | + - squash nl-direction-update commit |
| 124 | + |
| 125 | +v5->v6 (7/31/2024) |
| 126 | + * sysctl: removed IPTFS sysctl additions |
| 127 | + - xfrm: use array of pointers vs structs for mode callbacks |
| 128 | + - iptfs: eliminate a memleak during state alloc failure |
| 129 | + - iptfs: free send queue content on SA delete |
| 130 | + - add some kdoc and comments |
| 131 | + - cleanup a couple formatting choices per Steffen |
| 132 | + |
| 133 | +v6->v7 (8/1/2024) |
| 134 | + - Rebased on latest ipsec-next |
| 135 | + |
| 136 | +v7->v8 (8/4/2024) |
| 137 | + - Use lock and rcu to load iptfs module copy existing use pattern |
| 138 | + - fix 2 warnings from the kernel bot |
0 commit comments