NetBSD Problem Report #17932
Received: (qmail 338 invoked by uid 605); 13 Aug 2002 18:45:15 -0000
Message-Id: <20020813184504.E61E47DA4@yeah-baby.shagadelic.org>
Date: Tue, 13 Aug 2002 11:45:04 -0700 (PDT)
From: thorpej@shagadelic.org
Sender: gnats-bugs-owner@netbsd.org
Reply-To: thorpej@shagadelic.org
To: gnats-bugs@gnats.netbsd.org
Subject: IPSEC needlessly disables IP fast-forwarding
X-Send-Pr-Version: 3.95
>Number: 17932
>Category: kern
>Synopsis: IPSEC needlessly disables IP fast-forwarding
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Aug 13 18:46:00 +0000 2002
>Closed-Date: Wed May 16 07:02:24 +0000 2018
>Last-Modified: Wed May 16 07:02:24 +0000 2018
>Originator: Jason R Thorpe
>Release: NetBSD 1.6 and NetBSD 1.6F
>Organization:
Wasabi Systems, Inc.
>Environment:
System: NetBSD net4501.fast-100.shagadelic.org 1.6F NetBSD 1.6F (SHAG-NET4501) #62: Tue Aug 13 11:21:57 PDT 2002 thorpej@yeah-baby.shagadelic.org:/u1/netbsd/src/sys/arch/i386/compile/SHAG-NET4501 i386
Architecture: i386
Machine: i386
>Description:
The presence of the IPSEC option disables IP fast-forwarding:
#ifdef IPSEC
/* ipflow (IP fast forwarding) is not compatible with IPsec. */
m->m_flags &= ~M_CANFASTFWD;
#else
/*
* Assume that we can create a fast-forward IP flow entry
* based on this packet.
*/
m->m_flags |= M_CANFASTFWD;
#endif
>How-To-Repeat:
Forward packets through a NetBSD-based router with the IPSEC
option in the kernel. Observe through "netstat -s" that no
packets are fast-forwarded. Take IPSEC out of the kernel,
run the test again, and observe through "netstat -s" that
packets are fast-forwarded. Note the performance difference
between the two under heavy load.
>Fix:
The M_CANFASTFWD should only be cleared if IPsec processing is
actually required, or rather if there is an IPsec SPD entry that
covers the packet. Note that the SPD-covers-packet check will
have to be done using src/dst address only, since the fast-forwarding
code does not check proto/port.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->itojun
Responsible-Changed-By: itojun
Responsible-Changed-When: Tue Aug 13 17:25:22 PDT 2002
Responsible-Changed-Why:
guilty me
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
To: thorpej@shagadelic.org
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: kern/17932: IPSEC needlessly disables IP fast-forwarding
Date: Thu, 15 Aug 2002 00:35:52 +0900
>>Synopsis: IPSEC needlessly disables IP fast-forwarding
i thought we could switch off M_CANFASTFWD in ip_output(), however,
it is not possible. ipflow_create() checks mcopy, not m. therefore
determination has to happen before call to m_copym() in ip_forward().
need more time to think.
itojun
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
To: thorpej@shagadelic.org, gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: kern/17932: IPSEC needlessly disables IP fast-forwarding
Date: Thu, 15 Aug 2002 00:36:30 +0900
>>>Synopsis: IPSEC needlessly disables IP fast-forwarding
> i thought we could switch off M_CANFASTFWD in ip_output(), however,
> it is not possible. ipflow_create() checks mcopy, not m. therefore
> determination has to happen before call to m_copym() in ip_forward().
> need more time to think.
and how to adapt to policy table change is another issue.
(flush ipflow table on policy table change?)
itojun
From: Jason R Thorpe <thorpej@wasabisystems.com>
To: Jun-ichiro itojun Hagino <itojun@iijlab.net>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: kern/17932: IPSEC needlessly disables IP fast-forwarding
Date: Wed, 14 Aug 2002 08:56:41 -0700
On Thu, Aug 15, 2002 at 12:36:30AM +0900, Jun-ichiro itojun Hagino wrote:
> and how to adapt to policy table change is another issue.
> (flush ipflow table on policy table change?)
Yes, invalidating the ipflow cache on SPD change is a perfectly reasonable
thing to do.
--
-- Jason R. Thorpe <thorpej@wasabisystems.com>
From: Jason R Thorpe <thorpej@wasabisystems.com>
To: Jun-ichiro itojun Hagino <itojun@iijlab.net>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: kern/17932: IPSEC needlessly disables IP fast-forwarding
Date: Wed, 14 Aug 2002 08:57:17 -0700
On Thu, Aug 15, 2002 at 12:35:52AM +0900, Jun-ichiro itojun Hagino wrote:
> i thought we could switch off M_CANFASTFWD in ip_output(), however,
> it is not possible. ipflow_create() checks mcopy, not m. therefore
> determination has to happen before call to m_copym() in ip_forward().
> need more time to think.
ip_forward() could look up the outgoing SPD entry?
--
-- Jason R. Thorpe <thorpej@wasabisystems.com>
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/17932
Date: Sat, 17 Aug 2002 14:58:26 +0900
the patch should enable ipflow when ipsec policy is not present,
however, i guess additional policy lookup cost will impose performance
drawback. hmm.
itojun
Index: netinet/ip_flow.c
===================================================================
RCS file: /cvsroot/syssrc/sys/netinet/ip_flow.c,v
retrieving revision 1.25
diff -u -r1.25 ip_flow.c
--- netinet/ip_flow.c 2002/06/30 22:40:34 1.25
+++ netinet/ip_flow.c 2002/08/17 05:56:21
@@ -433,3 +433,20 @@
IPFLOW_INSERT(&ipflowtable[hash], ipf);
splx(s);
}
+
+void
+ipflow_flush(void)
+{
+ struct ipflow *ipf, *next;
+ int s;
+
+ s = splnet();
+
+ ipf = LIST_FIRST(&ipflowlist);
+ while (ipf != NULL) {
+ next = LIST_NEXT(ipf, ipf_list);
+ ipflow_free(ipf);
+ ipf = next;
+ }
+ splx(s);
+}
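Review bot: ipflow_flush() is only correct if ipflow_free() unlinks the entry from ipflowlist as well as from its hash bucket; the loop saves LIST_NEXT() before the call, so that assumption deserves a one-line comment above the while loop. There is also a remaining window that the flush does not close: a packet that passed the new SPD check in ip_forward() before the flush but reaches ipflow_create() after it still installs a flow under the old policy. Acceptable for a first cut, but say so in the comment so nobody reads the flush as a hard barrier.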
Index: netinet/ip_input.c
===================================================================
RCS file: /cvsroot/syssrc/sys/netinet/ip_input.c,v
retrieving revision 1.155
diff -u -r1.155 ip_input.c
--- netinet/ip_input.c 2002/08/14 00:23:31 1.155
+++ netinet/ip_input.c 2002/08/17 05:56:33
@@ -524,16 +524,11 @@
m_adj(m, len - m->m_pkthdr.len);
}
-#ifdef IPSEC
- /* ipflow (IP fast forwarding) is not compatible with IPsec. */
- m->m_flags &= ~M_CANFASTFWD;
-#else
/*
* Assume that we can create a fast-forward IP flow entry
* based on this packet.
*/
m->m_flags |= M_CANFASTFWD;
-#endif
#ifdef PFIL_HOOKS
/*
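Review bot: the retained comment "Assume that we can create a fast-forward IP flow entry based on this packet" is now misleading in IPSEC kernels, where the flag is provisional and is revoked later in ip_forward() when an SPD entry covers the packet; extend the comment to say that, otherwise the next reader will put the #ifdef back.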
@@ -1508,9 +1503,14 @@
struct ifnet *destifp;
#ifdef IPSEC
struct ifnet dummyifp;
+ struct secpolicy *sp;
#endif
/*
+ * to be passed to ip_output
+ */
+
+ /*
* Clear any in-bound checksum flags for this packet.
*/
m->m_pkthdr.csum_flags = 0;
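Review bot: the added comment "/* to be passed to ip_output */" sits between the declarations and the checksum-clearing code and is attached to nothing; either drop it or move it beside the "struct secpolicy *sp;" it presumably describes. Since sp is declared only under #ifdef IPSEC, every later use must stay inside the same guard.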
@@ -1551,6 +1551,25 @@
}
rt = ipforward_rt.ro_rt;
}
+
+#ifdef IPSEC
+ /*
+ * If we have ipsec poilcy matching the packet, we can't fast foward it.
+ */
+ sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING,
+ &error);
+ if (sp) {
+ switch (sp->policy) {
+ case IPSEC_POLICY_BYPASS:
+ case IPSEC_POLICY_NONE:
+ break;
+ default:
+ m->m_flags &= ~M_CANFASTFWD;
+ break;
+ }
+ } else
+ m->m_flags &= ~M_CANFASTFWD;
+#endif
/*
* Save at most 68 bytes of the packet in case
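Review bot: the struct secpolicy returned by ipsec4_getpolicybyaddr() is reference-counted and this hunk never releases it; add key_freesp(sp) after the switch, or every forwarded packet leaks a reference. Two things to verify as well: the lookup writes "error", so make sure nothing later in ip_forward() acts on that value before ip_output() overwrites it (the sp == NULL branch deliberately fails closed by clearing M_CANFASTFWD, which is the right choice); and confirm that passing IP_FORWARDING makes the lookup match on src/dst only, which the PR's >Fix requires because the ipflow key ignores proto/port. If ports were consulted here, a BYPASS match for one port would cache a flow that later packets to a protected port on the same src/dst would ride past IPsec. Typos in the comment: "poilcy", "foward".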
Index: netinet/ip_var.h
===================================================================
RCS file: /cvsroot/syssrc/sys/netinet/ip_var.h,v
retrieving revision 1.48
diff -u -r1.48 ip_var.h
--- netinet/ip_var.h 2002/06/30 22:40:35 1.48
+++ netinet/ip_var.h 2002/08/17 05:56:40
@@ -243,6 +243,7 @@
struct ipflow *ipflow_reap __P((int));
void ipflow_create __P((const struct route *, struct mbuf *));
void ipflow_slowtimo __P((void));
+void ipflow_flush __P((void));
#endif
#endif /* _NETINET_IP_VAR_H_ */
Index: netinet6/ipsec.c
===================================================================
RCS file: /cvsroot/syssrc/sys/netinet6/ipsec.c,v
retrieving revision 1.65
diff -u -r1.65 ipsec.c
--- netinet6/ipsec.c 2002/08/14 00:23:39 1.65
+++ netinet6/ipsec.c 2002/08/17 05:56:55
@@ -39,6 +39,7 @@
#include "opt_inet.h"
#include "opt_ipsec.h"
+#include "opt_gateway.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -318,6 +319,9 @@
ipsec_invalpcbcacheall()
{
+#ifdef GATEWAY
+ ipflow_flush();
+#endif
sp_cachegen++;
return 0;
}
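Review bot: flushing here only helps if ipsec_invalpcbcacheall() runs on every SPD mutation; please verify that spdadd, spddelete, spdflush and policy expiry all reach it, since any path that skips it leaves cached flows that bypass the new policy. It also flushes on per-socket policy changes that cannot affect forwarding, which is harmless but worth a comment, and the #ifdef GATEWAY guard here must match whatever guard encloses the ipflow_flush() prototype in ip_var.h, or a GATEWAY kernel without the prototype will fail to build.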
Responsible-Changed-From-To: itojun->kern-bug-people
Responsible-Changed-By: wiz@netbsd.org
Responsible-Changed-When: Sat, 17 Nov 2007 13:34:03 +0000
Responsible-Changed-Why:
Back to role account.
State-Changed-From-To: open->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Wed, 16 May 2018 07:02:24 +0000
State-Changed-Why:
This PR can be closed, the patch was committed.
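The two failure modes argued in the PR's >Fix and in the patch above (an address-keyed flow cache consulted against a port-aware policy, and a flow cached before the SPD changed), as an added example that is not part of this PR or of NetBSD's code: a small user-space model in C of the ipflow cache, an SPD, the M_CANFASTFWD decision in ip_forward() and the flush hook. The function names (spd_lookup, forward, scenario_*), the data layout and the two scenarios are assumptions constructed for this model; only the behaviour they reproduce (cache hits skip IPsec, BYPASS/NONE keep the flag, any other match clears it, SPD change flushes) comes from the PR.

```c
/*
 * Added example, not NetBSD code: a user-space model of an address-keyed
 * fast-forward cache (ipflow) interacting with an IPsec SPD, after PR 17932.
 * Names, layout and the scenarios below are assumptions made for this model.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum policy { POL_NONE, POL_BYPASS, POL_IPSEC };  /* stands in for IPSEC_POLICY_* */
enum treat  { FWD_SLOW, FWD_FAST, FWD_IPSEC };   /* what the packet actually gets */

struct pkt { uint32_t src, dst; uint16_t dport; };
struct spd_entry { uint32_t src, dst; uint16_t dport; enum policy pol; }; /* dport 0 = any */

#define SPD_MAX  8
#define FLOW_MAX 16

static struct spd_entry spd[SPD_MAX];
static int spd_n;
static struct { bool used; uint32_t src, dst; } flows[FLOW_MAX]; /* keyed on addresses only */

/* Counterpart of the patch's ipflow_flush(): drop every cached flow. */
static void ipflow_flush(void) { memset(flows, 0, sizeof flows); }

/* First matching SPD entry wins. with_ports selects whether dport takes part in
 * the match; the PR's >Fix asks for an address-only match when deciding M_CANFASTFWD. */
static enum policy spd_lookup(const struct pkt *p, bool with_ports) {
    for (int i = 0; i < spd_n; i++) {
        const struct spd_entry *e = &spd[i];
        if (e->src != p->src || e->dst != p->dst) continue;
        if (with_ports && e->dport != 0 && e->dport != p->dport) continue;
        return e->pol;
    }
    return POL_NONE;
}

/* SPD mutation; flush_flows mirrors the ipsec_invalpcbcacheall() hook in the patch. */
static void spd_add(struct spd_entry e, bool flush_flows) {
    if (spd_n < SPD_MAX) spd[spd_n++] = e;
    if (flush_flows) ipflow_flush();
}

static bool flow_hit(const struct pkt *p) {
    for (int i = 0; i < FLOW_MAX; i++)
        if (flows[i].used && flows[i].src == p->src && flows[i].dst == p->dst) return true;
    return false;
}

static void flow_create(const struct pkt *p) {
    for (int i = 0; i < FLOW_MAX; i++)
        if (!flows[i].used) { flows[i].used = true; flows[i].src = p->src; flows[i].dst = p->dst; return; }
}

/*
 * One forwarded packet.  Stage 1 models ipflow_fastforward(): a cache hit skips
 * everything else, IPsec included.  Stage 2 models the patch's check in
 * ip_forward(): an SPD match other than BYPASS/NONE revokes M_CANFASTFWD.
 * Stage 3 models ip_output(): the real, port-aware policy is applied and a
 * flow is cached only if M_CANFASTFWD survived stage 2.
 */
static enum treat forward(const struct pkt *p, bool canfastfwd_with_ports) {
    if (flow_hit(p)) return FWD_FAST;
    enum policy pol = spd_lookup(p, canfastfwd_with_ports);
    bool canfastfwd = (pol == POL_NONE || pol == POL_BYPASS);
    enum policy real = spd_lookup(p, true);
    if (canfastfwd) flow_create(p);
    return real == POL_IPSEC ? FWD_IPSEC : FWD_SLOW;
}

static void reset(void) { spd_n = 0; ipflow_flush(); }

/* Constructed scenario 1: the SPD protects only port 22 between A and B.  A
 * port-80 packet arrives first, then a port-22 packet; returns the latter's treatment. */
enum treat scenario_port_specific_policy(bool canfastfwd_with_ports) {
    reset();
    spd_add((struct spd_entry){ 0x0a000001, 0x0a000002, 22, POL_IPSEC }, true);
    forward(&(struct pkt){ 0x0a000001, 0x0a000002, 80 }, canfastfwd_with_ports);
    return forward(&(struct pkt){ 0x0a000001, 0x0a000002, 22 }, canfastfwd_with_ports);
}

/* Constructed scenario 2: a flow is cached while the SPD is empty, then a
 * protect policy for A->B is added; returns the next packet's treatment. */
enum treat scenario_policy_added_later(bool flush_on_change) {
    reset();
    forward(&(struct pkt){ 0x0a000001, 0x0a000002, 22 }, false);
    spd_add((struct spd_entry){ 0x0a000001, 0x0a000002, 0, POL_IPSEC }, flush_on_change);
    return forward(&(struct pkt){ 0x0a000001, 0x0a000002, 22 }, false);
}

int main(void) {
    static const char *name[] = { "slow path", "fast path (IPsec bypassed)", "IPsec" };
    printf("port-specific policy, port-aware check: %s\n", name[scenario_port_specific_policy(true)]);
    printf("port-specific policy, address-only check: %s\n", name[scenario_port_specific_policy(false)]);
    printf("policy added later, no flush: %s\n", name[scenario_policy_added_later(false)]);
    printf("policy added later, flush: %s\n", name[scenario_policy_added_later(true)]);
    return 0;
}
```

In scenario 1 the port-aware check lets the port-80 packet cache an (A,B) flow, and the port-22 packet then hits that flow and never reaches IPsec; the address-only check clears the flag for the port-80 packet too, so the port-22 packet takes the IPsec path. Scenario 2 shows why the flush in ipsec_invalpcbcacheall() is part of the fix and not an optimisation: without it the flow cached under the old SPD keeps forwarding in the clear.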
>Unformatted: