[net-next] xfrm: rework default policy structure

Message ID	20211118142937.5425-1-nicolas.dichtel@6wind.com (mailing list archive)
State	Awaiting Upstream
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Nicolas Dichtel <nicolas.dichtel@6wind.com> To: steffen.klassert@secunet.com, herbert@gondor.apana.org.au, antony.antony@secunet.com Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Nicolas Dichtel <nicolas.dichtel@6wind.com> Subject: [PATCH net-next] xfrm: rework default policy structure Date: Thu, 18 Nov 2021 15:29:37 +0100 Message-Id: <20211118142937.5425-1-nicolas.dichtel@6wind.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[net-next] xfrm: rework default policy structure \| expand [net-next] xfrm: rework default policy structure

Context	Check	Description
netdev/tree_selection	success	Clearly marked for net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/subject_prefix	success	Link
netdev/cover_letter	success	Single patches do not need cover letters
netdev/patch_count	success	Link
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 5072 this patch: 5072
netdev/cc_maintainers	warning	1 maintainers not CCed: a.darwish@linutronix.de
netdev/build_clang	success	Errors and warnings before: 898 this patch: 898
netdev/module_param	success	Was 0 now: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/verify_fixes	success	No Fixes tag
netdev/build_allmodconfig_warn	success	Errors and warnings before: 5228 this patch: 5228
netdev/checkpatch	warning	WARNING: line length of 86 exceeds 80 columns
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Nicolas Dichtel Nov. 18, 2021, 2:29 p.m. UTC

This is a follow up of commit f8d858e607b2 ("xfrm: make user policy API
complete"). The goal is to align userland API to the internal structures.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---

This patch targets ipsec-next, but because ipsec-next has not yet been
rebased on top of net-next, I based the patch on top of net-next.

 include/net/netns/xfrm.h |  6 +-----
 include/net/xfrm.h       | 38 ++++++++---------------------------
 net/xfrm/xfrm_policy.c   | 10 +++++++---
 net/xfrm/xfrm_user.c     | 43 +++++++++++++++++-----------------------
 4 files changed, 34 insertions(+), 63 deletions(-)

Leon Romanovsky Nov. 18, 2021, 7:09 p.m. UTC | #1

On Thu, Nov 18, 2021 at 03:29:37PM +0100, Nicolas Dichtel wrote:
> This is a follow up of commit f8d858e607b2 ("xfrm: make user policy API
> complete"). The goal is to align userland API to the internal structures.
> 
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> ---
> 
> This patch targets ipsec-next, but because ipsec-next has not yet been
> rebased on top of net-next, I based the patch on top of net-next.
> 
>  include/net/netns/xfrm.h |  6 +-----
>  include/net/xfrm.h       | 38 ++++++++---------------------------
>  net/xfrm/xfrm_policy.c   | 10 +++++++---
>  net/xfrm/xfrm_user.c     | 43 +++++++++++++++++-----------------------
>  4 files changed, 34 insertions(+), 63 deletions(-)
> 
> diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
> index 947733a639a6..bd7c3be4af5d 100644
> --- a/include/net/netns/xfrm.h
> +++ b/include/net/netns/xfrm.h
> @@ -66,11 +66,7 @@ struct netns_xfrm {
>  	int			sysctl_larval_drop;
>  	u32			sysctl_acq_expires;
>  
> -	u8			policy_default;
> -#define XFRM_POL_DEFAULT_IN	1
> -#define XFRM_POL_DEFAULT_OUT	2
> -#define XFRM_POL_DEFAULT_FWD	4
> -#define XFRM_POL_DEFAULT_MASK	7
> +	u8			policy_default[XFRM_POLICY_MAX];
>  
>  #ifdef CONFIG_SYSCTL
>  	struct ctl_table_header	*sysctl_hdr;
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> index 2308210793a0..3fd1e052927e 100644
> --- a/include/net/xfrm.h
> +++ b/include/net/xfrm.h
> @@ -1075,22 +1075,6 @@ xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, un
>  }
>  
>  #ifdef CONFIG_XFRM
> -static inline bool
> -xfrm_default_allow(struct net *net, int dir)
> -{
> -	u8 def = net->xfrm.policy_default;
> -
> -	switch (dir) {
> -	case XFRM_POLICY_IN:
> -		return def & XFRM_POL_DEFAULT_IN ? false : true;
> -	case XFRM_POLICY_OUT:
> -		return def & XFRM_POL_DEFAULT_OUT ? false : true;
> -	case XFRM_POLICY_FWD:
> -		return def & XFRM_POL_DEFAULT_FWD ? false : true;
> -	}
> -	return false;
> -}
> -
>  int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
>  			unsigned short family);
>  
> @@ -1104,13 +1088,10 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
>  	if (sk && sk->sk_policy[XFRM_POLICY_IN])
>  		return __xfrm_policy_check(sk, ndir, skb, family);
>  
> -	if (xfrm_default_allow(net, dir))
> -		return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
> -		       (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
> -		       __xfrm_policy_check(sk, ndir, skb, family);
> -	else
> -		return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
> -		       __xfrm_policy_check(sk, ndir, skb, family);
> +	return (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT &&
> +		(!net->xfrm.policy_count[dir] && !secpath_exists(skb))) ||
> +	       (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
> +	       __xfrm_policy_check(sk, ndir, skb, family);
>  }

This is completely unreadable. What is the advantage of writing like this?

>  
>  static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
> @@ -1162,13 +1143,10 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
>  {
>  	struct net *net = dev_net(skb->dev);
>  
> -	if (xfrm_default_allow(net, XFRM_POLICY_FWD))
> -		return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
> -			(skb_dst(skb)->flags & DST_NOXFRM) ||
> -			__xfrm_route_forward(skb, family);
> -	else
> -		return (skb_dst(skb)->flags & DST_NOXFRM) ||
> -			__xfrm_route_forward(skb, family);
> +	return (net->xfrm.policy_default[XFRM_POLICY_FWD] == XFRM_USERPOLICY_ACCEPT &&
> +		!net->xfrm.policy_count[XFRM_POLICY_OUT]) ||
> +	       (skb_dst(skb)->flags & DST_NOXFRM) ||
> +	       __xfrm_route_forward(skb, family);

Ditto.

Thanks

Nicolas Dichtel Nov. 19, 2021, 8:06 a.m. UTC | #2

Le 18/11/2021 à 20:09, Leon Romanovsky a écrit :
> On Thu, Nov 18, 2021 at 03:29:37PM +0100, Nicolas Dichtel wrote:
>> This is a follow up of commit f8d858e607b2 ("xfrm: make user policy API
>> complete"). The goal is to align userland API to the internal structures.
>>
>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>> ---
>>
>> This patch targets ipsec-next, but because ipsec-next has not yet been
>> rebased on top of net-next, I based the patch on top of net-next.
>>
>>  include/net/netns/xfrm.h |  6 +-----
>>  include/net/xfrm.h       | 38 ++++++++---------------------------
>>  net/xfrm/xfrm_policy.c   | 10 +++++++---
>>  net/xfrm/xfrm_user.c     | 43 +++++++++++++++++-----------------------
>>  4 files changed, 34 insertions(+), 63 deletions(-)
>>
>> diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
>> index 947733a639a6..bd7c3be4af5d 100644
>> --- a/include/net/netns/xfrm.h
>> +++ b/include/net/netns/xfrm.h
>> @@ -66,11 +66,7 @@ struct netns_xfrm {
>>  	int			sysctl_larval_drop;
>>  	u32			sysctl_acq_expires;
>>  
>> -	u8			policy_default;
>> -#define XFRM_POL_DEFAULT_IN	1
>> -#define XFRM_POL_DEFAULT_OUT	2
>> -#define XFRM_POL_DEFAULT_FWD	4
>> -#define XFRM_POL_DEFAULT_MASK	7
>> +	u8			policy_default[XFRM_POLICY_MAX];
>>  
>>  #ifdef CONFIG_SYSCTL
>>  	struct ctl_table_header	*sysctl_hdr;
>> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
>> index 2308210793a0..3fd1e052927e 100644
>> --- a/include/net/xfrm.h
>> +++ b/include/net/xfrm.h
>> @@ -1075,22 +1075,6 @@ xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, un
>>  }
>>  
>>  #ifdef CONFIG_XFRM
>> -static inline bool
>> -xfrm_default_allow(struct net *net, int dir)
>> -{
>> -	u8 def = net->xfrm.policy_default;
>> -
>> -	switch (dir) {
>> -	case XFRM_POLICY_IN:
>> -		return def & XFRM_POL_DEFAULT_IN ? false : true;
>> -	case XFRM_POLICY_OUT:
>> -		return def & XFRM_POL_DEFAULT_OUT ? false : true;
>> -	case XFRM_POLICY_FWD:
>> -		return def & XFRM_POL_DEFAULT_FWD ? false : true;
>> -	}
>> -	return false;
>> -}
>> -
>>  int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
>>  			unsigned short family);
>>  
>> @@ -1104,13 +1088,10 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
>>  	if (sk && sk->sk_policy[XFRM_POLICY_IN])
>>  		return __xfrm_policy_check(sk, ndir, skb, family);
>>  
>> -	if (xfrm_default_allow(net, dir))
>> -		return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
>> -		       (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
>> -		       __xfrm_policy_check(sk, ndir, skb, family);
>> -	else
>> -		return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
>> -		       __xfrm_policy_check(sk, ndir, skb, family);
>> +	return (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT &&
>> +		(!net->xfrm.policy_count[dir] && !secpath_exists(skb))) ||
>> +	       (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
>> +	       __xfrm_policy_check(sk, ndir, skb, family);
>>  }
> 
> This is completely unreadable. What is the advantage of writing like this?
Yeah, I was hesitating. I was hoping that indentation could help.
At the opposite, I could also arg that having two times the "nearly" same test
is also unreadable.
I choose to drop xfrm_default_allow() to remove the negation in
xfrm_lookup_with_ifid():

-           !xfrm_default_allow(net, dir)) {
+           net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {


What about:

static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
                                         int dir)
{
        if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
                return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;

        return false;
}

...
static inline int __xfrm_policy_check2(struct sock *sk, int dir,
...
        return __xfrm_check_nopolicy(net, skb, dir) ||
               (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
               __xfrm_policy_check(sk, ndir, skb, family);

> 
>>  
>>  static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
>> @@ -1162,13 +1143,10 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
>>  {
>>  	struct net *net = dev_net(skb->dev);
>>  
>> -	if (xfrm_default_allow(net, XFRM_POLICY_FWD))
>> -		return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
>> -			(skb_dst(skb)->flags & DST_NOXFRM) ||
>> -			__xfrm_route_forward(skb, family);
>> -	else
>> -		return (skb_dst(skb)->flags & DST_NOXFRM) ||
>> -			__xfrm_route_forward(skb, family);
>> +	return (net->xfrm.policy_default[XFRM_POLICY_FWD] == XFRM_USERPOLICY_ACCEPT &&
>> +		!net->xfrm.policy_count[XFRM_POLICY_OUT]) ||
>> +	       (skb_dst(skb)->flags & DST_NOXFRM) ||
>> +	       __xfrm_route_forward(skb, family);
> 
> Ditto.
> 
> Thanks
>

Leon Romanovsky Nov. 19, 2021, 3:41 p.m. UTC | #3

On Fri, Nov 19, 2021 at 09:06:01AM +0100, Nicolas Dichtel wrote:
> Le 18/11/2021 à 20:09, Leon Romanovsky a écrit :
> > On Thu, Nov 18, 2021 at 03:29:37PM +0100, Nicolas Dichtel wrote:
> >> This is a follow up of commit f8d858e607b2 ("xfrm: make user policy API
> >> complete"). The goal is to align userland API to the internal structures.
> >>
> >> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> >> ---
> >>
> >> This patch targets ipsec-next, but because ipsec-next has not yet been
> >> rebased on top of net-next, I based the patch on top of net-next.
> >>
> >>  include/net/netns/xfrm.h |  6 +-----
> >>  include/net/xfrm.h       | 38 ++++++++---------------------------
> >>  net/xfrm/xfrm_policy.c   | 10 +++++++---
> >>  net/xfrm/xfrm_user.c     | 43 +++++++++++++++++-----------------------
> >>  4 files changed, 34 insertions(+), 63 deletions(-)
> >>
> >> diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
> >> index 947733a639a6..bd7c3be4af5d 100644
> >> --- a/include/net/netns/xfrm.h
> >> +++ b/include/net/netns/xfrm.h
> >> @@ -66,11 +66,7 @@ struct netns_xfrm {
> >>  	int			sysctl_larval_drop;
> >>  	u32			sysctl_acq_expires;
> >>  
> >> -	u8			policy_default;
> >> -#define XFRM_POL_DEFAULT_IN	1
> >> -#define XFRM_POL_DEFAULT_OUT	2
> >> -#define XFRM_POL_DEFAULT_FWD	4
> >> -#define XFRM_POL_DEFAULT_MASK	7
> >> +	u8			policy_default[XFRM_POLICY_MAX];
> >>  
> >>  #ifdef CONFIG_SYSCTL
> >>  	struct ctl_table_header	*sysctl_hdr;
> >> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> >> index 2308210793a0..3fd1e052927e 100644
> >> --- a/include/net/xfrm.h
> >> +++ b/include/net/xfrm.h
> >> @@ -1075,22 +1075,6 @@ xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, un
> >>  }
> >>  
> >>  #ifdef CONFIG_XFRM
> >> -static inline bool
> >> -xfrm_default_allow(struct net *net, int dir)
> >> -{
> >> -	u8 def = net->xfrm.policy_default;
> >> -
> >> -	switch (dir) {
> >> -	case XFRM_POLICY_IN:
> >> -		return def & XFRM_POL_DEFAULT_IN ? false : true;
> >> -	case XFRM_POLICY_OUT:
> >> -		return def & XFRM_POL_DEFAULT_OUT ? false : true;
> >> -	case XFRM_POLICY_FWD:
> >> -		return def & XFRM_POL_DEFAULT_FWD ? false : true;
> >> -	}
> >> -	return false;
> >> -}
> >> -
> >>  int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
> >>  			unsigned short family);
> >>  
> >> @@ -1104,13 +1088,10 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
> >>  	if (sk && sk->sk_policy[XFRM_POLICY_IN])
> >>  		return __xfrm_policy_check(sk, ndir, skb, family);
> >>  
> >> -	if (xfrm_default_allow(net, dir))
> >> -		return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
> >> -		       (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
> >> -		       __xfrm_policy_check(sk, ndir, skb, family);
> >> -	else
> >> -		return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
> >> -		       __xfrm_policy_check(sk, ndir, skb, family);
> >> +	return (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT &&
> >> +		(!net->xfrm.policy_count[dir] && !secpath_exists(skb))) ||
> >> +	       (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
> >> +	       __xfrm_policy_check(sk, ndir, skb, family);
> >>  }
> > 
> > This is completely unreadable. What is the advantage of writing like this?
> Yeah, I was hesitating. I was hoping that indentation could help.
> At the opposite, I could also arg that having two times the "nearly" same test
> is also unreadable.
> I choose to drop xfrm_default_allow() to remove the negation in
> xfrm_lookup_with_ifid():
> 
> -           !xfrm_default_allow(net, dir)) {
> +           net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
> 
> 
> What about:
> 
> static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
>                                          int dir)
> {
>         if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
>                 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
> 
>         return false;
> }

It is much better, just extra "!" is not in place.
if (!net->xfrm.policy_count[dir] ... -> if (net->xfrm.policy_count[dir] ...

Thanks

Nicolas Dichtel Nov. 19, 2021, 5:31 p.m. UTC | #4

Le 19/11/2021 à 16:41, Leon Romanovsky a écrit :
[snip]
>> What about:
>>
>> static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
>>                                          int dir)
>> {
>>         if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
>>                 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
>>
>>         return false;
>> }
> 
> It is much better, just extra "!" is not in place.
Ok, I will send a v2 with that.

> if (!net->xfrm.policy_count[dir] ... -> if (net->xfrm.policy_count[dir] ...
Hmm, are you sure?
If "there is no policy configured" and "there is no secpath"
  then "return the default policy"

The original statement is:
       if (xfrm_default_allow(net, dir))
               return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
                      (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
                      __xfrm_policy_check(sk, ndir, skb, family);

Thank you,
Nicolas

Leon Romanovsky Nov. 21, 2021, 2:07 p.m. UTC | #5

On Fri, Nov 19, 2021 at 06:31:18PM +0100, Nicolas Dichtel wrote:
> Le 19/11/2021 à 16:41, Leon Romanovsky a écrit :
> [snip]
> >> What about:
> >>
> >> static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
> >>                                          int dir)
> >> {
> >>         if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
> >>                 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
> >>
> >>         return false;
> >> }
> > 
> > It is much better, just extra "!" is not in place.
> Ok, I will send a v2 with that.
> 
> > if (!net->xfrm.policy_count[dir] ... -> if (net->xfrm.policy_count[dir] ...
> Hmm, are you sure?

Not sure at all, maybe wrong.

Thanks

[net-next] xfrm: rework default policy structure

Checks

Commit Message

Comments

Patch