• Christophe Gouault's avatar
    xfrm: configure policy hash table thresholds by netlink · 880a6fab
    Christophe Gouault authored
    Enable to specify local and remote prefix length thresholds for the
    policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
    
    prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
    XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
    
    example:
    
        struct xfrmu_spdhthresh thresh4 = {
            .lbits = 0;
            .rbits = 24;
        };
        struct xfrmu_spdhthresh thresh6 = {
            .lbits = 0;
            .rbits = 56;
        };
        struct nlmsghdr *hdr;
        struct nl_msg *msg;
    
        msg = nlmsg_alloc();
        hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
        nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
        nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
        nla_send_auto(sk, msg);
    
    The numbers are the policy selector minimum prefix lengths to put a
    policy in the hash table.
    
    - lbits is the local threshold (source address for out policies,
      destination address for in and fwd policies).
    
    - rbits is the remote threshold (destination address for out
      policies, source address for in and fwd policies).
    
    The default values are:
    
    XFRMA_SPD_IPV4_HTHRESH: 32 32
    XFRMA_SPD_IPV6_HTHRESH: 128 128
    
    Dynamic re-building of the SPD is performed when the thresholds values
    are changed.
    
    The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
    the kernel replies to XFRM_MSG_GETSPDINFO requests by an
    XFRM_MSG_NEWSPDINFO message, with both attributes
    XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
    Signed-off-by: default avatarChristophe Gouault <christophe.gouault@6wind.com>
    Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
    880a6fab
xfrm_policy.c 79.4 KB