• xfrm: hash prefixed policies based on preflen thresholds · b58555f1
    Christophe Gouault authored
    The idea is an extension of the current policy hashing.
    
    Today only non-prefixed policies are stored in a hash table. This
    patch relaxes the constraints, and hashes policies whose prefix
    lengths are greater than or equal to a configurable threshold.
    
    Each hash table (one per direction) maintains its own set of IPv4 and
    IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
    128, 128).
    
    Example, if the output hash table is configured with values (16, 24,
    56, 64):
    
    ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
    ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
    ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
    
    ip xfrm policy add dir out \
        src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ...    => hashed
    ip xfrm policy add dir out \
        src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ...  => hashed
    ip xfrm policy add dir out \
        src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ...    => unhashed
    
    The high order bits of the addresses (up to the threshold) are used to
    compute the hash key.

    Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
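
The rule described in the commit message, as an added IPv4-only example (not code from the patch or from the kernel): a policy is hashed only when both prefix lengths reach their thresholds, and because the key uses only the thresholded high-order bits, a flow covered by a hashed policy lands in the same bucket as that policy. It assumes the message's example tuple means source threshold 16 and destination threshold 24, the reading under which the three listed IPv4 results hold; `struct thresh`, `policy_is_hashed`, `high_bits`, `bucket_key` and the mixing step are hypothetical names and a constructed stand-in for the real hash.

```c
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Thresholds of one per-direction table (IPv4 only; names are illustrative). */
struct thresh { uint8_t sbits, dbits; };

/* Hashed only when both prefix lengths reach their threshold. */
static int policy_is_hashed(uint8_t s_plen, uint8_t d_plen, struct thresh t)
{
    return s_plen >= t.sbits && d_plen >= t.dbits;
}

/* Keep the high-order `bits` bits of an IPv4 address in host byte order. */
static uint32_t high_bits(uint32_t addr, uint8_t bits)
{
    if (bits >= 32)
        return addr;
    return bits ? addr & (0xffffffffu << (32 - bits)) : 0;
}

/* Constructed toy mixer, not the kernel's hash function. Returns a bucket
 * index, or -1 when the policy stays on the unhashed list. */
static long bucket_key(uint32_t s, uint8_t s_plen, uint32_t d, uint8_t d_plen,
                       struct thresh t, uint32_t nbuckets)
{
    if (!policy_is_hashed(s_plen, d_plen, t))
        return -1;
    uint32_t h = high_bits(s, t.sbits) ^ (high_bits(d, t.dbits) * 0x9e3779b1u);
    h ^= h >> 16;
    return (long)(h % nbuckets);
}

int main(void)
{
    struct thresh t = { 16, 24 };   /* assumed reading of the message's (16, 24) */
    /* Policy 10.22.0.0/20 -> 10.24.1.0/24 and a flow it covers (/32 addresses). */
    long pol = bucket_key(IP4(10, 22, 0, 0), 20, IP4(10, 24, 1, 0), 24, t, 1024);
    long flow = bucket_key(IP4(10, 22, 5, 7), 32, IP4(10, 24, 1, 99), 32, t, 1024);
    printf("policy bucket %ld, flow bucket %ld\n", pol, flow);
    printf("/16 -> /16 policy: %ld\n",
           bucket_key(IP4(10, 22, 0, 0), 16, IP4(10, 24, 0, 0), 16, t, 1024));
    return 0;
}
```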
xfrm.h 1.93 KB