[RFC,ipsec-next,4/8] iptfs: sysctl: allow configuration of global default values

Message ID 20231110113719.3055788-5-chopps@chopps.org (mailing list archive)
State RFC
Delegated to: Netdev Maintainers
Series [RFC,ipsec-next,1/8] iptfs: config: add CONFIG_XFRM_IPTFS

Checks

Context Check Description
netdev/series_format warning Series does not have a cover letter
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit fail Errors and warnings before: 4239 this patch: 4239
netdev/cc_maintainers warning 6 maintainers not CCed: linux-doc@vger.kernel.org edumazet@google.com pabeni@redhat.com herbert@gondor.apana.org.au kuba@kernel.org corbet@lwn.net
netdev/build_clang fail Errors and warnings before: 243 this patch: 243
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn fail Errors and warnings before: 4557 this patch: 4551
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 111 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Christian Hopps Nov. 10, 2023, 11:37 a.m. UTC
From: Christian Hopps <chopps@labn.net>

Add sysctls for changing the IPTFS default SA values.

Signed-off-by: Christian Hopps <chopps@labn.net>
---
 Documentation/networking/xfrm_sysctl.rst | 29 ++++++++++++++++++
 include/net/netns/xfrm.h                 |  6 ++++
 include/net/xfrm.h                       |  7 +++++
 net/xfrm/xfrm_sysctl.c                   | 38 ++++++++++++++++++++++++
 4 files changed, 80 insertions(+)

Comments

Michael Richardson Nov. 12, 2023, 8:26 a.m. UTC | #1
>>>>> Christian Hopps <chopps@labn.net> writes:
Christian Hopps via Devel <devel@linux-ipsec.org> wrote:
    > Add sysctls for the changing the IPTFS default SA values.

Add sysctls for the changing the IPTFS default SA values.

+xfrm_iptfs_idelay - UNSIGNED INTEGER
+        The default IPTFS initial output delay. The initial output delay is the
+        amount of time prior to servicing the output queue after queueing the
+        first packet on said queue.

I'm guessing this is in milliseconds, but the documentation here does not say.

+xfrm_iptfs_rewin - UNSIGNED INTEGER
+        The default IPTFS reorder window size. The reorder window size dictates
+        the maximum number of IPTFS tunnel packets in a sequence that may arrive
+        out of order.
+
+        Default 3.

Why three?
Is there some experimental reason to pick three?
It seems that maybe the reorder window size could have been a per-SA attribute.

I read through the rest of the patches, and they seem great, but I didn't
read with a lot of comprehension.  I found the explanatory comments and
diagrams very well done!

Christian Hopps Nov. 12, 2023, 10:28 a.m. UTC | #2
Michael Richardson <mcr@sandelman.ca> writes:

>>>>>> Christian Hopps <chopps@labn.net> writes:
> Christian Hopps via Devel <devel@linux-ipsec.org> wrote:
>     > Add sysctls for the changing the IPTFS default SA values.
>
> Add sysctls for the changing the IPTFS default SA values.
>
> +xfrm_iptfs_idelay - UNSIGNED INTEGER
> +        The default IPTFS initial output delay. The initial output delay is the
> +        amount of time prior to servicing the output queue after queueing the
> +        first packet on said queue.
>
> I'm guessing this is in milliseconds, but the documentation here does not say.

It's microseconds actually, thanks for noticing this. Drop timer is the same.

> +xfrm_iptfs_rewin - UNSIGNED INTEGER
> +        The default IPTFS reorder window size. The reorder window size dictates
> +        the maximum number of IPTFS tunnel packets in a sequence that may arrive
> +        out of order.
> +
> +        Default 3.
>
> Why three?
> Is there some experimental reason to pick three?

B/c I had no idea what the right value was (guesses but no data), and so I asked the TCP guys at IETF and that's what the TCP guys told me they used. :)

> It seems that maybe the reorder window size could have been a per-SA attribute.

All of these are per-SA values. These sysctl variables adjust the defaults assigned to an SA when the user does not specify a value.

> I read through the rest of the patches, and they seem great, but I didn't
> read with a lot of comprehension.  I found the explanatory comments and
> diagrams very well done!

Thanks, :)
Chris.

Patch

diff --git a/Documentation/networking/xfrm_sysctl.rst b/Documentation/networking/xfrm_sysctl.rst
index 47b9bbdd0179..365220e4a072 100644
--- a/Documentation/networking/xfrm_sysctl.rst
+++ b/Documentation/networking/xfrm_sysctl.rst
@@ -9,3 +9,32 @@  XFRM Syscall
 
 xfrm_acq_expires - INTEGER
 	default 30 - hard timeout in seconds for acquire requests
+
+xfrm_iptfs_maxqsize - UNSIGNED INTEGER
+        The default IPTFS max output queue size. The output queue is where
+        received packets destined for output over an IPTFS tunnel are stored
+        prior to being output in aggregated/fragmented form over the IPTFS
+        tunnel.
+
+        Default 1M.
+
+xfrm_iptfs_drptime - UNSIGNED INTEGER
+        The default IPTFS drop time. The drop time is the amount of time before
+        a missing out-of-order IPTFS tunnel packet is considered lost. See also
+        the reorder window.
+
+        Default 1s (1000000).
+
+xfrm_iptfs_idelay - UNSIGNED INTEGER
+        The default IPTFS initial output delay. The initial output delay is the
+        amount of time prior to servicing the output queue after queueing the
+        first packet on said queue.
+
+        Default 0.
+
+xfrm_iptfs_rewin - UNSIGNED INTEGER
+        The default IPTFS reorder window size. The reorder window size dictates
+        the maximum number of IPTFS tunnel packets in a sequence that may arrive
+        out of order.
+
+        Default 3.
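Review bot: The xfrm_iptfs_drptime and xfrm_iptfs_idelay entries never state their time unit, and xfrm_iptfs_maxqsize does not say what "1M" counts. "Default 1s (1000000)" implies microseconds, which matches the _USECS suffix on the defaults in include/net/xfrm.h, so say it in the text of both entries, for example "The default IPTFS drop time in microseconds", and state whether the queue size is in bytes or packets. The new entries are also indented with spaces where the existing xfrm_acq_expires entry uses a tab.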
diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
index bd7c3be4af5d..d5ad2155d0bb 100644
--- a/include/net/netns/xfrm.h
+++ b/include/net/netns/xfrm.h
@@ -65,6 +65,12 @@  struct netns_xfrm {
 	u32			sysctl_aevent_rseqth;
 	int			sysctl_larval_drop;
 	u32			sysctl_acq_expires;
+#if IS_ENABLED(CONFIG_XFRM_IPTFS)
+	u32			sysctl_iptfs_drptime;
+	u32			sysctl_iptfs_idelay;
+	u32			sysctl_iptfs_maxqsize;
+	u32			sysctl_iptfs_rewin;
+#endif
 
 	u8			policy_default[XFRM_POLICY_MAX];
 
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index c9bb0f892f55..d2e87344d175 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -2190,4 +2190,11 @@  static inline int register_xfrm_interface_bpf(void)
 
 #endif
 
+#if IS_ENABLED(CONFIG_XFRM_IPTFS)
+#define XFRM_IPTFS_DEFAULT_MAX_QUEUE_SIZE (1024 * 1024)
+#define XFRM_IPTFS_DEFAULT_INIT_DELAY_USECS (0)
+#define XFRM_IPTFS_DEFAULT_DROP_TIME_USECS (1000000)
+#define XFRM_IPTFS_DEFAULT_REORDER_WINDOW (3)
+#endif
+
 #endif	/* _NET_XFRM_H */
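Review bot: XFRM_IPTFS_DEFAULT_MAX_QUEUE_SIZE and XFRM_IPTFS_DEFAULT_REORDER_WINDOW carry no unit in their names, unlike the two _USECS defaults next to them. A one-line comment on each define saying what is counted (bytes or packets for the queue, packets for the window) would let a reader check the sysctl documentation against the code. The parentheses around the single literals (0), (1000000) and (3) are not needed.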
diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c
index 7fdeafc838a7..bf8e73a6c38e 100644
--- a/net/xfrm/xfrm_sysctl.c
+++ b/net/xfrm/xfrm_sysctl.c
@@ -10,6 +10,12 @@  static void __net_init __xfrm_sysctl_init(struct net *net)
 	net->xfrm.sysctl_aevent_rseqth = XFRM_AE_SEQT_SIZE;
 	net->xfrm.sysctl_larval_drop = 1;
 	net->xfrm.sysctl_acq_expires = 30;
+#if IS_ENABLED(CONFIG_XFRM_IPTFS)
+	net->xfrm.sysctl_iptfs_maxqsize = XFRM_IPTFS_DEFAULT_MAX_QUEUE_SIZE;
+	net->xfrm.sysctl_iptfs_drptime = XFRM_IPTFS_DEFAULT_DROP_TIME_USECS;
+	net->xfrm.sysctl_iptfs_idelay = XFRM_IPTFS_DEFAULT_INIT_DELAY_USECS;
+	net->xfrm.sysctl_iptfs_rewin = XFRM_IPTFS_DEFAULT_REORDER_WINDOW;
+#endif
 }
 
 #ifdef CONFIG_SYSCTL
@@ -38,6 +44,32 @@  static struct ctl_table xfrm_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec
 	},
+#if IS_ENABLED(CONFIG_XFRM_IPTFS)
+	{
+		.procname	= "xfrm_iptfs_drptime",
+		.maxlen		= sizeof(uint),
+		.mode		= 0644,
+		.proc_handler	= proc_douintvec
+	},
+	{
+		.procname	= "xfrm_iptfs_idelay",
+		.maxlen		= sizeof(uint),
+		.mode		= 0644,
+		.proc_handler	= proc_douintvec
+	},
+	{
+		.procname	= "xfrm_iptfs_maxqsize",
+		.maxlen		= sizeof(uint),
+		.mode		= 0644,
+		.proc_handler	= proc_douintvec
+	},
+	{
+		.procname	= "xfrm_iptfs_rewin",
+		.maxlen		= sizeof(uint),
+		.mode		= 0644,
+		.proc_handler	= proc_douintvec
+	},
+#endif
 	{}
 };
 
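Review bot: All four new entries use proc_douintvec with no bounds, so any u32 written to these 0644 files becomes the default for SAs created afterwards, including a reorder window or queue size of 0 or 4294967295. If the IPTFS code has sane limits for these values, enforce them here with proc_douintvec_minmax and .extra1/.extra2 rather than relying on each consumer to clamp. Separately, .maxlen = sizeof(uint) does not match the u32 fields added to struct netns_xfrm; sizeof(u32) keeps the table entry and its storage type visibly in sync.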
@@ -55,6 +87,12 @@  int __net_init xfrm_sysctl_init(struct net *net)
 	table[1].data = &net->xfrm.sysctl_aevent_rseqth;
 	table[2].data = &net->xfrm.sysctl_larval_drop;
 	table[3].data = &net->xfrm.sysctl_acq_expires;
+#if IS_ENABLED(CONFIG_XFRM_IPTFS)
+	table[4].data = &net->xfrm.sysctl_iptfs_drptime;
+	table[5].data = &net->xfrm.sysctl_iptfs_idelay;
+	table[6].data = &net->xfrm.sysctl_iptfs_maxqsize;
+	table[7].data = &net->xfrm.sysctl_iptfs_rewin;
+#endif
 
 	/* Don't export sysctls to unprivileged users */
 	if (net->user_ns != &init_user_ns) {
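Review bot: The table[4] through table[7] assignments depend on the position of the IPTFS entries in xfrm_table, and the entries and these assignments sit in two separate #if IS_ENABLED(CONFIG_XFRM_IPTFS) blocks. An entry later added ahead of the IPTFS block, or a reordering inside it, would silently bind a procname to the wrong field with no build error. Consider a comment on both blocks stating that the order must match, or indexing through named constants instead of bare numbers.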