From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 46F78A04F6; Wed, 11 Dec 2019 17:14:17 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id EBFEB1BF6E; Wed, 11 Dec 2019 17:13:55 +0100 (CET) Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by dpdk.org (Postfix) with ESMTP id 947F81B994 for ; Wed, 11 Dec 2019 17:13:52 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Dec 2019 08:13:52 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,301,1571727600"; d="scan'208";a="210813806" Received: from silpixa00400072.ir.intel.com ([10.237.222.213]) by fmsmga008.fm.intel.com with ESMTP; 11 Dec 2019 08:13:51 -0800 From: Vladimir Medvedkin To: dev@dpdk.org Cc: konstantin.ananyev@intel.com, akhil.goyal@nxp.com Date: Wed, 11 Dec 2019 16:13:45 +0000 Message-Id: <4c45de61634b8b9d533f09175e70efdfc6c9b647.1576080741.git.vladimir.medvedkin@intel.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <4697977e04cf3622d1752e171956709a3eff6e10.1576080741.git.vladimir.medvedkin@intel.com> References: <4697977e04cf3622d1752e171956709a3eff6e10.1576080741.git.vladimir.medvedkin@intel.com> In-Reply-To: <4697977e04cf3622d1752e171956709a3eff6e10.1576080741.git.vladimir.medvedkin@intel.com> References: <4697977e04cf3622d1752e171956709a3eff6e10.1576080741.git.vladimir.medvedkin@intel.com> Subject: [dpdk-dev] [PATCH 4/4] examples/ipsec-secgw: get rid of maximum sa limitation X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Parse config file and save SA's into linked list instead of flat array with predefined size. Signed-off-by: Vladimir Medvedkin --- examples/ipsec-secgw/sa.c | 78 +++++++++++++++++++++++++++++------------------ 1 file changed, 48 insertions(+), 30 deletions(-) diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 8cc7b17..32919fe 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "ipsec.h" #include "esp.h" @@ -133,11 +134,17 @@ const struct supported_aead_algo aead_algos[] = { } }; -static struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; +struct ipsec_sa_mgmt { + STAILQ_ENTRY(ipsec_sa_mgmt) next; + struct ipsec_sa sa; +}; +STAILQ_HEAD(sa_head, ipsec_sa_mgmt); + +static struct sa_head sa_out_head = STAILQ_HEAD_INITIALIZER(sa_out_head); static uint32_t nb_sa_out; static struct ipsec_sa_cnt sa_out_cnt; -static struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES]; +static struct sa_head sa_in_head = STAILQ_HEAD_INITIALIZER(sa_in_head); static uint32_t nb_sa_in; static struct ipsec_sa_cnt sa_in_cnt; @@ -228,6 +235,8 @@ void parse_sa_tokens(char **tokens, uint32_t n_tokens, struct parse_status *status) { + struct ipsec_sa_mgmt *sa_mgmt; + struct sa_head *head; struct ipsec_sa *rule = NULL; struct rte_ipsec_session *ips; uint32_t ti; /*token index*/ @@ -243,27 +252,21 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, uint32_t portid_p = 0; uint32_t fallback_p = 0; + sa_mgmt = calloc(1, sizeof(struct ipsec_sa_mgmt)); + if (sa_mgmt == NULL) + return; + + rule = &sa_mgmt->sa; + if (strcmp(tokens[0], "in") == 0) { ri = &nb_sa_in; sa_cnt = &sa_in_cnt; - - APP_CHECK(*ri <= IPSEC_SA_MAX_ENTRIES - 1, status, - "too many sa rules, abort insertion\n"); - if (status->status < 0) - return; - - rule = &sa_in[*ri]; + head = &sa_in_head; rule->direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS; } else { ri = &nb_sa_out; sa_cnt = &sa_out_cnt; - - APP_CHECK(*ri <= IPSEC_SA_MAX_ENTRIES - 1, status, - "too many sa rules, abort insertion\n"); - if (status->status < 0) - return; - - rule = &sa_out[*ri]; + head = &sa_out_head; rule->direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS; } @@ -687,6 +690,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, rule->portid = -1; } + STAILQ_INSERT_TAIL(head, sa_mgmt, next); *ri = *ri + 1; } @@ -956,12 +960,13 @@ sa_add_address_inline_crypto(struct ipsec_sa *sa) } static int -sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], +sa_add_rules(struct sa_ctx *sa_ctx, struct sa_head *entries, uint32_t nb_entries, uint32_t inbound, struct socket_ctx *skt_ctx) { + struct ipsec_sa_mgmt *sa_mgmt; struct ipsec_sa *sa; - uint32_t i, idx; + uint32_t idx; uint16_t iv_length, aad_length; int inline_status; int32_t rc; @@ -970,15 +975,18 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], /* for ESN upper 32 bits of SQN also need to be part of AAD */ aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0; - for (i = 0; i < nb_entries; i++) { - idx = i; + sa_mgmt = STAILQ_FIRST(entries); + for (idx = 0; idx < nb_entries; idx++) { + if (sa_mgmt == NULL) + rte_exit(EXIT_FAILURE, "SA mgmt queue is broken\n"); + sa = &sa_ctx->sa[idx]; if (sa->spi != 0) { printf("Index %u already in use by SPI %u\n", idx, sa->spi); return -EINVAL; } - *sa = entries[i]; + *sa = sa_mgmt->sa; if (inbound) { rc = ipsec_sad_add(&sa_ctx->sad, sa); @@ -1114,20 +1122,29 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], print_one_sa_rule(sa, inbound); } + sa_mgmt = STAILQ_NEXT(sa_mgmt, next); } + for (sa_mgmt = STAILQ_FIRST(entries); sa_mgmt != NULL; + sa_mgmt = STAILQ_FIRST(entries)) { + STAILQ_REMOVE_HEAD(entries, next); + free(sa_mgmt); + } + + STAILQ_INIT(entries); + return 0; } static inline int -sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], +sa_out_add_rules(struct sa_ctx *sa_ctx, struct sa_head *entries, uint32_t nb_entries, struct socket_ctx *skt_ctx) { return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx); } static inline int -sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], +sa_in_add_rules(struct sa_ctx *sa_ctx, struct sa_head *entries, uint32_t nb_entries, struct socket_ctx *skt_ctx) { return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx); @@ -1363,7 +1380,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) if (rc != 0) rte_exit(EXIT_FAILURE, "failed to init SAD\n"); - sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx); + sa_in_add_rules(ctx->sa_in, &sa_in_head, nb_sa_in, ctx); if (app_sa_prm.enable != 0) { rc = ipsec_satbl_init(ctx->sa_in, nb_sa_in, @@ -1383,7 +1400,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) "context %s in socket %d\n", rte_errno, name, socket_id); - sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx); + sa_out_add_rules(ctx->sa_out, &sa_out_head, nb_sa_out, ctx); if (app_sa_prm.enable != 0) { rc = ipsec_satbl_init(ctx->sa_out, nb_sa_out, @@ -1451,21 +1468,22 @@ outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], /* * Select HW offloads to be used. + * Called before sa_init, so working with mgmt queue */ int sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads, uint64_t *tx_offloads) { + struct ipsec_sa_mgmt *sa_mgmt; struct ipsec_sa *rule; - uint32_t idx_sa; enum rte_security_session_action_type rule_type; *rx_offloads = 0; *tx_offloads = 0; /* Check for inbound rules that use offloads and use this port */ - for (idx_sa = 0; idx_sa < nb_sa_in; idx_sa++) { - rule = &sa_in[idx_sa]; + STAILQ_FOREACH(sa_mgmt, &sa_in_head, next) { + rule = &sa_mgmt->sa; rule_type = ipsec_get_action_type(rule); if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || rule_type == @@ -1475,8 +1493,8 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads, } /* Check for outbound rules that use offloads and use this port */ - for (idx_sa = 0; idx_sa < nb_sa_out; idx_sa++) { - rule = &sa_out[idx_sa]; + STAILQ_FOREACH(sa_mgmt, &sa_out_head, next) { + rule = &sa_mgmt->sa; rule_type = ipsec_get_action_type(rule); if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || rule_type == -- 2.7.4