Re: [dpdk-dev] [PATCH v1 3/5] ipsec: add SAD add/delete/lookup implementation

["Medvedkin, Vladimir" <vladimir.medvedkin@intel.com>]

Hi Konstantin,

On 12/09/2019 18:58, Ananyev, Konstantin wrote:
> Hi Vladimir,
>
>> Replace rte_ipsec_sad_add(), rte_ipsec_sad_del() and
>> rte_ipsec_sad_lookup() stubs with actual implementation.
>>
>> It uses three librte_hash tables each of which contains
>> an entries for a specific SA type (either it is addressed by SPI only
>> or SPI+DIP or SPI+DIP+SIP)
>>
>> Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
>> ---
>>   lib/librte_ipsec/ipsec_sad.c | 245 ++++++++++++++++++++++++++++++++++++++++---
>>   1 file changed, 233 insertions(+), 12 deletions(-)
>>
>> diff --git a/lib/librte_ipsec/ipsec_sad.c b/lib/librte_ipsec/ipsec_sad.c
>> index 7797628..4bf2206 100644
>> --- a/lib/librte_ipsec/ipsec_sad.c
>> +++ b/lib/librte_ipsec/ipsec_sad.c
>> @@ -13,6 +13,13 @@
>>
>>   #include "rte_ipsec_sad.h"
>>
>> +/*
>> + * Rules are stored in three hash tables depending on key_type.
>> + * Each rule will also be stored in SPI_ONLY table.
>> + * for each data entry within this table last two bits are reserved to
>> + * indicate presence of entries with the same SPI in DIP and DIP+SIP tables.
>> + */
>> +
>>   #define IPSEC_SAD_NAMESIZE	64
>>   #define SAD_PREFIX		"SAD_"
>>   /* "SAD_<name>" */
>> @@ -37,20 +44,158 @@ static struct rte_tailq_elem rte_ipsec_sad_tailq = {
>>   };
>>   EAL_REGISTER_TAILQ(rte_ipsec_sad_tailq)
>>
>> +#define SET_BIT(ptr, bit)	(void *)((uintptr_t)(ptr) | (uintptr_t)(bit))
>> +#define CLEAR_BIT(ptr, bit)	(void *)((uintptr_t)(ptr) & ~(uintptr_t)(bit))
>> +#define GET_BIT(ptr, bit)	(void *)((uintptr_t)(ptr) & (uintptr_t)(bit))
>> +
>> +/*
>> + * @internal helper function
>> + * Add a rule of type SPI_DIP or SPI_DIP_SIP.
>> + * Inserts a rule into an appropriate hash table,
>> + * updates the value for a given SPI in SPI_ONLY hash table
>> + * reflecting presence of more specific rule type in two LSBs.
>> + * Updates a counter that reflects the number of rules whith the same SPI.
>> + */
>> +static inline int
>> +add_specific(struct rte_ipsec_sad *sad, void *key,
>> +		int key_type, void *sa)
>> +{
>> +	void *tmp_val;
>> +	int ret, notexist;
>> +
>> +	ret = rte_hash_lookup(sad->hash[key_type], key);
>> +	notexist = (ret == -ENOENT);
>> +	ret = rte_hash_add_key_data(sad->hash[key_type], key, sa);
>> +	if (ret != 0)
>> +		return ret;
>> +	ret = rte_hash_lookup_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
>> +		key, &tmp_val);
>> +	if (ret < 0)
>> +		tmp_val = NULL;
>> +	tmp_val = SET_BIT(tmp_val, key_type);
>> +	ret = rte_hash_add_key_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
>> +		key, tmp_val);
>> +	if (ret != 0)
>> +		return ret;
>> +	ret = rte_hash_lookup(sad->hash[RTE_IPSEC_SAD_SPI_ONLY], key);
>> +	if (key_type == RTE_IPSEC_SAD_SPI_DIP)
>> +		sad->cnt_arr[ret].cnt_2 += notexist;
>> +	else
>> +		sad->cnt_arr[ret].cnt_3 += notexist;
>> +
>> +	return 0;
>> +}
>> +
>>   int
>> -rte_ipsec_sad_add(__rte_unused struct rte_ipsec_sad *sad,
>> -		__rte_unused union rte_ipsec_sad_key *key,
>> -		__rte_unused int key_type, __rte_unused void *sa)
>> +rte_ipsec_sad_add(struct rte_ipsec_sad *sad, union rte_ipsec_sad_key *key,
>> +		int key_type, void *sa)
>> +{
>> +	void *tmp_val;
>> +	int ret;
>> +
>> +	if ((sad == NULL) || (key == NULL) || (sa == NULL) ||
>> +			/* sa must be 4 byte aligned */
>> +			(GET_BIT(sa, RTE_IPSEC_SAD_KEY_TYPE_MASK) != 0))
>> +		return -EINVAL;
>> +
>> +	/*
>> +	 * Rules are stored in three hash tables depending on key_type.
>> +	 * All rules will also have an entry in SPI_ONLY table, with entry
>> +	 * value's two LSB's also indicating presence of rule with this SPI
>> +	 * in other tables.
>> +	 */
>> +	switch (key_type) {
>> +	case(RTE_IPSEC_SAD_SPI_ONLY):
>> +		ret = rte_hash_lookup_data(sad->hash[key_type],
>> +			key, &tmp_val);
>> +		if (ret >= 0)
>> +			tmp_val = SET_BIT(sa, GET_BIT(tmp_val,
>> +				RTE_IPSEC_SAD_KEY_TYPE_MASK));
>> +		else
>> +			tmp_val = sa;
>> +		ret = rte_hash_add_key_data(sad->hash[key_type],
>> +			key, tmp_val);
>> +		return ret;
>> +	case(RTE_IPSEC_SAD_SPI_DIP):
>> +	case(RTE_IPSEC_SAD_SPI_DIP_SIP):
>> +		return add_specific(sad, key, key_type, sa);
>> +	default:
>> +		return -EINVAL;
>> +	}
>> +}
>> +
>> +/*
>> + * @internal helper function
>> + * Delete a rule of type SPI_DIP or SPI_DIP_SIP.
>> + * Deletes an entry from an appropriate hash table and decrements
>> + * an entry counter for given SPI.
>> + * If entry to remove is the last one with given SPI within the table,
>> + * then it will also update related entry in SPI_ONLY table.
>> + * Removes an entry from SPI_ONLY hash table if there no rule left
>> + * for this SPI in any table.
>> + */
>> +static inline int
>> +del_specific(struct rte_ipsec_sad *sad, void *key, int key_type)
>>   {
> const void *key
> ?
>
>> -	return -ENOTSUP;
>> +	void *tmp_val;
>> +	int ret;
>> +	uint32_t *cnt;
> Few extra comments inside that function and add_specific() wouldn't hurt.
>
>> +
>> +	ret = rte_hash_del_key(sad->hash[key_type], key);
>> +	if (ret < 0)
>> +		return ret;
>> +	ret = rte_hash_lookup_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
>> +		key, &tmp_val);
>> +	if (ret < 0)
>> +		return ret;
>> +	cnt = (key_type == RTE_IPSEC_SAD_SPI_DIP) ? &sad->cnt_arr[ret].cnt_2 :
>> +			&sad->cnt_arr[ret].cnt_3;
>> +	if (--(*cnt) != 0)
>> +		return 0;
>> +
>> +	tmp_val = CLEAR_BIT(tmp_val, key_type);
>> +	if (tmp_val == NULL)
>> +		ret = rte_hash_del_key(sad->hash[RTE_IPSEC_SAD_SPI_ONLY], key);
>> +	else
>> +		ret = rte_hash_add_key_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
>> +			key, tmp_val);
>> +	if (ret < 0)
>> +		return ret;
>> +	return 0;
>>   }
>>
>>   int
>> -rte_ipsec_sad_del(__rte_unused struct rte_ipsec_sad *sad,
>> -		__rte_unused union rte_ipsec_sad_key *key,
>> -		__rte_unused int key_type)
>> +rte_ipsec_sad_del(struct rte_ipsec_sad *sad, union rte_ipsec_sad_key *key,
> const union rte_ipsec_sad_key *key
> ?
>
>> +		int key_type)
>>   {
>> -	return -ENOTSUP;
>> +	void *tmp_val;
>> +	int ret;
>> +
>> +	if ((sad == NULL) || (key == NULL))
>> +		return -EINVAL;
>> +	switch (key_type) {
>> +	case(RTE_IPSEC_SAD_SPI_ONLY):
>> +		ret = rte_hash_lookup_data(sad->hash[key_type],
>> +			key, &tmp_val);
>> +		if (ret < 0)
>> +			return ret;
>> +		if (GET_BIT(tmp_val, RTE_IPSEC_SAD_KEY_TYPE_MASK) == 0) {
>> +			RTE_ASSERT((cnt_2 == 0) && (cnt_3 == 0));
>> +			ret = rte_hash_del_key(sad->hash[key_type],
>> +				key);
> I think something like:
> ret = ret < 0 ? ret : 0;
> is needed here.
>
>> +		} else {
>> +			tmp_val = GET_BIT(tmp_val,
>> +				RTE_IPSEC_SAD_KEY_TYPE_MASK);
>> +			ret = rte_hash_add_key_data(sad->hash[key_type],
>> +				key, tmp_val);
>> +		}
>> +		return ret;
>> +	case(RTE_IPSEC_SAD_SPI_DIP):
>> +	case(RTE_IPSEC_SAD_SPI_DIP_SIP):
>> +		return del_specific(sad, key, key_type);
>> +	default:
>> +		return -EINVAL;
>> +	}
>>   }
>>
>>   struct rte_ipsec_sad *
>> @@ -248,10 +393,86 @@ rte_ipsec_sad_free(struct rte_ipsec_sad *sad)
>>   		rte_free(te);
>>   }
>>
> Pls add a comment for that one and other internal function.
> Even if you do remember what exactly it does now, you won't a year later :)
>
>> +static int
>> +__ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
>> +		const union rte_ipsec_sad_key *keys[], uint32_t n, void *sa[])
>> +{
>> +	const void *keys_2[RTE_HASH_LOOKUP_BULK_MAX];
>> +	const void *keys_3[RTE_HASH_LOOKUP_BULK_MAX];
>> +	void *vals_2[RTE_HASH_LOOKUP_BULK_MAX] = {NULL};
>> +	void *vals_3[RTE_HASH_LOOKUP_BULK_MAX] = {NULL};
>> +	uint32_t idx_2[RTE_HASH_LOOKUP_BULK_MAX];
>> +	uint32_t idx_3[RTE_HASH_LOOKUP_BULK_MAX];
>> +	uint64_t mask_1, mask_2, mask_3;
>> +	uint64_t map, map_spec;
>> +	uint32_t n_2 = 0;
>> +	uint32_t n_3 = 0;
>> +	uint32_t i;
>> +	int n_pkts = 0;
> s/n_pkts/found/
> ?
>
>> +
>> +	for (i = 0; i < n; i++)
>> +		sa[i] = NULL;
>> +
>> +	/*
>> +	 * Lookup keys in SPI only hash table first.
>> +	 */
>> +	rte_hash_lookup_bulk_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
>> +		(const void **)keys, n, &mask_1, sa);
>> +	for (map = mask_1; map; map &= (map - 1)) {
>> +		i = rte_bsf64(map);
>> +		/*
>> +		 * if returned value indicates presence of a rule in other
>> +		 * tables save a key for further lookup.
>> +		 */
>> +		if ((uintptr_t)sa[i] & RTE_IPSEC_SAD_SPI_DIP_SIP) {
>> +			idx_3[n_3] = i;
>> +			keys_3[n_3++] = keys[i];
>> +		}
>> +		if ((uintptr_t)sa[i] & RTE_IPSEC_SAD_SPI_DIP) {
>> +			idx_2[n_2] = i;
>> +			keys_2[n_2++] = keys[i];
>> +		}
>> +		sa[i] = CLEAR_BIT(sa[i], RTE_IPSEC_SAD_KEY_TYPE_MASK);
>> +	}
> Just as a thought - instead of setting all sa[] to NULL first, and then
> going though only found in the loop above, wouldn't it be a bit faster -
> after lookup bulk go through all sa[] and set them depending on mask value?
> Then first(zero sa[] loop) can be removed.

It turns out that this would be slower if there are keys that cause 
lookup miss.

>
>> +
>> +	if (n_2 != 0) {
>> +		rte_hash_lookup_bulk_data(sad->hash[RTE_IPSEC_SAD_SPI_DIP],
>> +			keys_2, n_2, &mask_2, vals_2);
>> +		for (map_spec = mask_2; map_spec; map_spec &= (map_spec - 1)) {
>> +			i = rte_bsf64(map_spec);
>> +			sa[idx_2[i]] = vals_2[i];
>> +		}
>> +	}
>> +	if (n_3 != 0) {
>> +		rte_hash_lookup_bulk_data(sad->hash[RTE_IPSEC_SAD_SPI_DIP_SIP],
>> +			keys_3, n_3, &mask_3, vals_3);
>> +		for (map_spec = mask_3; map_spec; map_spec &= (map_spec - 1)) {
>> +			i = rte_bsf64(map_spec);
>> +			sa[idx_3[i]] = vals_3[i];
>> +		}
>> +	}
>> +	for (i = 0; i < n; i++)
>> +		n_pkts += (sa[i] != NULL);
>> +
>> +	return n_pkts;
>> +}
>> +
>>   int
>> -rte_ipsec_sad_lookup(__rte_unused const struct rte_ipsec_sad *sad,
>> -		__rte_unused const union rte_ipsec_sad_key *keys[],
>> -		__rte_unused uint32_t n, __rte_unused void *sa[])
>> +rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
>> +		const union rte_ipsec_sad_key *keys[], uint32_t n, void *sa[])
> Better to follow usual parameter convention and move 'n' after pointers, i.e.:
>
> int rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad, const union rte_ipsec_sad_key *keys[], void *sa[], uint32_t n)
>
> Or provably even better:
> int rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad, const union rte_ipsec_sad_key *keys[], const void *sa[], uint32_t n)
>
>
>>   {
>> -	return -ENOTSUP;
>> +	uint32_t num, i = 0;
>> +	int n_pkts = 0;
>> +
>> +	if (unlikely((sad == NULL) || (keys == NULL) || (sa == NULL)))
>> +		return -EINVAL;
>> +
>> +	do {
>> +		num = RTE_MIN(n - i, (uint32_t)RTE_HASH_LOOKUP_BULK_MAX);
>> +		n_pkts += __ipsec_sad_lookup(sad,
>> +			&keys[i], num, &sa[i]);
>> +		i += num;
>> +	} while (i != n);
>> +
>> +	return n_pkts;
>>   }
>> --
>> 2.7.4

-- 
Regards,
Vladimir