1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2019 Intel Corporation
7 #include <rte_eal_memconfig.h>
10 #include <rte_hash_crc.h>
11 #include <rte_malloc.h>
12 #include <rte_random.h>
13 #include <rte_rwlock.h>
14 #include <rte_tailq.h>
16 #include "rte_ipsec_sad.h"
19 * Rules are stored in three hash tables depending on key_type.
20 * Each rule will also be stored in SPI_ONLY table.
21 * for each data entry within this table last two bits are reserved to
22 * indicate presence of entries with the same SPI in DIP and DIP+SIP tables.
25 #define SAD_PREFIX "SAD_"
27 #define SAD_FORMAT SAD_PREFIX "%s"
29 #define DEFAULT_HASH_FUNC rte_hash_crc
30 #define MIN_HASH_ENTRIES 8U /* From rte_cuckoo_hash.h */
37 struct rte_ipsec_sad {
38 char name[RTE_IPSEC_SAD_NAMESIZE];
39 struct rte_hash *hash[RTE_IPSEC_SAD_KEY_TYPE_MASK];
40 uint32_t keysize[RTE_IPSEC_SAD_KEY_TYPE_MASK];
42 /* Array to track number of more specific rules
43 * (spi_dip or spi_dip_sip). Used only in add/delete
46 __extension__ struct hash_cnt cnt_arr[];
49 TAILQ_HEAD(rte_ipsec_sad_list, rte_tailq_entry);
50 static struct rte_tailq_elem rte_ipsec_sad_tailq = {
51 .name = "RTE_IPSEC_SAD",
53 EAL_REGISTER_TAILQ(rte_ipsec_sad_tailq)
55 #define SET_BIT(ptr, bit) (void *)((uintptr_t)(ptr) | (uintptr_t)(bit))
56 #define CLEAR_BIT(ptr, bit) (void *)((uintptr_t)(ptr) & ~(uintptr_t)(bit))
57 #define GET_BIT(ptr, bit) (void *)((uintptr_t)(ptr) & (uintptr_t)(bit))
60 * @internal helper function
61 * Add a rule of type SPI_DIP or SPI_DIP_SIP.
62 * Inserts a rule into an appropriate hash table,
63 * updates the value for a given SPI in SPI_ONLY hash table
64 * reflecting presence of more specific rule type in two LSBs.
65 * Updates a counter that reflects the number of rules whith the same SPI.
68 add_specific(struct rte_ipsec_sad *sad, const void *key,
69 int key_type, void *sa)
74 /* Check if the key is present in the table.
75 * Need for further accaunting in cnt_arr
77 ret = rte_hash_lookup_with_hash(sad->hash[key_type], key,
78 rte_hash_crc(key, sad->keysize[key_type], sad->init_val));
79 notexist = (ret == -ENOENT);
81 /* Add an SA to the corresponding table.*/
82 ret = rte_hash_add_key_with_hash_data(sad->hash[key_type], key,
83 rte_hash_crc(key, sad->keysize[key_type], sad->init_val), sa);
87 /* Check if there is an entry in SPI only table with the same SPI */
88 ret = rte_hash_lookup_with_hash_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
89 key, rte_hash_crc(key, sad->keysize[RTE_IPSEC_SAD_SPI_ONLY],
90 sad->init_val), &tmp_val);
93 tmp_val = SET_BIT(tmp_val, key_type);
95 /* Add an entry into SPI only table */
96 ret = rte_hash_add_key_with_hash_data(
97 sad->hash[RTE_IPSEC_SAD_SPI_ONLY], key,
98 rte_hash_crc(key, sad->keysize[RTE_IPSEC_SAD_SPI_ONLY],
99 sad->init_val), tmp_val);
103 /* Update a counter for a given SPI */
104 ret = rte_hash_lookup_with_hash(sad->hash[RTE_IPSEC_SAD_SPI_ONLY], key,
105 rte_hash_crc(key, sad->keysize[RTE_IPSEC_SAD_SPI_ONLY],
109 if (key_type == RTE_IPSEC_SAD_SPI_DIP)
110 sad->cnt_arr[ret].cnt_dip += notexist;
112 sad->cnt_arr[ret].cnt_dip_sip += notexist;
118 rte_ipsec_sad_add(struct rte_ipsec_sad *sad,
119 const union rte_ipsec_sad_key *key,
120 int key_type, void *sa)
125 if ((sad == NULL) || (key == NULL) || (sa == NULL) ||
126 /* sa must be 4 byte aligned */
127 (GET_BIT(sa, RTE_IPSEC_SAD_KEY_TYPE_MASK) != 0))
131 * Rules are stored in three hash tables depending on key_type.
132 * All rules will also have an entry in SPI_ONLY table, with entry
133 * value's two LSB's also indicating presence of rule with this SPI
137 case(RTE_IPSEC_SAD_SPI_ONLY):
138 ret = rte_hash_lookup_with_hash_data(sad->hash[key_type],
139 key, rte_hash_crc(key, sad->keysize[key_type],
140 sad->init_val), &tmp_val);
142 tmp_val = SET_BIT(sa, GET_BIT(tmp_val,
143 RTE_IPSEC_SAD_KEY_TYPE_MASK));
146 ret = rte_hash_add_key_with_hash_data(sad->hash[key_type],
147 key, rte_hash_crc(key, sad->keysize[key_type],
148 sad->init_val), tmp_val);
150 case(RTE_IPSEC_SAD_SPI_DIP):
151 case(RTE_IPSEC_SAD_SPI_DIP_SIP):
152 return add_specific(sad, key, key_type, sa);
159 * @internal helper function
160 * Delete a rule of type SPI_DIP or SPI_DIP_SIP.
161 * Deletes an entry from an appropriate hash table and decrements
162 * an entry counter for given SPI.
163 * If entry to remove is the last one with given SPI within the table,
164 * then it will also update related entry in SPI_ONLY table.
165 * Removes an entry from SPI_ONLY hash table if there no rule left
166 * for this SPI in any table.
169 del_specific(struct rte_ipsec_sad *sad, const void *key, int key_type)
175 /* Remove an SA from the corresponding table.*/
176 ret = rte_hash_del_key_with_hash(sad->hash[key_type], key,
177 rte_hash_crc(key, sad->keysize[key_type], sad->init_val));
181 /* Get an index of cnt_arr entry for a given SPI */
182 ret = rte_hash_lookup_with_hash_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
183 key, rte_hash_crc(key, sad->keysize[RTE_IPSEC_SAD_SPI_ONLY],
184 sad->init_val), &tmp_val);
187 cnt = (key_type == RTE_IPSEC_SAD_SPI_DIP) ?
188 &sad->cnt_arr[ret].cnt_dip :
189 &sad->cnt_arr[ret].cnt_dip_sip;
193 /* corresponding counter is 0, clear the bit indicating
194 * the presence of more specific rule for a given SPI.
196 tmp_val = CLEAR_BIT(tmp_val, key_type);
198 /* if there are no rules left with same SPI,
199 * remove an entry from SPI_only table
202 ret = rte_hash_del_key_with_hash(
203 sad->hash[RTE_IPSEC_SAD_SPI_ONLY], key,
204 rte_hash_crc(key, sad->keysize[RTE_IPSEC_SAD_SPI_ONLY],
207 ret = rte_hash_add_key_with_hash_data(
208 sad->hash[RTE_IPSEC_SAD_SPI_ONLY], key,
209 rte_hash_crc(key, sad->keysize[RTE_IPSEC_SAD_SPI_ONLY],
210 sad->init_val), tmp_val);
217 rte_ipsec_sad_del(struct rte_ipsec_sad *sad,
218 const union rte_ipsec_sad_key *key,
224 if ((sad == NULL) || (key == NULL))
227 case(RTE_IPSEC_SAD_SPI_ONLY):
228 ret = rte_hash_lookup_with_hash_data(sad->hash[key_type],
229 key, rte_hash_crc(key, sad->keysize[key_type],
230 sad->init_val), &tmp_val);
233 if (GET_BIT(tmp_val, RTE_IPSEC_SAD_KEY_TYPE_MASK) == 0) {
234 ret = rte_hash_del_key_with_hash(sad->hash[key_type],
235 key, rte_hash_crc(key, sad->keysize[key_type],
237 ret = ret < 0 ? ret : 0;
239 tmp_val = GET_BIT(tmp_val,
240 RTE_IPSEC_SAD_KEY_TYPE_MASK);
241 ret = rte_hash_add_key_with_hash_data(
242 sad->hash[key_type], key,
243 rte_hash_crc(key, sad->keysize[key_type],
244 sad->init_val), tmp_val);
247 case(RTE_IPSEC_SAD_SPI_DIP):
248 case(RTE_IPSEC_SAD_SPI_DIP_SIP):
249 return del_specific(sad, key, key_type);
255 struct rte_ipsec_sad *
256 rte_ipsec_sad_create(const char *name, const struct rte_ipsec_sad_conf *conf)
258 char hash_name[RTE_HASH_NAMESIZE];
259 char sad_name[RTE_IPSEC_SAD_NAMESIZE];
260 struct rte_tailq_entry *te;
261 struct rte_ipsec_sad_list *sad_list;
262 struct rte_ipsec_sad *sad, *tmp_sad = NULL;
263 struct rte_hash_parameters hash_params = {0};
267 RTE_BUILD_BUG_ON(RTE_IPSEC_SAD_KEY_TYPE_MASK != 3);
269 if ((name == NULL) || (conf == NULL) ||
270 ((conf->max_sa[RTE_IPSEC_SAD_SPI_ONLY] == 0) &&
271 (conf->max_sa[RTE_IPSEC_SAD_SPI_DIP] == 0) &&
272 (conf->max_sa[RTE_IPSEC_SAD_SPI_DIP_SIP] == 0))) {
277 ret = snprintf(sad_name, RTE_IPSEC_SAD_NAMESIZE, SAD_FORMAT, name);
278 if (ret < 0 || ret >= RTE_IPSEC_SAD_NAMESIZE) {
279 rte_errno = ENAMETOOLONG;
284 sa_sum = RTE_MAX(MIN_HASH_ENTRIES,
285 conf->max_sa[RTE_IPSEC_SAD_SPI_ONLY]) +
286 RTE_MAX(MIN_HASH_ENTRIES,
287 conf->max_sa[RTE_IPSEC_SAD_SPI_DIP]) +
288 RTE_MAX(MIN_HASH_ENTRIES,
289 conf->max_sa[RTE_IPSEC_SAD_SPI_DIP_SIP]);
290 sad = rte_zmalloc_socket(NULL, sizeof(*sad) +
291 (sizeof(struct hash_cnt) * sa_sum),
292 RTE_CACHE_LINE_SIZE, conf->socket_id);
297 memcpy(sad->name, sad_name, sizeof(sad_name));
299 hash_params.hash_func = DEFAULT_HASH_FUNC;
300 hash_params.hash_func_init_val = rte_rand();
301 sad->init_val = hash_params.hash_func_init_val;
302 hash_params.socket_id = conf->socket_id;
303 hash_params.name = hash_name;
304 if (conf->flags & RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY)
305 hash_params.extra_flag = RTE_HASH_EXTRA_FLAGS_RW_CONCURRENCY;
307 /** Init hash[RTE_IPSEC_SAD_SPI_ONLY] for SPI only */
308 snprintf(hash_name, sizeof(hash_name), "sad_1_%p", sad);
309 hash_params.key_len = sizeof(((struct rte_ipsec_sadv4_key *)0)->spi);
310 sad->keysize[RTE_IPSEC_SAD_SPI_ONLY] = hash_params.key_len;
311 hash_params.entries = sa_sum;
312 sad->hash[RTE_IPSEC_SAD_SPI_ONLY] = rte_hash_create(&hash_params);
313 if (sad->hash[RTE_IPSEC_SAD_SPI_ONLY] == NULL) {
314 rte_ipsec_sad_destroy(sad);
318 /** Init hash[RTE_IPSEC_SAD_SPI_DIP] for SPI + DIP */
319 snprintf(hash_name, sizeof(hash_name), "sad_2_%p", sad);
320 if (conf->flags & RTE_IPSEC_SAD_FLAG_IPV6)
321 hash_params.key_len +=
322 sizeof(((struct rte_ipsec_sadv6_key *)0)->dip);
324 hash_params.key_len +=
325 sizeof(((struct rte_ipsec_sadv4_key *)0)->dip);
326 sad->keysize[RTE_IPSEC_SAD_SPI_DIP] = hash_params.key_len;
327 hash_params.entries = RTE_MAX(MIN_HASH_ENTRIES,
328 conf->max_sa[RTE_IPSEC_SAD_SPI_DIP]);
329 sad->hash[RTE_IPSEC_SAD_SPI_DIP] = rte_hash_create(&hash_params);
330 if (sad->hash[RTE_IPSEC_SAD_SPI_DIP] == NULL) {
331 rte_ipsec_sad_destroy(sad);
335 /** Init hash[[RTE_IPSEC_SAD_SPI_DIP_SIP] for SPI + DIP + SIP */
336 snprintf(hash_name, sizeof(hash_name), "sad_3_%p", sad);
337 if (conf->flags & RTE_IPSEC_SAD_FLAG_IPV6)
338 hash_params.key_len +=
339 sizeof(((struct rte_ipsec_sadv6_key *)0)->sip);
341 hash_params.key_len +=
342 sizeof(((struct rte_ipsec_sadv4_key *)0)->sip);
343 sad->keysize[RTE_IPSEC_SAD_SPI_DIP_SIP] = hash_params.key_len;
344 hash_params.entries = RTE_MAX(MIN_HASH_ENTRIES,
345 conf->max_sa[RTE_IPSEC_SAD_SPI_DIP_SIP]);
346 sad->hash[RTE_IPSEC_SAD_SPI_DIP_SIP] = rte_hash_create(&hash_params);
347 if (sad->hash[RTE_IPSEC_SAD_SPI_DIP_SIP] == NULL) {
348 rte_ipsec_sad_destroy(sad);
352 sad_list = RTE_TAILQ_CAST(rte_ipsec_sad_tailq.head,
354 rte_mcfg_tailq_write_lock();
355 /* guarantee there's no existing */
356 TAILQ_FOREACH(te, sad_list, next) {
357 tmp_sad = (struct rte_ipsec_sad *)te->data;
358 if (strncmp(sad_name, tmp_sad->name,
359 RTE_IPSEC_SAD_NAMESIZE) == 0)
363 rte_mcfg_tailq_write_unlock();
365 rte_ipsec_sad_destroy(sad);
369 /* allocate tailq entry */
370 te = rte_zmalloc("IPSEC_SAD_TAILQ_ENTRY", sizeof(*te), 0);
372 rte_mcfg_tailq_write_unlock();
374 rte_ipsec_sad_destroy(sad);
378 te->data = (void *)sad;
379 TAILQ_INSERT_TAIL(sad_list, te, next);
380 rte_mcfg_tailq_write_unlock();
384 struct rte_ipsec_sad *
385 rte_ipsec_sad_find_existing(const char *name)
387 char sad_name[RTE_IPSEC_SAD_NAMESIZE];
388 struct rte_ipsec_sad *sad = NULL;
389 struct rte_tailq_entry *te;
390 struct rte_ipsec_sad_list *sad_list;
393 ret = snprintf(sad_name, RTE_IPSEC_SAD_NAMESIZE, SAD_FORMAT, name);
394 if (ret < 0 || ret >= RTE_IPSEC_SAD_NAMESIZE) {
395 rte_errno = ENAMETOOLONG;
399 sad_list = RTE_TAILQ_CAST(rte_ipsec_sad_tailq.head,
402 rte_mcfg_tailq_read_lock();
403 TAILQ_FOREACH(te, sad_list, next) {
404 sad = (struct rte_ipsec_sad *) te->data;
405 if (strncmp(sad_name, sad->name, RTE_IPSEC_SAD_NAMESIZE) == 0)
408 rte_mcfg_tailq_read_unlock();
419 rte_ipsec_sad_destroy(struct rte_ipsec_sad *sad)
421 struct rte_tailq_entry *te;
422 struct rte_ipsec_sad_list *sad_list;
427 sad_list = RTE_TAILQ_CAST(rte_ipsec_sad_tailq.head,
429 rte_mcfg_tailq_write_lock();
430 TAILQ_FOREACH(te, sad_list, next) {
431 if (te->data == (void *)sad)
435 TAILQ_REMOVE(sad_list, te, next);
437 rte_mcfg_tailq_write_unlock();
439 rte_hash_free(sad->hash[RTE_IPSEC_SAD_SPI_ONLY]);
440 rte_hash_free(sad->hash[RTE_IPSEC_SAD_SPI_DIP]);
441 rte_hash_free(sad->hash[RTE_IPSEC_SAD_SPI_DIP_SIP]);
448 * @internal helper function
449 * Lookup a batch of keys in three hash tables.
450 * First lookup key in SPI_ONLY table.
451 * If there is an entry for the corresponding SPI check its value.
452 * Two least significant bits of the value indicate
453 * the presence of more specific rule in other tables.
454 * Perform additional lookup in corresponding hash tables
455 * and update the value if lookup succeeded.
458 __ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
459 const union rte_ipsec_sad_key *keys[], void *sa[], uint32_t n)
461 const void *keys_2[RTE_HASH_LOOKUP_BULK_MAX];
462 const void *keys_3[RTE_HASH_LOOKUP_BULK_MAX];
463 void *vals_2[RTE_HASH_LOOKUP_BULK_MAX] = {NULL};
464 void *vals_3[RTE_HASH_LOOKUP_BULK_MAX] = {NULL};
465 uint32_t idx_2[RTE_HASH_LOOKUP_BULK_MAX];
466 uint32_t idx_3[RTE_HASH_LOOKUP_BULK_MAX];
467 uint64_t mask_1, mask_2, mask_3;
468 uint64_t map, map_spec;
473 hash_sig_t hash_sig[RTE_HASH_LOOKUP_BULK_MAX];
474 hash_sig_t hash_sig_2[RTE_HASH_LOOKUP_BULK_MAX];
475 hash_sig_t hash_sig_3[RTE_HASH_LOOKUP_BULK_MAX];
477 for (i = 0; i < n; i++) {
479 hash_sig[i] = rte_hash_crc_4byte(keys[i]->v4.spi,
484 * Lookup keys in SPI only hash table first.
486 rte_hash_lookup_with_hash_bulk_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
487 (const void **)keys, hash_sig, n, &mask_1, sa);
488 for (map = mask_1; map; map &= (map - 1)) {
491 * if returned value indicates presence of a rule in other
492 * tables save a key for further lookup.
494 if ((uintptr_t)sa[i] & RTE_IPSEC_SAD_SPI_DIP_SIP) {
496 hash_sig_3[n_3] = rte_hash_crc(keys[i],
497 sad->keysize[RTE_IPSEC_SAD_SPI_DIP_SIP],
499 keys_3[n_3++] = keys[i];
501 if ((uintptr_t)sa[i] & RTE_IPSEC_SAD_SPI_DIP) {
503 hash_sig_2[n_2] = rte_hash_crc(keys[i],
504 sad->keysize[RTE_IPSEC_SAD_SPI_DIP],
506 keys_2[n_2++] = keys[i];
508 /* clear 2 LSB's which indicate the presence
509 * of more specific rules
511 sa[i] = CLEAR_BIT(sa[i], RTE_IPSEC_SAD_KEY_TYPE_MASK);
514 /* Lookup for more specific rules in SPI_DIP table */
516 rte_hash_lookup_with_hash_bulk_data(
517 sad->hash[RTE_IPSEC_SAD_SPI_DIP],
518 keys_2, hash_sig_2, n_2, &mask_2, vals_2);
519 for (map_spec = mask_2; map_spec; map_spec &= (map_spec - 1)) {
520 i = rte_bsf64(map_spec);
521 sa[idx_2[i]] = vals_2[i];
524 /* Lookup for more specific rules in SPI_DIP_SIP table */
526 rte_hash_lookup_with_hash_bulk_data(
527 sad->hash[RTE_IPSEC_SAD_SPI_DIP_SIP],
528 keys_3, hash_sig_3, n_3, &mask_3, vals_3);
529 for (map_spec = mask_3; map_spec; map_spec &= (map_spec - 1)) {
530 i = rte_bsf64(map_spec);
531 sa[idx_3[i]] = vals_3[i];
535 for (i = 0; i < n; i++)
536 found += (sa[i] != NULL);
542 rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
543 const union rte_ipsec_sad_key *keys[], void *sa[], uint32_t n)
548 if (unlikely((sad == NULL) || (keys == NULL) || (sa == NULL)))
552 num = RTE_MIN(n - i, (uint32_t)RTE_HASH_LOOKUP_BULK_MAX);
553 found += __ipsec_sad_lookup(sad,
554 &keys[i], &sa[i], num);
git.droids-corp.org / dpdk.git / blob