X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=examples%2Fipsec-secgw%2Fsa.c;h=7262ccee83db1071a21fd9ce7435ebe6820efc60;hb=5908e7e837a62fe62c48094d8c2e947242f8fac3;hp=414fcd26cf60f6f56e25d0560d3fbd860a32081e;hpb=5a032a71c6d3b061ce7ca78ac51df7e67747c0b8;p=dpdk.git diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 414fcd26cf..7262ccee83 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -80,7 +80,7 @@ const struct supported_cipher_algo cipher_algos[] = { .keyword = "aes-128-ctr", .algo = RTE_CRYPTO_CIPHER_AES_CTR, .iv_len = 8, - .block_size = 16, /* XXX AESNI MB limition, should be 4 */ + .block_size = 4, .key_len = 20 }, { @@ -126,11 +126,11 @@ const struct supported_aead_algo aead_algos[] = { } }; -struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; -uint32_t nb_sa_out; +static struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; +static uint32_t nb_sa_out; -struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES]; -uint32_t nb_sa_in; +static struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES]; +static uint32_t nb_sa_in; static const struct supported_cipher_algo * find_match_cipher_algo(const char *cipher_keyword) @@ -631,7 +631,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, *ri = *ri + 1; } -static inline void +static void print_one_sa_rule(const struct ipsec_sa *sa, int inbound) { uint32_t i; @@ -688,7 +688,22 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) } break; case TRANSPORT: - printf("Transport"); + printf("Transport "); + break; + } + printf(" type:"); + switch (sa->type) { + case RTE_SECURITY_ACTION_TYPE_NONE: + printf("no-offload "); + break; + case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: + printf("inline-crypto-offload "); + break; + case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: + printf("inline-protocol-offload "); + break; + case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL: + printf("lookaside-protocol-offload "); break; } printf("\n"); @@ -716,8 +731,8 @@ sa_create(const char *name, int32_t socket_id) snprintf(s, sizeof(s), "%s_%u", name, socket_id); /* Create SA array table */ - printf("Creating SA context with %u maximum entries\n", - IPSEC_SA_MAX_ENTRIES); + printf("Creating SA context with %u maximum entries on socket %d\n", + IPSEC_SA_MAX_ENTRIES, socket_id); mz_size = sizeof(struct sa_ctx); mz = rte_memzone_reserve(s, mz_size, socket_id, @@ -936,7 +951,7 @@ get_spi_proto(uint32_t spi, enum rte_security_ipsec_sa_direction dir) if (rc6 >= 0) { RTE_LOG(ERR, IPSEC, "%s: SPI %u used simultaeously by " - "IPv4(%d) and IPv6 (%d) SP rules\n", + "RTE_IPV4(%d) and IPv6 (%d) SP rules\n", __func__, spi, rc4, rc6); return -EINVAL; } else @@ -952,7 +967,7 @@ get_spi_proto(uint32_t spi, enum rte_security_ipsec_sa_direction dir) static int fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss, - const struct ipv4_hdr *v4, struct ipv6_hdr *v6) + const struct rte_ipv4_hdr *v4, struct rte_ipv6_hdr *v6) { int32_t rc; @@ -1023,15 +1038,15 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size) { int rc; struct rte_ipsec_sa_prm prm; - struct ipv4_hdr v4 = { + struct rte_ipv4_hdr v4 = { .version_ihl = IPVERSION << 4 | - sizeof(v4) / IPV4_IHL_MULTIPLIER, + sizeof(v4) / RTE_IPV4_IHL_MULTIPLIER, .time_to_live = IPDEFTTL, .next_proto_id = IPPROTO_ESP, .src_addr = lsa->src.ip.ip4, .dst_addr = lsa->dst.ip.ip4, }; - struct ipv6_hdr v6 = { + struct rte_ipv6_hdr v6 = { .vtc_flow = htonl(IP6_VERSION << 28), .proto = IPPROTO_ESP, }; @@ -1101,6 +1116,31 @@ ipsec_satbl_init(struct sa_ctx *ctx, const struct ipsec_sa *ent, return rc; } +/* + * Walk through all SA rules to find an SA with given SPI + */ +int +sa_spi_present(uint32_t spi, int inbound) +{ + uint32_t i, num; + const struct ipsec_sa *sar; + + if (inbound != 0) { + sar = sa_in; + num = nb_sa_in; + } else { + sar = sa_out; + num = nb_sa_out; + } + + for (i = 0; i != num; i++) { + if (sar[i].spi == spi) + return i; + } + + return -ENOENT; +} + void sa_init(struct socket_ctx *ctx, int32_t socket_id) { @@ -1179,7 +1219,7 @@ static inline void single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt, struct ipsec_sa **sa_ret) { - struct esp_hdr *esp; + struct rte_esp_hdr *esp; struct ip *ip; uint32_t *src4_addr; uint8_t *src6_addr; @@ -1188,10 +1228,7 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt, *sa_ret = NULL; ip = rte_pktmbuf_mtod(pkt, struct ip *); - if (ip->ip_v == IPVERSION) - esp = (struct esp_hdr *)(ip + 1); - else - esp = (struct esp_hdr *)(((struct ip6_hdr *)ip) + 1); + esp = rte_pktmbuf_mtod_offset(pkt, struct rte_esp_hdr *, pkt->l3_len); if (esp->spi == INVALID_SPI) return;