X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=examples%2Fipsec-secgw%2Fsp4.c;h=3871c6cc10e20b7d4862bd193aab3b80284e1c41;hb=bd711af366273ddcb78d4a877feac578b7040e81;hp=d1dc64baded9683db4a0cc42f6f8e8e45b4554c4;hpb=5a032a71c6d3b061ce7ca78ac51df7e67747c0b8;p=dpdk.git
diff --git a/examples/ipsec-secgw/sp4.c b/examples/ipsec-secgw/sp4.c
index d1dc64bade..3871c6cc10 100644
--- a/examples/ipsec-secgw/sp4.c
+++ b/examples/ipsec-secgw/sp4.c
@@ -17,6 +17,18 @@
 
 #define MAX_ACL_RULE_NUM 1024
 
+#define IPV4_DST_FROM_SP(acr) \
+		(rte_cpu_to_be_32((acr).field[DST_FIELD_IPV4].value.u32))
+
+#define IPV4_SRC_FROM_SP(acr) \
+		(rte_cpu_to_be_32((acr).field[SRC_FIELD_IPV4].value.u32))
+
+#define IPV4_DST_MASK_FROM_SP(acr) \
+		((acr).field[DST_FIELD_IPV4].mask_range.u32)
+
+#define IPV4_SRC_MASK_FROM_SP(acr) \
+		((acr).field[SRC_FIELD_IPV4].mask_range.u32)
+
 /*
  * Rule and trace formats definitions.
  */
@@ -99,6 +111,7 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens,
 
 	uint32_t *ri = NULL; /* rule index */
 	uint32_t ti = 0; /* token index */
+	uint32_t tv;
 
 	uint32_t esp_p = 0;
 	uint32_t protect_p = 0;
@@ -169,8 +182,12 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens,
 			if (status->status < 0)
 				return;
 
-			rule_ipv4->data.userdata =
-				PROTECT(atoi(tokens[ti]));
+			tv = atoi(tokens[ti]);
+			APP_CHECK(tv != DISCARD && tv != BYPASS, status,
+				"invalid SPI: %s", tokens[ti]);
+			if (status->status < 0)
+				return;
+			rule_ipv4->data.userdata = tv;
 
 			protect_p = 1;
 			continue;
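Review bot: The new `tv = atoi(tokens[ti]);` line cannot report a parse failure, so a non-numeric SPI token becomes 0 and an out-of-range one silently wraps when stored in the uint32_t; both values pass the DISCARD/BYPASS check and are only caught later, if at all, by the SAD lookup with a misleading "not present in SAD" message. Since this is configuration parsing of an untrusted-looking string, parse with strtoul and reject an empty match, trailing garbage and overflow before the sentinel check; errno and UINT32_MAX presumably need <errno.h> and <stdint.h>, which I cannot see from this hunk. parse_sp4_tokens starts and ends outside the hunk.
```c
			char *end = NULL;
			unsigned long v;

			errno = 0;
			v = strtoul(tokens[ti], &end, 10);
			APP_CHECK(end != tokens[ti] && *end == '\0' && errno == 0 &&
				v <= UINT32_MAX, status, "invalid SPI: %s", tokens[ti]);
			if (status->status < 0)
				return;
			tv = (uint32_t)v;
			APP_CHECK(tv != DISCARD && tv != BYPASS, status,
				"invalid SPI: %s", tokens[ti]);
			/* … unchanged: status check, userdata assignment, protect_p = 1 … */
```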
@@ -472,6 +489,36 @@ acl4_init(const char *name, int32_t socketid, const struct acl4_rules *rules,
 	return ctx;
 }
 
+/*
+ * check that for each rule it's SPI has a correspondent entry in SAD
+ */
+static int
+check_spi_value(int inbound)
+{
+	uint32_t i, num, spi;
+	const struct acl4_rules *acr;
+
+	if (inbound != 0) {
+		acr = acl4_rules_in;
+		num = nb_acl4_rules_in;
+	} else {
+		acr = acl4_rules_out;
+		num = nb_acl4_rules_out;
+	}
+
+	for (i = 0; i != num; i++) {
+		spi = acr[i].data.userdata;
+		if (spi != DISCARD && spi != BYPASS &&
+				sa_spi_present(spi, inbound) < 0) {
+			RTE_LOG(ERR, IPSEC, "SPI %u is not present in SAD\n",
+				spi);
+			return -ENOENT;
+		}
+	}
+
+	return 0;
+}
+
 void
 sp4_init(struct socket_ctx *ctx, int32_t socket_id)
 {
@@ -488,6 +535,14 @@ sp4_init(struct socket_ctx *ctx, int32_t socket_id)
 		rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
 				"initialized\n", socket_id);
 
+	if (check_spi_value(1) < 0)
+		rte_exit(EXIT_FAILURE,
+			"Inbound IPv4 SP DB has unmatched in SAD SPIs\n");
+
+	if (check_spi_value(0) < 0)
+		rte_exit(EXIT_FAILURE,
+			"Outbound IPv4 SP DB has unmatched in SAD SPIs\n");
+
 	if (nb_acl4_rules_in > 0) {
 		name = "sp_ip4_in";
 		ctx->sp_ip4_in = (struct sp_ctx *)acl4_init(name,
@@ -509,7 +564,8 @@ sp4_init(struct socket_ctx *ctx, int32_t socket_id)
  * Search though SP rules for given SPI.
  */
 int
-sp4_spi_present(uint32_t spi, int inbound)
+sp4_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
+		uint32_t mask[2])
 {
 	uint32_t i, num;
 	const struct acl4_rules *acr;
@@ -523,8 +579,15 @@ sp4_spi_present(uint32_t spi, int inbound)
 	}
 
 	for (i = 0; i != num; i++) {
-		if (acr[i].data.userdata == PROTECT(spi))
+		if (acr[i].data.userdata == spi) {
+			if (NULL != ip_addr && NULL != mask) {
+				ip_addr[0].ip.ip4 = IPV4_SRC_FROM_SP(acr[i]);
+				ip_addr[1].ip.ip4 = IPV4_DST_FROM_SP(acr[i]);
+				mask[0] = IPV4_SRC_MASK_FROM_SP(acr[i]);
+				mask[1] = IPV4_DST_MASK_FROM_SP(acr[i]);
+			}
 			return i;
+		}
 	}
 
 	return -ENOENT;
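Review bot: The header comment on check_spi_value is ungrammatical (`it's SPI has a correspondent entry`) and does not state what the function returns or that DISCARD/BYPASS rules are skipped; I would replace it with `/* Verify that every inbound (inbound != 0) or outbound SP rule whose action is a real SPI (not DISCARD/BYPASS) has a matching SA in the SAD. Returns 0, or -ENOENT after logging the first unmatched SPI. */`. The RTE_LOG line inside the loop reports only the SPI value; since the rte_exit callers in sp4_init only add the direction, logging the rule index as well, e.g. `"SP rule %u (%s): SPI %u is not present in SAD\n", i, inbound ? "in" : "out", spi`, would let an operator find the offending policy line directly. Also, the loop stops at the first bad rule, so a configuration with several dangling SPIs needs several restart cycles to surface them all; logging all of them and returning the error at the end would be cheap.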
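Review bot: sp4_spi_present now returns on the first rule whose userdata equals `spi`, so when several SP rules reference the same SPI only the first rule's source/destination addresses and masks are copied into the out-parameters; a caller that uses them to validate an SA's address range against policy silently checks just that one rule. If that is the intended contract, the function comment (`Search though SP rules for given SPI.` — also "through") should say so and document the new parameters, e.g. `ip_addr[0]/mask[0] receive the first matching rule's src address (network order) and mask, ip_addr[1]/mask[1] its dst; pass NULL for both to skip the copy`. Note that only the both-NULL case is special-cased by `NULL != ip_addr && NULL != mask`, so passing one NULL pointer silently returns the index without filling the other array, which the comment should also state. The value copied from `mask_range.u32` on an ACL IPv4 field is presumably a prefix length rather than a bitmask — worth stating in the comment so callers do not apply it as a netmask (TODO confirm against the field definition, which is outside this hunk).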