X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=examples%2Fipsec-secgw%2Fsp6.c;h=328e0852882e5c78ea5a93ca6205d021b04ad2d3;hb=41515403f1841c7444c648c21dc355c6fe258709;hp=6002afef3094c19075456be8d1adcfa461f91202;hpb=3998e2a07220844d3f3c17f76a781ced3efe0de0;p=dpdk.git diff --git a/examples/ipsec-secgw/sp6.c b/examples/ipsec-secgw/sp6.c index 6002afef30..328e085288 100644 --- a/examples/ipsec-secgw/sp6.c +++ b/examples/ipsec-secgw/sp6.c @@ -15,7 +15,37 @@ #include "ipsec.h" #include "parser.h" -#define MAX_ACL_RULE_NUM 1024 +#define INIT_ACL_RULE_NUM 128 + +#define IPV6_FROM_SP(acr, fidx_low, fidx_high) \ + (((uint64_t)(acr).field[(fidx_high)].value.u32 << 32) | \ + (acr).field[(fidx_low)].value.u32) + +#define IPV6_DST_FROM_SP(addr, acr) do {\ + (addr).ip.ip6.ip6[0] = rte_cpu_to_be_64(IPV6_FROM_SP((acr), \ + IP6_DST1, IP6_DST0));\ + (addr).ip.ip6.ip6[1] = rte_cpu_to_be_64(IPV6_FROM_SP((acr), \ + IP6_DST3, IP6_DST2));\ + } while (0) + +#define IPV6_SRC_FROM_SP(addr, acr) do {\ + (addr).ip.ip6.ip6[0] = rte_cpu_to_be_64(IPV6_FROM_SP((acr), \ + IP6_SRC1, IP6_SRC0));\ + (addr).ip.ip6.ip6[1] = rte_cpu_to_be_64(IPV6_FROM_SP((acr), \ + IP6_SRC3, IP6_SRC2));\ + } while (0) + +#define IPV6_DST_MASK_FROM_SP(mask, acr) \ + ((mask) = (acr).field[IP6_DST0].mask_range.u32 + \ + (acr).field[IP6_DST1].mask_range.u32 + \ + (acr).field[IP6_DST2].mask_range.u32 + \ + (acr).field[IP6_DST3].mask_range.u32) + +#define IPV6_SRC_MASK_FROM_SP(mask, acr) \ + ((mask) = (acr).field[IP6_SRC0].mask_range.u32 + \ + (acr).field[IP6_SRC1].mask_range.u32 + \ + (acr).field[IP6_SRC2].mask_range.u32 + \ + (acr).field[IP6_SRC3].mask_range.u32) enum { IP6_PROTO, @@ -34,7 +64,7 @@ enum { #define IP6_ADDR_SIZE 16 -struct rte_acl_field_def ip6_defs[IP6_NUM] = { +static struct rte_acl_field_def ip6_defs[IP6_NUM] = { { .type = RTE_ACL_FIELD_TYPE_BITMASK, .size = sizeof(uint8_t), @@ -116,11 +146,38 @@ struct rte_acl_field_def ip6_defs[IP6_NUM] = { RTE_ACL_RULE_DEF(acl6_rules, RTE_DIM(ip6_defs)); -struct acl6_rules acl6_rules_out[MAX_ACL_RULE_NUM]; -uint32_t nb_acl6_rules_out; +static struct acl6_rules *acl6_rules_out; +static uint32_t nb_acl6_rules_out; +static uint32_t sp_out_sz; -struct acl6_rules acl6_rules_in[MAX_ACL_RULE_NUM]; -uint32_t nb_acl6_rules_in; +static struct acl6_rules *acl6_rules_in; +static uint32_t nb_acl6_rules_in; +static uint32_t sp_in_sz; + +static int +extend_sp_arr(struct acl6_rules **sp_tbl, uint32_t cur_cnt, uint32_t *cur_sz) +{ + if (*sp_tbl == NULL) { + *sp_tbl = calloc(INIT_ACL_RULE_NUM, sizeof(struct acl6_rules)); + if (*sp_tbl == NULL) + return -1; + *cur_sz = INIT_ACL_RULE_NUM; + return 0; + } + + if (cur_cnt >= *cur_sz) { + *sp_tbl = realloc(*sp_tbl, + *cur_sz * sizeof(struct acl6_rules) * 2); + if (*sp_tbl == NULL) + return -1; + /* clean reallocated extra space */ + memset(&(*sp_tbl)[*cur_sz], 0, + *cur_sz * sizeof(struct acl6_rules)); + *cur_sz *= 2; + } + + return 0; +} void parse_sp6_tokens(char **tokens, uint32_t n_tokens, @@ -130,6 +187,7 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri = NULL; /* rule index */ uint32_t ti = 0; /* token index */ + uint32_t tv; uint32_t esp_p = 0; uint32_t protect_p = 0; @@ -145,9 +203,8 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, if (strcmp(tokens[1], "in") == 0) { ri = &nb_acl6_rules_in; - APP_CHECK(*ri <= MAX_ACL_RULE_NUM - 1, status, "too " - "many sp rules, abort insertion\n"); - if (status->status < 0) + if (extend_sp_arr(&acl6_rules_in, nb_acl6_rules_in, + &sp_in_sz) < 0) return; rule_ipv6 = &acl6_rules_in[*ri]; @@ -155,9 +212,8 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, } else if (strcmp(tokens[1], "out") == 0) { ri = &nb_acl6_rules_out; - APP_CHECK(*ri <= MAX_ACL_RULE_NUM - 1, status, "too " - "many sp rules, abort insertion\n"); - if (status->status < 0) + if (extend_sp_arr(&acl6_rules_out, nb_acl6_rules_out, + &sp_out_sz) < 0) return; rule_ipv6 = &acl6_rules_out[*ri]; @@ -202,8 +258,12 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - rule_ipv6->data.userdata = - PROTECT(atoi(tokens[ti])); + tv = atoi(tokens[ti]); + APP_CHECK(tv != DISCARD && tv != BYPASS, status, + "invalid SPI: %s", tokens[ti]); + if (status->status < 0) + return; + rule_ipv6->data.userdata = tv; protect_p = 1; continue; @@ -548,7 +608,7 @@ acl6_init(const char *name, int32_t socketid, const struct acl6_rules *rules, struct rte_acl_config acl_build_param; struct rte_acl_ctx *ctx; - printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM); + printf("Creating SP context with %u rules\n", rules_nb); memset(&acl_param, 0, sizeof(acl_param)); @@ -561,7 +621,7 @@ acl6_init(const char *name, int32_t socketid, const struct acl6_rules *rules, acl_param.name = s; acl_param.socket_id = socketid; acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ip6_defs)); - acl_param.max_rule_num = MAX_ACL_RULE_NUM; + acl_param.max_rule_num = rules_nb; ctx = rte_acl_create(&acl_param); if (ctx == NULL) @@ -586,6 +646,42 @@ acl6_init(const char *name, int32_t socketid, const struct acl6_rules *rules, return ctx; } +/* + * check that for each rule it's SPI has a correspondent entry in SAD + */ +static int +check_spi_value(struct sa_ctx *sa_ctx, int inbound) +{ + uint32_t i, num, spi; + int32_t spi_idx; + struct acl6_rules *acr; + + if (inbound != 0) { + acr = acl6_rules_in; + num = nb_acl6_rules_in; + } else { + acr = acl6_rules_out; + num = nb_acl6_rules_out; + } + + for (i = 0; i != num; i++) { + spi = acr[i].data.userdata; + if (spi != DISCARD && spi != BYPASS) { + spi_idx = sa_spi_present(sa_ctx, spi, inbound); + if (spi_idx < 0) { + RTE_LOG(ERR, IPSEC, + "SPI %u is not present in SAD\n", + spi); + return -ENOENT; + } + /* Update userdata with spi index */ + acr[i].data.userdata = spi_idx + 1; + } + } + + return 0; +} + void sp6_init(struct socket_ctx *ctx, int32_t socket_id) { @@ -602,6 +698,14 @@ sp6_init(struct socket_ctx *ctx, int32_t socket_id) rte_exit(EXIT_FAILURE, "Outbound IPv6 SP DB for socket %u " "already initialized\n", socket_id); + if (check_spi_value(ctx->sa_in, 1) < 0) + rte_exit(EXIT_FAILURE, + "Inbound IPv6 SP DB has unmatched in SAD SPIs\n"); + + if (check_spi_value(ctx->sa_out, 0) < 0) + rte_exit(EXIT_FAILURE, + "Outbound IPv6 SP DB has unmatched in SAD SPIs\n"); + if (nb_acl6_rules_in > 0) { name = "sp_ip6_in"; ctx->sp_ip6_in = (struct sp_ctx *)acl6_init(name, @@ -618,3 +722,57 @@ sp6_init(struct socket_ctx *ctx, int32_t socket_id) RTE_LOG(WARNING, IPSEC, "No IPv6 SP Outbound rule " "specified\n"); } + +static int +sp_cmp(const void *p, const void *q) +{ + uint32_t spi1 = ((const struct acl6_rules *)p)->data.userdata; + uint32_t spi2 = ((const struct acl6_rules *)q)->data.userdata; + + return (int)(spi1 - spi2); +} + +/* + * Search though SP rules for given SPI. + */ +int +sp6_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2], + uint32_t mask[2]) +{ + uint32_t num; + struct acl6_rules *rule; + const struct acl6_rules *acr; + struct acl6_rules tmpl; + + if (inbound != 0) { + acr = acl6_rules_in; + num = nb_acl6_rules_in; + } else { + acr = acl6_rules_out; + num = nb_acl6_rules_out; + } + + tmpl.data.userdata = spi; + + rule = bsearch(&tmpl, acr, num, sizeof(struct acl6_rules), sp_cmp); + if (rule != NULL) { + if (NULL != ip_addr && NULL != mask) { + IPV6_SRC_FROM_SP(ip_addr[0], *rule); + IPV6_DST_FROM_SP(ip_addr[1], *rule); + IPV6_SRC_MASK_FROM_SP(mask[0], *rule); + IPV6_DST_MASK_FROM_SP(mask[1], *rule); + } + return RTE_PTR_DIFF(rule, acr) / sizeof(struct acl6_rules); + } + + return -ENOENT; +} + +void +sp6_sort_arr(void) +{ + qsort(acl6_rules_in, nb_acl6_rules_in, sizeof(struct acl6_rules), + sp_cmp); + qsort(acl6_rules_out, nb_acl6_rules_out, sizeof(struct acl6_rules), + sp_cmp); +}