examples/ipsec-secgw: fix SPD no-match case
acl_classify() returns zero value when no matching rule was found.
Currently ipsec-secgw treats it as a valid SPI value, though it has
to discard such packets.
Error could be easily observed by sending outbound unmatched packets,
user will see something like that in the log:
IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0
To fix it we need to treat packets with zero result from acl_classify()
as invalid ones. Also we can change DISCARD and BYPASS values to
simplify checks and save some extra space for valid SPI values.
To summarize the approach:
1. have special SPI values for DISCARD and BYPASS.
2. store in SPD full SPI value.
3. after acl_classify(), first check SPI value for DISCARD and BYPASS,
then convert it in SA index.
4. add check at initilisation time that for each SPD rule there is a
corresponding SA entry (with the same SPI).
Also marked few global variables as *static*.
Fixes:
906257e965b7 ("examples/ipsec-secgw: support IPv6")
Fixes:
2a5106af132b ("examples/ipsec-secgw: fix corner case for SPI value")
Cc: stable@dpdk.org
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
git.droids-corp.org / dpdk.git / commit