author | Ricardo Salveti <ricardo.salveti@linaro.org> | 2016-07-18 15:30:53 -0300 |
---|---|---|
committer | Ricardo Salveti <ricardo.salveti@linaro.org> | 2016-07-18 15:31:22 -0300 |
commit | 5d4e5dcd8a186778b3d78e27c81550d07a288fd2 (patch) | |
tree | b84800fce31e7233445a7997c19df409c2a364ea /examples/ipsec-secgw/ipsec-secgw.c | |
parent | a41e6ff15809d40e0f9bbc9576bf8f7f80fbec1d (diff) |
Imported Upstream version 16.07-rc3
Change-Id: I321148bfa234858ba1986d109470b7aa280cd429
Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
Diffstat (limited to 'examples/ipsec-secgw/ipsec-secgw.c')
-rw-r--r-- | examples/ipsec-secgw/ipsec-secgw.c | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index f78743d0..1ca144b8 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -384,7 +384,8 @@ send_single_packet(struct rte_mbuf *m, uint8_t port)
 }

 static inline void
-inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip)
+inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip,
+ uint16_t lim)
 {
 struct rte_mbuf *m;
 uint32_t i, j, res, sa_idx;
@@ -399,15 +400,15 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip)
 for (i = 0; i < ip->num; i++) {
 m = ip->pkts[i];
 res = ip->res[i];
- if (res & DISCARD) {
- rte_pktmbuf_free(m);
- continue;
- }
 if (res & BYPASS) {
 ip->pkts[j++] = m;
 continue;
 }
- /* Check return SA SPI matches pkt SPI */
+ if (res & DISCARD || i < lim) {
+ rte_pktmbuf_free(m);
+ continue;
+ }
+ /* Only check SPI match for processed IPSec packets */
 sa_idx = ip->res[i] & PROTECT_MASK;
 if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) {
 rte_pktmbuf_free(m);
@@ -423,11 +424,14 @@ process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
 struct ipsec_traffic *traffic)
 {
 struct rte_mbuf *m;
- uint16_t idx, nb_pkts_in, i;
+ uint16_t idx, nb_pkts_in, i, n_ip4, n_ip6;

 nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec.pkts,
 traffic->ipsec.num, MAX_PKT_BURST);

+ n_ip4 = traffic->ip4.num;
+ n_ip6 = traffic->ip6.num;
+
 /* SP/ACL Inbound check ipsec and ip4 */
 for (i = 0; i < nb_pkts_in; i++) {
 m = traffic->ipsec.pkts[i];
@@ -447,9 +451,11 @@ process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
 rte_pktmbuf_free(m);
 }

- inbound_sp_sa(ipsec_ctx->sp4_ctx, ipsec_ctx->sa_ctx, &traffic->ip4);
+ inbound_sp_sa(ipsec_ctx->sp4_ctx, ipsec_ctx->sa_ctx, &traffic->ip4,
+ n_ip4);

- inbound_sp_sa(ipsec_ctx->sp6_ctx, ipsec_ctx->sa_ctx, &traffic->ip6);
+ inbound_sp_sa(ipsec_ctx->sp6_ctx, ipsec_ctx->sa_ctx, &traffic->ip6,
+ n_ip6);
 }

 static inline void
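Review bot: `lim` is added to the inbound_sp_sa() signature without any comment, yet the drop decision in the loop depends on it being exactly the number of leading entries in `ip->pkts` that were queued before IPsec processing added its output. The caller takes that snapshot in the `@@ -423,11 +424,14 @@` hunk (`n_ip4 = traffic->ip4.num;`, `n_ip6 = traffic->ip6.num;`) after ipsec_inbound() and before the SP/ACL loop, whose body lies outside the hunk, so the append order is inferred rather than visible here. A comment above the function such as `/* lim: count of leading ip->pkts entries that arrived without IPsec; any of these not marked BYPASS is dropped */`, and one at the snapshot, `/* remember how many plain packets precede the decrypted ones */`, would make the invariant explicit for anyone who later reorders this code.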
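Review bot: The combined test `if (res & DISCARD || i < lim)` in the `@@ -399,15 +400,15 @@` hunk folds two unrelated drop reasons into one unparenthesised condition; it parses as intended, but `if ((res & DISCARD) || i < lim)` reads unambiguously. A short comment should also say that entries below `lim` are presumably the packets that did not come through IPsec processing and therefore must not fall through to the PROTECT path. Moving the BYPASS test ahead of DISCARD also means a result carrying both flags would now be forwarded where it was previously freed; that is harmless only if the two flags are mutually exclusive, which the hunk does not show. The loop and the function body continue outside the hunk.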