diff options
author | Luca Boccassi <luca.boccassi@gmail.com> | 2018-08-14 18:52:30 +0100 |
---|---|---|
committer | Luca Boccassi <luca.boccassi@gmail.com> | 2018-08-14 18:53:17 +0100 |
commit | b63264c8342e6a1b6971c79550d2af2024b6a4de (patch) | |
tree | 83114aac64286fe616506c0b3dfaec2ab86ef835 /examples/ipsec-secgw | |
parent | ca33590b6af032bff57d9cc70455660466a654b2 (diff) |
New upstream version 18.08upstream/18.08
Change-Id: I32fdf5e5016556d9c0a6d88ddaf1fc468961790a
Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
Diffstat (limited to 'examples/ipsec-secgw')
-rw-r--r-- | examples/ipsec-secgw/ipsec-secgw.c | 248 | ||||
-rw-r--r-- | examples/ipsec-secgw/ipsec.c | 75 | ||||
-rw-r--r-- | examples/ipsec-secgw/ipsec.h | 5 | ||||
-rw-r--r-- | examples/ipsec-secgw/parser.c | 23 | ||||
-rw-r--r-- | examples/ipsec-secgw/sa.c | 2 |
5 files changed, 216 insertions, 137 deletions
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 3a8562ee..b45b87bd 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -40,6 +40,7 @@ #include <rte_hash.h> #include <rte_jhash.h> #include <rte_cryptodev.h> +#include <rte_security.h> #include "ipsec.h" #include "parser.h" @@ -58,10 +59,6 @@ #define CDEV_MP_CACHE_SZ 64 #define MAX_QUEUE_PAIRS 1 -#define OPTION_CONFIG "config" -#define OPTION_SINGLE_SA "single-sa" -#define OPTION_CRYPTODEV_MASK "cryptodev_mask" - #define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */ #define NB_SOCKETS 4 @@ -124,6 +121,29 @@ struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = { { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) } }; +#define CMD_LINE_OPT_CONFIG "config" +#define CMD_LINE_OPT_SINGLE_SA "single-sa" +#define CMD_LINE_OPT_CRYPTODEV_MASK "cryptodev_mask" + +enum { + /* long options mapped to a short option */ + + /* first long only option value must be >= 256, so that we won't + * conflict with short options + */ + CMD_LINE_OPT_MIN_NUM = 256, + CMD_LINE_OPT_CONFIG_NUM, + CMD_LINE_OPT_SINGLE_SA_NUM, + CMD_LINE_OPT_CRYPTODEV_MASK_NUM, +}; + +static const struct option lgopts[] = { + {CMD_LINE_OPT_CONFIG, 1, 0, CMD_LINE_OPT_CONFIG_NUM}, + {CMD_LINE_OPT_SINGLE_SA, 1, 0, CMD_LINE_OPT_SINGLE_SA_NUM}, + {CMD_LINE_OPT_CRYPTODEV_MASK, 1, 0, CMD_LINE_OPT_CRYPTODEV_MASK_NUM}, + {NULL, 0, 0, 0} +}; + /* mask of enabled ports */ static uint32_t enabled_port_mask; static uint64_t enabled_cryptodev_mask = UINT64_MAX; @@ -179,7 +199,6 @@ static struct rte_eth_conf port_conf = { .split_hdr_size = 0, .offloads = DEV_RX_OFFLOAD_CHECKSUM | DEV_RX_OFFLOAD_CRC_STRIP, - .ignore_offload_bitfield = 1, }, .rx_adv_conf = { .rss_conf = { @@ -311,6 +330,7 @@ prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port) pkt->l3_len = sizeof(struct ip); pkt->l2_len = ETHER_HDR_LEN; + ip->ip_sum = 0; ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4); } else { pkt->ol_flags |= PKT_TX_IPV6; @@ -490,11 +510,13 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip, sa_idx = ip->res[i] & PROTECT_MASK; if (ip->res[i] & DISCARD) rte_pktmbuf_free(m); + else if (ip->res[i] & BYPASS) + ip->pkts[j++] = m; else if (sa_idx < IPSEC_SA_MAX_ENTRIES) { ipsec->res[ipsec->num] = sa_idx; ipsec->pkts[ipsec->num++] = m; - } else /* BYPASS */ - ip->pkts[j++] = m; + } else /* invalid SA idx */ + rte_pktmbuf_free(m); } ip->num = j; } @@ -848,7 +870,7 @@ static int32_t check_params(void) { uint8_t lcore; - uint16_t portid, nb_ports; + uint16_t portid; uint16_t i; int32_t socket_id; @@ -857,8 +879,6 @@ check_params(void) return -1; } - nb_ports = rte_eth_dev_count(); - for (i = 0; i < nb_lcore_params; ++i) { lcore = lcore_params[i].lcore_id; if (!rte_lcore_is_enabled(lcore)) { @@ -877,7 +897,7 @@ check_params(void) printf("port %u is not enabled in port mask\n", portid); return -1; } - if (portid >= nb_ports) { + if (!rte_eth_dev_is_valid_port(portid)) { printf("port %u is not present on the board\n", portid); return -1; } @@ -926,20 +946,28 @@ init_lcore_rx_queues(void) static void print_usage(const char *prgname) { - printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK" - " --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]" - " --single-sa SAIDX -f CONFIG_FILE\n" - " -p PORTMASK: hexadecimal bitmask of ports to configure\n" - " -P : enable promiscuous mode\n" - " -u PORTMASK: hexadecimal bitmask of unprotected ports\n" - " -j FRAMESIZE: jumbo frame maximum size\n" - " --"OPTION_CONFIG": (port,queue,lcore): " - "rx queues configuration\n" - " --single-sa SAIDX: use single SA index for outbound, " - "bypassing the SP\n" - " --cryptodev_mask MASK: hexadecimal bitmask of the " - "crypto devices to configure\n" - " -f CONFIG_FILE: Configuration file path\n", + fprintf(stderr, "%s [EAL options] --" + " -p PORTMASK" + " [-P]" + " [-u PORTMASK]" + " [-j FRAMESIZE]" + " -f CONFIG_FILE" + " --config (port,queue,lcore)[,(port,queue,lcore)]" + " [--single-sa SAIDX]" + " [--cryptodev_mask MASK]" + "\n\n" + " -p PORTMASK: Hexadecimal bitmask of ports to configure\n" + " -P : Enable promiscuous mode\n" + " -u PORTMASK: Hexadecimal bitmask of unprotected ports\n" + " -j FRAMESIZE: Enable jumbo frame with 'FRAMESIZE' as maximum\n" + " packet size\n" + " -f CONFIG_FILE: Configuration file\n" + " --config (port,queue,lcore): Rx queue configuration\n" + " --single-sa SAIDX: Use single SA index for outbound traffic,\n" + " bypassing the SP\n" + " --cryptodev_mask MASK: Hexadecimal bitmask of the crypto\n" + " devices to configure\n" + "\n", prgname); } @@ -1029,42 +1057,6 @@ parse_config(const char *q_arg) return 0; } -#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt))) -static int32_t -parse_args_long_options(struct option *lgopts, int32_t option_index) -{ - int32_t ret = -1; - const char *optname = lgopts[option_index].name; - - if (__STRNCMP(optname, OPTION_CONFIG)) { - ret = parse_config(optarg); - if (ret) - printf("invalid config\n"); - } - - if (__STRNCMP(optname, OPTION_SINGLE_SA)) { - ret = parse_decimal(optarg); - if (ret != -1) { - single_sa = 1; - single_sa_idx = ret; - printf("Configured with single SA index %u\n", - single_sa_idx); - ret = 0; - } - } - - if (__STRNCMP(optname, OPTION_CRYPTODEV_MASK)) { - ret = parse_portmask(optarg); - if (ret != -1) { - enabled_cryptodev_mask = ret; - ret = 0; - } - } - - return ret; -} -#undef __STRNCMP - static int32_t parse_args(int32_t argc, char **argv) { @@ -1072,12 +1064,6 @@ parse_args(int32_t argc, char **argv) char **argvopt; int32_t option_index; char *prgname = argv[0]; - static struct option lgopts[] = { - {OPTION_CONFIG, 1, 0, 0}, - {OPTION_SINGLE_SA, 1, 0, 0}, - {OPTION_CRYPTODEV_MASK, 1, 0, 0}, - {NULL, 0, 0, 0} - }; int32_t f_present = 0; argvopt = argv; @@ -1138,11 +1124,38 @@ parse_args(int32_t argc, char **argv) } printf("Enabled jumbo frames size %u\n", frame_size); break; - case 0: - if (parse_args_long_options(lgopts, option_index)) { + case CMD_LINE_OPT_CONFIG_NUM: + ret = parse_config(optarg); + if (ret) { + printf("Invalid config\n"); + print_usage(prgname); + return -1; + } + break; + case CMD_LINE_OPT_SINGLE_SA_NUM: + ret = parse_decimal(optarg); + if (ret == -1) { + printf("Invalid argument[sa_idx]\n"); print_usage(prgname); return -1; } + + /* else */ + single_sa = 1; + single_sa_idx = ret; + printf("Configured with single SA index %u\n", + single_sa_idx); + break; + case CMD_LINE_OPT_CRYPTODEV_MASK_NUM: + ret = parse_portmask(optarg); + if (ret == -1) { + printf("Invalid argument[portmask]\n"); + print_usage(prgname); + return -1; + } + + /* else */ + enabled_cryptodev_mask = ret; break; default: print_usage(prgname); @@ -1173,7 +1186,7 @@ print_ethaddr(const char *name, const struct ether_addr *eth_addr) /* Check the link status of all ports in up to 9s, and print them finally */ static void -check_all_ports_link_status(uint16_t port_num, uint32_t port_mask) +check_all_ports_link_status(uint32_t port_mask) { #define CHECK_INTERVAL 100 /* 100ms */ #define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */ @@ -1185,7 +1198,7 @@ check_all_ports_link_status(uint16_t port_num, uint32_t port_mask) fflush(stdout); for (count = 0; count <= MAX_CHECK_TIME; count++) { all_ports_up = 1; - for (portid = 0; portid < port_num; portid++) { + RTE_ETH_FOREACH_DEV(portid) { if ((port_mask & (1 << portid)) == 0) continue; memset(&link, 0, sizeof(link)); @@ -1379,11 +1392,11 @@ cryptodevs_init(void) uint32_t max_sess_sz = 0, sess_sz; for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) { - sess_sz = rte_cryptodev_get_private_session_size(cdev_id); + sess_sz = rte_cryptodev_sym_get_private_session_size(cdev_id); if (sess_sz > max_sess_sz) max_sess_sz = sess_sz; } - for (port_id = 0; port_id < rte_eth_dev_count(); port_id++) { + RTE_ETH_FOREACH_DEV(port_id) { void *sec_ctx; if ((enabled_port_mask & (1 << port_id)) == 0) @@ -1429,6 +1442,12 @@ cryptodevs_init(void) dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id); dev_conf.nb_queue_pairs = qp; + uint32_t dev_max_sess = cdev_info.sym.max_nb_sessions; + if (dev_max_sess != 0 && dev_max_sess < (CDEV_MP_NB_OBJS / 2)) + rte_exit(EXIT_FAILURE, + "Device does not support at least %u " + "sessions", CDEV_MP_NB_OBJS / 2); + if (!socket_ctx[dev_conf.socket_id].session_pool) { char mp_name[RTE_MEMPOOL_NAMESIZE]; struct rte_mempool *sess_mp; @@ -1470,7 +1489,7 @@ cryptodevs_init(void) } /* create session pools for eth devices that implement security */ - for (port_id = 0; port_id < rte_eth_dev_count(); port_id++) { + RTE_ETH_FOREACH_DEV(port_id) { if ((enabled_port_mask & (1 << port_id)) && rte_eth_dev_get_sec_ctx(port_id)) { int socket_id = rte_eth_dev_socket_id(port_id); @@ -1555,6 +1574,18 @@ port_init(uint16_t portid) if (dev_info.tx_offload_capa & DEV_TX_OFFLOAD_MBUF_FAST_FREE) local_port_conf.txmode.offloads |= DEV_TX_OFFLOAD_MBUF_FAST_FREE; + + local_port_conf.rx_adv_conf.rss_conf.rss_hf &= + dev_info.flow_type_rss_offloads; + if (local_port_conf.rx_adv_conf.rss_conf.rss_hf != + port_conf.rx_adv_conf.rss_conf.rss_hf) { + printf("Port %u modified RSS hash function based on hardware support," + "requested:%#"PRIx64" configured:%#"PRIx64"\n", + portid, + port_conf.rx_adv_conf.rss_conf.rss_hf, + local_port_conf.rx_adv_conf.rss_conf.rss_hf); + } + ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue, &local_port_conf); if (ret < 0) @@ -1581,7 +1612,6 @@ port_init(uint16_t portid) printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id); txconf = &dev_info.default_txconf; - txconf->txq_flags = ETH_TXQ_FLAGS_IGNORE; txconf->offloads = local_port_conf.txmode.offloads; ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd, @@ -1640,13 +1670,68 @@ pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf) printf("Allocated mbuf pool on socket %d\n", socket_id); } +static inline int +inline_ipsec_event_esn_overflow(struct rte_security_ctx *ctx, uint64_t md) +{ + struct ipsec_sa *sa; + + /* For inline protocol processing, the metadata in the event will + * uniquely identify the security session which raised the event. + * Application would then need the userdata it had registered with the + * security session to process the event. + */ + + sa = (struct ipsec_sa *)rte_security_get_userdata(ctx, md); + + if (sa == NULL) { + /* userdata could not be retrieved */ + return -1; + } + + /* Sequence number over flow. SA need to be re-established */ + RTE_SET_USED(sa); + return 0; +} + +static int +inline_ipsec_event_callback(uint16_t port_id, enum rte_eth_event_type type, + void *param, void *ret_param) +{ + uint64_t md; + struct rte_eth_event_ipsec_desc *event_desc = NULL; + struct rte_security_ctx *ctx = (struct rte_security_ctx *) + rte_eth_dev_get_sec_ctx(port_id); + + RTE_SET_USED(param); + + if (type != RTE_ETH_EVENT_IPSEC) + return -1; + + event_desc = ret_param; + if (event_desc == NULL) { + printf("Event descriptor not set\n"); + return -1; + } + + md = event_desc->metadata; + + if (event_desc->subtype == RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW) + return inline_ipsec_event_esn_overflow(ctx, md); + else if (event_desc->subtype >= RTE_ETH_EVENT_IPSEC_MAX) { + printf("Invalid IPsec event reported\n"); + return -1; + } + + return -1; +} + int32_t main(int32_t argc, char **argv) { int32_t ret; uint32_t lcore_id; uint8_t socket_id; - uint16_t portid, nb_ports; + uint16_t portid; /* init EAL */ ret = rte_eal_init(argc, argv); @@ -1665,8 +1750,6 @@ main(int32_t argc, char **argv) rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n", unprotected_port_mask); - nb_ports = rte_eth_dev_count(); - if (check_params() < 0) rte_exit(EXIT_FAILURE, "check_params failed\n"); @@ -1700,7 +1783,7 @@ main(int32_t argc, char **argv) pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); } - for (portid = 0; portid < nb_ports; portid++) { + RTE_ETH_FOREACH_DEV(portid) { if ((enabled_port_mask & (1 << portid)) == 0) continue; @@ -1710,7 +1793,7 @@ main(int32_t argc, char **argv) cryptodevs_init(); /* start ports */ - for (portid = 0; portid < nb_ports; portid++) { + RTE_ETH_FOREACH_DEV(portid) { if ((enabled_port_mask & (1 << portid)) == 0) continue; @@ -1727,9 +1810,12 @@ main(int32_t argc, char **argv) */ if (promiscuous_on) rte_eth_promiscuous_enable(portid); + + rte_eth_dev_callback_register(portid, + RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, NULL); } - check_all_ports_link_status(nb_ports, enabled_port_mask); + check_all_ports_link_status(enabled_port_mask); /* launch per-lcore init on every lcore */ rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER); diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 5fb5bc16..3d415f1a 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -36,6 +36,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) } /* TODO support for Transport and IPV6 tunnel */ } + ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; } static inline int @@ -186,14 +187,8 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) .rss_key_len = 40, }; struct rte_eth_dev *eth_dev; - union { - struct rte_flow_action_rss rss; - struct { - const struct rte_eth_rss_conf *rss_conf; - uint16_t num; - uint16_t queue[RTE_MAX_QUEUES_PER_PORT]; - } local; - } action_rss; + uint16_t queue[RTE_MAX_QUEUES_PER_PORT]; + struct rte_flow_action_rss action_rss; unsigned int i; unsigned int j; @@ -207,9 +202,14 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) for (i = 0, j = 0; i < eth_dev->data->nb_rx_queues; ++i) if (eth_dev->data->rx_queues[i]) - action_rss.local.queue[j++] = i; - action_rss.local.num = j; - action_rss.local.rss_conf = &rss_conf; + queue[j++] = i; + action_rss = (struct rte_flow_action_rss){ + .types = rss_conf.rss_hf, + .key_len = rss_conf.rss_key_len, + .queue_num = j, + .key = rss_key, + .queue = queue, + }; ret = rte_flow_validate(sa->portid, &sa->attr, sa->pattern, sa->action, &err); @@ -270,11 +270,14 @@ flow_create_failure: * the packet is received, this userdata will be * retrieved using the metadata from the packet. * - * This is required only for inbound SAs. + * The PMD is expected to set similar metadata for other + * operations, like rte_eth_event, which are tied to + * security session. In such cases, the userdata could + * be obtained to uniquely identify the security + * parameters denoted. */ - if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) - sess_conf.userdata = (void *) sa; + sess_conf.userdata = (void *) sa; sa->sec_session = rte_security_session_create(ctx, &sess_conf, ipsec_ctx->session_pool); @@ -324,18 +327,6 @@ flow_create_failure: rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, &cdev_info); - if (cdev_info.sym.max_nb_sessions_per_qp > 0) { - ret = rte_cryptodev_queue_pair_attach_sym_session( - ipsec_ctx->tbl[cdev_id_qp].id, - ipsec_ctx->tbl[cdev_id_qp].qp, - sa->crypto_session); - if (ret < 0) { - RTE_LOG(ERR, IPSEC, - "Session cannot be attached to qp %u\n", - ipsec_ctx->tbl[cdev_id_qp].qp); - return -1; - } - } } sa->cdev_id_qp = cdev_id_qp; @@ -345,13 +336,19 @@ flow_create_failure: static inline void enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop) { - int32_t ret, i; + int32_t ret = 0, i; cqp->buf[cqp->len++] = cop; if (cqp->len == MAX_PKT_BURST) { - ret = rte_cryptodev_enqueue_burst(cqp->id, cqp->qp, - cqp->buf, cqp->len); + int enq_size = cqp->len; + if ((cqp->in_flight + enq_size) > MAX_INFLIGHT) + enq_size -= + (int)((cqp->in_flight + enq_size) - MAX_INFLIGHT); + + if (enq_size > 0) + ret = rte_cryptodev_enqueue_burst(cqp->id, cqp->qp, + cqp->buf, enq_size); if (ret < cqp->len) { RTE_LOG_DP(DEBUG, IPSEC, "Cryptodev %u queue %u:" " enqueued %u crypto ops out of %u\n", @@ -486,9 +483,12 @@ ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa; struct rte_mbuf *pkt; - for (i = 0; i < ipsec_ctx->nb_qps && nb_pkts < max_pkts;) { + for (i = 0; i < ipsec_ctx->nb_qps && nb_pkts < max_pkts; i++) { struct cdev_qp *cqp; - cqp = &ipsec_ctx->tbl[ipsec_ctx->last_qp]; + + cqp = &ipsec_ctx->tbl[ipsec_ctx->last_qp++]; + if (ipsec_ctx->last_qp == ipsec_ctx->nb_qps) + ipsec_ctx->last_qp %= ipsec_ctx->nb_qps; while (ipsec_ctx->ol_pkts_cnt > 0 && nb_pkts < max_pkts) { pkt = ipsec_ctx->ol_pkts[--ipsec_ctx->ol_pkts_cnt]; @@ -503,13 +503,8 @@ ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, pkts[nb_pkts++] = pkt; } - if (cqp->in_flight == 0) { - ipsec_ctx->last_qp++; - if (ipsec_ctx->last_qp == ipsec_ctx->nb_qps) - ipsec_ctx->last_qp %= ipsec_ctx->nb_qps; - i++; + if (cqp->in_flight == 0) continue; - } nb_cops = rte_cryptodev_dequeue_burst(cqp->id, cqp->qp, cops, max_pkts - nb_pkts); @@ -533,12 +528,6 @@ ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, } } pkts[nb_pkts++] = pkt; - if (cqp->in_flight < max_pkts) { - ipsec_ctx->last_qp++; - if (ipsec_ctx->last_qp == ipsec_ctx->nb_qps) - ipsec_ctx->last_qp %= ipsec_ctx->nb_qps; - i++; - } } } diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 6059f6cc..c998c807 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -17,10 +17,13 @@ #define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3 #define MAX_PKT_BURST 32 +#define MAX_INFLIGHT 128 #define MAX_QP_PER_LCORE 256 #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ +#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00 + #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ sizeof(struct rte_crypto_sym_op)) @@ -188,7 +191,7 @@ ipsec_metadata_size(void) static inline struct ipsec_mbuf_metadata * get_priv(struct rte_mbuf *m) { - return RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); + return rte_mbuf_to_priv(m); } static inline void * diff --git a/examples/ipsec-secgw/parser.c b/examples/ipsec-secgw/parser.c index 2403b564..91282ca9 100644 --- a/examples/ipsec-secgw/parser.c +++ b/examples/ipsec-secgw/parser.c @@ -3,6 +3,7 @@ */ #include <rte_common.h> #include <rte_crypto.h> +#include <rte_string_fns.h> #include <cmdline_parse_string.h> #include <cmdline_parse_num.h> @@ -207,23 +208,24 @@ inet_pton6(const char *src, unsigned char *dst) int parse_ipv4_addr(const char *token, struct in_addr *ipv4, uint32_t *mask) { - char ip_str[256] = {0}; + char ip_str[INET_ADDRSTRLEN] = {0}; char *pch; pch = strchr(token, '/'); if (pch != NULL) { - strncpy(ip_str, token, pch - token); + strlcpy(ip_str, token, + RTE_MIN((unsigned int long)(pch - token + 1), + sizeof(ip_str))); pch += 1; if (is_str_num(pch) != 0) return -EINVAL; if (mask) *mask = atoi(pch); } else { - strncpy(ip_str, token, sizeof(ip_str) - 1); + strlcpy(ip_str, token, sizeof(ip_str)); if (mask) *mask = 0; } - if (strlen(ip_str) >= INET_ADDRSTRLEN) return -EINVAL; @@ -241,14 +243,16 @@ parse_ipv6_addr(const char *token, struct in6_addr *ipv6, uint32_t *mask) pch = strchr(token, '/'); if (pch != NULL) { - strncpy(ip_str, token, pch - token); + strlcpy(ip_str, token, + RTE_MIN((unsigned int long)(pch - token + 1), + sizeof(ip_str))); pch += 1; if (is_str_num(pch) != 0) return -EINVAL; if (mask) *mask = atoi(pch); } else { - strncpy(ip_str, token, sizeof(ip_str) - 1); + strlcpy(ip_str, token, sizeof(ip_str)); if (mask) *mask = 0; } @@ -515,9 +519,7 @@ parse_cfg_file(const char *cfg_filename) goto error_exit; } - strncpy(str + strlen(str), oneline, - strlen(oneline)); - + strcpy(str + strlen(str), oneline); continue; } @@ -528,8 +530,7 @@ parse_cfg_file(const char *cfg_filename) cfg_filename, line_num); goto error_exit; } - strncpy(str + strlen(str), oneline, - strlen(oneline)); + strcpy(str + strlen(str), oneline); str[strlen(str)] = '\n'; if (cmdline_parse(cl, str) < 0) { diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index d9dcc0e0..4ab8e098 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -939,7 +939,7 @@ inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx) { struct ipsec_mbuf_metadata *priv; - priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); + priv = get_priv(m); return (sa_ctx->sa[sa_idx].spi == priv->sa->spi); } |