authorXiaoming Jiang <jiangxiaoming@outlook.com>2023-04-26 11:58:25 +0000
committerFan Zhang <fanzhang.oss@gmail.com>2023-09-12 12:42:56 +0000
commit7a726586655854773e7e9f816508e139ea3e0477 (patch)
tree62008d16c2a8105e349b25d72b2a9942d571f37a /src/vnet/ipsec
parent139aba204780f6cc2845b311820a0b4c47517d02 (diff)
ipsec: improve fast path policy searching performance
Type: improvement Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com> Change-Id: Ib8bb300f5b62648f6b634046415742bdf5365982
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec_spd_fp_lookup.h48
-rw-r--r--src/vnet/ipsec/ipsec_spd_policy.c46
2 files changed, 59 insertions, 35 deletions
diff --git a/src/vnet/ipsec/ipsec_spd_fp_lookup.h b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
index 71260855317..2bbd7c664f9 100644
--- a/src/vnet/ipsec/ipsec_spd_fp_lookup.h
+++ b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
@@ -196,13 +196,16 @@ ipsec_fp_in_ip6_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
{
policy = im->policies + *policy_id;
- if ((last_priority[i] < policy->priority) &&
- (single_rule_in_match_5tuple (policy, match)))
+ if (single_rule_in_match_5tuple (policy, match))
{
- last_priority[i] = policy->priority;
- if (policies[i] == 0)
- counter++;
- policies[i] = policy;
+ if (last_priority[i] < policy->priority)
+ {
+ last_priority[i] = policy->priority;
+ if (policies[i] == 0)
+ counter++;
+ policies[i] = policy;
+ }
+ break;
}
}
}
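Review bot: The added `break` after the first 5-tuple match is only correct while `fp_policies_ids` is ordered by descending priority, and nothing in this header states or checks that. The same applies to the `break` added in ipsec_fp_in_ip4_policy_match_n, ipsec_fp_out_ip6_policy_match_n and ipsec_fp_out_ip4_policy_match_n. If an entry ever ends up out of order (for instance a priority changed after insertion, which is not visible here), a lower-priority rule would be selected and the higher-priority one never examined, which for an SPD means the wrong bypass/protect/discard decision. I would add a comment at each break such as `/* fp_policies_ids is sorted by descending priority: first match wins */`, and consider a debug-build `ASSERT` of the ordering where the vector is modified. The loop and the function body start outside the hunk.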
@@ -291,13 +294,16 @@ ipsec_fp_in_ip4_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
{
policy = im->policies + *policy_id;
- if ((last_priority[i] < policy->priority) &&
- (single_rule_in_match_5tuple (policy, match)))
+ if (single_rule_in_match_5tuple (policy, match))
{
- last_priority[i] = policy->priority;
- if (policies[i] == 0)
- counter++;
- policies[i] = policy;
+ if (last_priority[i] < policy->priority)
+ {
+ last_priority[i] = policy->priority;
+ if (policies[i] == 0)
+ counter++;
+ policies[i] = policy;
+ }
+ break;
}
}
}
@@ -418,6 +424,7 @@ ipsec_fp_out_ip6_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
policies[i] = policy;
ids[i] = *policy_id;
}
+ break;
}
}
}
@@ -511,14 +518,17 @@ ipsec_fp_out_ip4_policy_match_n (void *spd_fp, ipsec_fp_5tuple_t *tuples,
{
policy = im->policies + *policy_id;
- if ((last_priority[i] < policy->priority) &&
- (single_rule_out_match_5tuple (policy, match)))
+ if (single_rule_out_match_5tuple (policy, match))
{
- last_priority[i] = policy->priority;
- if (policies[i] == 0)
- counter++;
- policies[i] = policy;
- ids[i] = *policy_id;
+ if (last_priority[i] < policy->priority)
+ {
+ last_priority[i] = policy->priority;
+ if (policies[i] == 0)
+ counter++;
+ policies[i] = policy;
+ ids[i] = *policy_id;
+ }
+ break;
}
}
}
diff --git a/src/vnet/ipsec/ipsec_spd_policy.c b/src/vnet/ipsec/ipsec_spd_policy.c
index 6a66a2de269..08acad2b291 100644
--- a/src/vnet/ipsec/ipsec_spd_policy.c
+++ b/src/vnet/ipsec/ipsec_spd_policy.c
@@ -617,17 +617,24 @@ ipsec_fp_ip4_add_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd,
}
else
{
+ u32 i;
+ u32 *old_fp_policies_ids = result_val->fp_policies_ids;
- if (vec_max_len (result_val->fp_policies_ids) !=
- vec_len (result_val->fp_policies_ids))
+ vec_foreach_index (i, result_val->fp_policies_ids)
{
- /* no need to resize */
- vec_add1 (result_val->fp_policies_ids, policy_index);
+ ipsec_policy_t *p =
+ pool_elt_at_index (im->policies, result_val->fp_policies_ids[i]);
+
+ if (p->priority <= policy->priority)
+ {
+ break;
+ }
}
- else
- {
- vec_add1 (result_val->fp_policies_ids, policy_index);
+ vec_insert_elts (result_val->fp_policies_ids, &policy_index, 1, i);
+
+ if (result_val->fp_policies_ids != old_fp_policies_ids)
+ {
res = clib_bihash_add_del_16_8 (bihash_table, &result, 1);
if (res != 0)
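Review bot: The `p->priority <= policy->priority` test places a new policy ahead of existing entries with the same priority, so together with the first-match `break` in ipsec_spd_fp_lookup.h the most recently added of several equal-priority matches now wins; with the removed strict `last_priority[i] < policy->priority` scan the earlier vector entry won. For overlapping equal-priority SPD rules that changes which action applies, while the commit message describes only a performance improvement. If the old tie-break is the intended one, `if (p->priority < policy->priority)` inserts after the equal-priority entries instead; either way a comment such as `/* keep fp_policies_ids sorted by descending priority; equal priority: newest first */` (or the opposite) would record the rule. ipsec_fp_ip6_add_policy has the same loop, and both function bodies continue outside their hunks.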
@@ -721,17 +728,24 @@ ipsec_fp_ip6_add_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd,
}
else
{
+ u32 i;
+ u32 *old_fp_policies_ids = result_val->fp_policies_ids;
- if (vec_max_len (result_val->fp_policies_ids) !=
- vec_len (result_val->fp_policies_ids))
+ vec_foreach_index (i, result_val->fp_policies_ids)
{
- /* no need to resize */
- vec_add1 (result_val->fp_policies_ids, policy_index);
+ ipsec_policy_t *p =
+ pool_elt_at_index (im->policies, result_val->fp_policies_ids[i]);
+
+ if (p->priority <= policy->priority)
+ {
+ break;
+ }
}
- else
- {
- vec_add1 (result_val->fp_policies_ids, policy_index);
+ vec_insert_elts (result_val->fp_policies_ids, &policy_index, 1, i);
+
+ if (result_val->fp_policies_ids != old_fp_policies_ids)
+ {
res = clib_bihash_add_del_40_8 (bihash_table, &result, 1);
if (res != 0)
@@ -806,7 +820,7 @@ ipsec_fp_ip6_del_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd,
clib_bihash_add_del_40_8 (bihash_table, &result, 0);
}
else
- vec_del1 (result_val->fp_policies_ids, ii);
+ vec_delete (result_val->fp_policies_ids, 1, ii);
vec_foreach_index (imt, fp_spd->fp_mask_ids[policy->type])
{
@@ -870,7 +884,7 @@ ipsec_fp_ip4_del_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd,
clib_bihash_add_del_16_8 (bihash_table, &result, 0);
}
else
- vec_del1 (result_val->fp_policies_ids, ii);
+ vec_delete (result_val->fp_policies_ids, 1, ii);
vec_foreach_index (imt, fp_spd->fp_mask_ids[policy->type])
{