summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
diff options
context:
space:
mode:
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/esp_decrypt.c65
-rw-r--r--src/vnet/ipsec/esp_encrypt.c39
2 files changed, 50 insertions, 54 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index c13657d0819..ec6d9811806 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -1024,7 +1024,7 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
vlib_buffer_t *sync_bufs[VLIB_FRAME_SIZE];
u16 sync_nexts[VLIB_FRAME_SIZE], *sync_next = sync_nexts, n_sync = 0;
- u16 async_nexts[VLIB_FRAME_SIZE], *async_next = async_nexts, n_async = 0;
+ u16 async_nexts[VLIB_FRAME_SIZE], *async_next = async_nexts;
u16 noop_nexts[VLIB_FRAME_SIZE], *noop_next = noop_nexts, n_noop = 0;
u32 sync_bi[VLIB_FRAME_SIZE];
u32 noop_bi[VLIB_FRAME_SIZE];
@@ -1100,22 +1100,6 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
is_async = im->async_mode | ipsec_sa_is_set_IS_ASYNC (sa0);
}
- if (is_async)
- {
- async_op = sa0->crypto_async_dec_op_id;
-
- /* get a frame for this op if we don't yet have one or it's full
- */
- if (NULL == async_frames[async_op] ||
- vnet_crypto_async_frame_is_full (async_frames[async_op]))
- {
- async_frames[async_op] =
- vnet_crypto_async_get_frame (vm, async_op);
- /* Save the frame to the list we'll submit at the end */
- vec_add1 (ptd->async_frames, async_frames[async_op]);
- }
- }
-
if (PREDICT_FALSE (~0 == sa0->thread_index))
{
/* this is the first packet to use this SA, claim the SA
@@ -1186,6 +1170,18 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
if (is_async)
{
+ async_op = sa0->crypto_async_dec_op_id;
+
+ /* get a frame for this op if we don't yet have one or it's full
+ */
+ if (NULL == async_frames[async_op] ||
+ vnet_crypto_async_frame_is_full (async_frames[async_op]))
+ {
+ async_frames[async_op] =
+ vnet_crypto_async_get_frame (vm, async_op);
+ /* Save the frame to the list we'll submit at the end */
+ vec_add1 (ptd->async_frames, async_frames[async_op]);
+ }
err = esp_decrypt_prepare_async_frame (
vm, node, ptd, async_frames[async_op], sa0, payload, len,
@@ -1219,10 +1215,8 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
pd2 += 1;
}
else
- {
- n_async++;
- async_next++;
- }
+ async_next++;
+
n_left -= 1;
b += 1;
}
@@ -1232,21 +1226,24 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
current_sa_index, current_sa_pkts,
current_sa_bytes);
- if (n_async)
- {
- /* submit all of the open frames */
- vnet_crypto_async_frame_t **async_frame;
+ /* submit or free all of the open frames */
+ vnet_crypto_async_frame_t **async_frame;
- vec_foreach (async_frame, ptd->async_frames)
+ vec_foreach (async_frame, ptd->async_frames)
+ {
+ /* free frame and move on if no ops were successfully added */
+ if (PREDICT_FALSE (!(*async_frame)->n_elts))
{
- if (vnet_crypto_async_submit_open_frame (vm, *async_frame) < 0)
- {
- n_noop += esp_async_recycle_failed_submit (
- vm, *async_frame, node, ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR,
- n_sync, noop_bi, noop_nexts, ESP_DECRYPT_NEXT_DROP);
- vnet_crypto_async_reset_frame (*async_frame);
- vnet_crypto_async_free_frame (vm, *async_frame);
- }
+ vnet_crypto_async_free_frame (vm, *async_frame);
+ continue;
+ }
+ if (vnet_crypto_async_submit_open_frame (vm, *async_frame) < 0)
+ {
+ n_noop += esp_async_recycle_failed_submit (
+ vm, *async_frame, node, ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR,
+ n_sync, noop_bi, noop_nexts, ESP_DECRYPT_NEXT_DROP);
+ vnet_crypto_async_reset_frame (*async_frame);
+ vnet_crypto_async_free_frame (vm, *async_frame);
}
}
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 214cf674c75..30c2bf9a8ac 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -665,22 +665,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
is_async = im->async_mode | ipsec_sa_is_set_IS_ASYNC (sa0);
}
- if (is_async)
- {
- async_op = sa0->crypto_async_enc_op_id;
-
- /* get a frame for this op if we don't yet have one or it's full
- */
- if (NULL == async_frames[async_op] ||
- vnet_crypto_async_frame_is_full (async_frames[async_op]))
- {
- async_frames[async_op] =
- vnet_crypto_async_get_frame (vm, async_op);
- /* Save the frame to the list we'll submit at the end */
- vec_add1 (ptd->async_frames, async_frames[async_op]);
- }
- }
-
if (PREDICT_FALSE (~0 == sa0->thread_index))
{
/* this is the first packet to use this SA, claim the SA
@@ -951,10 +935,25 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
esp->seq = clib_net_to_host_u32 (sa0->seq);
if (is_async)
- esp_prepare_async_frame (vm, ptd, async_frames[async_op], sa0, b[0],
- esp, payload, payload_len, iv_sz, icv_sz,
- from[b - bufs], sync_next[0], hdr_len,
- async_next_node, lb);
+ {
+ async_op = sa0->crypto_async_enc_op_id;
+
+ /* get a frame for this op if we don't yet have one or it's full
+ */
+ if (NULL == async_frames[async_op] ||
+ vnet_crypto_async_frame_is_full (async_frames[async_op]))
+ {
+ async_frames[async_op] =
+ vnet_crypto_async_get_frame (vm, async_op);
+ /* Save the frame to the list we'll submit at the end */
+ vec_add1 (ptd->async_frames, async_frames[async_op]);
+ }
+
+ esp_prepare_async_frame (vm, ptd, async_frames[async_op], sa0, b[0],
+ esp, payload, payload_len, iv_sz, icv_sz,
+ from[b - bufs], sync_next[0], hdr_len,
+ async_next_node, lb);
+ }
else
esp_prepare_sync_op (vm, ptd, crypto_ops, integ_ops, sa0, payload,
payload_len, iv_sz, icv_sz, n_sync, b, lb,