diff options
Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/ipsec/ipsec.h | 8 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 8 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_tun.c | 52 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_tun.h | 52 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_tun_in.c | 44 |
5 files changed, 83 insertions, 81 deletions
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h index fe44b80b321..97ef6262f71 100644 --- a/src/vnet/ipsec/ipsec.h +++ b/src/vnet/ipsec/ipsec.h @@ -26,9 +26,9 @@ #include <vnet/ipsec/ipsec_spd_policy.h> #include <vnet/ipsec/ipsec_sa.h> -#include <vppinfra/bihash_8_8.h> +#include <vppinfra/bihash_8_16.h> -#include <vppinfra/bihash_24_8.h> +#include <vppinfra/bihash_24_16.h> typedef clib_error_t *(*add_del_sa_sess_cb_t) (u32 sa_index, u8 is_add); typedef clib_error_t *(*check_support_cb_t) (ipsec_sa_t * sa); @@ -130,8 +130,8 @@ typedef struct uword *ipsec_if_real_dev_by_show_dev; uword *ipsec_if_by_sw_if_index; - clib_bihash_8_8_t tun4_protect_by_key; - clib_bihash_24_8_t tun6_protect_by_key; + clib_bihash_8_16_t tun4_protect_by_key; + clib_bihash_24_16_t tun6_protect_by_key; /* node indices */ u32 error_drop_node_index; diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 7d265f7e64d..d7378534eb8 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -1040,7 +1040,7 @@ VLIB_CLI_COMMAND (ipsec_tun_protect_show_node, static) = /* *INDENT-ON* */ static int -ipsec_tun_protect4_hash_show_one (clib_bihash_kv_8_8_t * kv, void *arg) +ipsec_tun_protect4_hash_show_one (clib_bihash_kv_8_16_t * kv, void *arg) { ipsec4_tunnel_kv_t *ikv = (ipsec4_tunnel_kv_t *) kv; vlib_main_t *vm = arg; @@ -1051,7 +1051,7 @@ ipsec_tun_protect4_hash_show_one (clib_bihash_kv_8_8_t * kv, void *arg) } static int -ipsec_tun_protect6_hash_show_one (clib_bihash_kv_24_8_t * kv, void *arg) +ipsec_tun_protect6_hash_show_one (clib_bihash_kv_24_16_t * kv, void *arg) { ipsec6_tunnel_kv_t *ikv = (ipsec6_tunnel_kv_t *) kv; vlib_main_t *vm = arg; @@ -1071,12 +1071,12 @@ ipsec_tun_protect_hash_show (vlib_main_t * vm, { vlib_cli_output (vm, "IPv4:"); - clib_bihash_foreach_key_value_pair_8_8 + clib_bihash_foreach_key_value_pair_8_16 (&im->tun4_protect_by_key, ipsec_tun_protect4_hash_show_one, vm); vlib_cli_output (vm, "IPv6:"); - clib_bihash_foreach_key_value_pair_24_8 + clib_bihash_foreach_key_value_pair_24_16 (&im->tun6_protect_by_key, ipsec_tun_protect6_hash_show_one, vm); } diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c index 4985c549ccc..c4c8fa7d262 100644 --- a/src/vnet/ipsec/ipsec_tun.c +++ b/src/vnet/ipsec/ipsec_tun.c @@ -23,6 +23,12 @@ #include <vnet/adj/adj_midchain.h> #include <vnet/teib/teib.h> +/* instantiate the bihash functions */ +#include <vppinfra/bihash_8_16.h> +#include <vppinfra/bihash_template.c> +#include <vppinfra/bihash_24_16.h> +#include <vppinfra/bihash_template.c> + #define IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS (64 * 1024) #define IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE 512 << 20 @@ -224,6 +230,8 @@ ipsec_tun_protect_rx_db_add (ipsec_main_t * im, ipsec_tun_lkup_result_t res = { .tun_index = itp - ipsec_tun_protect_pool, .sa_index = sai, + .flags = itp->itp_flags, + .sw_if_index = itp->itp_sw_if_index, }; /* @@ -235,18 +243,18 @@ ipsec_tun_protect_rx_db_add (ipsec_main_t * im, ipsec4_tunnel_kv_t key = { .value = res, }; - clib_bihash_kv_8_8_t *bkey = (clib_bihash_kv_8_8_t*)&key; + clib_bihash_kv_8_16_t *bkey = (clib_bihash_kv_8_16_t*)&key; ipsec4_tunnel_mk_key(&key, &itp->itp_crypto.dst.ip4, clib_host_to_net_u32 (sa->spi)); if (!im->tun4_protect_by_key.nbuckets) - clib_bihash_init_8_8 (&im->tun4_protect_by_key, + clib_bihash_init_8_16 (&im->tun4_protect_by_key, "IPSec IPv4 tunnels", IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS, IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE); - clib_bihash_add_del_8_8 (&im->tun4_protect_by_key, bkey, 1); + clib_bihash_add_del_8_16 (&im->tun4_protect_by_key, bkey, 1); ipsec_tun_register_nodes(AF_IP4); } else @@ -258,14 +266,14 @@ ipsec_tun_protect_rx_db_add (ipsec_main_t * im, }, .value = res, }; - clib_bihash_kv_24_8_t *bkey = (clib_bihash_kv_24_8_t*)&key; + clib_bihash_kv_24_16_t *bkey = (clib_bihash_kv_24_16_t*)&key; if (!im->tun4_protect_by_key.nbuckets) - clib_bihash_init_24_8 (&im->tun6_protect_by_key, + clib_bihash_init_24_16 (&im->tun6_protect_by_key, "IPSec IPv6 tunnels", IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS, IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE); - clib_bihash_add_del_24_8 (&im->tun6_protect_by_key, bkey, 1); + clib_bihash_add_del_24_16 (&im->tun6_protect_by_key, bkey, 1); ipsec_tun_register_nodes(AF_IP6); } })) @@ -355,14 +363,14 @@ ipsec_tun_protect_rx_db_remove (ipsec_main_t * im, if (ip46_address_is_ip4 (&itp->itp_crypto.dst)) { ipsec4_tunnel_kv_t key; - clib_bihash_kv_8_8_t res, *bkey = (clib_bihash_kv_8_8_t*)&key; + clib_bihash_kv_8_16_t res, *bkey = (clib_bihash_kv_8_16_t*)&key; ipsec4_tunnel_mk_key(&key, &itp->itp_crypto.dst.ip4, clib_host_to_net_u32 (sa->spi)); - if (!clib_bihash_search_8_8 (&im->tun4_protect_by_key, bkey, &res)) + if (!clib_bihash_search_8_16 (&im->tun4_protect_by_key, bkey, &res)) { - clib_bihash_add_del_8_8 (&im->tun4_protect_by_key, bkey, 0); + clib_bihash_add_del_8_16 (&im->tun4_protect_by_key, bkey, 0); ipsec_tun_unregister_nodes(AF_IP4); } } @@ -374,11 +382,11 @@ ipsec_tun_protect_rx_db_remove (ipsec_main_t * im, .spi = clib_host_to_net_u32 (sa->spi), }, }; - clib_bihash_kv_24_8_t res, *bkey = (clib_bihash_kv_24_8_t*)&key; + clib_bihash_kv_24_16_t res, *bkey = (clib_bihash_kv_24_16_t*)&key; - if (!clib_bihash_search_24_8 (&im->tun6_protect_by_key, bkey, &res)) + if (!clib_bihash_search_24_16 (&im->tun6_protect_by_key, bkey, &res)) { - clib_bihash_add_del_24_8 (&im->tun6_protect_by_key, bkey, 0); + clib_bihash_add_del_24_16 (&im->tun6_protect_by_key, bkey, 0); ipsec_tun_unregister_nodes(AF_IP6); } } @@ -971,11 +979,11 @@ ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets) im = &ipsec_main; if (AF_IP4 == af) - clib_bihash_init_8_8 (&im->tun4_protect_by_key, - "IPSec IPv4 tunnels", n_buckets, table_size); + clib_bihash_init_8_16 (&im->tun4_protect_by_key, + "IPSec IPv4 tunnels", n_buckets, table_size); else - clib_bihash_init_24_8 (&im->tun6_protect_by_key, - "IPSec IPv6 tunnels", n_buckets, table_size); + clib_bihash_init_24_16 (&im->tun6_protect_by_key, + "IPSec IPv6 tunnels", n_buckets, table_size); } clib_error_t * @@ -984,14 +992,14 @@ ipsec_tunnel_protect_init (vlib_main_t * vm) ipsec_main_t *im; im = &ipsec_main; - clib_bihash_init_24_8 (&im->tun6_protect_by_key, - "IPSec IPv6 tunnels", + clib_bihash_init_24_16 (&im->tun6_protect_by_key, + "IPSec IPv6 tunnels", + IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS, + IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE); + clib_bihash_init_8_16 (&im->tun4_protect_by_key, + "IPSec IPv4 tunnels", IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS, IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE); - clib_bihash_init_8_8 (&im->tun4_protect_by_key, - "IPSec IPv4 tunnels", - IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS, - IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE); /* set up feature nodes to drop outbound packets with no crypto alg set */ im->esp4_no_crypto_tun_node_index = diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h index 0d911a2876c..b8e80d3565f 100644 --- a/src/vnet/ipsec/ipsec_tun.h +++ b/src/vnet/ipsec/ipsec_tun.h @@ -17,20 +17,31 @@ #include <vnet/ipsec/ipsec.h> +#define foreach_ipsec_protect_flags \ + _(L2, 1, "l2") \ + _(ENCAPED, 2, "encapped") \ + _(ITF, 4, "itf") \ + +typedef enum ipsec_protect_flags_t_ +{ + IPSEC_PROTECT_NONE = 0, +#define _(a,b,c) IPSEC_PROTECT_##a = b, + foreach_ipsec_protect_flags +#undef _ +} __clib_packed ipsec_protect_flags_t; + +extern u8 *format_ipsec_tun_protect_flags (u8 * s, va_list * args); + /** * result of a lookup in the protection bihash */ typedef struct ipsec_tun_lkup_result_t_ { - union - { - struct - { - u32 tun_index; - u32 sa_index; - }; - u64 as_u64; - }; + u32 tun_index; + u32 sa_index; + u32 sw_if_index; + ipsec_protect_flags_t flags; + u8 __pad[3]; } ipsec_tun_lkup_result_t; typedef struct ipsec4_tunnel_kv_t @@ -43,9 +54,9 @@ typedef struct ipsec4_tunnel_kv_t ipsec_tun_lkup_result_t value; } __clib_packed ipsec4_tunnel_kv_t; -STATIC_ASSERT_SIZEOF (ipsec4_tunnel_kv_t, sizeof (clib_bihash_kv_8_8_t)); +STATIC_ASSERT_SIZEOF (ipsec4_tunnel_kv_t, sizeof (clib_bihash_kv_8_16_t)); STATIC_ASSERT_OFFSET_OF (ipsec4_tunnel_kv_t, value, - STRUCT_OFFSET_OF (clib_bihash_kv_8_8_t, value)); + STRUCT_OFFSET_OF (clib_bihash_kv_8_16_t, value)); static inline void ipsec4_tunnel_mk_key (ipsec4_tunnel_kv_t * k, @@ -77,28 +88,13 @@ typedef struct ipsec6_tunnel_kv_t_ ipsec_tun_lkup_result_t value; } __clib_packed ipsec6_tunnel_kv_t; -STATIC_ASSERT_SIZEOF (ipsec6_tunnel_kv_t, sizeof (clib_bihash_kv_24_8_t)); +STATIC_ASSERT_SIZEOF (ipsec6_tunnel_kv_t, sizeof (clib_bihash_kv_24_16_t)); STATIC_ASSERT_OFFSET_OF (ipsec6_tunnel_kv_t, value, - STRUCT_OFFSET_OF (clib_bihash_kv_24_8_t, value)); + STRUCT_OFFSET_OF (clib_bihash_kv_24_16_t, value)); extern u8 *format_ipsec4_tunnel_kv (u8 * s, va_list * args); extern u8 *format_ipsec6_tunnel_kv (u8 * s, va_list * args); -#define foreach_ipsec_protect_flags \ - _(L2, 1, "l2") \ - _(ENCAPED, 2, "encapped") \ - _(ITF, 4, "itf") \ - -typedef enum ipsec_protect_flags_t_ -{ - IPSEC_PROTECT_NONE = 0, -#define _(a,b,c) IPSEC_PROTECT_##a = b, - foreach_ipsec_protect_flags -#undef _ -} __clib_packed ipsec_protect_flags_t; - -extern u8 *format_ipsec_tun_protect_flags (u8 * s, va_list * args); - typedef struct ipsec_ep_t_ { ip46_address_t src; diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c index 804c7299c6f..6b7abce2866 100644 --- a/src/vnet/ipsec/ipsec_tun_in.c +++ b/src/vnet/ipsec/ipsec_tun_in.c @@ -149,10 +149,10 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, }; ipsec4_tunnel_kv_t last_key4; ipsec6_tunnel_kv_t last_key6; + ipsec_tun_lkup_result_t itr0; vlib_combined_counter_main_t *rx_counter; vlib_combined_counter_main_t *drop_counter; - ipsec_tun_protect_t *itp0; if (is_ip6) clib_memset (&last_key6, 0xff, sizeof (last_key6)); @@ -165,9 +165,8 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, while (n_left_from > 0) { u32 sw_if_index0, len0, hdr_sz0; - ipsec_tun_lkup_result_t itr0; - clib_bihash_kv_24_8_t bkey60; - clib_bihash_kv_8_8_t bkey40; + clib_bihash_kv_24_16_t bkey60; + clib_bihash_kv_8_16_t bkey40; ipsec4_tunnel_kv_t *key40; ipsec6_tunnel_kv_t *key60; ip4_header_t *ip40; @@ -231,17 +230,18 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (memcmp (key60, &last_key6, sizeof (last_key6)) == 0) { - itr0 = last_result; + clib_memcpy_fast (&itr0, &last_result, sizeof (itr0)); } else { int rv = - clib_bihash_search_inline_24_8 (&im->tun6_protect_by_key, - &bkey60); + clib_bihash_search_inline_24_16 (&im->tun6_protect_by_key, + &bkey60); if (!rv) { - itr0.as_u64 = bkey60.value; - last_result = itr0; + clib_memcpy_fast (&itr0, &bkey60.value, sizeof (itr0)); + clib_memcpy_fast (&last_result, &bkey60.value, + sizeof (last_result)); clib_memcpy_fast (&last_key6, key60, sizeof (last_key6)); } else @@ -258,17 +258,18 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (key40->key == last_key4.key) { - itr0 = last_result; + clib_memcpy_fast (&itr0, &last_result, sizeof (itr0)); } else { int rv = - clib_bihash_search_inline_8_8 (&im->tun4_protect_by_key, - &bkey40); + clib_bihash_search_inline_8_16 (&im->tun4_protect_by_key, + &bkey40); if (!rv) { - itr0.as_u64 = bkey40.value; - last_result = itr0; + clib_memcpy_fast (&itr0, &bkey40.value, sizeof (itr0)); + clib_memcpy_fast (&last_result, &bkey40.value, + sizeof (last_result)); last_key4.key = key40->key; } else @@ -281,11 +282,10 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, } } - itp0 = pool_elt_at_index (ipsec_tun_protect_pool, itr0.tun_index); vnet_buffer (b[0])->ipsec.sad_index = itr0.sa_index; vnet_buffer (b[0])->ipsec.protect_index = itr0.tun_index; - sw_if_index0 = itp0->itp_sw_if_index; + sw_if_index0 = itr0.sw_if_index; vnet_buffer (b[0])->sw_if_index[VLIB_RX] = sw_if_index0; if (PREDICT_FALSE (!vnet_sw_interface_is_admin_up (vnm, sw_if_index0))) @@ -306,7 +306,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, } else { - if (n_packets && !(itp0->itp_flags & IPSEC_PROTECT_ENCAPED)) + if (n_packets && !(itr0.flags & IPSEC_PROTECT_ENCAPED)) { vlib_increment_combined_counter (rx_counter, thread_index, last_sw_if_index, @@ -344,12 +344,10 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, n_left_from -= 1; } - if (n_packets && !(itp0->itp_flags & IPSEC_PROTECT_ENCAPED)) - { - vlib_increment_combined_counter (rx_counter, - thread_index, - last_sw_if_index, n_packets, n_bytes); - } + if (n_packets && !(itr0.flags & IPSEC_PROTECT_ENCAPED)) + vlib_increment_combined_counter (rx_counter, + thread_index, + last_sw_if_index, n_packets, n_bytes); vlib_node_increment_counter (vm, node->node_index, IPSEC_TUN_PROTECT_INPUT_ERROR_RX, |