From 86f8208af43efaa71b8e1c0a5ff86fc233456d9d Mon Sep 17 00:00:00 2001 From: Piotr Bronowski Date: Fri, 8 Jul 2022 12:45:05 +0000 Subject: ipsec: fast path outbound policy matching implementation for ipv6 With this patch fast path for ipv6 policy lookup is enabled. This impelentation scales and outperforms original implementation when the number of defined flows is higher thatn 100k. Type: feature Signed-off-by: Piotr Bronowski Change-Id: I9364b5b8db4fc708790d48c538add272c7cea400
---
src/vnet/ipsec/ipsec_output.c | 85 ------------------------------------------- 1 file changed, 85 deletions(-) (limited to 'src/vnet/ipsec/ipsec_output.c')
diff --git a/src/vnet/ipsec/ipsec_output.c b/src/vnet/ipsec/ipsec_output.c
index 96c6f27fee1..028d9761c07 100644
--- a/src/vnet/ipsec/ipsec_output.c
+++ b/src/vnet/ipsec/ipsec_output.c
@@ -64,91 +64,6 @@ format_ipsec_output_trace (u8 * s, va_list * args)
 return s;
 }

-always_inline uword
-ip6_addr_match_range (ip6_address_t * a, ip6_address_t * la,
- ip6_address_t * ua)
-{
- if ((memcmp (a->as_u64, la->as_u64, 2 * sizeof (u64)) >= 0) &&
- (memcmp (a->as_u64, ua->as_u64, 2 * sizeof (u64)) <= 0))
- return 1;
- return 0;
-}
-
-always_inline void
-ipsec_fp_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *la,
- ip6_address_t *ra, u16 lp, u16 rp, u8 pr)
-
-{
- clib_memcpy_fast (&tuple->ip6_laddr, la, sizeof (ip6_address_t));
- clib_memcpy_fast (&tuple->ip6_laddr, la, sizeof (ip6_address_t));
-
- tuple->lport = lp;
- tuple->rport = rp;
- tuple->protocol = pr;
- tuple->is_ipv6 = 1;
-}
-
-always_inline ipsec_policy_t *
-ipsec6_output_policy_match (ipsec_spd_t * spd,
- ip6_address_t * la,
- ip6_address_t * ra, u16 lp, u16 rp, u8 pr)
-{
- ipsec_main_t *im = &ipsec_main;
- ipsec_policy_t *p;
- ipsec_policy_t *policies[1];
- ipsec_fp_5tuple_t tuples[1];
- u32 fp_policy_ids[1];
-
- u32 *i;
-
- if (!spd)
- return 0;
-
- ipsec_fp_5tuple_from_ip6_range (&tuples[0], la, ra, lp, rp, pr);
- if (im->fp_spd_is_enabled &&
- (0 == ipsec_fp_out_policy_match_n (&spd->fp_spd, 1, tuples, policies,
- fp_policy_ids, 1)))
- {
- p = policies[0];
- i = fp_policy_ids;
- }
-
- vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP6_OUTBOUND])
- {
- p = pool_elt_at_index (im->policies, *i);
- if (PREDICT_FALSE ((p->protocol != IPSEC_POLICY_PROTOCOL_ANY) &&
- (p->protocol != pr)))
- continue;
-
- if (!ip6_addr_match_range (ra, &p->raddr.start.ip6, &p->raddr.stop.ip6))
- continue;
-
- if (!ip6_addr_match_range (la, &p->laddr.start.ip6, &p->laddr.stop.ip6))
- continue;
-
- if (PREDICT_FALSE
- ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)
- && (pr != IP_PROTOCOL_SCTP)))
- return p;
-
- if (lp < p->lport.start)
- continue;
-
- if (lp > p->lport.stop)
- continue;
-
- if (rp < p->rport.start)
- continue;
-
- if (rp > p->rport.stop)
- continue;
-
- return p;
- }
-
- return 0;
-}
-
 static inline uword
 ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 vlib_frame_t * from_frame, int is_ipv6)
-- cgit 1.2.3-korg