From f16e9a5507c33642ac04d4b1a8712f8fac238828 Mon Sep 17 00:00:00 2001
From: Neale Ranns
Date: Thu, 25 Feb 2021 19:09:24 +0000
Subject: ipsec: Support async mode per-SA
Type: feature
This feautre only applies to ESP not AH SAs. As well as the gobal switch for ayncs mode, allow individual SAs to be async. If global async is on, all SAs are async. If global async mode is off, then if then an SA can be individually set to async. This preserves the global switch behaviour. the stratergy in the esp encrypt.decrypt nodes is to separate the frame into, 1) sync buffers, 2) async buffers and 3) no-op buffers. Sync buffer will undergo a cyrpto/ath operation, no-op will not, they are dropped or handed-off.
Signed-off-by: Neale Ranns
Change-Id: Ifc15b10b870b19413ad030ce7f92ed56275d6791
---
 src/vnet/ipsec/ipsec_sa.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
(limited to 'src/vnet/ipsec/ipsec_sa.c')
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 7e2dc20ef90..b1e337470ab 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -245,7 +245,15 @@ ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto,
 if (im->async_mode)
 sa->crypto_op_data = sa->async_op_data.data;
 else
- sa->crypto_op_data = sa->sync_op_data.data;
+ {
+ if (ipsec_sa_is_set_IS_ASYNC (sa))
+ {
+ vnet_crypto_request_async_mode (1);
+ sa->crypto_op_data = sa->async_op_data.data;
+ }
+ else
+ sa->crypto_op_data = sa->sync_op_data.data;
+ }
 err = ipsec_check_support_cb (im, sa);
 if (err)
@@ -332,6 +340,8 @@ ipsec_sa_del (ipsec_sa_t * sa)
 /* no recovery possible when deleting an SA */
 (void) ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
+ if (ipsec_sa_is_set_IS_ASYNC (sa))
+ vnet_crypto_request_async_mode (0);
 if (ipsec_sa_is_set_UDP_ENCAP (sa) && ipsec_sa_is_set_IS_INBOUND (sa))
 ipsec_unregister_udp_port (clib_net_to_host_u16 (sa->udp_hdr.dst_port));
-- 
cgit 1.2.3-korg
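Review bot: In ipsec_sa_add_and_lock, `vnet_crypto_request_async_mode (1)` is issued before `ipsec_check_support_cb (im, sa)`, so a failure in the `if (err)` branch that follows would leave the request outstanding. The body of that branch is outside the hunk, but if it returns without going through ipsec_sa_del, nothing issues the matching `vnet_crypto_request_async_mode (0)`. Assuming the request is counted (its definition is not in this patch), each rejected async SA would then keep the crypto layer in async mode. Either move the request to after the last point where SA creation can fail, or release it on every error return. A short comment at the call stating that ipsec_sa_del holds the paired release would also help.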
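Review bot: The release in ipsec_sa_del is keyed only on `ipsec_sa_is_set_IS_ASYNC (sa)`, while the request in ipsec_sa_add_and_lock is made only when `im->async_mode` is off, so the two calls do not pair up. An SA flagged IS_ASYNC and created while global async is on never calls `vnet_crypto_request_async_mode (1)`, yet deleting it still calls `vnet_crypto_request_async_mode (0)`. If the request is reference-counted (not visible in this patch), that unmatched release could drop async mode while other SAs still depend on it, or underflow the count. Keying both sides on the same flag avoids this: issue `if (ipsec_sa_is_set_IS_ASYNC (sa)) vnet_crypto_request_async_mode (1);` ahead of the `if (im->async_mode)` test in the add path. The alternative is to record on the SA that a request was taken and test that record here.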