From 14bf6a8fb03545b587d99e9db36871cc62b5729d Mon Sep 17 00:00:00 2001 From: Piotr Bronowski Date: Sun, 9 Oct 2022 23:05:00 +0000 Subject: ipsec: remove redundant policy array in fast path spd Fast path spd was explicitely storing array of policy id vectors. This information was redundand, as this inofrmation is already stored in bihash table. This additional array was affecting performance when adding and removing fast path policies. The other place that needed refactoring after removing this array was cli command showing fast path policies. Type: feature Signed-off-by: Piotr Bronowski Change-Id: I78d45653f71539e7ba90ff5d2834451f83ead4be --- src/vnet/ipsec/ipsec_spd_policy.c | 125 +++++++++++++------------------------- 1 file changed, 42 insertions(+), 83 deletions(-) (limited to 'src/vnet/ipsec/ipsec_spd_policy.c') diff --git a/src/vnet/ipsec/ipsec_spd_policy.c b/src/vnet/ipsec/ipsec_spd_policy.c index d5310a61cbd..4a17062b80e 100644 --- a/src/vnet/ipsec/ipsec_spd_policy.c +++ b/src/vnet/ipsec/ipsec_spd_policy.c @@ -622,7 +622,6 @@ ipsec_fp_ip4_add_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd, (fp_spd->fp_mask_ids[policy->type] + searched_idx)->refcount++; mte->refcount++; - vec_add1 (fp_spd->fp_policies[policy->type], policy_index); clib_memcpy (vp, policy, sizeof (*vp)); return 0; @@ -727,7 +726,6 @@ ipsec_fp_ip6_add_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd, (fp_spd->fp_mask_ids[policy->type] + searched_idx)->refcount++; mte->refcount++; - vec_add1 (fp_spd->fp_policies[policy->type], policy_index); clib_memcpy (vp, policy, sizeof (*vp)); return 0; @@ -756,7 +754,7 @@ ipsec_fp_ip6_del_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd, fp_spd->ip6_out_lookup_hash_idx); ipsec_policy_t *vp; - u32 ii, iii, imt; + u32 ii, imt; ipsec_fp_ip6_get_policy_mask (policy, &mask, inbound); ipsec_fp_get_policy_5tuple (policy, &policy_5tuple, inbound); @@ -765,57 +763,38 @@ ipsec_fp_ip6_del_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd, if (res != 0) return -1; - res = -1; vec_foreach_index (ii, result_val->fp_policies_ids) { vp = pool_elt_at_index (im->policies, *(result_val->fp_policies_ids + ii)); if (ipsec_policy_is_equal (vp, policy)) { - vec_foreach_index (iii, fp_spd->fp_policies[policy->type]) + if (vec_len (result_val->fp_policies_ids) == 1) { - if (*(fp_spd->fp_policies[policy->type] + iii) == - *(result_val->fp_policies_ids + ii)) + vec_free (result_val->fp_policies_ids); + clib_bihash_add_del_40_8 (bihash_table, &result, 0); + } + else + vec_del1 (result_val->fp_policies_ids, ii); + + vec_foreach_index (imt, fp_spd->fp_mask_ids[policy->type]) + { + if ((fp_spd->fp_mask_ids[policy->type] + imt)->mask_type_idx == + vp->fp_mask_type_id) { - if (vec_len (result_val->fp_policies_ids) == 1) - { - vec_free (result_val->fp_policies_ids); - clib_bihash_add_del_40_8 (bihash_table, &result, 0); - } - else - { - vec_del1 (result_val->fp_policies_ids, ii); - } - vec_del1 (fp_spd->fp_policies[policy->type], iii); - - vec_foreach_index (imt, fp_spd->fp_mask_ids[policy->type]) - { - if ((fp_spd->fp_mask_ids[policy->type] + imt) - ->mask_type_idx == vp->fp_mask_type_id) - { - - if ((fp_spd->fp_mask_ids[policy->type] + imt) - ->refcount-- == 1) - vec_del1 (fp_spd->fp_mask_ids[policy->type], imt); - - break; - } - } - - res = 0; + + if ((fp_spd->fp_mask_ids[policy->type] + imt)->refcount-- == + 1) + vec_del1 (fp_spd->fp_mask_ids[policy->type], imt); + break; } } - if (res != 0) - continue; - else - { - ipsec_fp_release_mask_type (im, vp->fp_mask_type_id); - ipsec_sa_unlock (vp->sa_index); - pool_put (im->policies, vp); - return 0; - } + ipsec_fp_release_mask_type (im, vp->fp_mask_type_id); + ipsec_sa_unlock (vp->sa_index); + pool_put (im->policies, vp); + return 0; } } return -1; @@ -833,7 +812,7 @@ ipsec_fp_ip4_del_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd, (ipsec_fp_lookup_value_t *) &result.value; bool inbound = ipsec_is_policy_inbound (policy); ipsec_policy_t *vp; - u32 ii, iii, imt; + u32 ii, imt; clib_bihash_16_8_t *bihash_table = inbound ? pool_elt_at_index (im->fp_ip4_lookup_hashes_pool, fp_spd->ip4_in_lookup_hash_idx) : @@ -848,57 +827,37 @@ ipsec_fp_ip4_del_policy (ipsec_main_t *im, ipsec_spd_fp_t *fp_spd, if (res != 0) return -1; - res = -1; vec_foreach_index (ii, result_val->fp_policies_ids) { vp = pool_elt_at_index (im->policies, *(result_val->fp_policies_ids + ii)); if (ipsec_policy_is_equal (vp, policy)) { - vec_foreach_index (iii, fp_spd->fp_policies[policy->type]) + if (vec_len (result_val->fp_policies_ids) == 1) { - if (*(fp_spd->fp_policies[policy->type] + iii) == - *(result_val->fp_policies_ids + ii)) - { - if (vec_len (result_val->fp_policies_ids) == 1) - { - vec_free (result_val->fp_policies_ids); - clib_bihash_add_del_16_8 (bihash_table, &result, 0); - } - else - { - vec_del1 (result_val->fp_policies_ids, ii); - } - vec_del1 (fp_spd->fp_policies[policy->type], iii); - - vec_foreach_index (imt, fp_spd->fp_mask_ids[policy->type]) - { - if ((fp_spd->fp_mask_ids[policy->type] + imt) - ->mask_type_idx == vp->fp_mask_type_id) - { - - if ((fp_spd->fp_mask_ids[policy->type] + imt) - ->refcount-- == 1) - vec_del1 (fp_spd->fp_mask_ids[policy->type], imt); - - break; - } - } - - res = 0; - break; - } + vec_free (result_val->fp_policies_ids); + clib_bihash_add_del_16_8 (bihash_table, &result, 0); } - - if (res != 0) - continue; else + vec_del1 (result_val->fp_policies_ids, ii); + + vec_foreach_index (imt, fp_spd->fp_mask_ids[policy->type]) { - ipsec_fp_release_mask_type (im, vp->fp_mask_type_id); - ipsec_sa_unlock (vp->sa_index); - pool_put (im->policies, vp); - return 0; + if ((fp_spd->fp_mask_ids[policy->type] + imt)->mask_type_idx == + vp->fp_mask_type_id) + { + + if ((fp_spd->fp_mask_ids[policy->type] + imt)->refcount-- == + 1) + vec_del1 (fp_spd->fp_mask_ids[policy->type], imt); + + break; + } } + ipsec_fp_release_mask_type (im, vp->fp_mask_type_id); + ipsec_sa_unlock (vp->sa_index); + pool_put (im->policies, vp); + return 0; } } return -1; -- cgit 1.2.3-korg