1
2
3
4
5#ifndef __SAD_H__
6#define __SAD_H__
7
8#include <rte_ipsec_sad.h>
9
10#define SA_CACHE_SZ 128
11#define SPI2IDX(spi, mask) ((spi) & (mask))
12
13struct ipsec_sad_cache {
14 struct ipsec_sa **v4;
15 struct ipsec_sa **v6;
16 uint32_t mask;
17};
18
19RTE_DECLARE_PER_LCORE(struct ipsec_sad_cache, sad_cache);
20
21int ipsec_sad_create(const char *name, struct ipsec_sad *sad,
22 int socket_id, struct ipsec_sa_cnt *sa_cnt);
23
24int ipsec_sad_add(struct ipsec_sad *sad, struct ipsec_sa *sa);
25
26int ipsec_sad_lcore_cache_init(uint32_t nb_cache_ent);
27
28static inline int
29cmp_sa_key(struct ipsec_sa *sa, int is_v4, struct rte_ipv4_hdr *ipv4,
30 struct rte_ipv6_hdr *ipv6)
31{
32 int sa_type = WITHOUT_TRANSPORT_VERSION(sa->flags);
33 if ((sa_type == TRANSPORT) ||
34
35 (is_v4 && (sa_type == IP4_TUNNEL) &&
36 (sa->src.ip.ip4 == ipv4->src_addr) &&
37 (sa->dst.ip.ip4 == ipv4->dst_addr)) ||
38
39 (!is_v4 && (sa_type == IP6_TUNNEL) &&
40 (!memcmp(sa->src.ip.ip6.ip6, ipv6->src_addr, 16)) &&
41 (!memcmp(sa->dst.ip.ip6.ip6, ipv6->dst_addr, 16))))
42 return 1;
43
44 return 0;
45}
46
47static inline void
48sa_cache_update(struct ipsec_sa **sa_cache, struct ipsec_sa *sa, uint32_t mask)
49{
50 uint32_t cache_idx;
51
52
53 if (mask == 0)
54 return;
55
56 cache_idx = SPI2IDX(sa->spi, mask);
57 sa_cache[cache_idx] = sa;
58}
59
60static inline void
61sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],
62 void *sa[], uint16_t nb_pkts)
63{
64 uint32_t i;
65 uint32_t nb_v4 = 0, nb_v6 = 0;
66 struct rte_esp_hdr *esp;
67 struct rte_ipv4_hdr *ipv4;
68 struct rte_ipv6_hdr *ipv6;
69 struct rte_ipsec_sadv4_key v4[nb_pkts];
70 struct rte_ipsec_sadv6_key v6[nb_pkts];
71 int v4_idxes[nb_pkts];
72 int v6_idxes[nb_pkts];
73 const union rte_ipsec_sad_key *keys_v4[nb_pkts];
74 const union rte_ipsec_sad_key *keys_v6[nb_pkts];
75 void *v4_res[nb_pkts];
76 void *v6_res[nb_pkts];
77 uint32_t spi, cache_idx;
78 struct ipsec_sad_cache *cache;
79 struct ipsec_sa *cached_sa;
80 int is_ipv4;
81
82 cache = &RTE_PER_LCORE(sad_cache);
83
84
85 for (i = 0; i < nb_pkts; i++) {
86 ipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *);
87 ipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *);
88 esp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *,
89 pkts[i]->l3_len);
90
91 is_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4;
92 spi = rte_be_to_cpu_32(esp->spi);
93 cache_idx = SPI2IDX(spi, cache->mask);
94
95 if (is_ipv4) {
96 cached_sa = (cache->mask != 0) ?
97 cache->v4[cache_idx] : NULL;
98
99 if ((cached_sa != NULL) && (cached_sa->spi == spi)) {
100 if (cmp_sa_key(cached_sa, 1, ipv4, ipv6)) {
101
102 sa[i] = cached_sa;
103 continue;
104 }
105 }
106
107
108
109
110 v4[nb_v4].spi = esp->spi;
111 v4[nb_v4].dip = ipv4->dst_addr;
112 v4[nb_v4].sip = ipv4->src_addr;
113 keys_v4[nb_v4] = (const union rte_ipsec_sad_key *)
114 &v4[nb_v4];
115 v4_idxes[nb_v4++] = i;
116 } else {
117 cached_sa = (cache->mask != 0) ?
118 cache->v6[cache_idx] : NULL;
119 if ((cached_sa != NULL) && (cached_sa->spi == spi)) {
120 if (cmp_sa_key(cached_sa, 0, ipv4, ipv6)) {
121 sa[i] = cached_sa;
122 continue;
123 }
124 }
125 v6[nb_v6].spi = esp->spi;
126 memcpy(v6[nb_v6].dip, ipv6->dst_addr,
127 sizeof(ipv6->dst_addr));
128 memcpy(v6[nb_v6].sip, ipv6->src_addr,
129 sizeof(ipv6->src_addr));
130 keys_v6[nb_v6] = (const union rte_ipsec_sad_key *)
131 &v6[nb_v6];
132 v6_idxes[nb_v6++] = i;
133 }
134 }
135
136 if (nb_v4 != 0)
137 rte_ipsec_sad_lookup(sad->sad_v4, keys_v4, v4_res, nb_v4);
138 if (nb_v6 != 0)
139 rte_ipsec_sad_lookup(sad->sad_v6, keys_v6, v6_res, nb_v6);
140
141 for (i = 0; i < nb_v4; i++) {
142 ipv4 = rte_pktmbuf_mtod(pkts[v4_idxes[i]],
143 struct rte_ipv4_hdr *);
144 if ((v4_res[i] != NULL) &&
145 (cmp_sa_key(v4_res[i], 1, ipv4, NULL))) {
146 sa[v4_idxes[i]] = v4_res[i];
147 sa_cache_update(cache->v4, (struct ipsec_sa *)v4_res[i],
148 cache->mask);
149 } else
150 sa[v4_idxes[i]] = NULL;
151 }
152 for (i = 0; i < nb_v6; i++) {
153 ipv6 = rte_pktmbuf_mtod(pkts[v6_idxes[i]],
154 struct rte_ipv6_hdr *);
155 if ((v6_res[i] != NULL) &&
156 (cmp_sa_key(v6_res[i], 0, NULL, ipv6))) {
157 sa[v6_idxes[i]] = v6_res[i];
158 sa_cache_update(cache->v6, (struct ipsec_sa *)v6_res[i],
159 cache->mask);
160 } else
161 sa[v6_idxes[i]] = NULL;
162 }
163}
164
165#endif
166