From c64278c0c18bd87242ff3fd12891a095cecdbf58 Mon Sep 17 00:00:00 2001 From: Sergio Gonzalez Monroy Date: Thu, 9 Jun 2016 09:42:45 +0100 Subject: [PATCH] examples/ipsec-secgw: rework processing loop Rework implementation moving from function pointers approach, where each function implements very specific functionality, to a generic function approach. Signed-off-by: Sergio Gonzalez Monroy Acked-by: Pablo de Lara --- examples/ipsec-secgw/esp.c | 9 +- examples/ipsec-secgw/esp.h | 9 +- examples/ipsec-secgw/ipsec.c | 36 +++-- examples/ipsec-secgw/ipsec.h | 2 - examples/ipsec-secgw/sa.c | 272 +++++++++++++++-------------------- 5 files changed, 145 insertions(+), 183 deletions(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index 7dce78cec4..2ca97ad013 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -67,9 +67,8 @@ random_iv_u64(uint64_t *buf, uint16_t n) *((uint32_t *)&buf[i]) = (uint32_t)lrand48(); } -/* IPv4 Tunnel */ int -esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, +esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_op *cop) { int32_t payload_len; @@ -117,7 +116,7 @@ esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, } int -esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, +esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_op *cop) { uint8_t *nexthdr, *pad_len; @@ -155,7 +154,7 @@ esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, } int -esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, +esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_op *cop) { uint16_t pad_payload_len, pad_len; 
@@ -234,7 +233,7 @@ esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, } int -esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused, +esp_outbound_post(struct rte_mbuf *m __rte_unused, struct ipsec_sa *sa __rte_unused, struct rte_crypto_op *cop) { diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h index 3101882332..fa5cc8af0e 100644 --- a/examples/ipsec-secgw/esp.h +++ b/examples/ipsec-secgw/esp.h @@ -46,21 +46,20 @@ struct esp_hdr { /* Integrity Check Value - ICV */ }; -/* IPv4 Tunnel */ int -esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, +esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_op *cop); int -esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, +esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_op *cop); int -esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, +esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_op *cop); int -esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, +esp_outbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_op *cop); #endif /* __RTE_IPSEC_XFORM_ESP_H__ */ diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 3ffa77a889..90a9a86675 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -42,6 +42,7 @@ #include #include "ipsec.h" +#include "esp.h" static inline int create_session(struct ipsec_ctx *ipsec_ctx __rte_unused, struct ipsec_sa *sa) 
@@ -99,15 +100,14 @@ enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop) } } -static inline uint16_t -ipsec_processing(struct ipsec_ctx *ipsec_ctx, struct rte_mbuf *pkts[], - struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts) +static inline void +ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, + struct rte_mbuf *pkts[], struct ipsec_sa *sas[], + uint16_t nb_pkts) { - int ret = 0, i, j, nb_cops; + int ret = 0, i; struct ipsec_mbuf_metadata *priv; - struct rte_crypto_op *cops[max_pkts]; struct ipsec_sa *sa; - struct rte_mbuf *pkt; for (i = 0; i < nb_pkts; i++) { rte_prefetch0(sas[i]); @@ -133,7 +133,7 @@ ipsec_processing(struct ipsec_ctx *ipsec_ctx, struct rte_mbuf *pkts[], rte_crypto_op_attach_sym_session(&priv->cop, sa->crypto_session); - ret = sa->pre_crypto(pkts[i], sa, &priv->cop); + ret = xform_func(pkts[i], sa, &priv->cop); if (unlikely(ret)) { rte_pktmbuf_free(pkts[i]); continue; @@ -142,8 +142,18 @@ ipsec_processing(struct ipsec_ctx *ipsec_ctx, struct rte_mbuf *pkts[], RTE_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps); enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop); } +} + +static inline int +ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, + struct rte_mbuf *pkts[], uint16_t max_pkts) +{ + int nb_pkts = 0, ret = 0, i, j, nb_cops; + struct ipsec_mbuf_metadata *priv; + struct rte_crypto_op *cops[max_pkts]; + struct ipsec_sa *sa; + struct rte_mbuf *pkt; - nb_pkts = 0; for (i = 0; i < ipsec_ctx->nb_qps && nb_pkts < max_pkts; i++) { struct cdev_qp *cqp; @@ -168,7 +178,7 @@ ipsec_processing(struct ipsec_ctx *ipsec_ctx, struct rte_mbuf *pkts[], RTE_ASSERT(sa != NULL); - ret = sa->post_crypto(pkt, sa, cops[j]); + ret = xform_func(pkt, sa, cops[j]); if (unlikely(ret)) rte_pktmbuf_free(pkt); else 
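Review bot: ipsec_enqueue() has no comment describing mbuf ownership, and since it now returns void the caller cannot tell how many packets were dropped. In the visible lines every entry of pkts[] is either handed to enqueue_cop() or released with rte_pktmbuf_free() when xform_func fails, so after the call pkts[] can hold pointers to freed mbufs. I would add a header comment such as `/* Takes ownership of pkts[0..nb_pkts): each mbuf is queued to a crypto qp or freed on error; the caller must not touch pkts[] entries afterwards. */`. The loop body continues past this hunk, so paths that are not shown may behave differently.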
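Review bot: The new ipsec_dequeue() keeps the variable-length array `struct rte_crypto_op *cops[max_pkts];` from the removed ipsec_processing(), so stack use is still set by a caller-supplied value, and a max_pkts of 0 makes the declaration undefined behaviour. A fixed bound with a clamp avoids both, for example `struct rte_crypto_op *cops[<burst-limit constant>];` followed by `max_pkts = RTE_MIN(max_pkts, <burst-limit constant>);`, where the placeholder stands for whatever burst limit the application already defines. The function is also declared `int` while ipsec_inbound() and ipsec_outbound() return `uint16_t`; declaring it and `nb_pkts` as `uint16_t` removes the mixed signed/unsigned comparison in `nb_pkts < max_pkts`. The rest of the dequeue loop lies outside this hunk.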
@@ -188,7 +198,9 @@ ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts); - return ipsec_processing(ctx, pkts, sas, nb_pkts, len); + ipsec_enqueue(esp_inbound, ctx, pkts, sas, nb_pkts); + + return ipsec_dequeue(esp_inbound_post, ctx, pkts, len); } uint16_t @@ -199,5 +211,7 @@ ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts); - return ipsec_processing(ctx, pkts, sas, nb_pkts, len); + ipsec_enqueue(esp_outbound, ctx, pkts, sas, nb_pkts); + + return ipsec_dequeue(esp_outbound_post, ctx, pkts, len); } diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index e60fae674e..74ef6fc515 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -86,8 +86,6 @@ struct ipsec_sa { uint32_t dst; struct rte_cryptodev_sym_session *crypto_session; struct rte_crypto_sym_xform *xforms; - ipsec_xform_fn pre_crypto; - ipsec_xform_fn post_crypto; enum rte_crypto_cipher_algorithm cipher_algo; enum rte_crypto_auth_algorithm auth_algo; uint16_t digest_len; diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index b6260ede0e..a193bdfc3d 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c 
@@ -47,160 +47,112 @@ #include "ipsec.h" #include "esp.h" -/* SAs EP0 Outbound */ -const struct ipsec_sa sa_ep0_out[] = { - { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, - 0, 0, 4, - 0, 0 }, +/* SAs Outbound */ +const struct ipsec_sa sa_out[] = { + { + .spi = 5, + .src = IPv4(172, 16, 1, 5), + .dst = IPv4(172, 16, 2, 5), + .cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC, + .auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .digest_len = 12, + .iv_len = 16, + .block_size = 16, + }, + { + .spi = 6, + .src = IPv4(172, 16, 1, 6), + .dst = IPv4(172, 16, 2, 6), + .cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC, + .auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .digest_len = 12, + .iv_len = 16, + .block_size = 16, + }, + { + .spi = 7, + .src = IPv4(172, 16, 1, 7), + .dst = IPv4(172, 16, 2, 7), + .cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC, + .auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .digest_len = 12, + .iv_len = 16, + .block_size = 16, + }, + { + .spi = 8, + .src = IPv4(172, 16, 1, 8), + .dst = IPv4(172, 16, 2, 8), + 
.cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC, + .auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .digest_len = 12, + .iv_len = 16, + .block_size = 16, + }, + { + .spi = 9, + .src = IPv4(172, 16, 1, 9), + .dst = IPv4(172, 16, 2, 9), + .cipher_algo = RTE_CRYPTO_CIPHER_NULL, + .auth_algo = RTE_CRYPTO_AUTH_NULL, + .digest_len = 0, + .iv_len = 0, + .block_size = 4, + } }; -/* SAs EP0 Inbound */ -const struct ipsec_sa sa_ep0_in[] = { - { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, - 0, 0, 4, - 0, 0 }, -}; - -/* SAs EP1 Outbound */ -const struct ipsec_sa sa_ep1_out[] = { - { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 7, 0, 
IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), - NULL, NULL, - esp4_tunnel_outbound_pre_crypto, - esp4_tunnel_outbound_post_crypto, - RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, - 0, 0, 4, - 0, 0 }, -}; - -/* SAs EP1 Inbound */ -const struct ipsec_sa sa_ep1_in[] = { - { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, - 12, 16, 16, - 0, 0 }, - { 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), - NULL, NULL, - esp4_tunnel_inbound_pre_crypto, - esp4_tunnel_inbound_post_crypto, - RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, - 0, 0, 4, - 0, 0 }, +/* SAs Inbound */ +const struct ipsec_sa sa_in[] = { + { + .spi = 55, + .src = IPv4(172, 16, 2, 5), + .dst = IPv4(172, 16, 1, 5), + .cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC, + .auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .digest_len = 12, 
+ .iv_len = 16, + .block_size = 16, + }, + { + .spi = 56, + .src = IPv4(172, 16, 2, 6), + .dst = IPv4(172, 16, 1, 6), + .cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC, + .auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .digest_len = 12, + .iv_len = 16, + .block_size = 16, + }, + { + .spi = 57, + .src = IPv4(172, 16, 2, 7), + .dst = IPv4(172, 16, 1, 7), + .cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC, + .auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .digest_len = 12, + .iv_len = 16, + .block_size = 16, + }, + { + .spi = 58, + .src = IPv4(172, 16, 2, 8), + .dst = IPv4(172, 16, 1, 8), + .cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC, + .auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .digest_len = 12, + .iv_len = 16, + .block_size = 16, + }, + { + .spi = 59, + .src = IPv4(172, 16, 2, 9), + .dst = IPv4(172, 16, 1, 9), + .cipher_algo = RTE_CRYPTO_CIPHER_NULL, + .auth_algo = RTE_CRYPTO_AUTH_NULL, + .digest_len = 0, + .iv_len = 0, + .block_size = 4, + } }; static uint8_t cipher_key[256] = "sixteenbytes key"; @@ -368,15 +320,15 @@ sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep) "initialized\n", socket_id); if (ep == 0) { - sa_out_entries = sa_ep0_out; - nb_out_entries = RTE_DIM(sa_ep0_out); - sa_in_entries = sa_ep0_in; - nb_in_entries = RTE_DIM(sa_ep0_in); + sa_out_entries = sa_out; + nb_out_entries = RTE_DIM(sa_out); + sa_in_entries = sa_in; + nb_in_entries = RTE_DIM(sa_in); } else if (ep == 1) { - sa_out_entries = sa_ep1_out; - nb_out_entries = RTE_DIM(sa_ep1_out); - sa_in_entries = sa_ep1_in; - nb_in_entries = RTE_DIM(sa_ep1_in); + sa_out_entries = sa_in; + nb_out_entries = RTE_DIM(sa_in); + sa_in_entries = sa_out; + nb_in_entries = RTE_DIM(sa_out); } else rte_exit(EXIT_FAILURE, "Invalid EP value %u. " "Only 0 or 1 supported.\n", ep);
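Review bot: The conversion of the SA tables to designated initializers is not purely mechanical, and the commit message does not mention the data changes. The SPI 9 entry moves from endpoints 172.16.1.5/172.16.2.5 to 172.16.1.9/172.16.2.9, and the inbound SPIs are renumbered from 5..9 to 55..59, so a peer still running the old tables would presumably no longer match. The SPI 9 and SPI 59 entries pair `RTE_CRYPTO_CIPHER_NULL` with `RTE_CRYPTO_AUTH_NULL`, which gives neither confidentiality nor integrity; a marker on those entries such as `/* NULL cipher + NULL auth: test only, traffic is neither encrypted nor authenticated */` would stop them being copied into a real configuration. Both arrays could also be `static const`, if nothing outside sa.c refers to them.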
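Review bot: In the `ep == 1` branch, `sa_out_entries = sa_in;` and `sa_in_entries = sa_out;` look like a copy-paste slip to anyone who has not read the tables, because the names now describe EP0's point of view only. A one-line comment above the branch would make the intent explicit, for example `/* EP1 mirrors EP0: the SAs EP0 receives on (sa_in) are the ones EP1 sends on, and vice versa */`. Renaming the tables after the direction relative to EP0 would be a heavier alternative. sa_init() begins and ends outside this hunk.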