#include <vnet/ip/ip.h>
#include <vnet/ipsec/ipsec.h>
+#include <vnet/ipsec/ipsec_io.h>
#if WITH_LIBSSL > 0
while (n_left_from > 0)
{
- u32 bi0, pi0;
- vlib_buffer_t *b0;
+ u32 bi0, pi0, bi1;
+ vlib_buffer_t *b0, *b1;
ipsec_policy_t *p0;
ip4_header_t *ip0;
ip6_header_t *ip6_0 = 0;
bi0 = from[0];
b0 = vlib_get_buffer (vm, bi0);
+ if (n_left_from > 1)
+ {
+ bi1 = from[1];
+ b1 = vlib_get_buffer (vm, bi1);
+ CLIB_PREFETCH (b1, CLIB_CACHE_LINE_BYTES * 2, STORE);
+ vlib_prefetch_buffer_data (b1, LOAD);
+ }
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
iph_offset = vnet_buffer (b0)->ip.save_rewrite_length;
ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0)
if (PREDICT_FALSE (last_sw_if_index != sw_if_index0))
{
uword *p = hash_get (im->spd_index_by_sw_if_index, sw_if_index0);
- ASSERT (p);
+ ALWAYS_ASSERT (p);
spd_index0 = p[0];
spd0 = pool_elt_at_index (im->spds, spd_index0);
last_sw_if_index = sw_if_index0;
{
ipsec_sa_t *sa = 0;
nc_protect++;
- sa = pool_elt_at_index (im->sad, p0->sa_index);
+ sa = ipsec_sa_get (p0->sa_index);
if (sa->protocol == IPSEC_PROTOCOL_ESP)
if (is_ipv6)
next_node_index = im->esp6_encrypt_node_index;
next_node_index = im->ah4_encrypt_node_index;
vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;
- if (is_ipv6)
+ if (PREDICT_FALSE (b0->flags & VNET_BUFFER_F_OFFLOAD))
{
- if (PREDICT_FALSE
- (b0->flags & VNET_BUFFER_F_OFFLOAD_TCP_CKSUM))
- {
- tcp0->checksum =
- ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0,
- &bogus);
- b0->flags &= ~VNET_BUFFER_F_OFFLOAD_TCP_CKSUM;
- }
- if (PREDICT_FALSE
- (b0->flags & VNET_BUFFER_F_OFFLOAD_UDP_CKSUM))
- {
- udp0->checksum =
- ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0,
- &bogus);
- b0->flags &= ~VNET_BUFFER_F_OFFLOAD_UDP_CKSUM;
- }
- }
- else
- {
- if (b0->flags & VNET_BUFFER_F_OFFLOAD_IP_CKSUM)
- {
- ip0->checksum = ip4_header_checksum (ip0);
- b0->flags &= ~VNET_BUFFER_F_OFFLOAD_IP_CKSUM;
- }
- if (PREDICT_FALSE
- (b0->flags & VNET_BUFFER_F_OFFLOAD_TCP_CKSUM))
+ u32 oflags = vnet_buffer2 (b0)->oflags;
+
+ /*
+ * Clearing offload flags before checksum is computed
+ * It guarantees the cache hit!
+ */
+ vnet_buffer_offload_flags_clear (b0, oflags);
+
+ if (is_ipv6)
{
- tcp0->checksum =
- ip4_tcp_udp_compute_checksum (vm, b0, ip0);
- b0->flags &= ~VNET_BUFFER_F_OFFLOAD_TCP_CKSUM;
+ if (PREDICT_FALSE (oflags &
+ VNET_BUFFER_OFFLOAD_F_TCP_CKSUM))
+ {
+ tcp0->checksum = ip6_tcp_udp_icmp_compute_checksum (
+ vm, b0, ip6_0, &bogus);
+ }
+ if (PREDICT_FALSE (oflags &
+ VNET_BUFFER_OFFLOAD_F_UDP_CKSUM))
+ {
+ udp0->checksum = ip6_tcp_udp_icmp_compute_checksum (
+ vm, b0, ip6_0, &bogus);
+ }
}
- if (PREDICT_FALSE
- (b0->flags & VNET_BUFFER_F_OFFLOAD_UDP_CKSUM))
+ else
{
- udp0->checksum =
- ip4_tcp_udp_compute_checksum (vm, b0, ip0);
- b0->flags &= ~VNET_BUFFER_F_OFFLOAD_UDP_CKSUM;
+ if (PREDICT_FALSE (oflags &
+ VNET_BUFFER_OFFLOAD_F_IP_CKSUM))
+ {
+ ip0->checksum = ip4_header_checksum (ip0);
+ }
+ if (PREDICT_FALSE (oflags &
+ VNET_BUFFER_OFFLOAD_F_TCP_CKSUM))
+ {
+ tcp0->checksum =
+ ip4_tcp_udp_compute_checksum (vm, b0, ip0);
+ }
+ if (PREDICT_FALSE (oflags &
+ VNET_BUFFER_OFFLOAD_F_UDP_CKSUM))
+ {
+ udp0->checksum =
+ ip4_tcp_udp_compute_checksum (vm, b0, ip0);
+ }
}
}
vlib_buffer_advance (b0, iph_offset);
ipsec_output_node_fn (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * frame)
{
- clib_warning ("IPSec disabled");
return 0;
}