ipsec: fast path outbound policy matching implementation for ipv6
[vpp.git] / src / vnet / ipsec / ipsec_spd.c
index 7e17bb9..22dddfd 100644 (file)
@@ -14,6 +14,7 @@
  */
 
 #include <vnet/ipsec/ipsec.h>
+#include <vnet/ipsec/ipsec_io.h>
 
 int
 ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add)
@@ -42,20 +43,51 @@ ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add)
       }));
       /* *INDENT-ON* */
       hash_unset (im->spd_index_by_spd_id, spd_id);
-      pool_free (spd->policies);
-      vec_free (spd->ipv4_outbound_policies);
-      vec_free (spd->ipv6_outbound_policies);
-      vec_free (spd->ipv4_inbound_protect_policy_indices);
-      vec_free (spd->ipv4_inbound_policy_discard_and_bypass_indices);
+#define _(s,v) vec_free(spd->policies[IPSEC_SPD_POLICY_##s]);
+      foreach_ipsec_spd_policy_type
+#undef _
+       if (im->ipv4_fp_spd_is_enabled)
+      {
+       ipsec_spd_fp_t *fp_spd = &spd->fp_spd;
+
+       clib_bihash_free_16_8 (&fp_spd->fp_ip4_lookup_hash);
+      }
+
+      if (im->ipv6_fp_spd_is_enabled)
+       {
+         ipsec_spd_fp_t *fp_spd = &spd->fp_spd;
+
+         clib_bihash_free_40_8 (&fp_spd->fp_ip6_lookup_hash);
+       }
+
       pool_put (im->spds, spd);
     }
-  else                         /* create new SPD */
+  else /* create new SPD */
     {
       pool_get (im->spds, spd);
       clib_memset (spd, 0, sizeof (*spd));
       spd_index = spd - im->spds;
       spd->id = spd_id;
       hash_set (im->spd_index_by_spd_id, spd_id, spd_index);
+      if (im->ipv4_fp_spd_is_enabled)
+       {
+         ipsec_spd_fp_t *fp_spd = &spd->fp_spd;
+
+         clib_bihash_init_16_8 (
+           &fp_spd->fp_ip4_lookup_hash, "SPD_FP ip4 rules lookup bihash",
+           im->fp_lookup_hash_buckets,
+           im->fp_lookup_hash_buckets * IPSEC_FP_IP4_HASH_MEM_PER_BUCKET);
+       }
+      if (im->ipv6_fp_spd_is_enabled)
+       {
+         ipsec_spd_fp_t *fp_spd = &spd->fp_spd;
+
+         clib_bihash_init_40_8 (
+           &fp_spd->fp_ip6_lookup_hash, "SPD_FP ip6 rules lookup bihash",
+           im->fp_lookup_hash_buckets,
+           im->fp_lookup_hash_buckets * IPSEC_FP_IP6_HASH_MEM_PER_BUCKET);
+         fp_spd->fp_ip6_lookup_hash_initialized = 1;
+       }
     }
   return 0;
 }
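Review bot: The delete branch decides whether to call `clib_bihash_free_16_8` / `clib_bihash_free_40_8` from the global `im->ipv4_fp_spd_is_enabled` / `im->ipv6_fp_spd_is_enabled` flags as they stand at delete time, not from whether this SPD's tables were set up at create time. If either flag can change while an SPD exists (not visible in this hunk), delete would either free a zeroed, never-initialised bihash or skip the free and leak an initialised one. The create branch already records `fp_spd->fp_ip6_lookup_hash_initialized = 1`, so the IPv6 teardown can be gated on it: `if (fp_spd->fp_ip6_lookup_hash_initialized) clib_bihash_free_40_8 (&fp_spd->fp_ip6_lookup_hash);`. The IPv4 create branch sets no equivalent marker in the lines shown, so it would need one before the same guard can be applied there. The body of ipsec_add_del_spd starts outside this hunk.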
@@ -78,7 +110,7 @@ ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id,
 
   p = hash_get (im->spd_index_by_sw_if_index, sw_if_index);
   if (p && is_add)
-    return VNET_API_ERROR_SYSCALL_ERROR_1;     /* spd already assigned */
+    return VNET_API_ERROR_SYSCALL_ERROR_2;     /* spd already assigned */
 
   if (is_add)
     {
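Review bot: The "spd already assigned" return changes from `VNET_API_ERROR_SYSCALL_ERROR_1` to `VNET_API_ERROR_SYSCALL_ERROR_2`, which is a caller-visible change that the commit title does not mention and the code does not explain. Presumably this separates it from another `ERROR_1` return earlier in ipsec_set_interface_spd, but that part of the function is outside the hunk. A comment on the return line stating which failure each generic code stands for, for example `/* ERROR_2: an spd is already bound to this sw_if_index */`, would let API clients and log readers tell the cases apart. Any caller that matched on `ERROR_1` for this case should be checked as well.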
@@ -89,9 +121,6 @@ ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id,
       hash_unset (im->spd_index_by_sw_if_index, sw_if_index);
     }
 
-  clib_warning ("sw_if_index %u spd_id %u spd_index %u",
-               sw_if_index, spd_id, spd_index);
-
   /* enable IPsec on TX */
   vnet_feature_enable_disable ("ip4-output", "ipsec4-output-feature",
                               sw_if_index, is_add, 0, 0);