X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_output.c;h=23a86de0744acfae51430161c6e756a6ff0bae06;hb=c5fe57dac12a46fa618259643909afaec1ac5aae;hp=83ab629453dd4553c98c77fc4309266084a2c8fe;hpb=231c4696872cb344f28648949603840136c0795d;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_output.c b/src/vnet/ipsec/ipsec_output.c index 83ab629453d..23a86de0744 100644 --- a/src/vnet/ipsec/ipsec_output.c +++ b/src/vnet/ipsec/ipsec_output.c @@ -82,16 +82,16 @@ ipsec_output_policy_match (ipsec_spd_t * spd, u8 pr, u32 la, u32 ra, u16 lp, if (PREDICT_FALSE (p->protocol && (p->protocol != pr))) continue; - if (ra < p->raddr.start.ip4.as_u32) + if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32)) continue; - if (ra > p->raddr.stop.ip4.as_u32) + if (ra > clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32)) continue; - if (la < p->laddr.start.ip4.as_u32) + if (la < clib_net_to_host_u32 (p->laddr.start.ip4.as_u32)) continue; - if (la > p->laddr.stop.ip4.as_u32) + if (la > clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32)) continue; if (PREDICT_FALSE @@ -194,8 +194,8 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node, while (n_left_from > 0) { - u32 bi0, pi0; - vlib_buffer_t *b0; + u32 bi0, pi0, bi1; + vlib_buffer_t *b0, *b1; ipsec_policy_t *p0; ip4_header_t *ip0; ip6_header_t *ip6_0 = 0; @@ -206,6 +206,13 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node, bi0 = from[0]; b0 = vlib_get_buffer (vm, bi0); + if (n_left_from > 1) + { + bi1 = from[1]; + b1 = vlib_get_buffer (vm, bi1); + CLIB_PREFETCH (b1, CLIB_CACHE_LINE_BYTES * 2, STORE); + vlib_prefetch_buffer_data (b1, LOAD); + } sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX]; iph_offset = vnet_buffer (b0)->ip.save_rewrite_length; ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) 
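Review bot: Nothing on `ipsec_output_policy_match` records that `la`, `ra` and the ports must now be passed in host byte order, and a caller that still hands in wire-order values would match the wrong address range without any error on a little-endian host. I would add a comment above the function such as `/* la, ra and the ports are host byte order; policy address bounds are kept in network order and converted here */`. The four `clib_net_to_host_u32` calls also run once per policy per packet; converting the bounds once when the policy is added would take them out of the loop, if the rest of the code allows it. A test with a range that crosses a byte boundary (constructed example: 10.0.0.250 to 10.0.1.5) would pin the corrected behaviour. The function body begins and ends outside the hunk.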
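Review bot: `bi1` and `b1` are declared for the whole loop body (in the previous hunk) but are only assigned and used inside the `if (n_left_from > 1)` block added here. Declaring them in that block keeps the scope tight and avoids a maybe-uninitialized warning if a later change reads them outside it. For example, `vlib_buffer_t *b1 = vlib_get_buffer (vm, from[1]);` inside the block makes `bi1` unnecessary. The loop body continues outside the hunk.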
@@ -215,7 +222,7 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (PREDICT_FALSE (last_sw_if_index != sw_if_index0)) { uword *p = hash_get (im->spd_index_by_sw_if_index, sw_if_index0); - ASSERT (p); + ALWAYS_ASSERT (p); spd_index0 = p[0]; spd0 = pool_elt_at_index (im->spds, spd_index0); last_sw_if_index = sw_if_index0; @@ -239,8 +246,10 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node, p0 = ipsec6_output_policy_match (spd0, &ip6_0->src_address, &ip6_0->dst_address, - udp0->src_port, - udp0->dst_port, ip6_0->protocol); + clib_net_to_host_u16 + (udp0->src_port), + clib_net_to_host_u16 + (udp0->dst_port), ip6_0->protocol); } else { @@ -256,9 +265,14 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node, #endif p0 = ipsec_output_policy_match (spd0, ip0->protocol, - ip0->src_address.as_u32, - ip0->dst_address.as_u32, - udp0->src_port, udp0->dst_port); + clib_net_to_host_u32 + (ip0->src_address.as_u32), + clib_net_to_host_u32 + (ip0->dst_address.as_u32), + clib_net_to_host_u16 + (udp0->src_port), + clib_net_to_host_u16 + (udp0->dst_port)); } tcp0 = (void *) udp0; @@ -283,7 +297,7 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node, { ipsec_sa_t *sa = 0; nc_protect++; - sa = pool_elt_at_index (im->sad, p0->sa_index); + sa = ipsec_sa_get (p0->sa_index); if (sa->protocol == IPSEC_PROTOCOL_ESP) if (is_ipv6) next_node_index = im->esp6_encrypt_node_index; 
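Review bot: With `ALWAYS_ASSERT (p)`, a missing entry in `im->spd_index_by_sw_if_index` aborts the process in release images too, so one packet arriving on an interface without an SPD binding stops the whole dataplane. That is better defined than the null dereference at `spd_index0 = p[0]` which a release build would reach with the old `ASSERT`, but it is still an availability problem if the binding can disappear while packets are in flight; whether it can is not visible here. I would rather drop the buffer and bump an error counter when the lookup fails, roughly `if (PREDICT_FALSE (p == 0)) { /* count and drop b0 */ }`, and keep the assert for debug images. The surrounding loop begins and ends outside the hunk.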
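Review bot: The port comparisons inside `ipsec6_output_policy_match` and `ipsec_output_policy_match` are not touched by this diff, so it cannot be confirmed from here that the policy port bounds are held in host order to match the `clib_net_to_host_u16` values now passed in. If they are kept in wire order like the IPv4 address bounds, port selectors would mis-match on little-endian hosts. The same applies to the IPv4 call in the next hunk. Both calls also read `udp0->src_port` and `udp0->dst_port` whatever the protocol is, so it is worth confirming that the matchers ignore ports for non-TCP/UDP traffic. A call-site comment such as `/* selectors are passed in host byte order */` would record the convention.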
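Review bot: `sa` is dereferenced on the very next line (`sa->protocol`) after `ipsec_sa_get (p0->sa_index)`, and the replaced `pool_elt_at_index` carried a debug-build check that the index names a live pool element. Whether `ipsec_sa_get` keeps an equivalent check is not visible in this diff. If it does not, a policy that still references a deleted SA would yield a stale element with no diagnostic, so an assertion inside the accessor is worth confirming. The `= 0` in `ipsec_sa_t *sa = 0;` is also dead; `ipsec_sa_t *sa = ipsec_sa_get (p0->sa_index);` reads more directly.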
@@ -295,45 +309,50 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node, next_node_index = im->ah4_encrypt_node_index; vnet_buffer (b0)->ipsec.sad_index = p0->sa_index; - if (is_ipv6) + if (PREDICT_FALSE (b0->flags & VNET_BUFFER_F_OFFLOAD)) { - if (PREDICT_FALSE - (b0->flags & VNET_BUFFER_F_OFFLOAD_TCP_CKSUM)) - { - tcp0->checksum = - ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0, - &bogus); - b0->flags &= ~VNET_BUFFER_F_OFFLOAD_TCP_CKSUM; - } - if (PREDICT_FALSE - (b0->flags & VNET_BUFFER_F_OFFLOAD_UDP_CKSUM)) - { - udp0->checksum = - ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0, - &bogus); - b0->flags &= ~VNET_BUFFER_F_OFFLOAD_UDP_CKSUM; - } - } - else - { - if (b0->flags & VNET_BUFFER_F_OFFLOAD_IP_CKSUM) - { - ip0->checksum = ip4_header_checksum (ip0); - b0->flags &= ~VNET_BUFFER_F_OFFLOAD_IP_CKSUM; - } - if (PREDICT_FALSE - (b0->flags & VNET_BUFFER_F_OFFLOAD_TCP_CKSUM)) + u32 oflags = vnet_buffer2 (b0)->oflags; + + /* + * Clearing offload flags before checksum is computed + * It guarantees the cache hit! 
+ */ + vnet_buffer_offload_flags_clear (b0, oflags); + + if (is_ipv6) { - tcp0->checksum = - ip4_tcp_udp_compute_checksum (vm, b0, ip0); - b0->flags &= ~VNET_BUFFER_F_OFFLOAD_TCP_CKSUM; + if (PREDICT_FALSE (oflags & + VNET_BUFFER_OFFLOAD_F_TCP_CKSUM)) + { + tcp0->checksum = ip6_tcp_udp_icmp_compute_checksum ( + vm, b0, ip6_0, &bogus); + } + if (PREDICT_FALSE (oflags & + VNET_BUFFER_OFFLOAD_F_UDP_CKSUM)) + { + udp0->checksum = ip6_tcp_udp_icmp_compute_checksum ( + vm, b0, ip6_0, &bogus); + } } - if (PREDICT_FALSE - (b0->flags & VNET_BUFFER_F_OFFLOAD_UDP_CKSUM)) + else { - udp0->checksum = - ip4_tcp_udp_compute_checksum (vm, b0, ip0); - b0->flags &= ~VNET_BUFFER_F_OFFLOAD_UDP_CKSUM; + if (PREDICT_FALSE (oflags & + VNET_BUFFER_OFFLOAD_F_IP_CKSUM)) + { + ip0->checksum = ip4_header_checksum (ip0); + } + if (PREDICT_FALSE (oflags & + VNET_BUFFER_OFFLOAD_F_TCP_CKSUM)) + { + tcp0->checksum = + ip4_tcp_udp_compute_checksum (vm, b0, ip0); + } + if (PREDICT_FALSE (oflags & + VNET_BUFFER_OFFLOAD_F_UDP_CKSUM)) + { + udp0->checksum = + ip4_tcp_udp_compute_checksum (vm, b0, ip0); + } } } vlib_buffer_advance (b0, iph_offset); @@ -466,7 +485,6 @@ static uword ipsec_output_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { - clib_warning ("IPSec disabled"); return 0; }
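Review bot: `vnet_buffer_offload_flags_clear (b0, oflags)` clears every offload bit that was set, while the branches below only carry out the IP, TCP and UDP checksums; the removed code cleared just those three flags. If `oflags` can hold any other offload request (not visible in this hunk), that request is discarded without being performed before the buffer reaches the encrypt node. Either mask the clear, `vnet_buffer_offload_flags_clear (b0, oflags & (VNET_BUFFER_OFFLOAD_F_IP_CKSUM | VNET_BUFFER_OFFLOAD_F_TCP_CKSUM | VNET_BUFFER_OFFLOAD_F_UDP_CKSUM));`, or state in the comment that dropping the remaining bits is intended. The comment "It guarantees the cache hit!" would also be clearer if it named the access it refers to. The enclosing branch starts outside the hunk.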