From patchwork Fri Oct 20 17:00:02 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Github ODP bot <odpbot@yandex.ru>
X-Patchwork-Id: 116520
Delivered-To: patch@linaro.org
Received: by 10.140.22.164 with SMTP id 33csp1907946qgn;
 Fri, 20 Oct 2017 10:02:32 -0700 (PDT)
X-Google-Smtp-Source: ABhQp+RHceAnNbIBGBPA9rNWM7NqiJP5KjVj9ChS1sSMR48oVu9l78ZbcqpojZhWtaJc1O947t85
X-Received: by 10.200.9.43 with SMTP id t40mr8533772qth.257.1508518952247;
 Fri, 20 Oct 2017 10:02:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1508518952; cv=none;
 d=google.com; s=arc-20160816;
 b=y6Kc0fkf62uxA7B8TiARaOUVMlc/sZvn5fkFAj+tyde7fRyKse62+8WiNmf2Px5iH+
 MgBFuQpOyLD5DhmoEIsoYI4iPqOjTX1rJsRJ147p1zCy+qaNkG4oFRMfTkO5JjBcOwOV
 xGTZ0BU7Ip+04p3W1s7C8l0PzV2REasZnlegtE9ngBdoWAVbqkoxurbhejjfgMmF9VnQ
 1MEOLS32R39OH747Z3DQBWdIXZtppiLGI3ndRwN2ZBhIlmIc3C6gq5igQbVOH/3G/Uke
 /v/tQk0/9Aq/1+ZFYPdoQ355Jm4apTM164sAv6Wse33A8rY0EVRHOVO5Atv33J7zfdXP
 Nt3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:subject:github-pr-num
 :references:in-reply-to:message-id:date:to:from:delivered-to
 :arc-authentication-results;
 bh=dNZNEcCB75T2L0RWMAxg20iVmG/ICW+kpuhlWiDchpw=;
 b=0K6sP1sOmy56h15Qdhdv7hTaHZfLbuo0HVj6VBwUny2lXpqPpPFLITKKIjXMLUtPQw
 IL6ih0H4w0J7K4/ZQH8NuWPxTiiuuEk2Y8r/8zXFOdaulZXV4xTZMkJeVSWRfZI6wOXg
 S7db8m929Yd/9kn45mh0U8w3VIz2BO3mkikLI53+Y6NiyXPxG7oE9XPSbhtDgYX0wEoW
 luZdgv9Hv7hz3DcJNHUAILbZp72p4EJt7RjEtf/7ieoiIPznnsEmc/4lr28ylu8wa4/7
 09ygeJMwTWbMyq1SBuebmY/paHfOdXT0yuLptG3362rHsV7jo6o/WTNtGlguANnU0lib
 eD+Q==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: domain of lng-odp-bounces@lists.linaro.org
 designates 54.197.127.237 as permitted sender)
 smtp.mailfrom=lng-odp-bounces@lists.linaro.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Return-Path: <lng-odp-bounces@lists.linaro.org>
Received: from lists.linaro.org (ec2-54-197-127-237.compute-1.amazonaws.com.
 [54.197.127.237])
 by mx.google.com with ESMTP id r22si891438qta.124.2017.10.20.10.02.32;
 Fri, 20 Oct 2017 10:02:32 -0700 (PDT)
Received-SPF: pass (google.com: domain of lng-odp-bounces@lists.linaro.org
 designates 54.197.127.237 as permitted sender)
 client-ip=54.197.127.237; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of lng-odp-bounces@lists.linaro.org
 designates 54.197.127.237 as permitted sender)
 smtp.mailfrom=lng-odp-bounces@lists.linaro.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Received: by lists.linaro.org (Postfix, from userid 109)
 id EE57E6102E; Fri, 20 Oct 2017 17:02:31 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on ip-10-142-244-252
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
 RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,URIBL_BLOCKED
 autolearn=disabled version=3.4.0
Received: from [127.0.0.1] (localhost [127.0.0.1])
 by lists.linaro.org (Postfix) with ESMTP id 29B3B61001;
 Fri, 20 Oct 2017 17:00:33 +0000 (UTC)
X-Original-To: lng-odp@lists.linaro.org
Delivered-To: lng-odp@lists.linaro.org
Received: by lists.linaro.org (Postfix, from userid 109)
 id 22F7761021; Fri, 20 Oct 2017 17:00:24 +0000 (UTC)
Received: from forward106o.mail.yandex.net (forward106o.mail.yandex.net
 [37.140.190.187])
 by lists.linaro.org (Postfix) with ESMTPS id 7B06861006
 for <lng-odp@lists.linaro.org>; Fri, 20 Oct 2017 17:00:19 +0000 (UTC)
Received: from mxback9j.mail.yandex.net (mxback9j.mail.yandex.net
 [IPv6:2a02:6b8:0:1619::112])
 by forward106o.mail.yandex.net (Yandex) with ESMTP id 26BB5784350
 for <lng-odp@lists.linaro.org>; Fri, 20 Oct 2017 20:00:18 +0300 (MSK)
Received: from smtp4j.mail.yandex.net (smtp4j.mail.yandex.net
 [2a02:6b8:0:1619::15:6])
 by mxback9j.mail.yandex.net (nwsmtp/Yandex) with ESMTP id
 Ib5x6wFm1Y-0Ia4HQMT; Fri, 20 Oct 2017 20:00:18 +0300
Received: by smtp4j.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id
 PUWZGflejI-0HmKI0Vh; Fri, 20 Oct 2017 20:00:17 +0300
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
 (Client certificate not present)
From: Github ODP bot <odpbot@yandex.ru>
To: lng-odp@lists.linaro.org
Date: Fri, 20 Oct 2017 20:00:02 +0300
Message-Id: <1508518809-27877-5-git-send-email-odpbot@yandex.ru>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1508518809-27877-1-git-send-email-odpbot@yandex.ru>
References: <1508518809-27877-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 243
Subject: [lng-odp] [PATCH API-NEXT v2 4/11] linux-gen: ipsec: fix soft/hard
 limits check
X-BeenThere: lng-odp@lists.linaro.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: "The OpenDataPlane \(ODP\) List" <lng-odp.lists.linaro.org>
List-Unsubscribe: <https://lists.linaro.org/mailman/options/lng-odp>,
 <mailto:lng-odp-request@lists.linaro.org?subject=unsubscribe>
List-Archive: <http://lists.linaro.org/pipermail/lng-odp/>
List-Post: <mailto:lng-odp@lists.linaro.org>
List-Help: <mailto:lng-odp-request@lists.linaro.org?subject=help>
List-Subscribe: <https://lists.linaro.org/mailman/listinfo/lng-odp>,
 <mailto:lng-odp-request@lists.linaro.org?subject=subscribe>
Errors-To: lng-odp-bounces@lists.linaro.org
Sender: "lng-odp" <lng-odp-bounces@lists.linaro.org>

From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

Split count expiration check into two phases:
 - optional precheck, run before crypto, which fails only if hard limit
   is already breached
 - update, run after crypto in INBOUND case, so that limits will not be
   updated for packets failing ICV check.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>
---
/** Email created from pull request 243 (lumag:ipsec-packet-impl-3)
 ** https://github.com/Linaro/odp/pull/243
 ** Patch: https://github.com/Linaro/odp/pull/243.patch
 ** Base sha: e3108af2f0b58c2ceca422b418439bba5de04b11
 ** Merge commit sha: 1ac4107a19a46e35c46e3a96416279c6ef0a33d1
 **/
 .../linux-generic/include/odp_ipsec_internal.h     | 10 +++++++++-
 platform/linux-generic/odp_ipsec.c                 | 12 +++++------
 platform/linux-generic/odp_ipsec_sad.c             | 23 +++++++++++++++++++++-
 3 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h
index afc2f686e..68ab195c7 100644
--- a/platform/linux-generic/include/odp_ipsec_internal.h
+++ b/platform/linux-generic/include/odp_ipsec_internal.h
@@ -185,11 +185,19 @@ void _odp_ipsec_sa_unuse(ipsec_sa_t *ipsec_sa);
 ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup);
 
 /**
+ * Run pre-check on SA usage statistics.
+ *
+ * @retval <0 if hard limits were breached
+ */
+int _odp_ipsec_sa_stats_precheck(ipsec_sa_t *ipsec_sa,
+				 odp_ipsec_op_status_t *status);
+
+/**
  * Update SA usage statistics, filling respective status for the packet.
  *
  * @retval <0 if hard limits were breached
  */
-int _odp_ipsec_sa_update_stats(ipsec_sa_t *ipsec_sa, uint32_t len,
+int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len,
 			       odp_ipsec_op_status_t *status);
 
 /**
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index 1aa437b8e..55b60162d 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -412,9 +412,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
 		goto out;
 	}
 
-	if (_odp_ipsec_sa_update_stats(ipsec_sa,
-				       stats_length,
-				       status) < 0)
+	if (_odp_ipsec_sa_stats_precheck(ipsec_sa, status) < 0)
 		goto out;
 
 	param.session = ipsec_sa->session;
@@ -449,6 +447,9 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
 		goto out;
 	}
 
+	if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0)
+		goto out;
+
 	ip_offset = odp_packet_l3_offset(pkt);
 	ip = odp_packet_l3_ptr(pkt, NULL);
 	ip_hdr_len = ipv4_hdr_len(ip);
@@ -835,9 +836,8 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
 		goto out;
 	}
 
-	if (_odp_ipsec_sa_update_stats(ipsec_sa,
-				       stats_length,
-				       status) < 0)
+	/* No need to run precheck here, we know that packet is authentic */
+	if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0)
 		goto out;
 
 	param.session = ipsec_sa->session;
diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c
index 5d20bb66c..fe8dfd0e4 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -476,7 +476,28 @@ ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup)
 	return best;
 }
 
-int _odp_ipsec_sa_update_stats(ipsec_sa_t *ipsec_sa, uint32_t len,
+int _odp_ipsec_sa_stats_precheck(ipsec_sa_t *ipsec_sa,
+				 odp_ipsec_op_status_t *status)
+{
+	uint64_t bytes = odp_atomic_load_u64(&ipsec_sa->bytes);
+	uint64_t packets = odp_atomic_load_u64(&ipsec_sa->packets);
+	int rc = 0;
+
+	if (ipsec_sa->hard_limit_bytes > 0 &&
+	    bytes > ipsec_sa->hard_limit_bytes) {
+		status->error.hard_exp_bytes = 1;
+		rc = -1;
+	}
+	if (ipsec_sa->hard_limit_packets > 0 &&
+	    packets > ipsec_sa->hard_limit_packets) {
+		status->error.hard_exp_packets = 1;
+		rc = -1;
+	}
+
+	return rc;
+}
+
+int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len,
 			       odp_ipsec_op_status_t *status)
 {
 	uint64_t bytes = odp_atomic_fetch_add_u64(&ipsec_sa->bytes, len) + len;