[v4,4/9] examples/ipsec-secgw: fix outbound codepath for single SA
Checks
Commit Message
Looking at process_pkts_outbound_nosp() there seems few issues:
- accessing mbuf after it was freed
- invoking ipsec_outbound() for ipv4 packets only
- copying number of packets, but not the mbuf pointers itself
that patch provides fixes for that issues.
Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
---
examples/ipsec-secgw/ipsec-secgw.c | 32 ++++++++++++++++++++----------
1 file changed, 22 insertions(+), 10 deletions(-)
Comments
On 12/14/2018 10:10 PM, Konstantin Ananyev wrote:
> Looking at process_pkts_outbound_nosp() there seems few issues:
> - accessing mbuf after it was freed
> - invoking ipsec_outbound() for ipv4 packets only
> - copying number of packets, but not the mbuf pointers itself
>
> that patch provides fixes for that issues.
>
> Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
>
> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> Acked-by: Radu Nicolau <radu.nicolau@intel.com>
> ---
> examples/ipsec-secgw/ipsec-secgw.c | 32 ++++++++++++++++++++----------
> 1 file changed, 22 insertions(+), 10 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 62443172a..d1da2d5ce 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -616,32 +616,44 @@ process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx,
> struct ipsec_traffic *traffic)
> {
> struct rte_mbuf *m;
> - uint32_t nb_pkts_out, i;
> + uint32_t nb_pkts_out, i, n;
> struct ip *ip;
>
> /* Drop any IPsec traffic from protected ports */
> for (i = 0; i < traffic->ipsec.num; i++)
> rte_pktmbuf_free(traffic->ipsec.pkts[i]);
>
> - traffic->ipsec.num = 0;
> + n = 0;
>
> - for (i = 0; i < traffic->ip4.num; i++)
> - traffic->ip4.res[i] = single_sa_idx;
> + for (i = 0; i < traffic->ip4.num; i++) {
> + traffic->ipsec.pkts[n] = traffic->ip4.pkts[i];
> + traffic->ipsec.res[n++] = single_sa_idx;
> + }
>
> - for (i = 0; i < traffic->ip6.num; i++)
> - traffic->ip6.res[i] = single_sa_idx;
> + for (i = 0; i < traffic->ip6.num; i++) {
> + traffic->ipsec.pkts[n] = traffic->ip6.pkts[i];
> + traffic->ipsec.res[n++] = single_sa_idx;
> + }
> +
> + traffic->ip4.num = 0;
> + traffic->ip6.num = 0;
> + traffic->ipsec.num = n;
>
> - nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ip4.pkts,
> - traffic->ip4.res, traffic->ip4.num,
> + nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec.pkts,
> + traffic->ipsec.res, traffic->ipsec.num,
> MAX_PKT_BURST);
>
> /* They all sue the same SA (ip4 or ip6 tunnel) */
> m = traffic->ipsec.pkts[i];
> ip = rte_pktmbuf_mtod(m, struct ip *);
> - if (ip->ip_v == IPVERSION)
> + if (ip->ip_v == IPVERSION) {
> traffic->ip4.num = nb_pkts_out;
> - else
> + for (i = 0; i < nb_pkts_out; i++)
> + traffic->ip4.pkts[i] = traffic->ipsec.pkts[i];
> + } else {
> traffic->ip6.num = nb_pkts_out;
> + traffic->ip6.pkts[i] = traffic->ipsec.pkts[i];
you don't need a for loop here??
> + }
> }
>
> static inline int32_t
> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Friday, December 21, 2018 2:26 PM
> To: Ananyev, Konstantin <konstantin.ananyev@intel.com>; dev@dpdk.org
> Cc: Nicolau, Radu <radu.nicolau@intel.com>
> Subject: Re: [dpdk-dev] [PATCH v4 4/9] examples/ipsec-secgw: fix outbound codepath for single SA
>
>
>
> On 12/14/2018 10:10 PM, Konstantin Ananyev wrote:
> > Looking at process_pkts_outbound_nosp() there seems few issues:
> > - accessing mbuf after it was freed
> > - invoking ipsec_outbound() for ipv4 packets only
> > - copying number of packets, but not the mbuf pointers itself
> >
> > that patch provides fixes for that issues.
> >
> > Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
> >
> > Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > Acked-by: Radu Nicolau <radu.nicolau@intel.com>
> > ---
> > examples/ipsec-secgw/ipsec-secgw.c | 32 ++++++++++++++++++++----------
> > 1 file changed, 22 insertions(+), 10 deletions(-)
> >
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> > index 62443172a..d1da2d5ce 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > @@ -616,32 +616,44 @@ process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx,
> > struct ipsec_traffic *traffic)
> > {
> > struct rte_mbuf *m;
> > - uint32_t nb_pkts_out, i;
> > + uint32_t nb_pkts_out, i, n;
> > struct ip *ip;
> >
> > /* Drop any IPsec traffic from protected ports */
> > for (i = 0; i < traffic->ipsec.num; i++)
> > rte_pktmbuf_free(traffic->ipsec.pkts[i]);
> >
> > - traffic->ipsec.num = 0;
> > + n = 0;
> >
> > - for (i = 0; i < traffic->ip4.num; i++)
> > - traffic->ip4.res[i] = single_sa_idx;
> > + for (i = 0; i < traffic->ip4.num; i++) {
> > + traffic->ipsec.pkts[n] = traffic->ip4.pkts[i];
> > + traffic->ipsec.res[n++] = single_sa_idx;
> > + }
> >
> > - for (i = 0; i < traffic->ip6.num; i++)
> > - traffic->ip6.res[i] = single_sa_idx;
> > + for (i = 0; i < traffic->ip6.num; i++) {
> > + traffic->ipsec.pkts[n] = traffic->ip6.pkts[i];
> > + traffic->ipsec.res[n++] = single_sa_idx;
> > + }
> > +
> > + traffic->ip4.num = 0;
> > + traffic->ip6.num = 0;
> > + traffic->ipsec.num = n;
> >
> > - nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ip4.pkts,
> > - traffic->ip4.res, traffic->ip4.num,
> > + nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec.pkts,
> > + traffic->ipsec.res, traffic->ipsec.num,
> > MAX_PKT_BURST);
> >
> > /* They all sue the same SA (ip4 or ip6 tunnel) */
> > m = traffic->ipsec.pkts[i];
> > ip = rte_pktmbuf_mtod(m, struct ip *);
> > - if (ip->ip_v == IPVERSION)
> > + if (ip->ip_v == IPVERSION) {
> > traffic->ip4.num = nb_pkts_out;
> > - else
> > + for (i = 0; i < nb_pkts_out; i++)
> > + traffic->ip4.pkts[i] = traffic->ipsec.pkts[i];
> > + } else {
> > traffic->ip6.num = nb_pkts_out;
> > + traffic->ip6.pkts[i] = traffic->ipsec.pkts[i];
> you don't need a for loop here??
> > + }
Yep, missed that.
Will update.
> > }
> >
> > static inline int32_t
@@ -616,32 +616,44 @@ process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx,
struct ipsec_traffic *traffic)
{
struct rte_mbuf *m;
- uint32_t nb_pkts_out, i;
+ uint32_t nb_pkts_out, i, n;
struct ip *ip;
/* Drop any IPsec traffic from protected ports */
for (i = 0; i < traffic->ipsec.num; i++)
rte_pktmbuf_free(traffic->ipsec.pkts[i]);
- traffic->ipsec.num = 0;
+ n = 0;
- for (i = 0; i < traffic->ip4.num; i++)
- traffic->ip4.res[i] = single_sa_idx;
+ for (i = 0; i < traffic->ip4.num; i++) {
+ traffic->ipsec.pkts[n] = traffic->ip4.pkts[i];
+ traffic->ipsec.res[n++] = single_sa_idx;
+ }
- for (i = 0; i < traffic->ip6.num; i++)
- traffic->ip6.res[i] = single_sa_idx;
+ for (i = 0; i < traffic->ip6.num; i++) {
+ traffic->ipsec.pkts[n] = traffic->ip6.pkts[i];
+ traffic->ipsec.res[n++] = single_sa_idx;
+ }
+
+ traffic->ip4.num = 0;
+ traffic->ip6.num = 0;
+ traffic->ipsec.num = n;
- nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ip4.pkts,
- traffic->ip4.res, traffic->ip4.num,
+ nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec.pkts,
+ traffic->ipsec.res, traffic->ipsec.num,
MAX_PKT_BURST);
/* They all sue the same SA (ip4 or ip6 tunnel) */
m = traffic->ipsec.pkts[i];
ip = rte_pktmbuf_mtod(m, struct ip *);
- if (ip->ip_v == IPVERSION)
+ if (ip->ip_v == IPVERSION) {
traffic->ip4.num = nb_pkts_out;
- else
+ for (i = 0; i < nb_pkts_out; i++)
+ traffic->ip4.pkts[i] = traffic->ipsec.pkts[i];
+ } else {
traffic->ip6.num = nb_pkts_out;
+ traffic->ip6.pkts[i] = traffic->ipsec.pkts[i];
+ }
}
static inline int32_t