Re: [dpdk-dev] [PATCH v1 3/5] ipsec: add SAD add/delete/lookup implementation

["Ananyev, Konstantin" <konstantin.ananyev@intel.com>]

Hi Vladimir,

> 
> Replace rte_ipsec_sad_add(), rte_ipsec_sad_del() and
> rte_ipsec_sad_lookup() stubs with actual implementation.
> 
> It uses three librte_hash tables each of which contains
> an entries for a specific SA type (either it is addressed by SPI only
> or SPI+DIP or SPI+DIP+SIP)
> 
> Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
> ---
>  lib/librte_ipsec/ipsec_sad.c | 245 ++++++++++++++++++++++++++++++++++++++++---
>  1 file changed, 233 insertions(+), 12 deletions(-)
> 
> diff --git a/lib/librte_ipsec/ipsec_sad.c b/lib/librte_ipsec/ipsec_sad.c
> index 7797628..4bf2206 100644
> --- a/lib/librte_ipsec/ipsec_sad.c
> +++ b/lib/librte_ipsec/ipsec_sad.c
> @@ -13,6 +13,13 @@
> 
>  #include "rte_ipsec_sad.h"
> 
> +/*
> + * Rules are stored in three hash tables depending on key_type.
> + * Each rule will also be stored in SPI_ONLY table.
> + * for each data entry within this table last two bits are reserved to
> + * indicate presence of entries with the same SPI in DIP and DIP+SIP tables.
> + */
> +
>  #define IPSEC_SAD_NAMESIZE	64
>  #define SAD_PREFIX		"SAD_"
>  /* "SAD_<name>" */
> @@ -37,20 +44,158 @@ static struct rte_tailq_elem rte_ipsec_sad_tailq = {
>  };
>  EAL_REGISTER_TAILQ(rte_ipsec_sad_tailq)
> 
> +#define SET_BIT(ptr, bit)	(void *)((uintptr_t)(ptr) | (uintptr_t)(bit))
> +#define CLEAR_BIT(ptr, bit)	(void *)((uintptr_t)(ptr) & ~(uintptr_t)(bit))
> +#define GET_BIT(ptr, bit)	(void *)((uintptr_t)(ptr) & (uintptr_t)(bit))
> +
> +/*
> + * @internal helper function
> + * Add a rule of type SPI_DIP or SPI_DIP_SIP.
> + * Inserts a rule into an appropriate hash table,
> + * updates the value for a given SPI in SPI_ONLY hash table
> + * reflecting presence of more specific rule type in two LSBs.
> + * Updates a counter that reflects the number of rules whith the same SPI.
> + */
> +static inline int
> +add_specific(struct rte_ipsec_sad *sad, void *key,
> +		int key_type, void *sa)
> +{
> +	void *tmp_val;
> +	int ret, notexist;
> +
> +	ret = rte_hash_lookup(sad->hash[key_type], key);
> +	notexist = (ret == -ENOENT);
> +	ret = rte_hash_add_key_data(sad->hash[key_type], key, sa);
> +	if (ret != 0)
> +		return ret;
> +	ret = rte_hash_lookup_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
> +		key, &tmp_val);
> +	if (ret < 0)
> +		tmp_val = NULL;
> +	tmp_val = SET_BIT(tmp_val, key_type);
> +	ret = rte_hash_add_key_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
> +		key, tmp_val);
> +	if (ret != 0)
> +		return ret;
> +	ret = rte_hash_lookup(sad->hash[RTE_IPSEC_SAD_SPI_ONLY], key);
> +	if (key_type == RTE_IPSEC_SAD_SPI_DIP)
> +		sad->cnt_arr[ret].cnt_2 += notexist;
> +	else
> +		sad->cnt_arr[ret].cnt_3 += notexist;
> +
> +	return 0;
> +}
> +
>  int
> -rte_ipsec_sad_add(__rte_unused struct rte_ipsec_sad *sad,
> -		__rte_unused union rte_ipsec_sad_key *key,
> -		__rte_unused int key_type, __rte_unused void *sa)
> +rte_ipsec_sad_add(struct rte_ipsec_sad *sad, union rte_ipsec_sad_key *key,
> +		int key_type, void *sa)
> +{
> +	void *tmp_val;
> +	int ret;
> +
> +	if ((sad == NULL) || (key == NULL) || (sa == NULL) ||
> +			/* sa must be 4 byte aligned */
> +			(GET_BIT(sa, RTE_IPSEC_SAD_KEY_TYPE_MASK) != 0))
> +		return -EINVAL;
> +
> +	/*
> +	 * Rules are stored in three hash tables depending on key_type.
> +	 * All rules will also have an entry in SPI_ONLY table, with entry
> +	 * value's two LSB's also indicating presence of rule with this SPI
> +	 * in other tables.
> +	 */
> +	switch (key_type) {
> +	case(RTE_IPSEC_SAD_SPI_ONLY):
> +		ret = rte_hash_lookup_data(sad->hash[key_type],
> +			key, &tmp_val);
> +		if (ret >= 0)
> +			tmp_val = SET_BIT(sa, GET_BIT(tmp_val,
> +				RTE_IPSEC_SAD_KEY_TYPE_MASK));
> +		else
> +			tmp_val = sa;
> +		ret = rte_hash_add_key_data(sad->hash[key_type],
> +			key, tmp_val);
> +		return ret;
> +	case(RTE_IPSEC_SAD_SPI_DIP):
> +	case(RTE_IPSEC_SAD_SPI_DIP_SIP):
> +		return add_specific(sad, key, key_type, sa);
> +	default:
> +		return -EINVAL;
> +	}
> +}
> +
> +/*
> + * @internal helper function
> + * Delete a rule of type SPI_DIP or SPI_DIP_SIP.
> + * Deletes an entry from an appropriate hash table and decrements
> + * an entry counter for given SPI.
> + * If entry to remove is the last one with given SPI within the table,
> + * then it will also update related entry in SPI_ONLY table.
> + * Removes an entry from SPI_ONLY hash table if there no rule left
> + * for this SPI in any table.
> + */
> +static inline int
> +del_specific(struct rte_ipsec_sad *sad, void *key, int key_type)
>  {

const void *key
? 

> -	return -ENOTSUP;
> +	void *tmp_val;
> +	int ret;
> +	uint32_t *cnt;

Few extra comments inside that function and add_specific() wouldn't hurt.

> +
> +	ret = rte_hash_del_key(sad->hash[key_type], key);
> +	if (ret < 0)
> +		return ret;
> +	ret = rte_hash_lookup_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
> +		key, &tmp_val);
> +	if (ret < 0)
> +		return ret;
> +	cnt = (key_type == RTE_IPSEC_SAD_SPI_DIP) ? &sad->cnt_arr[ret].cnt_2 :
> +			&sad->cnt_arr[ret].cnt_3;
> +	if (--(*cnt) != 0)
> +		return 0;
> +
> +	tmp_val = CLEAR_BIT(tmp_val, key_type);
> +	if (tmp_val == NULL)
> +		ret = rte_hash_del_key(sad->hash[RTE_IPSEC_SAD_SPI_ONLY], key);
> +	else
> +		ret = rte_hash_add_key_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
> +			key, tmp_val);
> +	if (ret < 0)
> +		return ret;
> +	return 0;
>  }
> 
>  int
> -rte_ipsec_sad_del(__rte_unused struct rte_ipsec_sad *sad,
> -		__rte_unused union rte_ipsec_sad_key *key,
> -		__rte_unused int key_type)
> +rte_ipsec_sad_del(struct rte_ipsec_sad *sad, union rte_ipsec_sad_key *key,

const union rte_ipsec_sad_key *key
?

> +		int key_type)
>  {
> -	return -ENOTSUP;
> +	void *tmp_val;
> +	int ret;
> +
> +	if ((sad == NULL) || (key == NULL))
> +		return -EINVAL;
> +	switch (key_type) {
> +	case(RTE_IPSEC_SAD_SPI_ONLY):
> +		ret = rte_hash_lookup_data(sad->hash[key_type],
> +			key, &tmp_val);
> +		if (ret < 0)
> +			return ret;
> +		if (GET_BIT(tmp_val, RTE_IPSEC_SAD_KEY_TYPE_MASK) == 0) {
> +			RTE_ASSERT((cnt_2 == 0) && (cnt_3 == 0));
> +			ret = rte_hash_del_key(sad->hash[key_type],
> +				key);

I think something like:
ret = ret < 0 ? ret : 0;
is needed here.

> +		} else {
> +			tmp_val = GET_BIT(tmp_val,
> +				RTE_IPSEC_SAD_KEY_TYPE_MASK);
> +			ret = rte_hash_add_key_data(sad->hash[key_type],
> +				key, tmp_val);
> +		}
> +		return ret;
> +	case(RTE_IPSEC_SAD_SPI_DIP):
> +	case(RTE_IPSEC_SAD_SPI_DIP_SIP):
> +		return del_specific(sad, key, key_type);
> +	default:
> +		return -EINVAL;
> +	}
>  }
> 
>  struct rte_ipsec_sad *
> @@ -248,10 +393,86 @@ rte_ipsec_sad_free(struct rte_ipsec_sad *sad)
>  		rte_free(te);
>  }
> 

Pls add a comment for that one and other internal function.
Even if you do remember what exactly it does now, you won't a year later :)

> +static int
> +__ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
> +		const union rte_ipsec_sad_key *keys[], uint32_t n, void *sa[])
> +{
> +	const void *keys_2[RTE_HASH_LOOKUP_BULK_MAX];
> +	const void *keys_3[RTE_HASH_LOOKUP_BULK_MAX];
> +	void *vals_2[RTE_HASH_LOOKUP_BULK_MAX] = {NULL};
> +	void *vals_3[RTE_HASH_LOOKUP_BULK_MAX] = {NULL};
> +	uint32_t idx_2[RTE_HASH_LOOKUP_BULK_MAX];
> +	uint32_t idx_3[RTE_HASH_LOOKUP_BULK_MAX];
> +	uint64_t mask_1, mask_2, mask_3;
> +	uint64_t map, map_spec;
> +	uint32_t n_2 = 0;
> +	uint32_t n_3 = 0;
> +	uint32_t i;
> +	int n_pkts = 0;

s/n_pkts/found/
?

> +
> +	for (i = 0; i < n; i++)
> +		sa[i] = NULL;
> +
> +	/*
> +	 * Lookup keys in SPI only hash table first.
> +	 */
> +	rte_hash_lookup_bulk_data(sad->hash[RTE_IPSEC_SAD_SPI_ONLY],
> +		(const void **)keys, n, &mask_1, sa);
> +	for (map = mask_1; map; map &= (map - 1)) {
> +		i = rte_bsf64(map);
> +		/*
> +		 * if returned value indicates presence of a rule in other
> +		 * tables save a key for further lookup.
> +		 */
> +		if ((uintptr_t)sa[i] & RTE_IPSEC_SAD_SPI_DIP_SIP) {
> +			idx_3[n_3] = i;
> +			keys_3[n_3++] = keys[i];
> +		}
> +		if ((uintptr_t)sa[i] & RTE_IPSEC_SAD_SPI_DIP) {
> +			idx_2[n_2] = i;
> +			keys_2[n_2++] = keys[i];
> +		}
> +		sa[i] = CLEAR_BIT(sa[i], RTE_IPSEC_SAD_KEY_TYPE_MASK);
> +	}

Just as a thought - instead of setting all sa[] to NULL first, and then
going though only found in the loop above, wouldn't it be a bit faster -
after lookup bulk go through all sa[] and set them depending on mask value?
Then first(zero sa[] loop) can be removed.

> +
> +	if (n_2 != 0) {
> +		rte_hash_lookup_bulk_data(sad->hash[RTE_IPSEC_SAD_SPI_DIP],
> +			keys_2, n_2, &mask_2, vals_2);
> +		for (map_spec = mask_2; map_spec; map_spec &= (map_spec - 1)) {
> +			i = rte_bsf64(map_spec);
> +			sa[idx_2[i]] = vals_2[i];
> +		}
> +	}
> +	if (n_3 != 0) {
> +		rte_hash_lookup_bulk_data(sad->hash[RTE_IPSEC_SAD_SPI_DIP_SIP],
> +			keys_3, n_3, &mask_3, vals_3);
> +		for (map_spec = mask_3; map_spec; map_spec &= (map_spec - 1)) {
> +			i = rte_bsf64(map_spec);
> +			sa[idx_3[i]] = vals_3[i];
> +		}
> +	}
> +	for (i = 0; i < n; i++)
> +		n_pkts += (sa[i] != NULL);
> +
> +	return n_pkts;
> +}
> +
>  int
> -rte_ipsec_sad_lookup(__rte_unused const struct rte_ipsec_sad *sad,
> -		__rte_unused const union rte_ipsec_sad_key *keys[],
> -		__rte_unused uint32_t n, __rte_unused void *sa[])
> +rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
> +		const union rte_ipsec_sad_key *keys[], uint32_t n, void *sa[])

Better to follow usual parameter convention and move 'n' after pointers, i.e.:

int rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad, const union rte_ipsec_sad_key *keys[], void *sa[], uint32_t n)

Or provably even better:
int rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad, const union rte_ipsec_sad_key *keys[], const void *sa[], uint32_t n)


>  {
> -	return -ENOTSUP;
> +	uint32_t num, i = 0;
> +	int n_pkts = 0;
> +
> +	if (unlikely((sad == NULL) || (keys == NULL) || (sa == NULL)))
> +		return -EINVAL;
> +
> +	do {
> +		num = RTE_MIN(n - i, (uint32_t)RTE_HASH_LOOKUP_BULK_MAX);
> +		n_pkts += __ipsec_sad_lookup(sad,
> +			&keys[i], num, &sa[i]);
> +		i += num;
> +	} while (i != n);
> +
> +	return n_pkts;
>  }
> --
> 2.7.4