On Thu, May 4, 2017 at 11:25 AM, Dmitry Eremin-Solenikov < [email protected]> wrote:
> Hello,
>
> I have been working on limits support in IPsec. Now I have several
> questions:
>
> - Is hard limit crossing fatal? IOW, should I start returning
> unprocessed packets after crossing it?
>

The reason for having soft and hard limits is this distinction. When a soft limit is reached a notification event should be issued. When a hard limit is reached the SA is treated as disabled. So an operation against an SA that's reached its hard limit should be treated the same as an operation against a disabled SA.

>
> - Does 'bytes' limit count packet bytes before or IPsec operation? Does
> it count 'useful' payload or the whole odp_packet_len()?
>

It's typically easier to just count packets and not be overly concerned about trying to cut off packets mid-stream on byte limits. For byte counting the SA would simply count the number of bytes processed for each operation and compare that to the limits as the operation finishes up. Limits are statistical in nature and as such if the odd in-flight packet or byte slips past it's not something to worry about.

>
> --
> With best wishes
> Dmitry
>
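The soft/hard limit behaviour described in the reply above, as an added sketch that is not part of the original message and is not ODP code. The names `sa_limits_t`, `sa_t`, `sa_status_t` and `sa_process` are hypothetical, and treating a limit of 0 as "no limit" is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical types for illustration; these are not ODP API names. */
typedef struct {
    uint64_t soft_bytes, hard_bytes; /* assumption: 0 means "no limit" */
    uint64_t soft_pkts, hard_pkts;
} sa_limits_t;

typedef struct {
    sa_limits_t lim;
    uint64_t bytes, pkts;   /* totals over completed operations */
    unsigned soft_events;   /* soft-limit notifications issued */
    bool soft_notified;
    bool disabled;          /* set once a hard limit is reached */
} sa_t;

typedef enum { SA_OK, SA_OK_SOFT_EXPIRED, SA_DISABLED } sa_status_t;

static bool reached(uint64_t count, uint64_t limit)
{
    return limit != 0 && count >= limit;
}

/* Process one packet of `len` bytes on the SA and update its counters. */
sa_status_t sa_process(sa_t *sa, uint64_t len)
{
    /* Hard limit already reached: same outcome as a disabled SA. */
    if (sa->disabled)
        return SA_DISABLED;
    /* ... the IPsec transform itself would run here ... */

    /* Count as the operation finishes; the packet that crosses a
     * limit is still processed, later ones are refused. */
    sa->pkts++;
    sa->bytes += len;
    if (reached(sa->bytes, sa->lim.hard_bytes) ||
        reached(sa->pkts, sa->lim.hard_pkts))
        sa->disabled = true;

    /* Soft limit: notify once, keep the SA usable. */
    if (!sa->soft_notified && (reached(sa->bytes, sa->lim.soft_bytes) ||
                               reached(sa->pkts, sa->lim.soft_pkts))) {
        sa->soft_notified = true;
        sa->soft_events++;
        return SA_OK_SOFT_EXPIRED;
    }
    return SA_OK;
}
```

The soft-limit status is returned once so the caller can start rekeying while traffic continues; after the hard limit every call returns `SA_DISABLED` without touching the counters.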
