On 04.05.2017 19:35, Bill Fischofer wrote:
>
> On Thu, May 4, 2017 at 11:25 AM, Dmitry Eremin-Solenikov
> <[email protected]> wrote:
>
> > Hello,
> >
> > I have been working on limits support in IPsec. Now I have several
> > questions:
> >
> > - Is hard limit crossing fatal? IOW, should I start returning
> > unprocessed packets after crossing it?
>
> The reason for having soft and hard limits is this distinction. When a
> soft limit is reached a notification event should be issued. When a hard
> limit is reached the SA is treated as disabled. So an operation against
> an SA that's reached its hard limit should be treated the same as an
> operation against a disabled SA.

Argh. There is no 'event' for soft limits, just a status in the error
flags. BTW: should we move soft_exp_* to flags instead of errors?

And also there is no way to treat hard-expired SA as disabled. We should
report hard_exp_* through result errors.

> > - Does 'bytes' limit count packet bytes before or IPsec operation? Does
> > it count 'useful' payload or the whole odp_packet_len()?
>
> It's typically easier to just count packets and not be overly concerned
> about trying to cut off packets mid-stream on byte limits. For byte
> counting the SA would simply count the number of bytes processed for
> each operation and compare that to the limits as the operation finishes
> up. Limits are statistical in nature and as such if the odd in-flight
> packet or byte slips past it's not something to worry about.

Ack. I'll count odp_packet_len() then.

-- 
With best wishes
Dmitry
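
The limit semantics discussed in this thread, as an added stand-alone C model that is not part of either message and is not ODP code: the whole packet length is counted per operation, limits are compared as the operation finishes, expiry is reported as sticky status bits, and a hard-expired SA hands packets back unprocessed. The type, function and flag names are hypothetical, and treating a limit as reached with `>=` is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status bits for this sketch; not ODP's identifiers. */
enum { SOFT_EXP_BYTES = 1, SOFT_EXP_PKTS = 2, HARD_EXP_BYTES = 4, HARD_EXP_PKTS = 8 };
#define HARD_EXP (HARD_EXP_BYTES | HARD_EXP_PKTS)

typedef struct {
    uint64_t soft_bytes, hard_bytes;  /* byte limits, 0 = unlimited */
    uint64_t soft_pkts, hard_pkts;    /* packet limits, 0 = unlimited */
    uint64_t bytes, pkts;             /* running counters */
    unsigned status;                  /* sticky expiry bits */
} sa_limits_t;

/* Account one operation of pkt_len bytes (the whole packet length).
 * Returns 1 if the packet was processed, 0 if it is handed back unprocessed. */
static int sa_account(sa_limits_t *sa, uint32_t pkt_len)
{
    if (sa->status & HARD_EXP)        /* hard-expired SA acts like a disabled one */
        return 0;
    sa->bytes += pkt_len;             /* limits are checked as the operation finishes, */
    sa->pkts++;                       /* so the packet that crosses a limit still goes through */
    if (sa->soft_bytes && sa->bytes >= sa->soft_bytes) sa->status |= SOFT_EXP_BYTES;
    if (sa->soft_pkts && sa->pkts >= sa->soft_pkts)    sa->status |= SOFT_EXP_PKTS;
    if (sa->hard_bytes && sa->bytes >= sa->hard_bytes) sa->status |= HARD_EXP_BYTES;
    if (sa->hard_pkts && sa->pkts >= sa->hard_pkts)    sa->status |= HARD_EXP_PKTS;
    return 1;
}

/* Feed n packets of pkt_len bytes each; returns how many were processed. */
static int sa_feed(sa_limits_t *sa, uint32_t pkt_len, int n)
{
    int done = 0;
    for (int i = 0; i < n; i++)
        done += sa_account(sa, pkt_len);
    return done;
}

int main(void)
{
    /* Constructed sample: soft limit 3000 bytes, hard limit 4500 bytes. */
    sa_limits_t sa = { .soft_bytes = 3000, .hard_bytes = 4500 };
    int done = sa_feed(&sa, 1500, 5);
    printf("processed=%d bytes=%llu status=0x%x\n", done,
           (unsigned long long)sa.bytes, sa.status);
    return 0;
}
```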
