On Thu, May 4, 2017 at 11:44 AM, Dmitry Eremin-Solenikov < [email protected]> wrote:
> On 04.05.2017 19:35, Bill Fischofer wrote: > > > > > > On Thu, May 4, 2017 at 11:25 AM, Dmitry Eremin-Solenikov > > <[email protected] > > <mailto:[email protected]>> wrote: > > > > Hello, > > > > I have been working on limits support in IPsec. Now I have several > > questions: > > > > - Is hard limit crossing fatal? IOW, should I start returning > > unprocessed packets after crossing it? > > > > > > The reason for having soft and hard limits is this distinction. When a > > soft limit is reached a notification event should be issued. When a hard > > limit is reached the SA is treated as disabled. So an operation against > > an SA that's reached it's hard limit should be treated the same as an > > operation against a disabled SA. > > Argh. There is no 'event' for soft limits, just a status in the error > flags. BTW: should we move soft_exp_* to flags instead of errors? > This is one of the "to do" areas we'll hopefully cover next week. Reaching a soft limit should result in an odp_ipsec_status_t event being issued to alert the application that the soft limit was reached. > > And also there is no way to treat hard-expired SA as disabled. We should > report hard_exp_* through result errors. > That's fine. The point is the operation fails. It's an error to continue to process packets against an SA that's reached a hard limit. > > > - Does 'bytes' limit count packet bytes before or IPsec operation? > Does > > it count 'usefull' payload or the whole odp_packet_len()? > > > > > > It's typically easier to just count packets and not be overly concerned > > about trying to cut off packets mid-stream on byte limits. For byte > > counting the SA would simply count the number of bytes processed for > > each operation and compare that to the limits as the operation finishes > > up. Limits are statistical in nature and as such if the odd in-flight > > packet or byte slips past it's not something to worry about. > > Ack. I'll count odp_packet_len() then. > > -- > With best wishes > Dmitry >
