From: Marcin Smoczynski <marcinx.smoczynski@intel.com>
To: anoobj@marvell.com, akhil.goyal@nxp.com, konstantin.ananyev@intel.com
Cc: dev@dpdk.org, Marcin Smoczynski <marcinx.smoczynski@intel.com>
Subject: [dpdk-dev] [PATCH v5 1/4] examples/ipsec-secgw: ipsec_sa structure cleanup
Date: Fri, 27 Sep 2019 17:54:43 +0200 [thread overview]
Message-ID: <20190927155446.19136-2-marcinx.smoczynski@intel.com> (raw)
In-Reply-To: <20190927155446.19136-1-marcinx.smoczynski@intel.com>
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
---
examples/ipsec-secgw/esp.c | 35 +++++++----
examples/ipsec-secgw/ipsec.c | 91 +++++++++++++++-------------
examples/ipsec-secgw/ipsec.h | 27 ++++++---
examples/ipsec-secgw/ipsec_process.c | 30 ++++-----
examples/ipsec-secgw/sa.c | 66 ++++++++++----------
5 files changed, 137 insertions(+), 112 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d6d7b1256..c1b49da1e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
int32_t payload_len, ip_hdr_len;
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
return 0;
RTE_ASSERT(m != NULL);
@@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
uint8_t *nexthdr, *pad_len;
uint8_t *padding;
uint16_t i;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ ips = ipsec_get_session(sa);
+
+ if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
return -1;
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
nexthdr = &m->inner_esp_next_proto;
} else {
nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
@@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
struct rte_crypto_sym_op *sym_cop;
int32_t i;
uint16_t pad_payload_len, pad_len, ip_hdr_len;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
+ ips = ipsec_get_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
@@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
/* Add trailer padding if it is not constructed by HW */
- if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- !(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ !(ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
sa->digest_len);
if (unlikely(padding == NULL)) {
@@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
/* Set the inner esp next protocol for HW trailer */
m->inner_esp_next_proto = nlp;
m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
@@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m,
struct ipsec_sa *sa,
struct rte_crypto_op *cop)
{
+ enum rte_security_session_action_type type;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ type = ipsec_get_action_type(sa);
+
+ if ((type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
m->ol_flags |= PKT_TX_SEC_OFFLOAD;
} else {
RTE_ASSERT(cop != NULL);
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index dc85adfe5..8c60bd84b 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -40,7 +40,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
int
-create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
+create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips)
{
struct rte_cryptodev_info cdev_info;
unsigned long cdev_id_qp = 0;
@@ -71,9 +72,9 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
ipsec_ctx->tbl[cdev_id_qp].id,
ipsec_ctx->tbl[cdev_id_qp].qp);
- if (sa->type != RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) {
struct rte_security_session_conf sess_conf = {
- .action_type = sa->type,
+ .action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
{.ipsec = {
.spi = sa->spi,
@@ -90,7 +91,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
};
- if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
struct rte_security_ctx *ctx = (struct rte_security_ctx *)
rte_cryptodev_get_sec_ctx(
ipsec_ctx->tbl[cdev_id_qp].id);
@@ -98,9 +99,9 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
/* Set IPsec parameters in conf */
set_ipsec_conf(sa, &(sess_conf.ipsec));
- sa->sec_session = rte_security_session_create(ctx,
+ ips->security.ses = rte_security_session_create(ctx,
&sess_conf, ipsec_ctx->session_priv_pool);
- if (sa->sec_session == NULL) {
+ if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
@@ -110,10 +111,10 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
return -1;
}
} else {
- sa->crypto_session = rte_cryptodev_sym_session_create(
+ ips->crypto.ses = rte_cryptodev_sym_session_create(
ipsec_ctx->session_pool);
rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,
- sa->crypto_session, sa->xforms,
+ ips->crypto.ses, sa->xforms,
ipsec_ctx->session_priv_pool);
rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id,
@@ -126,12 +127,13 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
}
int
-create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
+create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips)
{
int32_t ret = 0;
struct rte_security_ctx *sec_ctx;
struct rte_security_session_conf sess_conf = {
- .action_type = sa->type,
+ .action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
{.ipsec = {
.spi = sa->spi,
@@ -151,7 +153,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n",
sa->spi, sa->portid);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
struct rte_flow_error err;
const struct rte_security_capability *sec_cap;
int ret = 0;
@@ -165,9 +167,9 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
return -1;
}
- sa->sec_session = rte_security_session_create(sec_ctx,
+ ips->security.ses = rte_security_session_create(sec_ctx,
&sess_conf, skt_ctx->session_pool);
- if (sa->sec_session == NULL) {
+ if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
@@ -177,7 +179,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
/* iterate until ESP tunnel*/
while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) {
- if (sec_cap->action == sa->type &&
+ if (sec_cap->action == ips->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
@@ -193,8 +195,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
return -1;
}
- sa->ol_flags = sec_cap->ol_flags;
- sa->security_ctx = sec_ctx;
+ ips->security.ol_flags = sec_cap->ol_flags;
+ ips->security.ctx = sec_ctx;
sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
if (IS_IP6(sa->flags)) {
@@ -223,7 +225,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
- sa->action[0].conf = sa->sec_session;
+ sa->action[0].conf = ips->security.ses;
sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
@@ -282,8 +284,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
if (ret)
goto flow_create_failure;
} else if (sa->attr.egress &&
- (sa->ol_flags &
- RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {
+ (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {
sa->action[1].type =
RTE_FLOW_ACTION_TYPE_PASSTHRU;
sa->action[2].type =
@@ -299,7 +301,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
err.message);
return -1;
}
- } else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
+ } else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
const struct rte_security_capability *sec_cap;
sec_ctx = (struct rte_security_ctx *)
@@ -327,9 +329,9 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
sess_conf.userdata = (void *) sa;
- sa->sec_session = rte_security_session_create(sec_ctx,
+ ips->security.ses = rte_security_session_create(sec_ctx,
&sess_conf, skt_ctx->session_pool);
- if (sa->sec_session == NULL) {
+ if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
@@ -345,7 +347,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
/* iterate until ESP tunnel*/
while (sec_cap->action !=
RTE_SECURITY_ACTION_TYPE_NONE) {
- if (sec_cap->action == sa->type &&
+ if (sec_cap->action == ips->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
@@ -361,8 +363,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
return -1;
}
- sa->ol_flags = sec_cap->ol_flags;
- sa->security_ctx = sec_ctx;
+ ips->security.ol_flags = sec_cap->ol_flags;
+ ips->security.ctx = sec_ctx;
}
sa->cdev_id_qp = 0;
@@ -409,6 +411,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
struct ipsec_mbuf_metadata *priv;
struct rte_crypto_sym_op *sym_cop;
struct ipsec_sa *sa;
+ struct rte_ipsec_session *ips;
for (i = 0; i < nb_pkts; i++) {
if (unlikely(sas[i] == NULL)) {
@@ -422,16 +425,17 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
priv = get_priv(pkts[i]);
sa = sas[i];
priv->sa = sa;
+ ips = ipsec_get_session(sa);
- switch (sa->type) {
+ switch (ips->type) {
case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
rte_prefetch0(&priv->sym_cop);
- if ((unlikely(sa->sec_session == NULL)) &&
- create_lookaside_session(ipsec_ctx, sa)) {
+ if ((unlikely(ips->security.ses == NULL)) &&
+ create_lookaside_session(ipsec_ctx, sa, ips)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
@@ -440,7 +444,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
sym_cop->m_src = pkts[i];
rte_security_attach_session(&priv->cop,
- sa->sec_session);
+ ips->security.ses);
break;
case RTE_SECURITY_ACTION_TYPE_NONE:
@@ -449,14 +453,14 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
rte_prefetch0(&priv->sym_cop);
- if ((unlikely(sa->crypto_session == NULL)) &&
- create_lookaside_session(ipsec_ctx, sa)) {
+ if ((unlikely(ips->crypto.ses == NULL)) &&
+ create_lookaside_session(ipsec_ctx, sa, ips)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
rte_crypto_op_attach_sym_session(&priv->cop,
- sa->crypto_session);
+ ips->crypto.ses);
ret = xform_func(pkts[i], sa, &priv->cop);
if (unlikely(ret)) {
@@ -465,21 +469,22 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
}
break;
case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
- RTE_ASSERT(sa->sec_session != NULL);
+ RTE_ASSERT(ips->security.ses != NULL);
ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];
- if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_OLOAD_NEED_MDATA)
rte_security_set_pkt_metadata(
- sa->security_ctx,
- sa->sec_session, pkts[i], NULL);
+ ips->security.ctx, ips->security.ses,
+ pkts[i], NULL);
continue;
case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
- RTE_ASSERT(sa->sec_session != NULL);
+ RTE_ASSERT(ips->security.ses != NULL);
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
rte_prefetch0(&priv->sym_cop);
rte_security_attach_session(&priv->cop,
- sa->sec_session);
+ ips->security.ses);
ret = xform_func(pkts[i], sa, &priv->cop);
if (unlikely(ret)) {
@@ -488,10 +493,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
}
ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];
- if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_OLOAD_NEED_MDATA)
rte_security_set_pkt_metadata(
- sa->security_ctx,
- sa->sec_session, pkts[i], NULL);
+ ips->security.ctx, ips->security.ses,
+ pkts[i], NULL);
continue;
}
@@ -560,7 +566,8 @@ ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_NONE) {
ret = xform_func(pkt, sa, cops[j]);
if (unlikely(ret)) {
rte_pktmbuf_free(pkt);
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 1efa6e488..a4ad81b0e 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -87,10 +87,6 @@ struct ipsec_sa {
uint32_t cdev_id_qp;
uint64_t seq;
uint32_t salt;
- union {
- struct rte_cryptodev_sym_session *crypto_session;
- struct rte_security_session *sec_session;
- };
enum rte_crypto_cipher_algorithm cipher_algo;
enum rte_crypto_auth_algorithm auth_algo;
enum rte_crypto_aead_algorithm aead_algo;
@@ -114,11 +110,8 @@ struct ipsec_sa {
struct rte_crypto_sym_xform *xforms;
struct rte_security_ipsec_xform *sec_xform;
};
- enum rte_security_session_action_type type;
enum rte_security_ipsec_sa_direction direction;
uint16_t portid;
- struct rte_security_ctx *security_ctx;
- uint32_t ol_flags;
#define MAX_RTE_FLOW_PATTERN (4)
#define MAX_RTE_FLOW_ACTIONS (3)
@@ -284,6 +277,20 @@ get_sym_cop(struct rte_crypto_op *cop)
return (cop + 1);
}
+static inline struct rte_ipsec_session *
+ipsec_get_session(struct ipsec_sa *sa)
+{
+ return &sa->ips;
+}
+
+static inline enum rte_security_session_action_type
+ipsec_get_action_type(struct ipsec_sa *sa)
+{
+ struct rte_ipsec_session *ips;
+ ips = ipsec_get_session(sa);
+ return ips->type;
+}
+
int
inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
@@ -338,9 +345,11 @@ void
enqueue_cop_burst(struct cdev_qp *cqp);
int
-create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa);
+create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips);
int
-create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa);
+create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips);
#endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c
index 868f1a28d..239d81ef6 100644
--- a/examples/ipsec-secgw/ipsec_process.c
+++ b/examples/ipsec-secgw/ipsec_process.c
@@ -94,22 +94,16 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx,
/* setup crypto section */
if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
- if (sa->crypto_session == NULL) {
- rc = create_lookaside_session(ctx, sa);
- if (rc != 0)
- return rc;
- }
- ss->crypto.ses = sa->crypto_session;
+ RTE_ASSERT(ss->crypto.ses == NULL);
+ rc = create_lookaside_session(ctx, sa, ss);
+ if (rc != 0)
+ return rc;
/* setup session action type */
- } else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
- if (sa->sec_session == NULL) {
- rc = create_lookaside_session(ctx, sa);
- if (rc != 0)
- return rc;
- }
- ss->security.ses = sa->sec_session;
- ss->security.ctx = sa->security_ctx;
- ss->security.ol_flags = sa->ol_flags;
+ } else if (ss->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
+ RTE_ASSERT(ss->security.ses == NULL);
+ rc = create_lookaside_session(ctx, sa, ss);
+ if (rc != 0)
+ return rc;
} else
RTE_ASSERT(0);
@@ -218,7 +212,7 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
pg = grp + i;
sa = pg->id.ptr;
- ips = &sa->ips;
+ ips = ipsec_get_session(sa);
/* no valid HW session for that SA, try to create one */
if (sa == NULL || (ips->crypto.ses == NULL &&
@@ -226,8 +220,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
k = 0;
/* process packets inline */
- else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- sa->type ==
+ else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ ips->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
satp = rte_ipsec_sa_type(ips->sa);
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index c3cf3bd1f..a3d8e4545 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -224,6 +224,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
struct parse_status *status)
{
struct ipsec_sa *rule = NULL;
+ struct rte_ipsec_session *ips;
uint32_t ti; /*token index*/
uint32_t *ri /*rule index*/;
uint32_t cipher_algo_p = 0;
@@ -262,6 +263,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
if (atoi(tokens[1]) == INVALID_SPI)
return;
rule->spi = atoi(tokens[1]);
+ ips = ipsec_get_session(rule);
for (ti = 2; ti < n_tokens; ti++) {
if (strcmp(tokens[ti], "mode") == 0) {
@@ -558,18 +560,18 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
return;
if (strcmp(tokens[ti], "inline-crypto-offload") == 0)
- rule->type =
+ ips->type =
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO;
else if (strcmp(tokens[ti],
"inline-protocol-offload") == 0)
- rule->type =
+ ips->type =
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL;
else if (strcmp(tokens[ti],
"lookaside-protocol-offload") == 0)
- rule->type =
+ ips->type =
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
else if (strcmp(tokens[ti], "no-offload") == 0)
- rule->type = RTE_SECURITY_ACTION_TYPE_NONE;
+ ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
else {
APP_CHECK(0, status, "Invalid input \"%s\"",
tokens[ti]);
@@ -624,11 +626,11 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
if (status->status < 0)
return;
- if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0))
+ if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0))
printf("Missing portid option, falling back to non-offload\n");
if (!type_p || !portid_p) {
- rule->type = RTE_SECURITY_ACTION_TYPE_NONE;
+ ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
rule->portid = -1;
}
@@ -640,6 +642,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
{
uint32_t i;
uint8_t a, b, c, d;
+ const struct rte_ipsec_session *ips;
printf("\tspi_%s(%3u):", inbound?"in":"out", sa->spi);
@@ -695,8 +698,10 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
printf("Transport ");
break;
}
+
+ ips = &sa->ips;
printf(" type:");
- switch (sa->type) {
+ switch (ips->type) {
case RTE_SECURITY_ACTION_TYPE_NONE:
printf("no-offload ");
break;
@@ -876,6 +881,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
uint16_t iv_length, aad_length;
int inline_status;
int32_t rc;
+ struct rte_ipsec_session *ips;
/* for ESN upper 32 bits of SQN also need to be part of AAD */
aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0;
@@ -890,9 +896,10 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
}
*sa = entries[i];
sa->seq = 0;
+ ips = ipsec_get_session(sa);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
- sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
+ ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
if (check_eth_dev_caps(sa->portid, inbound))
return -EINVAL;
}
@@ -907,7 +914,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
sa->dst.ip.ip4 = rte_cpu_to_be_32(sa->dst.ip.ip4);
break;
case TRANSPORT:
- if (sa->type ==
+ if (ips->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
inline_status =
sa_add_address_inline_crypto(sa);
@@ -918,6 +925,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
}
if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ struct rte_ipsec_session *ips;
iv_length = 16;
sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD;
@@ -938,11 +946,12 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
sa->xforms = &sa_ctx->xf[idx].a;
- if (sa->type ==
+ ips = ipsec_get_session(sa);
+ if (ips->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
- sa->type ==
+ ips->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- rc = create_inline_session(skt_ctx, sa);
+ rc = create_inline_session(skt_ctx, sa, ips);
if (rc != 0) {
RTE_LOG(ERR, IPSEC_ESP,
"create_inline_session() failed\n");
@@ -1100,23 +1109,11 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,
}
static int
-fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,
- const struct ipsec_sa *lsa)
+fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa)
{
int32_t rc = 0;
ss->sa = sa;
- ss->type = lsa->type;
-
- /* setup crypto section */
- if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
- ss->crypto.ses = lsa->crypto_session;
- /* setup session action type */
- } else {
- ss->security.ses = lsa->sec_session;
- ss->security.ctx = lsa->security_ctx;
- ss->security.ol_flags = lsa->ol_flags;
- }
if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
@@ -1138,6 +1135,7 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size)
{
int rc;
struct rte_ipsec_sa_prm prm;
+ struct rte_ipsec_session *ips;
struct rte_ipv4_hdr v4 = {
.version_ihl = IPVERSION << 4 |
sizeof(v4) / RTE_IPV4_IHL_MULTIPLIER,
@@ -1162,7 +1160,10 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size)
if (rc < 0)
return rc;
- rc = fill_ipsec_session(&lsa->ips, sa, lsa);
+ /* init processing session */
+ ips = ipsec_get_session(lsa);
+ rc = fill_ipsec_session(ips, sa);
+
return rc;
}
@@ -1386,6 +1387,7 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
{
struct ipsec_sa *rule;
uint32_t idx_sa;
+ enum rte_security_session_action_type rule_type;
*rx_offloads = 0;
*tx_offloads = 0;
@@ -1393,8 +1395,9 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
/* Check for inbound rules that use offloads and use this port */
for (idx_sa = 0; idx_sa < nb_sa_in; idx_sa++) {
rule = &sa_in[idx_sa];
- if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- rule->type ==
+ rule_type = ipsec_get_action_type(rule);
+ if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ rule_type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
&& rule->portid == port_id)
*rx_offloads |= DEV_RX_OFFLOAD_SECURITY;
@@ -1403,8 +1406,9 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
/* Check for outbound rules that use offloads and use this port */
for (idx_sa = 0; idx_sa < nb_sa_out; idx_sa++) {
rule = &sa_out[idx_sa];
- if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- rule->type ==
+ rule_type = ipsec_get_action_type(rule);
+ if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ rule_type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
&& rule->portid == port_id)
*tx_offloads |= DEV_TX_OFFLOAD_SECURITY;
--
2.17.1
next prev parent reply other threads:[~2019-09-27 15:55 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-14 20:48 [dpdk-dev] [PATCH v1 0/2] examples/ipsec-secgw: add fallback session Marcin Smoczynski
2019-08-14 20:48 ` [dpdk-dev] [PATCH v1 1/2] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-08-14 20:48 ` [dpdk-dev] [PATCH v1 2/2] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback session Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 1/3] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 2/3] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 3/3] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-09-18 6:45 ` [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback session Anoob Joseph
2019-09-18 8:46 ` Ananyev, Konstantin
2019-09-18 11:40 ` Anoob Joseph
2019-09-18 22:19 ` Ananyev, Konstantin
2019-09-19 2:50 ` Anoob Joseph
2019-09-19 7:33 ` Ananyev, Konstantin
2019-09-19 10:53 ` Anoob Joseph
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 0/3] " Marcin Smoczynski
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 1/3] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-09-23 16:47 ` Ananyev, Konstantin
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 2/3] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-23 16:49 ` Ananyev, Konstantin
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-09-23 16:50 ` Ananyev, Konstantin
2019-09-23 12:51 ` [dpdk-dev] [PATCH v3 0/3] add fallback session Smoczynski, MarcinX
2019-09-26 9:04 ` Anoob Joseph
2019-09-26 12:38 ` Ananyev, Konstantin
2019-09-29 14:29 ` Anoob Joseph
2019-09-30 13:31 ` Ananyev, Konstantin
2019-10-02 10:14 ` Anoob Joseph
2019-10-03 14:46 ` Ananyev, Konstantin
2019-10-09 15:36 ` Anoob Joseph
2019-10-10 10:55 ` Ananyev, Konstantin
2019-10-13 12:47 ` Anoob Joseph
2019-10-16 12:02 ` Ananyev, Konstantin
2019-10-16 13:36 ` Ananyev, Konstantin
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 0/4] " Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 1/4] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 0/4] add fallback session Marcin Smoczynski
2019-09-27 15:54 ` Marcin Smoczynski [this message]
2019-10-02 15:43 ` [dpdk-dev] [PATCH v5 1/4] examples/ipsec-secgw: ipsec_sa structure cleanup Nicolau, Radu
2019-10-03 16:35 ` Iremonger, Bernard
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-29 17:03 ` Ananyev, Konstantin
2019-09-30 9:13 ` Smoczynski, MarcinX
2019-10-03 16:36 ` Iremonger, Bernard
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-09-30 10:16 ` Ananyev, Konstantin
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-10-03 16:46 ` Iremonger, Bernard
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 0/4] add fallback session Marcin Smoczynski
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 1/4] examples/ipsec-secgw: sa structure cleanup Marcin Smoczynski
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-10-11 14:40 ` Akhil Goyal
2019-10-11 15:06 ` Ananyev, Konstantin
2019-10-15 14:33 ` Akhil Goyal
2019-10-16 10:37 ` Ananyev, Konstantin
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 0/4] add fallback session Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 1/4] examples/ipsec-secgw: sa structure cleanup Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-10-21 12:29 ` [dpdk-dev] [PATCH v7 0/4] add fallback session Mcnamara, John
2019-10-21 12:32 ` Akhil Goyal
2019-11-05 12:20 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190927155446.19136-2-marcinx.smoczynski@intel.com \
--to=marcinx.smoczynski@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).