From: Anoob Joseph <anoob.joseph@caviumnetworks.com>
To: Akhil Goyal <akhil.goyal@nxp.com>,
	Declan Doherty <declan.doherty@intel.com>,
	Radu Nicolau <radu.nicolau@intel.com>
Cc: Anoob Joseph <anoob.joseph@caviumnetworks.com>,
	Jerin Jacob <jerin.jacob@caviumnetworks.com>,
	Narayana Prasad <narayanaprasad.athreya@caviumnetworks.com>,
	Nelio Laranjeiro <nelio.laranjeiro@6wind.com>,
	dev@dpdk.org
Subject: [PATCH v2 4/5] examples/ipsec-secgw: handle ESN soft limit event
Date: Thu,  1 Mar 2018 14:51:42 +0530	[thread overview]
Message-ID: <1519896103-32479-5-git-send-email-anoob.joseph@caviumnetworks.com> (raw)
In-Reply-To: <1519896103-32479-1-git-send-email-anoob.joseph@caviumnetworks.com>

For inline protocol processing, the PMD/device is required to maintain
the ESN. But the application is required to monitor ESN overflow to
initiate SA expiry.

For such cases, the application would set the ESN soft limit. An IPsec
event would be raised by the rte_eth_event framework when the ESN hits the
soft limit set by the application.

Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
---
v2:
* No change

 examples/ipsec-secgw/ipsec-secgw.c | 56 ++++++++++++++++++++++++++++++++++++++
 examples/ipsec-secgw/ipsec.c       | 10 +++++--
 examples/ipsec-secgw/ipsec.h       |  2 ++
 3 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 3a8562e..5726fd3 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -40,6 +40,7 @@
 #include <rte_hash.h>
 #include <rte_jhash.h>
 #include <rte_cryptodev.h>
+#include <rte_security.h>
 
 #include "ipsec.h"
 #include "parser.h"
@@ -1640,6 +1641,58 @@ pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf)
 		printf("Allocated mbuf pool on socket %d\n", socket_id);
 }
 
+static inline int
+inline_ipsec_event_esn_overflow(struct rte_security_ctx *ctx, uint64_t md)
+{
+	struct ipsec_sa *sa;
+
+	/* For inline protocol processing, the metadata in the event will
+	 * uniquely identify the security session which raised the event.
+	 * Application would then need the userdata it had registered with the
+	 * security session to process the event.
+	 */
+
+	sa = (struct ipsec_sa *)rte_security_get_userdata(ctx, md);
+
+	if (sa == NULL) {
+		/* userdata could not be retrieved */
+		return -1;
+	}
+
+	/* Sequence number over flow. SA need to be re-established */
+	RTE_SET_USED(sa);
+	return 0;
+}
+
+static int
+inline_ipsec_event_callback(uint16_t port_id, enum rte_eth_event_type type,
+		 void *param, void *ret_param)
+{
+	struct rte_eth_event_ipsec_desc *event_desc = NULL;
+	struct rte_security_ctx *ctx = (struct rte_security_ctx *)
+					rte_eth_dev_get_sec_ctx(port_id);
+
+	RTE_SET_USED(param);
+
+	if (type != RTE_ETH_EVENT_IPSEC)
+		return -1;
+
+	event_desc = ret_param;
+	if (event_desc == NULL) {
+		printf("Event descriptor not set\n");
+		return -1;
+	}
+
+	if (event_desc->stype == RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW)
+		return inline_ipsec_event_esn_overflow(ctx, event_desc->md);
+	else if (event_desc->stype >= RTE_ETH_EVENT_IPSEC_MAX) {
+		printf("Invalid IPsec event reported\n");
+		return -1;
+	}
+
+	return -1;
+}
+
 int32_t
 main(int32_t argc, char **argv)
 {
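Review bot: inline_ipsec_event_esn_overflow() returns 0 once the userdata lookup succeeds but takes no action on the SA and logs nothing, so the soft-limit event is reported as handled while the session keeps consuming sequence numbers towards the wrap. Until re-keying is wired in, the stub should at least make the event visible, e.g. `printf("ESN soft limit reached, SA must be re-established\n");` with a TODO, rather than return success for work it has not done. In inline_ipsec_event_callback() the result of rte_eth_dev_get_sec_ctx(port_id) is passed on without a NULL check; `if (ctx == NULL) return -1;` before the stype dispatch would guard a port without a security context, assuming rte_security_get_userdata() does not check this itself. The `else if (event_desc->stype >= RTE_ETH_EVENT_IPSEC_MAX)` branch and the final fall-through both return -1, so valid but unhandled subtypes are dropped without any message. The hunk ends inside main(), which continues outside it.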
@@ -1727,6 +1780,9 @@ main(int32_t argc, char **argv)
 		 */
 		if (promiscuous_on)
 			rte_eth_promiscuous_enable(portid);
+
+		rte_eth_dev_callback_register(portid,
+			RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, NULL);
 	}
 
 	check_all_ports_link_status(nb_ports, enabled_port_mask);
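Review bot: The return value of rte_eth_dev_callback_register() is ignored, so a failed registration leaves the port running with no handler for ESN soft-limit events and nothing reports it. Test the result at the call, `if (rte_eth_dev_callback_register(portid, RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, NULL) != 0)`, and log the port id or exit as the other port-setup failures do. The enclosing port loop in main() starts outside the hunk.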
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 5fb5bc1..acdd189 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -36,6 +36,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
 		}
 		/* TODO support for Transport and IPV6 tunnel */
 	}
+	ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
 }
 
 static inline int
@@ -270,11 +271,14 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
 			 * the packet is received, this userdata will be
 			 * retrieved using the metadata from the packet.
 			 *
-			 * This is required only for inbound SAs.
+			 * The PMD is expected to set similar metadata for other
+			 * operations, like rte_eth_event, which are tied to
+			 * security session. In such cases, the userdata could
+			 * be obtained to uniquely identify the security
+			 * parameters denoted.
 			 */
 
-			if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
-				sess_conf.userdata = (void *) sa;
+			sess_conf.userdata = (void *) sa;
 
 			sa->sec_session = rte_security_session_create(ctx,
 					&sess_conf, ipsec_ctx->session_pool);
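Review bot: With `sess_conf.userdata = (void *) sa;` now set for every direction, the raw `sa` pointer is handed back to the event callback for egress SAs as well, and the updated comment does not state the lifetime this relies on. I would add a line such as `/* sa must stay valid until the security session is destroyed */` to the comment. Once the overflow handler starts acting on `sa`, it will presumably be reached from the ethdev event-callback context in addition to the data path, so the comment should also say which fields that context may touch. create_session() starts and ends outside the hunk.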
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 6059f6c..c1450f6 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -21,6 +21,8 @@
 
 #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
 
+#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
+
 #define IV_OFFSET		(sizeof(struct rte_crypto_op) + \
 				sizeof(struct rte_crypto_sym_op))
 
-- 
2.7.4
