From: Marcin Smoczynski <marcinx.smoczynski@intel.com>
To: anoobj@marvell.com, akhil.goyal@nxp.com, konstantin.ananyev@intel.com
Cc: dev@dpdk.org, Marcin Smoczynski <marcinx.smoczynski@intel.com>
Subject: [dpdk-dev] [PATCH v3 1/3] examples/ipsec-secgw: ipsec_sa structure cleanup
Date: Mon, 23 Sep 2019 13:44:12 +0200 [thread overview]
Message-ID: <20190923114415.17932-2-marcinx.smoczynski@intel.com> (raw)
In-Reply-To: <20190923114415.17932-1-marcinx.smoczynski@intel.com>
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
---
examples/ipsec-secgw/esp.c | 35 +++++++----
examples/ipsec-secgw/ipsec.c | 91 +++++++++++++++-------------
examples/ipsec-secgw/ipsec.h | 27 ++++++---
examples/ipsec-secgw/ipsec_process.c | 30 ++++-----
examples/ipsec-secgw/sa.c | 66 ++++++++++----------
5 files changed, 137 insertions(+), 112 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d6d7b1256..c1b49da1e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
int32_t payload_len, ip_hdr_len;
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
return 0;
RTE_ASSERT(m != NULL);
@@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
uint8_t *nexthdr, *pad_len;
uint8_t *padding;
uint16_t i;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ ips = ipsec_get_session(sa);
+
+ if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
return -1;
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
nexthdr = &m->inner_esp_next_proto;
} else {
nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
@@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
struct rte_crypto_sym_op *sym_cop;
int32_t i;
uint16_t pad_payload_len, pad_len, ip_hdr_len;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
+ ips = ipsec_get_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
@@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
/* Add trailer padding if it is not constructed by HW */
- if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- !(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ !(ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
sa->digest_len);
if (unlikely(padding == NULL)) {
@@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
/* Set the inner esp next protocol for HW trailer */
m->inner_esp_next_proto = nlp;
m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
@@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m,
struct ipsec_sa *sa,
struct rte_crypto_op *cop)
{
+ enum rte_security_session_action_type type;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ type = ipsec_get_action_type(sa);
+
+ if ((type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
m->ol_flags |= PKT_TX_SEC_OFFLOAD;
} else {
RTE_ASSERT(cop != NULL);
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index dc85adfe5..8c60bd84b 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -40,7 +40,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
int
-create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
+create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips)
{
struct rte_cryptodev_info cdev_info;
unsigned long cdev_id_qp = 0;
@@ -71,9 +72,9 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
ipsec_ctx->tbl[cdev_id_qp].id,
ipsec_ctx->tbl[cdev_id_qp].qp);
- if (sa->type != RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) {
struct rte_security_session_conf sess_conf = {
- .action_type = sa->type,
+ .action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
{.ipsec = {
.spi = sa->spi,
@@ -90,7 +91,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
};
- if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
struct rte_security_ctx *ctx = (struct rte_security_ctx *)
rte_cryptodev_get_sec_ctx(
ipsec_ctx->tbl[cdev_id_qp].id);
@@ -98,9 +99,9 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
/* Set IPsec parameters in conf */
set_ipsec_conf(sa, &(sess_conf.ipsec));
- sa->sec_session = rte_security_session_create(ctx,
+ ips->security.ses = rte_security_session_create(ctx,
&sess_conf, ipsec_ctx->session_priv_pool);
- if (sa->sec_session == NULL) {
+ if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
@@ -110,10 +111,10 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
return -1;
}
} else {
- sa->crypto_session = rte_cryptodev_sym_session_create(
+ ips->crypto.ses = rte_cryptodev_sym_session_create(
ipsec_ctx->session_pool);
rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,
- sa->crypto_session, sa->xforms,
+ ips->crypto.ses, sa->xforms,
ipsec_ctx->session_priv_pool);
rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id,
@@ -126,12 +127,13 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
}
int
-create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
+create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips)
{
int32_t ret = 0;
struct rte_security_ctx *sec_ctx;
struct rte_security_session_conf sess_conf = {
- .action_type = sa->type,
+ .action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
{.ipsec = {
.spi = sa->spi,
@@ -151,7 +153,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n",
sa->spi, sa->portid);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
struct rte_flow_error err;
const struct rte_security_capability *sec_cap;
int ret = 0;
@@ -165,9 +167,9 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
return -1;
}
- sa->sec_session = rte_security_session_create(sec_ctx,
+ ips->security.ses = rte_security_session_create(sec_ctx,
&sess_conf, skt_ctx->session_pool);
- if (sa->sec_session == NULL) {
+ if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
@@ -177,7 +179,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
/* iterate until ESP tunnel*/
while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) {
- if (sec_cap->action == sa->type &&
+ if (sec_cap->action == ips->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
@@ -193,8 +195,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
return -1;
}
- sa->ol_flags = sec_cap->ol_flags;
- sa->security_ctx = sec_ctx;
+ ips->security.ol_flags = sec_cap->ol_flags;
+ ips->security.ctx = sec_ctx;
sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
if (IS_IP6(sa->flags)) {
@@ -223,7 +225,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
- sa->action[0].conf = sa->sec_session;
+ sa->action[0].conf = ips->security.ses;
sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
@@ -282,8 +284,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
if (ret)
goto flow_create_failure;
} else if (sa->attr.egress &&
- (sa->ol_flags &
- RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {
+ (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {
sa->action[1].type =
RTE_FLOW_ACTION_TYPE_PASSTHRU;
sa->action[2].type =
@@ -299,7 +301,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
err.message);
return -1;
}
- } else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
+ } else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
const struct rte_security_capability *sec_cap;
sec_ctx = (struct rte_security_ctx *)
@@ -327,9 +329,9 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
sess_conf.userdata = (void *) sa;
- sa->sec_session = rte_security_session_create(sec_ctx,
+ ips->security.ses = rte_security_session_create(sec_ctx,
&sess_conf, skt_ctx->session_pool);
- if (sa->sec_session == NULL) {
+ if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
@@ -345,7 +347,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
/* iterate until ESP tunnel*/
while (sec_cap->action !=
RTE_SECURITY_ACTION_TYPE_NONE) {
- if (sec_cap->action == sa->type &&
+ if (sec_cap->action == ips->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
@@ -361,8 +363,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
return -1;
}
- sa->ol_flags = sec_cap->ol_flags;
- sa->security_ctx = sec_ctx;
+ ips->security.ol_flags = sec_cap->ol_flags;
+ ips->security.ctx = sec_ctx;
}
sa->cdev_id_qp = 0;
@@ -409,6 +411,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
struct ipsec_mbuf_metadata *priv;
struct rte_crypto_sym_op *sym_cop;
struct ipsec_sa *sa;
+ struct rte_ipsec_session *ips;
for (i = 0; i < nb_pkts; i++) {
if (unlikely(sas[i] == NULL)) {
@@ -422,16 +425,17 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
priv = get_priv(pkts[i]);
sa = sas[i];
priv->sa = sa;
+ ips = ipsec_get_session(sa);
- switch (sa->type) {
+ switch (ips->type) {
case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
rte_prefetch0(&priv->sym_cop);
- if ((unlikely(sa->sec_session == NULL)) &&
- create_lookaside_session(ipsec_ctx, sa)) {
+ if ((unlikely(ips->security.ses == NULL)) &&
+ create_lookaside_session(ipsec_ctx, sa, ips)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
@@ -440,7 +444,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
sym_cop->m_src = pkts[i];
rte_security_attach_session(&priv->cop,
- sa->sec_session);
+ ips->security.ses);
break;
case RTE_SECURITY_ACTION_TYPE_NONE:
@@ -449,14 +453,14 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
rte_prefetch0(&priv->sym_cop);
- if ((unlikely(sa->crypto_session == NULL)) &&
- create_lookaside_session(ipsec_ctx, sa)) {
+ if ((unlikely(ips->crypto.ses == NULL)) &&
+ create_lookaside_session(ipsec_ctx, sa, ips)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
rte_crypto_op_attach_sym_session(&priv->cop,
- sa->crypto_session);
+ ips->crypto.ses);
ret = xform_func(pkts[i], sa, &priv->cop);
if (unlikely(ret)) {
@@ -465,21 +469,22 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
}
break;
case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
- RTE_ASSERT(sa->sec_session != NULL);
+ RTE_ASSERT(ips->security.ses != NULL);
ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];
- if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_OLOAD_NEED_MDATA)
rte_security_set_pkt_metadata(
- sa->security_ctx,
- sa->sec_session, pkts[i], NULL);
+ ips->security.ctx, ips->security.ses,
+ pkts[i], NULL);
continue;
case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
- RTE_ASSERT(sa->sec_session != NULL);
+ RTE_ASSERT(ips->security.ses != NULL);
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
rte_prefetch0(&priv->sym_cop);
rte_security_attach_session(&priv->cop,
- sa->sec_session);
+ ips->security.ses);
ret = xform_func(pkts[i], sa, &priv->cop);
if (unlikely(ret)) {
@@ -488,10 +493,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
}
ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];
- if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_OLOAD_NEED_MDATA)
rte_security_set_pkt_metadata(
- sa->security_ctx,
- sa->sec_session, pkts[i], NULL);
+ ips->security.ctx, ips->security.ses,
+ pkts[i], NULL);
continue;
}
@@ -560,7 +566,8 @@ ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_NONE) {
ret = xform_func(pkt, sa, cops[j]);
if (unlikely(ret)) {
rte_pktmbuf_free(pkt);
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 1efa6e488..a4ad81b0e 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -87,10 +87,6 @@ struct ipsec_sa {
uint32_t cdev_id_qp;
uint64_t seq;
uint32_t salt;
- union {
- struct rte_cryptodev_sym_session *crypto_session;
- struct rte_security_session *sec_session;
- };
enum rte_crypto_cipher_algorithm cipher_algo;
enum rte_crypto_auth_algorithm auth_algo;
enum rte_crypto_aead_algorithm aead_algo;
@@ -114,11 +110,8 @@ struct ipsec_sa {
struct rte_crypto_sym_xform *xforms;
struct rte_security_ipsec_xform *sec_xform;
};
- enum rte_security_session_action_type type;
enum rte_security_ipsec_sa_direction direction;
uint16_t portid;
- struct rte_security_ctx *security_ctx;
- uint32_t ol_flags;
#define MAX_RTE_FLOW_PATTERN (4)
#define MAX_RTE_FLOW_ACTIONS (3)
@@ -284,6 +277,20 @@ get_sym_cop(struct rte_crypto_op *cop)
return (cop + 1);
}
+static inline struct rte_ipsec_session *
+ipsec_get_session(struct ipsec_sa *sa)
+{
+ return &sa->ips;
+}
+
+static inline enum rte_security_session_action_type
+ipsec_get_action_type(struct ipsec_sa *sa)
+{
+ struct rte_ipsec_session *ips;
+ ips = ipsec_get_session(sa);
+ return ips->type;
+}
+
int
inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
@@ -338,9 +345,11 @@ void
enqueue_cop_burst(struct cdev_qp *cqp);
int
-create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa);
+create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips);
int
-create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa);
+create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips);
#endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c
index 868f1a28d..239d81ef6 100644
--- a/examples/ipsec-secgw/ipsec_process.c
+++ b/examples/ipsec-secgw/ipsec_process.c
@@ -94,22 +94,16 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx,
/* setup crypto section */
if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
- if (sa->crypto_session == NULL) {
- rc = create_lookaside_session(ctx, sa);
- if (rc != 0)
- return rc;
- }
- ss->crypto.ses = sa->crypto_session;
+ RTE_ASSERT(ss->crypto.ses == NULL);
+ rc = create_lookaside_session(ctx, sa, ss);
+ if (rc != 0)
+ return rc;
/* setup session action type */
- } else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
- if (sa->sec_session == NULL) {
- rc = create_lookaside_session(ctx, sa);
- if (rc != 0)
- return rc;
- }
- ss->security.ses = sa->sec_session;
- ss->security.ctx = sa->security_ctx;
- ss->security.ol_flags = sa->ol_flags;
+ } else if (ss->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
+ RTE_ASSERT(ss->security.ses == NULL);
+ rc = create_lookaside_session(ctx, sa, ss);
+ if (rc != 0)
+ return rc;
} else
RTE_ASSERT(0);
@@ -218,7 +212,7 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
pg = grp + i;
sa = pg->id.ptr;
- ips = &sa->ips;
+ ips = ipsec_get_session(sa);
/* no valid HW session for that SA, try to create one */
if (sa == NULL || (ips->crypto.ses == NULL &&
@@ -226,8 +220,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
k = 0;
/* process packets inline */
- else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- sa->type ==
+ else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ ips->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
satp = rte_ipsec_sa_type(ips->sa);
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index c3cf3bd1f..a3d8e4545 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -224,6 +224,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
struct parse_status *status)
{
struct ipsec_sa *rule = NULL;
+ struct rte_ipsec_session *ips;
uint32_t ti; /*token index*/
uint32_t *ri /*rule index*/;
uint32_t cipher_algo_p = 0;
@@ -262,6 +263,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
if (atoi(tokens[1]) == INVALID_SPI)
return;
rule->spi = atoi(tokens[1]);
+ ips = ipsec_get_session(rule);
for (ti = 2; ti < n_tokens; ti++) {
if (strcmp(tokens[ti], "mode") == 0) {
@@ -558,18 +560,18 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
return;
if (strcmp(tokens[ti], "inline-crypto-offload") == 0)
- rule->type =
+ ips->type =
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO;
else if (strcmp(tokens[ti],
"inline-protocol-offload") == 0)
- rule->type =
+ ips->type =
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL;
else if (strcmp(tokens[ti],
"lookaside-protocol-offload") == 0)
- rule->type =
+ ips->type =
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
else if (strcmp(tokens[ti], "no-offload") == 0)
- rule->type = RTE_SECURITY_ACTION_TYPE_NONE;
+ ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
else {
APP_CHECK(0, status, "Invalid input \"%s\"",
tokens[ti]);
@@ -624,11 +626,11 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
if (status->status < 0)
return;
- if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0))
+ if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0))
printf("Missing portid option, falling back to non-offload\n");
if (!type_p || !portid_p) {
- rule->type = RTE_SECURITY_ACTION_TYPE_NONE;
+ ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
rule->portid = -1;
}
@@ -640,6 +642,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
{
uint32_t i;
uint8_t a, b, c, d;
+ const struct rte_ipsec_session *ips;
printf("\tspi_%s(%3u):", inbound?"in":"out", sa->spi);
@@ -695,8 +698,10 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
printf("Transport ");
break;
}
+
+ ips = &sa->ips;
printf(" type:");
- switch (sa->type) {
+ switch (ips->type) {
case RTE_SECURITY_ACTION_TYPE_NONE:
printf("no-offload ");
break;
@@ -876,6 +881,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
uint16_t iv_length, aad_length;
int inline_status;
int32_t rc;
+ struct rte_ipsec_session *ips;
/* for ESN upper 32 bits of SQN also need to be part of AAD */
aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0;
@@ -890,9 +896,10 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
}
*sa = entries[i];
sa->seq = 0;
+ ips = ipsec_get_session(sa);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
- sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
+ ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
if (check_eth_dev_caps(sa->portid, inbound))
return -EINVAL;
}
@@ -907,7 +914,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
sa->dst.ip.ip4 = rte_cpu_to_be_32(sa->dst.ip.ip4);
break;
case TRANSPORT:
- if (sa->type ==
+ if (ips->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
inline_status =
sa_add_address_inline_crypto(sa);
@@ -918,6 +925,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
}
if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ struct rte_ipsec_session *ips;
iv_length = 16;
sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD;
@@ -938,11 +946,12 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
sa->xforms = &sa_ctx->xf[idx].a;
- if (sa->type ==
+ ips = ipsec_get_session(sa);
+ if (ips->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
- sa->type ==
+ ips->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- rc = create_inline_session(skt_ctx, sa);
+ rc = create_inline_session(skt_ctx, sa, ips);
if (rc != 0) {
RTE_LOG(ERR, IPSEC_ESP,
"create_inline_session() failed\n");
@@ -1100,23 +1109,11 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,
}
static int
-fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,
- const struct ipsec_sa *lsa)
+fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa)
{
int32_t rc = 0;
ss->sa = sa;
- ss->type = lsa->type;
-
- /* setup crypto section */
- if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
- ss->crypto.ses = lsa->crypto_session;
- /* setup session action type */
- } else {
- ss->security.ses = lsa->sec_session;
- ss->security.ctx = lsa->security_ctx;
- ss->security.ol_flags = lsa->ol_flags;
- }
if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
@@ -1138,6 +1135,7 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size)
{
int rc;
struct rte_ipsec_sa_prm prm;
+ struct rte_ipsec_session *ips;
struct rte_ipv4_hdr v4 = {
.version_ihl = IPVERSION << 4 |
sizeof(v4) / RTE_IPV4_IHL_MULTIPLIER,
@@ -1162,7 +1160,10 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size)
if (rc < 0)
return rc;
- rc = fill_ipsec_session(&lsa->ips, sa, lsa);
+ /* init processing session */
+ ips = ipsec_get_session(lsa);
+ rc = fill_ipsec_session(ips, sa);
+
return rc;
}
@@ -1386,6 +1387,7 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
{
struct ipsec_sa *rule;
uint32_t idx_sa;
+ enum rte_security_session_action_type rule_type;
*rx_offloads = 0;
*tx_offloads = 0;
@@ -1393,8 +1395,9 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
/* Check for inbound rules that use offloads and use this port */
for (idx_sa = 0; idx_sa < nb_sa_in; idx_sa++) {
rule = &sa_in[idx_sa];
- if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- rule->type ==
+ rule_type = ipsec_get_action_type(rule);
+ if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ rule_type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
&& rule->portid == port_id)
*rx_offloads |= DEV_RX_OFFLOAD_SECURITY;
@@ -1403,8 +1406,9 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
/* Check for outbound rules that use offloads and use this port */
for (idx_sa = 0; idx_sa < nb_sa_out; idx_sa++) {
rule = &sa_out[idx_sa];
- if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- rule->type ==
+ rule_type = ipsec_get_action_type(rule);
+ if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ rule_type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
&& rule->portid == port_id)
*tx_offloads |= DEV_TX_OFFLOAD_SECURITY;
--
2.17.1
next prev parent reply other threads:[~2019-09-23 11:45 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-14 20:48 [dpdk-dev] [PATCH v1 0/2] examples/ipsec-secgw: add fallback session Marcin Smoczynski
2019-08-14 20:48 ` [dpdk-dev] [PATCH v1 1/2] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-08-14 20:48 ` [dpdk-dev] [PATCH v1 2/2] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback session Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 1/3] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 2/3] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 3/3] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-09-18 6:45 ` [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback session Anoob Joseph
2019-09-18 8:46 ` Ananyev, Konstantin
2019-09-18 11:40 ` Anoob Joseph
2019-09-18 22:19 ` Ananyev, Konstantin
2019-09-19 2:50 ` Anoob Joseph
2019-09-19 7:33 ` Ananyev, Konstantin
2019-09-19 10:53 ` Anoob Joseph
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 0/3] " Marcin Smoczynski
2019-09-23 11:44 ` Marcin Smoczynski [this message]
2019-09-23 16:47 ` [dpdk-dev] [PATCH v3 1/3] examples/ipsec-secgw: ipsec_sa structure cleanup Ananyev, Konstantin
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 2/3] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-23 16:49 ` Ananyev, Konstantin
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-09-23 16:50 ` Ananyev, Konstantin
2019-09-23 12:51 ` [dpdk-dev] [PATCH v3 0/3] add fallback session Smoczynski, MarcinX
2019-09-26 9:04 ` Anoob Joseph
2019-09-26 12:38 ` Ananyev, Konstantin
2019-09-29 14:29 ` Anoob Joseph
2019-09-30 13:31 ` Ananyev, Konstantin
2019-10-02 10:14 ` Anoob Joseph
2019-10-03 14:46 ` Ananyev, Konstantin
2019-10-09 15:36 ` Anoob Joseph
2019-10-10 10:55 ` Ananyev, Konstantin
2019-10-13 12:47 ` Anoob Joseph
2019-10-16 12:02 ` Ananyev, Konstantin
2019-10-16 13:36 ` Ananyev, Konstantin
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 0/4] " Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 1/4] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 0/4] add fallback session Marcin Smoczynski
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 1/4] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-10-02 15:43 ` Nicolau, Radu
2019-10-03 16:35 ` Iremonger, Bernard
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-29 17:03 ` Ananyev, Konstantin
2019-09-30 9:13 ` Smoczynski, MarcinX
2019-10-03 16:36 ` Iremonger, Bernard
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-09-30 10:16 ` Ananyev, Konstantin
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-10-03 16:46 ` Iremonger, Bernard
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 0/4] add fallback session Marcin Smoczynski
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 1/4] examples/ipsec-secgw: sa structure cleanup Marcin Smoczynski
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-10-11 14:40 ` Akhil Goyal
2019-10-11 15:06 ` Ananyev, Konstantin
2019-10-15 14:33 ` Akhil Goyal
2019-10-16 10:37 ` Ananyev, Konstantin
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 0/4] add fallback session Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 1/4] examples/ipsec-secgw: sa structure cleanup Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-10-21 12:29 ` [dpdk-dev] [PATCH v7 0/4] add fallback session Mcnamara, John
2019-10-21 12:32 ` Akhil Goyal
2019-11-05 12:20 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190923114415.17932-2-marcinx.smoczynski@intel.com \
--to=marcinx.smoczynski@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.