From: Akhil Goyal
Subject: Re: [PATCH v2 4/5] examples/ipsec-secgw: handle ESN soft limit event
Date: Tue, 13 Mar 2018 17:54:14 +0530
To: Anoob Joseph, Declan Doherty, Radu Nicolau
Cc: Jerin Jacob, Narayana Prasad, Nelio Laranjeiro, dev@dpdk.org
List-Id: DPDK patches and discussions

Hi Anoob,

On 3/1/2018 2:51 PM, Anoob Joseph wrote:
> For inline protocol processing, the PMD/device is required to maintain
> the ESN. But the application is required to monitor ESN overflow to
> initiate SA expiry.
>
> For such cases, application would set the ESN soft limit. An IPsec event
> would be raised by rte_eth_event framework, when ESN hits the soft limit
> set by the application.
>
> Signed-off-by: Anoob Joseph
> ---
> v2:
> * No change
>
> examples/ipsec-secgw/ipsec-secgw.c | 56 ++++++++++++++++++++++++++++++++++++++
> examples/ipsec-secgw/ipsec.c | 10 +++++--
> examples/ipsec-secgw/ipsec.h | 2 ++
> 3 files changed, 65 insertions(+), 3 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c > index 3a8562e..5726fd3 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c 
> +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -40,6 +40,7 @@ > #include > #include > #include > +#include > > #include "ipsec.h" > #include "parser.h" > @@ -1640,6 +1641,58 @@ pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf) > printf("Allocated mbuf pool on socket %d\n", socket_id); > } > > +static inline int > +inline_ipsec_event_esn_overflow(struct rte_security_ctx *ctx, uint64_t md) > +{ > + struct ipsec_sa *sa; > + > + /* For inline protocol processing, the metadata in the event will > + * uniquely identify the security session which raised the event. > + * Application would then need the userdata it had registered with the > + * security session to process the event. > + */ > + > + sa = (struct ipsec_sa *)rte_security_get_userdata(ctx, md); > + > + if (sa == NULL) { > + /* userdata could not be retrieved */ > + return -1; > + } > + > + /* Sequence number over flow. SA need to be re-established */ With this patchset, application will be able to get notification if the error has occurred. But it is not re-configuring the SA. Do you intend to add the same? > + RTE_SET_USED(sa); > + return 0; > +} > + > +static int > +inline_ipsec_event_callback(uint16_t port_id, enum rte_eth_event_type type, > + void *param, void *ret_param) > +{ > + struct rte_eth_event_ipsec_desc *event_desc = NULL; > + struct rte_security_ctx *ctx = (struct rte_security_ctx *) > + rte_eth_dev_get_sec_ctx(port_id); > + > + RTE_SET_USED(param); > + > + if (type != RTE_ETH_EVENT_IPSEC) > + return -1; > + > + event_desc = ret_param; > + if (event_desc == NULL) { > + printf("Event descriptor not set\n"); > + return -1; > + } > + > + if (event_desc->stype == RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW) > + return inline_ipsec_event_esn_overflow(ctx, event_desc->md); > + else if (event_desc->stype >= RTE_ETH_EVENT_IPSEC_MAX) { > + printf("Invalid IPsec event reported\n"); > + return -1; > + } > + > + return -1; > +} > + > int32_t > main(int32_t argc, char **argv) > { 
> @@ -1727,6 +1780,9 @@ main(int32_t argc, char **argv) > */ > if (promiscuous_on) > rte_eth_promiscuous_enable(portid); > + > + rte_eth_dev_callback_register(portid, > + RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, NULL); > } > > check_all_ports_link_status(nb_ports, enabled_port_mask); > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index 5fb5bc1..acdd189 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -36,6 +36,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) > } > /* TODO support for Transport and IPV6 tunnel */ > } > + ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > } > > static inline int > @@ -270,11 +271,14 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) > * the packet is received, this userdata will be > * retrieved using the metadata from the packet. > * > - * This is required only for inbound SAs. > + * The PMD is expected to set similar metadata for other > + * operations, like rte_eth_event, which are tied to > + * security session. In such cases, the userdata could > + * be obtained to uniquely identify the security > + * parameters denoted. > */ > > - if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) > - sess_conf.userdata = (void *) sa; > + sess_conf.userdata = (void *) sa; > > sa->sec_session = rte_security_session_create(ctx, > &sess_conf, ipsec_ctx->session_pool); > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > index 6059f6c..c1450f6 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -21,6 +21,8 @@ > > #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ > > +#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00 > + > #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ > sizeof(struct rte_crypto_sym_op)) > >
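
Review bot: in the `@@ -1640,6 +1641,58 @@` hunk of ipsec-secgw.c, inline_ipsec_event_esn_overflow() returns 0 after `RTE_SET_USED(sa)`, so an ESN soft-limit event is reported as handled although nothing is logged and the SA stays in use. Until SA re-establishment is wired in, log the event together with which SA raised it, or return a distinct value so the caller can tell that no action was taken. In inline_ipsec_event_callback(), `ctx` from rte_eth_dev_get_sec_ctx(port_id) is passed on without a NULL check, and the trailing `else if (event_desc->stype >= RTE_ETH_EVENT_IPSEC_MAX)` branch returns the same -1 as the fall-through, so any other valid subtype is dropped without a message.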
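
Review bot: in the `@@ -1727,6 +1780,9 @@` hunk of ipsec-secgw.c, the return value of rte_eth_dev_callback_register() in main() is ignored. If registration fails for a port, RTE_ETH_EVENT_IPSEC is never delivered to inline_ipsec_event_callback() and the soft limit set in set_ipsec_conf() goes unobserved; check the result and at least print an error naming the port.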
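
Review bot: in the `@@ -270,11 +271,14 @@` hunk of ipsec.c, with the direction check removed every session now stores the raw `sa` pointer as userdata, and inline_ipsec_event_esn_overflow() casts whatever rte_security_get_userdata() returns back to `struct ipsec_sa *`. The updated comment should also state the lifetime requirement: the SA entry has to stay valid for as long as the security session exists, because the event callback retrieves it independently of packet processing.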
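
Review bot: `IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00` in the ipsec.h hunk has no comment on how the value was chosen, and set_ipsec_conf() in ipsec.c assigns it unconditionally to every session. The value sits 256 sequence numbers below 2^32, which leaves very little traffic between the soft-limit event and that boundary for the application to re-establish the SA; document the intended headroom next to the define, and consider a lower value or a per-SA configurable limit.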