From: Radu Nicolau <radu.nicolau@intel.com>
To: Anoob Joseph <anoob.joseph@caviumnetworks.com>,
Akhil Goyal <akhil.goyal@nxp.com>,
Declan Doherty <declan.doherty@intel.com>,
Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Cc: Narayana Prasad <narayanaprasad.athreya@caviumnetworks.com>,
Jerin Jacob <jerin.jacob@caviumnetworks.com>,
dev@dpdk.org
Subject: Re: [PATCH v2] examples/ipsec-secgw: fix usage of incorrect port
Date: Tue, 14 Nov 2017 16:16:19 +0000 [thread overview]
Message-ID: <6c2f2972-f491-dc26-285c-d3471b614802@intel.com> (raw)
In-Reply-To: <1510673823-24475-1-git-send-email-anoob.joseph@caviumnetworks.com>
On 11/14/2017 3:37 PM, Anoob Joseph wrote:
> When security offload is enabled, the packet should be forwarded on the
> port configured in the SA. Security session will be configured on that
> port only, and sending the packet on other ports could result in
> unencrypted packets being sent out.
>
> This would have performance improvements too, as the per packet LPM
> lookup would be avoided for IPsec packets, in inline mode.
>
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
>
> Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
> ---
> v2:
> * Updated documentation with the change in behavior for outbound inline
> offloaded packets.
>
> doc/guides/sample_app_ug/ipsec_secgw.rst | 10 +++-
> examples/ipsec-secgw/ipsec-secgw.c | 92 +++++++++++++++++++++++++++-----
> 2 files changed, 87 insertions(+), 15 deletions(-)
>
> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
> index d6cfdbf..d04e153 100644
> --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> @@ -61,6 +61,12 @@ In case of complete protocol offload, the processing of headers(ESP and outer
> IP header) is done by the hardware and the application does not need to
> add/remove them during outbound/inbound processing.
>
> +For inline offloaded outbound traffic, the application need not do the LPM
> +lookup for routing, as the port on which the packet has to be forwarded, will
extra
comma......................................................................................................................^here
And maybe change need not to will not, to reflect the actual behavior.
> <snip>
>
> @@ -619,26 +660,49 @@ route6_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
> int32_t hop[MAX_PKT_BURST * 2];
> uint8_t dst_ip[MAX_PKT_BURST * 2][16];
> uint8_t *ip6_dst;
> + int32_t pkt_hop = 0;
> uint16_t i, offset;
> + uint16_t lpm_pkts = 0;
>
> if (nb_pkts == 0)
> return;
>
> + /* Need to do an LPM lookup for non-offload packets. Offload packets
> + * will have port ID in the SA
> + */
> +
> for (i = 0; i < nb_pkts; i++) {
> - offset = offsetof(struct ip6_hdr, ip6_dst);
> - ip6_dst = rte_pktmbuf_mtod_offset(pkts[i], uint8_t *, offset);
> - memcpy(&dst_ip[i][0], ip6_dst, 16);
> + if (!(pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD)) {
> + /* Security offload not enabled. So an LPM lookup is
> + * required to get the hop
> + */
> + offset = offsetof(struct ip6_hdr, ip6_dst);
> + ip6_dst = rte_pktmbuf_mtod_offset(pkts[i], uint8_t *,
> + offset);
> + memcpy(&dst_ip[lpm_pkts][0], ip6_dst, 16);
> + lpm_pkts++;
> + }
> }
>
> - rte_lpm6_lookup_bulk_func((struct rte_lpm6 *)rt_ctx, dst_ip,
> - hop, nb_pkts);
> + rte_lpm6_lookup_bulk_func((struct rte_lpm6 *)rt_ctx, dst_ip, hop,
> + lpm_pkts);
> +
> + lpm_pkts = 0;
>
> for (i = 0; i < nb_pkts; i++) {
> - if (hop[i] == -1) {
> + if ((pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD) == 0) {
The if condition is wrong here.
> + /* Read hop from the SA */
> + pkt_hop = get_hop_for_offload_pkt(pkts[i]);
> + } else {
> + /* Need to use hop returned by lookup */
> + pkt_hop = hop[lpm_pkts++];
> + }
> +
> + if (pkt_hop == -1) {
> rte_pktmbuf_free(pkts[i]);
> continue;
> }
> - send_single_packet(pkts[i], hop[i] & 0xff);
> + send_single_packet(pkts[i], pkt_hop & 0xff);
> }
> }
>
next prev parent reply other threads:[~2017-11-14 16:16 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-13 16:13 [PATCH] examples/ipsec-secgw: fix usage of incorrect port Anoob Joseph
2017-11-13 17:23 ` Radu Nicolau
2017-11-13 19:24 ` Anoob Joseph
2017-11-14 12:01 ` Nicolau, Radu
2017-11-14 15:37 ` [PATCH v2] " Anoob Joseph
2017-11-14 16:16 ` Radu Nicolau [this message]
2017-11-15 9:41 ` [PATCH v3] " Anoob Joseph
2017-11-24 9:28 ` Akhil Goyal
2017-11-24 9:58 ` Anoob
2017-11-24 10:49 ` Akhil Goyal
2017-11-29 4:21 ` Anoob Joseph
2017-12-04 7:49 ` Akhil Goyal
2017-12-06 11:08 ` Anoob
2017-12-11 10:26 ` Radu Nicolau
2017-12-11 10:38 ` Anoob Joseph
2017-12-11 15:35 ` [PATCH v4] " Anoob Joseph
2017-12-12 6:54 ` Anoob Joseph
2017-12-12 7:34 ` Akhil Goyal
2017-12-12 8:32 ` [PATCH v5] " Anoob Joseph
2017-12-12 11:27 ` Radu Nicolau
2017-12-14 9:01 ` De Lara Guarch, Pablo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6c2f2972-f491-dc26-285c-d3471b614802@intel.com \
--to=radu.nicolau@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=anoob.joseph@caviumnetworks.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=jerin.jacob@caviumnetworks.com \
--cc=narayanaprasad.athreya@caviumnetworks.com \
--cc=sergio.gonzalez.monroy@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.