From: "Iremonger, Bernard" <bernard.iremonger@intel.com>
To: Akhil Goyal <akhil.goyal@nxp.com>, "dev@dpdk.org" <dev@dpdk.org>,
"Ananyev, Konstantin" <konstantin.ananyev@intel.com>
Cc: "stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto
Date: Wed, 17 Apr 2019 12:53:43 +0000 [thread overview]
Message-ID: <8CEF83825BEC744B83065625E567D7C260D89D9F@IRSMSX108.ger.corp.intel.com> (raw)
In-Reply-To: <VI1PR04MB4893D4761707A6310E10929DE6250@VI1PR04MB4893.eurprd04.prod.outlook.com>
Hi Akhil,
> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Wednesday, April 17, 2019 12:52 PM
> To: Iremonger, Bernard <bernard.iremonger@intel.com>; dev@dpdk.org;
> Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Cc: stable@dpdk.org
> Subject: RE: [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped
> for inline crypto
>
> >
> > Inline crypto installs a flow rule in the NIC. This flow rule must be
> > installed before the first inbound packet is received.
> >
> > The create_session() function installs the flow rule.
> >
> > Refactor ipsec-secgw.c, sa.c, ipsec.h and ipsec.c to create sessions
> > at startup to fix the issue of the first packet being dropped for
> > inline crypto.
> >
> > The create_session() function is now called at initialisation in
> > sa_add_rules() which is called from sa_init().
> > The return code for add_rules is checked.
> > Calls to create_session() in other functions are dropped.
> >
> > Add crypto_devid_fill() in ipsec-secgw.c Add max_session_size() in
> > ipsec-secgw.c Add check_cryptodev_capability() in ipsec.c Add
> > check_cryptodev_aead_capability() in ipsec.c Add create_sec_session()
> > and create_crypto_session() in ipsec.c
> >
> > The crypto_dev_fill() function has been added to find the enabled
> > crypto devices.
> >
> > The max_session_size() function has been added to calculate memory
> > requirements.
> >
> > The check_cryptodev_capability() and check_cryptodev_aead_capability()
> > functions have been added to check that the SA is supported by the
> > crypto device.
> >
> > The create_session() function is refactored to use the
> > create_sec_session() and create_crypto_session() functions.
> >
> > The cryprodev_init() function has been refactored to drop calls to
> > rte_mempool_create() and to drop calculation of memory requirements.
> >
> > The main() function has been refactored to call crypto_devid_fill()
> > and max_session_size() and to call session_pool_init() and
> > session_priv_pool_init().
> > The ports are started now before adding a flow rule in main().
> > The sa_init(), sp4_init(), sp6_init() and rt_init() functions are now
> > called after the ports have been started.
> >
> > Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> > Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample
> > application")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
> > ---
> > examples/ipsec-secgw/ipsec-secgw.c | 271 +++++++++--------
> > examples/ipsec-secgw/ipsec.c | 569 +++++++++++++++++++-----------
> -----
> > examples/ipsec-secgw/ipsec.h | 10 +-
> > examples/ipsec-secgw/ipsec_process.c | 38 +--
> > examples/ipsec-secgw/sa.c | 42 ++-
> > 5 files changed, 495 insertions(+), 435 deletions(-)
> >
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> > secgw/ipsec-secgw.c index ffbd00b..cc8bb57 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > @@ -182,6 +182,14 @@ struct lcore_params {
> > uint8_t lcore_id;
> > } __rte_cache_aligned;
> >
> > +/*
> > + * Number of enabled crypto devices
> > + * This number is needed when checking crypto device capabilities */
> > +uint8_t crypto_dev_num;
> > +/* array of crypto device ID's */
> > +uint8_t crypto_devid[RTE_CRYPTO_MAX_DEVS];
> > +
> > static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
> >
> > static struct lcore_params *lcore_params; @@ -1623,13 +1631,27 @@
> > check_cryptodev_mask(uint8_t cdev_id)
> > return -1;
> > }
> >
> > +static void
> > +crypto_devid_fill(void)
> > +{
> > + uint32_t i, n;
> > +
> > + n = rte_cryptodev_count();
> > +
> > + for (i = 0; i != n; i++) {
> > + if (check_cryptodev_mask(i) == 0)
> > + crypto_devid[crypto_dev_num++] = i;
> > + }
> > +}
> > +
> > static int32_t
> > cryptodevs_init(void)
> > {
> > struct rte_cryptodev_config dev_conf;
> > struct rte_cryptodev_qp_conf qp_conf;
> > uint16_t idx, max_nb_qps, qp, i;
> > - int16_t cdev_id, port_id;
> > + int16_t cdev_id;
> > + uint32_t dev_max_sess;
> > struct rte_hash_parameters params = { 0 };
> >
> > params.entries = CDEV_MAP_ENTRIES;
> > @@ -1652,45 +1674,6 @@ cryptodevs_init(void)
> >
> > printf("lcore/cryptodev/qp mappings:\n");
> >
> > - uint32_t max_sess_sz = 0, sess_sz;
> > - for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
> > - void *sec_ctx;
> > -
> > - /* Get crypto priv session size */
> > - sess_sz =
> rte_cryptodev_sym_get_private_session_size(cdev_id);
> > - if (sess_sz > max_sess_sz)
> > - max_sess_sz = sess_sz;
> > -
> > - /*
> > - * If crypto device is security capable, need to check the
> > - * size of security session as well.
> > - */
> > -
> > - /* Get security context of the crypto device */
> > - sec_ctx = rte_cryptodev_get_sec_ctx(cdev_id);
> > - if (sec_ctx == NULL)
> > - continue;
> > -
> > - /* Get size of security session */
> > - sess_sz = rte_security_session_get_size(sec_ctx);
> > - if (sess_sz > max_sess_sz)
> > - max_sess_sz = sess_sz;
> > - }
> > - RTE_ETH_FOREACH_DEV(port_id) {
> > - void *sec_ctx;
> > -
> > - if ((enabled_port_mask & (1 << port_id)) == 0)
> > - continue;
> > -
> > - sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
> > - if (sec_ctx == NULL)
> > - continue;
> > -
> > - sess_sz = rte_security_session_get_size(sec_ctx);
> > - if (sess_sz > max_sess_sz)
> > - max_sess_sz = sess_sz;
> > - }
> > -
> > idx = 0;
> > for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
> > struct rte_cryptodev_info cdev_info; @@ -1722,51 +1705,12
> @@
> > cryptodevs_init(void)
> > dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
> > dev_conf.nb_queue_pairs = qp;
> >
> > - uint32_t dev_max_sess = cdev_info.sym.max_nb_sessions;
> > + dev_max_sess = cdev_info.sym.max_nb_sessions;
> > if (dev_max_sess != 0 && dev_max_sess <
> CDEV_MP_NB_OBJS)
> > rte_exit(EXIT_FAILURE,
> > "Device does not support at least %u "
> > "sessions", CDEV_MP_NB_OBJS);
> >
> > - if (!socket_ctx[dev_conf.socket_id].session_pool) {
> > - char mp_name[RTE_MEMPOOL_NAMESIZE];
> > - struct rte_mempool *sess_mp;
> > -
> > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
> > - "sess_mp_%u", dev_conf.socket_id);
> > - sess_mp =
> rte_cryptodev_sym_session_pool_create(
> > - mp_name, CDEV_MP_NB_OBJS,
> > - 0, CDEV_MP_CACHE_SZ, 0,
> > - dev_conf.socket_id);
> > - socket_ctx[dev_conf.socket_id].session_pool =
> > sess_mp;
> > - }
> > -
> > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool) {
> > - char mp_name[RTE_MEMPOOL_NAMESIZE];
> > - struct rte_mempool *sess_mp;
> > -
> > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
> > - "sess_mp_priv_%u",
> > dev_conf.socket_id);
> > - sess_mp = rte_mempool_create(mp_name,
> > - CDEV_MP_NB_OBJS,
> > - max_sess_sz,
> > - CDEV_MP_CACHE_SZ,
> > - 0, NULL, NULL, NULL,
> > - NULL, dev_conf.socket_id,
> > - 0);
> > - socket_ctx[dev_conf.socket_id].session_priv_pool =
> > - sess_mp;
> > - }
> > -
> > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool ||
> > -
> !socket_ctx[dev_conf.socket_id].session_pool)
> > - rte_exit(EXIT_FAILURE,
> > - "Cannot create session pool on socket %d\n",
> > - dev_conf.socket_id);
> > - else
> > - printf("Allocated session pool on socket %d\n",
> > - dev_conf.socket_id);
> > -
> > if (rte_cryptodev_configure(cdev_id, &dev_conf))
> > rte_panic("Failed to initialize cryptodev %u\n",
> > cdev_id);
> > @@ -1787,38 +1731,6 @@ cryptodevs_init(void)
> > cdev_id);
> > }
> >
> > - /* create session pools for eth devices that implement security */
> > - RTE_ETH_FOREACH_DEV(port_id) {
> > - if ((enabled_port_mask & (1 << port_id)) &&
> > - rte_eth_dev_get_sec_ctx(port_id)) {
> > - int socket_id = rte_eth_dev_socket_id(port_id);
> > -
> > - if (!socket_ctx[socket_id].session_pool) {
> > - char mp_name[RTE_MEMPOOL_NAMESIZE];
> > - struct rte_mempool *sess_mp;
> > -
> > - snprintf(mp_name,
> RTE_MEMPOOL_NAMESIZE,
> > - "sess_mp_%u", socket_id);
> > - sess_mp = rte_mempool_create(mp_name,
> > - (CDEV_MP_NB_OBJS * 2),
> > - max_sess_sz,
> > - CDEV_MP_CACHE_SZ,
> > - 0, NULL, NULL, NULL,
> > - NULL, socket_id,
> > - 0);
> > - if (sess_mp == NULL)
> > - rte_exit(EXIT_FAILURE,
> > - "Cannot create session pool "
> > - "on socket %d\n", socket_id);
> > - else
> > - printf("Allocated session pool "
> > - "on socket %d\n", socket_id);
> > - socket_ctx[socket_id].session_pool =
> sess_mp;
> > - }
> > - }
> > - }
> > -
> > -
> > printf("\n");
> >
> > return 0;
> > @@ -1984,6 +1896,98 @@ port_init(uint16_t portid, uint64_t
> > req_rx_offloads, uint64_t req_tx_offloads)
> > printf("\n");
> > }
> >
> > +static size_t
> > +max_session_size(void)
> > +{
> > + size_t max_sz, sz;
> > + void *sec_ctx;
> > + int16_t cdev_id, port_id, n;
> > +
> > + max_sz = 0;
> > + n = rte_cryptodev_count();
> > + for (cdev_id = 0; cdev_id != n; cdev_id++) {
> > + sz = rte_cryptodev_sym_get_private_session_size(cdev_id);
> > + if (sz > max_sz)
> > + max_sz = sz;
> > + /*
> > + * If crypto device is security capable, need to check the
> > + * size of security session as well.
> > + */
> > +
> > + /* Get security context of the crypto device */
> > + sec_ctx = rte_cryptodev_get_sec_ctx(cdev_id);
> > + if (sec_ctx == NULL)
> > + continue;
> > +
> > + /* Get size of security session */
> > + sz = rte_security_session_get_size(sec_ctx);
> > + if (sz > max_sz)
> > + max_sz = sz;
> > + }
> > +
> > + RTE_ETH_FOREACH_DEV(port_id) {
> > + if ((enabled_port_mask & (1 << port_id)) == 0)
> > + continue;
> > +
> > + sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
> > + if (sec_ctx == NULL)
> > + continue;
> > +
> > + sz = rte_security_session_get_size(sec_ctx);
> > + if (sz > max_sz)
> > + max_sz = sz;
> > + }
> > +
> > + return max_sz;
> > +}
> > +
> > +static void
> > +session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t
> > +sess_sz) {
> > + char mp_name[RTE_MEMPOOL_NAMESIZE];
> > + struct rte_mempool *sess_mp;
> > +
> > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
> > + "sess_mp_%u", socket_id);
> > + sess_mp = rte_cryptodev_sym_session_pool_create(
> > + mp_name, CDEV_MP_NB_OBJS,
> > + sess_sz, CDEV_MP_CACHE_SZ, 0,
> > + socket_id);
> > + ctx->session_pool = sess_mp;
> > +
> > + if (ctx->session_pool == NULL)
> > + rte_exit(EXIT_FAILURE,
> > + "Cannot init session pool on socket %d\n",
> socket_id);
> > + else
> > + printf("Allocated session pool on socket %d\n",
> socket_id);
> > +}
> > +
> > +static void
> > +session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
> > + size_t sess_sz)
> > +{
> > + char mp_name[RTE_MEMPOOL_NAMESIZE];
> > + struct rte_mempool *sess_mp;
> > +
> > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
> > + "sess_mp_priv_%u", socket_id);
> > + sess_mp = rte_mempool_create(mp_name,
> > + CDEV_MP_NB_OBJS,
> > + sess_sz,
> > + CDEV_MP_CACHE_SZ,
> > + 0, NULL, NULL, NULL,
> > + NULL, socket_id,
> > + 0);
> > + ctx->session_priv_pool = sess_mp;
> > + if (ctx->session_priv_pool == NULL)
> > + rte_exit(EXIT_FAILURE,
> > + "Cannot init session priv pool on socket %d\n",
> > + socket_id);
> > + else
> > + printf("Allocated session priv pool on socket %d\n",
> > + socket_id);
> > +}
> > +
> > static void
> > pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t
> > nb_mbuf) { @@ -2064,9 +2068,11 @@ main(int32_t argc, char **argv) {
> > int32_t ret;
> > uint32_t lcore_id;
> > + uint32_t i;
> > uint8_t socket_id;
> > uint16_t portid;
> > uint64_t req_rx_offloads, req_tx_offloads;
> > + size_t sess_sz;
> >
> > /* init EAL */
> > ret = rte_eal_init(argc, argv);
> > @@ -2094,7 +2100,10 @@ main(int32_t argc, char **argv)
> >
> > nb_lcores = rte_lcore_count();
> >
> > - /* Replicate each context per socket */
> > + crypto_devid_fill();
> > +
> > + sess_sz = max_session_size();
> > +
> > for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
> > if (rte_lcore_is_enabled(lcore_id) == 0)
> > continue;
> > @@ -2104,20 +2113,17 @@ main(int32_t argc, char **argv)
> > else
> > socket_id = 0;
> >
> > + /* mbuf_pool is initialised by the pool_init() function*/
> > if (socket_ctx[socket_id].mbuf_pool)
> > continue;
> >
> > - /* initilaze SPD */
> > - sp4_init(&socket_ctx[socket_id], socket_id);
> > -
> > - sp6_init(&socket_ctx[socket_id], socket_id);
> > -
> > - /* initilaze SAD */
> > - sa_init(&socket_ctx[socket_id], socket_id);
> > -
> > - rt_init(&socket_ctx[socket_id], socket_id);
> > -
> > pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
> > + session_pool_init(&socket_ctx[socket_id], socket_id,
> sess_sz);
> > + session_priv_pool_init(&socket_ctx[socket_id], socket_id,
> > + sess_sz);
> > +
> > + if (!numa_on)
> > + break;
> > }
> >
> > RTE_ETH_FOREACH_DEV(portid) {
> > @@ -2135,7 +2141,11 @@ main(int32_t argc, char **argv)
> > if ((enabled_port_mask & (1 << portid)) == 0)
> > continue;
> >
> > - /* Start device */
> > + /*
> > + * Start device
> > + * note: device must be started before a flow rule
> > + * can be installed.
> > + */
> > ret = rte_eth_dev_start(portid);
> > if (ret < 0)
> > rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
> > @@ -2153,6 +2163,19 @@ main(int32_t argc, char **argv)
> > RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback,
> NULL);
> > }
> >
> > + /* Replicate each context per socket */
> > + for (i = 0; i < NB_SOCKETS && i < rte_socket_count(); i++) {
> > + socket_id = rte_socket_id_by_idx(i);
> > + if ((socket_ctx[socket_id].mbuf_pool != NULL) &&
> > + (socket_ctx[socket_id].sa_in == NULL) &&
> > + (socket_ctx[socket_id].sa_out == NULL)) {
> > + sa_init(&socket_ctx[socket_id], socket_id);
> > + sp4_init(&socket_ctx[socket_id], socket_id);
> > + sp6_init(&socket_ctx[socket_id], socket_id);
> > + rt_init(&socket_ctx[socket_id], socket_id);
> > + }
> > + }
> > +
> > check_all_ports_link_status(enabled_port_mask);
> >
> > /* launch per-lcore init on every lcore */ diff --git
> > a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index
> > 4352cb8..e31d472 100644
> > --- a/examples/ipsec-secgw/ipsec.c
> > +++ b/examples/ipsec-secgw/ipsec.c
> > @@ -39,42 +39,17 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> > rte_security_ipsec_xform *ipsec)
> > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; }
> >
> > -int
> > -create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
> > +static int
> > +create_sec_session(struct ipsec_sa *sa, struct rte_mempool *pool)
> > {
> > - struct rte_cryptodev_info cdev_info;
> > - unsigned long cdev_id_qp = 0;
> > + const struct rte_security_capability *sec_cap;
> > + struct rte_security_ctx *ctx;
> > int32_t ret = 0;
> > - struct cdev_key key = { 0 };
> > -
> > - key.lcore_id = (uint8_t)rte_lcore_id();
> > -
> > - key.cipher_algo = (uint8_t)sa->cipher_algo;
> > - key.auth_algo = (uint8_t)sa->auth_algo;
> > - key.aead_algo = (uint8_t)sa->aead_algo;
> > -
> > - if (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) {
> > - ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
> > - (void **)&cdev_id_qp);
> > - if (ret < 0) {
> > - RTE_LOG(ERR, IPSEC,
> > - "No cryptodev: core %u, cipher_algo %u, "
> > - "auth_algo %u, aead_algo %u\n",
> > - key.lcore_id,
> > - key.cipher_algo,
> > - key.auth_algo,
> > - key.aead_algo);
> > - return -1;
> > - }
> > - }
> >
> > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on
> cryptodev
> > "
> > - "%u qp %u\n", sa->spi,
> > - ipsec_ctx->tbl[cdev_id_qp].id,
> > - ipsec_ctx->tbl[cdev_id_qp].qp);
> > + if ((sa == NULL) || (pool == NULL))
> > + return -EINVAL;
> >
> > - if (sa->type != RTE_SECURITY_ACTION_TYPE_NONE) {
> > - struct rte_security_session_conf sess_conf = {
> > + struct rte_security_session_conf sess_conf = {
> > .action_type = sa->type,
> > .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
> > {.ipsec = {
> > @@ -90,247 +65,340 @@ create_session(struct ipsec_ctx *ipsec_ctx,
> > struct ipsec_sa *sa)
> > } },
> > .crypto_xform = sa->xforms,
> > .userdata = NULL,
> > -
> > };
> >
> > - if (sa->type ==
> > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
> > - struct rte_security_ctx *ctx = (struct rte_security_ctx
> *)
> > -
> > rte_cryptodev_get_sec_ctx(
> > - ipsec_ctx-
> > >tbl[cdev_id_qp].id);
> > -
> > - /* Set IPsec parameters in conf */
> > - set_ipsec_conf(sa, &(sess_conf.ipsec));
> > -
> > - sa->sec_session = rte_security_session_create(ctx,
> > - &sess_conf, ipsec_ctx-
> >session_pool);
> > - if (sa->sec_session == NULL) {
> > - RTE_LOG(ERR, IPSEC,
> > - "SEC Session init failed: err: %d\n", ret);
> > - return -1;
> > - }
> > - } else if (sa->type ==
> > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
> > - struct rte_flow_error err;
> > - struct rte_security_ctx *ctx = (struct rte_security_ctx
> *)
> > -
> > rte_eth_dev_get_sec_ctx(
> > - sa->portid);
> > - const struct rte_security_capability *sec_cap;
> > - int ret = 0;
> > -
> > - sa->sec_session = rte_security_session_create(ctx,
> > - &sess_conf, ipsec_ctx-
> >session_pool);
> > - if (sa->sec_session == NULL) {
> > - RTE_LOG(ERR, IPSEC,
> > - "SEC Session init failed: err: %d\n", ret);
> > - return -1;
> > - }
> > + if (sa->type ==
> RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
> > + ctx = (struct rte_security_ctx *)
> > + rte_eth_dev_get_sec_ctx(sa->portid);
> >
> > - sec_cap = rte_security_capabilities_get(ctx);
> > + /* Set IPsec parameters in conf */
> > + set_ipsec_conf(sa, &(sess_conf.ipsec));
> >
> > - /* iterate until ESP tunnel*/
> > - while (sec_cap->action !=
> > -
> RTE_SECURITY_ACTION_TYPE_NONE)
> > {
> > + sa->sec_session = rte_security_session_create(ctx,
> > + &sess_conf, pool);
> > + if (sa->sec_session == NULL) {
> > + RTE_LOG(ERR, IPSEC,
> > + "SEC Session init failed: err: %d\n",
> > + ret);
> > + return -1;
> > + }
> > + } else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
> {
> > + struct rte_flow_error err;
> > + ctx = (struct rte_security_ctx *)
> > + rte_eth_dev_get_sec_ctx(sa->portid);
> > + sa->sec_session = rte_security_session_create(ctx,
> > + &sess_conf, pool);
> > + if (sa->sec_session == NULL) {
> > + RTE_LOG(ERR, IPSEC, "SEC Session init failed\n");
> > + return -1;
> > + }
> >
> > - if (sec_cap->action == sa->type &&
> > - sec_cap->protocol ==
> > - RTE_SECURITY_PROTOCOL_IPSEC &&
> > - sec_cap->ipsec.mode ==
> > -
> > RTE_SECURITY_IPSEC_SA_MODE_TUNNEL &&
> > - sec_cap->ipsec.direction == sa->direction)
> > - break;
> > - sec_cap++;
> > - }
> > + sec_cap = rte_security_capabilities_get(ctx);
> > +
> > + /* iterate until ESP tunnel*/
> > + while (sec_cap->action !=
> RTE_SECURITY_ACTION_TYPE_NONE)
> > {
> > + if (sec_cap->action == sa->type &&
> > + sec_cap->protocol ==
> > + RTE_SECURITY_PROTOCOL_IPSEC &&
> > + sec_cap->ipsec.mode ==
> > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL
> &&
> > + sec_cap->ipsec.direction == sa->direction)
> > + break;
> > + sec_cap++;
> > + }
> >
> > - if (sec_cap->action ==
> > RTE_SECURITY_ACTION_TYPE_NONE) {
> > - RTE_LOG(ERR, IPSEC,
> > + if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE)
> {
> > + RTE_LOG(ERR, IPSEC,
> > "No suitable security capability found\n");
> > return -1;
> > - }
> > + }
> >
> > - sa->ol_flags = sec_cap->ol_flags;
> > - sa->security_ctx = ctx;
> > - sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
> > -
> > - sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
> > - sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
> > - if (sa->flags & IP6_TUNNEL) {
> > - sa->pattern[1].spec = &sa->ipv6_spec;
> > - memcpy(sa->ipv6_spec.hdr.dst_addr,
> > - sa->dst.ip.ip6.ip6_b, 16);
> > - memcpy(sa->ipv6_spec.hdr.src_addr,
> > - sa->src.ip.ip6.ip6_b, 16);
> > - } else {
> > - sa->pattern[1].spec = &sa->ipv4_spec;
> > - sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
> > - sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
> > - }
> > + sa->ol_flags = sec_cap->ol_flags;
> > + sa->security_ctx = ctx;
> > + sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
> > +
> > + sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
> > + sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
> > + if (sa->flags & IP6_TUNNEL) {
> > + sa->pattern[1].spec = &sa->ipv6_spec;
> > + memcpy(sa->ipv6_spec.hdr.dst_addr,
> > + sa->dst.ip.ip6.ip6_b, 16);
> > + memcpy(sa->ipv6_spec.hdr.src_addr,
> > + sa->src.ip.ip6.ip6_b, 16);
> > + } else {
> > + sa->pattern[1].spec = &sa->ipv4_spec;
> > + sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
> > + sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
> > + }
> >
> > - sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
> > - sa->pattern[2].spec = &sa->esp_spec;
> > - sa->pattern[2].mask = &rte_flow_item_esp_mask;
> > - sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
> > + sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
> > + sa->pattern[2].spec = &sa->esp_spec;
> > + sa->pattern[2].mask = &rte_flow_item_esp_mask;
> > + sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
> >
> > - sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
> > + sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
> >
> > - sa->action[0].type =
> > RTE_FLOW_ACTION_TYPE_SECURITY;
> > - sa->action[0].conf = sa->sec_session;
> > + sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
> > + sa->action[0].conf = sa->sec_session;
> >
> > - sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
> > + sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
> >
> > - sa->attr.egress = (sa->direction ==
> > + sa->attr.egress = (sa->direction ==
> >
> > RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
> > - sa->attr.ingress = (sa->direction ==
> > + sa->attr.ingress = (sa->direction ==
> >
> > RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
> > - if (sa->attr.ingress) {
> > - uint8_t rss_key[40];
> > - struct rte_eth_rss_conf rss_conf = {
> > - .rss_key = rss_key,
> > - .rss_key_len = 40,
> > - };
> > - struct rte_eth_dev *eth_dev;
> > - uint16_t
> > queue[RTE_MAX_QUEUES_PER_PORT];
> > - struct rte_flow_action_rss action_rss;
> > - unsigned int i;
> > - unsigned int j;
> > -
> > - sa->action[2].type =
> > RTE_FLOW_ACTION_TYPE_END;
> > - /* Try RSS. */
> > - sa->action[1].type =
> > RTE_FLOW_ACTION_TYPE_RSS;
> > - sa->action[1].conf = &action_rss;
> > - eth_dev = ctx->device;
> > - rte_eth_dev_rss_hash_conf_get(sa->portid,
> > - &rss_conf);
> > - for (i = 0, j = 0;
> > - i < eth_dev->data->nb_rx_queues; ++i)
> > - if (eth_dev->data->rx_queues[i])
> > - queue[j++] = i;
> > + if (sa->attr.ingress) {
> > + uint8_t rss_key[40];
> > + struct rte_eth_rss_conf rss_conf = {
> > + .rss_key = rss_key,
> > + .rss_key_len = 40,
> > + };
> > + struct rte_eth_dev *eth_dev;
> > + uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
> > + struct rte_flow_action_rss action_rss;
> > + unsigned int i;
> > + unsigned int j;
> > +
> > + sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
> > + /* Try RSS. */
> > + sa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;
> > + sa->action[1].conf = &action_rss;
> > + eth_dev = ctx->device;
> > + rte_eth_dev_rss_hash_conf_get(sa->portid,
> > + &rss_conf);
> > + for (i = 0, j = 0; i < eth_dev->data->nb_rx_queues;
> > + ++i)
> > + if (eth_dev->data->rx_queues[i])
> > + queue[j++] = i;
> Compilation error
>
> /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c: In
> function 'create_sec_session':
> /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:169:4:
> error: this 'for' clause does not guard... [-Werror=misleading-indentation]
> for (i = 0, j = 0; i < eth_dev->data->nb_rx_queues;
> ^~~
> /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:173:5:
> note: ...this statement, but the latter is misleadingly indented as if it is
> guarded by the 'for'
> action_rss = (struct rte_flow_action_rss){
> ^~~~~~~~~~
>
<snip>
I will send a v4.
What compiler are you using?
Regards,
Bernard.
next prev parent reply other threads:[~2019-04-17 12:53 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-06 16:00 [PATCH 0/6] examples/ipsec-secgw: fix 1st pkt dropped Bernard Iremonger
2019-03-06 16:00 ` [PATCH 1/6] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-03-06 16:00 ` [PATCH 2/6] examples/ipsec-secgw: fix 1st packet dropped patch two Bernard Iremonger
2019-03-06 19:39 ` Ananyev, Konstantin
2019-03-07 9:54 ` Iremonger, Bernard
2019-03-06 16:00 ` [PATCH 3/6] examples/ipsec-secgw: fix 1st packet dropped patch three Bernard Iremonger
2019-03-06 16:00 ` [PATCH 4/6] examples/ipsec-secgw: fix debug in esp.c Bernard Iremonger
2019-03-06 16:00 ` [PATCH 5/6] examples/ipsec-secgw: fix debug in sa.c Bernard Iremonger
2019-03-06 16:00 ` [PATCH 6/6] examples/ipsec-secgw: fix debug in ipsec-secgw.c Bernard Iremonger
2019-03-06 16:14 ` [PATCH 0/6] examples/ipsec-secgw: fix 1st pkt dropped Akhil Goyal
2019-03-07 10:06 ` Iremonger, Bernard
2019-03-07 14:57 ` [PATCH v2 0/2] " Bernard Iremonger
2019-03-08 15:35 ` Ananyev, Konstantin
2019-04-04 13:28 ` [PATCH v3 " Bernard Iremonger
2019-04-05 11:15 ` [dpdk-dev] " Ananyev, Konstantin
2019-04-17 13:42 ` [dpdk-dev] [PATCH v4 " Bernard Iremonger
2019-06-06 11:12 ` [dpdk-dev] [PATCH v5 " Bernard Iremonger
2019-06-12 14:51 ` [dpdk-dev] [PATCH v6 " Bernard Iremonger
2019-07-10 11:23 ` [dpdk-dev] [PATCH v7 " Bernard Iremonger
2019-07-19 12:53 ` Akhil Goyal
2019-07-19 13:03 ` Iremonger, Bernard
2019-07-19 15:40 ` Iremonger, Bernard
2019-07-10 11:23 ` [dpdk-dev] [PATCH v7 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-07-10 11:23 ` [dpdk-dev] [PATCH v7 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-06-12 14:52 ` [dpdk-dev] [PATCH v6 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-06-13 12:34 ` Ananyev, Konstantin
2019-07-03 10:04 ` Akhil Goyal
2019-07-03 10:13 ` Iremonger, Bernard
2019-07-03 10:18 ` Akhil Goyal
2019-07-03 10:30 ` Iremonger, Bernard
2019-07-03 10:32 ` Akhil Goyal
2019-06-12 14:52 ` [dpdk-dev] [PATCH v6 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-06-13 12:34 ` Ananyev, Konstantin
2019-06-06 11:12 ` [dpdk-dev] [PATCH v5 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-06-11 15:29 ` Ananyev, Konstantin
2019-06-12 9:29 ` Iremonger, Bernard
2019-06-06 11:12 ` [dpdk-dev] [PATCH v5 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-04-17 13:42 ` [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Bernard Iremonger
2019-04-17 13:42 ` [dpdk-dev] [PATCH v4 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-04-04 13:28 ` [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Bernard Iremonger
2019-04-17 11:51 ` [dpdk-dev] " Akhil Goyal
2019-04-17 12:53 ` Iremonger, Bernard [this message]
2019-04-17 13:01 ` [dpdk-dev] [EXT] " Akhil Goyal
2019-04-04 13:28 ` [PATCH v3 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-03-07 14:57 ` [PATCH v2 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-03-22 13:18 ` Akhil Goyal
2019-03-26 10:22 ` Iremonger, Bernard
2019-03-26 11:04 ` Akhil Goyal
2019-03-26 11:41 ` Iremonger, Bernard
2019-03-26 11:48 ` Akhil Goyal
2019-03-26 12:29 ` Ananyev, Konstantin
2019-03-26 12:55 ` Akhil Goyal
2019-03-07 14:57 ` [PATCH v2 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8CEF83825BEC744B83065625E567D7C260D89D9F@IRSMSX108.ger.corp.intel.com \
--to=bernard.iremonger@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.