[PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

As agreed with Sergio and Pablo

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index c00d6d8..d814ac1 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -919,6 +919,7 @@ F: examples/helloworld/
 F: doc/guides/sample_app_ug/hello_world.rst
 
 M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
+M: Aviad Shaul Yehezkel <aviadye@mellanox.com>
 F: examples/ipsec-secgw/
 F: doc/guides/sample_app_ug/ipsec_secgw.rst
 
-- 
2.7.4

[PATCH 02/11] examples/ipsec-secgw: Fixed init of aead crypto devices

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

This was broken since new aead xfrom was introduced

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++----------
 examples/ipsec-secgw/ipsec.h       |  1 +
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 99dc270..7bf692c 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -1113,7 +1113,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
 		uint16_t qp, struct lcore_params *params,
 		struct ipsec_ctx *ipsec_ctx,
 		const struct rte_cryptodev_capabilities *cipher,
-		const struct rte_cryptodev_capabilities *auth)
+		const struct rte_cryptodev_capabilities *auth,
+		const struct rte_cryptodev_capabilities *aead)
 {
 	int32_t ret = 0;
 	unsigned long i;
@@ -1124,6 +1125,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
 		key.cipher_algo = cipher->sym.cipher.algo;
 	if (auth)
 		key.auth_algo = auth->sym.auth.algo;
+	if (aead)
+		key.aead_algo = aead->sym.aead.algo;
 
 	ret = rte_hash_lookup(map, &key);
 	if (ret != -ENOENT)
@@ -1192,19 +1195,25 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id,
 		if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
 			continue;
 
-		if (i->sym.xform_type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+		if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+			ret |= add_mapping(map, str, cdev_id, qp, params,
+					ipsec_ctx, NULL, NULL, i);
 			continue;
+		}
 
-		for (j = dev_info->capabilities;
-				j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) {
-			if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
-				continue;
+		if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+			for (j = dev_info->capabilities;
+					j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) {
+				if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
+					continue;
 
-			if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH)
-				continue;
+				if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH)
+					continue;
 
-			ret |= add_mapping(map, str, cdev_id, qp, params,
-					ipsec_ctx, i, j);
+				ret |= add_mapping(map, str, cdev_id, qp, params,
+						ipsec_ctx, i, j, NULL);
+			}
+			continue;
 		}
 	}
 
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index da1fb1b..7d057ae 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -150,6 +150,7 @@ struct cdev_key {
 	uint16_t lcore_id;
 	uint8_t cipher_algo;
 	uint8_t auth_algo;
+	uint8_t aead_algo;
 };
 
 struct socket_ctx {
-- 
2.7.4

[PATCH 03/11] examples/ipsec-secgw: Fixed create session also for aead

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Search for session also with aead key

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 examples/ipsec-secgw/ipsec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 0afb9d6..daa1d7b 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -56,13 +56,17 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
 
 	key.cipher_algo = (uint8_t)sa->cipher_algo;
 	key.auth_algo = (uint8_t)sa->auth_algo;
+	key.aead_algo = (uint8_t)sa->aead_algo;
 
 	ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
 			(void **)&cdev_id_qp);
 	if (ret < 0) {
 		RTE_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, "
-				"auth_algo %u\n", key.lcore_id, key.cipher_algo,
-				key.auth_algo);
+			"auth_algo %u aead_algo %u\n",
+			key.lcore_id,
+			key.cipher_algo,
+			key.auth_algo,
+			key.aead_algo);
 		return -1;
 	}
 
-- 
2.7.4

[PATCH 04/11] examples/ipsec-secgw: Fix aad_len for for aes-gcm support

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

This cause auth failure issue
Seems like this was broken for aes-gcm for a long time

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 examples/ipsec-secgw/sa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 7be0e62..ef94475 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -431,7 +431,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 			rule->aead_algo = algo->algo;
 			rule->cipher_key_len = algo->key_len;
 			rule->digest_len = algo->digest_len;
-			rule->aad_len = algo->key_len;
+			rule->aad_len = algo->aad_len;
 			rule->block_size = algo->block_size;
 			rule->iv_len = algo->iv_len;
 
-- 
2.7.4

[PATCH 05/11] examples/ipsec-secgw: Fixed transport

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Seems like transport was broken for a long time

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 examples/ipsec-secgw/esp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index 70bb81f..56ad7a0 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -306,8 +306,8 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 				sizeof(struct esp_hdr) + sa->iv_len);
 		memmove(new_ip, ip4, ip_hdr_len);
 		esp = (struct esp_hdr *)(new_ip + ip_hdr_len);
+		ip4 = (struct ip *)new_ip;
 		if (likely(ip4->ip_v == IPVERSION)) {
-			ip4 = (struct ip *)new_ip;
 			ip4->ip_p = IPPROTO_ESP;
 			ip4->ip_len = htons(rte_pktmbuf_data_len(m));
 		} else {
-- 
2.7.4

[PATCH 06/11] examples/ipsec-secgw: Added correct padding to tunnel mode

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 examples/ipsec-secgw/esp.c | 51 ++++++++++++++++++++++++++--------------------
 1 file changed, 29 insertions(+), 22 deletions(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index 56ad7a0..689e917 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -229,25 +229,26 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	uint8_t *padding, *new_ip, nlp;
 	struct rte_crypto_sym_op *sym_cop;
 	int32_t i;
-	uint16_t pad_payload_len, pad_len, ip_hdr_len;
+	uint16_t pad_payload_len, pad_len = 0;
+	uint16_t inner_ip_hdr_len = 0, ip_hdr_len = 0;
 
 	RTE_ASSERT(m != NULL);
 	RTE_ASSERT(sa != NULL);
+	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
+		   sa->flags == TRANSPORT);
 	RTE_ASSERT(cop != NULL);
 
-	ip_hdr_len = 0;
-
 	ip4 = rte_pktmbuf_mtod(m, struct ip *);
 	if (likely(ip4->ip_v == IPVERSION)) {
-		if (unlikely(sa->flags == TRANSPORT)) {
-			ip_hdr_len = ip4->ip_hl * 4;
+		ip_hdr_len = ip4->ip_hl * 4;
+		if (unlikely(sa->flags == TRANSPORT))
 			nlp = ip4->ip_p;
-		} else
+		else
 			nlp = IPPROTO_IPIP;
 	} else if (ip4->ip_v == IP6_VERSION) {
+		/* XXX No option headers supported */
+		ip_hdr_len = sizeof(struct ip6_hdr);
 		if (unlikely(sa->flags == TRANSPORT)) {
-			/* XXX No option headers supported */
-			ip_hdr_len = sizeof(struct ip6_hdr);
 			ip6 = (struct ip6_hdr *)ip4;
 			nlp = ip6->ip6_nxt;
 		} else
@@ -259,22 +260,28 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	}
 
 	/* Padded payload length */
-	pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) -
-			ip_hdr_len + 2, sa->block_size);
-	pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
-
-	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
-			sa->flags == TRANSPORT);
-
-	if (likely(sa->flags == IP4_TUNNEL))
+	if (unlikely(sa->flags == TRANSPORT)) {
+		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
+						 sizeof(nlp) + 1 - ip_hdr_len,
+						 sa->block_size);
+		pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
+	} else {
+		inner_ip_hdr_len = ip_hdr_len;
 		ip_hdr_len = sizeof(struct ip);
-	else if (sa->flags == IP6_TUNNEL)
-		ip_hdr_len = sizeof(struct ip6_hdr);
-	else if (sa->flags != TRANSPORT) {
-		RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
-				sa->flags);
-		return -EINVAL;
+		if (sa->flags == IP6_TUNNEL)
+			ip_hdr_len = sizeof(struct ip6_hdr);
+
+		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
+						 sizeof(nlp) + 1,
+						 sa->block_size);
+		pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m);
 	}
+	RTE_LOG(DEBUG, IPSEC_ESP, "rte_pktmbuf_pkt_len=%u "
+		"inner_ip_hdr_len=%u ip_hdr_len=%u "
+		"pad_payload_len=%u pad_len=%u\n",
+		rte_pktmbuf_pkt_len(m),
+		inner_ip_hdr_len, ip_hdr_len,
+		pad_payload_len, pad_len);
 
 	/* Check maximum packet size */
 	if (unlikely(ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len +
-- 
2.7.4

[PATCH 07/11] examples/ipsec-secgw: Fixed phyiscal address of aad

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 examples/ipsec-secgw/esp.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index 689e917..aa2233d 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -355,8 +355,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 		aad = get_aad(m);
 		memcpy(aad, esp, 8);
 		sym_cop->aead.aad.data = aad;
-		sym_cop->aead.aad.phys_addr = rte_pktmbuf_mtophys_offset(m,
-				aad - rte_pktmbuf_mtod(m, uint8_t *));
+		sym_cop->aead.aad.phys_addr = rte_mem_virt2phy(aad);
 
 		sym_cop->aead.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
 			rte_pktmbuf_pkt_len(m) - sa->digest_len);
-- 
2.7.4

[PATCH 08/11] examples/ipsec-secgw: iv should be be64

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

To be compatibile with Linux kernel

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 examples/ipsec-secgw/esp.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index aa2233d..81ebf55 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -336,7 +336,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
 		uint8_t *aad;
 
-		*iv = sa->seq;
+		*iv = rte_cpu_to_be_64(sa->seq);
 		sym_cop->aead.data.offset = ip_hdr_len +
 			sizeof(struct esp_hdr) + sa->iv_len;
 		sym_cop->aead.data.length = pad_payload_len;
@@ -349,7 +349,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 		struct cnt_blk *icb = get_cnt_blk(m);
 		icb->salt = sa->salt;
-		icb->iv = sa->seq;
+		icb->iv = rte_cpu_to_be_64(sa->seq);
 		icb->cnt = rte_cpu_to_be_32(1);
 
 		aad = get_aad(m);
@@ -371,7 +371,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 			sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
 			break;
 		case RTE_CRYPTO_CIPHER_AES_CTR:
-			*iv = sa->seq;
+			*iv = rte_cpu_to_be_64(sa->seq);
 			sym_cop->cipher.data.offset = ip_hdr_len +
 				sizeof(struct esp_hdr) + sa->iv_len;
 			sym_cop->cipher.data.length = pad_payload_len;
@@ -390,7 +390,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 		struct cnt_blk *icb = get_cnt_blk(m);
 		icb->salt = sa->salt;
-		icb->iv = sa->seq;
+		icb->iv = rte_cpu_to_be_64(sa->seq);
 		icb->cnt = rte_cpu_to_be_32(1);
 
 		switch (sa->auth_algo) {
-- 
2.7.4

[PATCH 09/11] examples/ipsec-secgw: Fixed ip length in case of transport

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

IP length was incorrect causing corrupted ICMP packets for example

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 examples/ipsec-secgw/esp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index 81ebf55..12c6f8c 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -205,13 +205,13 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
 		if (likely(ip->ip_v == IPVERSION)) {
 			memmove(ip4, ip, ip->ip_hl * 4);
 			ip4->ip_p = *nexthdr;
-			ip4->ip_len = htons(rte_pktmbuf_data_len(m));
+			ip4->ip_len = htons(rte_pktmbuf_pkt_len(m));
 		} else {
 			ip6 = (struct ip6_hdr *)ip4;
 			/* XXX No option headers supported */
 			memmove(ip6, ip, sizeof(struct ip6_hdr));
 			ip6->ip6_nxt = *nexthdr;
-			ip6->ip6_plen = htons(rte_pktmbuf_data_len(m));
+			ip6->ip6_plen = htons(rte_pktmbuf_pkt_len(m));
 		}
 	} else
 		ipip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);
-- 
2.7.4

[PATCH 10/11] app/testpmd: compile even if ixgbe anf bnxt pmds are not compiling

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
Signed-off-by: Nicolai Radu <radu.nicolai@intel.com>
---
 app/test-pmd/cmdline.c | 13 ++++++++++---
 app/test-pmd/config.c  | 12 +++++++++++-
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c
index bb19d72..e4a636e 100644
--- a/app/test-pmd/cmdline.c
+++ b/app/test-pmd/cmdline.c
@@ -7377,11 +7377,17 @@ struct cmd_set_vf_rxmode {
 };
 
 static void
-cmd_set_vf_rxmode_parsed(void *parsed_result,
-		       __attribute__((unused)) struct cmdline *cl,
-		       __attribute__((unused)) void *data)
+cmd_set_vf_rxmode_parsed(
+#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
+		void *parsed_result,
+#else
+		__attribute__((unused)) void *parsed_result,
+#endif
+		__attribute__((unused)) struct cmdline *cl,
+		__attribute__((unused)) void *data)
 {
 	int ret = -ENOTSUP;
+#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
 	uint16_t rx_mode = 0;
 	struct cmd_set_vf_rxmode *res = parsed_result;
 
@@ -7396,6 +7402,7 @@ cmd_set_vf_rxmode_parsed(void *parsed_result,
 		else if (!strncmp(res->mode, "MPE",3))
 			rx_mode |= ETH_VMDQ_ACCEPT_MULTICAST;
 	}
+#endif
 
 #ifdef RTE_LIBRTE_IXGBE_PMD
 	if (ret == -ENOTSUP)
diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
index bafe76c..d38ba82 100644
--- a/app/test-pmd/config.c
+++ b/app/test-pmd/config.c
@@ -3181,7 +3181,17 @@ set_queue_rate_limit(portid_t port_id, uint16_t queue_idx, uint16_t rate)
 }
 
 int
-set_vf_rate_limit(portid_t port_id, uint16_t vf, uint16_t rate, uint64_t q_msk)
+set_vf_rate_limit(
+		portid_t port_id,
+#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
+		uint16_t vf,
+		uint16_t rate,
+		uint64_t q_msk)
+#else
+		__attribute__((unused)) uint16_t vf,
+		__attribute__((unused)) uint16_t rate,
+		__attribute__((unused)) uint64_t q_msk)
+#endif
 {
 	int diag = -ENOTSUP;
 
-- 
2.7.4

[PATCH 11/11] examples/ipsec-secgw: Ethernet MAC configuration is now dynamic throw conf file

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 examples/ipsec-secgw/Makefile      |   1 +
 examples/ipsec-secgw/ep0.cfg       |   6 +
 examples/ipsec-secgw/ep1.cfg       |   6 +
 examples/ipsec-secgw/eth.c         | 238 +++++++++++++++++++++++++++++++++++++
 examples/ipsec-secgw/ipsec-secgw.c |  79 +++---------
 examples/ipsec-secgw/ipsec.h       |   8 ++
 examples/ipsec-secgw/parser.c      |  69 +++++++++++
 examples/ipsec-secgw/parser.h      |  35 ++++++
 8 files changed, 378 insertions(+), 64 deletions(-)
 create mode 100644 examples/ipsec-secgw/eth.c

diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
index 17e9155..0dacd3c 100644
--- a/examples/ipsec-secgw/Makefile
+++ b/examples/ipsec-secgw/Makefile
@@ -60,6 +60,7 @@ SRCS-y += sp4.c
 SRCS-y += sp6.c
 SRCS-y += sa.c
 SRCS-y += rt.c
+SRCS-y += eth.c
 SRCS-y += ipsec-secgw.c
 
 include $(RTE_SDK)/mk/rte.extapp.mk
diff --git a/examples/ipsec-secgw/ep0.cfg b/examples/ipsec-secgw/ep0.cfg
index 299aa9e..eda4499 100644
--- a/examples/ipsec-secgw/ep0.cfg
+++ b/examples/ipsec-secgw/ep0.cfg
@@ -158,3 +158,9 @@ rt ipv6 dst ffff:0000:0000:0000:5555:5555:0000:0000/116 port 2
 rt ipv6 dst ffff:0000:0000:0000:6666:6666:0000:0000/116 port 3
 rt ipv6 dst ffff:0000:1111:1111:0000:0000:0000:0000/116 port 2
 rt ipv6 dst ffff:0000:1111:1111:1111:1111:0000:0000/116 port 3
+
+#ETH Addresses
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:7e:94:9a port 0
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:22:a1:d9 port 1
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:08:69:26 port 2
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:49:9e:dd port 3
diff --git a/examples/ipsec-secgw/ep1.cfg b/examples/ipsec-secgw/ep1.cfg
index 3f6ff81..e6d4e26 100644
--- a/examples/ipsec-secgw/ep1.cfg
+++ b/examples/ipsec-secgw/ep1.cfg
@@ -158,3 +158,9 @@ rt ipv6 dst 0000:0000:0000:0000:5555:5555:0000:0000/116 port 2
 rt ipv6 dst 0000:0000:0000:0000:6666:6666:0000:0000/116 port 3
 rt ipv6 dst 0000:0000:1111:1111:0000:0000:0000:0000/116 port 2
 rt ipv6 dst 0000:0000:1111:1111:1111:1111:0000:0000/116 port 3
+
+#ETH Addresses
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:7e:94:9a port 0
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:22:a1:d9 port 1
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:08:69:26 port 2
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:49:9e:dd port 3
diff --git a/examples/ipsec-secgw/eth.c b/examples/ipsec-secgw/eth.c
new file mode 100644
index 0000000..b4f7120
--- /dev/null
+++ b/examples/ipsec-secgw/eth.c
@@ -0,0 +1,238 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Ethernet Address
+ */
+#include <stdint.h>
+#include <sys/types.h>
+#include <rte_ether.h>
+#include <rte_errno.h>
+#include <rte_ethdev.h>
+
+#include "ipsec.h"
+#include "parser.h"
+
+#define ETH_DST_MAX_RULES	1024
+
+struct addr {
+	uint8_t port;
+	struct ether_addr src;
+	struct ether_addr dst;
+};
+
+struct addr eth_addr[ETH_DST_MAX_RULES];
+uint32_t nb_eth_addr;
+
+void
+parse_eth_tokens(char **tokens, uint32_t n_tokens,
+	struct parse_status *status)
+{
+	uint32_t ti;
+	uint32_t *n_addr = NULL;
+	struct addr *addr = NULL;
+
+	if (strcmp(tokens[0], "addr") == 0) {
+		n_addr = &nb_eth_addr;
+		addr = &eth_addr[*n_addr];
+
+		APP_CHECK(*n_addr <= ETH_DST_MAX_RULES - 1, status,
+			"too many eth dst rules, abort insertion\n");
+		if (status->status < 0)
+			return;
+	} else {
+		APP_CHECK(0, status, "unrecognized input \"%s\"",
+			tokens[0]);
+		return;
+	}
+
+	for (ti = 1; ti < n_tokens; ti++) {
+		if (strcmp(tokens[ti], "src") == 0) {
+			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+			if (status->status < 0)
+				return;
+
+			if (addr != NULL) {
+				APP_CHECK(parse_eth_addr(tokens[ti],
+					  &addr->src) == 0, status,
+					  "unrecognized input \"%s\", "
+					  "expect valid src addr",
+					  tokens[ti]);
+				if (status->status < 0)
+					return;
+			} else {
+				APP_CHECK(0, status, "addr is NULL");
+			}
+		}
+
+		if (strcmp(tokens[ti], "dst") == 0) {
+			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+			if (status->status < 0)
+				return;
+
+			if (addr != NULL) {
+				APP_CHECK(parse_eth_addr(tokens[ti],
+					  &addr->dst) == 0, status,
+					  "unrecognized input \"%s\", "
+					  "expect valid dst addr",
+					  tokens[ti]);
+				if (status->status < 0)
+					return;
+			} else {
+				APP_CHECK(0, status, "addr is NULL");
+			}
+		}
+
+		if (strcmp(tokens[ti], "port") == 0) {
+			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+			if (status->status < 0)
+				return;
+
+			APP_CHECK_TOKEN_IS_NUM(tokens, ti, status);
+			if (status->status < 0)
+				return;
+
+			if (addr != NULL)
+				addr->port = atoi(tokens[ti]);
+			else
+				APP_CHECK(0, status, "addr is NULL");
+		}
+	}
+
+	*n_addr = *n_addr + 1;
+}
+
+static struct eth_ctx *
+eth_create(const char *name, int32_t socket_id)
+{
+	char s[PATH_MAX];
+	struct eth_ctx *eth_ctx;
+	uint32_t mz_size;
+	const struct rte_memzone *mz;
+
+	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
+
+	/* Create SA array table */
+	printf("Creating ETH context with %u maximum entries\n",
+			RTE_MAX_ETHPORTS);
+
+	mz_size = sizeof(struct eth_ctx) * RTE_MAX_ETHPORTS;
+	mz = rte_memzone_reserve(s, mz_size, socket_id,
+			RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
+	if (mz == NULL) {
+		printf("Failed to allocate SA DB memory\n");
+		rte_errno = -ENOMEM;
+		return NULL;
+	}
+	memset(mz->addr, 0, mz_size);
+
+	eth_ctx = (struct eth_ctx *)mz->addr;
+	return eth_ctx;
+}
+
+static void
+eth_ctx_dump(struct eth_ctx *eth_addr, uint32_t mask)
+{
+	char name[256];
+	uint32_t nb_ports;
+	uint8_t port;
+
+	nb_ports = rte_eth_dev_count();
+	for (port = 0; port < nb_ports; ++port) {
+		if ((mask & (1 << port)) == 0)
+			continue;
+
+		if (rte_eth_dev_get_name_by_port(port, name) < 0)
+			rte_exit(EXIT_FAILURE, "Unable to find name "
+					"to port=%d\n", port);
+
+		printf("%s-dst-0x%lx\n", name, eth_addr[port].dst);
+		printf("%s-src-0x%lx\n", name, eth_addr[port].src);
+	}
+}
+
+void
+eth_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t mask)
+{
+	const char *name;
+	uint32_t i, nb_ports;
+	uint8_t port;
+	struct ether_addr ethaddr;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->eth_addr != NULL)
+		rte_exit(EXIT_FAILURE, "ETH Address Table for socket %u "
+			"already initialized\n", socket_id);
+
+	if (nb_eth_addr == 0)
+		RTE_LOG(WARNING, IPSEC, "No ETH address rule specified\n");
+
+	/* create the ETH table */
+	name = "eth_addr";
+	ctx->eth_addr = eth_create(name, socket_id);
+	if (ctx->eth_addr == NULL)
+		rte_exit(EXIT_FAILURE, "Error [%d] creating ETH "
+				"context %s in socket %d\n", rte_errno,
+				name, socket_id);
+
+	/* populate the ETH table */
+	for (i = 0; i < nb_eth_addr; ++i) {
+		port = eth_addr[i].port;
+
+		if (ctx->eth_addr[port].dst != 0)
+			rte_exit(EXIT_FAILURE, "ETH destination address "
+					"for port %u already in use\n",
+					port);
+		if (ctx->eth_addr[port].src != 0)
+			rte_exit(EXIT_FAILURE, "ETH source address "
+					"for port %u already in use\n",
+					port);
+
+		ctx->eth_addr[port].dst = ETHADDR_TO_UINT64(eth_addr[i].dst);
+		ctx->eth_addr[port].src = ETHADDR_TO_UINT64(eth_addr[i].src);
+	}
+
+	nb_ports = rte_eth_dev_count();
+	for (port = 0; port < nb_ports; ++port) {
+		if ((mask & (1 << port)) == 0)
+			continue;
+
+		if (ctx->eth_addr[port].src == 0) {
+			rte_eth_macaddr_get(port, &ethaddr);
+			ctx->eth_addr[port].src = ETHADDR_TO_UINT64(ethaddr);
+		}
+	}
+	eth_ctx_dump(ctx->eth_addr, mask);
+}
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 7bf692c..787e14a 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -112,47 +112,6 @@
 static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
 static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
 
-#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
-#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
-	(((uint64_t)((a) & 0xff) << 56) | \
-	((uint64_t)((b) & 0xff) << 48) | \
-	((uint64_t)((c) & 0xff) << 40) | \
-	((uint64_t)((d) & 0xff) << 32) | \
-	((uint64_t)((e) & 0xff) << 24) | \
-	((uint64_t)((f) & 0xff) << 16) | \
-	((uint64_t)((g) & 0xff) << 8)  | \
-	((uint64_t)(h) & 0xff))
-#else
-#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
-	(((uint64_t)((h) & 0xff) << 56) | \
-	((uint64_t)((g) & 0xff) << 48) | \
-	((uint64_t)((f) & 0xff) << 40) | \
-	((uint64_t)((e) & 0xff) << 32) | \
-	((uint64_t)((d) & 0xff) << 24) | \
-	((uint64_t)((c) & 0xff) << 16) | \
-	((uint64_t)((b) & 0xff) << 8) | \
-	((uint64_t)(a) & 0xff))
-#endif
-#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
-
-#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
-		addr.addr_bytes[0], addr.addr_bytes[1], \
-		addr.addr_bytes[2], addr.addr_bytes[3], \
-		addr.addr_bytes[4], addr.addr_bytes[5], \
-		0, 0)
-
-/* port/source ethernet addr and destination ethernet addr */
-struct ethaddr_info {
-	uint64_t src, dst;
-};
-
-struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
-	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
-	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
-	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
-	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
-};
-
 /* mask of enabled ports */
 static uint32_t enabled_port_mask;
 static uint32_t unprotected_port_mask;
@@ -195,6 +154,7 @@ struct lcore_conf {
 	struct ipsec_ctx outbound;
 	struct rt_ctx *rt4_ctx;
 	struct rt_ctx *rt6_ctx;
+	struct eth_ctx *eth_addr;
 } __rte_cache_aligned;
 
 static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
@@ -290,7 +250,7 @@ prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
 }
 
 static inline void
-prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
+prepare_tx_pkt(struct rte_mbuf *pkt, uint64_t *src, uint64_t *dst)
 {
 	struct ip *ip;
 	struct ether_hdr *ethhdr;
@@ -313,25 +273,24 @@ prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
 		ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv6);
 	}
 
-	memcpy(&ethhdr->s_addr, &ethaddr_tbl[port].src,
-			sizeof(struct ether_addr));
-	memcpy(&ethhdr->d_addr, &ethaddr_tbl[port].dst,
-			sizeof(struct ether_addr));
+	memcpy(&ethhdr->s_addr, src, sizeof(struct ether_addr));
+	memcpy(&ethhdr->d_addr, dst, sizeof(struct ether_addr));
 }
 
 static inline void
-prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port)
+prepare_tx_burst(struct rte_mbuf *pkts[], uint64_t *src, uint64_t *dst,
+		 uint16_t nb_pkts)
 {
 	int32_t i;
 	const int32_t prefetch_offset = 2;
 
 	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
 		rte_mbuf_prefetch_part2(pkts[i + prefetch_offset]);
-		prepare_tx_pkt(pkts[i], port);
+		prepare_tx_pkt(pkts[i], src, dst);
 	}
 	/* Process left packets */
 	for (; i < nb_pkts; i++)
-		prepare_tx_pkt(pkts[i], port);
+		prepare_tx_pkt(pkts[i], src, dst);
 }
 
 /* Send burst of packets on an output interface */
@@ -341,11 +300,14 @@ send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port)
 	struct rte_mbuf **m_table;
 	int32_t ret;
 	uint16_t queueid;
+	uint64_t *src, *dst;
 
 	queueid = qconf->tx_queue_id[port];
 	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
+	src = &qconf->eth_addr[port].src;
+	dst = &qconf->eth_addr[port].dst;
 
-	prepare_tx_burst(m_table, n, port);
+	prepare_tx_burst(m_table, src, dst, n);
 
 	ret = rte_eth_tx_burst(port, queueid, m_table, n);
 	if (unlikely(ret < n)) {
@@ -706,6 +668,7 @@ main_loop(__attribute__((unused)) void *dummy)
 
 	qconf->rt4_ctx = socket_ctx[socket_id].rt_ip4;
 	qconf->rt6_ctx = socket_ctx[socket_id].rt_ip6;
+	qconf->eth_addr = socket_ctx[socket_id].eth_addr;
 	qconf->inbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_in;
 	qconf->inbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_in;
 	qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_in;
@@ -1045,14 +1008,6 @@ parse_args(int32_t argc, char **argv)
 	return ret;
 }
 
-static void
-print_ethaddr(const char *name, const struct ether_addr *eth_addr)
-{
-	char buf[ETHER_ADDR_FMT_SIZE];
-	ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
-	printf("%s%s", name, buf);
-}
-
 /* Check the link status of all ports in up to 9s, and print them finally */
 static void
 check_all_ports_link_status(uint8_t port_num, uint32_t port_mask)
@@ -1339,17 +1294,11 @@ port_init(uint8_t portid)
 	uint16_t tx_queueid, rx_queueid, queue, lcore_id;
 	int32_t ret, socket_id;
 	struct lcore_conf *qconf;
-	struct ether_addr ethaddr;
 
 	rte_eth_dev_info_get(portid, &dev_info);
 
 	printf("Configuring device port %u:\n", portid);
 
-	rte_eth_macaddr_get(portid, &ethaddr);
-	ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
-	print_ethaddr("Address: ", &ethaddr);
-	printf("\n");
-
 	nb_rx_queue = get_port_nb_rx_queues(portid);
 	nb_tx_queue = nb_lcores;
 
@@ -1499,6 +1448,8 @@ main(int32_t argc, char **argv)
 
 		rt_init(&socket_ctx[socket_id], socket_id);
 
+		eth_init(&socket_ctx[socket_id], socket_id, enabled_port_mask);
+
 		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
 	}
 
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 7d057ae..9e22b1b 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -153,6 +153,10 @@ struct cdev_key {
 	uint8_t aead_algo;
 };
 
+struct eth_ctx {
+	uint64_t src, dst;
+};
+
 struct socket_ctx {
 	struct sa_ctx *sa_in;
 	struct sa_ctx *sa_out;
@@ -162,6 +166,7 @@ struct socket_ctx {
 	struct sp_ctx *sp_ip6_out;
 	struct rt_ctx *rt_ip4;
 	struct rt_ctx *rt_ip6;
+	struct eth_ctx *eth_addr;
 	struct rte_mempool *mbuf_pool;
 	struct rte_mempool *session_pool;
 };
@@ -237,4 +242,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id);
 void
 rt_init(struct socket_ctx *ctx, int32_t socket_id);
 
+void
+eth_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t mask);
+
 #endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/parser.c b/examples/ipsec-secgw/parser.c
index 9d0ea46..24ca8c2 100644
--- a/examples/ipsec-secgw/parser.c
+++ b/examples/ipsec-secgw/parser.c
@@ -292,6 +292,30 @@ parse_ipv6_addr(const char *token, struct in6_addr *ipv6, uint32_t *mask)
 }
 
 int
+parse_eth_addr(const char *token, struct ether_addr *addr)
+{
+	char addr_str[256] = {0};
+	int i, values[6];
+
+	if (strlen(token) >= 256)
+		return -EINVAL;
+
+	strncpy(addr_str, token, strlen(token));
+
+	if (6 != sscanf(addr_str, "%02X:%02X:%02X:%02X:%02X:%02X",
+			&values[0], &values[1],
+			&values[2], &values[3],
+			&values[4], &values[5])) {
+		return -EINVAL;
+	}
+
+	for (i = 0; i < 6; ++i)
+		addr->addr_bytes[i] = (uint8_t)values[i];
+
+	return 0;
+}
+
+int
 parse_range(const char *token, uint16_t *low, uint16_t *high)
 {
 	char ch;
@@ -469,11 +493,55 @@ cmdline_parse_inst_t cfg_rt_add_rule = {
 	},
 };
 
+/* eth add parse */
+struct cfg_eth_add_cfg_item {
+	cmdline_fixed_string_t eth_keyword;
+	cmdline_multi_string_t multi_string;
+};
+
+static void
+cfg_eth_add_cfg_item_parsed(void *parsed_result,
+	__rte_unused struct cmdline *cl, void *data)
+{
+	struct cfg_eth_add_cfg_item *params = parsed_result;
+	char *tokens[32];
+	uint32_t n_tokens = RTE_DIM(tokens);
+	struct parse_status *status = (struct parse_status *)data;
+
+	APP_CHECK(parse_tokenize_string(
+		params->multi_string, tokens, &n_tokens) == 0,
+		status, "too many arguments\n");
+	if (status->status < 0)
+		return;
+
+	parse_eth_tokens(tokens, n_tokens, status);
+}
+
+static cmdline_parse_token_string_t cfg_eth_add_eth_str =
+	TOKEN_STRING_INITIALIZER(struct cfg_eth_add_cfg_item,
+		eth_keyword, "eth");
+
+static cmdline_parse_token_string_t cfg_eth_add_multi_str =
+	TOKEN_STRING_INITIALIZER(struct cfg_eth_add_cfg_item, multi_string,
+		TOKEN_STRING_MULTI);
+
+cmdline_parse_inst_t cfg_eth_add_rule = {
+	.f = cfg_eth_add_cfg_item_parsed,
+	.data = NULL,
+	.help_str = "",
+	.tokens = {
+		(void *) &cfg_eth_add_eth_str,
+		(void *) &cfg_eth_add_multi_str,
+		NULL,
+	},
+};
+
 /** set of cfg items */
 cmdline_parse_ctx_t ipsec_ctx[] = {
 	(cmdline_parse_inst_t *)&cfg_sp_add_rule,
 	(cmdline_parse_inst_t *)&cfg_sa_add_rule,
 	(cmdline_parse_inst_t *)&cfg_rt_add_rule,
+	(cmdline_parse_inst_t *)&cfg_eth_add_rule,
 	NULL,
 };
 
@@ -499,6 +567,7 @@ parse_cfg_file(const char *cfg_filename)
 	cfg_sp_add_rule.data = &status;
 	cfg_sa_add_rule.data = &status;
 	cfg_rt_add_rule.data = &status;
+	cfg_eth_add_rule.data = &status;
 
 	do {
 		char oneline[1024];
diff --git a/examples/ipsec-secgw/parser.h b/examples/ipsec-secgw/parser.h
index d31ae01..daa7997 100644
--- a/examples/ipsec-secgw/parser.h
+++ b/examples/ipsec-secgw/parser.h
@@ -85,6 +85,34 @@ do {									\
 	index++;							\
 } while (0)
 
+#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((a) & 0xff) << 56) | \
+	((uint64_t)((b) & 0xff) << 48) | \
+	((uint64_t)((c) & 0xff) << 40) | \
+	((uint64_t)((d) & 0xff) << 32) | \
+	((uint64_t)((e) & 0xff) << 24) | \
+	((uint64_t)((f) & 0xff) << 16) | \
+	((uint64_t)((g) & 0xff) << 8)  | \
+	((uint64_t)(h) & 0xff))
+#else
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((h) & 0xff) << 56) | \
+	((uint64_t)((g) & 0xff) << 48) | \
+	((uint64_t)((f) & 0xff) << 40) | \
+	((uint64_t)((e) & 0xff) << 32) | \
+	((uint64_t)((d) & 0xff) << 24) | \
+	((uint64_t)((c) & 0xff) << 16) | \
+	((uint64_t)((b) & 0xff) << 8) | \
+	((uint64_t)(a) & 0xff))
+#endif
+
+#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
+		addr.addr_bytes[0], addr.addr_bytes[1], \
+		addr.addr_bytes[2], addr.addr_bytes[3], \
+		addr.addr_bytes[4], addr.addr_bytes[5], \
+		0, 0)
+
 int
 parse_ipv4_addr(const char *token, struct in_addr *ipv4, uint32_t *mask);
 
@@ -92,6 +120,9 @@ int
 parse_ipv6_addr(const char *token, struct in6_addr *ipv6, uint32_t *mask);
 
 int
+parse_eth_addr(const char *token, struct ether_addr *addr);
+
+int
 parse_range(const char *token, uint16_t *low, uint16_t *high);
 
 void
@@ -110,6 +141,10 @@ void
 parse_rt_tokens(char **tokens, uint32_t n_tokens,
 	struct parse_status *status);
 
+void
+parse_eth_tokens(char **tokens, uint32_t n_tokens,
+	struct parse_status *status);
+
 int
 parse_cfg_file(const char *cfg_filename);
 
-- 
2.7.4

Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[Aviad Yehezkel]

On 10/14/2017 4:27 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> As agreed with Sergio and Pablo
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   MAINTAINERS | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index c00d6d8..d814ac1 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -919,6 +919,7 @@ F: examples/helloworld/
>   F: doc/guides/sample_app_ug/hello_world.rst
>   
>   M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> +M: Aviad Shaul Yehezkel <aviadye@mellanox.com>
>   F: examples/ipsec-secgw/
>   F: doc/guides/sample_app_ug/ipsec_secgw.rst
>   

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 02/11] examples/ipsec-secgw: Fixed init of aead crypto devices

[Aviad Yehezkel]

On 10/14/2017 4:27 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> This was broken since new aead xfrom was introduced
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++----------
>   examples/ipsec-secgw/ipsec.h       |  1 +
>   2 files changed, 20 insertions(+), 10 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 99dc270..7bf692c 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -1113,7 +1113,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
>   		uint16_t qp, struct lcore_params *params,
>   		struct ipsec_ctx *ipsec_ctx,
>   		const struct rte_cryptodev_capabilities *cipher,
> -		const struct rte_cryptodev_capabilities *auth)
> +		const struct rte_cryptodev_capabilities *auth,
> +		const struct rte_cryptodev_capabilities *aead)
>   {
>   	int32_t ret = 0;
>   	unsigned long i;
> @@ -1124,6 +1125,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
>   		key.cipher_algo = cipher->sym.cipher.algo;
>   	if (auth)
>   		key.auth_algo = auth->sym.auth.algo;
> +	if (aead)
> +		key.aead_algo = aead->sym.aead.algo;
>   
>   	ret = rte_hash_lookup(map, &key);
>   	if (ret != -ENOENT)
> @@ -1192,19 +1195,25 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id,
>   		if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
>   			continue;
>   
> -		if (i->sym.xform_type != RTE_CRYPTO_SYM_XFORM_CIPHER)
> +		if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_AEAD) {
> +			ret |= add_mapping(map, str, cdev_id, qp, params,
> +					ipsec_ctx, NULL, NULL, i);
>   			continue;
> +		}
>   
> -		for (j = dev_info->capabilities;
> -				j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) {
> -			if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
> -				continue;
> +		if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
> +			for (j = dev_info->capabilities;
> +					j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) {
> +				if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
> +					continue;
>   
> -			if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH)
> -				continue;
> +				if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH)
> +					continue;
>   
> -			ret |= add_mapping(map, str, cdev_id, qp, params,
> -					ipsec_ctx, i, j);
> +				ret |= add_mapping(map, str, cdev_id, qp, params,
> +						ipsec_ctx, i, j, NULL);
> +			}
> +			continue;
>   		}
>   	}
>   
> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> index da1fb1b..7d057ae 100644
> --- a/examples/ipsec-secgw/ipsec.h
> +++ b/examples/ipsec-secgw/ipsec.h
> @@ -150,6 +150,7 @@ struct cdev_key {
>   	uint16_t lcore_id;
>   	uint8_t cipher_algo;
>   	uint8_t auth_algo;
> +	uint8_t aead_algo;
>   };
>   
>   struct socket_ctx {

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 03/11] examples/ipsec-secgw: Fixed create session also for aead

[Aviad Yehezkel]

On 10/14/2017 4:27 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Search for session also with aead key
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/ipsec.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index 0afb9d6..daa1d7b 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -56,13 +56,17 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
>   
>   	key.cipher_algo = (uint8_t)sa->cipher_algo;
>   	key.auth_algo = (uint8_t)sa->auth_algo;
> +	key.aead_algo = (uint8_t)sa->aead_algo;
>   
>   	ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
>   			(void **)&cdev_id_qp);
>   	if (ret < 0) {
>   		RTE_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, "
> -				"auth_algo %u\n", key.lcore_id, key.cipher_algo,
> -				key.auth_algo);
> +			"auth_algo %u aead_algo %u\n",
> +			key.lcore_id,
> +			key.cipher_algo,
> +			key.auth_algo,
> +			key.aead_algo);
>   		return -1;
>   	}
>   

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 04/11] examples/ipsec-secgw: Fix aad_len for for aes-gcm support

[Aviad Yehezkel]

On 10/14/2017 4:27 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> This cause auth failure issue
> Seems like this was broken for aes-gcm for a long time
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/sa.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index 7be0e62..ef94475 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -431,7 +431,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
>   			rule->aead_algo = algo->algo;
>   			rule->cipher_key_len = algo->key_len;
>   			rule->digest_len = algo->digest_len;
> -			rule->aad_len = algo->key_len;
> +			rule->aad_len = algo->aad_len;
>   			rule->block_size = algo->block_size;
>   			rule->iv_len = algo->iv_len;
>   

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 05/11] examples/ipsec-secgw: Fixed transport

[Aviad Yehezkel]

On 10/14/2017 4:27 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Seems like transport was broken for a long time
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index 70bb81f..56ad7a0 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -306,8 +306,8 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   				sizeof(struct esp_hdr) + sa->iv_len);
>   		memmove(new_ip, ip4, ip_hdr_len);
>   		esp = (struct esp_hdr *)(new_ip + ip_hdr_len);
> +		ip4 = (struct ip *)new_ip;
>   		if (likely(ip4->ip_v == IPVERSION)) {
> -			ip4 = (struct ip *)new_ip;
>   			ip4->ip_p = IPPROTO_ESP;
>   			ip4->ip_len = htons(rte_pktmbuf_data_len(m));
>   		} else {

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 06/11] examples/ipsec-secgw: Added correct padding to tunnel mode

[Aviad Yehezkel]

On 10/14/2017 4:27 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 51 ++++++++++++++++++++++++++--------------------
>   1 file changed, 29 insertions(+), 22 deletions(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index 56ad7a0..689e917 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -229,25 +229,26 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   	uint8_t *padding, *new_ip, nlp;
>   	struct rte_crypto_sym_op *sym_cop;
>   	int32_t i;
> -	uint16_t pad_payload_len, pad_len, ip_hdr_len;
> +	uint16_t pad_payload_len, pad_len = 0;
> +	uint16_t inner_ip_hdr_len = 0, ip_hdr_len = 0;
>   
>   	RTE_ASSERT(m != NULL);
>   	RTE_ASSERT(sa != NULL);
> +	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
> +		   sa->flags == TRANSPORT);
>   	RTE_ASSERT(cop != NULL);
>   
> -	ip_hdr_len = 0;
> -
>   	ip4 = rte_pktmbuf_mtod(m, struct ip *);
>   	if (likely(ip4->ip_v == IPVERSION)) {
> -		if (unlikely(sa->flags == TRANSPORT)) {
> -			ip_hdr_len = ip4->ip_hl * 4;
> +		ip_hdr_len = ip4->ip_hl * 4;
> +		if (unlikely(sa->flags == TRANSPORT))
>   			nlp = ip4->ip_p;
> -		} else
> +		else
>   			nlp = IPPROTO_IPIP;
>   	} else if (ip4->ip_v == IP6_VERSION) {
> +		/* XXX No option headers supported */
> +		ip_hdr_len = sizeof(struct ip6_hdr);
>   		if (unlikely(sa->flags == TRANSPORT)) {
> -			/* XXX No option headers supported */
> -			ip_hdr_len = sizeof(struct ip6_hdr);
>   			ip6 = (struct ip6_hdr *)ip4;
>   			nlp = ip6->ip6_nxt;
>   		} else
> @@ -259,22 +260,28 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   	}
>   
>   	/* Padded payload length */
> -	pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) -
> -			ip_hdr_len + 2, sa->block_size);
> -	pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
> -
> -	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
> -			sa->flags == TRANSPORT);
> -
> -	if (likely(sa->flags == IP4_TUNNEL))
> +	if (unlikely(sa->flags == TRANSPORT)) {
> +		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
> +						 sizeof(nlp) + 1 - ip_hdr_len,
> +						 sa->block_size);
> +		pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
> +	} else {
> +		inner_ip_hdr_len = ip_hdr_len;
>   		ip_hdr_len = sizeof(struct ip);
> -	else if (sa->flags == IP6_TUNNEL)
> -		ip_hdr_len = sizeof(struct ip6_hdr);
> -	else if (sa->flags != TRANSPORT) {
> -		RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
> -				sa->flags);
> -		return -EINVAL;
> +		if (sa->flags == IP6_TUNNEL)
> +			ip_hdr_len = sizeof(struct ip6_hdr);
> +
> +		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
> +						 sizeof(nlp) + 1,
> +						 sa->block_size);
> +		pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m);
>   	}
> +	RTE_LOG(DEBUG, IPSEC_ESP, "rte_pktmbuf_pkt_len=%u "
> +		"inner_ip_hdr_len=%u ip_hdr_len=%u "
> +		"pad_payload_len=%u pad_len=%u\n",
> +		rte_pktmbuf_pkt_len(m),
> +		inner_ip_hdr_len, ip_hdr_len,
> +		pad_payload_len, pad_len);
>   
>   	/* Check maximum packet size */
>   	if (unlikely(ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len +

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 07/11] examples/ipsec-secgw: Fixed phyiscal address of aad

[Aviad Yehezkel]

On 10/14/2017 4:27 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index 689e917..aa2233d 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -355,8 +355,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   		aad = get_aad(m);
>   		memcpy(aad, esp, 8);
>   		sym_cop->aead.aad.data = aad;
> -		sym_cop->aead.aad.phys_addr = rte_pktmbuf_mtophys_offset(m,
> -				aad - rte_pktmbuf_mtod(m, uint8_t *));
> +		sym_cop->aead.aad.phys_addr = rte_mem_virt2phy(aad);
>   
>   		sym_cop->aead.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
>   			rte_pktmbuf_pkt_len(m) - sa->digest_len);

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 08/11] examples/ipsec-secgw: iv should be be64

[Aviad Yehezkel]

On 10/14/2017 4:28 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> To be compatibile with Linux kernel
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index aa2233d..81ebf55 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -336,7 +336,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
>   		uint8_t *aad;
>   
> -		*iv = sa->seq;
> +		*iv = rte_cpu_to_be_64(sa->seq);
>   		sym_cop->aead.data.offset = ip_hdr_len +
>   			sizeof(struct esp_hdr) + sa->iv_len;
>   		sym_cop->aead.data.length = pad_payload_len;
> @@ -349,7 +349,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   
>   		struct cnt_blk *icb = get_cnt_blk(m);
>   		icb->salt = sa->salt;
> -		icb->iv = sa->seq;
> +		icb->iv = rte_cpu_to_be_64(sa->seq);
>   		icb->cnt = rte_cpu_to_be_32(1);
>   
>   		aad = get_aad(m);
> @@ -371,7 +371,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   			sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
>   			break;
>   		case RTE_CRYPTO_CIPHER_AES_CTR:
> -			*iv = sa->seq;
> +			*iv = rte_cpu_to_be_64(sa->seq);
>   			sym_cop->cipher.data.offset = ip_hdr_len +
>   				sizeof(struct esp_hdr) + sa->iv_len;
>   			sym_cop->cipher.data.length = pad_payload_len;
> @@ -390,7 +390,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   
>   		struct cnt_blk *icb = get_cnt_blk(m);
>   		icb->salt = sa->salt;
> -		icb->iv = sa->seq;
> +		icb->iv = rte_cpu_to_be_64(sa->seq);
>   		icb->cnt = rte_cpu_to_be_32(1);
>   
>   		switch (sa->auth_algo) {

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 09/11] examples/ipsec-secgw: Fixed ip length in case of transport

[Aviad Yehezkel]

On 10/14/2017 4:28 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> IP length was incorrect causing corrupted ICMP packets for example
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index 81ebf55..12c6f8c 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -205,13 +205,13 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
>   		if (likely(ip->ip_v == IPVERSION)) {
>   			memmove(ip4, ip, ip->ip_hl * 4);
>   			ip4->ip_p = *nexthdr;
> -			ip4->ip_len = htons(rte_pktmbuf_data_len(m));
> +			ip4->ip_len = htons(rte_pktmbuf_pkt_len(m));
>   		} else {
>   			ip6 = (struct ip6_hdr *)ip4;
>   			/* XXX No option headers supported */
>   			memmove(ip6, ip, sizeof(struct ip6_hdr));
>   			ip6->ip6_nxt = *nexthdr;
> -			ip6->ip6_plen = htons(rte_pktmbuf_data_len(m));
> +			ip6->ip6_plen = htons(rte_pktmbuf_pkt_len(m));
>   		}
>   	} else
>   		ipip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 10/11] app/testpmd: compile even if ixgbe anf bnxt pmds are not compiling

[Aviad Yehezkel]

On 10/14/2017 4:28 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> Signed-off-by: Nicolai Radu <radu.nicolai@intel.com>
> ---
>   app/test-pmd/cmdline.c | 13 ++++++++++---
>   app/test-pmd/config.c  | 12 +++++++++++-
>   2 files changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c
> index bb19d72..e4a636e 100644
> --- a/app/test-pmd/cmdline.c
> +++ b/app/test-pmd/cmdline.c
> @@ -7377,11 +7377,17 @@ struct cmd_set_vf_rxmode {
>   };
>   
>   static void
> -cmd_set_vf_rxmode_parsed(void *parsed_result,
> -		       __attribute__((unused)) struct cmdline *cl,
> -		       __attribute__((unused)) void *data)
> +cmd_set_vf_rxmode_parsed(
> +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
> +		void *parsed_result,
> +#else
> +		__attribute__((unused)) void *parsed_result,
> +#endif
> +		__attribute__((unused)) struct cmdline *cl,
> +		__attribute__((unused)) void *data)
>   {
>   	int ret = -ENOTSUP;
> +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
>   	uint16_t rx_mode = 0;
>   	struct cmd_set_vf_rxmode *res = parsed_result;
>   
> @@ -7396,6 +7402,7 @@ cmd_set_vf_rxmode_parsed(void *parsed_result,
>   		else if (!strncmp(res->mode, "MPE",3))
>   			rx_mode |= ETH_VMDQ_ACCEPT_MULTICAST;
>   	}
> +#endif
>   
>   #ifdef RTE_LIBRTE_IXGBE_PMD
>   	if (ret == -ENOTSUP)
> diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
> index bafe76c..d38ba82 100644
> --- a/app/test-pmd/config.c
> +++ b/app/test-pmd/config.c
> @@ -3181,7 +3181,17 @@ set_queue_rate_limit(portid_t port_id, uint16_t queue_idx, uint16_t rate)
>   }
>   
>   int
> -set_vf_rate_limit(portid_t port_id, uint16_t vf, uint16_t rate, uint64_t q_msk)
> +set_vf_rate_limit(
> +		portid_t port_id,
> +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
> +		uint16_t vf,
> +		uint16_t rate,
> +		uint64_t q_msk)
> +#else
> +		__attribute__((unused)) uint16_t vf,
> +		__attribute__((unused)) uint16_t rate,
> +		__attribute__((unused)) uint64_t q_msk)
> +#endif
>   {
>   	int diag = -ENOTSUP;
>   

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 11/11] examples/ipsec-secgw: Ethernet MAC configuration is now dynamic throw conf file

[Aviad Yehezkel]

On 10/14/2017 4:28 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/Makefile      |   1 +
>   examples/ipsec-secgw/ep0.cfg       |   6 +
>   examples/ipsec-secgw/ep1.cfg       |   6 +
>   examples/ipsec-secgw/eth.c         | 238 +++++++++++++++++++++++++++++++++++++
>   examples/ipsec-secgw/ipsec-secgw.c |  79 +++---------
>   examples/ipsec-secgw/ipsec.h       |   8 ++
>   examples/ipsec-secgw/parser.c      |  69 +++++++++++
>   examples/ipsec-secgw/parser.h      |  35 ++++++
>   8 files changed, 378 insertions(+), 64 deletions(-)
>   create mode 100644 examples/ipsec-secgw/eth.c
>
> diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
> index 17e9155..0dacd3c 100644
> --- a/examples/ipsec-secgw/Makefile
> +++ b/examples/ipsec-secgw/Makefile
> @@ -60,6 +60,7 @@ SRCS-y += sp4.c
>   SRCS-y += sp6.c
>   SRCS-y += sa.c
>   SRCS-y += rt.c
> +SRCS-y += eth.c
>   SRCS-y += ipsec-secgw.c
>   
>   include $(RTE_SDK)/mk/rte.extapp.mk
> diff --git a/examples/ipsec-secgw/ep0.cfg b/examples/ipsec-secgw/ep0.cfg
> index 299aa9e..eda4499 100644
> --- a/examples/ipsec-secgw/ep0.cfg
> +++ b/examples/ipsec-secgw/ep0.cfg
> @@ -158,3 +158,9 @@ rt ipv6 dst ffff:0000:0000:0000:5555:5555:0000:0000/116 port 2
>   rt ipv6 dst ffff:0000:0000:0000:6666:6666:0000:0000/116 port 3
>   rt ipv6 dst ffff:0000:1111:1111:0000:0000:0000:0000/116 port 2
>   rt ipv6 dst ffff:0000:1111:1111:1111:1111:0000:0000/116 port 3
> +
> +#ETH Addresses
> +eth addr src 00:00:00:00:00:00 dst 00:16:3e:7e:94:9a port 0
> +eth addr src 00:00:00:00:00:00 dst 00:16:3e:22:a1:d9 port 1
> +eth addr src 00:00:00:00:00:00 dst 00:16:3e:08:69:26 port 2
> +eth addr src 00:00:00:00:00:00 dst 00:16:3e:49:9e:dd port 3
> diff --git a/examples/ipsec-secgw/ep1.cfg b/examples/ipsec-secgw/ep1.cfg
> index 3f6ff81..e6d4e26 100644
> --- a/examples/ipsec-secgw/ep1.cfg
> +++ b/examples/ipsec-secgw/ep1.cfg
> @@ -158,3 +158,9 @@ rt ipv6 dst 0000:0000:0000:0000:5555:5555:0000:0000/116 port 2
>   rt ipv6 dst 0000:0000:0000:0000:6666:6666:0000:0000/116 port 3
>   rt ipv6 dst 0000:0000:1111:1111:0000:0000:0000:0000/116 port 2
>   rt ipv6 dst 0000:0000:1111:1111:1111:1111:0000:0000/116 port 3
> +
> +#ETH Addresses
> +eth addr src 00:00:00:00:00:00 dst 00:16:3e:7e:94:9a port 0
> +eth addr src 00:00:00:00:00:00 dst 00:16:3e:22:a1:d9 port 1
> +eth addr src 00:00:00:00:00:00 dst 00:16:3e:08:69:26 port 2
> +eth addr src 00:00:00:00:00:00 dst 00:16:3e:49:9e:dd port 3
> diff --git a/examples/ipsec-secgw/eth.c b/examples/ipsec-secgw/eth.c
> new file mode 100644
> index 0000000..b4f7120
> --- /dev/null
> +++ b/examples/ipsec-secgw/eth.c
> @@ -0,0 +1,238 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +/*
> + * Ethernet Address
> + */
> +#include <stdint.h>
> +#include <sys/types.h>
> +#include <rte_ether.h>
> +#include <rte_errno.h>
> +#include <rte_ethdev.h>
> +
> +#include "ipsec.h"
> +#include "parser.h"
> +
> +#define ETH_DST_MAX_RULES	1024
> +
> +struct addr {
> +	uint8_t port;
> +	struct ether_addr src;
> +	struct ether_addr dst;
> +};
> +
> +struct addr eth_addr[ETH_DST_MAX_RULES];
> +uint32_t nb_eth_addr;
> +
> +void
> +parse_eth_tokens(char **tokens, uint32_t n_tokens,
> +	struct parse_status *status)
> +{
> +	uint32_t ti;
> +	uint32_t *n_addr = NULL;
> +	struct addr *addr = NULL;
> +
> +	if (strcmp(tokens[0], "addr") == 0) {
> +		n_addr = &nb_eth_addr;
> +		addr = &eth_addr[*n_addr];
> +
> +		APP_CHECK(*n_addr <= ETH_DST_MAX_RULES - 1, status,
> +			"too many eth dst rules, abort insertion\n");
> +		if (status->status < 0)
> +			return;
> +	} else {
> +		APP_CHECK(0, status, "unrecognized input \"%s\"",
> +			tokens[0]);
> +		return;
> +	}
> +
> +	for (ti = 1; ti < n_tokens; ti++) {
> +		if (strcmp(tokens[ti], "src") == 0) {
> +			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
> +			if (status->status < 0)
> +				return;
> +
> +			if (addr != NULL) {
> +				APP_CHECK(parse_eth_addr(tokens[ti],
> +					  &addr->src) == 0, status,
> +					  "unrecognized input \"%s\", "
> +					  "expect valid src addr",
> +					  tokens[ti]);
> +				if (status->status < 0)
> +					return;
> +			} else {
> +				APP_CHECK(0, status, "addr is NULL");
> +			}
> +		}
> +
> +		if (strcmp(tokens[ti], "dst") == 0) {
> +			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
> +			if (status->status < 0)
> +				return;
> +
> +			if (addr != NULL) {
> +				APP_CHECK(parse_eth_addr(tokens[ti],
> +					  &addr->dst) == 0, status,
> +					  "unrecognized input \"%s\", "
> +					  "expect valid dst addr",
> +					  tokens[ti]);
> +				if (status->status < 0)
> +					return;
> +			} else {
> +				APP_CHECK(0, status, "addr is NULL");
> +			}
> +		}
> +
> +		if (strcmp(tokens[ti], "port") == 0) {
> +			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
> +			if (status->status < 0)
> +				return;
> +
> +			APP_CHECK_TOKEN_IS_NUM(tokens, ti, status);
> +			if (status->status < 0)
> +				return;
> +
> +			if (addr != NULL)
> +				addr->port = atoi(tokens[ti]);
> +			else
> +				APP_CHECK(0, status, "addr is NULL");
> +		}
> +	}
> +
> +	*n_addr = *n_addr + 1;
> +}
> +
> +static struct eth_ctx *
> +eth_create(const char *name, int32_t socket_id)
> +{
> +	char s[PATH_MAX];
> +	struct eth_ctx *eth_ctx;
> +	uint32_t mz_size;
> +	const struct rte_memzone *mz;
> +
> +	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
> +
> +	/* Create SA array table */
> +	printf("Creating ETH context with %u maximum entries\n",
> +			RTE_MAX_ETHPORTS);
> +
> +	mz_size = sizeof(struct eth_ctx) * RTE_MAX_ETHPORTS;
> +	mz = rte_memzone_reserve(s, mz_size, socket_id,
> +			RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
> +	if (mz == NULL) {
> +		printf("Failed to allocate SA DB memory\n");
> +		rte_errno = -ENOMEM;
> +		return NULL;
> +	}
> +	memset(mz->addr, 0, mz_size);
> +
> +	eth_ctx = (struct eth_ctx *)mz->addr;
> +	return eth_ctx;
> +}
> +
> +static void
> +eth_ctx_dump(struct eth_ctx *eth_addr, uint32_t mask)
> +{
> +	char name[256];
> +	uint32_t nb_ports;
> +	uint8_t port;
> +
> +	nb_ports = rte_eth_dev_count();
> +	for (port = 0; port < nb_ports; ++port) {
> +		if ((mask & (1 << port)) == 0)
> +			continue;
> +
> +		if (rte_eth_dev_get_name_by_port(port, name) < 0)
> +			rte_exit(EXIT_FAILURE, "Unable to find name "
> +					"to port=%d\n", port);
> +
> +		printf("%s-dst-0x%lx\n", name, eth_addr[port].dst);
> +		printf("%s-src-0x%lx\n", name, eth_addr[port].src);
> +	}
> +}
> +
> +void
> +eth_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t mask)
> +{
> +	const char *name;
> +	uint32_t i, nb_ports;
> +	uint8_t port;
> +	struct ether_addr ethaddr;
> +
> +	if (ctx == NULL)
> +		rte_exit(EXIT_FAILURE, "NULL context.\n");
> +
> +	if (ctx->eth_addr != NULL)
> +		rte_exit(EXIT_FAILURE, "ETH Address Table for socket %u "
> +			"already initialized\n", socket_id);
> +
> +	if (nb_eth_addr == 0)
> +		RTE_LOG(WARNING, IPSEC, "No ETH address rule specified\n");
> +
> +	/* create the ETH table */
> +	name = "eth_addr";
> +	ctx->eth_addr = eth_create(name, socket_id);
> +	if (ctx->eth_addr == NULL)
> +		rte_exit(EXIT_FAILURE, "Error [%d] creating ETH "
> +				"context %s in socket %d\n", rte_errno,
> +				name, socket_id);
> +
> +	/* populate the ETH table */
> +	for (i = 0; i < nb_eth_addr; ++i) {
> +		port = eth_addr[i].port;
> +
> +		if (ctx->eth_addr[port].dst != 0)
> +			rte_exit(EXIT_FAILURE, "ETH destination address "
> +					"for port %u already in use\n",
> +					port);
> +		if (ctx->eth_addr[port].src != 0)
> +			rte_exit(EXIT_FAILURE, "ETH source address "
> +					"for port %u already in use\n",
> +					port);
> +
> +		ctx->eth_addr[port].dst = ETHADDR_TO_UINT64(eth_addr[i].dst);
> +		ctx->eth_addr[port].src = ETHADDR_TO_UINT64(eth_addr[i].src);
> +	}
> +
> +	nb_ports = rte_eth_dev_count();
> +	for (port = 0; port < nb_ports; ++port) {
> +		if ((mask & (1 << port)) == 0)
> +			continue;
> +
> +		if (ctx->eth_addr[port].src == 0) {
> +			rte_eth_macaddr_get(port, &ethaddr);
> +			ctx->eth_addr[port].src = ETHADDR_TO_UINT64(ethaddr);
> +		}
> +	}
> +	eth_ctx_dump(ctx->eth_addr, mask);
> +}
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 7bf692c..787e14a 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -112,47 +112,6 @@
>   static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
>   static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
>   
> -#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
> -#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
> -	(((uint64_t)((a) & 0xff) << 56) | \
> -	((uint64_t)((b) & 0xff) << 48) | \
> -	((uint64_t)((c) & 0xff) << 40) | \
> -	((uint64_t)((d) & 0xff) << 32) | \
> -	((uint64_t)((e) & 0xff) << 24) | \
> -	((uint64_t)((f) & 0xff) << 16) | \
> -	((uint64_t)((g) & 0xff) << 8)  | \
> -	((uint64_t)(h) & 0xff))
> -#else
> -#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
> -	(((uint64_t)((h) & 0xff) << 56) | \
> -	((uint64_t)((g) & 0xff) << 48) | \
> -	((uint64_t)((f) & 0xff) << 40) | \
> -	((uint64_t)((e) & 0xff) << 32) | \
> -	((uint64_t)((d) & 0xff) << 24) | \
> -	((uint64_t)((c) & 0xff) << 16) | \
> -	((uint64_t)((b) & 0xff) << 8) | \
> -	((uint64_t)(a) & 0xff))
> -#endif
> -#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
> -
> -#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
> -		addr.addr_bytes[0], addr.addr_bytes[1], \
> -		addr.addr_bytes[2], addr.addr_bytes[3], \
> -		addr.addr_bytes[4], addr.addr_bytes[5], \
> -		0, 0)
> -
> -/* port/source ethernet addr and destination ethernet addr */
> -struct ethaddr_info {
> -	uint64_t src, dst;
> -};
> -
> -struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
> -	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
> -	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
> -	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
> -	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
> -};
> -
>   /* mask of enabled ports */
>   static uint32_t enabled_port_mask;
>   static uint32_t unprotected_port_mask;
> @@ -195,6 +154,7 @@ struct lcore_conf {
>   	struct ipsec_ctx outbound;
>   	struct rt_ctx *rt4_ctx;
>   	struct rt_ctx *rt6_ctx;
> +	struct eth_ctx *eth_addr;
>   } __rte_cache_aligned;
>   
>   static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
> @@ -290,7 +250,7 @@ prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
>   }
>   
>   static inline void
> -prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
> +prepare_tx_pkt(struct rte_mbuf *pkt, uint64_t *src, uint64_t *dst)
>   {
>   	struct ip *ip;
>   	struct ether_hdr *ethhdr;
> @@ -313,25 +273,24 @@ prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
>   		ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv6);
>   	}
>   
> -	memcpy(&ethhdr->s_addr, &ethaddr_tbl[port].src,
> -			sizeof(struct ether_addr));
> -	memcpy(&ethhdr->d_addr, &ethaddr_tbl[port].dst,
> -			sizeof(struct ether_addr));
> +	memcpy(&ethhdr->s_addr, src, sizeof(struct ether_addr));
> +	memcpy(&ethhdr->d_addr, dst, sizeof(struct ether_addr));
>   }
>   
>   static inline void
> -prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port)
> +prepare_tx_burst(struct rte_mbuf *pkts[], uint64_t *src, uint64_t *dst,
> +		 uint16_t nb_pkts)
>   {
>   	int32_t i;
>   	const int32_t prefetch_offset = 2;
>   
>   	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
>   		rte_mbuf_prefetch_part2(pkts[i + prefetch_offset]);
> -		prepare_tx_pkt(pkts[i], port);
> +		prepare_tx_pkt(pkts[i], src, dst);
>   	}
>   	/* Process left packets */
>   	for (; i < nb_pkts; i++)
> -		prepare_tx_pkt(pkts[i], port);
> +		prepare_tx_pkt(pkts[i], src, dst);
>   }
>   
>   /* Send burst of packets on an output interface */
> @@ -341,11 +300,14 @@ send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port)
>   	struct rte_mbuf **m_table;
>   	int32_t ret;
>   	uint16_t queueid;
> +	uint64_t *src, *dst;
>   
>   	queueid = qconf->tx_queue_id[port];
>   	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
> +	src = &qconf->eth_addr[port].src;
> +	dst = &qconf->eth_addr[port].dst;
>   
> -	prepare_tx_burst(m_table, n, port);
> +	prepare_tx_burst(m_table, src, dst, n);
>   
>   	ret = rte_eth_tx_burst(port, queueid, m_table, n);
>   	if (unlikely(ret < n)) {
> @@ -706,6 +668,7 @@ main_loop(__attribute__((unused)) void *dummy)
>   
>   	qconf->rt4_ctx = socket_ctx[socket_id].rt_ip4;
>   	qconf->rt6_ctx = socket_ctx[socket_id].rt_ip6;
> +	qconf->eth_addr = socket_ctx[socket_id].eth_addr;
>   	qconf->inbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_in;
>   	qconf->inbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_in;
>   	qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_in;
> @@ -1045,14 +1008,6 @@ parse_args(int32_t argc, char **argv)
>   	return ret;
>   }
>   
> -static void
> -print_ethaddr(const char *name, const struct ether_addr *eth_addr)
> -{
> -	char buf[ETHER_ADDR_FMT_SIZE];
> -	ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
> -	printf("%s%s", name, buf);
> -}
> -
>   /* Check the link status of all ports in up to 9s, and print them finally */
>   static void
>   check_all_ports_link_status(uint8_t port_num, uint32_t port_mask)
> @@ -1339,17 +1294,11 @@ port_init(uint8_t portid)
>   	uint16_t tx_queueid, rx_queueid, queue, lcore_id;
>   	int32_t ret, socket_id;
>   	struct lcore_conf *qconf;
> -	struct ether_addr ethaddr;
>   
>   	rte_eth_dev_info_get(portid, &dev_info);
>   
>   	printf("Configuring device port %u:\n", portid);
>   
> -	rte_eth_macaddr_get(portid, &ethaddr);
> -	ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
> -	print_ethaddr("Address: ", &ethaddr);
> -	printf("\n");
> -
>   	nb_rx_queue = get_port_nb_rx_queues(portid);
>   	nb_tx_queue = nb_lcores;
>   
> @@ -1499,6 +1448,8 @@ main(int32_t argc, char **argv)
>   
>   		rt_init(&socket_ctx[socket_id], socket_id);
>   
> +		eth_init(&socket_ctx[socket_id], socket_id, enabled_port_mask);
> +
>   		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
>   	}
>   
> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> index 7d057ae..9e22b1b 100644
> --- a/examples/ipsec-secgw/ipsec.h
> +++ b/examples/ipsec-secgw/ipsec.h
> @@ -153,6 +153,10 @@ struct cdev_key {
>   	uint8_t aead_algo;
>   };
>   
> +struct eth_ctx {
> +	uint64_t src, dst;
> +};
> +
>   struct socket_ctx {
>   	struct sa_ctx *sa_in;
>   	struct sa_ctx *sa_out;
> @@ -162,6 +166,7 @@ struct socket_ctx {
>   	struct sp_ctx *sp_ip6_out;
>   	struct rt_ctx *rt_ip4;
>   	struct rt_ctx *rt_ip6;
> +	struct eth_ctx *eth_addr;
>   	struct rte_mempool *mbuf_pool;
>   	struct rte_mempool *session_pool;
>   };
> @@ -237,4 +242,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id);
>   void
>   rt_init(struct socket_ctx *ctx, int32_t socket_id);
>   
> +void
> +eth_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t mask);
> +
>   #endif /* __IPSEC_H__ */
> diff --git a/examples/ipsec-secgw/parser.c b/examples/ipsec-secgw/parser.c
> index 9d0ea46..24ca8c2 100644
> --- a/examples/ipsec-secgw/parser.c
> +++ b/examples/ipsec-secgw/parser.c
> @@ -292,6 +292,30 @@ parse_ipv6_addr(const char *token, struct in6_addr *ipv6, uint32_t *mask)
>   }
>   
>   int
> +parse_eth_addr(const char *token, struct ether_addr *addr)
> +{
> +	char addr_str[256] = {0};
> +	int i, values[6];
> +
> +	if (strlen(token) >= 256)
> +		return -EINVAL;
> +
> +	strncpy(addr_str, token, strlen(token));
> +
> +	if (6 != sscanf(addr_str, "%02X:%02X:%02X:%02X:%02X:%02X",
> +			&values[0], &values[1],
> +			&values[2], &values[3],
> +			&values[4], &values[5])) {
> +		return -EINVAL;
> +	}
> +
> +	for (i = 0; i < 6; ++i)
> +		addr->addr_bytes[i] = (uint8_t)values[i];
> +
> +	return 0;
> +}
> +
> +int
>   parse_range(const char *token, uint16_t *low, uint16_t *high)
>   {
>   	char ch;
> @@ -469,11 +493,55 @@ cmdline_parse_inst_t cfg_rt_add_rule = {
>   	},
>   };
>   
> +/* eth add parse */
> +struct cfg_eth_add_cfg_item {
> +	cmdline_fixed_string_t eth_keyword;
> +	cmdline_multi_string_t multi_string;
> +};
> +
> +static void
> +cfg_eth_add_cfg_item_parsed(void *parsed_result,
> +	__rte_unused struct cmdline *cl, void *data)
> +{
> +	struct cfg_eth_add_cfg_item *params = parsed_result;
> +	char *tokens[32];
> +	uint32_t n_tokens = RTE_DIM(tokens);
> +	struct parse_status *status = (struct parse_status *)data;
> +
> +	APP_CHECK(parse_tokenize_string(
> +		params->multi_string, tokens, &n_tokens) == 0,
> +		status, "too many arguments\n");
> +	if (status->status < 0)
> +		return;
> +
> +	parse_eth_tokens(tokens, n_tokens, status);
> +}
> +
> +static cmdline_parse_token_string_t cfg_eth_add_eth_str =
> +	TOKEN_STRING_INITIALIZER(struct cfg_eth_add_cfg_item,
> +		eth_keyword, "eth");
> +
> +static cmdline_parse_token_string_t cfg_eth_add_multi_str =
> +	TOKEN_STRING_INITIALIZER(struct cfg_eth_add_cfg_item, multi_string,
> +		TOKEN_STRING_MULTI);
> +
> +cmdline_parse_inst_t cfg_eth_add_rule = {
> +	.f = cfg_eth_add_cfg_item_parsed,
> +	.data = NULL,
> +	.help_str = "",
> +	.tokens = {
> +		(void *) &cfg_eth_add_eth_str,
> +		(void *) &cfg_eth_add_multi_str,
> +		NULL,
> +	},
> +};
> +
>   /** set of cfg items */
>   cmdline_parse_ctx_t ipsec_ctx[] = {
>   	(cmdline_parse_inst_t *)&cfg_sp_add_rule,
>   	(cmdline_parse_inst_t *)&cfg_sa_add_rule,
>   	(cmdline_parse_inst_t *)&cfg_rt_add_rule,
> +	(cmdline_parse_inst_t *)&cfg_eth_add_rule,
>   	NULL,
>   };
>   
> @@ -499,6 +567,7 @@ parse_cfg_file(const char *cfg_filename)
>   	cfg_sp_add_rule.data = &status;
>   	cfg_sa_add_rule.data = &status;
>   	cfg_rt_add_rule.data = &status;
> +	cfg_eth_add_rule.data = &status;
>   
>   	do {
>   		char oneline[1024];
> diff --git a/examples/ipsec-secgw/parser.h b/examples/ipsec-secgw/parser.h
> index d31ae01..daa7997 100644
> --- a/examples/ipsec-secgw/parser.h
> +++ b/examples/ipsec-secgw/parser.h
> @@ -85,6 +85,34 @@ do {									\
>   	index++;							\
>   } while (0)
>   
> +#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
> +	(((uint64_t)((a) & 0xff) << 56) | \
> +	((uint64_t)((b) & 0xff) << 48) | \
> +	((uint64_t)((c) & 0xff) << 40) | \
> +	((uint64_t)((d) & 0xff) << 32) | \
> +	((uint64_t)((e) & 0xff) << 24) | \
> +	((uint64_t)((f) & 0xff) << 16) | \
> +	((uint64_t)((g) & 0xff) << 8)  | \
> +	((uint64_t)(h) & 0xff))
> +#else
> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
> +	(((uint64_t)((h) & 0xff) << 56) | \
> +	((uint64_t)((g) & 0xff) << 48) | \
> +	((uint64_t)((f) & 0xff) << 40) | \
> +	((uint64_t)((e) & 0xff) << 32) | \
> +	((uint64_t)((d) & 0xff) << 24) | \
> +	((uint64_t)((c) & 0xff) << 16) | \
> +	((uint64_t)((b) & 0xff) << 8) | \
> +	((uint64_t)(a) & 0xff))
> +#endif
> +
> +#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
> +		addr.addr_bytes[0], addr.addr_bytes[1], \
> +		addr.addr_bytes[2], addr.addr_bytes[3], \
> +		addr.addr_bytes[4], addr.addr_bytes[5], \
> +		0, 0)
> +
>   int
>   parse_ipv4_addr(const char *token, struct in_addr *ipv4, uint32_t *mask);
>   
> @@ -92,6 +120,9 @@ int
>   parse_ipv6_addr(const char *token, struct in6_addr *ipv6, uint32_t *mask);
>   
>   int
> +parse_eth_addr(const char *token, struct ether_addr *addr);
> +
> +int
>   parse_range(const char *token, uint16_t *low, uint16_t *high);
>   
>   void
> @@ -110,6 +141,10 @@ void
>   parse_rt_tokens(char **tokens, uint32_t n_tokens,
>   	struct parse_status *status);
>   
> +void
> +parse_eth_tokens(char **tokens, uint32_t n_tokens,
> +	struct parse_status *status);
> +
>   int
>   parse_cfg_file(const char *cfg_filename);
>   

Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[De Lara Guarch, Pablo]

Hi Aviad,

> -----Original Message-----
> From: Aviad Yehezkel [mailto:aviadye@dev.mellanox.co.il]
> Sent: Sunday, October 15, 2017 1:54 PM
> To: dev@dpdk.org; Gonzalez Monroy, Sergio
> <sergio.gonzalez.monroy@intel.com>; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
> Doherty, Declan <declan.doherty@intel.com>; liranl@mellanox.com;
> nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: Re: [dpdk-dev][PATCH 01/11] examples/ipsec-secgw: updated
> MAINTAINERS file
> 
> 
> 
> On 10/14/2017 4:27 PM, aviadye@dev.mellanox.co.il wrote:
> > From: Aviad Yehezkel <aviadye@mellanox.com>
> >
> > As agreed with Sergio and Pablo
> >
> > Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> > ---
> >   MAINTAINERS | 1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS index c00d6d8..d814ac1
> 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -919,6 +919,7 @@ F: examples/helloworld/
> >   F: doc/guides/sample_app_ug/hello_world.rst
> >
> >   M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> > +M: Aviad Shaul Yehezkel <aviadye@mellanox.com>
> >   F: examples/ipsec-secgw/
> >   F: doc/guides/sample_app_ug/ipsec_secgw.rst
> >
> 
> Tested-by: Aviad Yehezkel <aviadye@mellanox.com>

"Tested" tag does not make sense here. Also, for patches where
you are the author, you are not expected to reply to those patches.
It is expected that, being the author, you have verified that the patch works.

So, the tags "Reviewed-by", "Acked-by" and "Tested-by" have to be used
by the rest of the community.

Thanks,
Pablo

Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[Sergio Gonzalez Monroy]

Hi Aviad,

On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> As agreed with Sergio and Pablo

I don't think the commit message is relevant.
Either me or Pablo acking the patch would have the same meaning.

Thanks,
Sergio

> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   MAINTAINERS | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index c00d6d8..d814ac1 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -919,6 +919,7 @@ F: examples/helloworld/
>   F: doc/guides/sample_app_ug/hello_world.rst
>   
>   M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> +M: Aviad Shaul Yehezkel <aviadye@mellanox.com>
>   F: examples/ipsec-secgw/
>   F: doc/guides/sample_app_ug/ipsec_secgw.rst
>   

Re: [PATCH 05/11] examples/ipsec-secgw: Fixed transport

[Sergio Gonzalez Monroy]

On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Seems like transport was broken for a long time

Commit message needs to be improved. Just mentioned what is wrong or how 
do you fix it.
Given that it is a fix, you should start the commit title with "fix ..." 
then also add the 'fixes' line with commit that added the bug.
That way you can easily see since when it was introduced.

Thanks,
Sergio

> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index 70bb81f..56ad7a0 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -306,8 +306,8 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   				sizeof(struct esp_hdr) + sa->iv_len);
>   		memmove(new_ip, ip4, ip_hdr_len);
>   		esp = (struct esp_hdr *)(new_ip + ip_hdr_len);
> +		ip4 = (struct ip *)new_ip;
>   		if (likely(ip4->ip_v == IPVERSION)) {
> -			ip4 = (struct ip *)new_ip;
>   			ip4->ip_p = IPPROTO_ESP;
>   			ip4->ip_len = htons(rte_pktmbuf_data_len(m));
>   		} else {

Re: [PATCH 06/11] examples/ipsec-secgw: Added correct padding to tunnel mode

[Sergio Gonzalez Monroy]

Could you provide the cases where the padding is wrong in tunnel mode?

Thanks,
Sergio

On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 51 ++++++++++++++++++++++++++--------------------
>   1 file changed, 29 insertions(+), 22 deletions(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index 56ad7a0..689e917 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -229,25 +229,26 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   	uint8_t *padding, *new_ip, nlp;
>   	struct rte_crypto_sym_op *sym_cop;
>   	int32_t i;
> -	uint16_t pad_payload_len, pad_len, ip_hdr_len;
> +	uint16_t pad_payload_len, pad_len = 0;
> +	uint16_t inner_ip_hdr_len = 0, ip_hdr_len = 0;
>   
>   	RTE_ASSERT(m != NULL);
>   	RTE_ASSERT(sa != NULL);
> +	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
> +		   sa->flags == TRANSPORT);
>   	RTE_ASSERT(cop != NULL);
>   
> -	ip_hdr_len = 0;
> -
>   	ip4 = rte_pktmbuf_mtod(m, struct ip *);
>   	if (likely(ip4->ip_v == IPVERSION)) {
> -		if (unlikely(sa->flags == TRANSPORT)) {
> -			ip_hdr_len = ip4->ip_hl * 4;
> +		ip_hdr_len = ip4->ip_hl * 4;
> +		if (unlikely(sa->flags == TRANSPORT))
>   			nlp = ip4->ip_p;
> -		} else
> +		else
>   			nlp = IPPROTO_IPIP;
>   	} else if (ip4->ip_v == IP6_VERSION) {
> +		/* XXX No option headers supported */
> +		ip_hdr_len = sizeof(struct ip6_hdr);
>   		if (unlikely(sa->flags == TRANSPORT)) {
> -			/* XXX No option headers supported */
> -			ip_hdr_len = sizeof(struct ip6_hdr);
>   			ip6 = (struct ip6_hdr *)ip4;
>   			nlp = ip6->ip6_nxt;
>   		} else
> @@ -259,22 +260,28 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   	}
>   
>   	/* Padded payload length */
> -	pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) -
> -			ip_hdr_len + 2, sa->block_size);
> -	pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
> -
> -	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
> -			sa->flags == TRANSPORT);
> -
> -	if (likely(sa->flags == IP4_TUNNEL))
> +	if (unlikely(sa->flags == TRANSPORT)) {
> +		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
> +						 sizeof(nlp) + 1 - ip_hdr_len,
> +						 sa->block_size);
> +		pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
> +	} else {
> +		inner_ip_hdr_len = ip_hdr_len;
>   		ip_hdr_len = sizeof(struct ip);
> -	else if (sa->flags == IP6_TUNNEL)
> -		ip_hdr_len = sizeof(struct ip6_hdr);
> -	else if (sa->flags != TRANSPORT) {
> -		RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
> -				sa->flags);
> -		return -EINVAL;
> +		if (sa->flags == IP6_TUNNEL)
> +			ip_hdr_len = sizeof(struct ip6_hdr);
> +
> +		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
> +						 sizeof(nlp) + 1,
> +						 sa->block_size);
> +		pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m);
>   	}
> +	RTE_LOG(DEBUG, IPSEC_ESP, "rte_pktmbuf_pkt_len=%u "
> +		"inner_ip_hdr_len=%u ip_hdr_len=%u "
> +		"pad_payload_len=%u pad_len=%u\n",
> +		rte_pktmbuf_pkt_len(m),
> +		inner_ip_hdr_len, ip_hdr_len,
> +		pad_payload_len, pad_len);
>   
>   	/* Check maximum packet size */
>   	if (unlikely(ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len +

Re: [PATCH 07/11] examples/ipsec-secgw: Fixed phyiscal address of aad

[Sergio Gonzalez Monroy]

On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index 689e917..aa2233d 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -355,8 +355,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   		aad = get_aad(m);
>   		memcpy(aad, esp, 8);
>   		sym_cop->aead.aad.data = aad;
> -		sym_cop->aead.aad.phys_addr = rte_pktmbuf_mtophys_offset(m,
> -				aad - rte_pktmbuf_mtod(m, uint8_t *));
> +		sym_cop->aead.aad.phys_addr = rte_mem_virt2phy(aad);
>   

That function is very expensive and should not be used in data path.
You should use the phys_addr in the crypto_op to calculate proper value.

Thanks,
Sergio

>   		sym_cop->aead.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
>   			rte_pktmbuf_pkt_len(m) - sa->digest_len);

Re: [PATCH 08/11] examples/ipsec-secgw: iv should be be64

[Sergio Gonzalez Monroy]

On 14/10/2017 14:28, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> To be compatibile with Linux kernel

I am not sure what you are trying to achieve with this change.
The requirement is that the IV is unique, IMO changing the endianess is 
irrelevant here.
Can you provide case/example where current code does not work?

Thanks,
Sergio

> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index aa2233d..81ebf55 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -336,7 +336,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
>   		uint8_t *aad;
>   
> -		*iv = sa->seq;
> +		*iv = rte_cpu_to_be_64(sa->seq);
>   		sym_cop->aead.data.offset = ip_hdr_len +
>   			sizeof(struct esp_hdr) + sa->iv_len;
>   		sym_cop->aead.data.length = pad_payload_len;
> @@ -349,7 +349,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   
>   		struct cnt_blk *icb = get_cnt_blk(m);
>   		icb->salt = sa->salt;
> -		icb->iv = sa->seq;
> +		icb->iv = rte_cpu_to_be_64(sa->seq);
>   		icb->cnt = rte_cpu_to_be_32(1);
>   
>   		aad = get_aad(m);
> @@ -371,7 +371,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   			sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
>   			break;
>   		case RTE_CRYPTO_CIPHER_AES_CTR:
> -			*iv = sa->seq;
> +			*iv = rte_cpu_to_be_64(sa->seq);
>   			sym_cop->cipher.data.offset = ip_hdr_len +
>   				sizeof(struct esp_hdr) + sa->iv_len;
>   			sym_cop->cipher.data.length = pad_payload_len;
> @@ -390,7 +390,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   
>   		struct cnt_blk *icb = get_cnt_blk(m);
>   		icb->salt = sa->salt;
> -		icb->iv = sa->seq;
> +		icb->iv = rte_cpu_to_be_64(sa->seq);
>   		icb->cnt = rte_cpu_to_be_32(1);
>   
>   		switch (sa->auth_algo) {

Re: [PATCH 09/11] examples/ipsec-secgw: Fixed ip length in case of transport

[Sergio Gonzalez Monroy]

On 14/10/2017 14:28, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> IP length was incorrect causing corrupted ICMP packets for example
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>   examples/ipsec-secgw/esp.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index 81ebf55..12c6f8c 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -205,13 +205,13 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
>   		if (likely(ip->ip_v == IPVERSION)) {
>   			memmove(ip4, ip, ip->ip_hl * 4);
>   			ip4->ip_p = *nexthdr;
> -			ip4->ip_len = htons(rte_pktmbuf_data_len(m));
> +			ip4->ip_len = htons(rte_pktmbuf_pkt_len(m));
>   		} else {
>   			ip6 = (struct ip6_hdr *)ip4;
>   			/* XXX No option headers supported */
>   			memmove(ip6, ip, sizeof(struct ip6_hdr));
>   			ip6->ip6_nxt = *nexthdr;
> -			ip6->ip6_plen = htons(rte_pktmbuf_data_len(m));
> +			ip6->ip6_plen = htons(rte_pktmbuf_pkt_len(m));
>   		}
>   	} else
>   		ipip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);

AFAIK the app does not support multi-segments (chain mbufs), so data_len 
should be the same as pkt_len.
Is that not the case?

Thanks,
Sergio

Re: [PATCH 10/11] app/testpmd: compile even if ixgbe anf bnxt pmds are not compiling

[Sergio Gonzalez Monroy]

On 14/10/2017 14:28, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> Signed-off-by: Nicolai Radu <radu.nicolai@intel.com>
> ---
>   app/test-pmd/cmdline.c | 13 ++++++++++---
>   app/test-pmd/config.c  | 12 +++++++++++-
>   2 files changed, 21 insertions(+), 4 deletions(-)

This patch is modifying a different app, should be on its own.

Thanks,
Sergio

> diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c
> index bb19d72..e4a636e 100644
> --- a/app/test-pmd/cmdline.c
> +++ b/app/test-pmd/cmdline.c
> @@ -7377,11 +7377,17 @@ struct cmd_set_vf_rxmode {
>   };
>   
>   static void
> -cmd_set_vf_rxmode_parsed(void *parsed_result,
> -		       __attribute__((unused)) struct cmdline *cl,
> -		       __attribute__((unused)) void *data)
> +cmd_set_vf_rxmode_parsed(
> +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
> +		void *parsed_result,
> +#else
> +		__attribute__((unused)) void *parsed_result,
> +#endif
> +		__attribute__((unused)) struct cmdline *cl,
> +		__attribute__((unused)) void *data)
>   {
>   	int ret = -ENOTSUP;
> +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
>   	uint16_t rx_mode = 0;
>   	struct cmd_set_vf_rxmode *res = parsed_result;
>   
> @@ -7396,6 +7402,7 @@ cmd_set_vf_rxmode_parsed(void *parsed_result,
>   		else if (!strncmp(res->mode, "MPE",3))
>   			rx_mode |= ETH_VMDQ_ACCEPT_MULTICAST;
>   	}
> +#endif
>   
>   #ifdef RTE_LIBRTE_IXGBE_PMD
>   	if (ret == -ENOTSUP)
> diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
> index bafe76c..d38ba82 100644
> --- a/app/test-pmd/config.c
> +++ b/app/test-pmd/config.c
> @@ -3181,7 +3181,17 @@ set_queue_rate_limit(portid_t port_id, uint16_t queue_idx, uint16_t rate)
>   }
>   
>   int
> -set_vf_rate_limit(portid_t port_id, uint16_t vf, uint16_t rate, uint64_t q_msk)
> +set_vf_rate_limit(
> +		portid_t port_id,
> +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
> +		uint16_t vf,
> +		uint16_t rate,
> +		uint64_t q_msk)
> +#else
> +		__attribute__((unused)) uint16_t vf,
> +		__attribute__((unused)) uint16_t rate,
> +		__attribute__((unused)) uint64_t q_msk)
> +#endif
>   {
>   	int diag = -ENOTSUP;
>   

Re: [PATCH 08/11] examples/ipsec-secgw: iv should be be64

[Aviad Yehezkel]

On 10/16/2017 12:42 PM, Sergio Gonzalez Monroy wrote:
> On 14/10/2017 14:28, aviadye@dev.mellanox.co.il wrote:
>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>
>> To be compatibile with Linux kernel
>
> I am not sure what you are trying to achieve with this change.
> The requirement is that the IV is unique, IMO changing the endianess 
> is irrelevant here.
> Can you provide case/example where current code does not work?
>
> Thanks,
> Sergio
You are right, according to rfc4106 the IV should be unique and can be
implemented as counter.
The changed was created because I put analyzer on wire and compare
packets generated by this application and Linux kernel.
Linux kernel sets IV as BE, so I thought it is worth to do the same for
future debug / comparison.

Thanks,
Aviad.

>
>> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
>> ---
>>   examples/ipsec-secgw/esp.c | 8 ++++----
>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
>> index aa2233d..81ebf55 100644
>> --- a/examples/ipsec-secgw/esp.c
>> +++ b/examples/ipsec-secgw/esp.c
>> @@ -336,7 +336,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>> *sa,
>>       if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
>>           uint8_t *aad;
>>   -        *iv = sa->seq;
>> +        *iv = rte_cpu_to_be_64(sa->seq);
>>           sym_cop->aead.data.offset = ip_hdr_len +
>>               sizeof(struct esp_hdr) + sa->iv_len;
>>           sym_cop->aead.data.length = pad_payload_len;
>> @@ -349,7 +349,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>> *sa,
>>             struct cnt_blk *icb = get_cnt_blk(m);
>>           icb->salt = sa->salt;
>> -        icb->iv = sa->seq;
>> +        icb->iv = rte_cpu_to_be_64(sa->seq);
>>           icb->cnt = rte_cpu_to_be_32(1);
>>             aad = get_aad(m);
>> @@ -371,7 +371,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>> *sa,
>>               sym_cop->cipher.data.length = pad_payload_len + 
>> sa->iv_len;
>>               break;
>>           case RTE_CRYPTO_CIPHER_AES_CTR:
>> -            *iv = sa->seq;
>> +            *iv = rte_cpu_to_be_64(sa->seq);
>>               sym_cop->cipher.data.offset = ip_hdr_len +
>>                   sizeof(struct esp_hdr) + sa->iv_len;
>>               sym_cop->cipher.data.length = pad_payload_len;
>> @@ -390,7 +390,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>> *sa,
>>             struct cnt_blk *icb = get_cnt_blk(m);
>>           icb->salt = sa->salt;
>> -        icb->iv = sa->seq;
>> +        icb->iv = rte_cpu_to_be_64(sa->seq);
>>           icb->cnt = rte_cpu_to_be_32(1);
>>             switch (sa->auth_algo) {
>
>

Re: [PATCH 10/11] app/testpmd: compile even if ixgbe anf bnxt pmds are not compiling

[Aviad Yehezkel]

On 10/16/2017 12:44 PM, Sergio Gonzalez Monroy wrote:
> On 14/10/2017 14:28, aviadye@dev.mellanox.co.il wrote:
>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>
>> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
>> Signed-off-by: Nicolai Radu <radu.nicolai@intel.com>
>> ---
>>   app/test-pmd/cmdline.c | 13 ++++++++++---
>>   app/test-pmd/config.c  | 12 +++++++++++-
>>   2 files changed, 21 insertions(+), 4 deletions(-)
>
> This patch is modifying a different app, should be on its own.
>
> Thanks,
> Sergio
Agreed. Will send as different patch in next version with fixes.

Thanks,
Aviad.


>> diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c
>> index bb19d72..e4a636e 100644
>> --- a/app/test-pmd/cmdline.c
>> +++ b/app/test-pmd/cmdline.c
>> @@ -7377,11 +7377,17 @@ struct cmd_set_vf_rxmode {
>>   };
>>     static void
>> -cmd_set_vf_rxmode_parsed(void *parsed_result,
>> -               __attribute__((unused)) struct cmdline *cl,
>> -               __attribute__((unused)) void *data)
>> +cmd_set_vf_rxmode_parsed(
>> +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
>> +        void *parsed_result,
>> +#else
>> +        __attribute__((unused)) void *parsed_result,
>> +#endif
>> +        __attribute__((unused)) struct cmdline *cl,
>> +        __attribute__((unused)) void *data)
>>   {
>>       int ret = -ENOTSUP;
>> +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
>>       uint16_t rx_mode = 0;
>>       struct cmd_set_vf_rxmode *res = parsed_result;
>>   @@ -7396,6 +7402,7 @@ cmd_set_vf_rxmode_parsed(void *parsed_result,
>>           else if (!strncmp(res->mode, "MPE",3))
>>               rx_mode |= ETH_VMDQ_ACCEPT_MULTICAST;
>>       }
>> +#endif
>>     #ifdef RTE_LIBRTE_IXGBE_PMD
>>       if (ret == -ENOTSUP)
>> diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
>> index bafe76c..d38ba82 100644
>> --- a/app/test-pmd/config.c
>> +++ b/app/test-pmd/config.c
>> @@ -3181,7 +3181,17 @@ set_queue_rate_limit(portid_t port_id, 
>> uint16_t queue_idx, uint16_t rate)
>>   }
>>     int
>> -set_vf_rate_limit(portid_t port_id, uint16_t vf, uint16_t rate, 
>> uint64_t q_msk)
>> +set_vf_rate_limit(
>> +        portid_t port_id,
>> +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD)
>> +        uint16_t vf,
>> +        uint16_t rate,
>> +        uint64_t q_msk)
>> +#else
>> +        __attribute__((unused)) uint16_t vf,
>> +        __attribute__((unused)) uint16_t rate,
>> +        __attribute__((unused)) uint64_t q_msk)
>> +#endif
>>   {
>>       int diag = -ENOTSUP;
>
>

Re: [PATCH 05/11] examples/ipsec-secgw: Fixed transport

[Aviad Yehezkel]

On 10/16/2017 12:30 PM, Sergio Gonzalez Monroy wrote:
> On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>
>> Seems like transport was broken for a long time
>
> Commit message needs to be improved. Just mentioned what is wrong or 
> how do you fix it.
> Given that it is a fix, you should start the commit title with "fix 
> ..." then also add the 'fixes' line with commit that added the bug.
> That way you can easily see since when it was introduced.
>
> Thanks,
> Sergio
Will create such commit messages for future fixes as you instructed above.
I will remove this patch from next version of fixes since there is a 
similar fix
already provided by Tomasz Duszynski which I will review.

Thanks,
Aviad.


>> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
>> ---
>>   examples/ipsec-secgw/esp.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
>> index 70bb81f..56ad7a0 100644
>> --- a/examples/ipsec-secgw/esp.c
>> +++ b/examples/ipsec-secgw/esp.c
>> @@ -306,8 +306,8 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>> *sa,
>>                   sizeof(struct esp_hdr) + sa->iv_len);
>>           memmove(new_ip, ip4, ip_hdr_len);
>>           esp = (struct esp_hdr *)(new_ip + ip_hdr_len);
>> +        ip4 = (struct ip *)new_ip;
>>           if (likely(ip4->ip_v == IPVERSION)) {
>> -            ip4 = (struct ip *)new_ip;
>>               ip4->ip_p = IPPROTO_ESP;
>>               ip4->ip_len = htons(rte_pktmbuf_data_len(m));
>>           } else {
>
>

Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[Aviad Yehezkel]

On 10/16/2017 12:27 PM, Sergio Gonzalez Monroy wrote:
> Hi Aviad,
>
> On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>
>> As agreed with Sergio and Pablo
>
> I don't think the commit message is relevant.
> Either me or Pablo acking the patch would have the same meaning.
>
> Thanks,
> Sergio

Will fix.

Thanks,
Aviad.

>> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
>> ---
>>   MAINTAINERS | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index c00d6d8..d814ac1 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -919,6 +919,7 @@ F: examples/helloworld/
>>   F: doc/guides/sample_app_ug/hello_world.rst
>>     M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
>> +M: Aviad Shaul Yehezkel <aviadye@mellanox.com>
>>   F: examples/ipsec-secgw/
>>   F: doc/guides/sample_app_ug/ipsec_secgw.rst
>
>

Re: [PATCH 09/11] examples/ipsec-secgw: Fixed ip length in case of transport

[Aviad Yehezkel]

On 10/16/2017 12:43 PM, Sergio Gonzalez Monroy wrote:
> On 14/10/2017 14:28, aviadye@dev.mellanox.co.il wrote:
>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>
>> IP length was incorrect causing corrupted ICMP packets for example
>>
>> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
>> ---
>>   examples/ipsec-secgw/esp.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
>> index 81ebf55..12c6f8c 100644
>> --- a/examples/ipsec-secgw/esp.c
>> +++ b/examples/ipsec-secgw/esp.c
>> @@ -205,13 +205,13 @@ esp_inbound_post(struct rte_mbuf *m, struct 
>> ipsec_sa *sa,
>>           if (likely(ip->ip_v == IPVERSION)) {
>>               memmove(ip4, ip, ip->ip_hl * 4);
>>               ip4->ip_p = *nexthdr;
>> -            ip4->ip_len = htons(rte_pktmbuf_data_len(m));
>> +            ip4->ip_len = htons(rte_pktmbuf_pkt_len(m));
>>           } else {
>>               ip6 = (struct ip6_hdr *)ip4;
>>               /* XXX No option headers supported */
>>               memmove(ip6, ip, sizeof(struct ip6_hdr));
>>               ip6->ip6_nxt = *nexthdr;
>> -            ip6->ip6_plen = htons(rte_pktmbuf_data_len(m));
>> +            ip6->ip6_plen = htons(rte_pktmbuf_pkt_len(m));
>>           }
>>       } else
>>           ipip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);
>
> AFAIK the app does not support multi-segments (chain mbufs), so 
> data_len should be the same as pkt_len.
> Is that not the case?
>
This is the inbound function (RX side), so mbufs are allocated by PMD.
PMD is allocating mbuf with additional 14 bytes for ETH header but trim 
it before passing the mbuf.
As a result seg len is 14 bytes smaller than data len.

Thanks,
Aviad

> Thanks,
> Sergio

Re: [PATCH 08/11] examples/ipsec-secgw: iv should be be64

[Sergio Gonzalez Monroy]

On 16/10/2017 11:35, Aviad Yehezkel wrote:
>
> On 10/16/2017 12:42 PM, Sergio Gonzalez Monroy wrote:
>> On 14/10/2017 14:28, aviadye@dev.mellanox.co.il wrote:
>>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>>
>>> To be compatibile with Linux kernel
>>
>> I am not sure what you are trying to achieve with this change.
>> The requirement is that the IV is unique, IMO changing the endianess 
>> is irrelevant here.
>> Can you provide case/example where current code does not work?
>>
>> Thanks,
>> Sergio
> You are right, according to rfc4106 the IV should be unique and can be
> implemented as counter.
> The changed was created because I put analyzer on wire and compare
> packets generated by this application and Linux kernel.
> Linux kernel sets IV as BE, so I thought it is worth to do the same for
> future debug / comparison.
>

I guess the performance impact is small (for LE platforms), so it would 
be good to add this (or similar) information to the commit message.

Thanks,
Sergio

> Thanks,
> Aviad.
>
>>
>>> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
>>> ---
>>>   examples/ipsec-secgw/esp.c | 8 ++++----
>>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
>>> index aa2233d..81ebf55 100644
>>> --- a/examples/ipsec-secgw/esp.c
>>> +++ b/examples/ipsec-secgw/esp.c
>>> @@ -336,7 +336,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>>> *sa,
>>>       if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
>>>           uint8_t *aad;
>>>   -        *iv = sa->seq;
>>> +        *iv = rte_cpu_to_be_64(sa->seq);
>>>           sym_cop->aead.data.offset = ip_hdr_len +
>>>               sizeof(struct esp_hdr) + sa->iv_len;
>>>           sym_cop->aead.data.length = pad_payload_len;
>>> @@ -349,7 +349,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>>> *sa,
>>>             struct cnt_blk *icb = get_cnt_blk(m);
>>>           icb->salt = sa->salt;
>>> -        icb->iv = sa->seq;
>>> +        icb->iv = rte_cpu_to_be_64(sa->seq);
>>>           icb->cnt = rte_cpu_to_be_32(1);
>>>             aad = get_aad(m);
>>> @@ -371,7 +371,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>>> *sa,
>>>               sym_cop->cipher.data.length = pad_payload_len + 
>>> sa->iv_len;
>>>               break;
>>>           case RTE_CRYPTO_CIPHER_AES_CTR:
>>> -            *iv = sa->seq;
>>> +            *iv = rte_cpu_to_be_64(sa->seq);
>>>               sym_cop->cipher.data.offset = ip_hdr_len +
>>>                   sizeof(struct esp_hdr) + sa->iv_len;
>>>               sym_cop->cipher.data.length = pad_payload_len;
>>> @@ -390,7 +390,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>>> *sa,
>>>             struct cnt_blk *icb = get_cnt_blk(m);
>>>           icb->salt = sa->salt;
>>> -        icb->iv = sa->seq;
>>> +        icb->iv = rte_cpu_to_be_64(sa->seq);
>>>           icb->cnt = rte_cpu_to_be_32(1);
>>>             switch (sa->auth_algo) {
>>
>>
>

Re: [PATCH 09/11] examples/ipsec-secgw: Fixed ip length in case of transport

[Sergio Gonzalez Monroy]

On 16/10/2017 12:44, Aviad Yehezkel wrote:
> On 10/16/2017 12:43 PM, Sergio Gonzalez Monroy wrote:
>> On 14/10/2017 14:28, aviadye@dev.mellanox.co.il wrote:
>>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>>
>>> IP length was incorrect causing corrupted ICMP packets for example
>>>
>>> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
>>> ---
>>>   examples/ipsec-secgw/esp.c | 4 ++--
>>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
>>> index 81ebf55..12c6f8c 100644
>>> --- a/examples/ipsec-secgw/esp.c
>>> +++ b/examples/ipsec-secgw/esp.c
>>> @@ -205,13 +205,13 @@ esp_inbound_post(struct rte_mbuf *m, struct 
>>> ipsec_sa *sa,
>>>           if (likely(ip->ip_v == IPVERSION)) {
>>>               memmove(ip4, ip, ip->ip_hl * 4);
>>>               ip4->ip_p = *nexthdr;
>>> -            ip4->ip_len = htons(rte_pktmbuf_data_len(m));
>>> +            ip4->ip_len = htons(rte_pktmbuf_pkt_len(m));
>>>           } else {
>>>               ip6 = (struct ip6_hdr *)ip4;
>>>               /* XXX No option headers supported */
>>>               memmove(ip6, ip, sizeof(struct ip6_hdr));
>>>               ip6->ip6_nxt = *nexthdr;
>>> -            ip6->ip6_plen = htons(rte_pktmbuf_data_len(m));
>>> +            ip6->ip6_plen = htons(rte_pktmbuf_pkt_len(m));
>>>           }
>>>       } else
>>>           ipip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);
>>
>> AFAIK the app does not support multi-segments (chain mbufs), so 
>> data_len should be the same as pkt_len.
>> Is that not the case?
>>
> This is the inbound function (RX side), so mbufs are allocated by PMD.
> PMD is allocating mbuf with additional 14 bytes for ETH header but 
> trim it before passing the mbuf.
> As a result seg len is 14 bytes smaller than data len.
>

Sorry, I am still missing something here.
rte_pktmbuf_trim updates both data_len and pkt_len, so how can they not 
be the same when we have a single mbuf?

I think to remember using data_len instead of pkt_len so it is easy to 
see that the application does not support multi-segments (aka. chained 
mbufs)

Thanks,
Sergio

> Thanks,
> Aviad
>
>> Thanks,
>> Sergio
>

Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[De Lara Guarch, Pablo]

Hi Aviad,

> -----Original Message-----
> From: Aviad Yehezkel [mailto:aviadye@dev.mellanox.co.il]
> Sent: Monday, October 16, 2017 11:44 AM
> To: Gonzalez Monroy, Sergio <sergio.gonzalez.monroy@intel.com>;
> dev@dpdk.org; De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
> Doherty, Declan <declan.doherty@intel.com>; liranl@mellanox.com;
> nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: Re: [dpdk-dev][PATCH 01/11] examples/ipsec-secgw: updated
> MAINTAINERS file
> 
> 
> 
> On 10/16/2017 12:27 PM, Sergio Gonzalez Monroy wrote:
> > Hi Aviad,
> >
> > On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
> >> From: Aviad Yehezkel <aviadye@mellanox.com>
> >>
> >> As agreed with Sergio and Pablo
> >
> > I don't think the commit message is relevant.
> > Either me or Pablo acking the patch would have the same meaning.
> >
> > Thanks,
> > Sergio
> 
> Will fix.

Actually, it is too early for you to take ownership on this app,
as you have recently started contributing to DPDK, so I have to NACK this patch.
Sorry for the confusion.

Said that, anyone from the rest of the developers of rte_security (with past contributions)
that would like to volunteer to maintain this app?

Thanks,
Pablo

> 
> Thanks,
> Aviad.

Re: [PATCH 02/11] examples/ipsec-secgw: Fixed init of aead crypto devices

[De Lara Guarch, Pablo]

Hi Aviad,

> -----Original Message-----
> From: Aviad Yehezkel [mailto:aviadye@dev.mellanox.co.il]
> Sent: Sunday, October 15, 2017 1:54 PM
> To: dev@dpdk.org; Gonzalez Monroy, Sergio
> <sergio.gonzalez.monroy@intel.com>; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
> Doherty, Declan <declan.doherty@intel.com>; liranl@mellanox.com;
> nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: Re: [dpdk-dev][PATCH 02/11] examples/ipsec-secgw: Fixed init of
> aead crypto devices
> 

Commit titles should start with infinitive and not with lowercase.
e.g. examples/ipsec-secgw: fix init of aead crypto devices

Also, since this is a fix, you should include a Fixes line with the commit id
where the issues was introduced, and CC stable, if the issue was not introduced 
in the current release.

Take a look at the following document, that explains in detail the contribution guidelines:
http://dpdk.org/doc/guides/contributing/patches.html

Also, I have a comment below.

Thanks,
Pablo


> 
> 
> On 10/14/2017 4:27 PM, aviadye@dev.mellanox.co.il wrote:
> > From: Aviad Yehezkel <aviadye@mellanox.com>
> >
> > This was broken since new aead xfrom was introduced
> >
> > Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>

...

> >   	if (ret != -ENOENT)
> > @@ -1192,19 +1195,25 @@ add_cdev_mapping(struct
> rte_cryptodev_info *dev_info, uint16_t cdev_id,
> >   		if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
> >   			continue;
> >


I think it is simpler to leave the code as it is, and add:

+		if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+			ret |= add_mapping(map, str, cdev_id, qp, params,
+					ipsec_ctx, NULL, NULL, i);
+			continue;
+		}

And just add NULL in the existing add_mapping() function, without modifying the for loop.
The other changes were OK to me.

> > -		if (i->sym.xform_type !=
> RTE_CRYPTO_SYM_XFORM_CIPHER)
> > +		if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_AEAD)
> {
> > +			ret |= add_mapping(map, str, cdev_id, qp, params,
> > +					ipsec_ctx, NULL, NULL, i);
> >   			continue;
> > +		}

Re: [PATCH 03/11] examples/ipsec-secgw: Fixed create session also for aead

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: aviadye@dev.mellanox.co.il [mailto:aviadye@dev.mellanox.co.il]
> Sent: Saturday, October 14, 2017 2:28 PM
> To: dev@dpdk.org; Gonzalez Monroy, Sergio
> <sergio.gonzalez.monroy@intel.com>; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
> Doherty, Declan <declan.doherty@intel.com>; aviadye@dev.mellanox.co.il;
> liranl@mellanox.com; nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: [dpdk-dev][PATCH 03/11] examples/ipsec-secgw: Fixed create
> session also for aead
> 
> From: Aviad Yehezkel <aviadye@mellanox.com>
> 
> Search for session also with aead key
> 
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com

...

 %u, cipher_algo
> %u, "
> -				"auth_algo %u\n", key.lcore_id,
> key.cipher_algo,
> -				key.auth_algo);
> +			"auth_algo %u aead_algo %u\n",

You are missing a comma between auth_algo and aead_algo.

Pablo

Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[Hemant Agrawal]

On 10/16/2017 7:09 PM, De Lara Guarch, Pablo wrote:
> Hi Aviad,
>
>> -----Original Message-----
>> From: Aviad Yehezkel [mailto:aviadye@dev.mellanox.co.il]
>> Sent: Monday, October 16, 2017 11:44 AM
>> To: Gonzalez Monroy, Sergio <sergio.gonzalez.monroy@intel.com>;
>> dev@dpdk.org; De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
>> aviadye@mellanox.com
>> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
>> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
>> Doherty, Declan <declan.doherty@intel.com>; liranl@mellanox.com;
>> nelio.laranjeiro@6wind.com; thomas@monjalon.net
>> Subject: Re: [dpdk-dev][PATCH 01/11] examples/ipsec-secgw: updated
>> MAINTAINERS file
>>
>>
>>
>> On 10/16/2017 12:27 PM, Sergio Gonzalez Monroy wrote:
>>> Hi Aviad,
>>>
>>> On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
>>>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>>>
>>>> As agreed with Sergio and Pablo
>>>
>>> I don't think the commit message is relevant.
>>> Either me or Pablo acking the patch would have the same meaning.
>>>
>>> Thanks,
>>> Sergio
>>
>> Will fix.
>
> Actually, it is too early for you to take ownership on this app,
> as you have recently started contributing to DPDK, so I have to NACK this patch.
> Sorry for the confusion.
>
> Said that, anyone from the rest of the developers of rte_security (with past contributions)
> that would like to volunteer to maintain this app?
>

I want to ask Akhil, if he agrees to commit time to do this work?

Regards,
Hemant

> Thanks,
> Pablo
>
>>
>> Thanks,
>> Aviad.
>

Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: Hemant Agrawal [mailto:hemant.agrawal@nxp.com]
> Sent: Tuesday, October 17, 2017 1:37 PM
> To: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>; Aviad
> Yehezkel <aviadye@dev.mellanox.co.il>; Gonzalez Monroy, Sergio
> <sergio.gonzalez.monroy@intel.com>; dev@dpdk.org;
> aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com; Nicolau, Radu
> <radu.nicolau@intel.com>; Doherty, Declan <declan.doherty@intel.com>;
> liranl@mellanox.com; nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS
> file
> 
> On 10/16/2017 7:09 PM, De Lara Guarch, Pablo wrote:
> > Hi Aviad,
> >
> >> -----Original Message-----
> >> From: Aviad Yehezkel [mailto:aviadye@dev.mellanox.co.il]
> >> Sent: Monday, October 16, 2017 11:44 AM
> >> To: Gonzalez Monroy, Sergio <sergio.gonzalez.monroy@intel.com>;
> >> dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>;
> >> aviadye@mellanox.com
> >> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com;
> >> Nicolau, Radu <radu.nicolau@intel.com>; Doherty, Declan
> >> <declan.doherty@intel.com>; liranl@mellanox.com;
> >> nelio.laranjeiro@6wind.com; thomas@monjalon.net
> >> Subject: Re: [dpdk-dev][PATCH 01/11] examples/ipsec-secgw: updated
> >> MAINTAINERS file
> >>
> >>
> >>
> >> On 10/16/2017 12:27 PM, Sergio Gonzalez Monroy wrote:
> >>> Hi Aviad,
> >>>
> >>> On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
> >>>> From: Aviad Yehezkel <aviadye@mellanox.com>
> >>>>
> >>>> As agreed with Sergio and Pablo
> >>>
> >>> I don't think the commit message is relevant.
> >>> Either me or Pablo acking the patch would have the same meaning.
> >>>
> >>> Thanks,
> >>> Sergio
> >>
> >> Will fix.
> >
> > Actually, it is too early for you to take ownership on this app, as
> > you have recently started contributing to DPDK, so I have to NACK this
> patch.
> > Sorry for the confusion.
> >
> > Said that, anyone from the rest of the developers of rte_security
> > (with past contributions) that would like to volunteer to maintain this
> app?
> >
> 
> I want to ask Akhil, if he agrees to commit time to do this work?

I would support that decision :)

Thanks,
Pablo

> 
> Regards,
> Hemant
> 
> > Thanks,
> > Pablo
> >
> >>
> >> Thanks,
> >> Aviad.
> >

Re: [PATCH 05/11] examples/ipsec-secgw: Fixed transport

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: Aviad Yehezkel [mailto:aviadye@dev.mellanox.co.il]
> Sent: Monday, October 16, 2017 11:42 AM
> To: Gonzalez Monroy, Sergio <sergio.gonzalez.monroy@intel.com>;
> dev@dpdk.org; De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
> Doherty, Declan <declan.doherty@intel.com>; liranl@mellanox.com;
> nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: Re: [dpdk-dev][PATCH 05/11] examples/ipsec-secgw: Fixed
> transport
> 
> 
> On 10/16/2017 12:30 PM, Sergio Gonzalez Monroy wrote:
> > On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
> >> From: Aviad Yehezkel <aviadye@mellanox.com>
> >>
> >> Seems like transport was broken for a long time
> >
> > Commit message needs to be improved. Just mentioned what is wrong or
> > how do you fix it.
> > Given that it is a fix, you should start the commit title with "fix
> > ..." then also add the 'fixes' line with commit that added the bug.
> > That way you can easily see since when it was introduced.
> >
> > Thanks,
> > Sergio
> Will create such commit messages for future fixes as you instructed above.
> I will remove this patch from next version of fixes since there is a similar fix
> already provided by Tomasz Duszynski which I will review.
> 
> Thanks,
> Aviad.

Hi Aviad,

Will you send a v2 of this patchset soon?

Thanks,
Pablo

Re: [PATCH 05/11] examples/ipsec-secgw: Fixed transport

[Aviad Yehezkel]

Yes, just finished my testing.

Will send v2 in a moment and Akhil will send v5 rebased above them for 
rte_security.


Thanks!

On 10/19/2017 9:16 PM, De Lara Guarch, Pablo wrote:
>
>> -----Original Message-----
>> From: Aviad Yehezkel [mailto:aviadye@dev.mellanox.co.il]
>> Sent: Monday, October 16, 2017 11:42 AM
>> To: Gonzalez Monroy, Sergio <sergio.gonzalez.monroy@intel.com>;
>> dev@dpdk.org; De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
>> aviadye@mellanox.com
>> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
>> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
>> Doherty, Declan <declan.doherty@intel.com>; liranl@mellanox.com;
>> nelio.laranjeiro@6wind.com; thomas@monjalon.net
>> Subject: Re: [dpdk-dev][PATCH 05/11] examples/ipsec-secgw: Fixed
>> transport
>>
>>
>> On 10/16/2017 12:30 PM, Sergio Gonzalez Monroy wrote:
>>> On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
>>>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>>>
>>>> Seems like transport was broken for a long time
>>> Commit message needs to be improved. Just mentioned what is wrong or
>>> how do you fix it.
>>> Given that it is a fix, you should start the commit title with "fix
>>> ..." then also add the 'fixes' line with commit that added the bug.
>>> That way you can easily see since when it was introduced.
>>>
>>> Thanks,
>>> Sergio
>> Will create such commit messages for future fixes as you instructed above.
>> I will remove this patch from next version of fixes since there is a similar fix
>> already provided by Tomasz Duszynski which I will review.
>>
>> Thanks,
>> Aviad.
> Hi Aviad,
>
> Will you send a v2 of this patchset soon?
>
> Thanks,
> Pablo

Re: [PATCH 09/11] examples/ipsec-secgw: Fixed ip length in case of transport

[Aviad Yehezkel]

Solved that issue, this was an issue with mlx5 PMD with the new inline 
ipsec code.

The PMD wasn't updating mbuf->data_len correctly.


Thanks!


On 10/16/2017 3:03 PM, Sergio Gonzalez Monroy wrote:
> On 16/10/2017 12:44, Aviad Yehezkel wrote:
>> On 10/16/2017 12:43 PM, Sergio Gonzalez Monroy wrote:
>>> On 14/10/2017 14:28, aviadye@dev.mellanox.co.il wrote:
>>>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>>>
>>>> IP length was incorrect causing corrupted ICMP packets for example
>>>>
>>>> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
>>>> ---
>>>>   examples/ipsec-secgw/esp.c | 4 ++--
>>>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
>>>> index 81ebf55..12c6f8c 100644
>>>> --- a/examples/ipsec-secgw/esp.c
>>>> +++ b/examples/ipsec-secgw/esp.c
>>>> @@ -205,13 +205,13 @@ esp_inbound_post(struct rte_mbuf *m, struct 
>>>> ipsec_sa *sa,
>>>>           if (likely(ip->ip_v == IPVERSION)) {
>>>>               memmove(ip4, ip, ip->ip_hl * 4);
>>>>               ip4->ip_p = *nexthdr;
>>>> -            ip4->ip_len = htons(rte_pktmbuf_data_len(m));
>>>> +            ip4->ip_len = htons(rte_pktmbuf_pkt_len(m));
>>>>           } else {
>>>>               ip6 = (struct ip6_hdr *)ip4;
>>>>               /* XXX No option headers supported */
>>>>               memmove(ip6, ip, sizeof(struct ip6_hdr));
>>>>               ip6->ip6_nxt = *nexthdr;
>>>> -            ip6->ip6_plen = htons(rte_pktmbuf_data_len(m));
>>>> +            ip6->ip6_plen = htons(rte_pktmbuf_pkt_len(m));
>>>>           }
>>>>       } else
>>>>           ipip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);
>>>
>>> AFAIK the app does not support multi-segments (chain mbufs), so 
>>> data_len should be the same as pkt_len.
>>> Is that not the case?
>>>
>> This is the inbound function (RX side), so mbufs are allocated by PMD.
>> PMD is allocating mbuf with additional 14 bytes for ETH header but 
>> trim it before passing the mbuf.
>> As a result seg len is 14 bytes smaller than data len.
>>
>
> Sorry, I am still missing something here.
> rte_pktmbuf_trim updates both data_len and pkt_len, so how can they 
> not be the same when we have a single mbuf?
>
> I think to remember using data_len instead of pkt_len so it is easy to 
> see that the application does not support multi-segments (aka. chained 
> mbufs)
>
> Thanks,
> Sergio
>
>> Thanks,
>> Aviad
>>
>>> Thanks,
>>> Sergio
>>
>

[PATCH v2 1/6] examples/ipsec-secgw: fix initialization of aead crypto devices

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
Cc: pablo.de.lara.guarch@intel.com

Issue: None
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v2:
* Fix commit message.
* Address feedbacks.
---
 examples/ipsec-secgw/ipsec-secgw.c | 13 +++++++++++--
 examples/ipsec-secgw/ipsec.h       |  1 +
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index d451b3d..1a5e9c0 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -1115,7 +1115,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
 		uint16_t qp, struct lcore_params *params,
 		struct ipsec_ctx *ipsec_ctx,
 		const struct rte_cryptodev_capabilities *cipher,
-		const struct rte_cryptodev_capabilities *auth)
+		const struct rte_cryptodev_capabilities *auth,
+		const struct rte_cryptodev_capabilities *aead)
 {
 	int32_t ret = 0;
 	unsigned long i;
@@ -1126,6 +1127,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
 		key.cipher_algo = cipher->sym.cipher.algo;
 	if (auth)
 		key.auth_algo = auth->sym.auth.algo;
+	if (aead)
+		key.aead_algo = aead->sym.aead.algo;
 
 	ret = rte_hash_lookup(map, &key);
 	if (ret != -ENOENT)
@@ -1194,6 +1197,12 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id,
 		if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
 			continue;
 
+		if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+			ret |= add_mapping(map, str, cdev_id, qp, params,
+					ipsec_ctx, NULL, NULL, i);
+			continue;
+		}
+
 		if (i->sym.xform_type != RTE_CRYPTO_SYM_XFORM_CIPHER)
 			continue;
 
@@ -1206,7 +1215,7 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id,
 				continue;
 
 			ret |= add_mapping(map, str, cdev_id, qp, params,
-					ipsec_ctx, i, j);
+						ipsec_ctx, i, j, NULL);
 		}
 	}
 
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index da1fb1b..7d057ae 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -150,6 +150,7 @@ struct cdev_key {
 	uint16_t lcore_id;
 	uint8_t cipher_algo;
 	uint8_t auth_algo;
+	uint8_t aead_algo;
 };
 
 struct socket_ctx {
-- 
2.7.4

[PATCH v2 2/6] examples/ipsec-secgw: fix create session also for aead

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Search for session also with aead key

Issue: None
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v2:
* Fix commit message.
* Addressed feedback.
---
 examples/ipsec-secgw/ipsec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 0afb9d6..36fb8c8 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -56,13 +56,17 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
 
 	key.cipher_algo = (uint8_t)sa->cipher_algo;
 	key.auth_algo = (uint8_t)sa->auth_algo;
+	key.aead_algo = (uint8_t)sa->aead_algo;
 
 	ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
 			(void **)&cdev_id_qp);
 	if (ret < 0) {
 		RTE_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, "
-				"auth_algo %u\n", key.lcore_id, key.cipher_algo,
-				key.auth_algo);
+			"auth_algo %u, aead_algo %u\n",
+			key.lcore_id,
+			key.cipher_algo,
+			key.auth_algo,
+			key.aead_algo);
 		return -1;
 	}
 
-- 
2.7.4

[PATCH v2 3/6] examples/ipsec-secgw: fix aad_len for for aes-gcm

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

This cause auth failure issue

Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
Cc: pablo.de.lara.guarch@intel.com

Issue: None
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v2:
* Fix commit message
---
 examples/ipsec-secgw/sa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 7be0e62..ef94475 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -431,7 +431,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 			rule->aead_algo = algo->algo;
 			rule->cipher_key_len = algo->key_len;
 			rule->digest_len = algo->digest_len;
-			rule->aad_len = algo->key_len;
+			rule->aad_len = algo->aad_len;
 			rule->block_size = algo->block_size;
 			rule->iv_len = algo->iv_len;
 
-- 
2.7.4

[PATCH v2 4/6] examples/ipsec-secgw: add correct padding to tunnel mode

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Issue: None
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v2:
* Fix commit message
---
 examples/ipsec-secgw/esp.c | 51 ++++++++++++++++++++++++++--------------------
 1 file changed, 29 insertions(+), 22 deletions(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index 70bb81f..6215ad4 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -229,25 +229,26 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	uint8_t *padding, *new_ip, nlp;
 	struct rte_crypto_sym_op *sym_cop;
 	int32_t i;
-	uint16_t pad_payload_len, pad_len, ip_hdr_len;
+	uint16_t pad_payload_len, pad_len = 0;
+	uint16_t inner_ip_hdr_len = 0, ip_hdr_len = 0;
 
 	RTE_ASSERT(m != NULL);
 	RTE_ASSERT(sa != NULL);
+	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
+		   sa->flags == TRANSPORT);
 	RTE_ASSERT(cop != NULL);
 
-	ip_hdr_len = 0;
-
 	ip4 = rte_pktmbuf_mtod(m, struct ip *);
 	if (likely(ip4->ip_v == IPVERSION)) {
-		if (unlikely(sa->flags == TRANSPORT)) {
-			ip_hdr_len = ip4->ip_hl * 4;
+		ip_hdr_len = ip4->ip_hl * 4;
+		if (unlikely(sa->flags == TRANSPORT))
 			nlp = ip4->ip_p;
-		} else
+		else
 			nlp = IPPROTO_IPIP;
 	} else if (ip4->ip_v == IP6_VERSION) {
+		/* XXX No option headers supported */
+		ip_hdr_len = sizeof(struct ip6_hdr);
 		if (unlikely(sa->flags == TRANSPORT)) {
-			/* XXX No option headers supported */
-			ip_hdr_len = sizeof(struct ip6_hdr);
 			ip6 = (struct ip6_hdr *)ip4;
 			nlp = ip6->ip6_nxt;
 		} else
@@ -259,22 +260,28 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	}
 
 	/* Padded payload length */
-	pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) -
-			ip_hdr_len + 2, sa->block_size);
-	pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
-
-	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
-			sa->flags == TRANSPORT);
-
-	if (likely(sa->flags == IP4_TUNNEL))
+	if (unlikely(sa->flags == TRANSPORT)) {
+		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
+						 sizeof(nlp) + 1 - ip_hdr_len,
+						 sa->block_size);
+		pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
+	} else {
+		inner_ip_hdr_len = ip_hdr_len;
 		ip_hdr_len = sizeof(struct ip);
-	else if (sa->flags == IP6_TUNNEL)
-		ip_hdr_len = sizeof(struct ip6_hdr);
-	else if (sa->flags != TRANSPORT) {
-		RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
-				sa->flags);
-		return -EINVAL;
+		if (sa->flags == IP6_TUNNEL)
+			ip_hdr_len = sizeof(struct ip6_hdr);
+
+		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
+						 sizeof(nlp) + 1,
+						 sa->block_size);
+		pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m);
 	}
+	RTE_LOG(DEBUG, IPSEC_ESP, "rte_pktmbuf_pkt_len=%u "
+		"inner_ip_hdr_len=%u ip_hdr_len=%u "
+		"pad_payload_len=%u pad_len=%u\n",
+		rte_pktmbuf_pkt_len(m),
+		inner_ip_hdr_len, ip_hdr_len,
+		pad_payload_len, pad_len);
 
 	/* Check maximum packet size */
 	if (unlikely(ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len +
-- 
2.7.4

[PATCH v2 5/6] examples/ipsec-secgw: iv should be be64

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

According to rfc4106 the IV should be unique
and can be implemented as counter.
The changed was created because putting an analyzer
on wire and comparing packets generated by this
application and Linux kernel.
Linux kernel sets IV as BE, so it is worth to do
the same for future debug / comparison.

Issue: None
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v2:
* Fix commit message
---
 examples/ipsec-secgw/esp.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index 6215ad4..de55c35 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -336,7 +336,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
 		uint8_t *aad;
 
-		*iv = sa->seq;
+		*iv = rte_cpu_to_be_64(sa->seq);
 		sym_cop->aead.data.offset = ip_hdr_len +
 			sizeof(struct esp_hdr) + sa->iv_len;
 		sym_cop->aead.data.length = pad_payload_len;
@@ -349,7 +349,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 		struct cnt_blk *icb = get_cnt_blk(m);
 		icb->salt = sa->salt;
-		icb->iv = sa->seq;
+		icb->iv = rte_cpu_to_be_64(sa->seq);
 		icb->cnt = rte_cpu_to_be_32(1);
 
 		aad = get_aad(m);
@@ -372,7 +372,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 			sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
 			break;
 		case RTE_CRYPTO_CIPHER_AES_CTR:
-			*iv = sa->seq;
+			*iv = rte_cpu_to_be_64(sa->seq);
 			sym_cop->cipher.data.offset = ip_hdr_len +
 				sizeof(struct esp_hdr) + sa->iv_len;
 			sym_cop->cipher.data.length = pad_payload_len;
@@ -391,7 +391,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 		struct cnt_blk *icb = get_cnt_blk(m);
 		icb->salt = sa->salt;
-		icb->iv = sa->seq;
+		icb->iv = rte_cpu_to_be_64(sa->seq);
 		icb->cnt = rte_cpu_to_be_32(1);
 
 		switch (sa->auth_algo) {
-- 
2.7.4

[PATCH v2 6/6] examples/ipsec-secgw: config ethernet MACs dynamically

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Issue: None
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v2:
* Fix commit message
---
 examples/ipsec-secgw/Makefile      |   1 +
 examples/ipsec-secgw/ep0.cfg       |   6 +
 examples/ipsec-secgw/ep1.cfg       |   6 +
 examples/ipsec-secgw/eth.c         | 238 +++++++++++++++++++++++++++++++++++++
 examples/ipsec-secgw/ipsec-secgw.c |  79 +++---------
 examples/ipsec-secgw/ipsec.h       |   8 ++
 examples/ipsec-secgw/parser.c      |  69 +++++++++++
 examples/ipsec-secgw/parser.h      |  35 ++++++
 8 files changed, 378 insertions(+), 64 deletions(-)
 create mode 100644 examples/ipsec-secgw/eth.c

diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
index 17e9155..0dacd3c 100644
--- a/examples/ipsec-secgw/Makefile
+++ b/examples/ipsec-secgw/Makefile
@@ -60,6 +60,7 @@ SRCS-y += sp4.c
 SRCS-y += sp6.c
 SRCS-y += sa.c
 SRCS-y += rt.c
+SRCS-y += eth.c
 SRCS-y += ipsec-secgw.c
 
 include $(RTE_SDK)/mk/rte.extapp.mk
diff --git a/examples/ipsec-secgw/ep0.cfg b/examples/ipsec-secgw/ep0.cfg
index 299aa9e..eda4499 100644
--- a/examples/ipsec-secgw/ep0.cfg
+++ b/examples/ipsec-secgw/ep0.cfg
@@ -158,3 +158,9 @@ rt ipv6 dst ffff:0000:0000:0000:5555:5555:0000:0000/116 port 2
 rt ipv6 dst ffff:0000:0000:0000:6666:6666:0000:0000/116 port 3
 rt ipv6 dst ffff:0000:1111:1111:0000:0000:0000:0000/116 port 2
 rt ipv6 dst ffff:0000:1111:1111:1111:1111:0000:0000/116 port 3
+
+#ETH Addresses
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:7e:94:9a port 0
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:22:a1:d9 port 1
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:08:69:26 port 2
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:49:9e:dd port 3
diff --git a/examples/ipsec-secgw/ep1.cfg b/examples/ipsec-secgw/ep1.cfg
index 3f6ff81..e6d4e26 100644
--- a/examples/ipsec-secgw/ep1.cfg
+++ b/examples/ipsec-secgw/ep1.cfg
@@ -158,3 +158,9 @@ rt ipv6 dst 0000:0000:0000:0000:5555:5555:0000:0000/116 port 2
 rt ipv6 dst 0000:0000:0000:0000:6666:6666:0000:0000/116 port 3
 rt ipv6 dst 0000:0000:1111:1111:0000:0000:0000:0000/116 port 2
 rt ipv6 dst 0000:0000:1111:1111:1111:1111:0000:0000/116 port 3
+
+#ETH Addresses
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:7e:94:9a port 0
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:22:a1:d9 port 1
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:08:69:26 port 2
+eth addr src 00:00:00:00:00:00 dst 00:16:3e:49:9e:dd port 3
diff --git a/examples/ipsec-secgw/eth.c b/examples/ipsec-secgw/eth.c
new file mode 100644
index 0000000..b4f7120
--- /dev/null
+++ b/examples/ipsec-secgw/eth.c
@@ -0,0 +1,238 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Ethernet Address
+ */
+#include <stdint.h>
+#include <sys/types.h>
+#include <rte_ether.h>
+#include <rte_errno.h>
+#include <rte_ethdev.h>
+
+#include "ipsec.h"
+#include "parser.h"
+
+#define ETH_DST_MAX_RULES	1024
+
+struct addr {
+	uint8_t port;
+	struct ether_addr src;
+	struct ether_addr dst;
+};
+
+struct addr eth_addr[ETH_DST_MAX_RULES];
+uint32_t nb_eth_addr;
+
+void
+parse_eth_tokens(char **tokens, uint32_t n_tokens,
+	struct parse_status *status)
+{
+	uint32_t ti;
+	uint32_t *n_addr = NULL;
+	struct addr *addr = NULL;
+
+	if (strcmp(tokens[0], "addr") == 0) {
+		n_addr = &nb_eth_addr;
+		addr = &eth_addr[*n_addr];
+
+		APP_CHECK(*n_addr <= ETH_DST_MAX_RULES - 1, status,
+			"too many eth dst rules, abort insertion\n");
+		if (status->status < 0)
+			return;
+	} else {
+		APP_CHECK(0, status, "unrecognized input \"%s\"",
+			tokens[0]);
+		return;
+	}
+
+	for (ti = 1; ti < n_tokens; ti++) {
+		if (strcmp(tokens[ti], "src") == 0) {
+			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+			if (status->status < 0)
+				return;
+
+			if (addr != NULL) {
+				APP_CHECK(parse_eth_addr(tokens[ti],
+					  &addr->src) == 0, status,
+					  "unrecognized input \"%s\", "
+					  "expect valid src addr",
+					  tokens[ti]);
+				if (status->status < 0)
+					return;
+			} else {
+				APP_CHECK(0, status, "addr is NULL");
+			}
+		}
+
+		if (strcmp(tokens[ti], "dst") == 0) {
+			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+			if (status->status < 0)
+				return;
+
+			if (addr != NULL) {
+				APP_CHECK(parse_eth_addr(tokens[ti],
+					  &addr->dst) == 0, status,
+					  "unrecognized input \"%s\", "
+					  "expect valid dst addr",
+					  tokens[ti]);
+				if (status->status < 0)
+					return;
+			} else {
+				APP_CHECK(0, status, "addr is NULL");
+			}
+		}
+
+		if (strcmp(tokens[ti], "port") == 0) {
+			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+			if (status->status < 0)
+				return;
+
+			APP_CHECK_TOKEN_IS_NUM(tokens, ti, status);
+			if (status->status < 0)
+				return;
+
+			if (addr != NULL)
+				addr->port = atoi(tokens[ti]);
+			else
+				APP_CHECK(0, status, "addr is NULL");
+		}
+	}
+
+	*n_addr = *n_addr + 1;
+}
+
+static struct eth_ctx *
+eth_create(const char *name, int32_t socket_id)
+{
+	char s[PATH_MAX];
+	struct eth_ctx *eth_ctx;
+	uint32_t mz_size;
+	const struct rte_memzone *mz;
+
+	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
+
+	/* Create SA array table */
+	printf("Creating ETH context with %u maximum entries\n",
+			RTE_MAX_ETHPORTS);
+
+	mz_size = sizeof(struct eth_ctx) * RTE_MAX_ETHPORTS;
+	mz = rte_memzone_reserve(s, mz_size, socket_id,
+			RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
+	if (mz == NULL) {
+		printf("Failed to allocate SA DB memory\n");
+		rte_errno = -ENOMEM;
+		return NULL;
+	}
+	memset(mz->addr, 0, mz_size);
+
+	eth_ctx = (struct eth_ctx *)mz->addr;
+	return eth_ctx;
+}
+
+static void
+eth_ctx_dump(struct eth_ctx *eth_addr, uint32_t mask)
+{
+	char name[256];
+	uint32_t nb_ports;
+	uint8_t port;
+
+	nb_ports = rte_eth_dev_count();
+	for (port = 0; port < nb_ports; ++port) {
+		if ((mask & (1 << port)) == 0)
+			continue;
+
+		if (rte_eth_dev_get_name_by_port(port, name) < 0)
+			rte_exit(EXIT_FAILURE, "Unable to find name "
+					"to port=%d\n", port);
+
+		printf("%s-dst-0x%lx\n", name, eth_addr[port].dst);
+		printf("%s-src-0x%lx\n", name, eth_addr[port].src);
+	}
+}
+
+void
+eth_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t mask)
+{
+	const char *name;
+	uint32_t i, nb_ports;
+	uint8_t port;
+	struct ether_addr ethaddr;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->eth_addr != NULL)
+		rte_exit(EXIT_FAILURE, "ETH Address Table for socket %u "
+			"already initialized\n", socket_id);
+
+	if (nb_eth_addr == 0)
+		RTE_LOG(WARNING, IPSEC, "No ETH address rule specified\n");
+
+	/* create the ETH table */
+	name = "eth_addr";
+	ctx->eth_addr = eth_create(name, socket_id);
+	if (ctx->eth_addr == NULL)
+		rte_exit(EXIT_FAILURE, "Error [%d] creating ETH "
+				"context %s in socket %d\n", rte_errno,
+				name, socket_id);
+
+	/* populate the ETH table */
+	for (i = 0; i < nb_eth_addr; ++i) {
+		port = eth_addr[i].port;
+
+		if (ctx->eth_addr[port].dst != 0)
+			rte_exit(EXIT_FAILURE, "ETH destination address "
+					"for port %u already in use\n",
+					port);
+		if (ctx->eth_addr[port].src != 0)
+			rte_exit(EXIT_FAILURE, "ETH source address "
+					"for port %u already in use\n",
+					port);
+
+		ctx->eth_addr[port].dst = ETHADDR_TO_UINT64(eth_addr[i].dst);
+		ctx->eth_addr[port].src = ETHADDR_TO_UINT64(eth_addr[i].src);
+	}
+
+	nb_ports = rte_eth_dev_count();
+	for (port = 0; port < nb_ports; ++port) {
+		if ((mask & (1 << port)) == 0)
+			continue;
+
+		if (ctx->eth_addr[port].src == 0) {
+			rte_eth_macaddr_get(port, &ethaddr);
+			ctx->eth_addr[port].src = ETHADDR_TO_UINT64(ethaddr);
+		}
+	}
+	eth_ctx_dump(ctx->eth_addr, mask);
+}
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 1a5e9c0..227bc81 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -112,47 +112,6 @@
 static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
 static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
 
-#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
-#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
-	(((uint64_t)((a) & 0xff) << 56) | \
-	((uint64_t)((b) & 0xff) << 48) | \
-	((uint64_t)((c) & 0xff) << 40) | \
-	((uint64_t)((d) & 0xff) << 32) | \
-	((uint64_t)((e) & 0xff) << 24) | \
-	((uint64_t)((f) & 0xff) << 16) | \
-	((uint64_t)((g) & 0xff) << 8)  | \
-	((uint64_t)(h) & 0xff))
-#else
-#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
-	(((uint64_t)((h) & 0xff) << 56) | \
-	((uint64_t)((g) & 0xff) << 48) | \
-	((uint64_t)((f) & 0xff) << 40) | \
-	((uint64_t)((e) & 0xff) << 32) | \
-	((uint64_t)((d) & 0xff) << 24) | \
-	((uint64_t)((c) & 0xff) << 16) | \
-	((uint64_t)((b) & 0xff) << 8) | \
-	((uint64_t)(a) & 0xff))
-#endif
-#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
-
-#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
-		addr.addr_bytes[0], addr.addr_bytes[1], \
-		addr.addr_bytes[2], addr.addr_bytes[3], \
-		addr.addr_bytes[4], addr.addr_bytes[5], \
-		0, 0)
-
-/* port/source ethernet addr and destination ethernet addr */
-struct ethaddr_info {
-	uint64_t src, dst;
-};
-
-struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
-	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
-	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
-	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
-	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
-};
-
 /* mask of enabled ports */
 static uint32_t enabled_port_mask;
 static uint32_t unprotected_port_mask;
@@ -195,6 +154,7 @@ struct lcore_conf {
 	struct ipsec_ctx outbound;
 	struct rt_ctx *rt4_ctx;
 	struct rt_ctx *rt6_ctx;
+	struct eth_ctx *eth_addr;
 } __rte_cache_aligned;
 
 static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
@@ -290,7 +250,7 @@ prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
 }
 
 static inline void
-prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port)
+prepare_tx_pkt(struct rte_mbuf *pkt, uint64_t *src, uint64_t *dst)
 {
 	struct ip *ip;
 	struct ether_hdr *ethhdr;
@@ -313,25 +273,24 @@ prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port)
 		ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv6);
 	}
 
-	memcpy(&ethhdr->s_addr, &ethaddr_tbl[port].src,
-			sizeof(struct ether_addr));
-	memcpy(&ethhdr->d_addr, &ethaddr_tbl[port].dst,
-			sizeof(struct ether_addr));
+	memcpy(&ethhdr->s_addr, src, sizeof(struct ether_addr));
+	memcpy(&ethhdr->d_addr, dst, sizeof(struct ether_addr));
 }
 
 static inline void
-prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint16_t port)
+prepare_tx_burst(struct rte_mbuf *pkts[], uint64_t *src, uint64_t *dst,
+		 uint16_t nb_pkts)
 {
 	int32_t i;
 	const int32_t prefetch_offset = 2;
 
 	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
 		rte_mbuf_prefetch_part2(pkts[i + prefetch_offset]);
-		prepare_tx_pkt(pkts[i], port);
+		prepare_tx_pkt(pkts[i], src, dst);
 	}
 	/* Process left packets */
 	for (; i < nb_pkts; i++)
-		prepare_tx_pkt(pkts[i], port);
+		prepare_tx_pkt(pkts[i], src, dst);
 }
 
 /* Send burst of packets on an output interface */
@@ -341,11 +300,14 @@ send_burst(struct lcore_conf *qconf, uint16_t n, uint16_t port)
 	struct rte_mbuf **m_table;
 	int32_t ret;
 	uint16_t queueid;
+	uint64_t *src, *dst;
 
 	queueid = qconf->tx_queue_id[port];
 	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
+	src = &qconf->eth_addr[port].src;
+	dst = &qconf->eth_addr[port].dst;
 
-	prepare_tx_burst(m_table, n, port);
+	prepare_tx_burst(m_table, src, dst, n);
 
 	ret = rte_eth_tx_burst(port, queueid, m_table, n);
 	if (unlikely(ret < n)) {
@@ -707,6 +669,7 @@ main_loop(__attribute__((unused)) void *dummy)
 
 	qconf->rt4_ctx = socket_ctx[socket_id].rt_ip4;
 	qconf->rt6_ctx = socket_ctx[socket_id].rt_ip6;
+	qconf->eth_addr = socket_ctx[socket_id].eth_addr;
 	qconf->inbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_in;
 	qconf->inbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_in;
 	qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_in;
@@ -1047,14 +1010,6 @@ parse_args(int32_t argc, char **argv)
 	return ret;
 }
 
-static void
-print_ethaddr(const char *name, const struct ether_addr *eth_addr)
-{
-	char buf[ETHER_ADDR_FMT_SIZE];
-	ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
-	printf("%s%s", name, buf);
-}
-
 /* Check the link status of all ports in up to 9s, and print them finally */
 static void
 check_all_ports_link_status(uint16_t port_num, uint32_t port_mask)
@@ -1341,17 +1296,11 @@ port_init(uint16_t portid)
 	uint16_t tx_queueid, rx_queueid, queue, lcore_id;
 	int32_t ret, socket_id;
 	struct lcore_conf *qconf;
-	struct ether_addr ethaddr;
 
 	rte_eth_dev_info_get(portid, &dev_info);
 
 	printf("Configuring device port %u:\n", portid);
 
-	rte_eth_macaddr_get(portid, &ethaddr);
-	ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
-	print_ethaddr("Address: ", &ethaddr);
-	printf("\n");
-
 	nb_rx_queue = get_port_nb_rx_queues(portid);
 	nb_tx_queue = nb_lcores;
 
@@ -1502,6 +1451,8 @@ main(int32_t argc, char **argv)
 
 		rt_init(&socket_ctx[socket_id], socket_id);
 
+		eth_init(&socket_ctx[socket_id], socket_id, enabled_port_mask);
+
 		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
 	}
 
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 7d057ae..9e22b1b 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -153,6 +153,10 @@ struct cdev_key {
 	uint8_t aead_algo;
 };
 
+struct eth_ctx {
+	uint64_t src, dst;
+};
+
 struct socket_ctx {
 	struct sa_ctx *sa_in;
 	struct sa_ctx *sa_out;
@@ -162,6 +166,7 @@ struct socket_ctx {
 	struct sp_ctx *sp_ip6_out;
 	struct rt_ctx *rt_ip4;
 	struct rt_ctx *rt_ip6;
+	struct eth_ctx *eth_addr;
 	struct rte_mempool *mbuf_pool;
 	struct rte_mempool *session_pool;
 };
@@ -237,4 +242,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id);
 void
 rt_init(struct socket_ctx *ctx, int32_t socket_id);
 
+void
+eth_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t mask);
+
 #endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/parser.c b/examples/ipsec-secgw/parser.c
index 9d0ea46..24ca8c2 100644
--- a/examples/ipsec-secgw/parser.c
+++ b/examples/ipsec-secgw/parser.c
@@ -292,6 +292,30 @@ parse_ipv6_addr(const char *token, struct in6_addr *ipv6, uint32_t *mask)
 }
 
 int
+parse_eth_addr(const char *token, struct ether_addr *addr)
+{
+	char addr_str[256] = {0};
+	int i, values[6];
+
+	if (strlen(token) >= 256)
+		return -EINVAL;
+
+	strncpy(addr_str, token, strlen(token));
+
+	if (6 != sscanf(addr_str, "%02X:%02X:%02X:%02X:%02X:%02X",
+			&values[0], &values[1],
+			&values[2], &values[3],
+			&values[4], &values[5])) {
+		return -EINVAL;
+	}
+
+	for (i = 0; i < 6; ++i)
+		addr->addr_bytes[i] = (uint8_t)values[i];
+
+	return 0;
+}
+
+int
 parse_range(const char *token, uint16_t *low, uint16_t *high)
 {
 	char ch;
@@ -469,11 +493,55 @@ cmdline_parse_inst_t cfg_rt_add_rule = {
 	},
 };
 
+/* eth add parse */
+struct cfg_eth_add_cfg_item {
+	cmdline_fixed_string_t eth_keyword;
+	cmdline_multi_string_t multi_string;
+};
+
+static void
+cfg_eth_add_cfg_item_parsed(void *parsed_result,
+	__rte_unused struct cmdline *cl, void *data)
+{
+	struct cfg_eth_add_cfg_item *params = parsed_result;
+	char *tokens[32];
+	uint32_t n_tokens = RTE_DIM(tokens);
+	struct parse_status *status = (struct parse_status *)data;
+
+	APP_CHECK(parse_tokenize_string(
+		params->multi_string, tokens, &n_tokens) == 0,
+		status, "too many arguments\n");
+	if (status->status < 0)
+		return;
+
+	parse_eth_tokens(tokens, n_tokens, status);
+}
+
+static cmdline_parse_token_string_t cfg_eth_add_eth_str =
+	TOKEN_STRING_INITIALIZER(struct cfg_eth_add_cfg_item,
+		eth_keyword, "eth");
+
+static cmdline_parse_token_string_t cfg_eth_add_multi_str =
+	TOKEN_STRING_INITIALIZER(struct cfg_eth_add_cfg_item, multi_string,
+		TOKEN_STRING_MULTI);
+
+cmdline_parse_inst_t cfg_eth_add_rule = {
+	.f = cfg_eth_add_cfg_item_parsed,
+	.data = NULL,
+	.help_str = "",
+	.tokens = {
+		(void *) &cfg_eth_add_eth_str,
+		(void *) &cfg_eth_add_multi_str,
+		NULL,
+	},
+};
+
 /** set of cfg items */
 cmdline_parse_ctx_t ipsec_ctx[] = {
 	(cmdline_parse_inst_t *)&cfg_sp_add_rule,
 	(cmdline_parse_inst_t *)&cfg_sa_add_rule,
 	(cmdline_parse_inst_t *)&cfg_rt_add_rule,
+	(cmdline_parse_inst_t *)&cfg_eth_add_rule,
 	NULL,
 };
 
@@ -499,6 +567,7 @@ parse_cfg_file(const char *cfg_filename)
 	cfg_sp_add_rule.data = &status;
 	cfg_sa_add_rule.data = &status;
 	cfg_rt_add_rule.data = &status;
+	cfg_eth_add_rule.data = &status;
 
 	do {
 		char oneline[1024];
diff --git a/examples/ipsec-secgw/parser.h b/examples/ipsec-secgw/parser.h
index d31ae01..daa7997 100644
--- a/examples/ipsec-secgw/parser.h
+++ b/examples/ipsec-secgw/parser.h
@@ -85,6 +85,34 @@ do {									\
 	index++;							\
 } while (0)
 
+#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((a) & 0xff) << 56) | \
+	((uint64_t)((b) & 0xff) << 48) | \
+	((uint64_t)((c) & 0xff) << 40) | \
+	((uint64_t)((d) & 0xff) << 32) | \
+	((uint64_t)((e) & 0xff) << 24) | \
+	((uint64_t)((f) & 0xff) << 16) | \
+	((uint64_t)((g) & 0xff) << 8)  | \
+	((uint64_t)(h) & 0xff))
+#else
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((h) & 0xff) << 56) | \
+	((uint64_t)((g) & 0xff) << 48) | \
+	((uint64_t)((f) & 0xff) << 40) | \
+	((uint64_t)((e) & 0xff) << 32) | \
+	((uint64_t)((d) & 0xff) << 24) | \
+	((uint64_t)((c) & 0xff) << 16) | \
+	((uint64_t)((b) & 0xff) << 8) | \
+	((uint64_t)(a) & 0xff))
+#endif
+
+#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
+		addr.addr_bytes[0], addr.addr_bytes[1], \
+		addr.addr_bytes[2], addr.addr_bytes[3], \
+		addr.addr_bytes[4], addr.addr_bytes[5], \
+		0, 0)
+
 int
 parse_ipv4_addr(const char *token, struct in_addr *ipv4, uint32_t *mask);
 
@@ -92,6 +120,9 @@ int
 parse_ipv6_addr(const char *token, struct in6_addr *ipv6, uint32_t *mask);
 
 int
+parse_eth_addr(const char *token, struct ether_addr *addr);
+
+int
 parse_range(const char *token, uint16_t *low, uint16_t *high);
 
 void
@@ -110,6 +141,10 @@ void
 parse_rt_tokens(char **tokens, uint32_t n_tokens,
 	struct parse_status *status);
 
+void
+parse_eth_tokens(char **tokens, uint32_t n_tokens,
+	struct parse_status *status);
+
 int
 parse_cfg_file(const char *cfg_filename);
 
-- 
2.7.4

Re: [PATCH v2 4/6] examples/ipsec-secgw: add correct padding to tunnel mode

[Sergio Gonzalez Monroy]

Hi Aviad,

I think you missed my question on v1 for this patch.

Could you provide an example where the pad calculation with the current 
code is wrong?

Thanks,
Sergio

On 19/10/2017 19:53, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Issue: None
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> --
> v2:
> * Fix commit message
> ---
>   examples/ipsec-secgw/esp.c | 51 ++++++++++++++++++++++++++--------------------
>   1 file changed, 29 insertions(+), 22 deletions(-)
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index 70bb81f..6215ad4 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -229,25 +229,26 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   	uint8_t *padding, *new_ip, nlp;
>   	struct rte_crypto_sym_op *sym_cop;
>   	int32_t i;
> -	uint16_t pad_payload_len, pad_len, ip_hdr_len;
> +	uint16_t pad_payload_len, pad_len = 0;
> +	uint16_t inner_ip_hdr_len = 0, ip_hdr_len = 0;
>   
>   	RTE_ASSERT(m != NULL);
>   	RTE_ASSERT(sa != NULL);
> +	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
> +		   sa->flags == TRANSPORT);
>   	RTE_ASSERT(cop != NULL);
>   
> -	ip_hdr_len = 0;
> -
>   	ip4 = rte_pktmbuf_mtod(m, struct ip *);
>   	if (likely(ip4->ip_v == IPVERSION)) {
> -		if (unlikely(sa->flags == TRANSPORT)) {
> -			ip_hdr_len = ip4->ip_hl * 4;
> +		ip_hdr_len = ip4->ip_hl * 4;
> +		if (unlikely(sa->flags == TRANSPORT))
>   			nlp = ip4->ip_p;
> -		} else
> +		else
>   			nlp = IPPROTO_IPIP;
>   	} else if (ip4->ip_v == IP6_VERSION) {
> +		/* XXX No option headers supported */
> +		ip_hdr_len = sizeof(struct ip6_hdr);
>   		if (unlikely(sa->flags == TRANSPORT)) {
> -			/* XXX No option headers supported */
> -			ip_hdr_len = sizeof(struct ip6_hdr);
>   			ip6 = (struct ip6_hdr *)ip4;
>   			nlp = ip6->ip6_nxt;
>   		} else
> @@ -259,22 +260,28 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>   	}
>   
>   	/* Padded payload length */
> -	pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) -
> -			ip_hdr_len + 2, sa->block_size);
> -	pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
> -
> -	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
> -			sa->flags == TRANSPORT);
> -
> -	if (likely(sa->flags == IP4_TUNNEL))
> +	if (unlikely(sa->flags == TRANSPORT)) {
> +		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
> +						 sizeof(nlp) + 1 - ip_hdr_len,
> +						 sa->block_size);
> +		pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
> +	} else {
> +		inner_ip_hdr_len = ip_hdr_len;
>   		ip_hdr_len = sizeof(struct ip);
> -	else if (sa->flags == IP6_TUNNEL)
> -		ip_hdr_len = sizeof(struct ip6_hdr);
> -	else if (sa->flags != TRANSPORT) {
> -		RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
> -				sa->flags);
> -		return -EINVAL;
> +		if (sa->flags == IP6_TUNNEL)
> +			ip_hdr_len = sizeof(struct ip6_hdr);
> +
> +		pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) +
> +						 sizeof(nlp) + 1,
> +						 sa->block_size);
> +		pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m);
>   	}
> +	RTE_LOG(DEBUG, IPSEC_ESP, "rte_pktmbuf_pkt_len=%u "
> +		"inner_ip_hdr_len=%u ip_hdr_len=%u "
> +		"pad_payload_len=%u pad_len=%u\n",
> +		rte_pktmbuf_pkt_len(m),
> +		inner_ip_hdr_len, ip_hdr_len,
> +		pad_payload_len, pad_len);
>   
>   	/* Check maximum packet size */
>   	if (unlikely(ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len +

Re: [PATCH v2 1/6] examples/ipsec-secgw: fix initialization of aead crypto devices

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: aviadye@dev.mellanox.co.il [mailto:aviadye@dev.mellanox.co.il]
> Sent: Thursday, October 19, 2017 7:53 PM
> To: dev@dpdk.org; Gonzalez Monroy, Sergio
> <sergio.gonzalez.monroy@intel.com>; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
> Doherty, Declan <declan.doherty@intel.com>; aviadye@dev.mellanox.co.il;
> liranl@mellanox.com; nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: [dpdk-dev][PATCH v2 1/6] examples/ipsec-secgw: fix initialization
> of aead crypto devices
> 
> From: Aviad Yehezkel <aviadye@mellanox.com>
> 
> Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
> Cc: pablo.de.lara.guarch@intel.com

You should CC stable here.
> 
> Issue: None

What does this mean? This is a fix to an existing issue,
so this doesn't make sense.

Apart from this:

Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

Re: [PATCH v2 3/6] examples/ipsec-secgw: fix aad_len for for aes-gcm

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: aviadye@dev.mellanox.co.il [mailto:aviadye@dev.mellanox.co.il]
> Sent: Thursday, October 19, 2017 7:53 PM
> To: dev@dpdk.org; Gonzalez Monroy, Sergio
> <sergio.gonzalez.monroy@intel.com>; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
> Doherty, Declan <declan.doherty@intel.com>; aviadye@dev.mellanox.co.il;
> liranl@mellanox.com; nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: [dpdk-dev][PATCH v2 3/6] examples/ipsec-secgw: fix aad_len for
> for aes-gcm
> 
> From: Aviad Yehezkel <aviadye@mellanox.com>
> 
> This cause auth failure issue
> 
> Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
> Cc: pablo.de.lara.guarch@intel.com
> 
> Issue: None
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>

Same comments as in patch 1, and also fix the commit title
("for" duplicated) and avoid "_".

For the rest of the patch:

Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

Re: [PATCH v2 3/6] examples/ipsec-secgw: fix aad_len for for aes-gcm

[Thomas Monjalon]

20/10/2017 11:52, De Lara Guarch, Pablo:
> Same comments as in patch 1, and also fix the commit title
> ("for" duplicated) and avoid "_".

The underscore is forbidden in titles to avoid naming variable or
function names instead of giving a clear scope understandable
without digging in the code.
Here "aad_len" can probably be replaced by "AAD length".

Re: [PATCH v2 5/6] examples/ipsec-secgw: iv should be be64

[Radu Nicolau]

On 10/19/2017 7:53 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> According to rfc4106 the IV should be unique
> and can be implemented as counter.
> The changed was created because putting an analyzer
> on wire and comparing packets generated by this
> application and Linux kernel.
> Linux kernel sets IV as BE, so it is worth to do
> the same for future debug / comparison.
>
> Issue: None
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> --
> v2:
> * Fix commit message
> ---
>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>

Re: [PATCH v2 6/6] examples/ipsec-secgw: config ethernet MACs dynamically

[Nicolau, Radu]

Hi,

I think this should be a separate patch, not bundled with a series of fixes.
The guide has to be updated as well.
And probably it's best to make the MAC configuration optional, keep a default hardcoded table.

Regards,
Radu

> -----Original Message-----
> From: aviadye@dev.mellanox.co.il [mailto:aviadye@dev.mellanox.co.il]
> Sent: Thursday, October 19, 2017 7:53 PM
> To: dev@dpdk.org; Gonzalez Monroy, Sergio
> <sergio.gonzalez.monroy@intel.com>; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
> Doherty, Declan <declan.doherty@intel.com>; aviadye@dev.mellanox.co.il;
> liranl@mellanox.com; nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: [dpdk-dev][PATCH v2 6/6] examples/ipsec-secgw: config ethernet
> MACs dynamically
> 
> From: Aviad Yehezkel <aviadye@mellanox.com>
> 
> Issue: None
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> --
> v2:
<snip>

Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[Akhil Goyal]

On 10/17/2017 6:47 PM, De Lara Guarch, Pablo wrote:
> 
> 
>> -----Original Message-----
>> From: Hemant Agrawal [mailto:hemant.agrawal@nxp.com]
>> Sent: Tuesday, October 17, 2017 1:37 PM
>> To: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>; Aviad
>> Yehezkel <aviadye@dev.mellanox.co.il>; Gonzalez Monroy, Sergio
>> <sergio.gonzalez.monroy@intel.com>; dev@dpdk.org;
>> aviadye@mellanox.com
>> Cc: borisp@mellanox.com; akhil.goyal@nxp.com; Nicolau, Radu
>> <radu.nicolau@intel.com>; Doherty, Declan <declan.doherty@intel.com>;
>> liranl@mellanox.com; nelio.laranjeiro@6wind.com; thomas@monjalon.net
>> Subject: Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS
>> file
>>
>> On 10/16/2017 7:09 PM, De Lara Guarch, Pablo wrote:
>>> Hi Aviad,
>>>
>>>> -----Original Message-----
>>>> From: Aviad Yehezkel [mailto:aviadye@dev.mellanox.co.il]
>>>> Sent: Monday, October 16, 2017 11:44 AM
>>>> To: Gonzalez Monroy, Sergio <sergio.gonzalez.monroy@intel.com>;
>>>> dev@dpdk.org; De Lara Guarch, Pablo
>> <pablo.de.lara.guarch@intel.com>;
>>>> aviadye@mellanox.com
>>>> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
>> hemant.agrawal@nxp.com;
>>>> Nicolau, Radu <radu.nicolau@intel.com>; Doherty, Declan
>>>> <declan.doherty@intel.com>; liranl@mellanox.com;
>>>> nelio.laranjeiro@6wind.com; thomas@monjalon.net
>>>> Subject: Re: [dpdk-dev][PATCH 01/11] examples/ipsec-secgw: updated
>>>> MAINTAINERS file
>>>>
>>>>
>>>>
>>>> On 10/16/2017 12:27 PM, Sergio Gonzalez Monroy wrote:
>>>>> Hi Aviad,
>>>>>
>>>>> On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
>>>>>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>>>>>
>>>>>> As agreed with Sergio and Pablo
>>>>>
>>>>> I don't think the commit message is relevant.
>>>>> Either me or Pablo acking the patch would have the same meaning.
>>>>>
>>>>> Thanks,
>>>>> Sergio
>>>>
>>>> Will fix.
>>>
>>> Actually, it is too early for you to take ownership on this app, as
>>> you have recently started contributing to DPDK, so I have to NACK this
>> patch.
>>> Sorry for the confusion.
>>>
>>> Said that, anyone from the rest of the developers of rte_security
>>> (with past contributions) that would like to volunteer to maintain this
>> app?
>>>
>>
>> I want to ask Akhil, if he agrees to commit time to do this work?
I can, but I think Radu is already added as a co maintainer.

> 
> I would support that decision :)
> 
Thanks for your support Pablo.

-Akhil

Re: [PATCH v2 1/6] examples/ipsec-secgw: fix initialization of aead crypto devices

[Aviad Yehezkel]

On 10/20/2017 12:50 PM, De Lara Guarch, Pablo wrote:
>
>> -----Original Message-----
>> From: aviadye@dev.mellanox.co.il [mailto:aviadye@dev.mellanox.co.il]
>> Sent: Thursday, October 19, 2017 7:53 PM
>> To: dev@dpdk.org; Gonzalez Monroy, Sergio
>> <sergio.gonzalez.monroy@intel.com>; De Lara Guarch, Pablo
>> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
>> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
>> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
>> Doherty, Declan <declan.doherty@intel.com>; aviadye@dev.mellanox.co.il;
>> liranl@mellanox.com; nelio.laranjeiro@6wind.com; thomas@monjalon.net
>> Subject: [dpdk-dev][PATCH v2 1/6] examples/ipsec-secgw: fix initialization
>> of aead crypto devices
>>
>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>
>> Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
>> Cc: pablo.de.lara.guarch@intel.com
> You should CC stable here.
You referred me to http://dpdk.org/doc/guides/contributing/patches.html
I followed the documentation:
"
When fixing a regression, it is required to reference the id of the 
commit which introduced the bug, and put the original author of that 
commit on CC. Yiu can generate the required lines using the following 
git alias, which print the commit SHA and the author of the original code:
git config alias.fixline "log -1 --abbrev=12 --format='Fixes: %h 
(\"%s\")%nCc: %ae'"
"
Please explain when to use above alias and when to put stable or 
something else.

Thanks!
>> Issue: None
> What does this mean? This is a fix to an existing issue,
> so this doesn't make sense.
This is leftovers from my internal git continuous integration system. It 
refers to internal bug in my local bugzilla.
Will remove that and automate next patches not to include it.

Thanks!
>
> Apart from this:
>
> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

Re: [PATCH v2 1/6] examples/ipsec-secgw: fix initialization of aead crypto devices

[Thomas Monjalon]

22/10/2017 09:21, Aviad Yehezkel:
> On 10/20/2017 12:50 PM, De Lara Guarch, Pablo wrote:
> > From: aviadye@dev.mellanox.co.il
> >> From: Aviad Yehezkel <aviadye@mellanox.com>
> >>
> >> Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
> >> Cc: pablo.de.lara.guarch@intel.com
> > 
> > You should CC stable here.
> 
> You referred me to http://dpdk.org/doc/guides/contributing/patches.html
> I followed the documentation:
> "
> When fixing a regression, it is required to reference the id of the 
> commit which introduced the bug, and put the original author of that 
> commit on CC. Yiu can generate the required lines using the following 
> git alias, which print the commit SHA and the author of the original code:
> git config alias.fixline "log -1 --abbrev=12 --format='Fixes: %h 
> (\"%s\")%nCc: %ae'"
> "
> Please explain when to use above alias and when to put stable or 
> something else.

It seems it is not described in the chapter 5.
It is mentioned only in chapter 6:
	http://dpdk.org/doc/guides/contributing/stable.html#the-stable-mailing-list

But when running devtools/check-git-log.sh as described in chapter 5:
	http://dpdk.org/doc/guides/contributing/patches.html#checking-the-patches
You should see this:
	Is it candidate for Cc: stable@dpdk.org backport?
It is using devtools/git-log-fixes.sh to get patches which are fixing
older releases.

Short answer:
You must add "Cc: stable@dpdk.org" just below "Fixes:" if the bug
was introduced in an older release.
It will trigger the patch to be backported in maintenance releases.

It is the responsibility of the tree maintainer to check this tag,
and add or remove it, if he thinks the backport requirement was not
properly considered.

Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file

[Sergio Gonzalez Monroy]

On 21/10/2017 18:12, Akhil Goyal wrote:
> On 10/17/2017 6:47 PM, De Lara Guarch, Pablo wrote:
>>
>>
>>> -----Original Message-----
>>> From: Hemant Agrawal [mailto:hemant.agrawal@nxp.com]
>>> Sent: Tuesday, October 17, 2017 1:37 PM
>>> To: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>; Aviad
>>> Yehezkel <aviadye@dev.mellanox.co.il>; Gonzalez Monroy, Sergio
>>> <sergio.gonzalez.monroy@intel.com>; dev@dpdk.org;
>>> aviadye@mellanox.com
>>> Cc: borisp@mellanox.com; akhil.goyal@nxp.com; Nicolau, Radu
>>> <radu.nicolau@intel.com>; Doherty, Declan <declan.doherty@intel.com>;
>>> liranl@mellanox.com; nelio.laranjeiro@6wind.com; thomas@monjalon.net
>>> Subject: Re: [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS
>>> file
>>>
>>> On 10/16/2017 7:09 PM, De Lara Guarch, Pablo wrote:
>>>> Hi Aviad,
>>>>
>>>>> -----Original Message-----
>>>>> From: Aviad Yehezkel [mailto:aviadye@dev.mellanox.co.il]
>>>>> Sent: Monday, October 16, 2017 11:44 AM
>>>>> To: Gonzalez Monroy, Sergio <sergio.gonzalez.monroy@intel.com>;
>>>>> dev@dpdk.org; De Lara Guarch, Pablo
>>> <pablo.de.lara.guarch@intel.com>;
>>>>> aviadye@mellanox.com
>>>>> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
>>> hemant.agrawal@nxp.com;
>>>>> Nicolau, Radu <radu.nicolau@intel.com>; Doherty, Declan
>>>>> <declan.doherty@intel.com>; liranl@mellanox.com;
>>>>> nelio.laranjeiro@6wind.com; thomas@monjalon.net
>>>>> Subject: Re: [dpdk-dev][PATCH 01/11] examples/ipsec-secgw: updated
>>>>> MAINTAINERS file
>>>>>
>>>>>
>>>>>
>>>>> On 10/16/2017 12:27 PM, Sergio Gonzalez Monroy wrote:
>>>>>> Hi Aviad,
>>>>>>
>>>>>> On 14/10/2017 14:27, aviadye@dev.mellanox.co.il wrote:
>>>>>>> From: Aviad Yehezkel <aviadye@mellanox.com>
>>>>>>>
>>>>>>> As agreed with Sergio and Pablo
>>>>>>
>>>>>> I don't think the commit message is relevant.
>>>>>> Either me or Pablo acking the patch would have the same meaning.
>>>>>>
>>>>>> Thanks,
>>>>>> Sergio
>>>>>
>>>>> Will fix.
>>>>
>>>> Actually, it is too early for you to take ownership on this app, as
>>>> you have recently started contributing to DPDK, so I have to NACK this
>>> patch.
>>>> Sorry for the confusion.
>>>>
>>>> Said that, anyone from the rest of the developers of rte_security
>>>> (with past contributions) that would like to volunteer to maintain 
>>>> this
>>> app?
>>>>
>>>
>>> I want to ask Akhil, if he agrees to commit time to do this work?
> I can, but I think Radu is already added as a co maintainer.
>

No issue with having another co-maintainer.

Thanks,
Sergio

>>
>> I would support that decision :)
>>
> Thanks for your support Pablo.
>
> -Akhil

Re: [PATCH v2 4/6] examples/ipsec-secgw: add correct padding to tunnel mode

[De Lara Guarch, Pablo]

Hi Aviad,

> -----Original Message-----
> From: Gonzalez Monroy, Sergio
> Sent: Friday, October 20, 2017 6:56 AM
> To: aviadye@dev.mellanox.co.il; dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
> Doherty, Declan <declan.doherty@intel.com>; liranl@mellanox.com;
> nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: Re: [dpdk-dev][PATCH v2 4/6] examples/ipsec-secgw: add correct
> padding to tunnel mode
> 
> Hi Aviad,
> 
> I think you missed my question on v1 for this patch.
> 
> Could you provide an example where the pad calculation with the current
> code is wrong?
> 

Could you reply to the comments from Sergio and Radu?
We should try to get this merged ASAP.

Thanks,
Pablo

Re: [PATCH v2 4/6] examples/ipsec-secgw: add correct padding to tunnel mode

[Aviad Yehezkel]

I talked with Akhil. I will send v3 of patches by EOD and hold back this 
patch.

The reason I don't have time to deep dive regression tests and get back 
with an example in the upcoming days.

Thanks!


On 10/23/2017 1:54 PM, De Lara Guarch, Pablo wrote:
> Hi Aviad,
>
>> -----Original Message-----
>> From: Gonzalez Monroy, Sergio
>> Sent: Friday, October 20, 2017 6:56 AM
>> To: aviadye@dev.mellanox.co.il; dev@dpdk.org; De Lara Guarch, Pablo
>> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
>> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
>> hemant.agrawal@nxp.com; Nicolau, Radu <radu.nicolau@intel.com>;
>> Doherty, Declan <declan.doherty@intel.com>; liranl@mellanox.com;
>> nelio.laranjeiro@6wind.com; thomas@monjalon.net
>> Subject: Re: [dpdk-dev][PATCH v2 4/6] examples/ipsec-secgw: add correct
>> padding to tunnel mode
>>
>> Hi Aviad,
>>
>> I think you missed my question on v1 for this patch.
>>
>> Could you provide an example where the pad calculation with the current
>> code is wrong?
>>
> Could you reply to the comments from Sergio and Radu?
> We should try to get this merged ASAP.
>
> Thanks,
> Pablo
>

[PATCH v3 1/4] examples/ipsec-secgw: fix initialization of aead crypto devices

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
Cc: stable@dpdk.org

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v3:
* Address feedbacks.
v2:
* Fix commit message.
* Address feedbacks.
---
 examples/ipsec-secgw/ipsec-secgw.c | 13 +++++++++++--
 examples/ipsec-secgw/ipsec.h       |  1 +
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 39f81cb..6abf852 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -1132,7 +1132,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
 		uint16_t qp, struct lcore_params *params,
 		struct ipsec_ctx *ipsec_ctx,
 		const struct rte_cryptodev_capabilities *cipher,
-		const struct rte_cryptodev_capabilities *auth)
+		const struct rte_cryptodev_capabilities *auth,
+		const struct rte_cryptodev_capabilities *aead)
 {
 	int32_t ret = 0;
 	unsigned long i;
@@ -1143,6 +1144,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
 		key.cipher_algo = cipher->sym.cipher.algo;
 	if (auth)
 		key.auth_algo = auth->sym.auth.algo;
+	if (aead)
+		key.aead_algo = aead->sym.aead.algo;
 
 	ret = rte_hash_lookup(map, &key);
 	if (ret != -ENOENT)
@@ -1211,6 +1214,12 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id,
 		if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
 			continue;
 
+		if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+			ret |= add_mapping(map, str, cdev_id, qp, params,
+					ipsec_ctx, NULL, NULL, i);
+			continue;
+		}
+
 		if (i->sym.xform_type != RTE_CRYPTO_SYM_XFORM_CIPHER)
 			continue;
 
@@ -1223,7 +1232,7 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id,
 				continue;
 
 			ret |= add_mapping(map, str, cdev_id, qp, params,
-					ipsec_ctx, i, j);
+						ipsec_ctx, i, j, NULL);
 		}
 	}
 
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index da1fb1b..7d057ae 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -150,6 +150,7 @@ struct cdev_key {
 	uint16_t lcore_id;
 	uint8_t cipher_algo;
 	uint8_t auth_algo;
+	uint8_t aead_algo;
 };
 
 struct socket_ctx {
-- 
2.7.4

[PATCH v3 2/4] examples/ipsec-secgw: fix create session also for aead

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

Search for session also with aead key

Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
Cc: stable@dpdk.org

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v3:
* Added fixes string in commit message.
v2:
* Fix commit message.
* Addressed feedback.
---
 examples/ipsec-secgw/ipsec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 0afb9d6..36fb8c8 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -56,13 +56,17 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
 
 	key.cipher_algo = (uint8_t)sa->cipher_algo;
 	key.auth_algo = (uint8_t)sa->auth_algo;
+	key.aead_algo = (uint8_t)sa->aead_algo;
 
 	ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
 			(void **)&cdev_id_qp);
 	if (ret < 0) {
 		RTE_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, "
-				"auth_algo %u\n", key.lcore_id, key.cipher_algo,
-				key.auth_algo);
+			"auth_algo %u, aead_algo %u\n",
+			key.lcore_id,
+			key.cipher_algo,
+			key.auth_algo,
+			key.aead_algo);
 		return -1;
 	}
 
-- 
2.7.4

[PATCH v3 3/4] examples/ipsec-secgw: fix AAD length for aes-gcm

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

This cause auth failure issue

Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
Cc: stable@dpdk.org

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v3:
* Address feedbacks.
v2:
* Fix commit message.
---
 examples/ipsec-secgw/sa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 7be0e62..ef94475 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -431,7 +431,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 			rule->aead_algo = algo->algo;
 			rule->cipher_key_len = algo->key_len;
 			rule->digest_len = algo->digest_len;
-			rule->aad_len = algo->key_len;
+			rule->aad_len = algo->aad_len;
 			rule->block_size = algo->block_size;
 			rule->iv_len = algo->iv_len;
 
-- 
2.7.4

[PATCH v3 4/4] examples/ipsec-secgw: iv should be be64

[aviadye]

From: Aviad Yehezkel <aviadye@mellanox.com>

According to rfc4106 the IV should be unique and can be implemented
as counter.
The changed was created because putting an analyzer on wire and
comparing packets generated by this application and Linux kernel.
Linux kernel sets IV as BE, so it is worth to do the same for
future debug / comparison.

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
--
v3:
* Fix commit message.
v2:
* Fix commit message.
---
 examples/ipsec-secgw/esp.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index 063e63f..a63fb95 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -331,7 +331,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
 		uint8_t *aad;
 
-		*iv = sa->seq;
+		*iv = rte_cpu_to_be_64(sa->seq);
 		sym_cop->aead.data.offset = ip_hdr_len +
 			sizeof(struct esp_hdr) + sa->iv_len;
 		sym_cop->aead.data.length = pad_payload_len;
@@ -344,7 +344,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 		struct cnt_blk *icb = get_cnt_blk(m);
 		icb->salt = sa->salt;
-		icb->iv = sa->seq;
+		icb->iv = rte_cpu_to_be_64(sa->seq);
 		icb->cnt = rte_cpu_to_be_32(1);
 
 		aad = get_aad(m);
@@ -367,7 +367,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 			sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
 			break;
 		case RTE_CRYPTO_CIPHER_AES_CTR:
-			*iv = sa->seq;
+			*iv = rte_cpu_to_be_64(sa->seq);
 			sym_cop->cipher.data.offset = ip_hdr_len +
 				sizeof(struct esp_hdr) + sa->iv_len;
 			sym_cop->cipher.data.length = pad_payload_len;
@@ -386,7 +386,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 		struct cnt_blk *icb = get_cnt_blk(m);
 		icb->salt = sa->salt;
-		icb->iv = sa->seq;
+		icb->iv = rte_cpu_to_be_64(sa->seq);
 		icb->cnt = rte_cpu_to_be_32(1);
 
 		switch (sa->auth_algo) {
-- 
2.7.4

Re: [PATCH v3 1/4] examples/ipsec-secgw: fix initialization of aead crypto devices

[Radu Nicolau]

On 10/24/2017 1:48 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
>
> Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
> Cc: stable@dpdk.org
>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> --
> v3:
> * Address feedbacks.
> v2:
> * Fix commit message.
> * Address feedbacks.
> ---
>
Series-acked-by: Radu Nicolau <radu.nicolau@intel.com>

Re: [PATCH v3 1/4] examples/ipsec-secgw: fix initialization of aead crypto devices

[De Lara Guarch, Pablo]

> From: Nicolau, Radu
> Sent: Tuesday, October 24, 2017 3:06 PM
> To: aviadye@dev.mellanox.co.il; dev@dpdk.org; Gonzalez Monroy, Sergio
> <sergio.gonzalez.monroy@intel.com>; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>; aviadye@mellanox.com
> Cc: borisp@mellanox.com; akhil.goyal@nxp.com;
> hemant.agrawal@nxp.com; Doherty, Declan <declan.doherty@intel.com>;
> liranl@mellanox.com; nelio.laranjeiro@6wind.com; thomas@monjalon.net
> Subject: Re: [dpdk-dev][PATCH v3 1/4] examples/ipsec-secgw: fix
> initialization of aead crypto devices
> 
> 
> On 10/24/2017 1:48 PM, aviadye@dev.mellanox.co.il wrote:
> From: Aviad Yehezkel <aviadye@mellanox.com>
> 
> Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> --
> v3:
> * Address feedbacks.
> v2:
> * Fix commit message.
> * Address feedbacks.
> ---
> 
> Series-acked-by: Radu Nicolau <radu.nicolau@intel.com

Series applied to dpdk-next-crypto.
Thanks,

Pablo

Re: [PATCH v2 6/6] examples/ipsec-secgw: config ethernet MACs dynamically

[Ferruh Yigit]

On 10/20/2017 5:34 PM, radu.nicolau at intel.com (Nicolau, Radu) wrote:
> Hi,
> 
> I think this should be a separate patch, not bundled with a series of fixes.
> The guide has to be updated as well.
> And probably it's best to make the MAC configuration optional, keep a default hardcoded table.

The comment is outstanding since 2017, meanwhile 'ipsec-secgw' changed in between.
I am marking the patch as rejected, if it is still relevant please send a
new version on top of latest repo.

Sorry for any inconvenience caused.

For reference patch:
https://patches.dpdk.org/patch/30613/

> 
> Regards,
> Radu
> 
>> -----Original Message-----
>> From: aviadye at dev.mellanox.co.il [mailto:aviadye at dev.mellanox.co.il]
>> Sent: Thursday, October 19, 2017 7:53 PM
>> To: dev at dpdk.org; Gonzalez Monroy, Sergio
>> <sergio.gonzalez.monroy at intel.com>; De Lara Guarch, Pablo
>> <pablo.de.lara.guarch at intel.com>; aviadye at mellanox.com
>> Cc: borisp at mellanox.com; akhil.goyal at nxp.com;
>> hemant.agrawal at nxp.com; Nicolau, Radu <radu.nicolau at intel.com>;
>> Doherty, Declan <declan.doherty at intel.com>; aviadye at dev.mellanox.co.il;
>> liranl at mellanox.com; nelio.laranjeiro at 6wind.com; thomas at monjalon.net
>> Subject: [dpdk-dev][PATCH v2 6/6] examples/ipsec-secgw: config ethernet
>> MACs dynamically
>>
>> From: Aviad Yehezkel <aviadye at mellanox.com>
>>
>> Issue: None
>> Signed-off-by: Aviad Yehezkel <aviadye at mellanox.com>
>> --
>> v2:
> <snip>
> 
>