From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Ananyev, Konstantin" Subject: Re: [PATCH 2/6] examples/ipsec-secgw: fix 1st packet dropped patch two Date: Wed, 6 Mar 2019 19:39:58 +0000 Message-ID: <2601191342CEEE43887BDE71AB9772580124140E49@irsmsx105.ger.corp.intel.com> References: <1551888011-27692-1-git-send-email-bernard.iremonger@intel.com> <1551888011-27692-3-git-send-email-bernard.iremonger@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Cc: "stable@dpdk.org" To: "Iremonger, Bernard" , "dev@dpdk.org" , "akhil.goyal@nxp.com" Return-path: In-Reply-To: <1551888011-27692-3-git-send-email-bernard.iremonger@intel.com> Content-Language: en-US List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Bernard, >=20 > Call create_inline_session() at initialisition in sa.c > Call rte_ipsec_session_prepare() in fill_ipsec_session() for inline. Here and in other places - it probably worth to explain what is the purpose for these changes.=20 As a side notice, as these series fixes that problem, it probably worse to = add a patch into series that removes the following: # to overcome problem with ipsec-secgw for inline mode, # when first packet(s) will be always dropped. # note that ping will fail here ssh ${REMOTE_HOST} ping -c 1 ${LOCAL_IPV4} from examples/ipsec-secgw/test/(tun|trs)_aesgcm_defs.sh Konstantin >=20 > Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") > Cc: stable@dpdk.org > Signed-off-by: Bernard Iremonger > --- > examples/ipsec-secgw/sa.c | 46 ++++++++++++++++++++++++++++++++++++-----= ----- > 1 file changed, 36 insertions(+), 10 deletions(-) >=20 > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index 414fcd2..7fb1929 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -762,11 +762,13 @@ check_eth_dev_caps(uint16_t portid, uint32_t inboun= d) >=20 > static int > sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries, uint32_t inbound) > + uint32_t nb_entries, uint32_t inbound, > + struct socket_ctx *skt_ctx) > { > struct ipsec_sa *sa; > uint32_t i, idx; > uint16_t iv_length, aad_length; > + int32_t rc; >=20 > /* for ESN upper 32 bits of SQN also need to be part of AAD */ > aad_length =3D (app_sa_prm.enable_esn !=3D 0) ? sizeof(uint32_t) : 0; > @@ -819,6 +821,17 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ips= ec_sa entries[], >=20 > sa->xforms =3D &sa_ctx->xf[idx].a; >=20 > + if (sa->type =3D=3D > + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || > + sa->type =3D=3D > + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > + rc =3D create_inline_session(skt_ctx, sa); > + if (rc !=3D 0) { > + RTE_LOG(ERR, IPSEC_ESP, > + "create_inline_session() failed\n"); > + return -EINVAL; > + } > + } > print_one_sa_rule(sa, inbound); > } else { > switch (sa->cipher_algo) { > @@ -894,16 +907,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ip= sec_sa entries[], >=20 > static inline int > sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries) > + uint32_t nb_entries, struct socket_ctx *skt_ctx) > { > - return sa_add_rules(sa_ctx, entries, nb_entries, 0); > + return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx); > } >=20 > static inline int > sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries) > + uint32_t nb_entries, struct socket_ctx *skt_ctx) > { > - return sa_add_rules(sa_ctx, entries, nb_entries, 1); > + return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx); > } >=20 > /* > @@ -997,10 +1010,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, co= nst struct ipsec_sa *ss, > return 0; > } >=20 > -static void > +static int > fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa= , > const struct ipsec_sa *lsa) > { > + int32_t rc =3D 0; > + > ss->sa =3D sa; > ss->type =3D lsa->type; >=20 > @@ -1013,6 +1028,17 @@ fill_ipsec_session(struct rte_ipsec_session *ss, s= truct rte_ipsec_sa *sa, > ss->security.ctx =3D lsa->security_ctx; > ss->security.ol_flags =3D lsa->ol_flags; > } > + > + if (ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || > + ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { > + if (ss->security.ses !=3D NULL) { > + rc =3D rte_ipsec_session_prepare(ss); > + if (rc !=3D 0) > + memset(ss, 0, sizeof(*ss)); > + } > + } > + > + return rc; > } >=20 > /* > @@ -1047,8 +1073,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipse= c_sa *sa, uint32_t sa_size) > if (rc < 0) > return rc; >=20 > - fill_ipsec_session(&lsa->ips, sa, lsa); > - return 0; > + rc =3D fill_ipsec_session(&lsa->ips, sa, lsa); > + return rc; > } >=20 > /* > @@ -1126,7 +1152,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) > "context %s in socket %d\n", rte_errno, > name, socket_id); >=20 > - sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in); > + sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx); >=20 > if (app_sa_prm.enable !=3D 0) { > rc =3D ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in, > @@ -1146,7 +1172,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) > "context %s in socket %d\n", rte_errno, > name, socket_id); >=20 > - sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out); > + sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx); >=20 > if (app_sa_prm.enable !=3D 0) { > rc =3D ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out, > -- > 2.7.4