From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <nelio.laranjeiro@6wind.com>
Received: from mail-wr0-f170.google.com (mail-wr0-f170.google.com
 [209.85.128.170]) by dpdk.org (Postfix) with ESMTP id C66271D90
 for <dev@dpdk.org>; Wed, 13 Dec 2017 11:02:06 +0100 (CET)
Received: by mail-wr0-f170.google.com with SMTP id a41so1552571wra.6
 for <dev@dpdk.org>; Wed, 13 Dec 2017 02:02:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=6wind-com.20150623.gappssmtp.com; s=20150623;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-disposition:content-transfer-encoding:in-reply-to
 :user-agent; bh=NNaeFSiXafzWmpBa1vcQalXifUvDoacKDRyE0UhKaHM=;
 b=B0lDc+uOCp/0Ven8o4Hpu+ipsymineYlO5SzGVQZKzHzRuiBkzCq1aFk3QWZjujhbg
 TmzOPUWxxy865g7nvz4ZvNkXNyzhhahkdNonpVlUyPpOF15s4+t86agkd7FXkm/WKnYn
 XT8X+H3N62EgeNX6pxeg/fGFTqDiimstWpOFqd49+ZwjHuUnLmuYXWFs6Yuwr9Jl3h9A
 RfdrUHWaOBuQ8BQe8Fb40tKSGd7c/dyyCfO7RVmXGrV1xjky8mUzYLcKpbRgZK1UP7F5
 8n4nMS0cxtANlGnvrbXzgQgkeOzl1pmtBVU/JVx8xT7jakJejIB2aL1q/XS4qQF2z4If
 +5xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:from:to:cc:subject:message-id:references
 :mime-version:content-disposition:content-transfer-encoding
 :in-reply-to:user-agent;
 bh=NNaeFSiXafzWmpBa1vcQalXifUvDoacKDRyE0UhKaHM=;
 b=skeY3FqMhmctmiYazcC4oudKL8mQ3p8hf7BUJ9I73PiZMgpyEwf02wr2OqPe679+ew
 n/h0B/rsYwFQ++t1AcdWTZs1QviSk2Yc9iHezO9+pO2zJe4lWkFRmcKrGoXQK9Euwhjp
 4KyTnz1pA2K3kB7xdtS26s/Hp3KVT2+BnunMrNHl9VvDdxapbzQF39gN9dYXh9XZ3S7L
 7UYvVNcGHn4P7UCkG/XDka9NfQcHgb+qavzqJCLvOAW+9q0uHrH5mCOJWKbllSnSNWeB
 /e8h+lSzzx8ZL/X3y+Aq3Bs7WW1W1a8GbBU78enSeU+TEhxb7p3iYZroWhO5lFgToIgK
 WJpA==
X-Gm-Message-State: AKGB3mIvyHsHaUZ8jaiOndzq8F/zCPMi0mBdn4kh2Rn5MIksOEjaR3M3
 0Q48UYgtwm/07wNswd/GbEKu
X-Google-Smtp-Source: ACJfBotEQNU/y8KYCNV/mQG0VaBgrUvr2hpCed7FfvkUiL5Apk8hH8VIiGyG/WoeFrbjW6KrxOWCqw==
X-Received: by 10.223.161.222 with SMTP id v30mr1760217wrv.191.1513159326431; 
 Wed, 13 Dec 2017 02:02:06 -0800 (PST)
Received: from laranjeiro-vm.dev.6wind.com
 (host.78.145.23.62.rev.coltfrance.com. [62.23.145.78])
 by smtp.gmail.com with ESMTPSA id k2sm684226wrg.4.2017.12.13.02.02.05
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Wed, 13 Dec 2017 02:02:05 -0800 (PST)
Date: Wed, 13 Dec 2017 11:02:37 +0100
From: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
To: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Cc: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>,
 Radu Nicolau <radu.nicolau@intel.com>, dev@dpdk.org
Message-ID: <20171213100237.uvpbg2qewhxqgaln@laranjeiro-vm.dev.6wind.com>
References: <cd13bbdab7f86507e1928805a93c4e5c4491aa6d.1512396570.git.nelio.laranjeiro@6wind.com>
 <5d3fdd0c05d5f8afd3f8e38ca03eaf25187d5c98.1513000931.git.nelio.laranjeiro@6wind.com>
 <5777791b-3dd6-f746-aa37-d572c108f042@caviumnetworks.com>
 <20171212134456.4x3uaus2poovddlf@laranjeiro-vm.dev.6wind.com>
 <a8761918-7b0f-6156-b264-338ea5fd285d@caviumnetworks.com>
 <20171212143800.ggdtdfnbknttr45g@laranjeiro-vm.dev.6wind.com>
 <047cadcf-13dc-5368-4ad5-a27ff25c42f8@caviumnetworks.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <047cadcf-13dc-5368-4ad5-a27ff25c42f8@caviumnetworks.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Subject: Re: [dpdk-dev] [PATCH v3 2/2] examples/ipsec-secgw: add target
 queues in flow actions
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 10:02:06 -0000

Hi Anoob,

On Wed, Dec 13, 2017 at 12:11:18PM +0530, Anoob Joseph wrote:
> Hi Nelio,
> 
> 
> On 12/12/2017 08:08 PM, Nelio Laranjeiro wrote:
> > Hi Anoob,
> > 
> > On Tue, Dec 12, 2017 at 07:34:31PM +0530, Anoob Joseph wrote:
> > > Hi Nelio,
> > > 
> > > 
> > > On 12/12/2017 07:14 PM, Nelio Laranjeiro wrote:
> > > > Hi Anoob,
> > > > 
> > > > On Tue, Dec 12, 2017 at 06:13:08PM +0530, Anoob Joseph wrote:
> > > > > Hi Nelio,
> > > > > 
> > > > > 
> > > > > On 12/11/2017 07:34 PM, Nelio Laranjeiro wrote:
> > > > > > Mellanox INNOVA NIC needs to have final target queue actions to perform
> > > > > > inline crypto.
> > > > > > 
> > > > > > Signed-off-by: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
> > > > > > 
> > > > > > ---
> > > > > > 
> > > > > > Changes in v3:
> > > > > > 
> > > > > >     * removed PASSTHRU test for ingress.
> > > > > >     * removed check on configured queues for the queue action.
> > > > > > 
> > > > > > Changes in v2:
> > > > > > 
> > > > > >     * Test the rule by PASSTHRU/RSS/QUEUE and apply the first one validated.
> > > > > > ---
> > > > > >     examples/ipsec-secgw/ipsec.c | 57 ++++++++++++++++++++++++++++++++++++++++++--
> > > > > >     examples/ipsec-secgw/ipsec.h |  2 +-
> > > > > >     2 files changed, 56 insertions(+), 3 deletions(-)
> > > > > > 
> > > > > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> > > > > > index 17bd7620d..1b8b251c8 100644
> > > > > > --- a/examples/ipsec-secgw/ipsec.c
> > > > > > +++ b/examples/ipsec-secgw/ipsec.c
> > > > > > @@ -142,6 +142,7 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
> > > > > >     							rte_eth_dev_get_sec_ctx(
> > > > > >     							sa->portid);
> > > > > >     			const struct rte_security_capability *sec_cap;
> > > > > > +			int ret = 0;
> > > > > >     			sa->sec_session = rte_security_session_create(ctx,
> > > > > >     					&sess_conf, ipsec_ctx->session_pool);
> > > > > > @@ -201,15 +202,67 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
> > > > > >     			sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
> > > > > >     			sa->action[0].conf = sa->sec_session;
> > > > > > -			sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
> > > > > > -
> > > > > >     			sa->attr.egress = (sa->direction ==
> > > > > >     					RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
> > > > > >     			sa->attr.ingress = (sa->direction ==
> > > > > >     					RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
> > > > > > +			if (sa->attr.ingress) {
> > > > > > +				uint8_t rss_key[40];
> > > > > > +				struct rte_eth_rss_conf rss_conf = {
> > > > > > +					.rss_key = rss_key,
> > > > > > +					.rss_key_len = 40,
> > > > > > +				};
> > > > > > +				struct rte_eth_dev *eth_dev;
> > > > > > +				union {
> > > > > > +					struct rte_flow_action_rss rss;
> > > > > > +					struct {
> > > > > > +					const struct rte_eth_rss_conf *rss_conf;
> > > > > > +					uint16_t num;
> > > > > > +					uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
> > > > > > +					} local;
> > > > > > +				} action_rss;
> > > > > > +				unsigned int i;
> > > > > > +				unsigned int j;
> > > > > > +
> > > > > > +				sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
> > > > > > +				/* Try RSS. */
> > > > > > +				sa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;
> > > > > > +				sa->action[1].conf = &action_rss;
> > > > > > +				eth_dev = ctx->device;
> > > > > > +				rte_eth_dev_rss_hash_conf_get(sa->portid,
> > > > > > +							      &rss_conf);
> > > > > > +				for (i = 0, j = 0;
> > > > > > +				     i < eth_dev->data->nb_rx_queues; ++i)
> > > > > > +					if (eth_dev->data->rx_queues[i])
> > > > > > +						action_rss.local.queue[j++] = i;
> > > > > > +				action_rss.local.num = j;
> > > > > > +				action_rss.local.rss_conf = &rss_conf;
> > > > > > +				ret = rte_flow_validate(sa->portid, &sa->attr,
> > > > > > +							sa->pattern, sa->action,
> > > > > > +							&err);
> > > > > > +				if (!ret)
> > > > > > +					goto flow_create;
> > > > > > +				/* Try Queue. */
> > > > > > +				sa->action[1].type = RTE_FLOW_ACTION_TYPE_QUEUE;
> > > > > > +				sa->action[1].conf =
> > > > > > +					&(struct rte_flow_action_queue){
> > > > > > +					.index = 0,
> > > > > > +				};
> > > > > > +				ret = rte_flow_validate(sa->portid, &sa->attr,
> > > > > > +							sa->pattern, sa->action,
> > > > > > +							&err);
> > > > > > +				if (ret)
> > > > > > +					goto flow_create_failure;
> > > > > > +			} else {
> > > > > > +				sa->action[1].type =
> > > > > > +					RTE_FLOW_ACTION_TYPE_PASSTHRU;
> > > > > > +				sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
> > > > > We would need flow validate here also. And, for egress, the application will
> > > > > be able to set metadata (set_pkt_metadata API) per packet. So flow may not
> > > > > be required for such cases. But if the flow create fails, the session create
> > > > > would also fail. It might be better if we check whether the PMD would need
> > > > > metadata (part of the sec_cap->ol_flags).
> > > > Seems what you are describing is outside of this scope which is only
> > > > related to correctly implement the generic flow API with terminal
> > > > actions.
> > > Since SECURITY+PASSTHRU won't be terminal, this code segment might be
> > > misleading.
> > Well, I don't mind adding an extra verification even if the create
> > should fail if the validate fails, as there is no other option it
> > is just like adding another if statement considering  the validate()
> > cannot guarantee the flow will be created(), other errors like ENOMEM
> > are still possible in the creation stage.
> Good point. I was thinking of a scenario when flow for egress itself would
> be optional.
> > 
> > > > I'll suggest to add it in another patch.
> > > > 
> > > > Anyway, the flow validate is useful in the ingress to select the best
> > > > behavior RSS/Queue, if the flow validate may fail, the flow create
> > > > should also fail for the same reasons.
> > > > 
> > > > > If the driver doesn't need metadata and the flow create fails, then
> > > > > the create session should fail. Any thoughts?
> > > > How the create_session() can fail without having all the informations
> > > > (pattern, metadata, ...) the application wants to offload?
> > > Is flow mandatory for the egress traffic? My understanding is, it's not.
> > > "set_pkt_metadata" API gives application the ability to do the lookup and
> > > pass the info along with the packet. In such cases, flow creation is not
> > > necessary.
> > Some NIC need to apply a flow rule for Egress and they don't need
> > metadata for the packet.
> Understood. In that case, what I proposed could be a separate patch. The
> ingress path is proper with this patch, but we can keep egress open for
> improvements.

What do you mean with "keep egrees open for improvements"?

> > > I do agree that this is outside the scope of this patch, but I was just
> > > curious about the behavior since you touched the topic.
> > > > > > +			}
> > > > > > +flow_create:
> > > > > >     			sa->flow = rte_flow_create(sa->portid,
> > > > > >     				&sa->attr, sa->pattern, sa->action, &err);
> > > > > >     			if (sa->flow == NULL) {
> > > > > > +flow_create_failure:
> > > > > >     				RTE_LOG(ERR, IPSEC,
> > > > > >     					"Failed to create ipsec flow msg: %s\n",
> > > > > >     					err.message);
> > > > > > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> > > > > > index 775b316ff..3c367d392 100644
> > > > > > --- a/examples/ipsec-secgw/ipsec.h
> > > > > > +++ b/examples/ipsec-secgw/ipsec.h
> > > > > > @@ -133,7 +133,7 @@ struct ipsec_sa {
> > > > > >     	uint32_t ol_flags;
> > > > > >     #define MAX_RTE_FLOW_PATTERN (4)
> > > > > > -#define MAX_RTE_FLOW_ACTIONS (2)
> > > > > > +#define MAX_RTE_FLOW_ACTIONS (3)
> > > > > >     	struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
> > > > > >     	struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
> > > > > >     	struct rte_flow_attr attr;
> > > > Thanks,
> > Regards,
> > 
> 

-- 
Nélio Laranjeiro
6WIND