From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id A78F9A00E6 for ; Wed, 17 Apr 2019 14:53:51 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 80DB01B607; Wed, 17 Apr 2019 14:53:50 +0200 (CEST) Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by dpdk.org (Postfix) with ESMTP id 89F041B114; Wed, 17 Apr 2019 14:53:47 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Apr 2019 05:53:46 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,362,1549958400"; d="scan'208";a="132144667" Received: from irsmsx101.ger.corp.intel.com ([163.33.3.153]) by orsmga007.jf.intel.com with ESMTP; 17 Apr 2019 05:53:44 -0700 Received: from irsmsx108.ger.corp.intel.com ([169.254.11.82]) by IRSMSX101.ger.corp.intel.com ([169.254.1.115]) with mapi id 14.03.0415.000; Wed, 17 Apr 2019 13:53:43 +0100 From: "Iremonger, Bernard" To: Akhil Goyal , "dev@dpdk.org" , "Ananyev, Konstantin" CC: "stable@dpdk.org" Thread-Topic: [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Thread-Index: AQHU6upTWbsA00wDeUu9/465Dk2RX6ZAQVSAgAAXyaA= Date: Wed, 17 Apr 2019 12:53:43 +0000 Message-ID: <8CEF83825BEC744B83065625E567D7C260D89D9F@IRSMSX108.ger.corp.intel.com> References: <1551970666-23557-1-git-send-email-bernard.iremonger@intel.com> <1554384495-7936-2-git-send-email-bernard.iremonger@intel.com> In-Reply-To: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNGZhMWY2NmItOWFhOS00NzllLWI1MWMtYjE5ZGQ2OGNhZTY3IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiNk0zOUJOd2Y2dUVOR25FWHd2SFYxSkRma01VamQ2XC9YdUtrWWlzMHpPYlBMQXZCZW5OQzhHVlJEdVNTWmxmaGMifQ== x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.600.7 dlp-reaction: no-action x-originating-ip: [163.33.239.180] Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-dev] [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Message-ID: <20190417125343.LCN9-o5dpAkTpqKuZxRx7QNyh2E5FsTRPbF7TMnDT0s@z> Hi Akhil, > -----Original Message----- > From: Akhil Goyal [mailto:akhil.goyal@nxp.com] > Sent: Wednesday, April 17, 2019 12:52 PM > To: Iremonger, Bernard ; dev@dpdk.org; > Ananyev, Konstantin > Cc: stable@dpdk.org > Subject: RE: [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped > for inline crypto >=20 > > > > Inline crypto installs a flow rule in the NIC. This flow rule must be > > installed before the first inbound packet is received. > > > > The create_session() function installs the flow rule. > > > > Refactor ipsec-secgw.c, sa.c, ipsec.h and ipsec.c to create sessions > > at startup to fix the issue of the first packet being dropped for > > inline crypto. > > > > The create_session() function is now called at initialisation in > > sa_add_rules() which is called from sa_init(). > > The return code for add_rules is checked. > > Calls to create_session() in other functions are dropped. > > > > Add crypto_devid_fill() in ipsec-secgw.c Add max_session_size() in > > ipsec-secgw.c Add check_cryptodev_capability() in ipsec.c Add > > check_cryptodev_aead_capability() in ipsec.c Add create_sec_session() > > and create_crypto_session() in ipsec.c > > > > The crypto_dev_fill() function has been added to find the enabled > > crypto devices. > > > > The max_session_size() function has been added to calculate memory > > requirements. > > > > The check_cryptodev_capability() and check_cryptodev_aead_capability() > > functions have been added to check that the SA is supported by the > > crypto device. > > > > The create_session() function is refactored to use the > > create_sec_session() and create_crypto_session() functions. > > > > The cryprodev_init() function has been refactored to drop calls to > > rte_mempool_create() and to drop calculation of memory requirements. > > > > The main() function has been refactored to call crypto_devid_fill() > > and max_session_size() and to call session_pool_init() and > > session_priv_pool_init(). > > The ports are started now before adding a flow rule in main(). > > The sa_init(), sp4_init(), sp6_init() and rt_init() functions are now > > called after the ports have been started. > > > > Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") > > Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample > > application") > > Cc: stable@dpdk.org > > > > Signed-off-by: Bernard Iremonger > > --- > > examples/ipsec-secgw/ipsec-secgw.c | 271 +++++++++-------- > > examples/ipsec-secgw/ipsec.c | 569 +++++++++++++++++++--------= --- > ----- > > examples/ipsec-secgw/ipsec.h | 10 +- > > examples/ipsec-secgw/ipsec_process.c | 38 +-- > > examples/ipsec-secgw/sa.c | 42 ++- > > 5 files changed, 495 insertions(+), 435 deletions(-) > > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > > secgw/ipsec-secgw.c index ffbd00b..cc8bb57 100644 > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > @@ -182,6 +182,14 @@ struct lcore_params { > > uint8_t lcore_id; > > } __rte_cache_aligned; > > > > +/* > > + * Number of enabled crypto devices > > + * This number is needed when checking crypto device capabilities */ > > +uint8_t crypto_dev_num; > > +/* array of crypto device ID's */ > > +uint8_t crypto_devid[RTE_CRYPTO_MAX_DEVS]; > > + > > static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; > > > > static struct lcore_params *lcore_params; @@ -1623,13 +1631,27 @@ > > check_cryptodev_mask(uint8_t cdev_id) > > return -1; > > } > > > > +static void > > +crypto_devid_fill(void) > > +{ > > + uint32_t i, n; > > + > > + n =3D rte_cryptodev_count(); > > + > > + for (i =3D 0; i !=3D n; i++) { > > + if (check_cryptodev_mask(i) =3D=3D 0) > > + crypto_devid[crypto_dev_num++] =3D i; > > + } > > +} > > + > > static int32_t > > cryptodevs_init(void) > > { > > struct rte_cryptodev_config dev_conf; > > struct rte_cryptodev_qp_conf qp_conf; > > uint16_t idx, max_nb_qps, qp, i; > > - int16_t cdev_id, port_id; > > + int16_t cdev_id; > > + uint32_t dev_max_sess; > > struct rte_hash_parameters params =3D { 0 }; > > > > params.entries =3D CDEV_MAP_ENTRIES; > > @@ -1652,45 +1674,6 @@ cryptodevs_init(void) > > > > printf("lcore/cryptodev/qp mappings:\n"); > > > > - uint32_t max_sess_sz =3D 0, sess_sz; > > - for (cdev_id =3D 0; cdev_id < rte_cryptodev_count(); cdev_id++) { > > - void *sec_ctx; > > - > > - /* Get crypto priv session size */ > > - sess_sz =3D > rte_cryptodev_sym_get_private_session_size(cdev_id); > > - if (sess_sz > max_sess_sz) > > - max_sess_sz =3D sess_sz; > > - > > - /* > > - * If crypto device is security capable, need to check the > > - * size of security session as well. > > - */ > > - > > - /* Get security context of the crypto device */ > > - sec_ctx =3D rte_cryptodev_get_sec_ctx(cdev_id); > > - if (sec_ctx =3D=3D NULL) > > - continue; > > - > > - /* Get size of security session */ > > - sess_sz =3D rte_security_session_get_size(sec_ctx); > > - if (sess_sz > max_sess_sz) > > - max_sess_sz =3D sess_sz; > > - } > > - RTE_ETH_FOREACH_DEV(port_id) { > > - void *sec_ctx; > > - > > - if ((enabled_port_mask & (1 << port_id)) =3D=3D 0) > > - continue; > > - > > - sec_ctx =3D rte_eth_dev_get_sec_ctx(port_id); > > - if (sec_ctx =3D=3D NULL) > > - continue; > > - > > - sess_sz =3D rte_security_session_get_size(sec_ctx); > > - if (sess_sz > max_sess_sz) > > - max_sess_sz =3D sess_sz; > > - } > > - > > idx =3D 0; > > for (cdev_id =3D 0; cdev_id < rte_cryptodev_count(); cdev_id++) { > > struct rte_cryptodev_info cdev_info; @@ -1722,51 +1705,12 > @@ > > cryptodevs_init(void) > > dev_conf.socket_id =3D rte_cryptodev_socket_id(cdev_id); > > dev_conf.nb_queue_pairs =3D qp; > > > > - uint32_t dev_max_sess =3D cdev_info.sym.max_nb_sessions; > > + dev_max_sess =3D cdev_info.sym.max_nb_sessions; > > if (dev_max_sess !=3D 0 && dev_max_sess < > CDEV_MP_NB_OBJS) > > rte_exit(EXIT_FAILURE, > > "Device does not support at least %u " > > "sessions", CDEV_MP_NB_OBJS); > > > > - if (!socket_ctx[dev_conf.socket_id].session_pool) { > > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > > - struct rte_mempool *sess_mp; > > - > > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > > - "sess_mp_%u", dev_conf.socket_id); > > - sess_mp =3D > rte_cryptodev_sym_session_pool_create( > > - mp_name, CDEV_MP_NB_OBJS, > > - 0, CDEV_MP_CACHE_SZ, 0, > > - dev_conf.socket_id); > > - socket_ctx[dev_conf.socket_id].session_pool =3D > > sess_mp; > > - } > > - > > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool) { > > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > > - struct rte_mempool *sess_mp; > > - > > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > > - "sess_mp_priv_%u", > > dev_conf.socket_id); > > - sess_mp =3D rte_mempool_create(mp_name, > > - CDEV_MP_NB_OBJS, > > - max_sess_sz, > > - CDEV_MP_CACHE_SZ, > > - 0, NULL, NULL, NULL, > > - NULL, dev_conf.socket_id, > > - 0); > > - socket_ctx[dev_conf.socket_id].session_priv_pool =3D > > - sess_mp; > > - } > > - > > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool || > > - > !socket_ctx[dev_conf.socket_id].session_pool) > > - rte_exit(EXIT_FAILURE, > > - "Cannot create session pool on socket %d\n", > > - dev_conf.socket_id); > > - else > > - printf("Allocated session pool on socket %d\n", > > - dev_conf.socket_id); > > - > > if (rte_cryptodev_configure(cdev_id, &dev_conf)) > > rte_panic("Failed to initialize cryptodev %u\n", > > cdev_id); > > @@ -1787,38 +1731,6 @@ cryptodevs_init(void) > > cdev_id); > > } > > > > - /* create session pools for eth devices that implement security */ > > - RTE_ETH_FOREACH_DEV(port_id) { > > - if ((enabled_port_mask & (1 << port_id)) && > > - rte_eth_dev_get_sec_ctx(port_id)) { > > - int socket_id =3D rte_eth_dev_socket_id(port_id); > > - > > - if (!socket_ctx[socket_id].session_pool) { > > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > > - struct rte_mempool *sess_mp; > > - > > - snprintf(mp_name, > RTE_MEMPOOL_NAMESIZE, > > - "sess_mp_%u", socket_id); > > - sess_mp =3D rte_mempool_create(mp_name, > > - (CDEV_MP_NB_OBJS * 2), > > - max_sess_sz, > > - CDEV_MP_CACHE_SZ, > > - 0, NULL, NULL, NULL, > > - NULL, socket_id, > > - 0); > > - if (sess_mp =3D=3D NULL) > > - rte_exit(EXIT_FAILURE, > > - "Cannot create session pool " > > - "on socket %d\n", socket_id); > > - else > > - printf("Allocated session pool " > > - "on socket %d\n", socket_id); > > - socket_ctx[socket_id].session_pool =3D > sess_mp; > > - } > > - } > > - } > > - > > - > > printf("\n"); > > > > return 0; > > @@ -1984,6 +1896,98 @@ port_init(uint16_t portid, uint64_t > > req_rx_offloads, uint64_t req_tx_offloads) > > printf("\n"); > > } > > > > +static size_t > > +max_session_size(void) > > +{ > > + size_t max_sz, sz; > > + void *sec_ctx; > > + int16_t cdev_id, port_id, n; > > + > > + max_sz =3D 0; > > + n =3D rte_cryptodev_count(); > > + for (cdev_id =3D 0; cdev_id !=3D n; cdev_id++) { > > + sz =3D rte_cryptodev_sym_get_private_session_size(cdev_id); > > + if (sz > max_sz) > > + max_sz =3D sz; > > + /* > > + * If crypto device is security capable, need to check the > > + * size of security session as well. > > + */ > > + > > + /* Get security context of the crypto device */ > > + sec_ctx =3D rte_cryptodev_get_sec_ctx(cdev_id); > > + if (sec_ctx =3D=3D NULL) > > + continue; > > + > > + /* Get size of security session */ > > + sz =3D rte_security_session_get_size(sec_ctx); > > + if (sz > max_sz) > > + max_sz =3D sz; > > + } > > + > > + RTE_ETH_FOREACH_DEV(port_id) { > > + if ((enabled_port_mask & (1 << port_id)) =3D=3D 0) > > + continue; > > + > > + sec_ctx =3D rte_eth_dev_get_sec_ctx(port_id); > > + if (sec_ctx =3D=3D NULL) > > + continue; > > + > > + sz =3D rte_security_session_get_size(sec_ctx); > > + if (sz > max_sz) > > + max_sz =3D sz; > > + } > > + > > + return max_sz; > > +} > > + > > +static void > > +session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t > > +sess_sz) { > > + char mp_name[RTE_MEMPOOL_NAMESIZE]; > > + struct rte_mempool *sess_mp; > > + > > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > > + "sess_mp_%u", socket_id); > > + sess_mp =3D rte_cryptodev_sym_session_pool_create( > > + mp_name, CDEV_MP_NB_OBJS, > > + sess_sz, CDEV_MP_CACHE_SZ, 0, > > + socket_id); > > + ctx->session_pool =3D sess_mp; > > + > > + if (ctx->session_pool =3D=3D NULL) > > + rte_exit(EXIT_FAILURE, > > + "Cannot init session pool on socket %d\n", > socket_id); > > + else > > + printf("Allocated session pool on socket %d\n", > socket_id); > > +} > > + > > +static void > > +session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id, > > + size_t sess_sz) > > +{ > > + char mp_name[RTE_MEMPOOL_NAMESIZE]; > > + struct rte_mempool *sess_mp; > > + > > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > > + "sess_mp_priv_%u", socket_id); > > + sess_mp =3D rte_mempool_create(mp_name, > > + CDEV_MP_NB_OBJS, > > + sess_sz, > > + CDEV_MP_CACHE_SZ, > > + 0, NULL, NULL, NULL, > > + NULL, socket_id, > > + 0); > > + ctx->session_priv_pool =3D sess_mp; > > + if (ctx->session_priv_pool =3D=3D NULL) > > + rte_exit(EXIT_FAILURE, > > + "Cannot init session priv pool on socket %d\n", > > + socket_id); > > + else > > + printf("Allocated session priv pool on socket %d\n", > > + socket_id); > > +} > > + > > static void > > pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t > > nb_mbuf) { @@ -2064,9 +2068,11 @@ main(int32_t argc, char **argv) { > > int32_t ret; > > uint32_t lcore_id; > > + uint32_t i; > > uint8_t socket_id; > > uint16_t portid; > > uint64_t req_rx_offloads, req_tx_offloads; > > + size_t sess_sz; > > > > /* init EAL */ > > ret =3D rte_eal_init(argc, argv); > > @@ -2094,7 +2100,10 @@ main(int32_t argc, char **argv) > > > > nb_lcores =3D rte_lcore_count(); > > > > - /* Replicate each context per socket */ > > + crypto_devid_fill(); > > + > > + sess_sz =3D max_session_size(); > > + > > for (lcore_id =3D 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > > if (rte_lcore_is_enabled(lcore_id) =3D=3D 0) > > continue; > > @@ -2104,20 +2113,17 @@ main(int32_t argc, char **argv) > > else > > socket_id =3D 0; > > > > + /* mbuf_pool is initialised by the pool_init() function*/ > > if (socket_ctx[socket_id].mbuf_pool) > > continue; > > > > - /* initilaze SPD */ > > - sp4_init(&socket_ctx[socket_id], socket_id); > > - > > - sp6_init(&socket_ctx[socket_id], socket_id); > > - > > - /* initilaze SAD */ > > - sa_init(&socket_ctx[socket_id], socket_id); > > - > > - rt_init(&socket_ctx[socket_id], socket_id); > > - > > pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); > > + session_pool_init(&socket_ctx[socket_id], socket_id, > sess_sz); > > + session_priv_pool_init(&socket_ctx[socket_id], socket_id, > > + sess_sz); > > + > > + if (!numa_on) > > + break; > > } > > > > RTE_ETH_FOREACH_DEV(portid) { > > @@ -2135,7 +2141,11 @@ main(int32_t argc, char **argv) > > if ((enabled_port_mask & (1 << portid)) =3D=3D 0) > > continue; > > > > - /* Start device */ > > + /* > > + * Start device > > + * note: device must be started before a flow rule > > + * can be installed. > > + */ > > ret =3D rte_eth_dev_start(portid); > > if (ret < 0) > > rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " > > @@ -2153,6 +2163,19 @@ main(int32_t argc, char **argv) > > RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, > NULL); > > } > > > > + /* Replicate each context per socket */ > > + for (i =3D 0; i < NB_SOCKETS && i < rte_socket_count(); i++) { > > + socket_id =3D rte_socket_id_by_idx(i); > > + if ((socket_ctx[socket_id].mbuf_pool !=3D NULL) && > > + (socket_ctx[socket_id].sa_in =3D=3D NULL) && > > + (socket_ctx[socket_id].sa_out =3D=3D NULL)) { > > + sa_init(&socket_ctx[socket_id], socket_id); > > + sp4_init(&socket_ctx[socket_id], socket_id); > > + sp6_init(&socket_ctx[socket_id], socket_id); > > + rt_init(&socket_ctx[socket_id], socket_id); > > + } > > + } > > + > > check_all_ports_link_status(enabled_port_mask); > > > > /* launch per-lcore init on every lcore */ diff --git > > a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index > > 4352cb8..e31d472 100644 > > --- a/examples/ipsec-secgw/ipsec.c > > +++ b/examples/ipsec-secgw/ipsec.c > > @@ -39,42 +39,17 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > rte_security_ipsec_xform *ipsec) > > ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT; } > > > > -int > > -create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) > > +static int > > +create_sec_session(struct ipsec_sa *sa, struct rte_mempool *pool) > > { > > - struct rte_cryptodev_info cdev_info; > > - unsigned long cdev_id_qp =3D 0; > > + const struct rte_security_capability *sec_cap; > > + struct rte_security_ctx *ctx; > > int32_t ret =3D 0; > > - struct cdev_key key =3D { 0 }; > > - > > - key.lcore_id =3D (uint8_t)rte_lcore_id(); > > - > > - key.cipher_algo =3D (uint8_t)sa->cipher_algo; > > - key.auth_algo =3D (uint8_t)sa->auth_algo; > > - key.aead_algo =3D (uint8_t)sa->aead_algo; > > - > > - if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_NONE) { > > - ret =3D rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, > > - (void **)&cdev_id_qp); > > - if (ret < 0) { > > - RTE_LOG(ERR, IPSEC, > > - "No cryptodev: core %u, cipher_algo %u, " > > - "auth_algo %u, aead_algo %u\n", > > - key.lcore_id, > > - key.cipher_algo, > > - key.auth_algo, > > - key.aead_algo); > > - return -1; > > - } > > - } > > > > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on > cryptodev > > " > > - "%u qp %u\n", sa->spi, > > - ipsec_ctx->tbl[cdev_id_qp].id, > > - ipsec_ctx->tbl[cdev_id_qp].qp); > > + if ((sa =3D=3D NULL) || (pool =3D=3D NULL)) > > + return -EINVAL; > > > > - if (sa->type !=3D RTE_SECURITY_ACTION_TYPE_NONE) { > > - struct rte_security_session_conf sess_conf =3D { > > + struct rte_security_session_conf sess_conf =3D { > > .action_type =3D sa->type, > > .protocol =3D RTE_SECURITY_PROTOCOL_IPSEC, > > {.ipsec =3D { > > @@ -90,247 +65,340 @@ create_session(struct ipsec_ctx *ipsec_ctx, > > struct ipsec_sa *sa) > > } }, > > .crypto_xform =3D sa->xforms, > > .userdata =3D NULL, > > - > > }; > > > > - if (sa->type =3D=3D > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { > > - struct rte_security_ctx *ctx =3D (struct rte_security_ctx > *) > > - > > rte_cryptodev_get_sec_ctx( > > - ipsec_ctx- > > >tbl[cdev_id_qp].id); > > - > > - /* Set IPsec parameters in conf */ > > - set_ipsec_conf(sa, &(sess_conf.ipsec)); > > - > > - sa->sec_session =3D rte_security_session_create(ctx, > > - &sess_conf, ipsec_ctx- > >session_pool); > > - if (sa->sec_session =3D=3D NULL) { > > - RTE_LOG(ERR, IPSEC, > > - "SEC Session init failed: err: %d\n", ret); > > - return -1; > > - } > > - } else if (sa->type =3D=3D > > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > > - struct rte_flow_error err; > > - struct rte_security_ctx *ctx =3D (struct rte_security_ctx > *) > > - > > rte_eth_dev_get_sec_ctx( > > - sa->portid); > > - const struct rte_security_capability *sec_cap; > > - int ret =3D 0; > > - > > - sa->sec_session =3D rte_security_session_create(ctx, > > - &sess_conf, ipsec_ctx- > >session_pool); > > - if (sa->sec_session =3D=3D NULL) { > > - RTE_LOG(ERR, IPSEC, > > - "SEC Session init failed: err: %d\n", ret); > > - return -1; > > - } > > + if (sa->type =3D=3D > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { > > + ctx =3D (struct rte_security_ctx *) > > + rte_eth_dev_get_sec_ctx(sa->portid); > > > > - sec_cap =3D rte_security_capabilities_get(ctx); > > + /* Set IPsec parameters in conf */ > > + set_ipsec_conf(sa, &(sess_conf.ipsec)); > > > > - /* iterate until ESP tunnel*/ > > - while (sec_cap->action !=3D > > - > RTE_SECURITY_ACTION_TYPE_NONE) > > { > > + sa->sec_session =3D rte_security_session_create(ctx, > > + &sess_conf, pool); > > + if (sa->sec_session =3D=3D NULL) { > > + RTE_LOG(ERR, IPSEC, > > + "SEC Session init failed: err: %d\n", > > + ret); > > + return -1; > > + } > > + } else if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) > { > > + struct rte_flow_error err; > > + ctx =3D (struct rte_security_ctx *) > > + rte_eth_dev_get_sec_ctx(sa->portid); > > + sa->sec_session =3D rte_security_session_create(ctx, > > + &sess_conf, pool); > > + if (sa->sec_session =3D=3D NULL) { > > + RTE_LOG(ERR, IPSEC, "SEC Session init failed\n"); > > + return -1; > > + } > > > > - if (sec_cap->action =3D=3D sa->type && > > - sec_cap->protocol =3D=3D > > - RTE_SECURITY_PROTOCOL_IPSEC && > > - sec_cap->ipsec.mode =3D=3D > > - > > RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && > > - sec_cap->ipsec.direction =3D=3D sa->direction) > > - break; > > - sec_cap++; > > - } > > + sec_cap =3D rte_security_capabilities_get(ctx); > > + > > + /* iterate until ESP tunnel*/ > > + while (sec_cap->action !=3D > RTE_SECURITY_ACTION_TYPE_NONE) > > { > > + if (sec_cap->action =3D=3D sa->type && > > + sec_cap->protocol =3D=3D > > + RTE_SECURITY_PROTOCOL_IPSEC && > > + sec_cap->ipsec.mode =3D=3D > > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL > && > > + sec_cap->ipsec.direction =3D=3D sa->direction) > > + break; > > + sec_cap++; > > + } > > > > - if (sec_cap->action =3D=3D > > RTE_SECURITY_ACTION_TYPE_NONE) { > > - RTE_LOG(ERR, IPSEC, > > + if (sec_cap->action =3D=3D RTE_SECURITY_ACTION_TYPE_NONE) > { > > + RTE_LOG(ERR, IPSEC, > > "No suitable security capability found\n"); > > return -1; > > - } > > + } > > > > - sa->ol_flags =3D sec_cap->ol_flags; > > - sa->security_ctx =3D ctx; > > - sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; > > - > > - sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > > - sa->pattern[1].mask =3D &rte_flow_item_ipv4_mask; > > - if (sa->flags & IP6_TUNNEL) { > > - sa->pattern[1].spec =3D &sa->ipv6_spec; > > - memcpy(sa->ipv6_spec.hdr.dst_addr, > > - sa->dst.ip.ip6.ip6_b, 16); > > - memcpy(sa->ipv6_spec.hdr.src_addr, > > - sa->src.ip.ip6.ip6_b, 16); > > - } else { > > - sa->pattern[1].spec =3D &sa->ipv4_spec; > > - sa->ipv4_spec.hdr.dst_addr =3D sa->dst.ip.ip4; > > - sa->ipv4_spec.hdr.src_addr =3D sa->src.ip.ip4; > > - } > > + sa->ol_flags =3D sec_cap->ol_flags; > > + sa->security_ctx =3D ctx; > > + sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; > > + > > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > > + sa->pattern[1].mask =3D &rte_flow_item_ipv4_mask; > > + if (sa->flags & IP6_TUNNEL) { > > + sa->pattern[1].spec =3D &sa->ipv6_spec; > > + memcpy(sa->ipv6_spec.hdr.dst_addr, > > + sa->dst.ip.ip6.ip6_b, 16); > > + memcpy(sa->ipv6_spec.hdr.src_addr, > > + sa->src.ip.ip6.ip6_b, 16); > > + } else { > > + sa->pattern[1].spec =3D &sa->ipv4_spec; > > + sa->ipv4_spec.hdr.dst_addr =3D sa->dst.ip.ip4; > > + sa->ipv4_spec.hdr.src_addr =3D sa->src.ip.ip4; > > + } > > > > - sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > > - sa->pattern[2].spec =3D &sa->esp_spec; > > - sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > > - sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > > + sa->pattern[2].spec =3D &sa->esp_spec; > > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > > > > - sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > > > > - sa->action[0].type =3D > > RTE_FLOW_ACTION_TYPE_SECURITY; > > - sa->action[0].conf =3D sa->sec_session; > > + sa->action[0].type =3D RTE_FLOW_ACTION_TYPE_SECURITY; > > + sa->action[0].conf =3D sa->sec_session; > > > > - sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; > > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; > > > > - sa->attr.egress =3D (sa->direction =3D=3D > > + sa->attr.egress =3D (sa->direction =3D=3D > > > > RTE_SECURITY_IPSEC_SA_DIR_EGRESS); > > - sa->attr.ingress =3D (sa->direction =3D=3D > > + sa->attr.ingress =3D (sa->direction =3D=3D > > > > RTE_SECURITY_IPSEC_SA_DIR_INGRESS); > > - if (sa->attr.ingress) { > > - uint8_t rss_key[40]; > > - struct rte_eth_rss_conf rss_conf =3D { > > - .rss_key =3D rss_key, > > - .rss_key_len =3D 40, > > - }; > > - struct rte_eth_dev *eth_dev; > > - uint16_t > > queue[RTE_MAX_QUEUES_PER_PORT]; > > - struct rte_flow_action_rss action_rss; > > - unsigned int i; > > - unsigned int j; > > - > > - sa->action[2].type =3D > > RTE_FLOW_ACTION_TYPE_END; > > - /* Try RSS. */ > > - sa->action[1].type =3D > > RTE_FLOW_ACTION_TYPE_RSS; > > - sa->action[1].conf =3D &action_rss; > > - eth_dev =3D ctx->device; > > - rte_eth_dev_rss_hash_conf_get(sa->portid, > > - &rss_conf); > > - for (i =3D 0, j =3D 0; > > - i < eth_dev->data->nb_rx_queues; ++i) > > - if (eth_dev->data->rx_queues[i]) > > - queue[j++] =3D i; > > + if (sa->attr.ingress) { > > + uint8_t rss_key[40]; > > + struct rte_eth_rss_conf rss_conf =3D { > > + .rss_key =3D rss_key, > > + .rss_key_len =3D 40, > > + }; > > + struct rte_eth_dev *eth_dev; > > + uint16_t queue[RTE_MAX_QUEUES_PER_PORT]; > > + struct rte_flow_action_rss action_rss; > > + unsigned int i; > > + unsigned int j; > > + > > + sa->action[2].type =3D RTE_FLOW_ACTION_TYPE_END; > > + /* Try RSS. */ > > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_RSS; > > + sa->action[1].conf =3D &action_rss; > > + eth_dev =3D ctx->device; > > + rte_eth_dev_rss_hash_conf_get(sa->portid, > > + &rss_conf); > > + for (i =3D 0, j =3D 0; i < eth_dev->data->nb_rx_queues; > > + ++i) > > + if (eth_dev->data->rx_queues[i]) > > + queue[j++] =3D i; > Compilation error >=20 > /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c: In > function 'create_sec_session': > /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:169:4: > error: this 'for' clause does not guard... [-Werror=3Dmisleading-indentat= ion] > for (i =3D 0, j =3D 0; i < eth_dev->data->nb_rx_queues; > ^~~ > /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:173:5: > note: ...this statement, but the latter is misleadingly indented as if it= is > guarded by the 'for' > action_rss =3D (struct rte_flow_action_rss){ > ^~~~~~~~~~ >=20 I will send a v4. What compiler are you using? Regards, Bernard.