From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <konstantin.ananyev@intel.com>
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 by dpdk.org (Postfix) with ESMTP id E55972B87;
 Wed,  6 Mar 2019 20:40:07 +0100 (CET)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga006.jf.intel.com ([10.7.209.51])
 by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 06 Mar 2019 11:40:02 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.58,448,1544515200"; d="scan'208";a="121563999"
Received: from irsmsx103.ger.corp.intel.com ([163.33.3.157])
 by orsmga006.jf.intel.com with ESMTP; 06 Mar 2019 11:40:00 -0800
Received: from irsmsx105.ger.corp.intel.com ([169.254.7.72]) by
 IRSMSX103.ger.corp.intel.com ([169.254.3.199]) with mapi id 14.03.0415.000;
 Wed, 6 Mar 2019 19:39:59 +0000
From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: "Iremonger, Bernard" <bernard.iremonger@intel.com>, "dev@dpdk.org"
 <dev@dpdk.org>, "akhil.goyal@nxp.com" <akhil.goyal@nxp.com>
CC: "stable@dpdk.org" <stable@dpdk.org>
Thread-Topic: [PATCH 2/6] examples/ipsec-secgw: fix 1st packet dropped patch
 two
Thread-Index: AQHU1DXUMjRbd1kHhka2ffPZAFFVHKX+/yNg
Date: Wed, 6 Mar 2019 19:39:58 +0000
Message-ID: <2601191342CEEE43887BDE71AB9772580124140E49@irsmsx105.ger.corp.intel.com>
References: <1551888011-27692-1-git-send-email-bernard.iremonger@intel.com>
 <1551888011-27692-3-git-send-email-bernard.iremonger@intel.com>
In-Reply-To: <1551888011-27692-3-git-send-email-bernard.iremonger@intel.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNzdjOTRjOTctZDEzNC00ZTM3LWI4NjItYmIxNjg2NDQ1YjFjIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoia2JzSndZa2phTFpUVWFtS3MrXC90VXg2T1NDdGJTNE5mVjhxNnUyY1NKVDgrK0pGcFNhY1BEWUd4MmNQQ1d5dmIifQ==
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.400.15
dlp-reaction: no-action
x-originating-ip: [163.33.239.180]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [dpdk-dev] [PATCH 2/6] examples/ipsec-secgw: fix 1st packet
 dropped patch two
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 19:40:08 -0000


Hi Bernard,

>=20
> Call create_inline_session() at initialisation in sa.c
> Call rte_ipsec_session_prepare() in fill_ipsec_session() for inline.

Here and in other places - it is probably worth explaining the purpose
of these changes.
As a side note, since this series fixes that problem, it is probably worth
adding a patch to the series that removes the following:

       # to overcome problem with ipsec-secgw for inline mode,
        # when first packet(s) will be always dropped.
        # note that ping will fail here
        ssh ${REMOTE_HOST} ping -c 1 ${LOCAL_IPV4}

from examples/ipsec-secgw/test/(tun|trs)_aesgcm_defs.sh
Konstantin

>=20
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Cc: stable@dpdk.org
> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
> ---
>  examples/ipsec-secgw/sa.c | 46 ++++++++++++++++++++++++++++++++++++-----=
-----
>  1 file changed, 36 insertions(+), 10 deletions(-)
>=20
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index 414fcd2..7fb1929 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -762,11 +762,13 @@ check_eth_dev_caps(uint16_t portid, uint32_t inboun=
d)
>=20
>  static int
>  sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> -		uint32_t nb_entries, uint32_t inbound)
> +		uint32_t nb_entries, uint32_t inbound,
> +		struct socket_ctx *skt_ctx)
>  {
>  	struct ipsec_sa *sa;
>  	uint32_t i, idx;
>  	uint16_t iv_length, aad_length;
> +	int32_t rc;
>=20
>  	/* for ESN upper 32 bits of SQN also need to be part of AAD */
>  	aad_length =3D (app_sa_prm.enable_esn !=3D 0) ? sizeof(uint32_t) : 0;
> @@ -819,6 +821,17 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ips=
ec_sa entries[],
>=20
>  			sa->xforms =3D &sa_ctx->xf[idx].a;
>=20
> +			if (sa->type =3D=3D
> +				RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
> +				sa->type =3D=3D
> +				RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
> +				rc =3D create_inline_session(skt_ctx, sa);
> +				if (rc !=3D 0) {
> +					RTE_LOG(ERR, IPSEC_ESP,
> +						"create_inline_session() failed\n");
> +					return -EINVAL;
> +				}
> +			}
>  			print_one_sa_rule(sa, inbound);
>  		} else {
>  			switch (sa->cipher_algo) {
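Review bot: The inline session is created only in this branch; the `else` branch that follows (the one switching on `sa->cipher_algo`) gets no matching call anywhere in this patch, so inline SAs that take that path would presumably still have their session created lazily and keep losing the first packet. The branch condition is outside the hunk, so this needs confirming against the full `sa_add_rules()` body; if both paths can carry inline SAs, the block belongs after the `if`/`else` so it runs once for either. Separately, `return -EINVAL;` throws away the code from `create_inline_session()`; `return rc;` keeps the cause, and adding the SPI to the log line would identify which SA failed.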
> @@ -894,16 +907,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ip=
sec_sa entries[],
>=20
>  static inline int
>  sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> -		uint32_t nb_entries)
> +		uint32_t nb_entries, struct socket_ctx *skt_ctx)
>  {
> -	return sa_add_rules(sa_ctx, entries, nb_entries, 0);
> +	return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx);
>  }
>=20
>  static inline int
>  sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> -		uint32_t nb_entries)
> +		uint32_t nb_entries, struct socket_ctx *skt_ctx)
>  {
> -	return sa_add_rules(sa_ctx, entries, nb_entries, 1);
> +	return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx);
>  }
>=20
>  /*
> @@ -997,10 +1010,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, co=
nst struct ipsec_sa *ss,
>  	return 0;
>  }
>=20
> -static void
> +static int
>  fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa=
,
>  	const struct ipsec_sa *lsa)
>  {
> +	int32_t rc =3D 0;
> +
>  	ss->sa =3D sa;
>  	ss->type =3D lsa->type;
>=20
> @@ -1013,6 +1028,17 @@ fill_ipsec_session(struct rte_ipsec_session *ss, s=
truct rte_ipsec_sa *sa,
>  		ss->security.ctx =3D lsa->security_ctx;
>  		ss->security.ol_flags =3D lsa->ol_flags;
>  	}
> +
> +	if (ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
> +		ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
> +		if (ss->security.ses !=3D NULL) {
> +			rc =3D rte_ipsec_session_prepare(ss);
> +			if (rc !=3D 0)
> +				memset(ss, 0, sizeof(*ss));
> +		}
> +	}
> +
> +	return rc;
>  }
>=20
>  /*
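Review bot: An inline-type session whose `ss->security.ses` is still NULL skips `rte_ipsec_session_prepare()` and `fill_ipsec_session()` returns 0, so the caller cannot tell a prepared session from one that was never set up. If a NULL session is legitimate at this point, say so in a comment such as `/* session not created yet, prepare is deferred */`; if it is not, fail with `else rc = -EINVAL;`. On the failure path `memset(ss, 0, sizeof(*ss))` leaves `ss->type` at 0, which is `RTE_SECURITY_ACTION_TYPE_NONE`, together with a NULL `ss->sa`, so correctness depends on every caller honouring the return value; `ipsec_sa_init()` now propagates it, but its own callers are outside this patch. The function starts in the previous hunk.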
> @@ -1047,8 +1073,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipse=
c_sa *sa, uint32_t sa_size)
>  	if (rc < 0)
>  		return rc;
>=20
> -	fill_ipsec_session(&lsa->ips, sa, lsa);
> -	return 0;
> +	rc =3D fill_ipsec_session(&lsa->ips, sa, lsa);
> +	return rc;
>  }
>=20
>  /*
> @@ -1126,7 +1152,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
>  				"context %s in socket %d\n", rte_errno,
>  				name, socket_id);
>=20
> -		sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in);
> +		sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx);
>=20
>  		if (app_sa_prm.enable !=3D 0) {
>  			rc =3D ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in,
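Review bot: The return value of `sa_in_add_rules()` is still discarded here, and `sa_out_add_rules()` in the next hunk has the same problem, so the new `-EINVAL` from a failed `create_inline_session()` only produces a log line and `sa_init()` carries on with an SA table that was presumably abandoned part-way. For a security gateway it is safer to stop at startup than to run with SAs whose offload session is missing: `rc = sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx);` followed by `if (rc != 0) rte_exit(EXIT_FAILURE, "failed to add inbound SA rules\n");`, and the same for the outbound call. `sa_init()` begins and ends outside both hunks.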
> @@ -1146,7 +1172,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
>  				"context %s in socket %d\n", rte_errno,
>  				name, socket_id);
>=20
> -		sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out);
> +		sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx);
>=20
>  		if (app_sa_prm.enable !=3D 0) {
>  			rc =3D ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out,
> --
> 2.7.4