From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id ACD4AA0471 for ; Sun, 8 Sep 2019 13:45:57 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 925661EA65; Sun, 8 Sep 2019 13:45:56 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by dpdk.org (Postfix) with ESMTP id 77F721EA62 for ; Sun, 8 Sep 2019 13:45:53 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Sep 2019 04:45:52 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,481,1559545200"; d="scan'208";a="384684759" Received: from irsmsx104.ger.corp.intel.com ([163.33.3.159]) by fmsmga006.fm.intel.com with ESMTP; 08 Sep 2019 04:45:52 -0700 Received: from irsmsx105.ger.corp.intel.com ([169.254.7.164]) by IRSMSX104.ger.corp.intel.com ([169.254.5.103]) with mapi id 14.03.0439.000; Sun, 8 Sep 2019 12:45:51 +0100 From: "Ananyev, Konstantin" To: "Nicolau, Radu" , "dev@dpdk.org" CC: "Lu, Wenzhuo" , "Doherty, Declan" Thread-Topic: [PATCH] net/ixgbe: add security statistics Thread-Index: AQHVZNIGCSI3OXKjrk+5wRlyOHZq9achqzZA Date: Sun, 8 Sep 2019 11:45:50 +0000 Message-ID: <2601191342CEEE43887BDE71AB977258019195D348@irsmsx105.ger.corp.intel.com> References: <1567788116-16952-1-git-send-email-radu.nicolau@intel.com> In-Reply-To: <1567788116-16952-1-git-send-email-radu.nicolau@intel.com> Accept-Language: en-IE, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiODBkOTYwNTYtNzQ4YS00YzcwLTg3ZWItNzk5MWZmMDEwOGJmIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoid1JWUnVQbjBHbjdyb0ZOeFhqY2llWDdCS3lQZ0hDVVAyMER6RTU1clRFM0l1aUZNQ1ZSRUdwVnB3Z1Jqbm1QYyJ9 x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [163.33.239.181] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-dev] [PATCH] net/ixgbe: add security statistics X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Radu, >=20 > Update IXGBE PMD with support for IPsec statistics. The proposed approach - have a new hash table per device, plus parse each packet on RX and TX and do hash lookup seems way too heavy to put it into PMD. Wonder why we need to do that? If HW doesn't provide such statistic info, why not to leave it to the upper layer to collect/maintain? In many cases SW will already have that infrastructure and I don't see to put all these heavy-weight operations into ixgbe rx/tx path. =20 Konstantin >=20 > Signed-off-by: Radu Nicolau > --- > drivers/net/ixgbe/ixgbe_ipsec.c | 244 +++++++++++++++++++++++++++= +++++- > drivers/net/ixgbe/ixgbe_ipsec.h | 17 ++- > drivers/net/ixgbe/ixgbe_rxtx.c | 18 +++ > drivers/net/ixgbe/ixgbe_rxtx.h | 4 + > drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c | 6 + > 5 files changed, 285 insertions(+), 4 deletions(-) >=20 > diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ip= sec.c > index 48f5082..94daf92 100644 > --- a/drivers/net/ixgbe/ixgbe_ipsec.c > +++ b/drivers/net/ixgbe/ixgbe_ipsec.c > @@ -9,6 +9,7 @@ > #include > #include > #include > +#include >=20 > #include "base/ixgbe_type.h" > #include "base/ixgbe_api.h" > @@ -94,6 +95,7 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_ses= sion) > dev->data->dev_private); > uint32_t reg_val; > int sa_index =3D -1; > + struct ixgbe_crypto_sess_htable_key tbl_key =3D {0}; >=20 > if (ic_session->op =3D=3D IXGBE_OP_AUTHENTICATED_DECRYPTION) { > int i, ip_index =3D -1; > @@ -158,9 +160,14 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_= session) > if (ic_session->dst_ip.type =3D=3D IPv6) { > priv->rx_sa_tbl[sa_index].mode |=3D IPSRXMOD_IPV6; > priv->rx_ip_tbl[ip_index].ip.type =3D IPv6; > - } else if (ic_session->dst_ip.type =3D=3D IPv4) > + memcpy(&tbl_key.ip.ipv6, &ic_session->dst_ip.ipv6, > + sizeof(ic_session->dst_ip.ipv6)); > + } else if (ic_session->dst_ip.type =3D=3D IPv4) { > priv->rx_ip_tbl[ip_index].ip.type =3D IPv4; > + tbl_key.ip.ipv4 =3D ic_session->dst_ip.ipv4; > + } >=20 > + tbl_key.spi =3D priv->rx_sa_tbl[sa_index].spi; > priv->rx_sa_tbl[sa_index].used =3D 1; >=20 > /* write IP table entry*/ > @@ -238,6 +245,7 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_s= ession) >=20 > priv->tx_sa_tbl[sa_index].spi =3D > rte_cpu_to_be_32(ic_session->spi); > + tbl_key.spi =3D priv->tx_sa_tbl[sa_index].spi; > priv->tx_sa_tbl[i].used =3D 1; > ic_session->sa_index =3D sa_index; >=20 > @@ -264,6 +272,7 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_s= ession) > free(key); > } >=20 > + rte_hash_add_key_data(priv->session_tbl, &tbl_key, ic_session); > return 0; > } >=20 > @@ -276,6 +285,7 @@ ixgbe_crypto_remove_sa(struct rte_eth_dev *dev, > IXGBE_DEV_PRIVATE_TO_IPSEC(dev->data->dev_private); > uint32_t reg_val; > int sa_index =3D -1; > + struct ixgbe_crypto_sess_htable_key tbl_key =3D {0}; >=20 > if (ic_session->op =3D=3D IXGBE_OP_AUTHENTICATED_DECRYPTION) { > int i, ip_index =3D -1; > @@ -324,6 +334,13 @@ ixgbe_crypto_remove_sa(struct rte_eth_dev *dev, > IXGBE_WRITE_REG(hw, IXGBE_IPSRXMOD, 0); > IXGBE_WAIT_RWRITE; > priv->rx_sa_tbl[sa_index].used =3D 0; > + if (priv->rx_sa_tbl[sa_index].mode & IPSRXMOD_IPV6) { > + memcpy(&tbl_key.ip.ipv6, &ic_session->dst_ip.ipv6, > + sizeof(ic_session->dst_ip.ipv6)); > + } else { > + tbl_key.ip.ipv4 =3D ic_session->dst_ip.ipv4; > + } > + tbl_key.spi =3D priv->rx_sa_tbl[sa_index].spi; >=20 > /* If last used then clear the IP table entry*/ > priv->rx_ip_tbl[ip_index].ref_count--; > @@ -361,8 +378,10 @@ ixgbe_crypto_remove_sa(struct rte_eth_dev *dev, > IXGBE_WAIT_TWRITE; >=20 > priv->tx_sa_tbl[sa_index].used =3D 0; > + tbl_key.spi =3D priv->tx_sa_tbl[sa_index].spi; > } >=20 > + rte_hash_del_key(priv->session_tbl, &tbl_key); > return 0; > } >=20 > @@ -376,6 +395,8 @@ ixgbe_crypto_create_session(void *device, > struct ixgbe_crypto_session *ic_session =3D NULL; > struct rte_crypto_aead_xform *aead_xform; > struct rte_eth_conf *dev_conf =3D ð_dev->data->dev_conf; > + struct ixgbe_ipsec *priv =3D > + IXGBE_DEV_PRIVATE_TO_IPSEC(eth_dev->data->dev_private); >=20 > if (rte_mempool_get(mempool, (void **)&ic_session)) { > PMD_DRV_LOG(ERR, "Cannot get object from ic_session mempool"); > @@ -426,6 +447,40 @@ ixgbe_crypto_create_session(void *device, > } > } >=20 > + if (conf->ipsec.options.stats) { > + ic_session->stats_enabled =3D 1; > + priv->per_session_stats_active++; > + } > + > + return 0; > +} > + > +static int > +ixgbe_crypto_stats_get(__rte_unused void *device, > + struct rte_security_session *sess, > + struct rte_security_stats *stats) > +{ > + struct rte_eth_dev *eth_dev =3D device; > + struct ixgbe_ipsec *priv =3D > + IXGBE_DEV_PRIVATE_TO_IPSEC(eth_dev->data->dev_private); > + volatile struct rte_security_ipsec_stats *ixgbe_stats; > + > + if (sess) { > + struct ixgbe_crypto_session *ic_session =3D > + (struct ixgbe_crypto_session *) > + get_sec_session_private_data(sess); > + ixgbe_stats =3D &ic_session->stats; > + } else { > + ixgbe_stats =3D &priv->stats; > + } > + > + stats->ipsec.ipackets =3D ixgbe_stats->ipackets; > + stats->ipsec.opackets =3D ixgbe_stats->opackets; > + stats->ipsec.ibytes =3D ixgbe_stats->ibytes; > + stats->ipsec.obytes =3D ixgbe_stats->obytes; > + stats->ipsec.ierrors =3D ixgbe_stats->ierrors; > + stats->ipsec.oerrors =3D ixgbe_stats->oerrors; > + > return 0; > } >=20 > @@ -444,6 +499,8 @@ ixgbe_crypto_remove_session(void *device, > (struct ixgbe_crypto_session *) > get_sec_session_private_data(session); > struct rte_mempool *mempool =3D rte_mempool_from_obj(ic_session); > + struct ixgbe_ipsec *priv =3D > + IXGBE_DEV_PRIVATE_TO_IPSEC(eth_dev->data->dev_private); >=20 > if (eth_dev !=3D ic_session->dev) { > PMD_DRV_LOG(ERR, "Session not bound to this device\n"); > @@ -455,11 +512,44 @@ ixgbe_crypto_remove_session(void *device, > return -EFAULT; > } >=20 > + if (ic_session->stats_enabled && priv->per_session_stats_active > 0) > + priv->per_session_stats_active--; > + > rte_mempool_put(mempool, (void *)ic_session); >=20 > return 0; > } >=20 > +static int > +ixgbe_crypto_update_session(void *device, > + struct rte_security_session *session, > + struct rte_security_session_conf *conf) > +{ > + struct rte_eth_dev *eth_dev =3D device; > + struct ixgbe_crypto_session *ic_session =3D > + (struct ixgbe_crypto_session *) > + get_sec_session_private_data(session); > + struct ixgbe_ipsec *priv =3D > + IXGBE_DEV_PRIVATE_TO_IPSEC(eth_dev->data->dev_private); > + > + if (eth_dev !=3D ic_session->dev) { > + PMD_DRV_LOG(ERR, "Session not bound to this device\n"); > + return -ENODEV; > + } > + > + /* Enable/disable per session stats */ > + if (ic_session->stats_enabled && !conf->ipsec.options.stats) { > + ic_session->stats_enabled =3D 0; > + if (priv->per_session_stats_active > 0) > + priv->per_session_stats_active--; > + } else if (!ic_session->stats_enabled && conf->ipsec.options.stats) { > + ic_session->stats_enabled =3D 1; > + priv->per_session_stats_active++; > + } > + > + return 0; > +} > + > static inline uint8_t > ixgbe_crypto_compute_pad_len(struct rte_mbuf *m) > { > @@ -624,6 +714,8 @@ int > ixgbe_crypto_enable_ipsec(struct rte_eth_dev *dev) > { > struct ixgbe_hw *hw =3D IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private)= ; > + struct ixgbe_ipsec *priv =3D > + IXGBE_DEV_PRIVATE_TO_IPSEC(dev->data->dev_private); > uint32_t reg; > uint64_t rx_offloads; > uint64_t tx_offloads; > @@ -676,6 +768,23 @@ ixgbe_crypto_enable_ipsec(struct rte_eth_dev *dev) >=20 > ixgbe_crypto_clear_ipsec_tables(dev); >=20 > + if (priv->session_tbl =3D=3D NULL) { > + char session_tbl_hash_name[RTE_HASH_NAMESIZE]; > + struct rte_hash_parameters params =3D { > + .name =3D session_tbl_hash_name, > + .entries =3D IPSEC_MAX_SA_COUNT * 2, > + .key_len =3D sizeof(struct ixgbe_crypto_sess_htable_key), > + .hash_func =3D rte_hash_crc, > + .socket_id =3D rte_socket_id(), > + }; > + snprintf(session_tbl_hash_name, RTE_HASH_NAMESIZE, > + "session_tbl_hash_%s", dev->device->name); > + > + priv->session_tbl =3D rte_hash_create(¶ms); > + } else { > + rte_hash_reset(priv->session_tbl); > + } > + > return 0; > } >=20 > @@ -709,11 +818,140 @@ ixgbe_crypto_add_ingress_sa_from_flow(const void *= sess, > return 0; > } >=20 > +void > +ixgbe_crypto_update_rx_stats(struct ixgbe_ipsec *ixgbe_ipsec, > + struct rte_mbuf **mbufs, > + uint16_t count) > +{ > + uint16_t i; > + uint32_t ipackets =3D 0, ibytes =3D 0, ierrors =3D 0; > + > + if (ixgbe_ipsec->per_session_stats_active) { > + struct ip *ip; > + struct rte_esp_hdr *esp; > + struct ixgbe_crypto_session *sess; > + struct ixgbe_crypto_sess_htable_key tbl_key =3D {0}; > + > + for (i =3D 0; i < count; i++) { > + if ((mbufs[i]->ol_flags & PKT_RX_SEC_OFFLOAD) =3D=3D 0) > + continue; > + ip =3D rte_pktmbuf_mtod_offset(mbufs[i], > + struct ip *, > + sizeof(struct rte_ether_hdr)); > + if (ip->ip_v =3D=3D IPVERSION) { > + tbl_key.ip.ipv4 =3D ip->ip_dst.s_addr; > + esp =3D rte_pktmbuf_mtod_offset(mbufs[i], > + struct rte_esp_hdr *, > + sizeof(struct rte_ether_hdr) + > + ip->ip_hl * 4); > + } else { > + struct ip6_hdr *ip6 =3D (struct ip6_hdr *)ip; > + memcpy(&tbl_key.ip.ipv6, &ip6->ip6_dst, 16); > + esp =3D rte_pktmbuf_mtod_offset(mbufs[i], > + struct rte_esp_hdr *, > + sizeof(struct rte_ether_hdr) + > + sizeof(struct ip6_hdr)); > + } > + tbl_key.spi =3D esp->spi; > + if (rte_hash_lookup_data(ixgbe_ipsec->session_tbl, > + &tbl_key, (void **)&sess) < 0) > + sess =3D NULL; > + if (mbufs[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) { > + if (sess && sess->stats_enabled) > + sess->stats.ierrors++; > + ierrors++; > + } else { > + if (sess && sess->stats_enabled) { > + sess->stats.ipackets++; > + sess->stats.ibytes +=3D > + rte_pktmbuf_pkt_len(mbufs[i]); > + } > + ipackets++; > + ibytes +=3D rte_pktmbuf_pkt_len(mbufs[i]); > + } > + } > + } else { /* Global stats only */ > + for (i =3D 0; i < count; i++) { > + if (mbufs[i]->ol_flags & PKT_RX_SEC_OFFLOAD) { > + if (mbufs[i]->ol_flags & > + PKT_RX_SEC_OFFLOAD_FAILED) { > + ierrors++; > + } else { > + ipackets++; > + ibytes +=3D rte_pktmbuf_pkt_len(mbufs[i]); > + } > + } > + } > + } > + > + /* Update global stats */ > + ixgbe_ipsec->stats.ipackets +=3D ipackets; > + ixgbe_ipsec->stats.ibytes +=3D ibytes; > + ixgbe_ipsec->stats.ierrors +=3D ierrors; > +} > + > +void > +ixgbe_crypto_update_tx_stats(struct ixgbe_ipsec *ixgbe_ipsec, > + struct rte_mbuf **mbufs, > + uint16_t count) > +{ > + uint16_t i; > + uint32_t opackets =3D 0, obytes =3D 0; > + > + if (ixgbe_ipsec->per_session_stats_active) { > + struct ip *ip; > + struct rte_esp_hdr *esp; > + struct ixgbe_crypto_session *sess; > + struct ixgbe_crypto_sess_htable_key tbl_key =3D {0}; > + > + for (i =3D 0; i < count; i++) { > + if ((mbufs[i]->ol_flags & PKT_TX_SEC_OFFLOAD) =3D=3D 0) > + continue; > + ip =3D rte_pktmbuf_mtod_offset(mbufs[i], > + struct ip *, > + sizeof(struct rte_ether_hdr)); > + if (ip->ip_v =3D=3D IPVERSION) { > + esp =3D rte_pktmbuf_mtod_offset(mbufs[i], > + struct rte_esp_hdr *, > + sizeof(struct rte_ether_hdr) + > + ip->ip_hl * 4); > + } else { > + esp =3D rte_pktmbuf_mtod_offset(mbufs[i], > + struct rte_esp_hdr *, > + sizeof(struct rte_ether_hdr) + > + sizeof(struct ip6_hdr)); > + } > + tbl_key.spi =3D esp->spi; > + if (rte_hash_lookup_data(ixgbe_ipsec->session_tbl, > + &tbl_key, (void **)&sess) < 0) > + sess =3D NULL; > + if (sess && sess->stats_enabled) { > + sess->stats.opackets++; > + sess->stats.obytes +=3D > + rte_pktmbuf_pkt_len(mbufs[i]); > + } > + opackets++; > + obytes +=3D rte_pktmbuf_pkt_len(mbufs[i]); > + } > + } else { /* Global stats only */ > + for (i =3D 0; i < count; i++) { > + if (mbufs[i]->ol_flags & PKT_RX_SEC_OFFLOAD) { > + opackets++; > + obytes +=3D rte_pktmbuf_pkt_len(mbufs[i]); > + } > + } > + } > + > + /* Update global stats */ > + ixgbe_ipsec->stats.opackets +=3D opackets; > + ixgbe_ipsec->stats.obytes +=3D obytes; > +} > + > static struct rte_security_ops ixgbe_security_ops =3D { > .session_create =3D ixgbe_crypto_create_session, > - .session_update =3D NULL, > + .session_update =3D ixgbe_crypto_update_session, > .session_get_size =3D ixgbe_crypto_session_get_size, > - .session_stats_get =3D NULL, > + .session_stats_get =3D ixgbe_crypto_stats_get, > .session_destroy =3D ixgbe_crypto_remove_session, > .set_pkt_metadata =3D ixgbe_crypto_update_mb, > .capabilities_get =3D ixgbe_crypto_capabilities_get > diff --git a/drivers/net/ixgbe/ixgbe_ipsec.h b/drivers/net/ixgbe/ixgbe_ip= sec.h > index e218c0a..a4ff8b6 100644 > --- a/drivers/net/ixgbe/ixgbe_ipsec.h > +++ b/drivers/net/ixgbe/ixgbe_ipsec.h > @@ -70,6 +70,8 @@ struct ixgbe_crypto_session { > struct ipaddr src_ip; > struct ipaddr dst_ip; > struct rte_eth_dev *dev; > + volatile struct rte_security_ipsec_stats stats; > + uint8_t stats_enabled; > } __rte_cache_aligned; >=20 > struct ixgbe_crypto_rx_ip_table { > @@ -100,10 +102,18 @@ union ixgbe_crypto_tx_desc_md { > }; > }; >=20 > +struct ixgbe_crypto_sess_htable_key { > + uint32_t spi; > + struct ipaddr ip; > +}; > + > struct ixgbe_ipsec { > struct ixgbe_crypto_rx_ip_table rx_ip_tbl[IPSEC_MAX_RX_IP_COUNT]; > struct ixgbe_crypto_rx_sa_table rx_sa_tbl[IPSEC_MAX_SA_COUNT]; > struct ixgbe_crypto_tx_sa_table tx_sa_tbl[IPSEC_MAX_SA_COUNT]; > + volatile struct rte_security_ipsec_stats stats; > + volatile uint16_t per_session_stats_active; > + struct rte_hash *session_tbl; > }; >=20 >=20 > @@ -112,7 +122,12 @@ int ixgbe_crypto_enable_ipsec(struct rte_eth_dev *de= v); > int ixgbe_crypto_add_ingress_sa_from_flow(const void *sess, > const void *ip_spec, > uint8_t is_ipv6); > - > +void ixgbe_crypto_update_rx_stats(struct ixgbe_ipsec *ixgbe_ipsec, > + struct rte_mbuf **mbufs, > + uint16_t count); > +void ixgbe_crypto_update_tx_stats(struct ixgbe_ipsec *ixgbe_ipsec, > + struct rte_mbuf **mbufs, > + uint16_t count); >=20 >=20 > #endif /*IXGBE_IPSEC_H_*/ > diff --git a/drivers/net/ixgbe/ixgbe_rxtx.c b/drivers/net/ixgbe/ixgbe_rxt= x.c > index edcfa60..cde012f 100644 > --- a/drivers/net/ixgbe/ixgbe_rxtx.c > +++ b/drivers/net/ixgbe/ixgbe_rxtx.c > @@ -956,6 +956,12 @@ ixgbe_xmit_pkts(void *tx_queue, struct rte_mbuf **tx= _pkts, > IXGBE_PCI_REG_WRITE_RELAXED(txq->tdt_reg_addr, tx_id); > txq->tx_tail =3D tx_id; >=20 > +#ifdef RTE_LIBRTE_SECURITY > + if (unlikely(txq->using_ipsec)) > + ixgbe_crypto_update_tx_stats(txq->ixgbe_ipsec, > + &tx_pkts[-nb_tx], nb_tx); > +#endif > + > return nb_tx; > } >=20 > @@ -1643,6 +1649,12 @@ ixgbe_rx_fill_from_stage(struct ixgbe_rx_queue *rx= q, struct rte_mbuf **rx_pkts, > rxq->rx_nb_avail =3D (uint16_t)(rxq->rx_nb_avail - nb_pkts); > rxq->rx_next_avail =3D (uint16_t)(rxq->rx_next_avail + nb_pkts); >=20 > +#ifdef RTE_LIBRTE_SECURITY > + if (unlikely(rxq->using_ipsec)) > + ixgbe_crypto_update_rx_stats(rxq->ixgbe_ipsec, > + rx_pkts, nb_pkts); > +#endif > + > return nb_pkts; > } >=20 > @@ -2618,6 +2630,9 @@ ixgbe_dev_tx_queue_setup(struct rte_eth_dev *dev, > #ifdef RTE_LIBRTE_SECURITY > txq->using_ipsec =3D !!(dev->data->dev_conf.txmode.offloads & > DEV_TX_OFFLOAD_SECURITY); > + if (txq->using_ipsec) > + txq->ixgbe_ipsec =3D > + IXGBE_DEV_PRIVATE_TO_IPSEC(dev->data->dev_private); > #endif >=20 > /* > @@ -4730,6 +4745,9 @@ ixgbe_set_rx_function(struct rte_eth_dev *dev) > #ifdef RTE_LIBRTE_SECURITY > rxq->using_ipsec =3D !!(dev->data->dev_conf.rxmode.offloads & > DEV_RX_OFFLOAD_SECURITY); > + if (rxq->using_ipsec) > + rxq->ixgbe_ipsec =3D > + IXGBE_DEV_PRIVATE_TO_IPSEC(dev->data->dev_private); > #endif > } > } > diff --git a/drivers/net/ixgbe/ixgbe_rxtx.h b/drivers/net/ixgbe/ixgbe_rxt= x.h > index 505d344..b5f130d 100644 > --- a/drivers/net/ixgbe/ixgbe_rxtx.h > +++ b/drivers/net/ixgbe/ixgbe_rxtx.h > @@ -114,6 +114,8 @@ struct ixgbe_rx_queue { > #ifdef RTE_LIBRTE_SECURITY > uint8_t using_ipsec; > /**< indicates that IPsec RX feature is in use */ > + struct ixgbe_ipsec *ixgbe_ipsec; > + /**< IXGBE IPsec internals */ > #endif > #ifdef RTE_IXGBE_INC_VECTOR > uint16_t rxrearm_nb; /**< number of remaining to be re-a= rmed */ > @@ -231,6 +233,8 @@ struct ixgbe_tx_queue { > #ifdef RTE_LIBRTE_SECURITY > uint8_t using_ipsec; > /**< indicates that IPsec TX feature is in use */ > + struct ixgbe_ipsec *ixgbe_ipsec; > + /**< IXGBE IPsec internals */ > #endif > }; >=20 > diff --git a/drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c b/drivers/net/ixgbe/i= xgbe_rxtx_vec_sse.c > index 599ba30..b92d1a9 100644 > --- a/drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c > +++ b/drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c > @@ -553,6 +553,12 @@ _recv_raw_pkts_vec(struct ixgbe_rx_queue *rxq, struc= t rte_mbuf **rx_pkts, > rxq->rx_tail =3D (uint16_t)(rxq->rx_tail & (rxq->nb_rx_desc - 1)); > rxq->rxrearm_nb =3D (uint16_t)(rxq->rxrearm_nb + nb_pkts_recd); >=20 > +#ifdef RTE_LIBRTE_SECURITY > + if (unlikely(use_ipsec)) > + ixgbe_crypto_update_rx_stats(rxq->ixgbe_ipsec, > + rx_pkts, nb_pkts_recd); > +#endif > + > return nb_pkts_recd; > } >=20 > -- > 2.7.4