From: "Shetty, Praveen"
To: Anoob Joseph, "Doherty, Declan", "Ananyev, Konstantin", "Iremonger, Bernard", "dev@dpdk.org"
Date: Fri, 13 Mar 2020 07:05:59 +0000
Subject: Re: [dpdk-dev] [PATCH v1] examples/ipsec-secgw: support flow director feature
References: <20200311145529.40221-1-praveen.shetty@intel.com>
List-Id: DPDK patches and discussions

Hi Anoob,

Thank you. Please see my answers below.

Regards,
Praveen

-----Original Message-----
From: Anoob Joseph
Sent: Thursday, March 12, 2020 4:31 PM
To: Shetty, Praveen; dev@dpdk.org; Doherty, Declan; Iremonger, Bernard; Ananyev, Konstantin
Subject: RE: [dpdk-dev] [PATCH v1] examples/ipsec-secgw: support flow director feature

Hi Praveen,

I do have some review comments on the code. Before that, can you give a brief overview of what is being targeted? My understanding is that the primary objective is to use rte_flow (or flow director) to redirect a specific flow(/SA) to a specific queue. Can you confirm?

>>>> Yes, your understanding is correct, the main objective is to support load distribution in ipsec-secgw application.
>>>> flow director and RSS features are used to achieve the load distribution.
>>>> flow director is used to redirect the specified inbound ipsec flow to a specified queue.

Couple of questions,

1. I would assume the new option of "flow-direction" is optional and is determined per SA. In that case, can I assume that RSS would be active for the other flows (or SAs). Let's say, I just want to add a SA for which I would like to enable "flow-direction" but leave the rest as is. How is that handled?

[Praveen]
>>>> We are using fdir_flag to differentiate the mix of SA's (SA's with and without flow-direction).
>>>> fdir_flag will be "set" for the SA which has been configured with flow-direction option (SA rule syntax is extended to add new options ).
>>>> flow creation is called only for the SA's whose fdir_flag is set.

2. I see that the changes are only applicable for LOOKASIDE_PROTOCOL. The same feature would be useful for other modes as well, right?

[Praveen]
>>>> We are adding this feature for i40e NIC and the i40e NIC doesn't support either encryption or decryption, that's why we used only LOOKASIDE_PROTOCOL in this case.

3. I'm not sure "flow-direction" is the right wording for the option. This is just specifying the "rx-queue" per SA. @Akhil, Konstantin, comments?

>>>> @Declan, @Konstantin, @Bernard, @Akhil Could you please suggest a name on which we can all agree?

Thanks,
Anoob

> -----Original Message-----
> From: dev On Behalf Of Praveen Shetty
> Sent: Wednesday, March 11, 2020 8:25 PM
> To: dev@dpdk.org; declan.doherty@intel.com; bernard.iremonger@intel.com; konstantin.ananyev@intel.com
> Subject: [dpdk-dev] [PATCH v1] examples/ipsec-secgw: support flow director feature
>
> Modified Security gateway application to support configuration of flow director rule to direct inbound IPsec SA to a specified queue.
>
> Signed-off-by: Praveen Shetty
> --- > examples/ipsec-secgw/ep0.cfg | 11 +++++ > examples/ipsec-secgw/ipsec-secgw.c | 56 ++++++++++++++++++++++++- > examples/ipsec-secgw/ipsec.c | 67 ++++++++++++++++++++++++++++++ > examples/ipsec-secgw/ipsec.h | 11 +++++ > examples/ipsec-secgw/sa.c | 50 +++++++++++++++++++++- > 5 files changed, 192 insertions(+), 3 deletions(-) >=20 > diff --git a/examples/ipsec-secgw/ep0.cfg=20 > b/examples/ipsec-secgw/ep0.cfg index dfd4aca7d..c9f80e81b 100644 > --- a/examples/ipsec-secgw/ep0.cfg > +++ b/examples/ipsec-secgw/ep0.cfg > @@ -29,6 +29,7 @@ sp ipv4 in esp protect 111 pri 1 dst > 192.168.186.0/24 sport > 0:65535 dport 0:6553 sp ipv4 in esp protect 115 pri 1 dst > 192.168.210.0/24 sport > 0:65535 dport 0:65535 sp ipv4 in esp protect 116 pri 1 dst > 192.168.211.0/24 sport 0:65535 dport 0:65535 sp ipv4 in esp protect > 115 pri 1 dst > 192.168.210.0/24 sport 0:65535 dport 0:65535 > +sp ipv4 in esp protect 117 pri 1 dst 192.168.212.0/24 sport 0:65535=20 > +dport 0:65535 > sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535=20 > dport 0:65535 sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24=20 > sport 0:65535 dport 0:65535 sp ipv4 in esp protect 126 pri 1 dst > 192.168.66.0/24 sport 0:65535 dport 0:65535 
@@ -61,6 +62,8 @@ sp ipv6=20 > in esp protect 125 pri 1 dst > ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 > sport 0:65535 dport 0:65535 > sp ipv6 in esp protect 126 pri 1 dst > ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \ sport 0:65535 dport > 0:65535 > +sp ipv6 in esp protect 127 pri 1 dst > +ffff:0000:0000:0000:cccc:dddd:0000:0000/96 \ sport 0:65535 dport > +0:65535 >=20 > #SA rules > sa out 5 cipher_algo aes-128-cbc cipher_key > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ @@ -118,6 +121,9 @@ dst 172.16.1.5 >=20 > sa in 116 cipher_algo null auth_algo null mode ipv4-tunnel src > 172.16.2.6 dst > 172.16.1.6 >=20 > +sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src > +172.16.2.7 \ dst 172.16.1.7 flow-direction 0 2 port_id 0 type=20 > +lookaside-protocol-offload > + > sa in 125 cipher_algo aes-128-cbc cipher_key=20 > c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\ > c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key=20 > c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\ > c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \ @@ -130,6 +136,11 @@ sa=20 > in > 126 cipher_algo aes-128-cbc cipher_key=20 > 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\ > src 2222:2222:2222:2222:2222:2222:2222:6666 \ dst > 1111:1111:1111:1111:1111:1111:1111:6666 >=20 > +sa in 127 cipher_algo null auth_algo null mode ipv6-tunnel \ src > +2222:2222:2222:2222:2222:2222:2222:7777 \ dst > +1111:1111:1111:1111:1111:1111:1111:7777 \ flow-direction 0 3 port_id > +0 type lookaside-protocol-offload > + > #Routing rules > rt ipv4 dst 172.16.2.5/32 port 0 > rt ipv4 dst 172.16.2.6/32 port 1 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-=20 > secgw/ipsec-secgw.c index 4799bc90c..132484422 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c 
> @@ -166,7 +166,6 @@ static const struct option lgopts[] =3D { > {CMD_LINE_OPT_FRAG_TTL, 1, 0, CMD_LINE_OPT_FRAG_TTL_NUM}, > {NULL, 0, 0, 0} > }; > - > /* mask of enabled ports */ > static uint32_t enabled_port_mask; > static uint64_t enabled_cryptodev_mask =3D UINT64_MAX; @@ -259,6 > +258,30 @@ static struct rte_eth_conf port_conf =3D { > .txmode =3D { > .mq_mode =3D ETH_MQ_TX_NONE, > }, > + .fdir_conf =3D { > + .mode =3D RTE_FDIR_MODE_NONE, > + .pballoc =3D RTE_FDIR_PBALLOC_64K, > + .status =3D RTE_FDIR_REPORT_STATUS, > + .mask =3D { > + .vlan_tci_mask =3D 0xFFEF, > + .ipv4_mask =3D { > + .src_ip =3D 0xFFFFFFFF, > + .dst_ip =3D 0xFFFFFFFF, > + }, > + .ipv6_mask =3D { > + .src_ip =3D {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, > + 0xFFFFFFFF}, > + .dst_ip =3D {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, > + 0xFFFFFFFF}, > + }, > + .src_port_mask =3D 0xFFFF, > + .dst_port_mask =3D 0xFFFF, > + .mac_addr_byte_mask =3D 0xFF, > + .tunnel_type_mask =3D 1, > + .tunnel_id_mask =3D 0xFFFFFFFF, > + }, > + .drop_queue =3D 127, > + } > }; >=20 > static struct socket_ctx socket_ctx[NB_SOCKETS]; @@ -1184,7 +1207,6=20 > @@ > main_loop(__attribute__((unused)) void *dummy) >=20 > if (nb_rx > 0) > process_pkts(qconf, pkts, nb_rx, portid); > - > /* dequeue and process completed crypto-ops */ > if (UNPROTECTED_PORT(portid)) > drain_inbound_crypto_queues(qconf, > @@ -1196,6 +1218,27 @@ main_loop(__attribute__((unused)) void *dummy) > } > } >=20 > +int check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid) { > + uint16_t i; > + uint16_t portid; > + uint8_t queueid; > + > + for (i =3D 0; i < nb_lcore_params; ++i) { > + portid =3D lcore_params_array[i].port_id; > + if (portid =3D=3D fdir_portid) { > + queueid =3D lcore_params_array[i].queue_id; > + if (queueid =3D=3D fdir_qid) > + break; > + } > + > + if (i =3D=3D nb_lcore_params - 1) > + return -1; > + } > + > + return 1; > +} > + > static int32_t > check_params(void) > { 
> @@ -2503,6 +2546,15 @@ main(int32_t argc, char **argv) > continue; >=20 > sa_check_offloads(portid, &req_rx_offloads, &req_tx_offloads); > + /* check if FDIR is configured on the port */ > + if (check_fdir_configured(portid)) { > + /* Enable FDIR */ > + port_conf.fdir_conf.mode =3D > RTE_FDIR_MODE_PERFECT; > + /* Disable RSS */ > + port_conf.rxmode.mq_mode =3D ETH_MQ_RX_NONE; > + port_conf.rx_adv_conf.rss_conf.rss_hf =3D 0; > + port_conf.rx_adv_conf.rss_conf.rss_key =3D NULL; > + } > port_init(portid, req_rx_offloads, req_tx_offloads); > } >=20 > diff --git a/examples/ipsec-secgw/ipsec.c=20 > b/examples/ipsec-secgw/ipsec.c index 6e8120702..363809cfd 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c 
> @@ -415,6 +415,73 @@ create_inline_session(struct socket_ctx *skt_ctx,=20 > struct ipsec_sa *sa, > return 0; > } >=20 > +int > +create_ipsec_esp_flow(struct ipsec_sa *sa) { > + int ret =3D 0; > + struct rte_flow_error err; > + if (sa->direction =3D=3D RTE_SECURITY_IPSEC_SA_DIR_EGRESS) > + return 0; /* No Flow director rules for Egress traffic */ > + if (sa->flags =3D=3D TRANSPORT) { > + RTE_LOG(ERR, IPSEC, > + "No Flow director rule for transport mode:"); > + return -1; > + } > + sa->action[0].type =3D RTE_FLOW_ACTION_TYPE_QUEUE; > + sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; > + sa->action[0].conf =3D > + &(struct rte_flow_action_queue){ > + .index =3D sa->fdir_qid, > + }; > + sa->attr.egress =3D 0; > + sa->attr.ingress =3D 1; > + if (IS_IP6(sa->flags)) { > + sa->pattern[1].mask =3D &rte_flow_item_ipv6_mask; > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV6; > + sa->pattern[1].spec =3D &sa->ipv6_spec; > + memcpy(sa->ipv6_spec.hdr.dst_addr, > + sa->dst.ip.ip6.ip6_b, IPV6_ADDR_LEN); > + memcpy(sa->ipv6_spec.hdr.src_addr, > + sa->src.ip.ip6.ip6_b, IPV6_ADDR_LEN); > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > + sa->pattern[2].spec =3D &sa->esp_spec; > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > + } else if (IS_IP4(sa->flags)) { > + sa->pattern[1].mask =3D &rte_flow_item_ipv4_mask; > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > + sa->pattern[1].spec =3D &sa->ipv4_spec; > + sa->ipv4_spec.hdr.dst_addr =3D sa->dst.ip.ip4; > + sa->ipv4_spec.hdr.src_addr =3D sa->src.ip.ip4; > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > + sa->pattern[2].spec =3D &sa->esp_spec; > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > + } > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; > + > + ret =3D rte_flow_validate(sa->fdir_portid, 
&sa->attr, > + sa->pattern, sa->action, > + &err); > + if (ret < 0) { > + RTE_LOG(ERR, IPSEC, > + "Flow Validation failed\n"); > + return ret; > + } > + sa->flow =3D rte_flow_create(sa->fdir_portid, > + &sa->attr, sa->pattern, sa->action, > + &err); > + if (!sa->flow) { > + RTE_LOG(ERR, IPSEC, > + "Flow Creation failed\n"); > + return -1; > + } > + > + return 0; > +} > + > /* > * queue crypto-ops into PMD queue. > */ > diff --git a/examples/ipsec-secgw/ipsec.h=20 > b/examples/ipsec-secgw/ipsec.h index 4f2fd6184..00147895a 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -46,6 +46,8 @@ >=20 > #define IP6_VERSION (6) >=20 > +#define IPV6_ADDR_LEN 16 > + > struct rte_crypto_xform; > struct ipsec_xform; > struct rte_mbuf; > @@ -138,6 +140,9 @@ struct ipsec_sa { > }; > enum rte_security_ipsec_sa_direction direction; > uint16_t portid; > + uint16_t fdir_portid; > + uint8_t fdir_qid; > + uint8_t fdir_flag; >=20 > #define MAX_RTE_FLOW_PATTERN (4) > #define MAX_RTE_FLOW_ACTIONS (3) > @@ -383,5 +388,11 @@ create_lookaside_session(struct ipsec_ctx=20 > *ipsec_ctx, struct ipsec_sa *sa, int create_inline_session(struct=20 > socket_ctx *skt_ctx, struct ipsec_sa *sa, > struct rte_ipsec_session *ips); > +int > +check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid); > + > +int > +create_ipsec_esp_flow(struct ipsec_sa *sa); >=20 > +int check_fdir_configured(uint16_t portid); > #endif /* __IPSEC_H__ */ > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c=20 > index 4822d6bda..9955dfcbe 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -20,6 +20,9 @@ > #include > #include > #include > +#include > +#include > +#include >=20 > #include "ipsec.h" > #include "esp.h" 
> @@ -271,6 +274,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > uint32_t type_p =3D 0; > uint32_t portid_p =3D 0; > uint32_t fallback_p =3D 0; > + int16_t status_p =3D 0; >=20 > if (strcmp(tokens[0], "in") =3D=3D 0) { > ri =3D &nb_sa_in; > @@ -681,6 +685,25 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > fallback_p =3D 1; > continue; > } > + if (strcmp(tokens[ti], "flow-direction") =3D=3D 0) { > + rule->fdir_flag =3D 1; > + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > + if (status->status < 0) > + return; > + rule->fdir_portid =3D atoi(tokens[ti]); > + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > + if (status->status < 0) > + return; > + rule->fdir_qid =3D atoi(tokens[ti]); > + /* validating portid and queueid */ > + status_p =3D check_flow_params(rule->fdir_portid, > + rule->fdir_qid); > + if (status_p < 0) { > + printf("port id %u / queue id %u is not valid\n", > + rule->fdir_portid, rule->fdir_qid); > + } > + continue; > + } >=20 > /* unrecognizeable input */ > APP_CHECK(0, status, "unrecognized input \"%s\"", @@ -823,6 > +846,9 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) > break; > } > } > + if (sa->fdir_flag =3D=3D 1) > + printf("flow-direction %d %d", sa->fdir_portid, sa->fdir_qid); > + > printf("\n"); > } >=20 > @@ -1153,7 +1179,15 @@ sa_add_rules(struct sa_ctx *sa_ctx, const=20 > struct ipsec_sa entries[], > return -EINVAL; > } > } > - > + if (sa->fdir_flag && > + ips->type =3D=3D > + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL > && > + inbound) { > + rc =3D create_ipsec_esp_flow(sa); > + if (rc !=3D 0) > + RTE_LOG(ERR, IPSEC_ESP, > + "create_ipsec_esp flow failed\n"); > + } > print_one_sa_rule(sa, inbound); > } >=20 
> @@ -1256,6 +1290,20 @@ fill_ipsec_session(struct rte_ipsec_session=20 > *ss, struct rte_ipsec_sa *sa) > return rc; > } >=20 > +int > +check_fdir_configured(uint16_t portid) { > + struct ipsec_sa *sa =3D NULL; > + uint32_t idx_sa =3D 0; > + > + for (idx_sa =3D 0; idx_sa < nb_sa_in; idx_sa++) { > + sa =3D &sa_in[idx_sa]; > + if (sa->fdir_portid =3D=3D portid) > + return sa->fdir_flag; > + } > + return 0; > +} > + > /* > * Initialise related rte_ipsec_sa object. > */ > -- > 2.17.1
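
Review bot: The new sample SAs 117 and 127 in ep0.cfg carry "flow-direction 0 2" and "flow-direction 0 3" with no comment saying which number is the port and which is the queue, and the diffstat touches only files under examples/ipsec-secgw, so the new SA option is not documented anywhere. Add a comment line above the two rules stating the argument order and a matching entry in the application guide. It is also worth noting next to the rules that queues 2 and 3 on port 0 must be present in the lcore configuration the sample is run with, since parse_sa_tokens() checks the pair against lcore_params_array.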
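
Review bot: In the port_conf hunk of ipsec-secgw.c, ".drop_queue = 127" and ".vlan_tci_mask = 0xFFEF" are bare constants with no comment explaining why that queue and that mask were chosen, and nothing in the patch checks that queue 127 exists on the port being configured. Name the values with #defines and a comment, or derive drop_queue from the number of RX queues actually set up.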
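
Review bot: check_flow_params() in ipsec-secgw.c returns 1 when nb_lcore_params is 0, because the for loop never runs and the only failure return sits inside it ("if (i == nb_lcore_params - 1) return -1;"), so any port/queue pair is accepted in that case. Move the failure out of the loop: return as soon as port and queue both match, and return -1 after the loop. The function is also non-static with no comment on its return convention (1 for valid, -1 for invalid), which differs from the 0/-1 used by create_ipsec_esp_flow() in the same patch.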
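
Review bot: In the main() hunk of ipsec-secgw.c, the FDIR branch writes to the file-scope port_conf ("port_conf.fdir_conf.mode = RTE_FDIR_MODE_PERFECT", "port_conf.rxmode.mq_mode = ETH_MQ_RX_NONE", "rss_hf = 0") and never restores it, so every port handled later in the loop is also initialised with RSS disabled and FDIR enabled, even if it has no flow-direction SA. Apply the change to a per-port copy or reset the fields in an else branch. The commit message should also say what happens to SAs on the FDIR port that do not carry flow-direction once RSS is switched off.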
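
Review bot: create_ipsec_esp_flow() in ipsec.c stores the address of a compound literal in sa->action[0].conf ("&(struct rte_flow_action_queue){ .index = sa->fdir_qid }"); the literal has automatic storage, so the pointer kept in the SA dangles once the function returns. Keep the rte_flow_action_queue in struct ipsec_sa alongside ipv4_spec and esp_spec, or clear action[0].conf before returning. In the same function, neither failure path prints err.message from the rte_flow_error that was passed in, the transport-mode log string has no trailing newline, and an SA that is neither IS_IP6 nor IS_IP4 reaches rte_flow_validate() with pattern[1] onward never filled in.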
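
Review bot: In the flow-direction branch of parse_sa_tokens() in sa.c, a port/queue pair that fails check_flow_params() only triggers a printf and then "continue", so the rule is still accepted with fdir_flag set. Fail the parse through APP_CHECK, as the code just below does for unrecognized input. The two values are also read with atoi() straight into the uint16_t fdir_portid and uint8_t fdir_qid fields, so non-numeric, negative or out-of-range tokens are silently converted or truncated; use a checked conversion and reject values that do not fit the field.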
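
Review bot: In the sa_add_rules() hunk of sa.c, a failure of create_ipsec_esp_flow() is logged and then ignored: rc is not returned, the SA is added anyway, and print_one_sa_rule() still prints the flow-direction setting because fdir_flag stays set, so the startup output shows a steering rule that was never installed. Return the error as the -EINVAL path just above does, or clear sa->fdir_flag before printing. The hunk also deletes the blank line after the preceding block, which is an unrelated whitespace change.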
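
Review bot: check_fdir_configured() in sa.c returns the fdir_flag of the first inbound SA whose fdir_portid equals portid, whether or not that SA has flow-direction set, so the result depends on rule order: an SA without the option whose fdir_portid happens to match (for example a zero default matching port 0) hides every later SA that does have it. Test both fields together, "if (sa->fdir_flag && sa->fdir_portid == portid) return 1;", and keep the "return 0" after the loop.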