From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 09FACA057B; Thu, 2 Apr 2020 13:15:45 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id D7A811BE91; Thu, 2 Apr 2020 13:15:38 +0200 (CEST) Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by dpdk.org (Postfix) with ESMTP id 728C02B8B for ; Thu, 2 Apr 2020 13:15:36 +0200 (CEST) IronPort-SDR: qJZI7uFOtebj/vj9gHLIaSHtapnO6uvzoIqyY3VNhUQG7jKyCEuJP94tqj48er1gV1XNgFlMP9 MMxG5mZ7LZKw== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Apr 2020 04:15:35 -0700 IronPort-SDR: Gaek8GXfIsS++4F4tMhRBGVLY/94WQ5SrZhdNcSxcY9NRYcP9GaIU1Q41pQHBcGmeLBdB/cxjW 0ul4KovWa5Rg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.72,335,1580803200"; d="scan'208";a="238494445" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by orsmga007.jf.intel.com with ESMTP; 02 Apr 2020 04:15:34 -0700 Received: from fmsmsx102.amr.corp.intel.com (10.18.124.200) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 2 Apr 2020 04:15:34 -0700 Received: from FMSEDG001.ED.cps.intel.com (10.1.192.133) by FMSMSX102.amr.corp.intel.com (10.18.124.200) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 2 Apr 2020 04:15:34 -0700 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.107) by edgegateway.intel.com (192.55.55.68) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 2 Apr 2020 04:15:34 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jtb5ercRoG31ZXCIbjjmkOhbRRUbwa4mvjeaX94gfcravJeI/kqnSxGzoepoNBtjQIOkOV01x5QVMPXAO9/xFYxt3W8H/pLNB0zmEYHkWiqAgDnEXXUnvHZfvandmdJ/Gsr47GDgiJu2nRl3DHq/FNaejB2+v5dt6svRdzaA6twkEKBeNKt3YjwgOwthP2DzAMogFSqhXJTlp70O8ABf88bB7GNSCGBHELvmQdxHNyfPtXrsnaZD8f5OeGBUIdKjrGUjaJPhzjtjSqtAyGfSGNcjBUsvY0J6pkMZwUGz6+zg1S0qj+x1rv+kYYFAIbzCwUcSr1QjRvmXasGfV9OsNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nhrCBZ0Iu5m0y7ao/5ip+N/062SWESDkt+e5w6/iRQo=; b=MJY15zHhXVdgEEFMzoUjWSD6RF/9X7xW9p5SVgmOLBD5z+ML1BnvUN5Coh5a3P4n12G6SxyBpgSJZEU+yhezI4ZEglAxX0H2rLh8sNT92ddXUzsCUqTq9GraeVkzMQiSadRaoVFj53SLCLHk3c2DZpdyPTMnaEvMsgzo/P7oskmjo4gOto5GlIEr0itWLcJAMkocTwdwM9WIwdXZBQBoLcfYHmp2Dlr5ABx3ToZ2476L3e8XXf5kq1XxYBoVh3zsOmG8fkThMmPjM+i0zqYuwvaO8bvFe6AEIGXoAQb6OdNc8+ALgh8KpSS8f8uPG/hctm+eLvj9dB2ZIeEpgi3HYQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nhrCBZ0Iu5m0y7ao/5ip+N/062SWESDkt+e5w6/iRQo=; b=iEvgfR4psCi7moh1b/nDf8HNdL/n2IuS1wCuuih8uiekgMVdYSj4lf2i+xUOgMSBoLwMAhgzCiUhUzJu7v6YzvB/DgUGWDL06kSxCPf24mEZkY8xr2REcqYeuz1vyFjyiU6USrUjgPEdTNULryBSliAVQwRte/Y6OpzJlwylJO4= Received: from CY4PR1101MB2326.namprd11.prod.outlook.com (2603:10b6:903:b3::23) by CY4PR1101MB2149.namprd11.prod.outlook.com (2603:10b6:910:1a::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.15; Thu, 2 Apr 2020 11:15:31 +0000 Received: from CY4PR1101MB2326.namprd11.prod.outlook.com ([fe80::58c7:7df:1b11:9c56]) by CY4PR1101MB2326.namprd11.prod.outlook.com ([fe80::58c7:7df:1b11:9c56%4]) with mapi id 15.20.2878.016; Thu, 2 Apr 2020 11:15:31 +0000 From: "Shetty, Praveen" To: Akhil Goyal , Anoob Joseph , "dev@dpdk.org" , "Doherty, Declan" CC: "Iremonger, Bernard" , "Ananyev, Konstantin" Thread-Topic: [dpdk-dev] [PATCH v3] examples/ipsec-secgw: support flow director feature Thread-Index: AQHWB21j5HkqDy6rKEmMZa4tRnuQr6hkQZWAgAAB+wCAAAeLAIABVj9A Date: Thu, 2 Apr 2020 11:15:31 +0000 Message-ID: References: <20200319162145.28906-1-praveen.shetty@intel.com> <20200331130211.24761-1-praveen.shetty@intel.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiOTA2ZmFjMWItYTY1Ny00OTZkLThjNDEtNDg2ZWI4ZWIwZDAxIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoia0ZYNnhIZzFtUUxLYWhSaWo5dVNmTHpEZ2VMWllpbWNYd1dZak03aUFBc1JFV1wvKzZVSVVOT3JvM3VIV1pFWWEifQ== dlp-product: dlpe-windows dlp-reaction: no-action dlp-version: 11.2.0.6 x-ctpclassification: CTP_NT authentication-results: spf=none (sender IP is ) smtp.mailfrom=praveen.shetty@intel.com; x-originating-ip: [192.55.79.119] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 88b48c19-68f3-486b-a002-08d7d6f72858 x-ms-traffictypediagnostic: CY4PR1101MB2149: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:4941; x-forefront-prvs: 0361212EA8 x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR1101MB2326.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(366004)(39860400002)(396003)(376002)(346002)(136003)(71200400001)(33656002)(7696005)(5660300002)(53546011)(30864003)(6506007)(86362001)(52536014)(186003)(316002)(2906002)(81166006)(107886003)(81156014)(66946007)(6636002)(54906003)(478600001)(9686003)(55016002)(66446008)(76116006)(4326008)(66556008)(26005)(110136005)(8936002)(66476007)(64756008); DIR:OUT; SFP:1102; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: y8GTTqQF1apMTQN1VPuuwRqLEBa8M340L+oJ71TP9iqhbSUwj6EfNzJxAjnT8hYbT7SPyVcEt4CZ2pPg/Y2+GjdS34/gHHxFH2cYbgsKdTfdeQXEli8ZIvVIxtcZ2oFwsNAyN+ciXugSSYlEvAX5OU1wI3Vl1f1gJkUSlUyBKmZ/O7ulROVZQQJaukLbulMt356h4u0hzY3XK7dekCSV20VPUimXj5RI1rjUPF446A+D2gnWoc8QB8kpYvObnOtL7a1nFFnRgTOxngaETR80rzVJa62L9QBE+IC/V75TrP3XFDhMEGx8xCKZ/H/T0Rg6mSxStr3E3OCc832ZY05tbSi4Lah/DN8bbdu+YNf/iGrOgHfx0a9cahuCNWx1/KqiGR1rYbpux31pqnA3U5QM5RtSrXatW5FWVXFf/ehaxX0Whe79Q0m7vPPzSDTcgfrf x-ms-exchange-antispam-messagedata: Xxbu2arMDIMBijbhF2NbiCM3wJ0ZxMAyh0GDexG3TMNLD5/xos4kK0ipRsAa5oy8LNxibTwAMFBIjW8sRGBEfq257KV16IG4Nv0ay1DX8UHc0eWPTzyArfnNtPtuRQ1ho3dN0CP8FPw5aIiyoAywuA== Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: 88b48c19-68f3-486b-a002-08d7d6f72858 X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Apr 2020 11:15:31.6128 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: CBnGb7x7516WHooprRdh2rwsJ6J6PygYQgkXWJ8DNZiRfM0Nl5JgHKoy3PFBzSwdfS/4bFMP846G6sIzuE3pVlLtoCGh/XQh1oUk3FVzYTc= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1101MB2149 X-OriginatorOrg: intel.com Subject: Re: [dpdk-dev] [PATCH v3] examples/ipsec-secgw: support flow director feature X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" -----Original Message----- From: Akhil Goyal =20 Sent: Wednesday, April 1, 2020 7:24 PM To: Anoob Joseph ; Shetty, Praveen ; dev@dpdk.org; Doherty, Declan Cc: Iremonger, Bernard ; Ananyev, Konstantin <= konstantin.ananyev@intel.com> Subject: RE: [dpdk-dev] [PATCH v3] examples/ipsec-secgw: support flow direc= tor feature > -----Original Message----- > From: Anoob Joseph > Sent: Wednesday, April 1, 2020 6:57 PM > To: Akhil Goyal ; Praveen Shetty=20 > ; dev@dpdk.org; declan.doherty@intel.com > Cc: bernard.iremonger@intel.com; konstantin.ananyev@intel.com > Subject: RE: [dpdk-dev] [PATCH v3] examples/ipsec-secgw: support flow=20 > director feature >=20 > Hi Akhil, Praveen, >=20 > Can't rte_flow and RSS co-exist? In rte_flow there is an ACTION type=20 > RSS in addition to QUEUE. With this patch, if rte_flow is enabled on=20 > any SA, then RSS would be disabled for the entire port. Is that the=20 > right behavior? And if we have to address this later, what would be the c= ourse of action? >=20 Yes they can co-exist I believe. What this patch is doing is assigning a fi= xed queue to A flow which user can control for an SA. RSS is based on hash = and user doesnot have Control on it. Removing RSS on entire port is not desirable and it should not be done. Pro= bably there Should be a mechanism to disable RSS on that particular flow. [Praveen] We will remove the code which disables RSS on entire port in V4.= =20 meanwhile we will also explore a way to disable the RSS on the queue which = the SA is associated with.=20 future the idea would be only to disable the queue which the SA is associat= ed with > Also, is flow director the right name we should use? Internally it is rte= _flow, right? Name can be anything, I don't feel issue in either flow director or rte_flo= w. >=20 > Thanks, > Anoob >=20 > > -----Original Message----- > > From: Akhil Goyal > > Sent: Wednesday, April 1, 2020 6:50 PM > > To: Praveen Shetty ; dev@dpdk.org;=20 > > declan.doherty@intel.com; Anoob Joseph > > Cc: bernard.iremonger@intel.com; konstantin.ananyev@intel.com > > Subject: [EXT] RE: [dpdk-dev] [PATCH v3] examples/ipsec-secgw:=20 > > support flow director feature > > > > External Email > > > > -------------------------------------------------------------------- > > -- > > Hi Praveen, > > > > Sorry for being late to reply on this, Please delegate the patches=20 > > properly from next time in patchworks. > > This patch was neither delegated to me, nor I was in to/cc. So it got m= issed. [Praveen] sorry , I forgot to include you. Will do it from next time. > > > > > > > > Support load distribution in security gateway application using=20 > > > NIC load distribution feature(Flow Director). > > > Flow Director is used to redirect the specified inbound ipsec flow=20 > > > to a specified queue.This is achieved by extending the SA rule=20 > > > syntax to support specification by adding new action_type of=20 > > > to a specified . > > > > > > > Please add documentation (doc/guides/sample_app_ug/ipsec_secgw.rst) > > changes to explain the new parameter. [Praveen] Will do it in v4. > > > > > Signed-off-by: Praveen Shetty > > > --- > > > v3 changes: > > > Incorporated Anoob review comments on v2. > > > > > > > > > > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-=20 > > > secgw/ipsec-secgw.c index ce36e6d9c..4400b075c 100644 > > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > > @@ -246,6 +246,30 @@ static struct rte_eth_conf port_conf =3D { > > > .txmode =3D { > > > .mq_mode =3D ETH_MQ_TX_NONE, > > > }, > > > + .fdir_conf =3D { > > > > Fdir_conf is a deprecated parameter. It is not good to introduce=20 > > Something > new > > in the application with a deprecated parameter. > > Please use the recommended way to configure flows. [Praveen] We will check and do it in v4. > > > > > + .mode =3D RTE_FDIR_MODE_NONE, > > > + .pballoc =3D RTE_FDIR_PBALLOC_64K, > > > + .status =3D RTE_FDIR_REPORT_STATUS, > > > + .mask =3D { > > > + .vlan_tci_mask =3D 0xFFEF, > > > + .ipv4_mask =3D { > > > + .src_ip =3D 0xFFFFFFFF, > > > + .dst_ip =3D 0xFFFFFFFF, > > > + }, > > > + .ipv6_mask =3D { > > > + .src_ip =3D {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, > > > + 0xFFFFFFFF}, > > > + .dst_ip =3D {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, > > > + 0xFFFFFFFF}, > > > + }, > > > + .src_port_mask =3D 0xFFFF, > > > + .dst_port_mask =3D 0xFFFF, > > > + .mac_addr_byte_mask =3D 0xFF, > > > + .tunnel_type_mask =3D 1, > > > + .tunnel_id_mask =3D 0xFFFFFFFF, > > > + }, > > > + .drop_queue =3D 127, > > > + } > > > }; > > > > > > struct socket_ctx socket_ctx[NB_SOCKETS]; @@ -1183,6 +1207,28 @@ > > > ipsec_poll_mode_worker(void) > > > } > > > } > > > > > > +int > > > +check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid) { > > > + uint16_t i; > > > + uint16_t portid; > > > + uint8_t queueid; > > > + > > > + for (i =3D 0; i < nb_lcore_params; ++i) { > > > + portid =3D lcore_params_array[i].port_id; > > > + if (portid =3D=3D fdir_portid) { > > > + queueid =3D lcore_params_array[i].queue_id; > > > + if (queueid =3D=3D fdir_qid) > > > + break; > > > + } > > > + > > > + if (i =3D=3D nb_lcore_params - 1) > > > + return -1; > > > + } > > > + > > > + return 1; > > > +} > > > + > > > static int32_t > > > check_poll_mode_params(struct eh_conf *eh_conf) { @@ -2813,6 > > > +2859,15 @@ main(int32_t argc, char **argv) > > > > > > sa_check_offloads(portid, &req_rx_offloads[portid], > > > &req_tx_offloads[portid]); > > > + /* check if FDIR is configured on the port */ > > > + if (check_fdir_configured(portid)) { > > > + /* Enable FDIR */ > > > + port_conf.fdir_conf.mode =3D > > > RTE_FDIR_MODE_PERFECT; > > > + /* Disable RSS */ > > > + port_conf.rxmode.mq_mode =3D ETH_MQ_RX_NONE; > > > + port_conf.rx_adv_conf.rss_conf.rss_hf =3D 0; > > > + port_conf.rx_adv_conf.rss_conf.rss_key =3D NULL; > > > + } > > > port_init(portid, req_rx_offloads[portid], > > > req_tx_offloads[portid]); > > > } > > > diff --git a/examples/ipsec-secgw/ipsec.c=20 > > > b/examples/ipsec-secgw/ipsec.c index d40657102..76ee9dbcf 100644 > > > --- a/examples/ipsec-secgw/ipsec.c > > > +++ b/examples/ipsec-secgw/ipsec.c > > > @@ -418,6 +418,73 @@ create_inline_session(struct socket_ctx=20 > > > *skt_ctx, struct ipsec_sa *sa, > > > return 0; > > > } > > > > > > +int > > > +create_ipsec_esp_flow(struct ipsec_sa *sa) { > > > + int ret =3D 0; > > > + struct rte_flow_error err; > > > + if (sa->direction =3D=3D RTE_SECURITY_IPSEC_SA_DIR_EGRESS) > > > + return 0; /* No Flow director rules for Egress traffic */ > > > + if (sa->flags =3D=3D TRANSPORT) { > > > + RTE_LOG(ERR, IPSEC, > > > + "No Flow director rule for transport mode:"); > > > + return -1; > > > + } > > > + sa->action[0].type =3D RTE_FLOW_ACTION_TYPE_QUEUE; > > > + sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; > > > + sa->action[0].conf =3D > > > + &(struct rte_flow_action_queue){ > > > + .index =3D sa->fdir_qid, > > > + }; > > > + sa->attr.egress =3D 0; > > > + sa->attr.ingress =3D 1; > > > + if (IS_IP6(sa->flags)) { > > > + sa->pattern[1].mask =3D &rte_flow_item_ipv6_mask; > > > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV6; > > > + sa->pattern[1].spec =3D &sa->ipv6_spec; > > > + memcpy(sa->ipv6_spec.hdr.dst_addr, > > > + sa->dst.ip.ip6.ip6_b, sizeof(sa->dst.ip.ip6.ip6_b)); > > > + memcpy(sa->ipv6_spec.hdr.src_addr, > > > + sa->src.ip.ip6.ip6_b, sizeof(sa->src.ip.ip6.ip6_b)); > > > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > > > + sa->pattern[2].spec =3D &sa->esp_spec; > > > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > > > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > > > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > > > + } else if (IS_IP4(sa->flags)) { > > > + sa->pattern[1].mask =3D &rte_flow_item_ipv4_mask; > > > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > > > + sa->pattern[1].spec =3D &sa->ipv4_spec; > > > + sa->ipv4_spec.hdr.dst_addr =3D sa->dst.ip.ip4; > > > + sa->ipv4_spec.hdr.src_addr =3D sa->src.ip.ip4; > > > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > > > + sa->pattern[2].spec =3D &sa->esp_spec; > > > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > > > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > > > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > > > + } > > > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; > > > + > > > + ret =3D rte_flow_validate(sa->portid, &sa->attr, > > > + sa->pattern, sa->action, > > > + &err); > > > + if (ret < 0) { > > > + RTE_LOG(ERR, IPSEC, > > > + "Flow Validation failed\n"); > > > + return ret; > > > + } > > > + sa->flow =3D rte_flow_create(sa->portid, > > > + &sa->attr, sa->pattern, sa->action, > > > + &err); > > > + if (!sa->flow) { > > > + RTE_LOG(ERR, IPSEC, > > > + "Flow Creation failed\n"); > > > + return -1; > > > + } > > > + > > > + return 0; > > > +} > > > + > > > /* > > > * queue crypto-ops into PMD queue. > > > */ > > > diff --git a/examples/ipsec-secgw/ipsec.h=20 > > > b/examples/ipsec-secgw/ipsec.h index f8f29f9b1..b0e9f45cb 100644 > > > --- a/examples/ipsec-secgw/ipsec.h > > > +++ b/examples/ipsec-secgw/ipsec.h > > > @@ -144,6 +144,8 @@ struct ipsec_sa { > > > }; > > > enum rte_security_ipsec_sa_direction direction; > > > uint16_t portid; > > > + uint8_t fdir_qid; > > > + uint8_t fdir_flag; > > > > > > #define MAX_RTE_FLOW_PATTERN (4) > > > #define MAX_RTE_FLOW_ACTIONS (3) > > > @@ -408,5 +410,12 @@ create_lookaside_session(struct ipsec_ctx=20 > > > *ipsec_ctx, struct ipsec_sa *sa, int =20 > > > create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa= , > > > struct rte_ipsec_session *ips); > > > +int > > > +check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid); > > > + > > > +int > > > +create_ipsec_esp_flow(struct ipsec_sa *sa); > > > > > > +int > > > +check_fdir_configured(uint16_t portid); > > > #endif /* __IPSEC_H__ */ > > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c=20 > > > index 0eb52d141..ddd275142 100644 > > > --- a/examples/ipsec-secgw/sa.c > > > +++ b/examples/ipsec-secgw/sa.c > > > @@ -271,6 +271,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > > > uint32_t type_p =3D 0; > > > uint32_t portid_p =3D 0; > > > uint32_t fallback_p =3D 0; > > > + int16_t status_p =3D 0; > > > > > > if (strcmp(tokens[0], "in") =3D=3D 0) { > > > ri =3D &nb_sa_in; > > > @@ -295,6 +296,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > > > if (atoi(tokens[1]) =3D=3D INVALID_SPI) > > > return; > > > rule->spi =3D atoi(tokens[1]); > > > + rule->portid =3D UINT16_MAX; > > > ips =3D ipsec_get_primary_session(rule); > > > > > > for (ti =3D 2; ti < n_tokens; ti++) { @@ -636,9 +638,14 @@=20 > > > parse_sa_tokens(char **tokens, uint32_t n_tokens, > > > INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > > > if (status->status < 0) > > > return; > > > - rule->portid =3D atoi(tokens[ti]); > > > - if (status->status < 0) > > > + if (rule->portid =3D=3D UINT16_MAX) > > > + rule->portid =3D atoi(tokens[ti]); > > > + else if (rule->portid !=3D atoi(tokens[ti])) { > > > + APP_CHECK(0, status, "portid %s " > > > + "not matching with already assigned portid > > %u", > > > + tokens[ti], rule->portid); > > > return; > > > + } > > > portid_p =3D 1; > > > continue; > > > } > > > @@ -681,6 +688,43 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens= , > > > fallback_p =3D 1; > > > continue; > > > } > > > + if (strcmp(tokens[ti], "flow-direction") =3D=3D 0) { > > > + if (ips->type =3D=3D > > > + > > > RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || > > > + ips->type =3D=3D > > > + > > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL || > > > + ips->type =3D=3D > > > + > > > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > > > + APP_CHECK(0, status, "Flow Director not " > > > + "supported for security session " > > > + "type:%d", ips->type); > > > + return; > > > + } > > It means it is supported in cpu crypto as well?=20 [Praveen] As of now we have validated only on "RTE_SECURITY_ACTION_TYPE_NON= E" and CPU crypto is independent of the IO device similar to action type NO= NE. And also it should be supported in other crypto devices as well but we have= not included them here because we have not validated. > >Better to have a check for the supported Action types, as in the future = there may be some other action types. [Praveen] We will fix this in V4. > > > > > + rule->fdir_flag =3D 1; > > > + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > > > + if (status->status < 0) > > > + return; > > > + if (rule->portid =3D=3D UINT16_MAX) > > > + rule->portid =3D atoi(tokens[ti]); > > > + else if (rule->portid !=3D atoi(tokens[ti])) { > > > + APP_CHECK(0, status, "portid %s " > > > + "not matching with already assigned portid > > %u", > > > + tokens[ti], rule->portid); > > > + return; > > > + } > > > + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > > > + if (status->status < 0) > > > + return; > > > + rule->fdir_qid =3D atoi(tokens[ti]); > > > + /* validating portid and queueid */ > > > + status_p =3D check_flow_params(rule->portid, > > > + rule->fdir_qid); > > > + if (status_p < 0) { > > > + printf("port id %u / queue id %u is not valid\n", > > > + rule->portid, rule->fdir_qid); > > > + } > > > + continue; > > > + } > > > > > > /* unrecognizeable input */ > > > APP_CHECK(0, status, "unrecognized input \"%s\"", @@ -719,7 > > +763,6 > > > @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > > > if (!type_p || (!portid_p && ips->type !=3D > > > RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) { > > > ips->type =3D RTE_SECURITY_ACTION_TYPE_NONE; > > > - rule->portid =3D -1; > > > } > > > > > > *ri =3D *ri + 1; > > > @@ -823,6 +866,9 @@ print_one_sa_rule(const struct ipsec_sa *sa,=20 > > > int > > inbound) > > > break; > > > } > > > } > > > + if (sa->fdir_flag =3D=3D 1) > > > + printf("flow-direction %d %d", sa->portid, sa->fdir_qid); > > > > Better to print like below. > > printf("flow-direction port %d queue %d ", sa->portid, sa->fdir_qid) [Praveen] Will do it in V4. > > > > > + > > > printf("\n"); > > > } > > >