From: "Shetty, Praveen" <praveen.shetty@intel.com>
To: "dev@dpdk.org" <dev@dpdk.org>,
"Doherty, Declan" <declan.doherty@intel.com>,
"akhil.goyal@nxp.com" <akhil.goyal@nxp.com>,
"anoobj@marvell.com" <anoobj@marvell.com>
Cc: "Iremonger, Bernard" <bernard.iremonger@intel.com>,
"Ananyev, Konstantin" <konstantin.ananyev@intel.com>
Subject: Re: [dpdk-dev] [PATCH v5] examples/ipsec-secgw: support flow director feature
Date: Tue, 14 Apr 2020 07:33:35 +0000 [thread overview]
Message-ID: <CY4PR1101MB2326B9012721CD3F49A1734D9DDA0@CY4PR1101MB2326.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20200409100950.37292-1-praveen.shetty@intel.com>
Hi Akhil/Anoob
Do you have any further review comments ?
Regards,
Praveen
-----Original Message-----
From: dev <dev-bounces@dpdk.org> On Behalf Of Praveen Shetty
Sent: Thursday, April 9, 2020 3:40 PM
To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>; akhil.goyal@nxp.com; anoobj@marvell.com
Cc: Iremonger, Bernard <bernard.iremonger@intel.com>; Ananyev, Konstantin <konstantin.ananyev@intel.com>
Subject: [dpdk-dev] [PATCH v5] examples/ipsec-secgw: support flow director feature
Support load distribution in security gateway application using NIC load distribution feature(Flow Director).
Flow Director is used to redirect the specified inbound ipsec flow to a specified queue.This is achieved by extending the SA rule syntax to support specification by adding new action_type of <flow-direction> to a specified <port_id> <queue_id>.
Signed-off-by: Praveen Shetty <praveen.shetty@intel.com>
---
v5 changes:
Small change in condtional handling in sa.c file.
v4 changes:
1. Removed flow director configuration changes as they are not
required anymore.
2. Addressed all the review comments from Akhil and Anoob.
3. Included update to the ipsec-secgw user guide and update to release notes.
doc/guides/rel_notes/release_20_05.rst | 4 ++
doc/guides/sample_app_ug/ipsec_secgw.rst | 16 ++++++
examples/ipsec-secgw/ep0.cfg | 11 ++++
examples/ipsec-secgw/ipsec-secgw.c | 22 ++++++++
examples/ipsec-secgw/ipsec.c | 67 ++++++++++++++++++++++++
examples/ipsec-secgw/ipsec.h | 7 +++
examples/ipsec-secgw/sa.c | 63 ++++++++++++++++++++--
7 files changed, 186 insertions(+), 4 deletions(-)
diff --git a/doc/guides/rel_notes/release_20_05.rst b/doc/guides/rel_notes/release_20_05.rst
index 6b1a7c58c..a9ec163cf 100644
--- a/doc/guides/rel_notes/release_20_05.rst
+++ b/doc/guides/rel_notes/release_20_05.rst
@@ -81,6 +81,10 @@ New Features
by making use of the event device capabilities. The event mode currently supports
only inline IPsec protocol offload.
+* **Updated ipsec-secgw application.**
+
+ Added IPsec inbound load-distribution support for ipsec-secgw
+ application using NIC load distribution feature(Flow Director).
Removed Items
-------------
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 038f593f4..12f921d76 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -506,6 +506,7 @@ The SA rule syntax is shown as follows:
sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
<mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
+ <flow-direction> <port_id> <queue_id>
where each options means:
@@ -698,6 +699,18 @@ where each options means:
* *fallback lookaside-none*
+``<flow-direction>``
+
+ * Action type is for redirecting the specific inbound ipsec-flow to
+ a specified queue.
+
+ * Optional: Yes.
+
+ * Available options:
+
+ * *port_id*: Port ID of the NIC for which the SA is configured.
+ * *queue_id*: Queue ID to which traffic should be redirected.
+
Example SA rules:
.. code-block:: console
@@ -727,6 +740,9 @@ Example SA rules:
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 \
type inline-crypto-offload port_id 0
+ sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.7 \
+ dst 172.16.1.7 flow-direction 0 2
+
Routing rule syntax
^^^^^^^^^^^^^^^^^^^
diff --git a/examples/ipsec-secgw/ep0.cfg b/examples/ipsec-secgw/ep0.cfg index dfd4aca7d..6f8d5aa53 100644
--- a/examples/ipsec-secgw/ep0.cfg
+++ b/examples/ipsec-secgw/ep0.cfg
@@ -29,6 +29,7 @@ sp ipv4 in esp protect 111 pri 1 dst 192.168.186.0/24 sport 0:65535 dport 0:6553 sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535 sp ipv4 in esp protect 116 pri 1 dst 192.168.211.0/24 sport 0:65535 dport 0:65535 sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
+sp ipv4 in esp protect 117 pri 1 dst 192.168.212.0/24 sport 0:65535
+dport 0:65535
sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535 sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535 sp ipv4 in esp protect 126 pri 1 dst 192.168.66.0/24 sport 0:65535 dport 0:65535 @@ -61,6 +62,8 @@ sp ipv6 in esp protect 125 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96
sport 0:65535 dport 0:65535
sp ipv6 in esp protect 126 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \ sport 0:65535 dport 0:65535
+sp ipv6 in esp protect 127 pri 1 dst
+ffff:0000:0000:0000:cccc:dddd:0000:0000/96 \ sport 0:65535 dport
+0:65535
#SA rules
sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ @@ -118,6 +121,9 @@ dst 172.16.1.5
sa in 116 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6
+sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src
+172.16.2.7 \ dst 172.16.1.7 flow-direction 0 2
+
sa in 125 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \ @@ -130,6 +136,11 @@ sa in 126 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
src 2222:2222:2222:2222:2222:2222:2222:6666 \ dst 1111:1111:1111:1111:1111:1111:1111:6666
+sa in 127 cipher_algo null auth_algo null mode ipv6-tunnel \ src
+2222:2222:2222:2222:2222:2222:2222:7777 \ dst
+1111:1111:1111:1111:1111:1111:1111:7777 \ flow-direction 0 3
+
#Routing rules
rt ipv4 dst 172.16.2.5/32 port 0
rt ipv4 dst 172.16.2.6/32 port 1
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 5fde4f728..6d02341de 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -1183,6 +1183,28 @@ ipsec_poll_mode_worker(void)
}
}
+int
+check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid) {
+ uint16_t i;
+ uint16_t portid;
+ uint8_t queueid;
+
+ for (i = 0; i < nb_lcore_params; ++i) {
+ portid = lcore_params_array[i].port_id;
+ if (portid == fdir_portid) {
+ queueid = lcore_params_array[i].queue_id;
+ if (queueid == fdir_qid)
+ break;
+ }
+
+ if (i == nb_lcore_params - 1)
+ return -1;
+ }
+
+ return 1;
+}
+
static int32_t
check_poll_mode_params(struct eh_conf *eh_conf) { diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index d40657102..461fae461 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -418,6 +418,73 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
return 0;
}
+int
+create_ipsec_esp_flow(struct ipsec_sa *sa) {
+ int ret = 0;
+ struct rte_flow_error err;
+ if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ RTE_LOG(ERR, IPSEC,
+ "No Flow director rule for Egress traffic\n");
+ return -1;
+ }
+ if (sa->flags == TRANSPORT) {
+ RTE_LOG(ERR, IPSEC,
+ "No Flow director rule for transport mode\n");
+ return -1;
+ }
+ sa->action[0].type = RTE_FLOW_ACTION_TYPE_QUEUE;
+ sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
+ sa->action[0].conf =
+ &(struct rte_flow_action_queue){
+ .index = sa->fdir_qid,
+ };
+ sa->attr.egress = 0;
+ sa->attr.ingress = 1;
+ if (IS_IP6(sa->flags)) {
+ sa->pattern[1].mask = &rte_flow_item_ipv6_mask;
+ sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV6;
+ sa->pattern[1].spec = &sa->ipv6_spec;
+ memcpy(sa->ipv6_spec.hdr.dst_addr,
+ sa->dst.ip.ip6.ip6_b, sizeof(sa->dst.ip.ip6.ip6_b));
+ memcpy(sa->ipv6_spec.hdr.src_addr,
+ sa->src.ip.ip6.ip6_b, sizeof(sa->src.ip.ip6.ip6_b));
+ sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
+ sa->pattern[2].spec = &sa->esp_spec;
+ sa->pattern[2].mask = &rte_flow_item_esp_mask;
+ sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
+ sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+ } else if (IS_IP4(sa->flags)) {
+ sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
+ sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
+ sa->pattern[1].spec = &sa->ipv4_spec;
+ sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
+ sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
+ sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
+ sa->pattern[2].spec = &sa->esp_spec;
+ sa->pattern[2].mask = &rte_flow_item_esp_mask;
+ sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
+ sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+ }
+ sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
+
+ ret = rte_flow_validate(sa->portid, &sa->attr, sa->pattern, sa->action,
+ &err);
+ if (ret < 0) {
+ RTE_LOG(ERR, IPSEC, "Flow validation failed %s\n", err.message);
+ return ret;
+ }
+
+ sa->flow = rte_flow_create(sa->portid, &sa->attr, sa->pattern,
+ sa->action, &err);
+ if (!sa->flow) {
+ RTE_LOG(ERR, IPSEC, "Flow creation failed %s\n", err.message);
+ return -1;
+ }
+
+ return 0;
+}
+
/*
* queue crypto-ops into PMD queue.
*/
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index f8f29f9b1..1790a93ca 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -144,6 +144,8 @@ struct ipsec_sa {
};
enum rte_security_ipsec_sa_direction direction;
uint16_t portid;
+ uint8_t fdir_qid;
+ uint8_t fdir_flag;
#define MAX_RTE_FLOW_PATTERN (4)
#define MAX_RTE_FLOW_ACTIONS (3)
@@ -408,5 +410,10 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, int create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
struct rte_ipsec_session *ips);
+int
+check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid);
+
+int
+create_ipsec_esp_flow(struct ipsec_sa *sa);
#endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index a6bf5e8b1..06bb25b3e 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -271,6 +271,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
uint32_t type_p = 0;
uint32_t portid_p = 0;
uint32_t fallback_p = 0;
+ int16_t status_p = 0;
if (strcmp(tokens[0], "in") == 0) {
ri = &nb_sa_in;
@@ -295,6 +296,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
if (atoi(tokens[1]) == INVALID_SPI)
return;
rule->spi = atoi(tokens[1]);
+ rule->portid = UINT16_MAX;
ips = ipsec_get_primary_session(rule);
for (ti = 2; ti < n_tokens; ti++) {
@@ -636,9 +638,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
- rule->portid = atoi(tokens[ti]);
- if (status->status < 0)
+ if (rule->portid == UINT16_MAX)
+ rule->portid = atoi(tokens[ti]);
+ else if (rule->portid != atoi(tokens[ti])) {
+ APP_CHECK(0, status, "portid %s not matching "
+ "with already assigned portid %u",
+ tokens[ti], rule->portid);
return;
+ }
portid_p = 1;
continue;
}
@@ -683,6 +690,44 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
fallback_p = 1;
continue;
}
+ if (strcmp(tokens[ti], "flow-direction") == 0) {
+ if (ips->type ==
+ RTE_SECURITY_ACTION_TYPE_NONE ||
+ ips->type ==
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
+ rule->fdir_flag = 1;
+ INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+ if (status->status < 0)
+ return;
+ if (rule->portid == UINT16_MAX)
+ rule->portid = atoi(tokens[ti]);
+ else if (rule->portid != atoi(tokens[ti])) {
+ APP_CHECK(0, status, "portid %s "
+ "not matching with already "
+ "assigned portid %u",
+ tokens[ti], rule->portid);
+ return;
+ }
+ INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+ if (status->status < 0)
+ return;
+ rule->fdir_qid = atoi(tokens[ti]);
+ /* validating portid and queueid */
+ status_p = check_flow_params(rule->portid,
+ rule->fdir_qid);
+ if (status_p < 0) {
+ printf("port id %u / queue id %u is "
+ "not valid\n", rule->portid,
+ rule->fdir_qid);
+ }
+ } else {
+ APP_CHECK(0, status, "flow director not "
+ "supported for security session "
+ "type:%d", ips->type);
+ return;
+ }
+ continue;
+ }
/* unrecognizeable input */
APP_CHECK(0, status, "unrecognized input \"%s\"", @@ -721,7 +766,6 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
if (!type_p || (!portid_p && ips->type !=
RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) {
ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
- rule->portid = -1;
}
*ri = *ri + 1;
@@ -806,7 +850,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
printf("lookaside-protocol-offload ");
break;
case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
- printf("cpu-crypto-accelerated");
+ printf("cpu-crypto-accelerated ");
break;
}
@@ -825,6 +869,10 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
break;
}
}
+ if (sa->fdir_flag == 1)
+ printf("flow-direction port %d queue %d", sa->portid,
+ sa->fdir_qid);
+
printf("\n");
}
@@ -1143,6 +1191,13 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
}
}
+ if (sa->fdir_flag && inbound) {
+ rc = create_ipsec_esp_flow(sa);
+ if (rc != 0)
+ RTE_LOG(ERR, IPSEC_ESP,
+ "create_ipsec_esp_flow() failed %s\n",
+ strerror(rc));
+ }
print_one_sa_rule(sa, inbound);
}
--
2.17.1
next prev parent reply other threads:[~2020-04-14 7:33 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-11 14:55 [dpdk-dev] [PATCH v1] " Praveen Shetty
2020-03-12 11:00 ` Anoob Joseph
[not found] ` <BN7PR11MB25310A9A6B9C3BE91A411AA29DFD0@BN7PR11MB2531.namprd11.prod.outlook.com>
[not found] ` <BN7PR11MB2531E92F9B078563A947615F9DFD0@BN7PR11MB2531.namprd11.prod.outlook.com>
[not found] ` <BN7PR11MB2531ABDDAE26D1FD3B216E259DFD0@BN7PR11MB2531.namprd11.prod.outlook.com>
2020-03-13 7:05 ` Shetty, Praveen
2020-03-13 10:51 ` Anoob Joseph
2020-03-13 12:21 ` Shetty, Praveen
2020-03-19 16:21 ` [dpdk-dev] [PATCH v2] " Praveen Shetty
2020-03-20 8:15 ` Anoob Joseph
2020-03-23 11:24 ` Shetty, Praveen
2020-03-31 13:02 ` [dpdk-dev] [PATCH v3] " Praveen Shetty
2020-04-01 13:19 ` Akhil Goyal
2020-04-01 13:26 ` Anoob Joseph
2020-04-01 13:53 ` Akhil Goyal
2020-04-02 11:15 ` Shetty, Praveen
2020-04-02 13:39 ` [dpdk-dev] [EXT] " Anoob Joseph
2020-04-02 17:56 ` Shetty, Praveen
2020-04-03 5:14 ` Anoob Joseph
2020-04-03 5:52 ` Akhil Goyal
2020-04-03 10:21 ` Shetty, Praveen
2020-04-03 10:28 ` Anoob Joseph
2020-04-08 14:13 ` [dpdk-dev] [PATCH v4] " Praveen Shetty
2020-04-09 10:09 ` [dpdk-dev] [PATCH v5] " Praveen Shetty
2020-04-14 7:33 ` Shetty, Praveen [this message]
2020-04-15 18:59 ` Akhil Goyal
2020-04-16 11:49 ` Shetty, Praveen
2020-04-16 16:47 ` [dpdk-dev] [PATCH v6] " Praveen Shetty
2020-04-17 20:58 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CY4PR1101MB2326B9012721CD3F49A1734D9DDA0@CY4PR1101MB2326.namprd11.prod.outlook.com \
--to=praveen.shetty@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=anoobj@marvell.com \
--cc=bernard.iremonger@intel.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).