From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 4DB6AA0562; Thu, 2 Apr 2020 19:57:00 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id A65BE2BCE; Thu, 2 Apr 2020 19:56:59 +0200 (CEST) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id 5F56C2BAF for ; Thu, 2 Apr 2020 19:56:57 +0200 (CEST) IronPort-SDR: 95jx5MuRlkwiy2A0yFY18gmnLfsXu/mAWEXBJuP5lLr+dI9h8OECuBwJ9ugyI3uuFbVscaivtq UAPQIuMRkqaA== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Apr 2020 10:56:56 -0700 IronPort-SDR: mnaVTgUKEeRuntwJ/iSJ8LXTzBpNgY/THY02VeWCSiU5ZahJ+/NK4WkNHTxvEvSaeSFdfRMPq+ E/Dm2/rORU4Q== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.72,336,1580803200"; d="scan'208";a="238607820" Received: from orsmsx101.amr.corp.intel.com ([10.22.225.128]) by orsmga007.jf.intel.com with ESMTP; 02 Apr 2020 10:56:55 -0700 Received: from orsmsx151.amr.corp.intel.com (10.22.226.38) by ORSMSX101.amr.corp.intel.com (10.22.225.128) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 2 Apr 2020 10:56:55 -0700 Received: from ORSEDG001.ED.cps.intel.com (10.7.248.4) by ORSMSX151.amr.corp.intel.com (10.22.226.38) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 2 Apr 2020 10:56:55 -0700 Received: from NAM12-DM6-obe.outbound.protection.outlook.com (104.47.59.176) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 2 Apr 2020 10:56:55 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=I/UD5UoNgJ8fv2tl8zQlgrPk/ZiEWkvJRRiOLLU49NMAKnRVuPtlIFf1KxSWfVjqLBTIN/Vi9cH53PpOUdwf+5KvxIU9bw0AS4nmBRE047YoaQJfC3KPan4scetH0x695DI+MZLOdivF2lQpOWc+vibAFLitaMoukxs0DVwhe4WAdzq8aLO85NfzneRkqhTkyFaafxQwK3nyTEynPf1fxKa0rFC/SJGbIir+UarfPxWZ4GWP8QAmJzfIbaGK8kHr7Oopu2AdIN0uRylgQWJp3iR3vMW2qsbNY057J9V0s8CBxs/g2F7T0firDozwrhw+wMboSaw1w77d2RAraMt6rQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RSaytxPC3RzpRbFX7jsBQo7w8BxTVhaPShyQRLk+dhM=; b=cfV5Gaod+5Papb77hTfHrFnerm7O14E4OPWPBdwwF9ZWI2qXEXi5nNsbIbkMhYQ06dDfN0RFQpoNuIlbMS7mnPqyqGPiLDSth2jKVTHsW7/LhagEIi+OJDqzxWUC4QAiHjeCop3maeA1/QFO04asp7i1kK5bVo0hdz6+dpOd2wmZA3up802sOpqVsMWoRLISFHSk8jHi7k5vkXgDNxJwcs708wmZPr5bAzDLFvzDSrjrGom7JqN82sHNQPLW4szRQLkeAba2O6Uv+2yqJ33fxtcILaNtd7acHa3wAmKZamQnFHRE6QE8fq/VNhq+6/7ImjZ9XQnRiG/9QH3oSktbQQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RSaytxPC3RzpRbFX7jsBQo7w8BxTVhaPShyQRLk+dhM=; b=h+8+P1ufAQiVaF+CMm5Z3TvB4wwkqViqoUTLmuWrg+Sp3hTo9dJX6FYG/8BfAJEuHoTKXxYK25m/nSFlRUvXCIQ9rhqv2nRIvJzA/mjy37EU+XngFM9oGsFYCOaCZ/ytj0KA3oPYTBv6PHlvfQWpzBhHC/eNQu9U6EOtTuDZfps= Received: from CY4PR1101MB2326.namprd11.prod.outlook.com (2603:10b6:903:b3::23) by CY4PR1101MB2071.namprd11.prod.outlook.com (2603:10b6:910:1a::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.15; Thu, 2 Apr 2020 17:56:53 +0000 Received: from CY4PR1101MB2326.namprd11.prod.outlook.com ([fe80::58c7:7df:1b11:9c56]) by CY4PR1101MB2326.namprd11.prod.outlook.com ([fe80::58c7:7df:1b11:9c56%4]) with mapi id 15.20.2878.016; Thu, 2 Apr 2020 17:56:52 +0000 From: "Shetty, Praveen" To: Anoob Joseph , "dev@dpdk.org" , "Doherty, Declan" , Akhil Goyal CC: "Iremonger, Bernard" , "Ananyev, Konstantin" Thread-Topic: [EXT] [PATCH v3] examples/ipsec-secgw: support flow director feature Thread-Index: AQHWCPQpLqUoUgdSfEq3yQYJ22MHy6hmGf0w Date: Thu, 2 Apr 2020 17:56:52 +0000 Message-ID: References: <20200319162145.28906-1-praveen.shetty@intel.com> <20200331130211.24761-1-praveen.shetty@intel.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMzc5NDI5ZjctMTZjZC00ZDBhLTgzOTQtNTQ5Nzg3MjA1NGI4IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiV1FSN0p0MUNKeExmMllCWEZDXC9wY0M5eUlaVmFadjBDUWdyUGUweWVISythZERWSkxYOGhMcnhyczBKUVdlcmIifQ== dlp-product: dlpe-windows dlp-reaction: no-action dlp-version: 11.2.0.6 x-ctpclassification: CTP_NT authentication-results: spf=none (sender IP is ) smtp.mailfrom=praveen.shetty@intel.com; x-originating-ip: [192.55.79.119] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 2aff641f-d55c-4f26-5e34-08d7d72f39d6 x-ms-traffictypediagnostic: CY4PR1101MB2071: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:1728; x-forefront-prvs: 0361212EA8 x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR1101MB2326.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(136003)(346002)(376002)(366004)(396003)(39860400002)(66946007)(26005)(66476007)(7696005)(66446008)(54906003)(66556008)(6506007)(110136005)(71200400001)(4326008)(64756008)(33656002)(478600001)(86362001)(186003)(107886003)(2906002)(76116006)(5660300002)(53546011)(30864003)(52536014)(316002)(8676002)(9686003)(81156014)(8936002)(81166006)(55016002); DIR:OUT; SFP:1102; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: ovTuwM1n9SJ9qHtuHna6Ca8qzyGQN9X/uRZ349XT+zck82LVGjsqtRIi8vjIW7QZ0bCWFebPfhKDRanM08G2kVfzrhkxnzGsHyCwtrfxd4cAyftoD2idC6VAQX/aQyVt8PuZK+dUPyf8zTG3/6MOlooBcBEU9fSi7qTEAdN2Rn3DbN9yjOJG5ToSyKwQs3YkpsePN7aABE4FBxQcKaH8F9TdNXczpcTP8T9Ny9bdOaOAcmAZsENjWM5CUJKpxXQT86FDHYRBiilbQLn702xFsxMLOEasTGvz4zmncGEPipJiq8VJtqFGWDyE27IkhAkboHZ9p6gyEAMTPCsPNcCRw7uvrRvIHzoF8pAnnOEANQrs6nSGsd/YYJm7X7dKLwCQCQdRJf1b5t54ERduMTXEsC83NyFEVMZZ5T8+UaW44mj4Qu3SuyRTTleb/9wM1qYD x-ms-exchange-antispam-messagedata: 6dV3AFnqWIV21b8J2L4KK0D4m//1w68wzR8IbsIKe7YSlkfGkEQecUlLZcsx0/KXmfNz9/L1SajP+7CTBhesPyMs2Xfmbfxl/qih5w+7w0+oOa3SVChEobIGv/ZSKOS6lMIiRmeG1WkuyE1Div0HBQ== Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: 2aff641f-d55c-4f26-5e34-08d7d72f39d6 X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Apr 2020 17:56:52.7460 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: cAbaV3XfWD2zSxUv9Nh4r7LDxvMBKX9YO3jllFi08dTvLsLLCz9/XqqV5F9KkriaOussylNGeXjs56n2ILenaelPcDjvMd7q0FaHbbc565o= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1101MB2071 X-OriginatorOrg: intel.com Subject: Re: [dpdk-dev] [EXT] [PATCH v3] examples/ipsec-secgw: support flow director feature X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Anoob, See my response inline. Regards, Praveen -----Original Message----- From: Anoob Joseph =20 Sent: Thursday, April 2, 2020 7:09 PM To: Shetty, Praveen ; dev@dpdk.org; Doherty, Decl= an Cc: Iremonger, Bernard ; Ananyev, Konstantin <= konstantin.ananyev@intel.com> Subject: RE: [EXT] [PATCH v3] examples/ipsec-secgw: support flow director f= eature Hi Praveen, I've few minor comments. Please see inline. Thanks, Anoob > -----Original Message----- > From: Praveen Shetty > Sent: Tuesday, March 31, 2020 6:32 PM > To: dev@dpdk.org; declan.doherty@intel.com; Anoob Joseph=20 > > Cc: bernard.iremonger@intel.com; konstantin.ananyev@intel.com > Subject: [EXT] [PATCH v3] examples/ipsec-secgw: support flow director=20 > feature >=20 > External Email >=20 > ---------------------------------------------------------------------- > Support load distribution in security gateway application using NIC=20 > load distribution feature(Flow Director). > Flow Director is used to redirect the specified inbound ipsec flow to=20 > a specified queue.This is achieved by extending the SA rule syntax to=20 > support specification by adding new action_type of to=20 > a specified . >=20 > Signed-off-by: Praveen Shetty > --- > v3 changes: > Incorporated Anoob review comments on v2. >=20 > examples/ipsec-secgw/ep0.cfg | 11 +++++ > examples/ipsec-secgw/ipsec-secgw.c | 55 +++++++++++++++++++++++ > examples/ipsec-secgw/ipsec.c | 67 +++++++++++++++++++++++++++ > examples/ipsec-secgw/ipsec.h | 9 ++++ > examples/ipsec-secgw/sa.c | 72 ++++++++++++++++++++++++++++-- > 5 files changed, 211 insertions(+), 3 deletions(-) >=20 > diff --git a/examples/ipsec-secgw/ep0.cfg=20 > b/examples/ipsec-secgw/ep0.cfg index dfd4aca7d..6f8d5aa53 100644 > --- a/examples/ipsec-secgw/ep0.cfg > +++ b/examples/ipsec-secgw/ep0.cfg > @@ -29,6 +29,7 @@ sp ipv4 in esp protect 111 pri 1 dst=20 > 192.168.186.0/24 sport > 0:65535 dport 0:6553 sp ipv4 in esp protect 115 pri 1 dst=20 > 192.168.210.0/24 sport > 0:65535 dport 0:65535 sp ipv4 in esp protect 116 pri 1 dst=20 > 192.168.211.0/24 sport 0:65535 dport 0:65535 sp ipv4 in esp protect=20 > 115 pri 1 dst > 192.168.210.0/24 sport 0:65535 dport 0:65535 > +sp ipv4 in esp protect 117 pri 1 dst 192.168.212.0/24 sport 0:65535=20 > +dport 0:65535 > sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535=20 > dport 0:65535 sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24=20 > sport 0:65535 dport 0:65535 sp ipv4 in esp protect 126 pri 1 dst=20 > 192.168.66.0/24 sport 0:65535 dport 0:65535 @@ -61,6 +62,8 @@ sp ipv6=20 > in esp protect 125 pri 1 dst > ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 > sport 0:65535 dport 0:65535 > sp ipv6 in esp protect 126 pri 1 dst > ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \ sport 0:65535 dport=20 > 0:65535 > +sp ipv6 in esp protect 127 pri 1 dst > +ffff:0000:0000:0000:cccc:dddd:0000:0000/96 \ sport 0:65535 dport > +0:65535 >=20 > #SA rules > sa out 5 cipher_algo aes-128-cbc cipher_key=20 > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ @@ -118,6 +121,9 @@ dst 172.16.1.5 >=20 > sa in 116 cipher_algo null auth_algo null mode ipv4-tunnel src=20 > 172.16.2.6 dst > 172.16.1.6 >=20 > +sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src > +172.16.2.7 \ dst 172.16.1.7 flow-direction 0 2 > + > sa in 125 cipher_algo aes-128-cbc cipher_key=20 > c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\ > c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key=20 > c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\ > c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \ @@ -130,6 +136,11 @@ sa=20 > in > 126 cipher_algo aes-128-cbc cipher_key=20 > 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\ > src 2222:2222:2222:2222:2222:2222:2222:6666 \ dst > 1111:1111:1111:1111:1111:1111:1111:6666 >=20 > +sa in 127 cipher_algo null auth_algo null mode ipv6-tunnel \ src > +2222:2222:2222:2222:2222:2222:2222:7777 \ dst > +1111:1111:1111:1111:1111:1111:1111:7777 \ flow-direction 0 3 > + > #Routing rules > rt ipv4 dst 172.16.2.5/32 port 0 > rt ipv4 dst 172.16.2.6/32 port 1 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-=20 > secgw/ipsec-secgw.c index ce36e6d9c..4400b075c 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -246,6 +246,30 @@ static struct rte_eth_conf port_conf =3D { > .txmode =3D { > .mq_mode =3D ETH_MQ_TX_NONE, > }, > + .fdir_conf =3D { > + .mode =3D RTE_FDIR_MODE_NONE, > + .pballoc =3D RTE_FDIR_PBALLOC_64K, > + .status =3D RTE_FDIR_REPORT_STATUS, > + .mask =3D { > + .vlan_tci_mask =3D 0xFFEF, > + .ipv4_mask =3D { > + .src_ip =3D 0xFFFFFFFF, > + .dst_ip =3D 0xFFFFFFFF, > + }, > + .ipv6_mask =3D { > + .src_ip =3D {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, > + 0xFFFFFFFF}, > + .dst_ip =3D {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, > + 0xFFFFFFFF}, > + }, > + .src_port_mask =3D 0xFFFF, > + .dst_port_mask =3D 0xFFFF, > + .mac_addr_byte_mask =3D 0xFF, > + .tunnel_type_mask =3D 1, > + .tunnel_id_mask =3D 0xFFFFFFFF, > + }, > + .drop_queue =3D 127, > + } > }; >=20 > struct socket_ctx socket_ctx[NB_SOCKETS]; @@ -1183,6 +1207,28 @@ > ipsec_poll_mode_worker(void) > } > } >=20 > +int > +check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid) { > + uint16_t i; > + uint16_t portid; > + uint8_t queueid; > + > + for (i =3D 0; i < nb_lcore_params; ++i) { > + portid =3D lcore_params_array[i].port_id; > + if (portid =3D=3D fdir_portid) { > + queueid =3D lcore_params_array[i].queue_id; > + if (queueid =3D=3D fdir_qid) > + break; > + } > + > + if (i =3D=3D nb_lcore_params - 1) > + return -1; > + } > + > + return 1; > +} > + > static int32_t > check_poll_mode_params(struct eh_conf *eh_conf) { @@ -2813,6=20 > +2859,15 @@ main(int32_t argc, char **argv) >=20 > sa_check_offloads(portid, &req_rx_offloads[portid], > &req_tx_offloads[portid]); > + /* check if FDIR is configured on the port */ > + if (check_fdir_configured(portid)) { > + /* Enable FDIR */ > + port_conf.fdir_conf.mode =3D > RTE_FDIR_MODE_PERFECT; > + /* Disable RSS */ > + port_conf.rxmode.mq_mode =3D ETH_MQ_RX_NONE; > + port_conf.rx_adv_conf.rss_conf.rss_hf =3D 0; > + port_conf.rx_adv_conf.rss_conf.rss_key =3D NULL; > + } > port_init(portid, req_rx_offloads[portid], > req_tx_offloads[portid]); > } > diff --git a/examples/ipsec-secgw/ipsec.c=20 > b/examples/ipsec-secgw/ipsec.c index d40657102..76ee9dbcf 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -418,6 +418,73 @@ create_inline_session(struct socket_ctx *skt_ctx,=20 > struct ipsec_sa *sa, > return 0; > } >=20 > +int > +create_ipsec_esp_flow(struct ipsec_sa *sa) { > + int ret =3D 0; > + struct rte_flow_error err; > + if (sa->direction =3D=3D RTE_SECURITY_IPSEC_SA_DIR_EGRESS) > + return 0; /* No Flow director rules for Egress traffic */ [Anoob] Any reason why this is not relevant for Egress.=20 [Praveen] we don't see an use case for load distribution across ingress que= ues for outbound IPsec traffic therefore we have limited this configuration= to inbound IPsec processing, as this is the only use case we can verify. As for the code I would suggest something like, /* No flow director rules for Egress traffic */ if (sa->direction =3D=3D RTE_SECURITY_IPSEC_SA_DIR_EGRESS) return 0; ... =20 > + if (sa->flags =3D=3D TRANSPORT) { > + RTE_LOG(ERR, IPSEC, > + "No Flow director rule for transport mode:"); [Anoob] Is the ending : required in the line above? And do might need a \n? [Praveen] Will fix this in v4. Also, why is one case returning 0 (EGRESS) and another (TRANSPORT) is retur= ning -1? One is treated as error and other is not? [Praveen] It should be -1(error) for both the cases , will fix this in v4. =20 > + return -1; > + } > + sa->action[0].type =3D RTE_FLOW_ACTION_TYPE_QUEUE; > + sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; > + sa->action[0].conf =3D > + &(struct rte_flow_action_queue){ > + .index =3D sa->fdir_qid, > + }; > + sa->attr.egress =3D 0; > + sa->attr.ingress =3D 1; > + if (IS_IP6(sa->flags)) { > + sa->pattern[1].mask =3D &rte_flow_item_ipv6_mask; > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV6; > + sa->pattern[1].spec =3D &sa->ipv6_spec; > + memcpy(sa->ipv6_spec.hdr.dst_addr, > + sa->dst.ip.ip6.ip6_b, sizeof(sa->dst.ip.ip6.ip6_b)); > + memcpy(sa->ipv6_spec.hdr.src_addr, > + sa->src.ip.ip6.ip6_b, sizeof(sa->src.ip.ip6.ip6_b)); > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > + sa->pattern[2].spec =3D &sa->esp_spec; > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > + } else if (IS_IP4(sa->flags)) { > + sa->pattern[1].mask =3D &rte_flow_item_ipv4_mask; > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > + sa->pattern[1].spec =3D &sa->ipv4_spec; > + sa->ipv4_spec.hdr.dst_addr =3D sa->dst.ip.ip4; > + sa->ipv4_spec.hdr.src_addr =3D sa->src.ip.ip4; > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > + sa->pattern[2].spec =3D &sa->esp_spec; > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > + } > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; > + > + ret =3D rte_flow_validate(sa->portid, &sa->attr, > + sa->pattern, sa->action, > + &err); > + if (ret < 0) { > + RTE_LOG(ERR, IPSEC, > + "Flow Validation failed\n"); [Anoob] The above should fit into one line. Also V should be small. [Praveen] Okay. Will fix this in v4. =20 > + return ret; > + } > + sa->flow =3D rte_flow_create(sa->portid, > + &sa->attr, sa->pattern, sa->action, > + &err); [Anoob] Start breaking into multiple lines when you exceed 80 char limits. = In the earlier line, &sa->attr should fit into the line above. Also, having a blank line above rte_flow_create() line would be good. [Praveen] Okay. Will fix it in v4 =20 > + if (!sa->flow) { > + RTE_LOG(ERR, IPSEC, > + "Flow Creation failed\n"); [Anoob] Above should fit into one line. Also C should be small. [Praveen] okay. Will fix this in v4. > + return -1; > + } > + > + return 0; > +} > + > /* > * queue crypto-ops into PMD queue. > */ > diff --git a/examples/ipsec-secgw/ipsec.h=20 > b/examples/ipsec-secgw/ipsec.h index f8f29f9b1..b0e9f45cb 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -144,6 +144,8 @@ struct ipsec_sa { > }; > enum rte_security_ipsec_sa_direction direction; > uint16_t portid; > + uint8_t fdir_qid; > + uint8_t fdir_flag; >=20 > #define MAX_RTE_FLOW_PATTERN (4) > #define MAX_RTE_FLOW_ACTIONS (3) > @@ -408,5 +410,12 @@ create_lookaside_session(struct ipsec_ctx=20 > *ipsec_ctx, struct ipsec_sa *sa, int create_inline_session(struct=20 > socket_ctx *skt_ctx, struct ipsec_sa *sa, > struct rte_ipsec_session *ips); > +int > +check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid); > + > +int > +create_ipsec_esp_flow(struct ipsec_sa *sa); >=20 > +int > +check_fdir_configured(uint16_t portid); > #endif /* __IPSEC_H__ */ > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c=20 > index > 0eb52d141..ddd275142 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -271,6 +271,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > uint32_t type_p =3D 0; > uint32_t portid_p =3D 0; > uint32_t fallback_p =3D 0; > + int16_t status_p =3D 0; >=20 > if (strcmp(tokens[0], "in") =3D=3D 0) { > ri =3D &nb_sa_in; > @@ -295,6 +296,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > if (atoi(tokens[1]) =3D=3D INVALID_SPI) > return; > rule->spi =3D atoi(tokens[1]); > + rule->portid =3D UINT16_MAX; > ips =3D ipsec_get_primary_session(rule); >=20 > for (ti =3D 2; ti < n_tokens; ti++) { > @@ -636,9 +638,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > if (status->status < 0) > return; > - rule->portid =3D atoi(tokens[ti]); > - if (status->status < 0) > + if (rule->portid =3D=3D UINT16_MAX) > + rule->portid =3D atoi(tokens[ti]); > + else if (rule->portid !=3D atoi(tokens[ti])) { > + APP_CHECK(0, status, "portid %s " > + "not matching with already assigned portid > %u", > + tokens[ti], rule->portid); > return; [Anoob] Alignment for APP_CHECK's broken up parts are not following the con= vention. [Praveen] Will fix this in v4. > + } > portid_p =3D 1; > continue; > } > @@ -681,6 +688,43 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > fallback_p =3D 1; > continue; > } > + if (strcmp(tokens[ti], "flow-direction") =3D=3D 0) { > + if (ips->type =3D=3D > + > RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || > + ips->type =3D=3D > + > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL || > + ips->type =3D=3D > + > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > + APP_CHECK(0, status, "Flow Director not " > + "supported for security session " > + "type:%d", ips->type); > + return; > + } > + rule->fdir_flag =3D 1; > + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > + if (status->status < 0) > + return; > + if (rule->portid =3D=3D UINT16_MAX) > + rule->portid =3D atoi(tokens[ti]); > + else if (rule->portid !=3D atoi(tokens[ti])) { > + APP_CHECK(0, status, "portid %s " > + "not matching with already assigned portid > %u", > + tokens[ti], rule->portid); > + return; > + } > + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > + if (status->status < 0) > + return; > + rule->fdir_qid =3D atoi(tokens[ti]); > + /* validating portid and queueid */ > + status_p =3D check_flow_params(rule->portid, > + rule->fdir_qid); > + if (status_p < 0) { > + printf("port id %u / queue id %u is not valid\n", > + rule->portid, rule->fdir_qid); > + } > + continue; > + } >=20 > /* unrecognizeable input */ > APP_CHECK(0, status, "unrecognized input \"%s\"", @@ -719,7 > +763,6 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > if (!type_p || (!portid_p && ips->type !=3D > RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) { > ips->type =3D RTE_SECURITY_ACTION_TYPE_NONE; > - rule->portid =3D -1; > } >=20 > *ri =3D *ri + 1; > @@ -823,6 +866,9 @@ print_one_sa_rule(const struct ipsec_sa *sa, int > inbound) > break; > } > } > + if (sa->fdir_flag =3D=3D 1) > + printf("flow-direction %d %d", sa->portid, sa->fdir_qid); > + > printf("\n"); > } >=20 > @@ -1141,6 +1187,12 @@ sa_add_rules(struct sa_ctx *sa_ctx, const=20 > struct ipsec_sa entries[], > } > } >=20 > + if (sa->fdir_flag && inbound) { > + rc =3D create_ipsec_esp_flow(sa); > + if (rc !=3D 0) > + RTE_LOG(ERR, IPSEC_ESP, > + "create_ipsec_esp flow failed\n"); [Anoob] Instead of function name, can you give the description of what actu= ally failed? [Praveen] Can be done , will do it in v4. > + } > print_one_sa_rule(sa, inbound); > } >=20 > @@ -1243,6 +1295,20 @@ fill_ipsec_session(struct rte_ipsec_session=20 > *ss, struct rte_ipsec_sa *sa) > return rc; > } >=20 > +int > +check_fdir_configured(uint16_t portid) { > + struct ipsec_sa *sa =3D NULL; > + uint32_t idx_sa =3D 0; > + > + for (idx_sa =3D 0; idx_sa < nb_sa_in; idx_sa++) { > + sa =3D &sa_in[idx_sa]; > + if (sa->portid =3D=3D portid) > + return sa->fdir_flag; > + } > + return 0; > +} > + > /* > * Initialise related rte_ipsec_sa object. > */ > -- > 2.17.1