From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 04D4AA057B; Wed, 1 Apr 2020 15:19:53 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id D225B1BEAE; Wed, 1 Apr 2020 15:19:52 +0200 (CEST) Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20057.outbound.protection.outlook.com [40.107.2.57]) by dpdk.org (Postfix) with ESMTP id 3429D1BE99 for ; Wed, 1 Apr 2020 15:19:51 +0200 (CEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=S+HIzJEdPBjTjn1Ysabbf/8q0i5JMbo/cHaMzu011YA6bQuDfGtc4RcS4joIN0eB3G/vVIGmPY/Jk3/Vu1yEABrSKuCXv47Se+0F5q6xh/oyHaWyBuBzOm7h5C7plDn1htVSrkENw+hpbgzRKxQZbDF5X9lVCiHBvdj4D2U/WeZgdYejgStpYG0EEHrDgPN68EaaemL0W8P0GNEKwsG3YLJ5VGJrS6lO76tW0BH1QXbWdwl5bcW9RV5jo1x/TDtPdt29t0HxN0xTRDyBbhgJ+lfDn/kPgtIP+LN4cxO+m0CwLwJp8uVOuAeAhZTJ3xuK/7ntcFeumg8HHoKkg9DjMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kuDI6cS1/uV3gFyKKUClVcyf0BvnCGweefL/MIgjOyM=; b=CrM4SrDo4KzcaZaTgNSO1fk5DU9pPzZ1/SUXQ+xFnCVTU9T7KVSeL3062S/AoL4+OYFDlcyb2farfhGK2gtxPIyAsOOuWRynqWon9dOsRvN9JhEyvv6q2c33IvbxFbHcxt1xerl5V0hBWW6ix3ZsxMz5IRyYHwykYOfAkzAZ9410lm3ZBxcXX6lIF+qbIpXc8aF97+aCXpjknZChRPRr1DLoqXpi9Iq9Btuxt22aNuM71QmAbUawOT1SlIJj54ttFzMtSck893OW0uBpfzd139I42KA/HP2HYZ2XmA9tam2Gn46grYNA/N+vZsEBjjoqhyo5BbTT06lEyY1BaziSPA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nxp.com; dmarc=pass action=none header.from=nxp.com; dkim=pass header.d=nxp.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kuDI6cS1/uV3gFyKKUClVcyf0BvnCGweefL/MIgjOyM=; b=hl9sJDds031d/P95wap7zGkyCJAHWkgwvx5zeQC11FWLQPFt3wCOdEIcQVGDmCRipkyt+FlVm3WF3dXIrQLon/sPS+GqojBW8lypRXThYNTAI8Ptf6pDbGH+EIEhgUuHX/8+mfsCnbg5ECstAQi511IspOPcFB5ZKWcvdwwUYec= Received: from DB8PR04MB6635.eurprd04.prod.outlook.com (20.179.251.20) by DB8PR04MB7049.eurprd04.prod.outlook.com (52.135.63.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20; Wed, 1 Apr 2020 13:19:49 +0000 Received: from DB8PR04MB6635.eurprd04.prod.outlook.com ([fe80::18c:1d00:b49e:f733]) by DB8PR04MB6635.eurprd04.prod.outlook.com ([fe80::18c:1d00:b49e:f733%7]) with mapi id 15.20.2856.019; Wed, 1 Apr 2020 13:19:49 +0000 From: Akhil Goyal To: Praveen Shetty , "dev@dpdk.org" , "declan.doherty@intel.com" , "anoobj@marvell.com" CC: "bernard.iremonger@intel.com" , "konstantin.ananyev@intel.com" Thread-Topic: [dpdk-dev] [PATCH v3] examples/ipsec-secgw: support flow director feature Thread-Index: AQHWB1yfMGAO/tSum0iOsoN+SeJNrKhkPQ2A Date: Wed, 1 Apr 2020 13:19:49 +0000 Message-ID: References: <20200319162145.28906-1-praveen.shetty@intel.com> <20200331130211.24761-1-praveen.shetty@intel.com> In-Reply-To: <20200331130211.24761-1-praveen.shetty@intel.com> Accept-Language: en-IN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=akhil.goyal@nxp.com; x-originating-ip: [45.118.166.84] x-ms-publictraffictype: Email x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: b0d7059d-b235-4a6b-1a9b-08d7d63f5b26 x-ms-traffictypediagnostic: DB8PR04MB7049: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:962; x-forefront-prvs: 03607C04F0 x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB8PR04MB6635.eurprd04.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(396003)(39860400002)(346002)(376002)(366004)(136003)(6506007)(26005)(8936002)(2906002)(9686003)(44832011)(55016002)(33656002)(478600001)(81156014)(81166006)(66476007)(64756008)(186003)(76116006)(66946007)(66446008)(66556008)(71200400001)(4326008)(110136005)(316002)(52536014)(86362001)(7696005)(5660300002)(54906003); DIR:OUT; SFP:1101; received-spf: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: aqSnpnQche/2h+TawXZIncOjDI2WGH0NDRklDeWmY2AqkQEZ7UIF8I+aG9NPO13E/aj+dTstUY9rejLIIqeW44pi+bxOcKzdyidbE1nV2qdushhwu6l3yEWXgtP0J5QFVfLEP9ZNUaCe+YmmZ/UydSlActCiTr7PJSzITaHygcS4pQTJMKE3y/vVTf4FD5E9VgZhfQsF6m2ipwUljkMHSjsYJn3lJmsipbRUD5w8ZpoZdVbok5tPcoQMAw2q+0XxbRKxLVi9biQbNR0M5KCLs5xt5ABPCxovuuf1cx+RbqWA6PqhS9p5hC8HC8Ae6Gx5G7T/E64XCo1Bozj4HG8CuxTbM4Vp2jmpBuWW5UOjc2GQLz9WS9wwZbPg0Mt/Pv7UoianYccb2HNMYHL6vnTyTFsyPAdMHyks3MeOMxoqnreVcjNAFt/IE5YIK9hdgVfb x-ms-exchange-antispam-messagedata: gmV56y6TJUwyE362omX6V6truZPCGUKMdCCVWAeAfrli5ZYre1OITUCBlq29l4nsG+Ob6DwMuGXCSqknhuBB58mu036XYAQwYvJ5Ilww1U9cLEgOWXOPT4lnMr5aLdJwBNboxR1pqbDTq/qiWdfsmA== x-ms-exchange-transport-forked: True Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: b0d7059d-b235-4a6b-1a9b-08d7d63f5b26 X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2020 13:19:49.5402 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: 3wsN1Zs8i2hG6wFD+Axe/iyBZYkfwEo7ZcKKKjGGSFCizHxnNJMxGABta5+yJbMusp3HfamLe5u8FfVY8CUJOg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR04MB7049 Subject: Re: [dpdk-dev] [PATCH v3] examples/ipsec-secgw: support flow director feature X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Praveen, Sorry for being late to reply on this, Please delegate the patches properly= from next time in patchworks. This patch was neither delegated to me, nor I was in to/cc. So it got misse= d. >=20 > Support load distribution in security gateway application using > NIC load distribution feature(Flow Director). > Flow Director is used to redirect the specified inbound ipsec flow > to a specified queue.This is achieved by extending the SA rule syntax > to support specification by adding new action_type of > to a specified . >=20 Please add documentation (doc/guides/sample_app_ug/ipsec_secgw.rst) changes to explain the new parameter. > Signed-off-by: Praveen Shetty > --- > v3 changes: > Incorporated Anoob review comments on v2. >=20 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > secgw/ipsec-secgw.c > index ce36e6d9c..4400b075c 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -246,6 +246,30 @@ static struct rte_eth_conf port_conf =3D { > .txmode =3D { > .mq_mode =3D ETH_MQ_TX_NONE, > }, > + .fdir_conf =3D { Fdir_conf is a deprecated parameter. It is not good to introduce=20 Something new in the application with a deprecated parameter. Please use the recommended way to configure flows. > + .mode =3D RTE_FDIR_MODE_NONE, > + .pballoc =3D RTE_FDIR_PBALLOC_64K, > + .status =3D RTE_FDIR_REPORT_STATUS, > + .mask =3D { > + .vlan_tci_mask =3D 0xFFEF, > + .ipv4_mask =3D { > + .src_ip =3D 0xFFFFFFFF, > + .dst_ip =3D 0xFFFFFFFF, > + }, > + .ipv6_mask =3D { > + .src_ip =3D {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, > + 0xFFFFFFFF}, > + .dst_ip =3D {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, > + 0xFFFFFFFF}, > + }, > + .src_port_mask =3D 0xFFFF, > + .dst_port_mask =3D 0xFFFF, > + .mac_addr_byte_mask =3D 0xFF, > + .tunnel_type_mask =3D 1, > + .tunnel_id_mask =3D 0xFFFFFFFF, > + }, > + .drop_queue =3D 127, > + } > }; >=20 > struct socket_ctx socket_ctx[NB_SOCKETS]; > @@ -1183,6 +1207,28 @@ ipsec_poll_mode_worker(void) > } > } >=20 > +int > +check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid) > +{ > + uint16_t i; > + uint16_t portid; > + uint8_t queueid; > + > + for (i =3D 0; i < nb_lcore_params; ++i) { > + portid =3D lcore_params_array[i].port_id; > + if (portid =3D=3D fdir_portid) { > + queueid =3D lcore_params_array[i].queue_id; > + if (queueid =3D=3D fdir_qid) > + break; > + } > + > + if (i =3D=3D nb_lcore_params - 1) > + return -1; > + } > + > + return 1; > +} > + > static int32_t > check_poll_mode_params(struct eh_conf *eh_conf) > { > @@ -2813,6 +2859,15 @@ main(int32_t argc, char **argv) >=20 > sa_check_offloads(portid, &req_rx_offloads[portid], > &req_tx_offloads[portid]); > + /* check if FDIR is configured on the port */ > + if (check_fdir_configured(portid)) { > + /* Enable FDIR */ > + port_conf.fdir_conf.mode =3D > RTE_FDIR_MODE_PERFECT; > + /* Disable RSS */ > + port_conf.rxmode.mq_mode =3D ETH_MQ_RX_NONE; > + port_conf.rx_adv_conf.rss_conf.rss_hf =3D 0; > + port_conf.rx_adv_conf.rss_conf.rss_key =3D NULL; > + } > port_init(portid, req_rx_offloads[portid], > req_tx_offloads[portid]); > } > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index d40657102..76ee9dbcf 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -418,6 +418,73 @@ create_inline_session(struct socket_ctx *skt_ctx, > struct ipsec_sa *sa, > return 0; > } >=20 > +int > +create_ipsec_esp_flow(struct ipsec_sa *sa) > +{ > + int ret =3D 0; > + struct rte_flow_error err; > + if (sa->direction =3D=3D RTE_SECURITY_IPSEC_SA_DIR_EGRESS) > + return 0; /* No Flow director rules for Egress traffic */ > + if (sa->flags =3D=3D TRANSPORT) { > + RTE_LOG(ERR, IPSEC, > + "No Flow director rule for transport mode:"); > + return -1; > + } > + sa->action[0].type =3D RTE_FLOW_ACTION_TYPE_QUEUE; > + sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; > + sa->action[0].conf =3D > + &(struct rte_flow_action_queue){ > + .index =3D sa->fdir_qid, > + }; > + sa->attr.egress =3D 0; > + sa->attr.ingress =3D 1; > + if (IS_IP6(sa->flags)) { > + sa->pattern[1].mask =3D &rte_flow_item_ipv6_mask; > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV6; > + sa->pattern[1].spec =3D &sa->ipv6_spec; > + memcpy(sa->ipv6_spec.hdr.dst_addr, > + sa->dst.ip.ip6.ip6_b, sizeof(sa->dst.ip.ip6.ip6_b)); > + memcpy(sa->ipv6_spec.hdr.src_addr, > + sa->src.ip.ip6.ip6_b, sizeof(sa->src.ip.ip6.ip6_b)); > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > + sa->pattern[2].spec =3D &sa->esp_spec; > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > + } else if (IS_IP4(sa->flags)) { > + sa->pattern[1].mask =3D &rte_flow_item_ipv4_mask; > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > + sa->pattern[1].spec =3D &sa->ipv4_spec; > + sa->ipv4_spec.hdr.dst_addr =3D sa->dst.ip.ip4; > + sa->ipv4_spec.hdr.src_addr =3D sa->src.ip.ip4; > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > + sa->pattern[2].spec =3D &sa->esp_spec; > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > + } > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; > + > + ret =3D rte_flow_validate(sa->portid, &sa->attr, > + sa->pattern, sa->action, > + &err); > + if (ret < 0) { > + RTE_LOG(ERR, IPSEC, > + "Flow Validation failed\n"); > + return ret; > + } > + sa->flow =3D rte_flow_create(sa->portid, > + &sa->attr, sa->pattern, sa->action, > + &err); > + if (!sa->flow) { > + RTE_LOG(ERR, IPSEC, > + "Flow Creation failed\n"); > + return -1; > + } > + > + return 0; > +} > + > /* > * queue crypto-ops into PMD queue. > */ > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > index f8f29f9b1..b0e9f45cb 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -144,6 +144,8 @@ struct ipsec_sa { > }; > enum rte_security_ipsec_sa_direction direction; > uint16_t portid; > + uint8_t fdir_qid; > + uint8_t fdir_flag; >=20 > #define MAX_RTE_FLOW_PATTERN (4) > #define MAX_RTE_FLOW_ACTIONS (3) > @@ -408,5 +410,12 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx= , > struct ipsec_sa *sa, > int > create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, > struct rte_ipsec_session *ips); > +int > +check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid); > + > +int > +create_ipsec_esp_flow(struct ipsec_sa *sa); >=20 > +int > +check_fdir_configured(uint16_t portid); > #endif /* __IPSEC_H__ */ > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index 0eb52d141..ddd275142 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -271,6 +271,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > uint32_t type_p =3D 0; > uint32_t portid_p =3D 0; > uint32_t fallback_p =3D 0; > + int16_t status_p =3D 0; >=20 > if (strcmp(tokens[0], "in") =3D=3D 0) { > ri =3D &nb_sa_in; > @@ -295,6 +296,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > if (atoi(tokens[1]) =3D=3D INVALID_SPI) > return; > rule->spi =3D atoi(tokens[1]); > + rule->portid =3D UINT16_MAX; > ips =3D ipsec_get_primary_session(rule); >=20 > for (ti =3D 2; ti < n_tokens; ti++) { > @@ -636,9 +638,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > if (status->status < 0) > return; > - rule->portid =3D atoi(tokens[ti]); > - if (status->status < 0) > + if (rule->portid =3D=3D UINT16_MAX) > + rule->portid =3D atoi(tokens[ti]); > + else if (rule->portid !=3D atoi(tokens[ti])) { > + APP_CHECK(0, status, "portid %s " > + "not matching with already assigned portid %u", > + tokens[ti], rule->portid); > return; > + } > portid_p =3D 1; > continue; > } > @@ -681,6 +688,43 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > fallback_p =3D 1; > continue; > } > + if (strcmp(tokens[ti], "flow-direction") =3D=3D 0) { > + if (ips->type =3D=3D > + > RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || > + ips->type =3D=3D > + > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL || > + ips->type =3D=3D > + > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > + APP_CHECK(0, status, "Flow Director not " > + "supported for security session " > + "type:%d", ips->type); > + return; > + } It means it is supported in cpu crypto as well? Better to have a check for = the supported Action types, as in the future there may be some other action types. > + rule->fdir_flag =3D 1; > + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > + if (status->status < 0) > + return; > + if (rule->portid =3D=3D UINT16_MAX) > + rule->portid =3D atoi(tokens[ti]); > + else if (rule->portid !=3D atoi(tokens[ti])) { > + APP_CHECK(0, status, "portid %s " > + "not matching with already assigned portid %u", > + tokens[ti], rule->portid); > + return; > + } > + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > + if (status->status < 0) > + return; > + rule->fdir_qid =3D atoi(tokens[ti]); > + /* validating portid and queueid */ > + status_p =3D check_flow_params(rule->portid, > + rule->fdir_qid); > + if (status_p < 0) { > + printf("port id %u / queue id %u is not valid\n", > + rule->portid, rule->fdir_qid); > + } > + continue; > + } >=20 > /* unrecognizeable input */ > APP_CHECK(0, status, "unrecognized input \"%s\"", > @@ -719,7 +763,6 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > if (!type_p || (!portid_p && ips->type !=3D > RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) { > ips->type =3D RTE_SECURITY_ACTION_TYPE_NONE; > - rule->portid =3D -1; > } >=20 > *ri =3D *ri + 1; > @@ -823,6 +866,9 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbo= und) > break; > } > } > + if (sa->fdir_flag =3D=3D 1) > + printf("flow-direction %d %d", sa->portid, sa->fdir_qid); Better to print like below. printf("flow-direction port %d queue %d ", sa->portid, sa->fdir_qid) > + > printf("\n"); > } >=20