From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id 03B63A046B for ; Wed, 26 Jun 2019 09:06:39 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id CD5CF4F94; Wed, 26 Jun 2019 09:06:38 +0200 (CEST) Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30054.outbound.protection.outlook.com [40.107.3.54]) by dpdk.org (Postfix) with ESMTP id 637FD2C4F for ; Wed, 26 Jun 2019 09:06:37 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=R6AYCiAIqj/GIIE9RALl22zS8BIUT7JhY9FS3xthNoE=; b=hAsfJ/4Of+ngoFZcEG9rsnJVY1UuWfMFXNx6qok7tgY7+oL0d871e0h1tGWWVIDr2+1/IH2fM29Zmon3nT69CTNZmTjnd/WP8fIY0OeC3vqTizS24163Irxv3u5qzkzP9uJan9HAX6RXG4Hd83r3bOVvS0ijK1hKPDfRnUbJ0iQ= Received: from VE1PR04MB6639.eurprd04.prod.outlook.com (20.179.235.82) by VE1PR04MB6413.eurprd04.prod.outlook.com (20.179.232.94) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.16; Wed, 26 Jun 2019 07:06:35 +0000 Received: from VE1PR04MB6639.eurprd04.prod.outlook.com ([fe80::a929:3d03:7bb7:d5e0]) by VE1PR04MB6639.eurprd04.prod.outlook.com ([fe80::a929:3d03:7bb7:d5e0%7]) with mapi id 15.20.2008.014; Wed, 26 Jun 2019 07:06:35 +0000 From: Akhil Goyal To: "Drost, MariuszX" , "Nicolau, Radu" , "Lu, Wenzhuo" , "Ananyev, Konstantin" CC: "dev@dpdk.org" Thread-Topic: [PATCH 2/2] examples/ipsec-secgw: fix not working inline ipsec modes Thread-Index: AQHVGr3DdcEXM2VZZU+3H8wl2EMgbqakm8kAgAfeY7CAAAmpAIABIJ0Q Date: Wed, 26 Jun 2019 07:06:35 +0000 Message-ID: References: <20190604100644.13724-1-mariuszx.drost@intel.com> <20190604100644.13724-3-mariuszx.drost@intel.com> <3BB8A5892AABB64DA03CD11BE7165E2B075539C5@HASMSX110.ger.corp.intel.com> In-Reply-To: <3BB8A5892AABB64DA03CD11BE7165E2B075539C5@HASMSX110.ger.corp.intel.com> Accept-Language: en-IN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=akhil.goyal@nxp.com; x-originating-ip: [92.120.1.65] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 6b0bbfbe-bd07-4ff6-66d6-08d6fa04d3a6 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:VE1PR04MB6413; x-ms-traffictypediagnostic: VE1PR04MB6413: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-forefront-prvs: 00808B16F3 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(136003)(39860400002)(376002)(366004)(346002)(13464003)(51444003)(199004)(189003)(2906002)(5660300002)(52536014)(486006)(68736007)(81166006)(11346002)(64756008)(66556008)(66946007)(66476007)(66446008)(71200400001)(14444005)(81156014)(74316002)(305945005)(478600001)(3846002)(110136005)(6116002)(14454004)(76116006)(73956011)(71190400001)(33656002)(256004)(316002)(186003)(6436002)(7736002)(55016002)(7696005)(446003)(53936002)(86362001)(99286004)(76176011)(9686003)(8936002)(4326008)(8676002)(44832011)(102836004)(53546011)(66066001)(6506007)(229853002)(26005)(6246003)(25786009)(476003)(21314003); DIR:OUT; SFP:1101; SCL:1; SRVR:VE1PR04MB6413; H:VE1PR04MB6639.eurprd04.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: taRuSY9Vxccx5D3S9uJd0n831s9f2Mm4en5+9+hA2xJNVIDQ0wYZvg22g7cgIVqURLS1OrrENxsA6M8iOVYLIXxcdDa04rThutDh1EiE/62zlDeAZeHrOvlrjWKAjgctUsa12u/kABwgitK2CxmUGy1Nl4GW5XYhotT+ZLjFTXPly3AzcJwiTCpyrZybr8Oh9HvTHCI2e6kfjtPa8K3zSvU39WrSwcPAkvUC4tQBtemHmzXqkFEHHAuja4D3JbhaCMlPbN3miI3pId0YpRabYHT2LimHxtlaSMtpxUy7J3Hjp+5+v+AJmJGHHcCguZ7O6yGz27pWoC8S5OqVtjzOObrJpxSge0xH/WYzwcFfBN4FTEXq8BfInU8XuAEdTkJYgbm2ysH1RQPKbvx5szrIbZBcEkzv2orXAIRNdKgkFCs= Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: 6b0bbfbe-bd07-4ff6-66d6-08d6fa04d3a6 X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jun 2019 07:06:35.5815 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: akhil.goyal@nxp.com X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR04MB6413 Subject: Re: [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: fix not working inline ipsec modes X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Marius, >=20 > Hi, >=20 > About your comments: >=20 > 1) I used macros around sa->flags where it was needed. Not all checks for= that > set of flags use information if it is transport mode. As for macro > WITHOUT_TRANSPORT_VERSION, it was set only for checks that required > information from set of flags without taking into account new transport f= lags -> > I can set it in more places (like initialization stage), but I do not see= a point of > that, besides being uniform. I think it would be better if we are adding certain flags to simplify code,= we should add In all the checks. I can see that in single if else sequence there are 2 different ways to che= ck for the values Of sa->flags. I think that this can be avoided. >=20 > 2) WITHOUT_TRANSPORT_VERSION is a macro which masks sa->flags as they > were before change. It cuts newly proposed flags for transport mode, so > behavior of switches, where such flags were used before as variable, is > unchanged. I will provide a comment to the macro. >=20 > I will provide patch as soon as possible (probably tomorrow). >=20 > Kind regards, > Mariusz Drost. >=20 > -----Original Message----- > From: Akhil Goyal [mailto:akhil.goyal@nxp.com] > Sent: Tuesday, June 25, 2019 3:15 PM > To: Akhil Goyal ; Drost, MariuszX > ; Nicolau, Radu ; Lu, > Wenzhuo ; Ananyev, Konstantin > > Cc: dev@dpdk.org > Subject: RE: [PATCH 2/2] examples/ipsec-secgw: fix not working inline ips= ec > modes >=20 > Hi Marius, >=20 > Could you please send the updated patch soon, so that they can be applied > before RC1. >=20 > Thanks, > Akhil >=20 > > > > Hi Marius, > > > > > > > Application ipsec-secgw is not working for IPv4 transport mode and > > > for > > > IPv6 both transport and tunnel mode. > > > > > > IPv6 tunnel mode is not working due to wrongly assigned fields of > > > security association patterns, as it was IPv4, during creation of > > > inline crypto session. > > > > > > IPv6 and IPv4 transport mode is iterating through security > > > capabilities until it reaches tunnel, which causes session to be > > > created as tunnel, instead of transport. Another issue, is that > > > config file does not provide source and destination ip addresses for > > > transport mode, which are required by NIC to perform inline crypto. > > > It uses default addresses stored in security association (all > > > zeroes), which causes dropped packages. > > > > > > To fix that, reorganization of code in create_session() is needed, > > > to behave appropriately to given protocol (IPv6/IPv4). Change in > > > iteration through security capabilities is also required, to check > > > for expected mode (not only tunnel). > > > > > > For lack of addresses issue, some resolving mechanism is needed. > > > Approach is to store addresses in security association, as it is for > > > tunnel mode. Difference is that they are obtained from sp rules, > > > instead of config file. To do that, sp[4/6]_spi_present() function > > > is used to find addresses based on spi value, and then stored in > > > corresponding sa rule. This approach assumes, that every sp rule for > > > inline crypto have valid addresses, as well as range of addresses is > > > not supported. > > > > > > New flags for ipsec_sa structure are required to distinguish between > > > IPv4 and IPv6 transport modes. Because of that, there is need to > > > change all checks done on these flags, so they work as expected. > > > > > > Fixes: ec17993a145a ("examples/ipsec-secgw: support security > > > offload") > > > Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec") > > > > > This is a very well written description. Thanks. This helps in review o= f the patch. > > > > I have a few small comments, rest all is fine. > > > > > Signed-off-by: Mariusz Drost > > > --- > > > examples/ipsec-secgw/esp.c | 12 +-- > > > examples/ipsec-secgw/ipsec.c | 19 +++-- > > > examples/ipsec-secgw/ipsec.h | 21 +++++- > > > examples/ipsec-secgw/sa.c | 142 ++++++++++++++++++++++++++-------= -- > > > examples/ipsec-secgw/sp4.c | 24 +++++- > > > examples/ipsec-secgw/sp6.c | 42 ++++++++++- > > > 6 files changed, 205 insertions(+), 55 deletions(-) > > > > > > diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c > > > index f11d095ba..764e08dcf 100644 > > > --- a/examples/ipsec-secgw/esp.c > > > +++ b/examples/ipsec-secgw/esp.c > > > @@ -192,7 +192,7 @@ esp_inbound_post(struct rte_mbuf *m, struct > > > ipsec_sa *sa, > > > } > > > } > > > > > > - if (unlikely(sa->flags =3D=3D TRANSPORT)) { > > > + if (unlikely(IS_TRANSPORT(sa->flags))) { > > > ip =3D rte_pktmbuf_mtod(m, struct ip *); > > > ip4 =3D (struct ip *)rte_pktmbuf_adj(m, > > > sizeof(struct rte_esp_hdr) + sa->iv_len); @@ - > 233,13 +233,13 @@ > > > esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, > > > > > > ip4 =3D rte_pktmbuf_mtod(m, struct ip *); > > > if (likely(ip4->ip_v =3D=3D IPVERSION)) { > > > - if (unlikely(sa->flags =3D=3D TRANSPORT)) { > > > + if (unlikely(IS_TRANSPORT(sa->flags))) { > > > ip_hdr_len =3D ip4->ip_hl * 4; > > > nlp =3D ip4->ip_p; > > > } else > > > nlp =3D IPPROTO_IPIP; > > > } else if (ip4->ip_v =3D=3D IP6_VERSION) { > > > - if (unlikely(sa->flags =3D=3D TRANSPORT)) { > > > + if (unlikely(IS_TRANSPORT(sa->flags))) { > > > /* XXX No option headers supported */ > > > ip_hdr_len =3D sizeof(struct ip6_hdr); > > > ip6 =3D (struct ip6_hdr *)ip4; > > > @@ -258,13 +258,13 @@ esp_outbound(struct rte_mbuf *m, struct > > > ipsec_sa *sa, > > > pad_len =3D pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m); > > > > > > RTE_ASSERT(sa->flags =3D=3D IP4_TUNNEL || sa->flags =3D=3D IP6_TUNN= EL || > > > - sa->flags =3D=3D TRANSPORT); > > > + IS_TRANSPORT(sa->flags)); > > I can see that at multiple places, sa->flags are accessed without your > > defined macros. Could you please update this at all places, so that it > > will be uniform across the application. > > > > > > > > if (likely(sa->flags =3D=3D IP4_TUNNEL)) > > > ip_hdr_len =3D sizeof(struct ip); > > > else if (sa->flags =3D=3D IP6_TUNNEL) > > > ip_hdr_len =3D sizeof(struct ip6_hdr); > > > - else if (sa->flags !=3D TRANSPORT) { > > > + else if (!IS_TRANSPORT(sa->flags)) { > > > RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n", > > > sa->flags); > > > return -EINVAL; > > > @@ -291,7 +291,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa > *sa, > > > rte_prefetch0(padding); > > > } > > > > > > - switch (sa->flags) { > > > + switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) { > > I do not get the intent of this macro " WITHOUT_TRANSPORT_VERSION ". > > could you explain this in comments or some better name of the macro. > > > > > case IP4_TUNNEL: > > > ip4 =3D ip4ip_outbound(m, sizeof(struct rte_esp_hdr) + sa->iv_len, > > > &sa->src, &sa->dst); > > > > > > Regards, > > Akhil