From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id B6F09A0563; Wed, 15 Apr 2020 20:59:59 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 937441D9D1; Wed, 15 Apr 2020 20:59:59 +0200 (CEST) Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80057.outbound.protection.outlook.com [40.107.8.57]) by dpdk.org (Postfix) with ESMTP id 97F721D97C for ; Wed, 15 Apr 2020 20:59:58 +0200 (CEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oKnb5Rm1S8n2HrtMSGkNq+ThRBnqnHjMU0pYGpeCJ3FVP94zuUHssI/4eQ228faKDiOl9oSHe2+VbTAO3ywgMvwPhL5E3WHZmPyeTgWuuJPoAqR9gEK5tUnUt7RfdHel50EYsZmmCp/ZubVVQN9zfADnlkbU03n2UGwctsNl9nkzrN6N+HiGr0ArYc/yEQywV43Y7bnzyBZYFejUJoD5Lpk8QJB1PNneLw3VDzIRcrH8ffJyB5ivjczkhPZXus1XnXXl6OtOA07t5lBdGSjqF/mCxoV/j53KWHbzefJT+MDkMlJTfCdMVlfVcBo/wOgiBXOdlSKe7c66Fcyk8qMnqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=edHuxTRxl/P0qk2SOJTPrE2U+581/lEg3Yzp+Fbi544=; b=LzrBh7hgIYPzE+BHUEiw74pwVnvForDuUHuTyTOEe90dFjjgXZKREIB+nl5/7l0xQmj2RRjpgMvbVKHDpTQjAWjq5O9IYTpKzVHigI13SCdEXDEPZSXmSirKQUvCWgeLuacVhXcvSTEXV4j1pxmUHZieOOVq9zmMgpIKGVLazt9Lw+PorHmRZdfdsWD2qR6Rkdc51Yh3FTqAt19qKX8BksUIcV9eLtaBdieH0eT307oMZiZRR47C63vrmcXgTvUPaHDi2oPBEyTTNVc5PEzetPxBdeB291C8bwGKKJA8GKYN7C3x9X7fICYtYIN7vMTMTz/QwBsDU9G6Phz80tZABA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nxp.com; dmarc=pass action=none header.from=nxp.com; dkim=pass header.d=nxp.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=edHuxTRxl/P0qk2SOJTPrE2U+581/lEg3Yzp+Fbi544=; b=chUETWU9Mn0Jxuw1fcmU74REHe2i6FdEV0kAUGX3jcpx2WquokIBaTabAJYnJDN7GdjHPWmv1J6OhkrvtYH4Kc3sb2OWt5RUaA7Nm8AnblVt5bryq2Z2UKAmbTNPx28FzDzt+U2ZI51F8kLSL1zf/g6FzQdagcvRLDl9Mm7ZDw0= Received: from VI1PR04MB3168.eurprd04.prod.outlook.com (2603:10a6:802:6::10) by VI1PR04MB5518.eurprd04.prod.outlook.com (2603:10a6:803:d2::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2900.17; Wed, 15 Apr 2020 18:59:57 +0000 Received: from VI1PR04MB3168.eurprd04.prod.outlook.com ([fe80::8c03:2f5:3b48:ba74]) by VI1PR04MB3168.eurprd04.prod.outlook.com ([fe80::8c03:2f5:3b48:ba74%7]) with mapi id 15.20.2900.028; Wed, 15 Apr 2020 18:59:57 +0000 From: Akhil Goyal To: Praveen Shetty , "dev@dpdk.org" , "declan.doherty@intel.com" , "anoobj@marvell.com" CC: "bernard.iremonger@intel.com" , "konstantin.ananyev@intel.com" Thread-Topic: [PATCH v5] examples/ipsec-secgw: support flow director feature Thread-Index: AQHWDlcHrvq0X1Dsi0GuUU1+xw7hGKh6jg5A Date: Wed, 15 Apr 2020 18:59:57 +0000 Message-ID: References: <20200408141342.29573-1-praveen.shetty@intel.com> <20200409100950.37292-1-praveen.shetty@intel.com> In-Reply-To: <20200409100950.37292-1-praveen.shetty@intel.com> Accept-Language: en-IN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=akhil.goyal@nxp.com; x-originating-ip: [45.118.166.69] x-ms-publictraffictype: Email x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: 32facf37-0695-40f5-6f4b-08d7e16f30d4 x-ms-traffictypediagnostic: VI1PR04MB5518: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:655; x-forefront-prvs: 0374433C81 x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR04MB3168.eurprd04.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(136003)(346002)(376002)(366004)(39860400002)(396003)(8676002)(66556008)(7696005)(30864003)(478600001)(186003)(64756008)(66446008)(66946007)(8936002)(81156014)(76116006)(86362001)(66476007)(44832011)(2906002)(4326008)(110136005)(9686003)(33656002)(54906003)(6506007)(52536014)(55016002)(71200400001)(316002)(5660300002)(26005); DIR:OUT; SFP:1101; received-spf: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: O3W+WLBsaY2vXC+zQv3wiaY8vxigLZDOhuXw/5ZlUXWXDWjLy7Fr8vyj7VeRaV4/yrQoDMIsf59SvH6KXFmuqWsPvTczemQ4Lryhv6K6HAQDP6PM59OELlMQknMzP9VAspXiw78Q23VzvbE8GsBLDFl7RLVFkX8TPGTd/EAgq0+6wRcb44Bafoio64NTQmbGb418Ef/WYw3RtAUG9xmf1C2rWBdO7wR5QjKPhglcBq0hUadK/SY5jkRQl4P4tALihfRr1vIMDXt5wJ9K0zniZfCs4iDtpxuBimV9gdohcSvEEbmiMgSh5rIlvfgO/Ne/i4+piD8jTu2j+w//jUE5/R+Dr+Xbr2GgB8+qA2H4HJxAmokFyeqGzY5k2nd11bJ27LWdB6t9P8tLK8f7IbmAVJ2EZd08jLJmNc7tQ0kIXFqEAL2bUAlw4MAfc5wBLQ95 x-ms-exchange-antispam-messagedata: L5cEfaPAbhy9NG3zOp4+o3N384dShIKABpSZk56zDEaDYGt93eOnWkTknCSezOMeGU2Nvp5c5T6rlPwq1nQEAvbVvVxwkCde5KPvbMXKwG50jEVkBBGOXHCE/oJ4rGMSpUShNiO04MZrhev50PSACg== x-ms-exchange-transport-forked: True Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: 32facf37-0695-40f5-6f4b-08d7e16f30d4 X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Apr 2020 18:59:57.2033 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: /lEm8WY9myy2DjzIJDdDMbm4c55Dyrl4zKmTkO3CQI1QsQrdf/FuZnzxSPHLTEeQ/3HFkqFMoMpTxSINlayUyg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB5518 Subject: Re: [dpdk-dev] [PATCH v5] examples/ipsec-secgw: support flow director feature X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Praveen, >=20 > Support load distribution in security gateway application using > NIC load distribution feature(Flow Director). > Flow Director is used to redirect the specified inbound ipsec flow > to a specified queue.This is achieved by extending the SA rule syntax > to support specification by adding new action_type of > to a specified . >=20 > Signed-off-by: Praveen Shetty Please fix a few minor comments below. Apart from that, Acked-by: Akhil Goyal > --- > v5 changes: > Small change in condtional handling in sa.c file. >=20 > v4 changes: > 1. Removed flow director configuration changes as they are not > required anymore. > 2. Addressed all the review comments from Akhil and Anoob. > 3. Included update to the ipsec-secgw user guide and update to release no= tes. >=20 > doc/guides/rel_notes/release_20_05.rst | 4 ++ > doc/guides/sample_app_ug/ipsec_secgw.rst | 16 ++++++ > examples/ipsec-secgw/ep0.cfg | 11 ++++ > examples/ipsec-secgw/ipsec-secgw.c | 22 ++++++++ > examples/ipsec-secgw/ipsec.c | 67 ++++++++++++++++++++++++ > examples/ipsec-secgw/ipsec.h | 7 +++ > examples/ipsec-secgw/sa.c | 63 ++++++++++++++++++++-- > 7 files changed, 186 insertions(+), 4 deletions(-) >=20 > diff --git a/doc/guides/rel_notes/release_20_05.rst > b/doc/guides/rel_notes/release_20_05.rst > index 6b1a7c58c..a9ec163cf 100644 > --- a/doc/guides/rel_notes/release_20_05.rst > +++ b/doc/guides/rel_notes/release_20_05.rst > @@ -81,6 +81,10 @@ New Features > by making use of the event device capabilities. The event mode current= ly > supports > only inline IPsec protocol offload. >=20 > +* **Updated ipsec-secgw application.** > + > + Added IPsec inbound load-distribution support for ipsec-secgw applicat= ion > using NIC > + load distribution feature(Flow Director). There is one more item in release notes for ipsec-secgw for event mode. You should add a bullet in that for this feature. >=20 > Removed Items > ------------- > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst > b/doc/guides/sample_app_ug/ipsec_secgw.rst > index 038f593f4..12f921d76 100644 > --- a/doc/guides/sample_app_ug/ipsec_secgw.rst > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst > @@ -506,6 +506,7 @@ The SA rule syntax is shown as follows: >=20 > sa > > + >=20 > where each options means: >=20 > @@ -698,6 +699,18 @@ where each options means: >=20 > * *fallback lookaside-none* >=20 > +```` > + > + * Action type is for redirecting the specific inbound ipsec-flow to > + a specified queue. Flow direction is not an action type. You can re-phrase it as Option for redirecting a specific inbound ipsec flow of a port to a specifi= c queue of that port.=20 > + > + * Optional: Yes. > + > + * Available options: > + > + * *port_id*: Port ID of the NIC for which the SA is configured. > + * *queue_id*: Queue ID to which traffic should be redirected. > + > Example SA rules: >=20 > .. code-block:: console > @@ -727,6 +740,9 @@ Example SA rules: > mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 \ > type inline-crypto-offload port_id 0 >=20 > + sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src 172.1= 6.2.7 \ > + dst 172.16.1.7 flow-direction 0 2 > + > Routing rule syntax > ^^^^^^^^^^^^^^^^^^^ >=20 > diff --git a/examples/ipsec-secgw/ep0.cfg b/examples/ipsec-secgw/ep0.cfg > index dfd4aca7d..6f8d5aa53 100644 > --- a/examples/ipsec-secgw/ep0.cfg > +++ b/examples/ipsec-secgw/ep0.cfg > @@ -29,6 +29,7 @@ sp ipv4 in esp protect 111 pri 1 dst 192.168.186.0/24 s= port > 0:65535 dport 0:6553 > sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dpor= t > 0:65535 > sp ipv4 in esp protect 116 pri 1 dst 192.168.211.0/24 sport 0:65535 dpor= t > 0:65535 > sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dpor= t > 0:65535 > +sp ipv4 in esp protect 117 pri 1 dst 192.168.212.0/24 sport 0:65535 dpor= t > 0:65535 > sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport= 0:65535 > sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport= 0:65535 > sp ipv4 in esp protect 126 pri 1 dst 192.168.66.0/24 sport 0:65535 dport= 0:65535 > @@ -61,6 +62,8 @@ sp ipv6 in esp protect 125 pri 1 dst > ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96 > sport 0:65535 dport 0:65535 > sp ipv6 in esp protect 126 pri 1 dst > ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \ > sport 0:65535 dport 0:65535 > +sp ipv6 in esp protect 127 pri 1 dst > ffff:0000:0000:0000:cccc:dddd:0000:0000/96 \ > +sport 0:65535 dport 0:65535 >=20 > #SA rules > sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:= 0:0 \ > @@ -118,6 +121,9 @@ dst 172.16.1.5 >=20 > sa in 116 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.= 6 dst > 172.16.1.6 >=20 > +sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.= 7 \ > +dst 172.16.1.7 flow-direction 0 2 > + > sa in 125 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:= c3:c3:\ > c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key > c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\ > c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \ > @@ -130,6 +136,11 @@ sa in 126 cipher_algo aes-128-cbc cipher_key > 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\ > src 2222:2222:2222:2222:2222:2222:2222:6666 \ > dst 1111:1111:1111:1111:1111:1111:1111:6666 >=20 > +sa in 127 cipher_algo null auth_algo null mode ipv6-tunnel \ > +src 2222:2222:2222:2222:2222:2222:2222:7777 \ > +dst 1111:1111:1111:1111:1111:1111:1111:7777 \ > +flow-direction 0 3 > + > #Routing rules > rt ipv4 dst 172.16.2.5/32 port 0 > rt ipv4 dst 172.16.2.6/32 port 1 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > secgw/ipsec-secgw.c > index 5fde4f728..6d02341de 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -1183,6 +1183,28 @@ ipsec_poll_mode_worker(void) > } > } >=20 > +int > +check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid) > +{ > + uint16_t i; > + uint16_t portid; > + uint8_t queueid; > + > + for (i =3D 0; i < nb_lcore_params; ++i) { > + portid =3D lcore_params_array[i].port_id; > + if (portid =3D=3D fdir_portid) { > + queueid =3D lcore_params_array[i].queue_id; > + if (queueid =3D=3D fdir_qid) > + break; > + } > + > + if (i =3D=3D nb_lcore_params - 1) > + return -1; > + } > + > + return 1; > +} > + > static int32_t > check_poll_mode_params(struct eh_conf *eh_conf) > { > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index d40657102..461fae461 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -418,6 +418,73 @@ create_inline_session(struct socket_ctx *skt_ctx, > struct ipsec_sa *sa, > return 0; > } >=20 > +int > +create_ipsec_esp_flow(struct ipsec_sa *sa) > +{ > + int ret =3D 0; > + struct rte_flow_error err; > + if (sa->direction =3D=3D RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { > + RTE_LOG(ERR, IPSEC, > + "No Flow director rule for Egress traffic\n"); > + return -1; > + } > + if (sa->flags =3D=3D TRANSPORT) { > + RTE_LOG(ERR, IPSEC, > + "No Flow director rule for transport mode\n"); > + return -1; > + } > + sa->action[0].type =3D RTE_FLOW_ACTION_TYPE_QUEUE; > + sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; > + sa->action[0].conf =3D > + &(struct rte_flow_action_queue){ > + .index =3D sa->fdir_qid, > + }; Unnecessary line break, spacing before '{' > + sa->attr.egress =3D 0; > + sa->attr.ingress =3D 1; > + if (IS_IP6(sa->flags)) { > + sa->pattern[1].mask =3D &rte_flow_item_ipv6_mask; > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV6; > + sa->pattern[1].spec =3D &sa->ipv6_spec; > + memcpy(sa->ipv6_spec.hdr.dst_addr, > + sa->dst.ip.ip6.ip6_b, sizeof(sa->dst.ip.ip6.ip6_b)); > + memcpy(sa->ipv6_spec.hdr.src_addr, > + sa->src.ip.ip6.ip6_b, sizeof(sa->src.ip.ip6.ip6_b)); > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > + sa->pattern[2].spec =3D &sa->esp_spec; > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > + } else if (IS_IP4(sa->flags)) { > + sa->pattern[1].mask =3D &rte_flow_item_ipv4_mask; > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > + sa->pattern[1].spec =3D &sa->ipv4_spec; > + sa->ipv4_spec.hdr.dst_addr =3D sa->dst.ip.ip4; > + sa->ipv4_spec.hdr.src_addr =3D sa->src.ip.ip4; > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > + sa->pattern[2].spec =3D &sa->esp_spec; > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > + } > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; > + > + ret =3D rte_flow_validate(sa->portid, &sa->attr, sa->pattern, sa->actio= n, > + &err); > + if (ret < 0) { > + RTE_LOG(ERR, IPSEC, "Flow validation failed %s\n", > err.message); > + return ret; > + } > + > + sa->flow =3D rte_flow_create(sa->portid, &sa->attr, sa->pattern, > + sa->action, &err); > + if (!sa->flow) { > + RTE_LOG(ERR, IPSEC, "Flow creation failed %s\n", err.message); > + return -1; > + } > + > + return 0; > +} > + > /* > * queue crypto-ops into PMD queue. > */ > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > index f8f29f9b1..1790a93ca 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -144,6 +144,8 @@ struct ipsec_sa { > }; > enum rte_security_ipsec_sa_direction direction; > uint16_t portid; > + uint8_t fdir_qid; > + uint8_t fdir_flag; >=20 > #define MAX_RTE_FLOW_PATTERN (4) > #define MAX_RTE_FLOW_ACTIONS (3) > @@ -408,5 +410,10 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx= , > struct ipsec_sa *sa, > int > create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, > struct rte_ipsec_session *ips); > +int > +check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid); > + > +int > +create_ipsec_esp_flow(struct ipsec_sa *sa); >=20 > #endif /* __IPSEC_H__ */ > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index a6bf5e8b1..06bb25b3e 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -271,6 +271,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > uint32_t type_p =3D 0; > uint32_t portid_p =3D 0; > uint32_t fallback_p =3D 0; > + int16_t status_p =3D 0; >=20 > if (strcmp(tokens[0], "in") =3D=3D 0) { > ri =3D &nb_sa_in; > @@ -295,6 +296,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > if (atoi(tokens[1]) =3D=3D INVALID_SPI) > return; > rule->spi =3D atoi(tokens[1]); > + rule->portid =3D UINT16_MAX; > ips =3D ipsec_get_primary_session(rule); >=20 > for (ti =3D 2; ti < n_tokens; ti++) { > @@ -636,9 +638,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > INCREMENT_TOKEN_INDEX(ti, n_tokens, status); > if (status->status < 0) > return; > - rule->portid =3D atoi(tokens[ti]); > - if (status->status < 0) > + if (rule->portid =3D=3D UINT16_MAX) > + rule->portid =3D atoi(tokens[ti]); > + else if (rule->portid !=3D atoi(tokens[ti])) { > + APP_CHECK(0, status, "portid %s not matching > " > + "with already assigned portid %u", > + tokens[ti], rule->portid); Please do not split strings which are printed as the output on console. It will make it difficult to grep while debugging. > return; > + } > portid_p =3D 1; > continue; > } > @@ -683,6 +690,44 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > fallback_p =3D 1; > continue; > } > + if (strcmp(tokens[ti], "flow-direction") =3D=3D 0) { > + if (ips->type =3D=3D > + RTE_SECURITY_ACTION_TYPE_NONE || > + ips->type =3D=3D > + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { The code is not readable here. Either a switch case or a separate function if the indentation it going bey= ond. > + rule->fdir_flag =3D 1; > + INCREMENT_TOKEN_INDEX(ti, n_tokens, > status); > + if (status->status < 0) > + return; > + if (rule->portid =3D=3D UINT16_MAX) > + rule->portid =3D atoi(tokens[ti]); > + else if (rule->portid !=3D atoi(tokens[ti])) { > + APP_CHECK(0, status, "portid %s " > + "not matching with already " > + "assigned portid %u", > + tokens[ti], rule->portid); Same here, do not split strings which are printed. You should have the complete string on a separate line. Checkpatch will not= trouble for more than 80. > + return; > + } > + INCREMENT_TOKEN_INDEX(ti, n_tokens, > status); > + if (status->status < 0) > + return; > + rule->fdir_qid =3D atoi(tokens[ti]); > + /* validating portid and queueid */ > + status_p =3D check_flow_params(rule->portid, > + rule->fdir_qid); > + if (status_p < 0) { > + printf("port id %u / queue id %u is " > + "not valid\n", rule->portid, > + rule->fdir_qid); > + } > + } else { > + APP_CHECK(0, status, "flow director not " > + "supported for security session " > + "type:%d", ips->type); > + return; > + } > + continue; > + } >=20 > /* unrecognizeable input */ > APP_CHECK(0, status, "unrecognized input \"%s\"", > @@ -721,7 +766,6 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > if (!type_p || (!portid_p && ips->type !=3D > RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) { > ips->type =3D RTE_SECURITY_ACTION_TYPE_NONE; > - rule->portid =3D -1; > } >=20 > *ri =3D *ri + 1; > @@ -806,7 +850,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbo= und) > printf("lookaside-protocol-offload "); > break; > case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO: > - printf("cpu-crypto-accelerated"); > + printf("cpu-crypto-accelerated "); > break; > } >=20 > @@ -825,6 +869,10 @@ print_one_sa_rule(const struct ipsec_sa *sa, int > inbound) > break; > } > } > + if (sa->fdir_flag =3D=3D 1) > + printf("flow-direction port %d queue %d", sa->portid, > + sa->fdir_qid); > + > printf("\n"); > } >=20 > @@ -1143,6 +1191,13 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct > ipsec_sa entries[], > } > } >=20 > + if (sa->fdir_flag && inbound) { > + rc =3D create_ipsec_esp_flow(sa); > + if (rc !=3D 0) > + RTE_LOG(ERR, IPSEC_ESP, > + "create_ipsec_esp_flow() failed %s\n", > + strerror(rc)); > + } > print_one_sa_rule(sa, inbound); > } >=20 > -- > 2.17.1