From: Anoob <anoob.joseph@caviumnetworks.com>
To: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
Cc: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>,
Radu Nicolau <radu.nicolau@intel.com>,
dev@dpdk.org,
Narayana Prasad <narayanaprasad.athreya@caviumnetworks.com>,
Jerin Jacob <jerin.jacob@caviumnetworks.com>
Subject: Re: [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add target queues in flow actions
Date: Thu, 30 Nov 2017 16:16:23 +0530 [thread overview]
Message-ID: <b7f4aecb-cbd6-e8e4-3061-2993be5de944@caviumnetworks.com> (raw)
In-Reply-To: <20171129125045.lqfs6xmqradolz4x@laranjeiro-vm.dev.6wind.com>
Hi Nelio,
Please see inline.
Thanks,
Anoob
On 11/29/2017 06:20 PM, Nelio Laranjeiro wrote:
> Hi Anoob,
>
> On Wed, Nov 29, 2017 at 06:00:38PM +0530, Anoob wrote:
>> Hi Nelio,
>>
>> Since support of RSS with inline crypto/protocol is hardware
>> implementation dependent, it would be better if there is some sort of
>> capability check before setting the flow parameters in the application.
>>
>> If the hardware doesn't support RSS with inline processing, then the RSS
>> flow action will have to be ignored in the driver. This wouldn't look
>> right from application's point of view. And also the PMD would need
>> application-specific logic to handle such cases, which may not scale well.
> There is a real issue here, RTE_FLOW API needs a terminal action, security is
> not one [1] you must have one of the followings: QUEUE, DROP, RSS, PF,
> VF or PASSTHRU.
>
> Flow API does not work with "capabilities" as the application can verify
> the rule using the validate(). If it cannot be validated the
> application can test another kind of rule until the PMD returns a
> success.
>
> Here, I am proposing the RSS as RSS with a single queue is equivalent to queue.
>
> On Mellanox NIC we need the RSS or QUEUE in ingress and for Egress PASSTHRU
> is good.
>
> What are your needs?
Thanks for the clarification. Understood the issue here. On Cavium
hardware SECURITY will be terminating. So a better approach would be to
first check from the application (using rte_flow_verify()) if SECURITY
is terminating action. If it fails, then application can do RSS/QUEUE.
That should solve the issue.
>
> Regards,
>
>> Thanks,
>> Anoob
>>
>> On 11/23/2017 08:42 PM, Nelio Laranjeiro wrote:
>>
>> Mellanox INNOVA NIC needs to have final target queue actions to perform
>> inline crypto.
>>
>> Signed-off-by: Nelio Laranjeiro [1]<nelio.laranjeiro@6wind.com>
>> ---
>> examples/ipsec-secgw/ipsec.c | 27 ++++++++++++++++++++++++++-
>> examples/ipsec-secgw/ipsec.h | 2 +-
>> 2 files changed, 27 insertions(+), 2 deletions(-)
>>
>> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
>> index 17bd7620d..e967f88b3 100644
>> --- a/examples/ipsec-secgw/ipsec.c
>> +++ b/examples/ipsec-secgw/ipsec.c
>> @@ -142,6 +142,22 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
>> rte_eth_dev_get_sec_ctx(
>> sa->portid);
>> const struct rte_security_capability *sec_cap;
>> + uint8_t rss_key[40];
>> + struct rte_eth_rss_conf rss_conf = {
>> + .rss_key = rss_key,
>> + .rss_key_len = 40,
>> + };
>> + struct rte_eth_dev *eth_dev;
>> + union {
>> + struct rte_flow_action_rss rss;
>> + struct {
>> + const struct rte_eth_rss_conf *rss_conf;
>> + uint16_t num;
>> + uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
>> + } local;
>> + } action_rss;
>> + unsigned int i;
>> + unsigned int j;
>>
>> sa->sec_session = rte_security_session_create(ctx,
>> &sess_conf, ipsec_ctx->session_pool);
>> @@ -201,7 +217,16 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
>> sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
>> sa->action[0].conf = sa->sec_session;
>>
>> - sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
>> + sa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;
>> + sa->action[1].conf = &action_rss;
>> + eth_dev = ctx->device;
>> + rte_eth_dev_rss_hash_conf_get(sa->portid, &rss_conf);
>> + for (i = 0, j = 0; i < eth_dev->data->nb_rx_queues; ++i)
>> + if (eth_dev->data->rx_queues[i])
>> + action_rss.local.queue[j++] = i;
>> + action_rss.local.num = j;
>> + action_rss.local.rss_conf = &rss_conf;
>> + sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
>>
>> sa->attr.egress = (sa->direction ==
>> RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
>> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
>> index 775b316ff..82ffc1c6d 100644
>> --- a/examples/ipsec-secgw/ipsec.h
>> +++ b/examples/ipsec-secgw/ipsec.h
>> @@ -133,7 +133,7 @@ struct ipsec_sa {
>> uint32_t ol_flags;
>>
>> #define MAX_RTE_FLOW_PATTERN (4)
>> -#define MAX_RTE_FLOW_ACTIONS (2)
>> +#define MAX_RTE_FLOW_ACTIONS (4)
>> struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
>> struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
>> struct rte_flow_attr attr;
>>
>> References
>>
>> Visible links
>> 1. mailto:nelio.laranjeiro@6wind.com
> [1] http://dpdk.org/doc/guides/prog_guide/rte_flow.html?highlight=rte_flow#actions
>
next prev parent reply other threads:[~2017-11-30 10:46 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-23 15:12 [dpdk-dev] [PATCH 1/2] examples/ipsec-secgw: fix missing ingress flow attribute Nelio Laranjeiro
2017-11-23 15:12 ` [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add target queues in flow actions Nelio Laranjeiro
2017-11-29 12:30 ` Anoob
2017-11-29 12:50 ` Nelio Laranjeiro
2017-11-30 10:46 ` Anoob [this message]
2017-11-30 12:28 ` Nelio Laranjeiro
2017-12-01 15:04 ` Anoob Joseph
2017-12-01 16:26 ` Nelio Laranjeiro
2017-12-04 14:11 ` [dpdk-dev] [PATCH v2 1/2] examples/ipsec-secgw: fix missing ingress flow attribute Nelio Laranjeiro
2017-12-11 11:50 ` Radu Nicolau
2017-12-04 14:11 ` [dpdk-dev] [PATCH v2 2/2] examples/ipsec-secgw: add target queues in flow actions Nelio Laranjeiro
2017-12-07 9:47 ` Anoob
2017-12-07 12:22 ` Nelio Laranjeiro
2017-12-08 14:00 ` Anoob
2017-12-08 14:40 ` Nelio Laranjeiro
2017-12-08 16:40 ` Anoob Joseph
2017-12-11 8:21 ` Nelio Laranjeiro
2017-12-11 9:00 ` Anoob
2017-12-11 14:04 ` [dpdk-dev] [PATCH v3 1/2] examples/ipsec-secgw: fix missing ingress flow attribute Nelio Laranjeiro
2017-12-12 7:14 ` Anoob Joseph
2017-12-11 14:04 ` [dpdk-dev] [PATCH v3 2/2] examples/ipsec-secgw: add target queues in flow actions Nelio Laranjeiro
2017-12-12 12:43 ` Anoob Joseph
2017-12-12 13:44 ` Nelio Laranjeiro
2017-12-12 14:04 ` Anoob Joseph
2017-12-12 14:38 ` Nelio Laranjeiro
2017-12-13 6:41 ` Anoob Joseph
2017-12-13 10:02 ` Nelio Laranjeiro
2017-12-13 11:38 ` Anoob Joseph
2017-12-13 12:53 ` Nelio Laranjeiro
2017-12-13 13:53 ` Anoob Joseph
2017-12-13 14:47 ` Nelio Laranjeiro
2017-12-20 16:19 ` Boris Pismenny
2017-12-21 8:06 ` Anoob Joseph
2017-12-21 10:12 ` Boris Pismenny
2017-12-21 14:22 ` Adrien Mazarguil
2018-01-05 6:18 ` Anoob Joseph
2018-01-09 12:48 ` Nelio Laranjeiro
2018-01-10 6:21 ` Anoob Joseph
2018-01-05 5:52 ` Anoob Joseph
2017-12-14 15:14 ` [dpdk-dev] [PATCH v4 1/3] examples/ipsec-secgw: fix missing ingress flow attribute Nelio Laranjeiro
2017-12-14 15:14 ` [dpdk-dev] [PATCH v4 2/3] examples/ipsec-secgw: add target queues in flow actions Nelio Laranjeiro
2017-12-18 8:23 ` Anoob Joseph
2017-12-18 9:57 ` Nélio Laranjeiro
2017-12-14 15:14 ` [dpdk-dev] [PATCH v4 3/3] examples/ipsec-secgw: add Egress " Nelio Laranjeiro
2017-12-15 9:05 ` Anoob Joseph
2017-12-15 13:53 ` Nelio Laranjeiro
2017-12-15 15:39 ` Anoob Joseph
2017-12-15 16:53 ` Nelio Laranjeiro
2017-12-15 17:01 ` Anoob Joseph
2017-12-18 10:24 ` [dpdk-dev] [PATCH v5 1/3] examples/ipsec-secgw: fix missing ingress flow attribute Nelio Laranjeiro
2018-01-18 14:50 ` De Lara Guarch, Pablo
2017-12-18 10:24 ` [dpdk-dev] [PATCH v5 2/3] examples/ipsec-secgw: add target queues in flow actions Nelio Laranjeiro
2017-12-19 6:22 ` Anoob Joseph
2017-12-18 10:24 ` [dpdk-dev] [PATCH v5 3/3] examples/ipsec-secgw: add Egress " Nelio Laranjeiro
2018-01-08 16:13 ` De Lara Guarch, Pablo
2018-01-16 16:12 ` Nicolau, Radu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b7f4aecb-cbd6-e8e4-3061-2993be5de944@caviumnetworks.com \
--to=anoob.joseph@caviumnetworks.com \
--cc=dev@dpdk.org \
--cc=jerin.jacob@caviumnetworks.com \
--cc=narayanaprasad.athreya@caviumnetworks.com \
--cc=nelio.laranjeiro@6wind.com \
--cc=radu.nicolau@intel.com \
--cc=sergio.gonzalez.monroy@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).