From: Yuanhan Liu
To: Anoob Joseph
Cc: Akhil Goyal, Radu Nicolau, dpdk stable
Date: Wed, 24 Jan 2018 23:33:25 +0800
Message-Id: <1516808026-25523-137-git-send-email-yliu@fridaylinux.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1516808026-25523-1-git-send-email-yliu@fridaylinux.org>
References: <1516808026-25523-1-git-send-email-yliu@fridaylinux.org>
Subject: [dpdk-stable] patch 'examples/ipsec-secgw: fix usage of incorrect port' has been queued to LTS release 17.11.1
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to LTS release 17.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 01/26/18. So please
shout if anyone has objections.

Thanks.

--yliu

---
From 24c54aaf0970b969bddea44485d6ea7180e37dee Mon Sep 17 00:00:00 2001
From: Anoob Joseph
Date: Tue, 12 Dec 2017 08:32:25 +0000
Subject: [PATCH] examples/ipsec-secgw: fix usage of incorrect port

[ upstream commit 3de3a0418c35deb9a0dd657701b6a22fb6dcb4db ]

When security offload is enabled, the packet should be forwarded on the
port configured in the SA. Security session will be configured on that
port only, and sending the packet on other ports could result in
unencrypted packets being sent out.

This would have performance improvements too, as the per packet LPM
lookup would be avoided for IPsec packets, in inline mode.

Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")

Signed-off-by: Anoob Joseph
Acked-by: Akhil Goyal
Acked-by: Radu Nicolau
---
 doc/guides/sample_app_ug/ipsec_secgw.rst |  10 ++-
 examples/ipsec-secgw/ipsec-secgw.c       | 101 ++++++++++++++++++++++++++-----
 2 files changed, 96 insertions(+), 15 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index d6cfdbf..ae18acd 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -61,6 +61,12 @@ In case of complete protocol offload, the processing of headers(ESP and outer IP header) is done by the hardware and the application does not need to add/remove them during outbound/inbound processing. +For inline offloaded outbound traffic, the application will not do the LPM +lookup for routing, as the port on which the packet has to be forwarded will be +part of the SA. Security parameters will be configured on that port only, and +sending the packet on other ports could result in unencrypted packets being +sent out. + The Path for IPsec Inbound traffic is: * Read packets from the port. @@ -543,7 +549,9 @@ where each options means: ```` * Port/device ID of the ethernet/crypto accelerator for which the SA is - configured. This option is used when *type* is NOT *no-offload* + configured. For *inline-crypto-offload* and *inline-protocol-offload*, this + port will be used for routing. The routing table will not be referred in + this case. * Optional: No, if *type* is not *no-offload* diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index c98454a..2a406ab 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c 
@@ -585,31 +585,81 @@ process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx, traffic->ip6.num = nb_pkts_out; } +static inline int32_t +get_hop_for_offload_pkt(struct rte_mbuf *pkt, int is_ipv6) +{ + struct ipsec_mbuf_metadata *priv; + struct ipsec_sa *sa; + + priv = get_priv(pkt); + + sa = priv->sa; + if (unlikely(sa == NULL)) { + RTE_LOG(ERR, IPSEC, "SA not saved in private data\n"); + goto fail; + } + + if (is_ipv6) + return sa->portid; + + /* else */ + return (sa->portid | RTE_LPM_LOOKUP_SUCCESS); + +fail: + if (is_ipv6) + return -1; + + /* else */ + return 0; +} + static inline void route4_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) { uint32_t hop[MAX_PKT_BURST * 2]; uint32_t dst_ip[MAX_PKT_BURST * 2]; + int32_t pkt_hop = 0; uint16_t i, offset; + uint16_t lpm_pkts = 0; if (nb_pkts == 0) return; + /* Need to do an LPM lookup for non-inline packets. Inline packets will + * have port ID in the SA + */ + for (i = 0; i < nb_pkts; i++) { - offset = offsetof(struct ip, ip_dst); - dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i], - uint32_t *, offset); - dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]); + if (!(pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD)) { + /* Security offload not enabled. 
So an LPM lookup is + * required to get the hop + */ + offset = offsetof(struct ip, ip_dst); + dst_ip[lpm_pkts] = *rte_pktmbuf_mtod_offset(pkts[i], + uint32_t *, offset); + dst_ip[lpm_pkts] = rte_be_to_cpu_32(dst_ip[lpm_pkts]); + lpm_pkts++; + } } - rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts); + rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, lpm_pkts); + + lpm_pkts = 0; for (i = 0; i < nb_pkts; i++) { - if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) { + if (pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD) { + /* Read hop from the SA */ + pkt_hop = get_hop_for_offload_pkt(pkts[i], 0); + } else { + /* Need to use hop returned by lookup */ + pkt_hop = hop[lpm_pkts++]; + } + + if ((pkt_hop & RTE_LPM_LOOKUP_SUCCESS) == 0) { rte_pktmbuf_free(pkts[i]); continue; } - send_single_packet(pkts[i], hop[i] & 0xff); + send_single_packet(pkts[i], pkt_hop & 0xff); } } 
@@ -619,26 +669,49 @@ route6_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) int32_t hop[MAX_PKT_BURST * 2]; uint8_t dst_ip[MAX_PKT_BURST * 2][16]; uint8_t *ip6_dst; + int32_t pkt_hop = 0; uint16_t i, offset; + uint16_t lpm_pkts = 0; if (nb_pkts == 0) return; + /* Need to do an LPM lookup for non-inline packets. Inline packets will + * have port ID in the SA + */ + for (i = 0; i < nb_pkts; i++) { - offset = offsetof(struct ip6_hdr, ip6_dst); - ip6_dst = rte_pktmbuf_mtod_offset(pkts[i], uint8_t *, offset); - memcpy(&dst_ip[i][0], ip6_dst, 16); + if (!(pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD)) { + /* Security offload not enabled. So an LPM lookup is + * required to get the hop + */ + offset = offsetof(struct ip6_hdr, ip6_dst); + ip6_dst = rte_pktmbuf_mtod_offset(pkts[i], uint8_t *, + offset); + memcpy(&dst_ip[lpm_pkts][0], ip6_dst, 16); + lpm_pkts++; + } } - rte_lpm6_lookup_bulk_func((struct rte_lpm6 *)rt_ctx, dst_ip, - hop, nb_pkts); + rte_lpm6_lookup_bulk_func((struct rte_lpm6 *)rt_ctx, dst_ip, hop, + lpm_pkts); + + lpm_pkts = 0; for (i = 0; i < nb_pkts; i++) { - if (hop[i] == -1) { + if (pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD) { + /* Read hop from the SA */ + pkt_hop = get_hop_for_offload_pkt(pkts[i], 1); + } else { + /* Need to use hop returned by lookup */ + pkt_hop = hop[lpm_pkts++]; + } + + if (pkt_hop == -1) { rte_pktmbuf_free(pkts[i]); continue; } - send_single_packet(pkts[i], hop[i] & 0xff); + send_single_packet(pkts[i], pkt_hop & 0xff); } } -- 2.7.4
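Review bot: in the second documentation hunk (@@ -543 of ipsec_secgw.rst), "The routing table will not be referred in this case" reads awkwardly; "consulted" is the usual verb, e.g. "For *inline-crypto-offload* and *inline-protocol-offload*, this port is used for forwarding and the routing table is not consulted." The unchanged "Optional: No, if *type* is not *no-offload*" line already makes the option mandatory for those types, so no further wording is needed there.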
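Review bot: in the @@ -585 hunk, `get_hop_for_offload_pkt()` emits `RTE_LOG(ERR, IPSEC, "SA not saved in private data\n")` for every affected packet on the forwarding path, so a burst of `PKT_TX_SEC_OFFLOAD`-flagged mbufs with no SA in their private data would flood the log; counting the drops in a statistic and logging once, or using a debug level, would be safer for a data-path function. Two smaller points in the same hunk: `rte_lpm_lookup_bulk()` is still issued when `lpm_pkts` is 0 (an all-inline burst), so an `if (lpm_pkts)` guard would make the "no LPM lookup for inline packets" claim in the commit message literally true; and `send_single_packet(pkts[i], pkt_hop & 0xff)` keeps the pre-existing 8-bit mask, so if `sa->portid` can ever exceed 255 the packet would be transmitted on a port other than the SA's, which is exactly the failure this patch is meant to prevent. Worth confirming the width of `sa->portid` against that mask.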
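Review bot: the @@ -619 hunk duplicates the partition-and-merge logic of `route4_pkts()` almost line for line (the first loop collecting non-offload destinations into `dst_ip[lpm_pkts]`, the `lpm_pkts = 0` reset, and the second loop choosing between `get_hop_for_offload_pkt()` and `hop[lpm_pkts++]`), and it has the same unconditional `rte_lpm6_lookup_bulk_func()` call when `lpm_pkts` is 0. Factoring the offload check and the `lpm_pkts` index bookkeeping into a shared helper, or at least adding the same `if (lpm_pkts)` guard in both routines, would keep the IPv4 and IPv6 paths from drifting apart in later fixes.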