From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <konstantin.ananyev@intel.com>
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
by dpdk.org (Postfix) with ESMTP id E55972B87;
Wed, 6 Mar 2019 20:40:07 +0100 (CET)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga006.jf.intel.com ([10.7.209.51])
by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
06 Mar 2019 11:40:02 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.58,448,1544515200"; d="scan'208";a="121563999"
Received: from irsmsx103.ger.corp.intel.com ([163.33.3.157])
by orsmga006.jf.intel.com with ESMTP; 06 Mar 2019 11:40:00 -0800
Received: from irsmsx105.ger.corp.intel.com ([169.254.7.72]) by
IRSMSX103.ger.corp.intel.com ([169.254.3.199]) with mapi id 14.03.0415.000;
Wed, 6 Mar 2019 19:39:59 +0000
From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: "Iremonger, Bernard" <bernard.iremonger@intel.com>, "dev@dpdk.org"
<dev@dpdk.org>, "akhil.goyal@nxp.com" <akhil.goyal@nxp.com>
CC: "stable@dpdk.org" <stable@dpdk.org>
Thread-Topic: [PATCH 2/6] examples/ipsec-secgw: fix 1st packet dropped patch
two
Thread-Index: AQHU1DXUMjRbd1kHhka2ffPZAFFVHKX+/yNg
Date: Wed, 6 Mar 2019 19:39:58 +0000
Message-ID: <2601191342CEEE43887BDE71AB9772580124140E49@irsmsx105.ger.corp.intel.com>
References: <1551888011-27692-1-git-send-email-bernard.iremonger@intel.com>
<1551888011-27692-3-git-send-email-bernard.iremonger@intel.com>
In-Reply-To: <1551888011-27692-3-git-send-email-bernard.iremonger@intel.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNzdjOTRjOTctZDEzNC00ZTM3LWI4NjItYmIxNjg2NDQ1YjFjIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoia2JzSndZa2phTFpUVWFtS3MrXC90VXg2T1NDdGJTNE5mVjhxNnUyY1NKVDgrK0pGcFNhY1BEWUd4MmNQQ1d5dmIifQ==
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.400.15
dlp-reaction: no-action
x-originating-ip: [163.33.239.180]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [dpdk-dev] [PATCH 2/6] examples/ipsec-secgw: fix 1st packet
dropped patch two
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
<mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
<mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 19:40:08 -0000
Hi Bernard,
>=20
> Call create_inline_session() at initialisition in sa.c
> Call rte_ipsec_session_prepare() in fill_ipsec_session() for inline.
Here and in other places - it probably worth to explain what is the purpose
for these changes.=20
As a side notice, as these series fixes that problem, it probably worse to =
add a patch
into series that removes the following:
# to overcome problem with ipsec-secgw for inline mode,
# when first packet(s) will be always dropped.
# note that ping will fail here
ssh ${REMOTE_HOST} ping -c 1 ${LOCAL_IPV4}
from examples/ipsec-secgw/test/(tun|trs)_aesgcm_defs.sh
Konstantin
>=20
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Cc: stable@dpdk.org
> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
> ---
> examples/ipsec-secgw/sa.c | 46 ++++++++++++++++++++++++++++++++++++-----=
-----
> 1 file changed, 36 insertions(+), 10 deletions(-)
>=20
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index 414fcd2..7fb1929 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -762,11 +762,13 @@ check_eth_dev_caps(uint16_t portid, uint32_t inboun=
d)
>=20
> static int
> sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> - uint32_t nb_entries, uint32_t inbound)
> + uint32_t nb_entries, uint32_t inbound,
> + struct socket_ctx *skt_ctx)
> {
> struct ipsec_sa *sa;
> uint32_t i, idx;
> uint16_t iv_length, aad_length;
> + int32_t rc;
>=20
> /* for ESN upper 32 bits of SQN also need to be part of AAD */
> aad_length =3D (app_sa_prm.enable_esn !=3D 0) ? sizeof(uint32_t) : 0;
> @@ -819,6 +821,17 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ips=
ec_sa entries[],
>=20
> sa->xforms =3D &sa_ctx->xf[idx].a;
>=20
> + if (sa->type =3D=3D
> + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
> + sa->type =3D=3D
> + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
> + rc =3D create_inline_session(skt_ctx, sa);
> + if (rc !=3D 0) {
> + RTE_LOG(ERR, IPSEC_ESP,
> + "create_inline_session() failed\n");
> + return -EINVAL;
> + }
> + }
> print_one_sa_rule(sa, inbound);
> } else {
> switch (sa->cipher_algo) {
> @@ -894,16 +907,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ip=
sec_sa entries[],
>=20
> static inline int
> sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> - uint32_t nb_entries)
> + uint32_t nb_entries, struct socket_ctx *skt_ctx)
> {
> - return sa_add_rules(sa_ctx, entries, nb_entries, 0);
> + return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx);
> }
>=20
> static inline int
> sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> - uint32_t nb_entries)
> + uint32_t nb_entries, struct socket_ctx *skt_ctx)
> {
> - return sa_add_rules(sa_ctx, entries, nb_entries, 1);
> + return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx);
> }
>=20
> /*
> @@ -997,10 +1010,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, co=
nst struct ipsec_sa *ss,
> return 0;
> }
>=20
> -static void
> +static int
> fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa=
,
> const struct ipsec_sa *lsa)
> {
> + int32_t rc =3D 0;
> +
> ss->sa =3D sa;
> ss->type =3D lsa->type;
>=20
> @@ -1013,6 +1028,17 @@ fill_ipsec_session(struct rte_ipsec_session *ss, s=
truct rte_ipsec_sa *sa,
> ss->security.ctx =3D lsa->security_ctx;
> ss->security.ol_flags =3D lsa->ol_flags;
> }
> +
> + if (ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
> + ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
> + if (ss->security.ses !=3D NULL) {
> + rc =3D rte_ipsec_session_prepare(ss);
> + if (rc !=3D 0)
> + memset(ss, 0, sizeof(*ss));
> + }
> + }
> +
> + return rc;
> }
>=20
> /*
> @@ -1047,8 +1073,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipse=
c_sa *sa, uint32_t sa_size)
> if (rc < 0)
> return rc;
>=20
> - fill_ipsec_session(&lsa->ips, sa, lsa);
> - return 0;
> + rc =3D fill_ipsec_session(&lsa->ips, sa, lsa);
> + return rc;
> }
>=20
> /*
> @@ -1126,7 +1152,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
> "context %s in socket %d\n", rte_errno,
> name, socket_id);
>=20
> - sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in);
> + sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx);
>=20
> if (app_sa_prm.enable !=3D 0) {
> rc =3D ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in,
> @@ -1146,7 +1172,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
> "context %s in socket %d\n", rte_errno,
> name, socket_id);
>=20
> - sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out);
> + sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx);
>=20
> if (app_sa_prm.enable !=3D 0) {
> rc =3D ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out,
> --
> 2.7.4