From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id D0573A00E6 for ; Tue, 11 Jun 2019 17:29:29 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 046C81C438; Tue, 11 Jun 2019 17:29:28 +0200 (CEST) Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by dpdk.org (Postfix) with ESMTP id 650DD1C434; Tue, 11 Jun 2019 17:29:25 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Jun 2019 08:29:24 -0700 X-ExtLoop1: 1 Received: from irsmsx102.ger.corp.intel.com ([163.33.3.155]) by fmsmga005.fm.intel.com with ESMTP; 11 Jun 2019 08:29:22 -0700 Received: from irsmsx112.ger.corp.intel.com (10.108.20.5) by IRSMSX102.ger.corp.intel.com (163.33.3.155) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 11 Jun 2019 16:29:22 +0100 Received: from irsmsx104.ger.corp.intel.com ([169.254.5.227]) by irsmsx112.ger.corp.intel.com ([169.254.1.21]) with mapi id 14.03.0415.000; Tue, 11 Jun 2019 16:29:22 +0100 From: "Ananyev, Konstantin" To: "Iremonger, Bernard" , "dev@dpdk.org" , "akhil.goyal@nxp.com" CC: "stable@dpdk.org" Thread-Topic: [PATCH v5 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Thread-Index: AQHVHFjEaxB4uLaPQUCCjP5rnVZxqaaWmFZA Date: Tue, 11 Jun 2019 15:29:21 +0000 Message-ID: <2601191342CEEE43887BDE71AB97725801688E3672@IRSMSX104.ger.corp.intel.com> References: <1555508563-2752-1-git-send-email-bernard.iremonger@intel.com> <1559819547-20742-2-git-send-email-bernard.iremonger@intel.com> In-Reply-To: <1559819547-20742-2-git-send-email-bernard.iremonger@intel.com> Accept-Language: en-IE, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiZjE2MTZmY2ItZDBlMC00OWM4LTgwNDMtNjdjNzA0YTFhNTc1IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiRjRHNDlPR2NSN0xZWlZzOWxKTkV6d2lNQzdYdnl1MDBoWmN0NWQrSVNcL3NXa0V0bGphU3dYTnl1bnRCVjR3NEIifQ== x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [163.33.239.180] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-dev] [PATCH v5 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Bernard, Few small comments below. Konstantin > Inline crypto installs a flow rule in the NIC. This flow > rule must be installed before the first inbound packet is > received. >=20 > The create_session() function installs the flow rule, > create_session() has been refactored into create_inline_session() > and create_lookaside_session(). The create_inline_session() function > uses the socket_ctx data and is now called at initialisation in > sa_add_rules(). >=20 > The max_session_size() function has been added to calculate memory > requirements. >=20 > The cryprodev_init() function has been refactored to drop calls to > rte_mempool_create() and to drop calculation of memory requirements. >=20 > The main() function has been refactored to call max_session_size() and > to call session_pool_init() and session_priv_pool_init() earlier. > The ports are started now before adding a flow rule in main(). > The sa_init(), sp4_init(), sp6_init() and rt_init() functions are > now called after the ports have been started. >=20 > The rte_ipsec_session_prepare() function is called in fill_ipsec_session(= ) > for inline which is called from the ipsec_sa_init() function. >=20 > Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") > Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application"= ) > Cc: stable@dpdk.org >=20 > Signed-off-by: Bernard Iremonger > --- > examples/ipsec-secgw/ipsec-secgw.c | 244 +++++++++++++++++------------= ------ > examples/ipsec-secgw/ipsec.c | 122 ++++++++++++------ > examples/ipsec-secgw/ipsec.h | 5 +- > examples/ipsec-secgw/ipsec_process.c | 9 +- > examples/ipsec-secgw/sa.c | 46 +++++-- > 5 files changed, 245 insertions(+), 181 deletions(-) >=20 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ip= sec-secgw.c > index 6c626fa..24876ba 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -1628,7 +1628,7 @@ cryptodevs_init(void) > struct rte_cryptodev_config dev_conf; > struct rte_cryptodev_qp_conf qp_conf; > uint16_t idx, max_nb_qps, qp, i; > - int16_t cdev_id, port_id; > + int16_t cdev_id; > struct rte_hash_parameters params =3D { 0 }; >=20 > params.entries =3D CDEV_MAP_ENTRIES; > @@ -1651,45 +1651,6 @@ cryptodevs_init(void) >=20 > printf("lcore/cryptodev/qp mappings:\n"); >=20 > - uint32_t max_sess_sz =3D 0, sess_sz; > - for (cdev_id =3D 0; cdev_id < rte_cryptodev_count(); cdev_id++) { > - void *sec_ctx; > - > - /* Get crypto priv session size */ > - sess_sz =3D rte_cryptodev_sym_get_private_session_size(cdev_id); > - if (sess_sz > max_sess_sz) > - max_sess_sz =3D sess_sz; > - > - /* > - * If crypto device is security capable, need to check the > - * size of security session as well. > - */ > - > - /* Get security context of the crypto device */ > - sec_ctx =3D rte_cryptodev_get_sec_ctx(cdev_id); > - if (sec_ctx =3D=3D NULL) > - continue; > - > - /* Get size of security session */ > - sess_sz =3D rte_security_session_get_size(sec_ctx); > - if (sess_sz > max_sess_sz) > - max_sess_sz =3D sess_sz; > - } > - RTE_ETH_FOREACH_DEV(port_id) { > - void *sec_ctx; > - > - if ((enabled_port_mask & (1 << port_id)) =3D=3D 0) > - continue; > - > - sec_ctx =3D rte_eth_dev_get_sec_ctx(port_id); > - if (sec_ctx =3D=3D NULL) > - continue; > - > - sess_sz =3D rte_security_session_get_size(sec_ctx); > - if (sess_sz > max_sess_sz) > - max_sess_sz =3D sess_sz; > - } > - > idx =3D 0; > for (cdev_id =3D 0; cdev_id < rte_cryptodev_count(); cdev_id++) { > struct rte_cryptodev_info cdev_info; > @@ -1727,45 +1688,6 @@ cryptodevs_init(void) > "Device does not support at least %u " > "sessions", CDEV_MP_NB_OBJS); >=20 > - if (!socket_ctx[dev_conf.socket_id].session_pool) { > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > - struct rte_mempool *sess_mp; > - > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > - "sess_mp_%u", dev_conf.socket_id); > - sess_mp =3D rte_cryptodev_sym_session_pool_create( > - mp_name, CDEV_MP_NB_OBJS, > - 0, CDEV_MP_CACHE_SZ, 0, > - dev_conf.socket_id); > - socket_ctx[dev_conf.socket_id].session_pool =3D sess_mp; > - } > - > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool) { > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > - struct rte_mempool *sess_mp; > - > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > - "sess_mp_priv_%u", dev_conf.socket_id); > - sess_mp =3D rte_mempool_create(mp_name, > - CDEV_MP_NB_OBJS, > - max_sess_sz, > - CDEV_MP_CACHE_SZ, > - 0, NULL, NULL, NULL, > - NULL, dev_conf.socket_id, > - 0); > - socket_ctx[dev_conf.socket_id].session_priv_pool =3D > - sess_mp; > - } > - > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool || > - !socket_ctx[dev_conf.socket_id].session_pool) > - rte_exit(EXIT_FAILURE, > - "Cannot create session pool on socket %d\n", > - dev_conf.socket_id); > - else > - printf("Allocated session pool on socket %d\n", > - dev_conf.socket_id); > - > if (rte_cryptodev_configure(cdev_id, &dev_conf)) > rte_panic("Failed to initialize cryptodev %u\n", > cdev_id); > @@ -1786,39 +1708,6 @@ cryptodevs_init(void) > cdev_id); > } >=20 > - /* create session pools for eth devices that implement security */ > - RTE_ETH_FOREACH_DEV(port_id) { > - if ((enabled_port_mask & (1 << port_id)) && > - rte_eth_dev_get_sec_ctx(port_id)) { > - int socket_id =3D rte_eth_dev_socket_id(port_id); > - > - if (!socket_ctx[socket_id].session_priv_pool) { > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > - struct rte_mempool *sess_mp; > - > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > - "sess_mp_%u", socket_id); > - sess_mp =3D rte_mempool_create(mp_name, > - (CDEV_MP_NB_OBJS * 2), > - max_sess_sz, > - CDEV_MP_CACHE_SZ, > - 0, NULL, NULL, NULL, > - NULL, socket_id, > - 0); > - if (sess_mp =3D=3D NULL) > - rte_exit(EXIT_FAILURE, > - "Cannot create session pool " > - "on socket %d\n", socket_id); > - else > - printf("Allocated session pool " > - "on socket %d\n", socket_id); > - socket_ctx[socket_id].session_priv_pool =3D > - sess_mp; > - } > - } > - } > - > - > printf("\n"); >=20 > return 0; > @@ -1984,6 +1873,99 @@ port_init(uint16_t portid, uint64_t req_rx_offload= s, uint64_t req_tx_offloads) > printf("\n"); > } >=20 > +static size_t > +max_session_size(void) > +{ > + size_t max_sz, sz; > + void *sec_ctx; > + int16_t cdev_id, port_id, n; > + > + max_sz =3D 0; > + n =3D rte_cryptodev_count(); > + for (cdev_id =3D 0; cdev_id !=3D n; cdev_id++) { > + sz =3D rte_cryptodev_sym_get_private_session_size(cdev_id); > + if (sz > max_sz) > + max_sz =3D sz; > + /* > + * If crypto device is security capable, need to check the > + * size of security session as well. > + */ > + > + /* Get security context of the crypto device */ > + sec_ctx =3D rte_cryptodev_get_sec_ctx(cdev_id); > + if (sec_ctx =3D=3D NULL) > + continue; > + > + /* Get size of security session */ > + sz =3D rte_security_session_get_size(sec_ctx); > + if (sz > max_sz) > + max_sz =3D sz; > + } > + > + RTE_ETH_FOREACH_DEV(port_id) { > + if ((enabled_port_mask & (1 << port_id)) =3D=3D 0) > + continue; > + > + sec_ctx =3D rte_eth_dev_get_sec_ctx(port_id); > + if (sec_ctx =3D=3D NULL) > + continue; > + > + sz =3D rte_security_session_get_size(sec_ctx); > + if (sz > max_sz) > + max_sz =3D sz; > + } > + > + return max_sz; > +} > + > +static void > +session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess= _sz) > +{ > + char mp_name[RTE_MEMPOOL_NAMESIZE]; > + struct rte_mempool *sess_mp; > + > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > + "sess_mp_%u", socket_id); > + sess_mp =3D rte_cryptodev_sym_session_pool_create( > + mp_name, CDEV_MP_NB_OBJS, > + sess_sz, CDEV_MP_CACHE_SZ, 0, > + socket_id); > + ctx->session_pool =3D sess_mp; > + > + if (ctx->session_pool =3D=3D NULL) > + rte_exit(EXIT_FAILURE, > + "Cannot init session pool on socket %d\n", socket_id); > + else > + printf("Allocated session pool on socket %d\n", socket_id); > +} > + > +static void > +session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id, > + size_t sess_sz) > +{ > + char mp_name[RTE_MEMPOOL_NAMESIZE]; > + struct rte_mempool *sess_mp; > + > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > + "sess_mp_priv_%u", socket_id); > + sess_mp =3D rte_mempool_create(mp_name, > + CDEV_MP_NB_OBJS, > + sess_sz, > + CDEV_MP_CACHE_SZ, > + 0, NULL, NULL, NULL, > + NULL, socket_id, > + 0); > + ctx->session_priv_pool =3D sess_mp; > + > + if (ctx->session_priv_pool =3D=3D NULL) > + rte_exit(EXIT_FAILURE, > + "Cannot init session priv pool on socket %d\n", > + socket_id); > + else > + printf("Allocated session priv pool on socket %d\n", > + socket_id); > +} > + > static void > pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf) > { > @@ -2064,9 +2046,11 @@ main(int32_t argc, char **argv) > { > int32_t ret; > uint32_t lcore_id; > + uint32_t i; > uint8_t socket_id; > uint16_t portid; > uint64_t req_rx_offloads, req_tx_offloads; > + size_t sess_sz; >=20 > /* init EAL */ > ret =3D rte_eal_init(argc, argv); > @@ -2094,7 +2078,8 @@ main(int32_t argc, char **argv) >=20 > nb_lcores =3D rte_lcore_count(); >=20 > - /* Replicate each context per socket */ > + sess_sz =3D max_session_size(); > + > for (lcore_id =3D 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > if (rte_lcore_is_enabled(lcore_id) =3D=3D 0) > continue; > @@ -2104,20 +2089,14 @@ main(int32_t argc, char **argv) > else > socket_id =3D 0; >=20 > + /* mbuf_pool is initialised by the pool_init() function*/ > if (socket_ctx[socket_id].mbuf_pool) > continue; >=20 > - /* initilaze SPD */ > - sp4_init(&socket_ctx[socket_id], socket_id); > - > - sp6_init(&socket_ctx[socket_id], socket_id); > - > - /* initilaze SAD */ > - sa_init(&socket_ctx[socket_id], socket_id); > - > - rt_init(&socket_ctx[socket_id], socket_id); > - > pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); > + session_pool_init(&socket_ctx[socket_id], socket_id, sess_sz); > + session_priv_pool_init(&socket_ctx[socket_id], socket_id, > + sess_sz); > } >=20 > RTE_ETH_FOREACH_DEV(portid) { > @@ -2135,7 +2114,11 @@ main(int32_t argc, char **argv) > if ((enabled_port_mask & (1 << portid)) =3D=3D 0) > continue; >=20 > - /* Start device */ > + /* > + * Start device > + * note: device must be started before a flow rule > + * can be installed. > + */ > ret =3D rte_eth_dev_start(portid); > if (ret < 0) > rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " > @@ -2153,6 +2136,19 @@ main(int32_t argc, char **argv) > RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, NULL); > } >=20 > + /* Replicate each context per socket */ > + for (i =3D 0; i < NB_SOCKETS && i < rte_socket_count(); i++) { > + socket_id =3D rte_socket_id_by_idx(i); > + if ((socket_ctx[socket_id].mbuf_pool !=3D NULL) && > + (socket_ctx[socket_id].sa_in =3D=3D NULL) && > + (socket_ctx[socket_id].sa_out =3D=3D NULL)) { > + sa_init(&socket_ctx[socket_id], socket_id); > + sp4_init(&socket_ctx[socket_id], socket_id); > + sp6_init(&socket_ctx[socket_id], socket_id); > + rt_init(&socket_ctx[socket_id], socket_id); > + } > + } > + > check_all_ports_link_status(enabled_port_mask); >=20 > /* launch per-lcore init on every lcore */ > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index 7b85330..40a6123 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -40,7 +40,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security= _ipsec_xform *ipsec) > } >=20 > int > -create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) > +create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *s= a) > { > struct rte_cryptodev_info cdev_info; > unsigned long cdev_id_qp =3D 0; Actually looking at it a bit closer: if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_NONE) { I think we need to remove that line above, otherwise cdev_id_qp Would not be initialized for LOOKASIDE_PROTO. BTW, as I can see, same problem exists in current code. ret =3D rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, (void **)&cdev_id_qp); if (ret < 0) { RTE_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, " "auth_algo %u, aead_algo %u\n", key.lcore_id, key.cipher_algo, key.auth_algo, key.aead_algo); return -1; } } > @@ -108,23 +108,81 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct = ipsec_sa *sa) > "SEC Session init failed: err: %d\n", ret); > return -1; > } > - } else if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > + } else if ( > + (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) || > + (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) > + ) { > + RTE_LOG(ERR, IPSEC, "Inline not supported\n"); > + return -1; > + } > + } else { > + sa->crypto_session =3D rte_cryptodev_sym_session_create( > + ipsec_ctx->session_pool); > + rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id, > + sa->crypto_session, sa->xforms, > + ipsec_ctx->session_priv_pool); > + > + rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, > + &cdev_info); > + } > + > + sa->cdev_id_qp =3D cdev_id_qp; > + > + return 0; > +} > + > +int > +create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) > +{ > + unsigned long cdev_id_qp =3D 0; This var is not really used in this function. > + int32_t ret =3D 0; > + struct rte_security_ctx *sec_ctx; > + > + RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n", > + sa->spi, sa->portid); > + > + if (sa->type !=3D RTE_SECURITY_ACTION_TYPE_NONE) { I think this always be true here and could be removed. > + struct rte_security_session_conf sess_conf =3D { > + .action_type =3D sa->type, > + .protocol =3D RTE_SECURITY_PROTOCOL_IPSEC, > + {.ipsec =3D { > + .spi =3D sa->spi, > + .salt =3D sa->salt, > + .options =3D { 0 }, > + .direction =3D sa->direction, > + .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > + .mode =3D (sa->flags =3D=3D IP4_TUNNEL || > + sa->flags =3D=3D IP6_TUNNEL) ? > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL : > + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, > + } }, > + .crypto_xform =3D sa->xforms, > + .userdata =3D NULL, > + }; > + > + if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > struct rte_flow_error err; > - struct rte_security_ctx *ctx =3D (struct rte_security_ctx *) > - rte_eth_dev_get_sec_ctx( > - sa->portid); > const struct rte_security_capability *sec_cap; > int ret =3D 0; >=20 > - sa->sec_session =3D rte_security_session_create(ctx, > - &sess_conf, ipsec_ctx->session_priv_pool); > + sec_ctx =3D (struct rte_security_ctx *) > + rte_eth_dev_get_sec_ctx( > + sa->portid); > + if (sec_ctx =3D=3D NULL) { > + RTE_LOG(ERR, IPSEC, > + " rte_eth_dev_get_sec_ctx failed\n"); > + return -1; > + } > + > + sa->sec_session =3D rte_security_session_create(sec_ctx, > + &sess_conf, skt_ctx->session_pool); > if (sa->sec_session =3D=3D NULL) { > RTE_LOG(ERR, IPSEC, > "SEC Session init failed: err: %d\n", ret); > return -1; > } >=20 > - sec_cap =3D rte_security_capabilities_get(ctx); > + sec_cap =3D rte_security_capabilities_get(sec_ctx); >=20 > /* iterate until ESP tunnel*/ > while (sec_cap->action !=3D > @@ -147,7 +205,7 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ip= sec_sa *sa) > } >=20 > sa->ol_flags =3D sec_cap->ol_flags; > - sa->security_ctx =3D ctx; > + sa->security_ctx =3D sec_ctx; > sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; >=20 > sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > @@ -196,7 +254,7 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ip= sec_sa *sa) > /* Try RSS. */ > sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_RSS; > sa->action[1].conf =3D &action_rss; > - eth_dev =3D ctx->device; > + eth_dev =3D sec_ctx->device; > rte_eth_dev_rss_hash_conf_get(sa->portid, > &rss_conf); > for (i =3D 0, j =3D 0; > @@ -252,12 +310,12 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct = ipsec_sa *sa) > } > } else if (sa->type =3D=3D > RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { > - struct rte_security_ctx *ctx =3D > - (struct rte_security_ctx *) > - rte_eth_dev_get_sec_ctx(sa->portid); > const struct rte_security_capability *sec_cap; >=20 > - if (ctx =3D=3D NULL) { > + sec_ctx =3D (struct rte_security_ctx *) > + rte_eth_dev_get_sec_ctx(sa->portid); > + > + if (sec_ctx =3D=3D NULL) { > RTE_LOG(ERR, IPSEC, > "Ethernet device doesn't have security features registered\n"); > return -1; > @@ -279,15 +337,15 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct = ipsec_sa *sa) >=20 > sess_conf.userdata =3D (void *) sa; >=20 > - sa->sec_session =3D rte_security_session_create(ctx, > - &sess_conf, ipsec_ctx->session_pool); > + sa->sec_session =3D rte_security_session_create(sec_ctx, > + &sess_conf, skt_ctx->session_pool); > if (sa->sec_session =3D=3D NULL) { > RTE_LOG(ERR, IPSEC, > "SEC Session init failed: err: %d\n", ret); > return -1; > } >=20 > - sec_cap =3D rte_security_capabilities_get(ctx); > + sec_cap =3D rte_security_capabilities_get(sec_ctx); >=20 > if (sec_cap =3D=3D NULL) { > RTE_LOG(ERR, IPSEC, > @@ -316,17 +374,8 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct i= psec_sa *sa) > } >=20 > sa->ol_flags =3D sec_cap->ol_flags; > - sa->security_ctx =3D ctx; > + sa->security_ctx =3D sec_ctx; > } > - } else { > - sa->crypto_session =3D rte_cryptodev_sym_session_create( > - ipsec_ctx->session_pool); > - rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id, > - sa->crypto_session, sa->xforms, > - ipsec_ctx->session_priv_pool); > - > - rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, > - &cdev_info); > } > sa->cdev_id_qp =3D cdev_id_qp; >=20 > @@ -395,7 +444,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec= _ctx *ipsec_ctx, > rte_prefetch0(&priv->sym_cop); >=20 > if ((unlikely(sa->sec_session =3D=3D NULL)) && > - create_session(ipsec_ctx, sa)) { > + create_lookaside_session(ipsec_ctx, sa)) { > rte_pktmbuf_free(pkts[i]); > continue; > } > @@ -414,7 +463,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec= _ctx *ipsec_ctx, > rte_prefetch0(&priv->sym_cop); >=20 > if ((unlikely(sa->crypto_session =3D=3D NULL)) && > - create_session(ipsec_ctx, sa)) { > + create_lookaside_session(ipsec_ctx, sa)) { > rte_pktmbuf_free(pkts[i]); > continue; > } > @@ -429,12 +478,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipse= c_ctx *ipsec_ctx, > } > break; > case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: > - if ((unlikely(sa->sec_session =3D=3D NULL)) && > - create_session(ipsec_ctx, sa)) { > - rte_pktmbuf_free(pkts[i]); > - continue; > - } > - > + RTE_ASSERT(sa->sec_session !=3D NULL); > ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] =3D pkts[i]; > if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) > rte_security_set_pkt_metadata( > @@ -442,17 +486,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ips= ec_ctx *ipsec_ctx, > sa->sec_session, pkts[i], NULL); > continue; > case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: > + RTE_ASSERT(sa->sec_session !=3D NULL); > priv->cop.type =3D RTE_CRYPTO_OP_TYPE_SYMMETRIC; > priv->cop.status =3D RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; >=20 > rte_prefetch0(&priv->sym_cop); > - > - if ((unlikely(sa->sec_session =3D=3D NULL)) && > - create_session(ipsec_ctx, sa)) { > - rte_pktmbuf_free(pkts[i]); > - continue; > - } > - > rte_security_attach_session(&priv->cop, > sa->sec_session); >=20 > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > index e9272d7..41bac0b 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -312,6 +312,9 @@ void > enqueue_cop_burst(struct cdev_qp *cqp); >=20 > int > -create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa); > +create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *s= a); > + > +int > +create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa); >=20 > #endif /* __IPSEC_H__ */ > diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/= ipsec_process.c > index 3f9cacb..868f1a2 100644 > --- a/examples/ipsec-secgw/ipsec_process.c > +++ b/examples/ipsec-secgw/ipsec_process.c > @@ -95,22 +95,23 @@ fill_ipsec_session(struct rte_ipsec_session *ss, stru= ct ipsec_ctx *ctx, > /* setup crypto section */ > if (ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_NONE) { > if (sa->crypto_session =3D=3D NULL) { > - rc =3D create_session(ctx, sa); > + rc =3D create_lookaside_session(ctx, sa); > if (rc !=3D 0) > return rc; > } > ss->crypto.ses =3D sa->crypto_session; > /* setup session action type */ > - } else { > + } else if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)= { > if (sa->sec_session =3D=3D NULL) { > - rc =3D create_session(ctx, sa); > + rc =3D create_lookaside_session(ctx, sa); > if (rc !=3D 0) > return rc; > } > ss->security.ses =3D sa->sec_session; > ss->security.ctx =3D sa->security_ctx; > ss->security.ol_flags =3D sa->ol_flags; > - } > + } else > + RTE_ASSERT(0); >=20 > rc =3D rte_ipsec_session_prepare(ss); > if (rc !=3D 0) > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index 8d47d1d..e8e55bf 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -777,11 +777,13 @@ check_eth_dev_caps(uint16_t portid, uint32_t inboun= d) >=20 > static int > sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries, uint32_t inbound) > + uint32_t nb_entries, uint32_t inbound, > + struct socket_ctx *skt_ctx) > { > struct ipsec_sa *sa; > uint32_t i, idx; > uint16_t iv_length, aad_length; > + int32_t rc; >=20 > /* for ESN upper 32 bits of SQN also need to be part of AAD */ > aad_length =3D (app_sa_prm.enable_esn !=3D 0) ? sizeof(uint32_t) : 0; > @@ -834,6 +836,17 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ips= ec_sa entries[], >=20 > sa->xforms =3D &sa_ctx->xf[idx].a; >=20 > + if (sa->type =3D=3D > + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || > + sa->type =3D=3D > + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > + rc =3D create_inline_session(skt_ctx, sa); > + if (rc !=3D 0) { > + RTE_LOG(ERR, IPSEC_ESP, > + "create_inline_session() failed\n"); > + return -EINVAL; > + } > + } > print_one_sa_rule(sa, inbound); > } else { > switch (sa->cipher_algo) { > @@ -909,16 +922,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ip= sec_sa entries[], >=20 > static inline int > sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries) > + uint32_t nb_entries, struct socket_ctx *skt_ctx) > { > - return sa_add_rules(sa_ctx, entries, nb_entries, 0); > + return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx); > } >=20 > static inline int > sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries) > + uint32_t nb_entries, struct socket_ctx *skt_ctx) > { > - return sa_add_rules(sa_ctx, entries, nb_entries, 1); > + return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx); > } >=20 > /* > @@ -1012,10 +1025,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, c= onst struct ipsec_sa *ss, > return 0; > } >=20 > -static void > +static int > fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa= , > const struct ipsec_sa *lsa) > { > + int32_t rc =3D 0; > + > ss->sa =3D sa; > ss->type =3D lsa->type; >=20 > @@ -1028,6 +1043,17 @@ fill_ipsec_session(struct rte_ipsec_session *ss, s= truct rte_ipsec_sa *sa, > ss->security.ctx =3D lsa->security_ctx; > ss->security.ol_flags =3D lsa->ol_flags; > } > + > + if (ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || > + ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { > + if (ss->security.ses !=3D NULL) { > + rc =3D rte_ipsec_session_prepare(ss); > + if (rc !=3D 0) > + memset(ss, 0, sizeof(*ss)); > + } > + } > + > + return rc; > } >=20 > /* > @@ -1062,8 +1088,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipse= c_sa *sa, uint32_t sa_size) > if (rc < 0) > return rc; >=20 > - fill_ipsec_session(&lsa->ips, sa, lsa); > - return 0; > + rc =3D fill_ipsec_session(&lsa->ips, sa, lsa); > + return rc; > } >=20 > /* > @@ -1166,7 +1192,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) > "context %s in socket %d\n", rte_errno, > name, socket_id); >=20 > - sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in); > + sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx); >=20 > if (app_sa_prm.enable !=3D 0) { > rc =3D ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in, > @@ -1186,7 +1212,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) > "context %s in socket %d\n", rte_errno, > name, socket_id); >=20 > - sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out); > + sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx); >=20 > if (app_sa_prm.enable !=3D 0) { > rc =3D ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out, > -- > 2.7.4