Re: [dpdk-dev] [PATCH v5 00/10] examples/ipsec-secgw: make app to use ipsec library

Re: [dpdk-dev] [PATCH v5 00/10] examples/ipsec-secgw: make app to use ipsec library

[Ananyev, Konstantin]

Hi Akhil,

> Hi Konstantin,
> 
> I just got results on running the ipsec-secgw on NXP hardware.

Thanks for doing that.
We don't have NXP HW, so would need more help from you.

> 
> with -l option, I got a seg fault while running traffic. gdb suggest
> that pkt_func is not filled up and is NULL.
> #1  0x00000000004689bc in rte_ipsec_pkt_crypto_prepare (ss=0x17ad82d80,
> mb=0xffffffffe498, cop=0xffffffffdfc0, num=1)
>      at
> /home/akhil/netperf/dpdk_up/dpdk-next-crypto/arm64-dpaa-linuxapp-gcc/include/rte_ipsec.h:115
> (gdb)  p /x *ss
> $1 = {sa = 0x17ad7ea40, type = 0x3, {crypto = {ses = 0x165a4e900},
> security = {ses = 0x165a4e900, ctx = 0x0, ol_flags = 0x0}}, pkt_func = {
>      prepare = 0x0, process = 0x0}}
> 

I guess I understand the reason:
right now rte_ipsec_session_prepare() expects that
for all modes except RTE_SECURITY_ACTION_TYPE_NONE
security.ctx to be not NULL.
Which as I understand is not necessary for lookaside-proto.
Could you try the fix below?
If it would work as expected, I'll include these changes into v6?
Konstantin

---
 examples/ipsec-secgw/ipsec_process.c | 24 ++++++++++++++++++++----
 lib/librte_ipsec/ses.c               | 11 +++++++++--
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c
index 7ab378f6a..e403c461a 100644
--- a/examples/ipsec-secgw/ipsec_process.c
+++ b/examples/ipsec-secgw/ipsec_process.c
@@ -87,19 +87,36 @@ enqueue_cop_bulk(struct cdev_qp *cqp, struct rte_crypto_op *cop[], uint32_t num)
 }
 
 static inline int
-fill_ipsec_session(struct rte_ipsec_session *ss, const struct ipsec_sa *sa)
+fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx,
+	struct ipsec_sa *sa)
 {
+	int32_t rc;
+
 	/* setup crypto section */
 	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
+		if (sa->crypto_session == NULL) {
+			rc = create_session(ctx, sa);
+			if (rc != 0)
+				return rc;
+		}
 		ss->crypto.ses = sa->crypto_session;
 	/* setup session action type */
 	} else {
+		if (sa->sec_session == NULL) {
+			rc = create_session(ctx, sa);
+			if (rc != 0)
+				return rc;
+		}
 		ss->security.ses = sa->sec_session;
 		ss->security.ctx = sa->security_ctx;
 		ss->security.ol_flags = sa->ol_flags;
 	}
 
-	return rte_ipsec_session_prepare(ss);
+	rc = rte_ipsec_session_prepare(ss);
+	if (rc != 0)
+		memset(ss, 0, sizeof(*ss));
+
+	return rc;
 }
 
 /*
@@ -209,8 +226,7 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
 
 		/* no valid HW session for that SA, try to create one */
 		if (ips->crypto.ses == NULL &&
-				(create_session(ctx, sa) != 0 ||
-				fill_ipsec_session(ips, sa) != 0))
+				fill_ipsec_session(ips, ctx, sa) != 0)
 			k = 0;
 
 		/* process packets inline */
diff --git a/lib/librte_ipsec/ses.c b/lib/librte_ipsec/ses.c
index 562c1423e..11580970e 100644
--- a/lib/librte_ipsec/ses.c
+++ b/lib/librte_ipsec/ses.c
@@ -14,8 +14,15 @@ session_check(struct rte_ipsec_session *ss)
 	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
 		if (ss->crypto.ses == NULL)
 			return -EINVAL;
-	} else if (ss->security.ses == NULL || ss->security.ctx == NULL)
-		return -EINVAL;
+	} else {
+		if (ss->security.ses == NULL)
+			return -EINVAL;
+		if ((ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+				ss->type ==
+				RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) &&
+				ss->security.ctx == NULL)
+			return -EINVAL;
+	}
 
 	return 0;
 }
-- 
2.17.1

Re: [dpdk-dev] [PATCH v5 00/10] examples/ipsec-secgw: make app to use ipsec library

[Akhil Goyal]

On 1/2/2019 6:31 PM, Ananyev, Konstantin wrote:
> Hi Akhil,
>
>> Hi Konstantin,
>>
>> I just got results on running the ipsec-secgw on NXP hardware.
> Thanks for doing that.
> We don't have NXP HW, so would need more help from you.
>
>> with -l option, I got a seg fault while running traffic. gdb suggest
>> that pkt_func is not filled up and is NULL.
>> #1  0x00000000004689bc in rte_ipsec_pkt_crypto_prepare (ss=0x17ad82d80,
>> mb=0xffffffffe498, cop=0xffffffffdfc0, num=1)
>>       at
>> /home/akhil/netperf/dpdk_up/dpdk-next-crypto/arm64-dpaa-linuxapp-gcc/include/rte_ipsec.h:115
>> (gdb)  p /x *ss
>> $1 = {sa = 0x17ad7ea40, type = 0x3, {crypto = {ses = 0x165a4e900},
>> security = {ses = 0x165a4e900, ctx = 0x0, ol_flags = 0x0}}, pkt_func = {
>>       prepare = 0x0, process = 0x0}}
>>
> I guess I understand the reason:
> right now rte_ipsec_session_prepare() expects that
> for all modes except RTE_SECURITY_ACTION_TYPE_NONE
> security.ctx to be not NULL.
> Which as I understand is not necessary for lookaside-proto.
> Could you try the fix below?
> If it would work as expected, I'll include these changes into v6?
It did not crash this time with the below fix but the performance is 
very very poor(~95% drop) if I use -l option with lookaside mode.
I have not analyzed the issue yet. Will be doing it on Friday.
> Konstantin
>
> ---
>   examples/ipsec-secgw/ipsec_process.c | 24 ++++++++++++++++++++----
>   lib/librte_ipsec/ses.c               | 11 +++++++++--
>   2 files changed, 29 insertions(+), 6 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c
> index 7ab378f6a..e403c461a 100644
> --- a/examples/ipsec-secgw/ipsec_process.c
> +++ b/examples/ipsec-secgw/ipsec_process.c
> @@ -87,19 +87,36 @@ enqueue_cop_bulk(struct cdev_qp *cqp, struct rte_crypto_op *cop[], uint32_t num)
>   }
>   
>   static inline int
> -fill_ipsec_session(struct rte_ipsec_session *ss, const struct ipsec_sa *sa)
> +fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx,
> +	struct ipsec_sa *sa)
>   {
> +	int32_t rc;
> +
>   	/* setup crypto section */
>   	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
> +		if (sa->crypto_session == NULL) {
> +			rc = create_session(ctx, sa);
> +			if (rc != 0)
> +				return rc;
> +		}
>   		ss->crypto.ses = sa->crypto_session;
>   	/* setup session action type */
>   	} else {
> +		if (sa->sec_session == NULL) {
> +			rc = create_session(ctx, sa);
> +			if (rc != 0)
> +				return rc;
> +		}
>   		ss->security.ses = sa->sec_session;
>   		ss->security.ctx = sa->security_ctx;
>   		ss->security.ol_flags = sa->ol_flags;
>   	}
>   
> -	return rte_ipsec_session_prepare(ss);
> +	rc = rte_ipsec_session_prepare(ss);
> +	if (rc != 0)
> +		memset(ss, 0, sizeof(*ss));
> +
> +	return rc;
>   }
>   
>   /*
> @@ -209,8 +226,7 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
>   
>   		/* no valid HW session for that SA, try to create one */
>   		if (ips->crypto.ses == NULL &&
> -				(create_session(ctx, sa) != 0 ||
> -				fill_ipsec_session(ips, sa) != 0))
> +				fill_ipsec_session(ips, ctx, sa) != 0)
>   			k = 0;
>   
>   		/* process packets inline */
> diff --git a/lib/librte_ipsec/ses.c b/lib/librte_ipsec/ses.c
> index 562c1423e..11580970e 100644
> --- a/lib/librte_ipsec/ses.c
> +++ b/lib/librte_ipsec/ses.c
> @@ -14,8 +14,15 @@ session_check(struct rte_ipsec_session *ss)
>   	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
>   		if (ss->crypto.ses == NULL)
>   			return -EINVAL;
> -	} else if (ss->security.ses == NULL || ss->security.ctx == NULL)
> -		return -EINVAL;
> +	} else {
> +		if (ss->security.ses == NULL)
> +			return -EINVAL;
> +		if ((ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
> +				ss->type ==
> +				RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) &&
> +				ss->security.ctx == NULL)
> +			return -EINVAL;
> +	}
>   
>   	return 0;
>   }

Re: [dpdk-dev] [PATCH v5 00/10] examples/ipsec-secgw: make app to use ipsec library

[Ananyev, Konstantin]

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Wednesday, January 2, 2019 2:29 PM
> To: Ananyev, Konstantin <konstantin.ananyev@intel.com>; dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH v5 00/10] examples/ipsec-secgw: make app to use ipsec library
> 
> 
> 
> On 1/2/2019 6:31 PM, Ananyev, Konstantin wrote:
> > Hi Akhil,
> >
> >> Hi Konstantin,
> >>
> >> I just got results on running the ipsec-secgw on NXP hardware.
> > Thanks for doing that.
> > We don't have NXP HW, so would need more help from you.
> >
> >> with -l option, I got a seg fault while running traffic. gdb suggest
> >> that pkt_func is not filled up and is NULL.
> >> #1  0x00000000004689bc in rte_ipsec_pkt_crypto_prepare (ss=0x17ad82d80,
> >> mb=0xffffffffe498, cop=0xffffffffdfc0, num=1)
> >>       at
> >> /home/akhil/netperf/dpdk_up/dpdk-next-crypto/arm64-dpaa-linuxapp-gcc/include/rte_ipsec.h:115
> >> (gdb)  p /x *ss
> >> $1 = {sa = 0x17ad7ea40, type = 0x3, {crypto = {ses = 0x165a4e900},
> >> security = {ses = 0x165a4e900, ctx = 0x0, ol_flags = 0x0}}, pkt_func = {
> >>       prepare = 0x0, process = 0x0}}
> >>
> > I guess I understand the reason:
> > right now rte_ipsec_session_prepare() expects that
> > for all modes except RTE_SECURITY_ACTION_TYPE_NONE
> > security.ctx to be not NULL.
> > Which as I understand is not necessary for lookaside-proto.
> > Could you try the fix below?
> > If it would work as expected, I'll include these changes into v6?
> It did not crash this time with the below fix but the performance is
> very very poor(~95% drop) if I use -l option with lookaside mode.
> I have not analyzed the issue yet. Will be doing it on Friday.

Did you run it with your previous change applied?
With drain_crypto_queues() moved under 'if (unlikely(diff_tsc > drain_tsc))'
condition?
If so, that could be the reason for such slowdown, see my other mail
regarding it.
Can you try to revert it (yes it would mean 5% drop for legacy mode)
and  try again ((yes it would mean 5% drop for legacy mode,
but we can deal with it later)?

Konstantin

> >
> > ---
> >   examples/ipsec-secgw/ipsec_process.c | 24 ++++++++++++++++++++----
> >   lib/librte_ipsec/ses.c               | 11 +++++++++--
> >   2 files changed, 29 insertions(+), 6 deletions(-)
> >
> > diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c
> > index 7ab378f6a..e403c461a 100644
> > --- a/examples/ipsec-secgw/ipsec_process.c
> > +++ b/examples/ipsec-secgw/ipsec_process.c
> > @@ -87,19 +87,36 @@ enqueue_cop_bulk(struct cdev_qp *cqp, struct rte_crypto_op *cop[], uint32_t num)
> >   }
> >
> >   static inline int
> > -fill_ipsec_session(struct rte_ipsec_session *ss, const struct ipsec_sa *sa)
> > +fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx,
> > +	struct ipsec_sa *sa)
> >   {
> > +	int32_t rc;
> > +
> >   	/* setup crypto section */
> >   	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
> > +		if (sa->crypto_session == NULL) {
> > +			rc = create_session(ctx, sa);
> > +			if (rc != 0)
> > +				return rc;
> > +		}
> >   		ss->crypto.ses = sa->crypto_session;
> >   	/* setup session action type */
> >   	} else {
> > +		if (sa->sec_session == NULL) {
> > +			rc = create_session(ctx, sa);
> > +			if (rc != 0)
> > +				return rc;
> > +		}
> >   		ss->security.ses = sa->sec_session;
> >   		ss->security.ctx = sa->security_ctx;
> >   		ss->security.ol_flags = sa->ol_flags;
> >   	}
> >
> > -	return rte_ipsec_session_prepare(ss);
> > +	rc = rte_ipsec_session_prepare(ss);
> > +	if (rc != 0)
> > +		memset(ss, 0, sizeof(*ss));
> > +
> > +	return rc;
> >   }
> >
> >   /*
> > @@ -209,8 +226,7 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
> >
> >   		/* no valid HW session for that SA, try to create one */
> >   		if (ips->crypto.ses == NULL &&
> > -				(create_session(ctx, sa) != 0 ||
> > -				fill_ipsec_session(ips, sa) != 0))
> > +				fill_ipsec_session(ips, ctx, sa) != 0)
> >   			k = 0;
> >
> >   		/* process packets inline */
> > diff --git a/lib/librte_ipsec/ses.c b/lib/librte_ipsec/ses.c
> > index 562c1423e..11580970e 100644
> > --- a/lib/librte_ipsec/ses.c
> > +++ b/lib/librte_ipsec/ses.c
> > @@ -14,8 +14,15 @@ session_check(struct rte_ipsec_session *ss)
> >   	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
> >   		if (ss->crypto.ses == NULL)
> >   			return -EINVAL;
> > -	} else if (ss->security.ses == NULL || ss->security.ctx == NULL)
> > -		return -EINVAL;
> > +	} else {
> > +		if (ss->security.ses == NULL)
> > +			return -EINVAL;
> > +		if ((ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
> > +				ss->type ==
> > +				RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) &&
> > +				ss->security.ctx == NULL)
> > +			return -EINVAL;
> > +	}
> >
> >   	return 0;
> >   }

[dpdk-dev] [PATCH v4 1/9] examples/ipsec-secgw: avoid to request unused TX offloads

[Konstantin Ananyev]

ipsec-secgw always enables TX offloads
(DEV_TX_OFFLOAD_MULTI_SEGS, DEV_TX_OFFLOAD_SECURITY),
even when they are not requested by the config.
That causes many PMD to choose full-featured TX function,
which in many cases is much slower then one without offloads.
That patch adds checks to enabled extra HW offloads, only when
they were requested.
Plus it enables DEV_TX_OFFLOAD_IPV4_CKSUM,
only when other HW TX ofloads are going to be enabled.
Otherwise SW version of ip cksum calculation is used.
That allows to use vector TX function, when inline-ipsec is not
requested.

Signed-off-by: Remy Horton <remy.horton@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
---
 examples/ipsec-secgw/ipsec-secgw.c | 44 +++++++++++++++--------
 examples/ipsec-secgw/ipsec.h       |  6 ++++
 examples/ipsec-secgw/sa.c          | 56 ++++++++++++++++++++++++++++++
 3 files changed, 91 insertions(+), 15 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 1bc0b5b50..cfc2b05e5 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -208,8 +208,6 @@ static struct rte_eth_conf port_conf = {
 	},
 	.txmode = {
 		.mq_mode = ETH_MQ_TX_NONE,
-		.offloads = (DEV_TX_OFFLOAD_IPV4_CKSUM |
-			     DEV_TX_OFFLOAD_MULTI_SEGS),
 	},
 };
 
@@ -315,7 +313,8 @@ prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
 }
 
 static inline void
-prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port)
+prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port,
+		const struct lcore_conf *qconf)
 {
 	struct ip *ip;
 	struct ether_hdr *ethhdr;
@@ -325,14 +324,19 @@ prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port)
 	ethhdr = (struct ether_hdr *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN);
 
 	if (ip->ip_v == IPVERSION) {
-		pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
+		pkt->ol_flags |= qconf->outbound.ipv4_offloads;
 		pkt->l3_len = sizeof(struct ip);
 		pkt->l2_len = ETHER_HDR_LEN;
 
 		ip->ip_sum = 0;
+
+		/* calculate IPv4 cksum in SW */
+		if ((pkt->ol_flags & PKT_TX_IP_CKSUM) == 0)
+			ip->ip_sum = rte_ipv4_cksum((struct ipv4_hdr *)ip);
+
 		ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4);
 	} else {
-		pkt->ol_flags |= PKT_TX_IPV6;
+		pkt->ol_flags |= qconf->outbound.ipv6_offloads;
 		pkt->l3_len = sizeof(struct ip6_hdr);
 		pkt->l2_len = ETHER_HDR_LEN;
 
@@ -346,18 +350,19 @@ prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port)
 }
 
 static inline void
-prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint16_t port)
+prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint16_t port,
+		const struct lcore_conf *qconf)
 {
 	int32_t i;
 	const int32_t prefetch_offset = 2;
 
 	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
 		rte_mbuf_prefetch_part2(pkts[i + prefetch_offset]);
-		prepare_tx_pkt(pkts[i], port);
+		prepare_tx_pkt(pkts[i], port, qconf);
 	}
 	/* Process left packets */
 	for (; i < nb_pkts; i++)
-		prepare_tx_pkt(pkts[i], port);
+		prepare_tx_pkt(pkts[i], port, qconf);
 }
 
 /* Send burst of packets on an output interface */
@@ -371,7 +376,7 @@ send_burst(struct lcore_conf *qconf, uint16_t n, uint16_t port)
 	queueid = qconf->tx_queue_id[port];
 	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
 
-	prepare_tx_burst(m_table, n, port);
+	prepare_tx_burst(m_table, n, port, qconf);
 
 	ret = rte_eth_tx_burst(port, queueid, m_table, n);
 	if (unlikely(ret < n)) {
@@ -1543,7 +1548,7 @@ cryptodevs_init(void)
 }
 
 static void
-port_init(uint16_t portid)
+port_init(uint16_t portid, uint64_t req_rx_offloads, uint64_t req_tx_offloads)
 {
 	struct rte_eth_dev_info dev_info;
 	struct rte_eth_txconf *txconf;
@@ -1584,10 +1589,10 @@ port_init(uint16_t portid)
 		local_port_conf.rxmode.offloads |= DEV_RX_OFFLOAD_JUMBO_FRAME;
 	}
 
-	if (dev_info.rx_offload_capa & DEV_RX_OFFLOAD_SECURITY)
-		local_port_conf.rxmode.offloads |= DEV_RX_OFFLOAD_SECURITY;
-	if (dev_info.tx_offload_capa & DEV_TX_OFFLOAD_SECURITY)
-		local_port_conf.txmode.offloads |= DEV_TX_OFFLOAD_SECURITY;
+	/* Capabilities will already have been checked.. */
+	local_port_conf.rxmode.offloads |= req_rx_offloads;
+	local_port_conf.txmode.offloads |= req_tx_offloads;
+
 	if (dev_info.tx_offload_capa & DEV_TX_OFFLOAD_MBUF_FAST_FREE)
 		local_port_conf.txmode.offloads |=
 			DEV_TX_OFFLOAD_MBUF_FAST_FREE;
@@ -1639,6 +1644,13 @@ port_init(uint16_t portid)
 
 		qconf = &lcore_conf[lcore_id];
 		qconf->tx_queue_id[portid] = tx_queueid;
+
+		/* Pre-populate pkt offloads based on capabilities */
+		qconf->outbound.ipv4_offloads = PKT_TX_IPV4;
+		qconf->outbound.ipv6_offloads = PKT_TX_IPV6;
+		if (req_tx_offloads & DEV_TX_OFFLOAD_IPV4_CKSUM)
+			qconf->outbound.ipv4_offloads |= PKT_TX_IP_CKSUM;
+
 		tx_queueid++;
 
 		/* init RX queues */
@@ -1749,6 +1761,7 @@ main(int32_t argc, char **argv)
 	uint32_t lcore_id;
 	uint8_t socket_id;
 	uint16_t portid;
+	uint64_t req_rx_offloads, req_tx_offloads;
 
 	/* init EAL */
 	ret = rte_eal_init(argc, argv);
@@ -1804,7 +1817,8 @@ main(int32_t argc, char **argv)
 		if ((enabled_port_mask & (1 << portid)) == 0)
 			continue;
 
-		port_init(portid);
+		sa_check_offloads(portid, &req_rx_offloads, &req_tx_offloads);
+		port_init(portid, req_rx_offloads, req_tx_offloads);
 	}
 
 	cryptodevs_init();
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index c998c8076..9b1586f52 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -146,6 +146,8 @@ struct ipsec_ctx {
 	struct rte_mempool *session_pool;
 	struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
 	uint16_t ol_pkts_cnt;
+	uint64_t ipv4_offloads;
+	uint64_t ipv6_offloads;
 };
 
 struct cdev_key {
@@ -239,4 +241,8 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id);
 void
 rt_init(struct socket_ctx *ctx, int32_t socket_id);
 
+int
+sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
+		uint64_t *tx_offloads);
+
 #endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index d2d3550a4..ff8c4b829 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -1017,3 +1017,59 @@ outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
 	for (i = 0; i < nb_pkts; i++)
 		sa[i] = &sa_ctx->sa[sa_idx[i]];
 }
+
+/*
+ * Select HW offloads to be used.
+ */
+int
+sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
+		uint64_t *tx_offloads)
+{
+	struct ipsec_sa *rule;
+	uint32_t idx_sa;
+	struct rte_eth_dev_info dev_info;
+
+	rte_eth_dev_info_get(port_id, &dev_info);
+
+	*rx_offloads = 0;
+	*tx_offloads = 0;
+
+	/* Check for inbound rules that use offloads and use this port */
+	for (idx_sa = 0; idx_sa < nb_sa_in; idx_sa++) {
+		rule = &sa_in[idx_sa];
+		if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+				rule->type ==
+				RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
+				&& rule->portid == port_id) {
+			if ((dev_info.rx_offload_capa & DEV_RX_OFFLOAD_SECURITY)
+					== 0) {
+				RTE_LOG(WARNING, PORT,
+					"HW RX IPSec is not supported\n");
+				return -EINVAL;
+			}
+			*rx_offloads |= DEV_RX_OFFLOAD_SECURITY;
+		}
+	}
+
+	/* Check for outbound rules that use offloads and use this port */
+	for (idx_sa = 0; idx_sa < nb_sa_out; idx_sa++) {
+		rule = &sa_out[idx_sa];
+		if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+				rule->type ==
+				RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
+				&& rule->portid == port_id) {
+			if ((dev_info.tx_offload_capa & DEV_TX_OFFLOAD_SECURITY)
+					== 0) {
+				RTE_LOG(WARNING, PORT,
+					"HW TX IPSec is not supported\n");
+				return -EINVAL;
+			}
+			*tx_offloads |= DEV_TX_OFFLOAD_SECURITY;
+			/* Enable HW IPv4 cksum as well, if it is available */
+			if (dev_info.tx_offload_capa &
+					DEV_TX_OFFLOAD_IPV4_CKSUM)
+				*tx_offloads |= DEV_TX_OFFLOAD_IPV4_CKSUM;
+		}
+	}
+	return 0;
+}
-- 
2.17.1

[dpdk-dev] [PATCH v5 00/10] examples/ipsec-secgw: make app to use ipsec library

[Konstantin Ananyev]

This patch series depends on the patch series:

ipsec: new library for IPsec data-path processing
http://patches.dpdk.org/patch/49332/
http://patches.dpdk.org/patch/49333/
http://patches.dpdk.org/patch/49334/
http://patches.dpdk.org/patch/49335/
http://patches.dpdk.org/patch/49336/
http://patches.dpdk.org/patch/49337/
http://patches.dpdk.org/patch/49338/
http://patches.dpdk.org/patch/49339/
http://patches.dpdk.org/patch/49340/
http://patches.dpdk.org/patch/49341/

to be applied first.

v4 -> v5
- Address Akhil comments:
     documentation update
     spell checks spacing etc.
     introduce rxoffload/txoffload parameters
     single SA for ipv6
     update Makefile

v3 -> v4
 - fix few issues with the test scripts
 - update docs

v2 -> v3
 - add IPv6 cases into test scripts
 - fixes for IPv6 support
 - fixes for inline-crypto support
 - some code restructuring

v1 -> v2
 - Several bug fixes

That series contians few bug-fixes and changes to make ipsec-secgw
to utilize librte_ipsec library:
     - changes in the related data structures.
     - changes in the initialization code.
     - changes in the data-path code.
     - new command-line parameters to enable librte_ipsec codepath
       and related features.
     - test scripts to help automate ipsec-secgw functional testing.

Note that right now by default current (non-librte_ipsec) code-path
will be used. User has to run application with new command-line option
('-l')
to enable new codepath.
The main reason for that:
  - current librte_ipsec doesn't support all ipsec algorithms
    and features that the app does.
  - allow users to run both versions in parallel for some time
    to figure out any functional or performance degradation with the
    new code.

Test scripts were run with the following crypto devices:
 - aesni_mb
 - aesni_gcm
 - qat

Konstantin Ananyev (10):
  examples/ipsec-secgw: allow user to disable some RX/TX offloads
  examples/ipsec-secgw: allow to specify neighbour mac address
  examples/ipsec-secgw: fix crypto-op might never get dequeued
  examples/ipsec-secgw: fix outbound codepath for single SA
  examples/ipsec-secgw: make local variables static
  examples/ipsec-secgw: fix inbound SA checking
  examples/ipsec-secgw: make app to use ipsec library
  examples/ipsec-secgw: make data-path to use ipsec library
  examples/ipsec-secgw: add scripts for functional test
  doc: update ipsec-secgw guide and relelase notes

 doc/guides/rel_notes/release_19_02.rst        |  14 +
 doc/guides/sample_app_ug/ipsec_secgw.rst      | 159 +++++-
 examples/ipsec-secgw/Makefile                 |   5 +-
 examples/ipsec-secgw/ipsec-secgw.c            | 480 ++++++++++++++----
 examples/ipsec-secgw/ipsec.c                  |  62 ++-
 examples/ipsec-secgw/ipsec.h                  |  67 +++
 examples/ipsec-secgw/ipsec_process.c          | 341 +++++++++++++
 examples/ipsec-secgw/meson.build              |   6 +-
 examples/ipsec-secgw/parser.c                 |  91 ++++
 examples/ipsec-secgw/parser.h                 |   8 +-
 examples/ipsec-secgw/sa.c                     | 263 +++++++++-
 examples/ipsec-secgw/sp4.c                    |  35 +-
 examples/ipsec-secgw/sp6.c                    |  35 +-
 examples/ipsec-secgw/test/common_defs.sh      | 153 ++++++
 examples/ipsec-secgw/test/data_rxtx.sh        |  62 +++
 examples/ipsec-secgw/test/linux_test4.sh      |  63 +++
 examples/ipsec-secgw/test/linux_test6.sh      |  64 +++
 examples/ipsec-secgw/test/run_test.sh         |  80 +++
 .../test/trs_aescbc_sha1_common_defs.sh       |  69 +++
 .../ipsec-secgw/test/trs_aescbc_sha1_defs.sh  |  67 +++
 .../test/trs_aescbc_sha1_esn_atom_defs.sh     |   5 +
 .../test/trs_aescbc_sha1_esn_defs.sh          |  66 +++
 .../test/trs_aescbc_sha1_old_defs.sh          |   5 +
 .../test/trs_aesgcm_common_defs.sh            |  60 +++
 examples/ipsec-secgw/test/trs_aesgcm_defs.sh  |  66 +++
 .../test/trs_aesgcm_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/trs_aesgcm_esn_defs.sh   |  66 +++
 .../ipsec-secgw/test/trs_aesgcm_old_defs.sh   |   5 +
 .../test/tun_aescbc_sha1_common_defs.sh       |  68 +++
 .../ipsec-secgw/test/tun_aescbc_sha1_defs.sh  |  70 +++
 .../test/tun_aescbc_sha1_esn_atom_defs.sh     |   5 +
 .../test/tun_aescbc_sha1_esn_defs.sh          |  70 +++
 .../test/tun_aescbc_sha1_old_defs.sh          |   5 +
 .../test/tun_aesgcm_common_defs.sh            |  60 +++
 examples/ipsec-secgw/test/tun_aesgcm_defs.sh  |  70 +++
 .../test/tun_aesgcm_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/tun_aesgcm_esn_defs.sh   |  70 +++
 .../ipsec-secgw/test/tun_aesgcm_old_defs.sh   |   5 +
 38 files changed, 2685 insertions(+), 145 deletions(-)
 create mode 100644 examples/ipsec-secgw/ipsec_process.c
 create mode 100644 examples/ipsec-secgw/test/common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/data_rxtx.sh
 create mode 100644 examples/ipsec-secgw/test/linux_test4.sh
 create mode 100644 examples/ipsec-secgw/test/linux_test6.sh
 create mode 100644 examples/ipsec-secgw/test/run_test.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh

-- 
2.17.1

Re: [dpdk-dev] [PATCH v5 00/10] examples/ipsec-secgw: make app to use ipsec library

[Akhil Goyal]

Hi Konstantin,

I just got results on running the ipsec-secgw on NXP hardware.

it seems there is a drop of around 10% for lookaside proto with normal 
command(i.e. without -l option)

with -l option, I got a seg fault while running traffic. gdb suggest 
that pkt_func is not filled up and is NULL.
#1  0x00000000004689bc in rte_ipsec_pkt_crypto_prepare (ss=0x17ad82d80, 
mb=0xffffffffe498, cop=0xffffffffdfc0, num=1)
     at 
/home/akhil/netperf/dpdk_up/dpdk-next-crypto/arm64-dpaa-linuxapp-gcc/include/rte_ipsec.h:115
(gdb)  p /x *ss
$1 = {sa = 0x17ad7ea40, type = 0x3, {crypto = {ses = 0x165a4e900}, 
security = {ses = 0x165a4e900, ctx = 0x0, ol_flags = 0x0}}, pkt_func = {
     prepare = 0x0, process = 0x0}}




On 12/28/2018 9:03 PM, Konstantin Ananyev wrote:
> This patch series depends on the patch series:
>
> ipsec: new library for IPsec data-path processing
> http://patches.dpdk.org/patch/49332/
> http://patches.dpdk.org/patch/49333/
> http://patches.dpdk.org/patch/49334/
> http://patches.dpdk.org/patch/49335/
> http://patches.dpdk.org/patch/49336/
> http://patches.dpdk.org/patch/49337/
> http://patches.dpdk.org/patch/49338/
> http://patches.dpdk.org/patch/49339/
> http://patches.dpdk.org/patch/49340/
> http://patches.dpdk.org/patch/49341/
>
> to be applied first.
>
> v4 -> v5
> - Address Akhil comments:
>       documentation update
>       spell checks spacing etc.
>       introduce rxoffload/txoffload parameters
>       single SA for ipv6
>       update Makefile
>
> v3 -> v4
>   - fix few issues with the test scripts
>   - update docs
>
> v2 -> v3
>   - add IPv6 cases into test scripts
>   - fixes for IPv6 support
>   - fixes for inline-crypto support
>   - some code restructuring
>
> v1 -> v2
>   - Several bug fixes
>
> That series contians few bug-fixes and changes to make ipsec-secgw
> to utilize librte_ipsec library:
>       - changes in the related data structures.
>       - changes in the initialization code.
>       - changes in the data-path code.
>       - new command-line parameters to enable librte_ipsec codepath
>         and related features.
>       - test scripts to help automate ipsec-secgw functional testing.
>
> Note that right now by default current (non-librte_ipsec) code-path
> will be used. User has to run application with new command-line option
> ('-l')
> to enable new codepath.
> The main reason for that:
>    - current librte_ipsec doesn't support all ipsec algorithms
>      and features that the app does.
>    - allow users to run both versions in parallel for some time
>      to figure out any functional or performance degradation with the
>      new code.
>
> Test scripts were run with the following crypto devices:
>   - aesni_mb
>   - aesni_gcm
>   - qat
>
> Konstantin Ananyev (10):
>    examples/ipsec-secgw: allow user to disable some RX/TX offloads
>    examples/ipsec-secgw: allow to specify neighbour mac address
>    examples/ipsec-secgw: fix crypto-op might never get dequeued
>    examples/ipsec-secgw: fix outbound codepath for single SA
>    examples/ipsec-secgw: make local variables static
>    examples/ipsec-secgw: fix inbound SA checking
>    examples/ipsec-secgw: make app to use ipsec library
>    examples/ipsec-secgw: make data-path to use ipsec library
>    examples/ipsec-secgw: add scripts for functional test
>    doc: update ipsec-secgw guide and relelase notes
>
>   doc/guides/rel_notes/release_19_02.rst        |  14 +
>   doc/guides/sample_app_ug/ipsec_secgw.rst      | 159 +++++-
>   examples/ipsec-secgw/Makefile                 |   5 +-
>   examples/ipsec-secgw/ipsec-secgw.c            | 480 ++++++++++++++----
>   examples/ipsec-secgw/ipsec.c                  |  62 ++-
>   examples/ipsec-secgw/ipsec.h                  |  67 +++
>   examples/ipsec-secgw/ipsec_process.c          | 341 +++++++++++++
>   examples/ipsec-secgw/meson.build              |   6 +-
>   examples/ipsec-secgw/parser.c                 |  91 ++++
>   examples/ipsec-secgw/parser.h                 |   8 +-
>   examples/ipsec-secgw/sa.c                     | 263 +++++++++-
>   examples/ipsec-secgw/sp4.c                    |  35 +-
>   examples/ipsec-secgw/sp6.c                    |  35 +-
>   examples/ipsec-secgw/test/common_defs.sh      | 153 ++++++
>   examples/ipsec-secgw/test/data_rxtx.sh        |  62 +++
>   examples/ipsec-secgw/test/linux_test4.sh      |  63 +++
>   examples/ipsec-secgw/test/linux_test6.sh      |  64 +++
>   examples/ipsec-secgw/test/run_test.sh         |  80 +++
>   .../test/trs_aescbc_sha1_common_defs.sh       |  69 +++
>   .../ipsec-secgw/test/trs_aescbc_sha1_defs.sh  |  67 +++
>   .../test/trs_aescbc_sha1_esn_atom_defs.sh     |   5 +
>   .../test/trs_aescbc_sha1_esn_defs.sh          |  66 +++
>   .../test/trs_aescbc_sha1_old_defs.sh          |   5 +
>   .../test/trs_aesgcm_common_defs.sh            |  60 +++
>   examples/ipsec-secgw/test/trs_aesgcm_defs.sh  |  66 +++
>   .../test/trs_aesgcm_esn_atom_defs.sh          |   5 +
>   .../ipsec-secgw/test/trs_aesgcm_esn_defs.sh   |  66 +++
>   .../ipsec-secgw/test/trs_aesgcm_old_defs.sh   |   5 +
>   .../test/tun_aescbc_sha1_common_defs.sh       |  68 +++
>   .../ipsec-secgw/test/tun_aescbc_sha1_defs.sh  |  70 +++
>   .../test/tun_aescbc_sha1_esn_atom_defs.sh     |   5 +
>   .../test/tun_aescbc_sha1_esn_defs.sh          |  70 +++
>   .../test/tun_aescbc_sha1_old_defs.sh          |   5 +
>   .../test/tun_aesgcm_common_defs.sh            |  60 +++
>   examples/ipsec-secgw/test/tun_aesgcm_defs.sh  |  70 +++
>   .../test/tun_aesgcm_esn_atom_defs.sh          |   5 +
>   .../ipsec-secgw/test/tun_aesgcm_esn_defs.sh   |  70 +++
>   .../ipsec-secgw/test/tun_aesgcm_old_defs.sh   |   5 +
>   38 files changed, 2685 insertions(+), 145 deletions(-)
>   create mode 100644 examples/ipsec-secgw/ipsec_process.c
>   create mode 100644 examples/ipsec-secgw/test/common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/data_rxtx.sh
>   create mode 100644 examples/ipsec-secgw/test/linux_test4.sh
>   create mode 100644 examples/ipsec-secgw/test/linux_test6.sh
>   create mode 100644 examples/ipsec-secgw/test/run_test.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh
>