To: Anoob Joseph, Akhil Goyal, Declan Doherty, Sergio Gonzalez Monroy
Cc: Narayana Prasad, Jerin Jacob, dev@dpdk.org
From: Radu Nicolau
Date: Tue, 14 Nov 2017 16:16:19 +0000
Subject: Re: [dpdk-dev] [PATCH v2] examples/ipsec-secgw: fix usage of incorrect port

On 11/14/2017 3:37 PM, Anoob Joseph wrote:
> When security offload is enabled, the packet should be forwarded on the
> port configured in the SA. Security session will be configured on that
> port only, and sending the packet on other ports could result in
> unencrypted packets being sent out.
>
> This would have performance improvements too, as the per packet LPM
> lookup would be avoided for IPsec packets, in inline mode.
>
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
>
> Signed-off-by: Anoob Joseph
> ---
> v2:
> * Updated documentation with the change in behavior for outbound inline
> offloaded packets.
>
> doc/guides/sample_app_ug/ipsec_secgw.rst | 10 +++-
> examples/ipsec-secgw/ipsec-secgw.c | 92 +++++++++++++++++++++++++++-----
> 2 files changed, 87 insertions(+), 15 deletions(-)
>
> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst > index d6cfdbf..d04e153 100644 > --- a/doc/guides/sample_app_ug/ipsec_secgw.rst > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> @@ -61,6 +61,12 @@ In case of complete protocol offload, the processing of headers(ESP and outer > IP header) is done by the hardware and the application does not need to > add/remove them during outbound/inbound processing. > > +For inline offloaded outbound traffic, the application need not do the LPM > +lookup for routing, as the port on which the packet has to be forwarded, will extra comma......................................................................................................................^here And maybe change need not to will not, to reflect the actual behavior. 
> > > @@ -619,26 +660,49 @@ route6_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) > int32_t hop[MAX_PKT_BURST * 2]; > uint8_t dst_ip[MAX_PKT_BURST * 2][16]; > uint8_t *ip6_dst; > + int32_t pkt_hop = 0; > uint16_t i, offset; > + uint16_t lpm_pkts = 0; > > if (nb_pkts == 0) > return; > > + /* Need to do an LPM lookup for non-offload packets. Offload packets > + * will have port ID in the SA > + */ > + > for (i = 0; i < nb_pkts; i++) { > - offset = offsetof(struct ip6_hdr, ip6_dst); > - ip6_dst = rte_pktmbuf_mtod_offset(pkts[i], uint8_t *, offset); > - memcpy(&dst_ip[i][0], ip6_dst, 16); > + if (!(pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD)) { > + /* Security offload not enabled. So an LPM lookup is > + * required to get the hop > + */ > + offset = offsetof(struct ip6_hdr, ip6_dst); > + ip6_dst = rte_pktmbuf_mtod_offset(pkts[i], uint8_t *, > + offset); > + memcpy(&dst_ip[lpm_pkts][0], ip6_dst, 16); > + lpm_pkts++; > + } > } > > - rte_lpm6_lookup_bulk_func((struct rte_lpm6 *)rt_ctx, dst_ip, > - hop, nb_pkts); > + rte_lpm6_lookup_bulk_func((struct rte_lpm6 *)rt_ctx, dst_ip, hop, > + lpm_pkts); > + > + lpm_pkts = 0; > > for (i = 0; i < nb_pkts; i++) { > - if (hop[i] == -1) { > + if ((pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD) == 0) { The if condition is wrong here. > + /* Read hop from the SA */ > + pkt_hop = get_hop_for_offload_pkt(pkts[i]); > + } else { > + /* Need to use hop returned by lookup */ > + pkt_hop = hop[lpm_pkts++]; > + } > + > + if (pkt_hop == -1) { > rte_pktmbuf_free(pkts[i]); > continue; > } > - send_single_packet(pkts[i], hop[i] & 0xff); > + send_single_packet(pkts[i], pkt_hop & 0xff); > } > } >
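Review bot: in the ipsec_secgw.rst hunk the added sentence says the application "need not do the LPM lookup", which reads as optional, while route6_pkts in this patch never consults the routing table for a packet that has PKT_TX_SEC_OFFLOAD set. The guide should state that configured routes are not applied to inline offloaded outbound packets and that the port from the SA is always used, so that an operator does not expect a route entry to steer that traffic.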
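Review bot: in the second loop of route6_pkts the test "(pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD) == 0" selects the opposite set of packets from the first loop's "!(pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD)". As written, packets that the flag marks as not offloaded are passed to get_hop_for_offload_pkt(), and offloaded packets consume hop[lpm_pkts++], whose entries were computed for other packets' destinations or, past the count given to the lookup, were never written. That puts offloaded packets on a route-derived port, which is the wrong-port transmission the commit message sets out to prevent. Test for the flag being set, "if (pkts[i]->ol_flags & PKT_TX_SEC_OFFLOAD)", so the SA branch handles offloaded packets and the else branch pairs each remaining packet with its compacted lookup result in order. The rte_lpm6_lookup_bulk_func() call could also be skipped when lpm_pkts is 0.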