From: "Iremonger, Bernard" <bernard.iremonger@intel.com>
To: Akhil Goyal <akhil.goyal@nxp.com>, "dev@dpdk.org" <dev@dpdk.org>,
"Ananyev, Konstantin" <konstantin.ananyev@intel.com>
Cc: "stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto
Date: Wed, 17 Apr 2019 12:53:43 +0000 [thread overview]
Message-ID: <8CEF83825BEC744B83065625E567D7C260D89D9F@IRSMSX108.ger.corp.intel.com> (raw)
In-Reply-To: <VI1PR04MB4893D4761707A6310E10929DE6250@VI1PR04MB4893.eurprd04.prod.outlook.com>
Hi Akhil,
> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Wednesday, April 17, 2019 12:52 PM
> To: Iremonger, Bernard <bernard.iremonger@intel.com>; dev@dpdk.org;
> Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Cc: stable@dpdk.org
> Subject: RE: [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped
> for inline crypto
>
> >
> > Inline crypto installs a flow rule in the NIC. This flow rule must be
> > installed before the first inbound packet is received.
> >
> > The create_session() function installs the flow rule.
> >
> > Refactor ipsec-secgw.c, sa.c, ipsec.h and ipsec.c to create sessions
> > at startup to fix the issue of the first packet being dropped for
> > inline crypto.
> >
> > The create_session() function is now called at initialisation in
> > sa_add_rules() which is called from sa_init().
> > The return code for add_rules is checked.
> > Calls to create_session() in other functions are dropped.
> >
> > Add crypto_devid_fill() in ipsec-secgw.c Add max_session_size() in
> > ipsec-secgw.c Add check_cryptodev_capability() in ipsec.c Add
> > check_cryptodev_aead_capability() in ipsec.c Add create_sec_session()
> > and create_crypto_session() in ipsec.c
> >
> > The crypto_dev_fill() function has been added to find the enabled
> > crypto devices.
> >
> > The max_session_size() function has been added to calculate memory
> > requirements.
> >
> > The check_cryptodev_capability() and check_cryptodev_aead_capability()
> > functions have been added to check that the SA is supported by the
> > crypto device.
> >
> > The create_session() function is refactored to use the
> > create_sec_session() and create_crypto_session() functions.
> >
> > The cryprodev_init() function has been refactored to drop calls to
> > rte_mempool_create() and to drop calculation of memory requirements.
> >
> > The main() function has been refactored to call crypto_devid_fill()
> > and max_session_size() and to call session_pool_init() and
> > session_priv_pool_init().
> > The ports are started now before adding a flow rule in main().
> > The sa_init(), sp4_init(), sp6_init() and rt_init() functions are now
> > called after the ports have been started.
> >
> > Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> > Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample
> > application")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
> > ---
> > examples/ipsec-secgw/ipsec-secgw.c | 271 +++++++++--------
> > examples/ipsec-secgw/ipsec.c | 569 +++++++++++++++++++-----------
> -----
> > examples/ipsec-secgw/ipsec.h | 10 +-
> > examples/ipsec-secgw/ipsec_process.c | 38 +--
> > examples/ipsec-secgw/sa.c | 42 ++-
> > 5 files changed, 495 insertions(+), 435 deletions(-)
> >
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> > secgw/ipsec-secgw.c index ffbd00b..cc8bb57 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > @@ -182,6 +182,14 @@ struct lcore_params {
> > uint8_t lcore_id;
> > } __rte_cache_aligned;
> >
> > +/*
> > + * Number of enabled crypto devices
> > + * This number is needed when checking crypto device capabilities */
> > +uint8_t crypto_dev_num;
> > +/* array of crypto device ID's */
> > +uint8_t crypto_devid[RTE_CRYPTO_MAX_DEVS];
> > +
> > static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
> >
> > static struct lcore_params *lcore_params; @@ -1623,13 +1631,27 @@
> > check_cryptodev_mask(uint8_t cdev_id)
> > return -1;
> > }
> >
> > +static void
> > +crypto_devid_fill(void)
> > +{
> > + uint32_t i, n;
> > +
> > + n = rte_cryptodev_count();
> > +
> > + for (i = 0; i != n; i++) {
> > + if (check_cryptodev_mask(i) == 0)
> > + crypto_devid[crypto_dev_num++] = i;
> > + }
> > +}
> > +
> > static int32_t
> > cryptodevs_init(void)
> > {
> > struct rte_cryptodev_config dev_conf;
> > struct rte_cryptodev_qp_conf qp_conf;
> > uint16_t idx, max_nb_qps, qp, i;
> > - int16_t cdev_id, port_id;
> > + int16_t cdev_id;
> > + uint32_t dev_max_sess;
> > struct rte_hash_parameters params = { 0 };
> >
> > params.entries = CDEV_MAP_ENTRIES;
> > @@ -1652,45 +1674,6 @@ cryptodevs_init(void)
> >
> > printf("lcore/cryptodev/qp mappings:\n");
> >
> > - uint32_t max_sess_sz = 0, sess_sz;
> > - for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
> > - void *sec_ctx;
> > -
> > - /* Get crypto priv session size */
> > - sess_sz =
> rte_cryptodev_sym_get_private_session_size(cdev_id);
> > - if (sess_sz > max_sess_sz)
> > - max_sess_sz = sess_sz;
> > -
> > - /*
> > - * If crypto device is security capable, need to check the
> > - * size of security session as well.
> > - */
> > -
> > - /* Get security context of the crypto device */
> > - sec_ctx = rte_cryptodev_get_sec_ctx(cdev_id);
> > - if (sec_ctx == NULL)
> > - continue;
> > -
> > - /* Get size of security session */
> > - sess_sz = rte_security_session_get_size(sec_ctx);
> > - if (sess_sz > max_sess_sz)
> > - max_sess_sz = sess_sz;
> > - }
> > - RTE_ETH_FOREACH_DEV(port_id) {
> > - void *sec_ctx;
> > -
> > - if ((enabled_port_mask & (1 << port_id)) == 0)
> > - continue;
> > -
> > - sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
> > - if (sec_ctx == NULL)
> > - continue;
> > -
> > - sess_sz = rte_security_session_get_size(sec_ctx);
> > - if (sess_sz > max_sess_sz)
> > - max_sess_sz = sess_sz;
> > - }
> > -
> > idx = 0;
> > for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
> > struct rte_cryptodev_info cdev_info; @@ -1722,51 +1705,12
> @@
> > cryptodevs_init(void)
> > dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
> > dev_conf.nb_queue_pairs = qp;
> >
> > - uint32_t dev_max_sess = cdev_info.sym.max_nb_sessions;
> > + dev_max_sess = cdev_info.sym.max_nb_sessions;
> > if (dev_max_sess != 0 && dev_max_sess <
> CDEV_MP_NB_OBJS)
> > rte_exit(EXIT_FAILURE,
> > "Device does not support at least %u "
> > "sessions", CDEV_MP_NB_OBJS);
> >
> > - if (!socket_ctx[dev_conf.socket_id].session_pool) {
> > - char mp_name[RTE_MEMPOOL_NAMESIZE];
> > - struct rte_mempool *sess_mp;
> > -
> > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
> > - "sess_mp_%u", dev_conf.socket_id);
> > - sess_mp =
> rte_cryptodev_sym_session_pool_create(
> > - mp_name, CDEV_MP_NB_OBJS,
> > - 0, CDEV_MP_CACHE_SZ, 0,
> > - dev_conf.socket_id);
> > - socket_ctx[dev_conf.socket_id].session_pool =
> > sess_mp;
> > - }
> > -
> > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool) {
> > - char mp_name[RTE_MEMPOOL_NAMESIZE];
> > - struct rte_mempool *sess_mp;
> > -
> > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
> > - "sess_mp_priv_%u",
> > dev_conf.socket_id);
> > - sess_mp = rte_mempool_create(mp_name,
> > - CDEV_MP_NB_OBJS,
> > - max_sess_sz,
> > - CDEV_MP_CACHE_SZ,
> > - 0, NULL, NULL, NULL,
> > - NULL, dev_conf.socket_id,
> > - 0);
> > - socket_ctx[dev_conf.socket_id].session_priv_pool =
> > - sess_mp;
> > - }
> > -
> > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool ||
> > -
> !socket_ctx[dev_conf.socket_id].session_pool)
> > - rte_exit(EXIT_FAILURE,
> > - "Cannot create session pool on socket %d\n",
> > - dev_conf.socket_id);
> > - else
> > - printf("Allocated session pool on socket %d\n",
> > - dev_conf.socket_id);
> > -
> > if (rte_cryptodev_configure(cdev_id, &dev_conf))
> > rte_panic("Failed to initialize cryptodev %u\n",
> > cdev_id);
> > @@ -1787,38 +1731,6 @@ cryptodevs_init(void)
> > cdev_id);
> > }
> >
> > - /* create session pools for eth devices that implement security */
> > - RTE_ETH_FOREACH_DEV(port_id) {
> > - if ((enabled_port_mask & (1 << port_id)) &&
> > - rte_eth_dev_get_sec_ctx(port_id)) {
> > - int socket_id = rte_eth_dev_socket_id(port_id);
> > -
> > - if (!socket_ctx[socket_id].session_pool) {
> > - char mp_name[RTE_MEMPOOL_NAMESIZE];
> > - struct rte_mempool *sess_mp;
> > -
> > - snprintf(mp_name,
> RTE_MEMPOOL_NAMESIZE,
> > - "sess_mp_%u", socket_id);
> > - sess_mp = rte_mempool_create(mp_name,
> > - (CDEV_MP_NB_OBJS * 2),
> > - max_sess_sz,
> > - CDEV_MP_CACHE_SZ,
> > - 0, NULL, NULL, NULL,
> > - NULL, socket_id,
> > - 0);
> > - if (sess_mp == NULL)
> > - rte_exit(EXIT_FAILURE,
> > - "Cannot create session pool "
> > - "on socket %d\n", socket_id);
> > - else
> > - printf("Allocated session pool "
> > - "on socket %d\n", socket_id);
> > - socket_ctx[socket_id].session_pool =
> sess_mp;
> > - }
> > - }
> > - }
> > -
> > -
> > printf("\n");
> >
> > return 0;
> > @@ -1984,6 +1896,98 @@ port_init(uint16_t portid, uint64_t
> > req_rx_offloads, uint64_t req_tx_offloads)
> > printf("\n");
> > }
> >
> > +static size_t
> > +max_session_size(void)
> > +{
> > + size_t max_sz, sz;
> > + void *sec_ctx;
> > + int16_t cdev_id, port_id, n;
> > +
> > + max_sz = 0;
> > + n = rte_cryptodev_count();
> > + for (cdev_id = 0; cdev_id != n; cdev_id++) {
> > + sz = rte_cryptodev_sym_get_private_session_size(cdev_id);
> > + if (sz > max_sz)
> > + max_sz = sz;
> > + /*
> > + * If crypto device is security capable, need to check the
> > + * size of security session as well.
> > + */
> > +
> > + /* Get security context of the crypto device */
> > + sec_ctx = rte_cryptodev_get_sec_ctx(cdev_id);
> > + if (sec_ctx == NULL)
> > + continue;
> > +
> > + /* Get size of security session */
> > + sz = rte_security_session_get_size(sec_ctx);
> > + if (sz > max_sz)
> > + max_sz = sz;
> > + }
> > +
> > + RTE_ETH_FOREACH_DEV(port_id) {
> > + if ((enabled_port_mask & (1 << port_id)) == 0)
> > + continue;
> > +
> > + sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
> > + if (sec_ctx == NULL)
> > + continue;
> > +
> > + sz = rte_security_session_get_size(sec_ctx);
> > + if (sz > max_sz)
> > + max_sz = sz;
> > + }
> > +
> > + return max_sz;
> > +}
> > +
> > +static void
> > +session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t
> > +sess_sz) {
> > + char mp_name[RTE_MEMPOOL_NAMESIZE];
> > + struct rte_mempool *sess_mp;
> > +
> > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
> > + "sess_mp_%u", socket_id);
> > + sess_mp = rte_cryptodev_sym_session_pool_create(
> > + mp_name, CDEV_MP_NB_OBJS,
> > + sess_sz, CDEV_MP_CACHE_SZ, 0,
> > + socket_id);
> > + ctx->session_pool = sess_mp;
> > +
> > + if (ctx->session_pool == NULL)
> > + rte_exit(EXIT_FAILURE,
> > + "Cannot init session pool on socket %d\n",
> socket_id);
> > + else
> > + printf("Allocated session pool on socket %d\n",
> socket_id);
> > +}
> > +
> > +static void
> > +session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
> > + size_t sess_sz)
> > +{
> > + char mp_name[RTE_MEMPOOL_NAMESIZE];
> > + struct rte_mempool *sess_mp;
> > +
> > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
> > + "sess_mp_priv_%u", socket_id);
> > + sess_mp = rte_mempool_create(mp_name,
> > + CDEV_MP_NB_OBJS,
> > + sess_sz,
> > + CDEV_MP_CACHE_SZ,
> > + 0, NULL, NULL, NULL,
> > + NULL, socket_id,
> > + 0);
> > + ctx->session_priv_pool = sess_mp;
> > + if (ctx->session_priv_pool == NULL)
> > + rte_exit(EXIT_FAILURE,
> > + "Cannot init session priv pool on socket %d\n",
> > + socket_id);
> > + else
> > + printf("Allocated session priv pool on socket %d\n",
> > + socket_id);
> > +}
> > +
> > static void
> > pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t
> > nb_mbuf) { @@ -2064,9 +2068,11 @@ main(int32_t argc, char **argv) {
> > int32_t ret;
> > uint32_t lcore_id;
> > + uint32_t i;
> > uint8_t socket_id;
> > uint16_t portid;
> > uint64_t req_rx_offloads, req_tx_offloads;
> > + size_t sess_sz;
> >
> > /* init EAL */
> > ret = rte_eal_init(argc, argv);
> > @@ -2094,7 +2100,10 @@ main(int32_t argc, char **argv)
> >
> > nb_lcores = rte_lcore_count();
> >
> > - /* Replicate each context per socket */
> > + crypto_devid_fill();
> > +
> > + sess_sz = max_session_size();
> > +
> > for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
> > if (rte_lcore_is_enabled(lcore_id) == 0)
> > continue;
> > @@ -2104,20 +2113,17 @@ main(int32_t argc, char **argv)
> > else
> > socket_id = 0;
> >
> > + /* mbuf_pool is initialised by the pool_init() function*/
> > if (socket_ctx[socket_id].mbuf_pool)
> > continue;
> >
> > - /* initilaze SPD */
> > - sp4_init(&socket_ctx[socket_id], socket_id);
> > -
> > - sp6_init(&socket_ctx[socket_id], socket_id);
> > -
> > - /* initilaze SAD */
> > - sa_init(&socket_ctx[socket_id], socket_id);
> > -
> > - rt_init(&socket_ctx[socket_id], socket_id);
> > -
> > pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
> > + session_pool_init(&socket_ctx[socket_id], socket_id,
> sess_sz);
> > + session_priv_pool_init(&socket_ctx[socket_id], socket_id,
> > + sess_sz);
> > +
> > + if (!numa_on)
> > + break;
> > }
> >
> > RTE_ETH_FOREACH_DEV(portid) {
> > @@ -2135,7 +2141,11 @@ main(int32_t argc, char **argv)
> > if ((enabled_port_mask & (1 << portid)) == 0)
> > continue;
> >
> > - /* Start device */
> > + /*
> > + * Start device
> > + * note: device must be started before a flow rule
> > + * can be installed.
> > + */
> > ret = rte_eth_dev_start(portid);
> > if (ret < 0)
> > rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
> > @@ -2153,6 +2163,19 @@ main(int32_t argc, char **argv)
> > RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback,
> NULL);
> > }
> >
> > + /* Replicate each context per socket */
> > + for (i = 0; i < NB_SOCKETS && i < rte_socket_count(); i++) {
> > + socket_id = rte_socket_id_by_idx(i);
> > + if ((socket_ctx[socket_id].mbuf_pool != NULL) &&
> > + (socket_ctx[socket_id].sa_in == NULL) &&
> > + (socket_ctx[socket_id].sa_out == NULL)) {
> > + sa_init(&socket_ctx[socket_id], socket_id);
> > + sp4_init(&socket_ctx[socket_id], socket_id);
> > + sp6_init(&socket_ctx[socket_id], socket_id);
> > + rt_init(&socket_ctx[socket_id], socket_id);
> > + }
> > + }
> > +
> > check_all_ports_link_status(enabled_port_mask);
> >
> > /* launch per-lcore init on every lcore */ diff --git
> > a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index
> > 4352cb8..e31d472 100644
> > --- a/examples/ipsec-secgw/ipsec.c
> > +++ b/examples/ipsec-secgw/ipsec.c
> > @@ -39,42 +39,17 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> > rte_security_ipsec_xform *ipsec)
> > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; }
> >
> > -int
> > -create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
> > +static int
> > +create_sec_session(struct ipsec_sa *sa, struct rte_mempool *pool)
> > {
> > - struct rte_cryptodev_info cdev_info;
> > - unsigned long cdev_id_qp = 0;
> > + const struct rte_security_capability *sec_cap;
> > + struct rte_security_ctx *ctx;
> > int32_t ret = 0;
> > - struct cdev_key key = { 0 };
> > -
> > - key.lcore_id = (uint8_t)rte_lcore_id();
> > -
> > - key.cipher_algo = (uint8_t)sa->cipher_algo;
> > - key.auth_algo = (uint8_t)sa->auth_algo;
> > - key.aead_algo = (uint8_t)sa->aead_algo;
> > -
> > - if (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) {
> > - ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
> > - (void **)&cdev_id_qp);
> > - if (ret < 0) {
> > - RTE_LOG(ERR, IPSEC,
> > - "No cryptodev: core %u, cipher_algo %u, "
> > - "auth_algo %u, aead_algo %u\n",
> > - key.lcore_id,
> > - key.cipher_algo,
> > - key.auth_algo,
> > - key.aead_algo);
> > - return -1;
> > - }
> > - }
> >
> > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on
> cryptodev
> > "
> > - "%u qp %u\n", sa->spi,
> > - ipsec_ctx->tbl[cdev_id_qp].id,
> > - ipsec_ctx->tbl[cdev_id_qp].qp);
> > + if ((sa == NULL) || (pool == NULL))
> > + return -EINVAL;
> >
> > - if (sa->type != RTE_SECURITY_ACTION_TYPE_NONE) {
> > - struct rte_security_session_conf sess_conf = {
> > + struct rte_security_session_conf sess_conf = {
> > .action_type = sa->type,
> > .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
> > {.ipsec = {
> > @@ -90,247 +65,340 @@ create_session(struct ipsec_ctx *ipsec_ctx,
> > struct ipsec_sa *sa)
> > } },
> > .crypto_xform = sa->xforms,
> > .userdata = NULL,
> > -
> > };
> >
> > - if (sa->type ==
> > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
> > - struct rte_security_ctx *ctx = (struct rte_security_ctx
> *)
> > -
> > rte_cryptodev_get_sec_ctx(
> > - ipsec_ctx-
> > >tbl[cdev_id_qp].id);
> > -
> > - /* Set IPsec parameters in conf */
> > - set_ipsec_conf(sa, &(sess_conf.ipsec));
> > -
> > - sa->sec_session = rte_security_session_create(ctx,
> > - &sess_conf, ipsec_ctx-
> >session_pool);
> > - if (sa->sec_session == NULL) {
> > - RTE_LOG(ERR, IPSEC,
> > - "SEC Session init failed: err: %d\n", ret);
> > - return -1;
> > - }
> > - } else if (sa->type ==
> > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
> > - struct rte_flow_error err;
> > - struct rte_security_ctx *ctx = (struct rte_security_ctx
> *)
> > -
> > rte_eth_dev_get_sec_ctx(
> > - sa->portid);
> > - const struct rte_security_capability *sec_cap;
> > - int ret = 0;
> > -
> > - sa->sec_session = rte_security_session_create(ctx,
> > - &sess_conf, ipsec_ctx-
> >session_pool);
> > - if (sa->sec_session == NULL) {
> > - RTE_LOG(ERR, IPSEC,
> > - "SEC Session init failed: err: %d\n", ret);
> > - return -1;
> > - }
> > + if (sa->type ==
> RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
> > + ctx = (struct rte_security_ctx *)
> > + rte_eth_dev_get_sec_ctx(sa->portid);
> >
> > - sec_cap = rte_security_capabilities_get(ctx);
> > + /* Set IPsec parameters in conf */
> > + set_ipsec_conf(sa, &(sess_conf.ipsec));
> >
> > - /* iterate until ESP tunnel*/
> > - while (sec_cap->action !=
> > -
> RTE_SECURITY_ACTION_TYPE_NONE)
> > {
> > + sa->sec_session = rte_security_session_create(ctx,
> > + &sess_conf, pool);
> > + if (sa->sec_session == NULL) {
> > + RTE_LOG(ERR, IPSEC,
> > + "SEC Session init failed: err: %d\n",
> > + ret);
> > + return -1;
> > + }
> > + } else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
> {
> > + struct rte_flow_error err;
> > + ctx = (struct rte_security_ctx *)
> > + rte_eth_dev_get_sec_ctx(sa->portid);
> > + sa->sec_session = rte_security_session_create(ctx,
> > + &sess_conf, pool);
> > + if (sa->sec_session == NULL) {
> > + RTE_LOG(ERR, IPSEC, "SEC Session init failed\n");
> > + return -1;
> > + }
> >
> > - if (sec_cap->action == sa->type &&
> > - sec_cap->protocol ==
> > - RTE_SECURITY_PROTOCOL_IPSEC &&
> > - sec_cap->ipsec.mode ==
> > -
> > RTE_SECURITY_IPSEC_SA_MODE_TUNNEL &&
> > - sec_cap->ipsec.direction == sa->direction)
> > - break;
> > - sec_cap++;
> > - }
> > + sec_cap = rte_security_capabilities_get(ctx);
> > +
> > + /* iterate until ESP tunnel*/
> > + while (sec_cap->action !=
> RTE_SECURITY_ACTION_TYPE_NONE)
> > {
> > + if (sec_cap->action == sa->type &&
> > + sec_cap->protocol ==
> > + RTE_SECURITY_PROTOCOL_IPSEC &&
> > + sec_cap->ipsec.mode ==
> > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL
> &&
> > + sec_cap->ipsec.direction == sa->direction)
> > + break;
> > + sec_cap++;
> > + }
> >
> > - if (sec_cap->action ==
> > RTE_SECURITY_ACTION_TYPE_NONE) {
> > - RTE_LOG(ERR, IPSEC,
> > + if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE)
> {
> > + RTE_LOG(ERR, IPSEC,
> > "No suitable security capability found\n");
> > return -1;
> > - }
> > + }
> >
> > - sa->ol_flags = sec_cap->ol_flags;
> > - sa->security_ctx = ctx;
> > - sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
> > -
> > - sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
> > - sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
> > - if (sa->flags & IP6_TUNNEL) {
> > - sa->pattern[1].spec = &sa->ipv6_spec;
> > - memcpy(sa->ipv6_spec.hdr.dst_addr,
> > - sa->dst.ip.ip6.ip6_b, 16);
> > - memcpy(sa->ipv6_spec.hdr.src_addr,
> > - sa->src.ip.ip6.ip6_b, 16);
> > - } else {
> > - sa->pattern[1].spec = &sa->ipv4_spec;
> > - sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
> > - sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
> > - }
> > + sa->ol_flags = sec_cap->ol_flags;
> > + sa->security_ctx = ctx;
> > + sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
> > +
> > + sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
> > + sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
> > + if (sa->flags & IP6_TUNNEL) {
> > + sa->pattern[1].spec = &sa->ipv6_spec;
> > + memcpy(sa->ipv6_spec.hdr.dst_addr,
> > + sa->dst.ip.ip6.ip6_b, 16);
> > + memcpy(sa->ipv6_spec.hdr.src_addr,
> > + sa->src.ip.ip6.ip6_b, 16);
> > + } else {
> > + sa->pattern[1].spec = &sa->ipv4_spec;
> > + sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
> > + sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
> > + }
> >
> > - sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
> > - sa->pattern[2].spec = &sa->esp_spec;
> > - sa->pattern[2].mask = &rte_flow_item_esp_mask;
> > - sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
> > + sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
> > + sa->pattern[2].spec = &sa->esp_spec;
> > + sa->pattern[2].mask = &rte_flow_item_esp_mask;
> > + sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
> >
> > - sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
> > + sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
> >
> > - sa->action[0].type =
> > RTE_FLOW_ACTION_TYPE_SECURITY;
> > - sa->action[0].conf = sa->sec_session;
> > + sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
> > + sa->action[0].conf = sa->sec_session;
> >
> > - sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
> > + sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
> >
> > - sa->attr.egress = (sa->direction ==
> > + sa->attr.egress = (sa->direction ==
> >
> > RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
> > - sa->attr.ingress = (sa->direction ==
> > + sa->attr.ingress = (sa->direction ==
> >
> > RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
> > - if (sa->attr.ingress) {
> > - uint8_t rss_key[40];
> > - struct rte_eth_rss_conf rss_conf = {
> > - .rss_key = rss_key,
> > - .rss_key_len = 40,
> > - };
> > - struct rte_eth_dev *eth_dev;
> > - uint16_t
> > queue[RTE_MAX_QUEUES_PER_PORT];
> > - struct rte_flow_action_rss action_rss;
> > - unsigned int i;
> > - unsigned int j;
> > -
> > - sa->action[2].type =
> > RTE_FLOW_ACTION_TYPE_END;
> > - /* Try RSS. */
> > - sa->action[1].type =
> > RTE_FLOW_ACTION_TYPE_RSS;
> > - sa->action[1].conf = &action_rss;
> > - eth_dev = ctx->device;
> > - rte_eth_dev_rss_hash_conf_get(sa->portid,
> > - &rss_conf);
> > - for (i = 0, j = 0;
> > - i < eth_dev->data->nb_rx_queues; ++i)
> > - if (eth_dev->data->rx_queues[i])
> > - queue[j++] = i;
> > + if (sa->attr.ingress) {
> > + uint8_t rss_key[40];
> > + struct rte_eth_rss_conf rss_conf = {
> > + .rss_key = rss_key,
> > + .rss_key_len = 40,
> > + };
> > + struct rte_eth_dev *eth_dev;
> > + uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
> > + struct rte_flow_action_rss action_rss;
> > + unsigned int i;
> > + unsigned int j;
> > +
> > + sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
> > + /* Try RSS. */
> > + sa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;
> > + sa->action[1].conf = &action_rss;
> > + eth_dev = ctx->device;
> > + rte_eth_dev_rss_hash_conf_get(sa->portid,
> > + &rss_conf);
> > + for (i = 0, j = 0; i < eth_dev->data->nb_rx_queues;
> > + ++i)
> > + if (eth_dev->data->rx_queues[i])
> > + queue[j++] = i;
> Compilation error
>
> /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c: In
> function 'create_sec_session':
> /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:169:4:
> error: this 'for' clause does not guard... [-Werror=misleading-indentation]
> for (i = 0, j = 0; i < eth_dev->data->nb_rx_queues;
> ^~~
> /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:173:5:
> note: ...this statement, but the latter is misleadingly indented as if it is
> guarded by the 'for'
> action_rss = (struct rte_flow_action_rss){
> ^~~~~~~~~~
>
<snip>
I will send a v4.
What compiler are you using?
Regards,
Bernard.
next prev parent reply other threads:[~2019-04-17 12:53 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-06 16:00 [dpdk-dev] [PATCH 0/6] examples/ipsec-secgw: fix 1st pkt dropped Bernard Iremonger
2019-03-06 16:00 ` [dpdk-dev] [PATCH 1/6] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-03-06 16:00 ` [dpdk-dev] [PATCH 2/6] examples/ipsec-secgw: fix 1st packet dropped patch two Bernard Iremonger
2019-03-06 19:39 ` Ananyev, Konstantin
2019-03-07 9:54 ` Iremonger, Bernard
2019-03-06 16:00 ` [dpdk-dev] [PATCH 3/6] examples/ipsec-secgw: fix 1st packet dropped patch three Bernard Iremonger
2019-03-06 16:00 ` [dpdk-dev] [PATCH 4/6] examples/ipsec-secgw: fix debug in esp.c Bernard Iremonger
2019-03-06 16:00 ` [dpdk-dev] [PATCH 5/6] examples/ipsec-secgw: fix debug in sa.c Bernard Iremonger
2019-03-06 16:00 ` [dpdk-dev] [PATCH 6/6] examples/ipsec-secgw: fix debug in ipsec-secgw.c Bernard Iremonger
2019-03-06 16:14 ` [dpdk-dev] [PATCH 0/6] examples/ipsec-secgw: fix 1st pkt dropped Akhil Goyal
2019-03-07 10:06 ` Iremonger, Bernard
2019-03-07 14:57 ` [dpdk-dev] [PATCH v2 0/2] " Bernard Iremonger
2019-03-08 15:35 ` Ananyev, Konstantin
2019-04-04 13:28 ` [dpdk-dev] [PATCH v3 " Bernard Iremonger
2019-04-04 13:28 ` Bernard Iremonger
2019-04-05 11:15 ` Ananyev, Konstantin
2019-04-05 11:15 ` Ananyev, Konstantin
2019-04-17 13:42 ` [dpdk-dev] [PATCH v4 " Bernard Iremonger
2019-04-17 13:42 ` Bernard Iremonger
2019-06-06 11:12 ` [dpdk-dev] [PATCH v5 " Bernard Iremonger
2019-06-12 14:51 ` [dpdk-dev] [PATCH v6 " Bernard Iremonger
2019-07-10 11:23 ` [dpdk-dev] [PATCH v7 " Bernard Iremonger
2019-07-19 12:53 ` Akhil Goyal
2019-07-19 13:03 ` Iremonger, Bernard
2019-07-19 15:40 ` Iremonger, Bernard
2019-07-10 11:23 ` [dpdk-dev] [PATCH v7 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-07-10 11:23 ` [dpdk-dev] [PATCH v7 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-06-12 14:52 ` [dpdk-dev] [PATCH v6 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-06-13 12:34 ` Ananyev, Konstantin
2019-07-03 10:04 ` Akhil Goyal
2019-07-03 10:13 ` Iremonger, Bernard
2019-07-03 10:18 ` Akhil Goyal
2019-07-03 10:30 ` Iremonger, Bernard
2019-07-03 10:32 ` Akhil Goyal
2019-06-12 14:52 ` [dpdk-dev] [PATCH v6 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-06-13 12:34 ` Ananyev, Konstantin
2019-06-06 11:12 ` [dpdk-dev] [PATCH v5 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-06-11 15:29 ` Ananyev, Konstantin
2019-06-12 9:29 ` Iremonger, Bernard
2019-06-06 11:12 ` [dpdk-dev] [PATCH v5 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-04-17 13:42 ` [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Bernard Iremonger
2019-04-17 13:42 ` Bernard Iremonger
2019-04-17 13:42 ` [dpdk-dev] [PATCH v4 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-04-17 13:42 ` Bernard Iremonger
2019-04-04 13:28 ` [dpdk-dev] [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Bernard Iremonger
2019-04-04 13:28 ` Bernard Iremonger
2019-04-17 11:51 ` Akhil Goyal
2019-04-17 11:51 ` Akhil Goyal
2019-04-17 12:53 ` Iremonger, Bernard [this message]
2019-04-17 12:53 ` Iremonger, Bernard
2019-04-17 13:01 ` [dpdk-dev] [EXT] " Akhil Goyal
2019-04-17 13:01 ` Akhil Goyal
2019-04-04 13:28 ` [dpdk-dev] [PATCH v3 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
2019-04-04 13:28 ` Bernard Iremonger
2019-03-07 14:57 ` [dpdk-dev] [PATCH v2 1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto Bernard Iremonger
2019-03-22 13:18 ` Akhil Goyal
2019-03-22 13:18 ` Akhil Goyal
2019-03-26 10:22 ` Iremonger, Bernard
2019-03-26 10:22 ` Iremonger, Bernard
2019-03-26 11:04 ` Akhil Goyal
2019-03-26 11:04 ` Akhil Goyal
2019-03-26 11:41 ` Iremonger, Bernard
2019-03-26 11:41 ` Iremonger, Bernard
2019-03-26 11:48 ` Akhil Goyal
2019-03-26 11:48 ` Akhil Goyal
2019-03-26 12:29 ` Ananyev, Konstantin
2019-03-26 12:29 ` Ananyev, Konstantin
2019-03-26 12:55 ` Akhil Goyal
2019-03-26 12:55 ` Akhil Goyal
2019-03-07 14:57 ` [dpdk-dev] [PATCH v2 2/2] examples/ipsec-secgw/test: fix inline test scripts Bernard Iremonger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8CEF83825BEC744B83065625E567D7C260D89D9F@IRSMSX108.ger.corp.intel.com \
--to=bernard.iremonger@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).