Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/66547/?format=api
{ "id": 66547, "url": "http://patchwork.dpdk.org/api/patches/66547/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/patch/20200311145529.40221-1-praveen.shetty@intel.com/", "project": { "id": 1, "url": "http://patchwork.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20200311145529.40221-1-praveen.shetty@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20200311145529.40221-1-praveen.shetty@intel.com", "date": "2020-03-11T14:55:29", "name": "[v1] examples/ipsec-secgw: support flow director feature", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "58f95a5ad98835ec8c8ecb4e22ca1b25a0e830e3", "submitter": { "id": 1521, "url": "http://patchwork.dpdk.org/api/people/1521/?format=api", "name": "Shetty, Praveen", "email": "praveen.shetty@intel.com" }, "delegate": { "id": 6690, "url": "http://patchwork.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patchwork.dpdk.org/project/dpdk/patch/20200311145529.40221-1-praveen.shetty@intel.com/mbox/", "series": [ { "id": 8886, "url": "http://patchwork.dpdk.org/api/series/8886/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/list/?series=8886", "date": "2020-03-11T14:55:29", "name": "[v1] examples/ipsec-secgw: support flow director feature", "version": 1, "mbox": "http://patchwork.dpdk.org/series/8886/mbox/" } ], "comments": "http://patchwork.dpdk.org/api/patches/66547/comments/", "check": "success", "checks": "http://patchwork.dpdk.org/api/patches/66547/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from dpdk.org (dpdk.org [92.243.14.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 44517A0569;\n\tWed, 11 Mar 2020 15:55:38 +0100 (CET)", "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 8404B1BF7F;\n\tWed, 11 Mar 2020 15:55:37 +0100 (CET)", "from mga01.intel.com (mga01.intel.com [192.55.52.88])\n by dpdk.org (Postfix) with ESMTP id 13BB62BE6\n for <dev@dpdk.org>; Wed, 11 Mar 2020 15:55:34 +0100 (CET)", "from fmsmga004.fm.intel.com ([10.253.24.48])\n by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n 11 Mar 2020 07:55:33 -0700", "from silpixa00399416.ir.intel.com (HELO\n silpixa00399416.ger.corp.intel.com) ([10.237.223.137])\n by fmsmga004.fm.intel.com with ESMTP; 11 Mar 2020 07:55:32 -0700" ], "X-Amp-Result": "SKIPPED(no attachment in message)", "X-Amp-File-Uploaded": "False", "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos;i=\"5.70,541,1574150400\"; d=\"scan'208\";a=\"266006111\"", "From": "Praveen Shetty <praveen.shetty@intel.com>", "To": "dev@dpdk.org, declan.doherty@intel.com, bernard.iremonger@intel.com,\n konstantin.ananyev@intel.com", "Date": "Wed, 11 Mar 2020 14:55:29 +0000", "Message-Id": "<20200311145529.40221-1-praveen.shetty@intel.com>", "X-Mailer": "git-send-email 2.17.1", "Subject": "[dpdk-dev] [PATCH v1] examples/ipsec-secgw: support flow director\n\tfeature", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Modified Secuirty gateway application to support configuration of\nflow director rule to direct inbound IPsec SA to a specified queue.\n\nSigned-off-by: Praveen Shetty <praveen.shetty@intel.com>\n---\n examples/ipsec-secgw/ep0.cfg | 11 +++++\n examples/ipsec-secgw/ipsec-secgw.c | 56 ++++++++++++++++++++++++-\n examples/ipsec-secgw/ipsec.c | 67 ++++++++++++++++++++++++++++++\n examples/ipsec-secgw/ipsec.h | 11 +++++\n examples/ipsec-secgw/sa.c | 50 +++++++++++++++++++++-\n 5 files changed, 192 insertions(+), 3 deletions(-)", "diff": "diff --git a/examples/ipsec-secgw/ep0.cfg b/examples/ipsec-secgw/ep0.cfg\nindex dfd4aca7d..c9f80e81b 100644\n--- a/examples/ipsec-secgw/ep0.cfg\n+++ b/examples/ipsec-secgw/ep0.cfg\n@@ -29,6 +29,7 @@ sp ipv4 in esp protect 111 pri 1 dst 192.168.186.0/24 sport 0:65535 dport 0:6553\n sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535\n sp ipv4 in esp protect 116 pri 1 dst 192.168.211.0/24 sport 0:65535 dport 0:65535\n sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535\n+sp ipv4 in esp protect 117 pri 1 dst 192.168.212.0/24 sport 0:65535 dport 0:65535\n sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535\n sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535\n sp ipv4 in esp protect 126 pri 1 dst 192.168.66.0/24 sport 0:65535 dport 0:65535\n@@ -61,6 +62,8 @@ sp ipv6 in esp protect 125 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96\n sport 0:65535 dport 0:65535\n sp ipv6 in esp protect 126 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \\\n sport 0:65535 dport 0:65535\n+sp ipv6 in esp protect 127 pri 1 dst ffff:0000:0000:0000:cccc:dddd:0000:0000/96 \\\n+sport 0:65535 dport 0:65535\n \n #SA rules\n sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \\\n@@ -118,6 +121,9 @@ dst 172.16.1.5\n \n sa in 116 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6\n \n+sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.7 \\\n+dst 172.16.1.7 flow-direction 0 2 port_id 0 type lookaside-protocol-offload\n+\n sa in 125 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\\\n c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\\\n c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \\\n@@ -130,6 +136,11 @@ sa in 126 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\\\n src 2222:2222:2222:2222:2222:2222:2222:6666 \\\n dst 1111:1111:1111:1111:1111:1111:1111:6666\n \n+sa in 127 cipher_algo null auth_algo null mode ipv6-tunnel \\\n+src 2222:2222:2222:2222:2222:2222:2222:7777 \\\n+dst 1111:1111:1111:1111:1111:1111:1111:7777 \\\n+flow-direction 0 3 port_id 0 type lookaside-protocol-offload\n+\n #Routing rules\n rt ipv4 dst 172.16.2.5/32 port 0\n rt ipv4 dst 172.16.2.6/32 port 1\ndiff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c\nindex 4799bc90c..132484422 100644\n--- a/examples/ipsec-secgw/ipsec-secgw.c\n+++ b/examples/ipsec-secgw/ipsec-secgw.c\n@@ -166,7 +166,6 @@ static const struct option lgopts[] = {\n \t{CMD_LINE_OPT_FRAG_TTL, 1, 0, CMD_LINE_OPT_FRAG_TTL_NUM},\n \t{NULL, 0, 0, 0}\n };\n-\n /* mask of enabled ports */\n static uint32_t enabled_port_mask;\n static uint64_t enabled_cryptodev_mask = UINT64_MAX;\n@@ -259,6 +258,30 @@ static struct rte_eth_conf port_conf = {\n \t.txmode = {\n \t\t.mq_mode = ETH_MQ_TX_NONE,\n \t},\n+\t.fdir_conf = {\n+\t.mode = RTE_FDIR_MODE_NONE,\n+\t.pballoc = RTE_FDIR_PBALLOC_64K,\n+\t.status = RTE_FDIR_REPORT_STATUS,\n+\t.mask = {\n+\t\t.vlan_tci_mask = 0xFFEF,\n+\t\t.ipv4_mask = {\n+\t\t\t.src_ip = 0xFFFFFFFF,\n+\t\t\t.dst_ip = 0xFFFFFFFF,\n+\t\t},\n+\t\t.ipv6_mask = {\n+\t\t\t.src_ip = {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,\n+\t\t\t\t\t\t0xFFFFFFFF},\n+\t\t\t.dst_ip = {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,\n+\t\t\t\t\t\t0xFFFFFFFF},\n+\t\t},\n+\t\t.src_port_mask = 0xFFFF,\n+\t\t.dst_port_mask = 0xFFFF,\n+\t\t.mac_addr_byte_mask = 0xFF,\n+\t\t.tunnel_type_mask = 1,\n+\t\t.tunnel_id_mask = 0xFFFFFFFF,\n+\t},\n+\t.drop_queue = 127,\n+\t}\n };\n \n static struct socket_ctx socket_ctx[NB_SOCKETS];\n@@ -1184,7 +1207,6 @@ main_loop(__attribute__((unused)) void *dummy)\n \n \t\t\tif (nb_rx > 0)\n \t\t\t\tprocess_pkts(qconf, pkts, nb_rx, portid);\n-\n \t\t\t/* dequeue and process completed crypto-ops */\n \t\t\tif (UNPROTECTED_PORT(portid))\n \t\t\t\tdrain_inbound_crypto_queues(qconf,\n@@ -1196,6 +1218,27 @@ main_loop(__attribute__((unused)) void *dummy)\n \t}\n }\n \n+int check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid)\n+{\n+\tuint16_t i;\n+\tuint16_t portid;\n+\tuint8_t queueid;\n+\n+\tfor (i = 0; i < nb_lcore_params; ++i) {\n+\t\tportid = lcore_params_array[i].port_id;\n+\t\tif (portid == fdir_portid) {\n+\t\t\tqueueid = lcore_params_array[i].queue_id;\n+\t\t\tif (queueid == fdir_qid)\n+\t\t\t\tbreak;\n+\t\t}\n+\n+\t\tif (i == nb_lcore_params - 1)\n+\t\t\treturn -1;\n+\t}\n+\n+\treturn 1;\n+}\n+\n static int32_t\n check_params(void)\n {\n@@ -2503,6 +2546,15 @@ main(int32_t argc, char **argv)\n \t\t\tcontinue;\n \n \t\tsa_check_offloads(portid, &req_rx_offloads, &req_tx_offloads);\n+\t\t/* check if FDIR is configured on the port */\n+\t\tif (check_fdir_configured(portid)) {\n+\t\t\t/* Enable FDIR */\n+\t\t\tport_conf.fdir_conf.mode = RTE_FDIR_MODE_PERFECT;\n+\t\t\t/* Disable RSS */\n+\t\t\tport_conf.rxmode.mq_mode = ETH_MQ_RX_NONE;\n+\t\t\tport_conf.rx_adv_conf.rss_conf.rss_hf = 0;\n+\t\t\tport_conf.rx_adv_conf.rss_conf.rss_key = NULL;\n+\t\t}\n \t\tport_init(portid, req_rx_offloads, req_tx_offloads);\n \t}\n \ndiff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c\nindex 6e8120702..363809cfd 100644\n--- a/examples/ipsec-secgw/ipsec.c\n+++ b/examples/ipsec-secgw/ipsec.c\n@@ -415,6 +415,73 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,\n \treturn 0;\n }\n \n+int\n+create_ipsec_esp_flow(struct ipsec_sa *sa)\n+{\n+\tint ret = 0;\n+\tstruct rte_flow_error err;\n+\tif (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)\n+\t\treturn 0; /* No Flow director rules for Egress traffic */\n+\tif (sa->flags == TRANSPORT) {\n+\t\tRTE_LOG(ERR, IPSEC,\n+\t\t\t\"No Flow director rule for transport mode:\");\n+\t\t\treturn -1;\n+\t}\n+\tsa->action[0].type = RTE_FLOW_ACTION_TYPE_QUEUE;\n+\tsa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;\n+\tsa->action[0].conf =\n+\t\t\t&(struct rte_flow_action_queue){\n+\t\t\t\t.index = sa->fdir_qid,\n+\t};\n+\tsa->attr.egress = 0;\n+\tsa->attr.ingress = 1;\n+\tif (IS_IP6(sa->flags)) {\n+\t\tsa->pattern[1].mask = &rte_flow_item_ipv6_mask;\n+\t\tsa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV6;\n+\t\tsa->pattern[1].spec = &sa->ipv6_spec;\n+\t\tmemcpy(sa->ipv6_spec.hdr.dst_addr,\n+\t\t\t\tsa->dst.ip.ip6.ip6_b, IPV6_ADDR_LEN);\n+\t\tmemcpy(sa->ipv6_spec.hdr.src_addr,\n+\t\t\t\tsa->src.ip.ip6.ip6_b, IPV6_ADDR_LEN);\n+\t\tsa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;\n+\t\tsa->pattern[2].spec = &sa->esp_spec;\n+\t\tsa->pattern[2].mask = &rte_flow_item_esp_mask;\n+\t\tsa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);\n+\t\tsa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;\n+\t} else if (IS_IP4(sa->flags)) {\n+\t\tsa->pattern[1].mask = &rte_flow_item_ipv4_mask;\n+\t\tsa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;\n+\t\tsa->pattern[1].spec = &sa->ipv4_spec;\n+\t\tsa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;\n+\t\tsa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;\n+\t\tsa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;\n+\t\tsa->pattern[2].spec = &sa->esp_spec;\n+\t\tsa->pattern[2].mask = &rte_flow_item_esp_mask;\n+\t\tsa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);\n+\t\tsa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;\n+\t}\n+\tsa->action[1].type = RTE_FLOW_ACTION_TYPE_END;\n+\n+\tret = rte_flow_validate(sa->fdir_portid, &sa->attr,\n+\t\t\t\tsa->pattern, sa->action,\n+\t\t\t\t&err);\n+\tif (ret < 0) {\n+\t\tRTE_LOG(ERR, IPSEC,\n+\t\t\t\"Flow Validation failed\\n\");\n+\t\treturn ret;\n+\t}\n+\tsa->flow = rte_flow_create(sa->fdir_portid,\n+\t\t\t\t&sa->attr, sa->pattern, sa->action,\n+\t\t\t\t&err);\n+\tif (!sa->flow) {\n+\t\tRTE_LOG(ERR, IPSEC,\n+\t\t\t\"Flow Creation failed\\n\");\n+\t\treturn -1;\n+\t}\n+\n+\treturn 0;\n+}\n+\n /*\n * queue crypto-ops into PMD queue.\n */\ndiff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h\nindex 4f2fd6184..00147895a 100644\n--- a/examples/ipsec-secgw/ipsec.h\n+++ b/examples/ipsec-secgw/ipsec.h\n@@ -46,6 +46,8 @@\n \n #define IP6_VERSION (6)\n \n+#define IPV6_ADDR_LEN 16\n+\n struct rte_crypto_xform;\n struct ipsec_xform;\n struct rte_mbuf;\n@@ -138,6 +140,9 @@ struct ipsec_sa {\n \t};\n \tenum rte_security_ipsec_sa_direction direction;\n \tuint16_t portid;\n+\tuint16_t fdir_portid;\n+\tuint8_t fdir_qid;\n+\tuint8_t fdir_flag;\n \n #define MAX_RTE_FLOW_PATTERN (4)\n #define MAX_RTE_FLOW_ACTIONS (3)\n@@ -383,5 +388,11 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,\n int\n create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,\n \t\tstruct rte_ipsec_session *ips);\n+int\n+check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid);\n+\n+int\n+create_ipsec_esp_flow(struct ipsec_sa *sa);\n \n+int check_fdir_configured(uint16_t portid);\n #endif /* __IPSEC_H__ */\ndiff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c\nindex 4822d6bda..9955dfcbe 100644\n--- a/examples/ipsec-secgw/sa.c\n+++ b/examples/ipsec-secgw/sa.c\n@@ -20,6 +20,9 @@\n #include <rte_random.h>\n #include <rte_ethdev.h>\n #include <rte_malloc.h>\n+#include <rte_common.h>\n+#include <rte_string_fns.h>\n+#include <rte_ethdev_driver.h>\n \n #include \"ipsec.h\"\n #include \"esp.h\"\n@@ -271,6 +274,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,\n \tuint32_t type_p = 0;\n \tuint32_t portid_p = 0;\n \tuint32_t fallback_p = 0;\n+\tint16_t status_p = 0;\n \n \tif (strcmp(tokens[0], \"in\") == 0) {\n \t\tri = &nb_sa_in;\n@@ -681,6 +685,25 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,\n \t\t\tfallback_p = 1;\n \t\t\tcontinue;\n \t\t}\n+\t\tif (strcmp(tokens[ti], \"flow-direction\") == 0) {\n+\t\t\trule->fdir_flag = 1;\n+\t\t\tINCREMENT_TOKEN_INDEX(ti, n_tokens, status);\n+\t\t\tif (status->status < 0)\n+\t\t\t\treturn;\n+\t\t\trule->fdir_portid = atoi(tokens[ti]);\n+\t\t\tINCREMENT_TOKEN_INDEX(ti, n_tokens, status);\n+\t\t\tif (status->status < 0)\n+\t\t\t\treturn;\n+\t\t\trule->fdir_qid = atoi(tokens[ti]);\n+\t\t\t/* validating portid and queueid */\n+\t\t\tstatus_p = check_flow_params(rule->fdir_portid,\n+\t\t\t\t\trule->fdir_qid);\n+\t\t\tif (status_p < 0) {\n+\t\t\t\tprintf(\"port id %u / queue id %u is not valid\\n\",\n+\t\t\t\t\trule->fdir_portid, rule->fdir_qid);\n+\t\t\t}\n+\t\t\tcontinue;\n+\t\t}\n \n \t\t/* unrecognizeable input */\n \t\tAPP_CHECK(0, status, \"unrecognized input \\\"%s\\\"\",\n@@ -823,6 +846,9 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)\n \t\t\tbreak;\n \t\t}\n \t}\n+\tif (sa->fdir_flag == 1)\n+\t\tprintf(\"flow-direction %d %d\", sa->fdir_portid, sa->fdir_qid);\n+\n \tprintf(\"\\n\");\n }\n \n@@ -1153,7 +1179,15 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \t\t\t\treturn -EINVAL;\n \t\t\t}\n \t\t}\n-\n+\t\tif (sa->fdir_flag &&\n+\t\t\tips->type ==\n+\t\t\tRTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL &&\n+\t\t\tinbound) {\n+\t\t\trc = create_ipsec_esp_flow(sa);\n+\t\t\tif (rc != 0)\n+\t\t\t\tRTE_LOG(ERR, IPSEC_ESP,\n+\t\t\t\t\t\"create_ipsec_esp flow failed\\n\");\n+\t\t\t}\n \t\tprint_one_sa_rule(sa, inbound);\n \t}\n \n@@ -1256,6 +1290,20 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa)\n \treturn rc;\n }\n \n+int\n+check_fdir_configured(uint16_t portid)\n+{\n+\tstruct ipsec_sa *sa = NULL;\n+\tuint32_t idx_sa = 0;\n+\n+\tfor (idx_sa = 0; idx_sa < nb_sa_in; idx_sa++) {\n+\t\tsa = &sa_in[idx_sa];\n+\t\tif (sa->fdir_portid == portid)\n+\t\t\treturn sa->fdir_flag;\n+\t}\n+\treturn 0;\n+}\n+\n /*\n * Initialise related rte_ipsec_sa object.\n */\n", "prefixes": [ "v1" ] }