From patchwork Mon Oct 14 13:48:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcin Smoczynski X-Patchwork-Id: 61117 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 3E30B1C25E; Mon, 14 Oct 2019 15:48:55 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by dpdk.org (Postfix) with ESMTP id 54EB01C227 for ; Mon, 14 Oct 2019 15:48:49 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Oct 2019 06:48:48 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.67,295,1566889200"; d="scan'208";a="207970613" Received: from msmoczyx-mobl.ger.corp.intel.com ([10.103.104.110]) by fmsmga001.fm.intel.com with ESMTP; 14 Oct 2019 06:48:46 -0700 From: Marcin Smoczynski To: anoobj@marvell.com, akhil.goyal@nxp.com, konstantin.ananyev@intel.com Cc: dev@dpdk.org, Marcin Smoczynski , Radu Nicolau , Bernard Iremonger Date: Mon, 14 Oct 2019 15:48:39 +0200 Message-Id: <20191014134842.3084-2-marcinx.smoczynski@intel.com> X-Mailer: git-send-email 2.21.0.windows.1 In-Reply-To: <20191014134842.3084-1-marcinx.smoczynski@intel.com> References: <20191007130254.3064-1-marcinx.smoczynski@intel.com> <20191014134842.3084-1-marcinx.smoczynski@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v7 1/4] examples/ipsec-secgw: sa structure cleanup X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure: * cryptodev/security session union * action type * offload flags * security context References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure. Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing. Acked-by: Konstantin Ananyev Acked-by: Radu Nicolau Tested-by: Bernard Iremonger Signed-off-by: Marcin Smoczynski --- examples/ipsec-secgw/esp.c | 35 +++++++---- examples/ipsec-secgw/ipsec.c | 93 +++++++++++++++------------- examples/ipsec-secgw/ipsec.h | 27 +++++--- examples/ipsec-secgw/ipsec_process.c | 30 ++++----- examples/ipsec-secgw/sa.c | 66 ++++++++++---------- 5 files changed, 138 insertions(+), 113 deletions(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index d6d7b1256..c1b49da1e 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, int32_t payload_len, ip_hdr_len; RTE_ASSERT(sa != NULL); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) + if (ipsec_get_action_type(sa) == + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) return 0; RTE_ASSERT(m != NULL); @@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, uint8_t *nexthdr, *pad_len; uint8_t *padding; uint16_t i; + struct rte_ipsec_session *ips; RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); RTE_ASSERT(cop != NULL); - if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || - (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { + ips = ipsec_get_session(sa); + + if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || + (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { if (m->ol_flags & PKT_RX_SEC_OFFLOAD) { if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) cop->status = RTE_CRYPTO_OP_STATUS_ERROR; @@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, return -1; } - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO && - sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO && + ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) { nexthdr = &m->inner_esp_next_proto; } else { nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*, @@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_sym_op *sym_cop; int32_t i; uint16_t pad_payload_len, pad_len, ip_hdr_len; + struct rte_ipsec_session *ips; RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); + ips = ipsec_get_session(sa); ip_hdr_len = 0; ip4 = rte_pktmbuf_mtod(m, struct ip *); @@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, } /* Add trailer padding if it is not constructed by HW */ - if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO && - !(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) { + if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || + (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO && + !(ips->security.ol_flags & + RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) { padding = (uint8_t *)rte_pktmbuf_append(m, pad_len + sa->digest_len); if (unlikely(padding == NULL)) { @@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, } } - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { - if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if (ips->security.ol_flags & + RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) { /* Set the inner esp next protocol for HW trailer */ m->inner_esp_next_proto = nlp; m->packet_type |= RTE_PTYPE_TUNNEL_ESP; @@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_op *cop) { + enum rte_security_session_action_type type; RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); - if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || - (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { + type = ipsec_get_action_type(sa); + + if ((type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || + (type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { m->ol_flags |= PKT_TX_SEC_OFFLOAD; } else { RTE_ASSERT(cop != NULL); diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..5b63a13fd 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -52,7 +52,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) } int -create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) +create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips) { struct rte_cryptodev_info cdev_info; unsigned long cdev_id_qp = 0; @@ -83,9 +84,9 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) ipsec_ctx->tbl[cdev_id_qp].id, ipsec_ctx->tbl[cdev_id_qp].qp); - if (sa->type != RTE_SECURITY_ACTION_TYPE_NONE) { + if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) { struct rte_security_session_conf sess_conf = { - .action_type = sa->type, + .action_type = ips->type, .protocol = RTE_SECURITY_PROTOCOL_IPSEC, {.ipsec = { .spi = sa->spi, @@ -102,7 +103,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) }; - if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { struct rte_security_ctx *ctx = (struct rte_security_ctx *) rte_cryptodev_get_sec_ctx( ipsec_ctx->tbl[cdev_id_qp].id); @@ -110,9 +111,9 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) /* Set IPsec parameters in conf */ set_ipsec_conf(sa, &(sess_conf.ipsec)); - sa->sec_session = rte_security_session_create(ctx, + ips->security.ses = rte_security_session_create(ctx, &sess_conf, ipsec_ctx->session_priv_pool); - if (sa->sec_session == NULL) { + if (ips->security.ses == NULL) { RTE_LOG(ERR, IPSEC, "SEC Session init failed: err: %d\n", ret); return -1; @@ -122,10 +123,10 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) return -1; } } else { - sa->crypto_session = rte_cryptodev_sym_session_create( + ips->crypto.ses = rte_cryptodev_sym_session_create( ipsec_ctx->session_pool); rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id, - sa->crypto_session, sa->xforms, + ips->crypto.ses, sa->xforms, ipsec_ctx->session_priv_pool); rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, @@ -138,12 +139,13 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) } int -create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) +create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips) { int32_t ret = 0; struct rte_security_ctx *sec_ctx; struct rte_security_session_conf sess_conf = { - .action_type = sa->type, + .action_type = ips->type, .protocol = RTE_SECURITY_PROTOCOL_IPSEC, {.ipsec = { .spi = sa->spi, @@ -163,7 +165,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n", sa->spi, sa->portid); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { struct rte_flow_error err; const struct rte_security_capability *sec_cap; int ret = 0; @@ -177,9 +179,9 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) return -1; } - sa->sec_session = rte_security_session_create(sec_ctx, + ips->security.ses = rte_security_session_create(sec_ctx, &sess_conf, skt_ctx->session_pool); - if (sa->sec_session == NULL) { + if (ips->security.ses == NULL) { RTE_LOG(ERR, IPSEC, "SEC Session init failed: err: %d\n", ret); return -1; @@ -189,7 +191,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) /* iterate until ESP tunnel*/ while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) { - if (sec_cap->action == sa->type && + if (sec_cap->action == ips->type && sec_cap->protocol == RTE_SECURITY_PROTOCOL_IPSEC && sec_cap->ipsec.mode == @@ -205,8 +207,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) return -1; } - sa->ol_flags = sec_cap->ol_flags; - sa->security_ctx = sec_ctx; + ips->security.ol_flags = sec_cap->ol_flags; + ips->security.ctx = sec_ctx; sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH; if (IS_IP6(sa->flags)) { @@ -235,7 +237,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END; sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY; - sa->action[0].conf = sa->sec_session; + sa->action[0].conf = ips->security.ses; sa->action[1].type = RTE_FLOW_ACTION_TYPE_END; @@ -308,8 +310,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) if (ret) goto flow_create_failure; } else if (sa->attr.egress && - (sa->ol_flags & - RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) { + (ips->security.ol_flags & + RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) { sa->action[1].type = RTE_FLOW_ACTION_TYPE_PASSTHRU; sa->action[2].type = @@ -325,7 +327,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) err.message); return -1; } - } else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { + } else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { const struct rte_security_capability *sec_cap; sec_ctx = (struct rte_security_ctx *) @@ -353,9 +355,9 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) sess_conf.userdata = (void *) sa; - sa->sec_session = rte_security_session_create(sec_ctx, + ips->security.ses = rte_security_session_create(sec_ctx, &sess_conf, skt_ctx->session_pool); - if (sa->sec_session == NULL) { + if (ips->security.ses == NULL) { RTE_LOG(ERR, IPSEC, "SEC Session init failed: err: %d\n", ret); return -1; @@ -371,7 +373,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) /* iterate until ESP tunnel*/ while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) { - if (sec_cap->action == sa->type && + if (sec_cap->action == ips->type && sec_cap->protocol == RTE_SECURITY_PROTOCOL_IPSEC && sec_cap->ipsec.mode == @@ -387,8 +389,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) return -1; } - sa->ol_flags = sec_cap->ol_flags; - sa->security_ctx = sec_ctx; + ips->security.ol_flags = sec_cap->ol_flags; + ips->security.ctx = sec_ctx; } sa->cdev_id_qp = 0; @@ -435,6 +437,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, struct ipsec_mbuf_metadata *priv; struct rte_crypto_sym_op *sym_cop; struct ipsec_sa *sa; + struct rte_ipsec_session *ips; for (i = 0; i < nb_pkts; i++) { if (unlikely(sas[i] == NULL)) { @@ -448,16 +451,17 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, priv = get_priv(pkts[i]); sa = sas[i]; priv->sa = sa; + ips = ipsec_get_session(sa); - switch (sa->type) { + switch (ips->type) { case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL: priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; rte_prefetch0(&priv->sym_cop); - if ((unlikely(sa->sec_session == NULL)) && - create_lookaside_session(ipsec_ctx, sa)) { + if ((unlikely(ips->security.ses == NULL)) && + create_lookaside_session(ipsec_ctx, sa, ips)) { rte_pktmbuf_free(pkts[i]); continue; } @@ -466,7 +470,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, sym_cop->m_src = pkts[i]; rte_security_attach_session(&priv->cop, - sa->sec_session); + ips->security.ses); break; case RTE_SECURITY_ACTION_TYPE_NONE: @@ -475,14 +479,14 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, rte_prefetch0(&priv->sym_cop); - if ((unlikely(sa->crypto_session == NULL)) && - create_lookaside_session(ipsec_ctx, sa)) { + if ((unlikely(ips->crypto.ses == NULL)) && + create_lookaside_session(ipsec_ctx, sa, ips)) { rte_pktmbuf_free(pkts[i]); continue; } rte_crypto_op_attach_sym_session(&priv->cop, - sa->crypto_session); + ips->crypto.ses); ret = xform_func(pkts[i], sa, &priv->cop); if (unlikely(ret)) { @@ -491,21 +495,22 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, } break; case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: - RTE_ASSERT(sa->sec_session != NULL); + RTE_ASSERT(ips->security.ses != NULL); ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i]; - if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) + if (ips->security.ol_flags & + RTE_SECURITY_TX_OLOAD_NEED_MDATA) rte_security_set_pkt_metadata( - sa->security_ctx, - sa->sec_session, pkts[i], NULL); + ips->security.ctx, ips->security.ses, + pkts[i], NULL); continue; case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: - RTE_ASSERT(sa->sec_session != NULL); + RTE_ASSERT(ips->security.ses != NULL); priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; rte_prefetch0(&priv->sym_cop); rte_security_attach_session(&priv->cop, - sa->sec_session); + ips->security.ses); ret = xform_func(pkts[i], sa, &priv->cop); if (unlikely(ret)) { @@ -514,10 +519,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, } ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i]; - if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) + if (ips->security.ol_flags & + RTE_SECURITY_TX_OLOAD_NEED_MDATA) rte_security_set_pkt_metadata( - sa->security_ctx, - sa->sec_session, pkts[i], NULL); + ips->security.ctx, ips->security.ses, + pkts[i], NULL); continue; } @@ -586,13 +592,14 @@ ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, RTE_ASSERT(sa != NULL); - if (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) { + if (ipsec_get_action_type(sa) == + RTE_SECURITY_ACTION_TYPE_NONE) { ret = xform_func(pkt, sa, cops[j]); if (unlikely(ret)) { rte_pktmbuf_free(pkt); continue; } - } else if (sa->type == + } else if (ipsec_get_action_type(sa) == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { if (cops[j]->status) { rte_pktmbuf_free(pkt); diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 1efa6e488..a4ad81b0e 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -87,10 +87,6 @@ struct ipsec_sa { uint32_t cdev_id_qp; uint64_t seq; uint32_t salt; - union { - struct rte_cryptodev_sym_session *crypto_session; - struct rte_security_session *sec_session; - }; enum rte_crypto_cipher_algorithm cipher_algo; enum rte_crypto_auth_algorithm auth_algo; enum rte_crypto_aead_algorithm aead_algo; @@ -114,11 +110,8 @@ struct ipsec_sa { struct rte_crypto_sym_xform *xforms; struct rte_security_ipsec_xform *sec_xform; }; - enum rte_security_session_action_type type; enum rte_security_ipsec_sa_direction direction; uint16_t portid; - struct rte_security_ctx *security_ctx; - uint32_t ol_flags; #define MAX_RTE_FLOW_PATTERN (4) #define MAX_RTE_FLOW_ACTIONS (3) @@ -284,6 +277,20 @@ get_sym_cop(struct rte_crypto_op *cop) return (cop + 1); } +static inline struct rte_ipsec_session * +ipsec_get_session(struct ipsec_sa *sa) +{ + return &sa->ips; +} + +static inline enum rte_security_session_action_type +ipsec_get_action_type(struct ipsec_sa *sa) +{ + struct rte_ipsec_session *ips; + ips = ipsec_get_session(sa); + return ips->type; +} + int inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); @@ -338,9 +345,11 @@ void enqueue_cop_burst(struct cdev_qp *cqp); int -create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa); +create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips); int -create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa); +create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips); #endif /* __IPSEC_H__ */ diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c index 868f1a28d..239d81ef6 100644 --- a/examples/ipsec-secgw/ipsec_process.c +++ b/examples/ipsec-secgw/ipsec_process.c @@ -94,22 +94,16 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx, /* setup crypto section */ if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) { - if (sa->crypto_session == NULL) { - rc = create_lookaside_session(ctx, sa); - if (rc != 0) - return rc; - } - ss->crypto.ses = sa->crypto_session; + RTE_ASSERT(ss->crypto.ses == NULL); + rc = create_lookaside_session(ctx, sa, ss); + if (rc != 0) + return rc; /* setup session action type */ - } else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { - if (sa->sec_session == NULL) { - rc = create_lookaside_session(ctx, sa); - if (rc != 0) - return rc; - } - ss->security.ses = sa->sec_session; - ss->security.ctx = sa->security_ctx; - ss->security.ol_flags = sa->ol_flags; + } else if (ss->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { + RTE_ASSERT(ss->security.ses == NULL); + rc = create_lookaside_session(ctx, sa, ss); + if (rc != 0) + return rc; } else RTE_ASSERT(0); @@ -218,7 +212,7 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) pg = grp + i; sa = pg->id.ptr; - ips = &sa->ips; + ips = ipsec_get_session(sa); /* no valid HW session for that SA, try to create one */ if (sa == NULL || (ips->crypto.ses == NULL && @@ -226,8 +220,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) k = 0; /* process packets inline */ - else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - sa->type == + else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || + ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { satp = rte_ipsec_sa_type(ips->sa); diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..52752e15f 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -224,6 +224,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, struct parse_status *status) { struct ipsec_sa *rule = NULL; + struct rte_ipsec_session *ips; uint32_t ti; /*token index*/ uint32_t *ri /*rule index*/; uint32_t cipher_algo_p = 0; @@ -262,6 +263,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (atoi(tokens[1]) == INVALID_SPI) return; rule->spi = atoi(tokens[1]); + ips = ipsec_get_session(rule); for (ti = 2; ti < n_tokens; ti++) { if (strcmp(tokens[ti], "mode") == 0) { @@ -558,18 +560,18 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, return; if (strcmp(tokens[ti], "inline-crypto-offload") == 0) - rule->type = + ips->type = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO; else if (strcmp(tokens[ti], "inline-protocol-offload") == 0) - rule->type = + ips->type = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL; else if (strcmp(tokens[ti], "lookaside-protocol-offload") == 0) - rule->type = + ips->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; else if (strcmp(tokens[ti], "no-offload") == 0) - rule->type = RTE_SECURITY_ACTION_TYPE_NONE; + ips->type = RTE_SECURITY_ACTION_TYPE_NONE; else { APP_CHECK(0, status, "Invalid input \"%s\"", tokens[ti]); @@ -624,11 +626,11 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0)) + if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0)) printf("Missing portid option, falling back to non-offload\n"); if (!type_p || !portid_p) { - rule->type = RTE_SECURITY_ACTION_TYPE_NONE; + ips->type = RTE_SECURITY_ACTION_TYPE_NONE; rule->portid = -1; } @@ -640,6 +642,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) { uint32_t i; uint8_t a, b, c, d; + const struct rte_ipsec_session *ips; printf("\tspi_%s(%3u):", inbound?"in":"out", sa->spi); @@ -695,8 +698,10 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) printf("Transport "); break; } + + ips = &sa->ips; printf(" type:"); - switch (sa->type) { + switch (ips->type) { case RTE_SECURITY_ACTION_TYPE_NONE: printf("no-offload "); break; @@ -884,6 +889,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], uint16_t iv_length, aad_length; int inline_status; int32_t rc; + struct rte_ipsec_session *ips; /* for ESN upper 32 bits of SQN also need to be part of AAD */ aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0; @@ -898,9 +904,10 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], } *sa = entries[i]; sa->seq = 0; + ips = ipsec_get_session(sa); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || - sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || + ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { if (check_eth_dev_caps(sa->portid, inbound)) return -EINVAL; } @@ -915,7 +922,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa->dst.ip.ip4 = rte_cpu_to_be_32(sa->dst.ip.ip4); break; case TRANSPORT: - if (sa->type == + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { inline_status = sa_add_address_inline_crypto(sa); @@ -926,6 +933,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], } if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) { + struct rte_ipsec_session *ips; iv_length = 16; sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD; @@ -946,11 +954,12 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa->xforms = &sa_ctx->xf[idx].a; - if (sa->type == + ips = ipsec_get_session(sa); + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || - sa->type == + ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { - rc = create_inline_session(skt_ctx, sa); + rc = create_inline_session(skt_ctx, sa, ips); if (rc != 0) { RTE_LOG(ERR, IPSEC_ESP, "create_inline_session() failed\n"); @@ -1108,23 +1117,11 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss, } static int -fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa, - const struct ipsec_sa *lsa) +fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa) { int32_t rc = 0; ss->sa = sa; - ss->type = lsa->type; - - /* setup crypto section */ - if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) { - ss->crypto.ses = lsa->crypto_session; - /* setup session action type */ - } else { - ss->security.ses = lsa->sec_session; - ss->security.ctx = lsa->security_ctx; - ss->security.ol_flags = lsa->ol_flags; - } if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { @@ -1146,6 +1143,7 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size) { int rc; struct rte_ipsec_sa_prm prm; + struct rte_ipsec_session *ips; struct rte_ipv4_hdr v4 = { .version_ihl = IPVERSION << 4 | sizeof(v4) / RTE_IPV4_IHL_MULTIPLIER, @@ -1170,7 +1168,10 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size) if (rc < 0) return rc; - rc = fill_ipsec_session(&lsa->ips, sa, lsa); + /* init processing session */ + ips = ipsec_get_session(lsa); + rc = fill_ipsec_session(ips, sa); + return rc; } @@ -1394,6 +1395,7 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads, { struct ipsec_sa *rule; uint32_t idx_sa; + enum rte_security_session_action_type rule_type; *rx_offloads = 0; *tx_offloads = 0; @@ -1401,8 +1403,9 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads, /* Check for inbound rules that use offloads and use this port */ for (idx_sa = 0; idx_sa < nb_sa_in; idx_sa++) { rule = &sa_in[idx_sa]; - if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - rule->type == + rule_type = ipsec_get_action_type(rule); + if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || + rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) && rule->portid == port_id) *rx_offloads |= DEV_RX_OFFLOAD_SECURITY; @@ -1411,8 +1414,9 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads, /* Check for outbound rules that use offloads and use this port */ for (idx_sa = 0; idx_sa < nb_sa_out; idx_sa++) { rule = &sa_out[idx_sa]; - if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - rule->type == + rule_type = ipsec_get_action_type(rule); + if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || + rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) && rule->portid == port_id) *tx_offloads |= DEV_TX_OFFLOAD_SECURITY; From patchwork Mon Oct 14 13:48:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcin Smoczynski X-Patchwork-Id: 61118 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 590001C2A4; Mon, 14 Oct 2019 15:48:58 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by dpdk.org (Postfix) with ESMTP id 7937F2BE5 for ; Mon, 14 Oct 2019 15:48:51 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Oct 2019 06:48:51 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.67,295,1566889200"; d="scan'208";a="207970623" Received: from msmoczyx-mobl.ger.corp.intel.com ([10.103.104.110]) by fmsmga001.fm.intel.com with ESMTP; 14 Oct 2019 06:48:49 -0700 From: Marcin Smoczynski To: anoobj@marvell.com, akhil.goyal@nxp.com, konstantin.ananyev@intel.com Cc: dev@dpdk.org, Marcin Smoczynski , Bernard Iremonger Date: Mon, 14 Oct 2019 15:48:40 +0200 Message-Id: <20191014134842.3084-3-marcinx.smoczynski@intel.com> X-Mailer: git-send-email 2.21.0.windows.1 In-Reply-To: <20191014134842.3084-1-marcinx.smoczynski@intel.com> References: <20191007130254.3064-1-marcinx.smoczynski@intel.com> <20191014134842.3084-1-marcinx.smoczynski@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v7 2/4] examples/ipsec-secgw: add fallback session feature X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload" as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch. Fallback session feature is not available in the legacy mode. Acked-by: Konstantin Ananyev Tested-by: Bernard Iremonger Signed-off-by: Marcin Smoczynski --- doc/guides/rel_notes/release_19_11.rst | 8 ++ doc/guides/sample_app_ug/ipsec_secgw.rst | 22 ++++- examples/ipsec-secgw/esp.c | 4 +- examples/ipsec-secgw/ipsec-secgw.c | 16 ++-- examples/ipsec-secgw/ipsec.c | 10 +-- examples/ipsec-secgw/ipsec.h | 40 +++++++-- examples/ipsec-secgw/ipsec_process.c | 85 ++++++++++++------ examples/ipsec-secgw/sa.c | 105 +++++++++++++++++++---- 8 files changed, 226 insertions(+), 64 deletions(-) diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index 85953b962..7e1205be7 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -115,6 +115,14 @@ New Features Added eBPF JIT support for arm64 architecture to improve the eBPF program performance. +* **Updated the IPSec library and IPsec Security Gateway application.** + + Added the following features to ``librte_ipsec`` and the ``ipsec-secgw`` + sample application: + + * Support fragmented packets in inline crypto processing mode with fallback + ``lookaside-none`` session. + Removed Items ------------- diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index ad2d79e75..cb6fadb35 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -401,7 +401,7 @@ The SA rule syntax is shown as follows: .. code-block:: console sa - + where each options means: @@ -573,6 +573,26 @@ where each options means: * *port_id X* X is a valid device number in decimal + ```` + + * Action type for ingress IPsec packets that inline processor failed to + process. Only a combination of *inline-crypto-offload* as a primary + session and *lookaside-none* as a fall-back session is supported at the + moment. + + If used in conjunction with IPsec window, its width needs be increased + due to different processing times of inline and lookaside modes which + results in packet reordering. + + * Optional: Yes. + + * Available options: + + * *lookaside-none*: use automatically chosen cryptodev to process packets + + * Syntax: + + * *fallback lookaside-none* Example SA rules: diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index c1b49da1e..bfa7ff721 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -155,7 +155,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, RTE_ASSERT(sa != NULL); RTE_ASSERT(cop != NULL); - ips = ipsec_get_session(sa); + ips = ipsec_get_primary_session(sa); if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { @@ -234,7 +234,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); - ips = ipsec_get_session(sa); + ips = ipsec_get_primary_session(sa); ip_hdr_len = 0; ip4 = rte_pktmbuf_mtod(m, struct ip *); diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index f52ca5297..904ee65d9 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -189,6 +189,7 @@ static uint32_t mtu_size = RTE_ETHER_MTU; /* application wide librte_ipsec/SA parameters */ struct app_sa_prm app_sa_prm = {.enable = 0}; +static const char *cfgfile; struct lcore_rx_queue { uint16_t port_id; @@ -1465,12 +1466,7 @@ parse_args(int32_t argc, char **argv) print_usage(prgname); return -1; } - if (parse_cfg_file(optarg) < 0) { - printf("parsing file \"%s\" failed\n", - optarg); - print_usage(prgname); - return -1; - } + cfgfile = optarg; f_present = 1; break; case 'j': @@ -2418,6 +2414,14 @@ main(int32_t argc, char **argv) if (ret < 0) rte_exit(EXIT_FAILURE, "Invalid parameters\n"); + /* parse configuration file */ + if (parse_cfg_file(cfgfile) < 0) { + printf("parsing file \"%s\" failed\n", + optarg); + print_usage(argv[0]); + return -1; + } + if ((unprotected_port_mask & enabled_port_mask) != unprotected_port_mask) rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n", diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 5b63a13fd..d7761e966 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -430,7 +430,7 @@ enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop) static inline void ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, - struct rte_mbuf *pkts[], struct ipsec_sa *sas[], + struct rte_mbuf *pkts[], void *sas[], uint16_t nb_pkts) { int32_t ret = 0, i; @@ -449,9 +449,9 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, rte_prefetch0(pkts[i]); priv = get_priv(pkts[i]); - sa = sas[i]; + sa = ipsec_mask_saptr(sas[i]); priv->sa = sa; - ips = ipsec_get_session(sa); + ips = ipsec_get_primary_session(sa); switch (ips->type) { case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL: @@ -618,7 +618,7 @@ uint16_t ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], uint16_t nb_pkts, uint16_t len) { - struct ipsec_sa *sas[nb_pkts]; + void *sas[nb_pkts]; inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts); @@ -638,7 +638,7 @@ uint16_t ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len) { - struct ipsec_sa *sas[nb_pkts]; + void *sas[nb_pkts]; outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts); diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index a4ad81b0e..8e075216c 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -81,12 +81,32 @@ struct app_sa_prm { extern struct app_sa_prm app_sa_prm; +enum { + IPSEC_SESSION_PRIMARY = 0, + IPSEC_SESSION_FALLBACK = 1, + IPSEC_SESSION_MAX +}; + +#define IPSEC_SA_OFFLOAD_FALLBACK_FLAG (1) + +static inline struct ipsec_sa * +ipsec_mask_saptr(void *ptr) +{ + uintptr_t i = (uintptr_t)ptr; + static const uintptr_t mask = IPSEC_SA_OFFLOAD_FALLBACK_FLAG; + + i &= ~mask; + + return (struct ipsec_sa *)i; +} + struct ipsec_sa { - struct rte_ipsec_session ips; /* one session per sa for now */ + struct rte_ipsec_session sessions[IPSEC_SESSION_MAX]; uint32_t spi; uint32_t cdev_id_qp; uint64_t seq; uint32_t salt; + uint32_t fallback_sessions; enum rte_crypto_cipher_algorithm cipher_algo; enum rte_crypto_auth_algorithm auth_algo; enum rte_crypto_aead_algorithm aead_algo; @@ -210,7 +230,7 @@ struct cnt_blk { struct traffic_type { const uint8_t *data[MAX_PKT_BURST * 2]; struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; - struct ipsec_sa *saptr[MAX_PKT_BURST * 2]; + void *saptr[MAX_PKT_BURST * 2]; uint32_t res[MAX_PKT_BURST * 2]; uint32_t num; }; @@ -278,16 +298,22 @@ get_sym_cop(struct rte_crypto_op *cop) } static inline struct rte_ipsec_session * -ipsec_get_session(struct ipsec_sa *sa) +ipsec_get_primary_session(struct ipsec_sa *sa) +{ + return &sa->sessions[IPSEC_SESSION_PRIMARY]; +} + +static inline struct rte_ipsec_session * +ipsec_get_fallback_session(struct ipsec_sa *sa) { - return &sa->ips; + return &sa->sessions[IPSEC_SESSION_FALLBACK]; } static inline enum rte_security_session_action_type ipsec_get_action_type(struct ipsec_sa *sa) { struct rte_ipsec_session *ips; - ips = ipsec_get_session(sa); + ips = ipsec_get_primary_session(sa); return ips->type; } @@ -296,11 +322,11 @@ inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); void inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], - struct ipsec_sa *sa[], uint16_t nb_pkts); + void *sa[], uint16_t nb_pkts); void outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], - struct ipsec_sa *sa[], uint16_t nb_pkts); + void *sa[], uint16_t nb_pkts); void sp4_init(struct socket_ctx *ctx, int32_t socket_id); diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c index 239d81ef6..2eb5c8b34 100644 --- a/examples/ipsec-secgw/ipsec_process.c +++ b/examples/ipsec-secgw/ipsec_process.c @@ -18,7 +18,6 @@ (((t) & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV4)) || \ ((t) & RTE_IPSEC_SATP_MODE_MASK) == RTE_IPSEC_SATP_MODE_TUNLV4) - /* helper routine to free bulk of packets */ static inline void free_pkts(struct rte_mbuf *mb[], uint32_t n) @@ -118,7 +117,7 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx, * group input packets byt the SA they belong to. */ static uint32_t -sa_group(struct ipsec_sa *sa_ptr[], struct rte_mbuf *pkts[], +sa_group(void *sa_ptr[], struct rte_mbuf *pkts[], struct rte_ipsec_group grp[], uint32_t num) { uint32_t i, n, spi; @@ -185,6 +184,37 @@ copy_to_trf(struct ipsec_traffic *trf, uint64_t satp, struct rte_mbuf *mb[], out->num += num; } +static uint32_t +ipsec_prepare_crypto_group(struct ipsec_ctx *ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips, struct rte_mbuf **m, + unsigned int cnt) +{ + struct cdev_qp *cqp; + struct rte_crypto_op *cop[cnt]; + uint32_t j, k; + struct ipsec_mbuf_metadata *priv; + + cqp = &ctx->tbl[sa->cdev_id_qp]; + + /* for that app each mbuf has it's own crypto op */ + for (j = 0; j != cnt; j++) { + priv = get_priv(m[j]); + cop[j] = &priv->cop; + /* + * this is just to satisfy inbound_sa_check() + * should be removed in future. + */ + priv->sa = sa; + } + + /* prepare and enqueue crypto ops */ + k = rte_ipsec_pkt_crypto_prepare(ips, m, cop, cnt); + if (k != 0) + enqueue_cop_bulk(cqp, cop, k); + + return k; +} + /* * Process ipsec packets. * If packet belong to SA that is subject of inline-crypto, @@ -201,18 +231,15 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) struct ipsec_mbuf_metadata *priv; struct rte_ipsec_group *pg; struct rte_ipsec_session *ips; - struct cdev_qp *cqp; - struct rte_crypto_op *cop[RTE_DIM(trf->ipsec.pkts)]; struct rte_ipsec_group grp[RTE_DIM(trf->ipsec.pkts)]; n = sa_group(trf->ipsec.saptr, trf->ipsec.pkts, grp, trf->ipsec.num); for (i = 0; i != n; i++) { - pg = grp + i; - sa = pg->id.ptr; + sa = ipsec_mask_saptr(pg->id.ptr); - ips = ipsec_get_session(sa); + ips = ipsec_get_primary_session(sa); /* no valid HW session for that SA, try to create one */ if (sa == NULL || (ips->crypto.ses == NULL && @@ -224,6 +251,7 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { + /* get SA type */ satp = rte_ipsec_sa_type(ips->sa); /* @@ -236,30 +264,33 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) priv->sa = sa; } - k = rte_ipsec_pkt_process(ips, pg->m, pg->cnt); - copy_to_trf(trf, satp, pg->m, k); + /* fallback to cryptodev with RX packets which inline + * processor was unable to process + */ + if (pg->id.val & IPSEC_SA_OFFLOAD_FALLBACK_FLAG) { + /* offload packets to cryptodev */ + struct rte_ipsec_session *fallback; + + fallback = ipsec_get_fallback_session(sa); + if (fallback->crypto.ses == NULL && + fill_ipsec_session(fallback, ctx, sa) + != 0) + k = 0; + else + k = ipsec_prepare_crypto_group(ctx, sa, + fallback, pg->m, pg->cnt); + } else { + /* finish processing of packets successfully + * decrypted by an inline processor + */ + k = rte_ipsec_pkt_process(ips, pg->m, pg->cnt); + copy_to_trf(trf, satp, pg->m, k); + } /* enqueue packets to crypto dev */ } else { - - cqp = &ctx->tbl[sa->cdev_id_qp]; - - /* for that app each mbuf has it's own crypto op */ - for (j = 0; j != pg->cnt; j++) { - priv = get_priv(pg->m[j]); - cop[j] = &priv->cop; - /* - * this is just to satisfy inbound_sa_check() - * should be removed in future. - */ - priv->sa = sa; - } - - /* prepare and enqueue crypto ops */ - k = rte_ipsec_pkt_crypto_prepare(ips, pg->m, cop, + k = ipsec_prepare_crypto_group(ctx, sa, ips, pg->m, pg->cnt); - if (k != 0) - enqueue_cop_bulk(cqp, cop, k); } /* drop packets that cannot be enqueued/processed */ diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 52752e15f..4cb90857c 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -31,6 +31,8 @@ #define IP6_FULL_MASK (sizeof(((struct ip_addr *)NULL)->ip.ip6.ip6) * CHAR_BIT) +#define MBUF_NO_SEC_OFFLOAD(m) ((m->ol_flags & PKT_RX_SEC_OFFLOAD) == 0) + struct supported_cipher_algo { const char *keyword; enum rte_crypto_cipher_algorithm algo; @@ -235,6 +237,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, uint32_t mode_p = 0; uint32_t type_p = 0; uint32_t portid_p = 0; + uint32_t fallback_p = 0; if (strcmp(tokens[0], "in") == 0) { ri = &nb_sa_in; @@ -245,6 +248,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, return; rule = &sa_in[*ri]; + rule->direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS; } else { ri = &nb_sa_out; @@ -254,6 +258,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, return; rule = &sa_out[*ri]; + rule->direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS; } /* spi number */ @@ -263,7 +268,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (atoi(tokens[1]) == INVALID_SPI) return; rule->spi = atoi(tokens[1]); - ips = ipsec_get_session(rule); + ips = ipsec_get_primary_session(rule); for (ti = 2; ti < n_tokens; ti++) { if (strcmp(tokens[ti], "mode") == 0) { @@ -596,6 +601,45 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, continue; } + if (strcmp(tokens[ti], "fallback") == 0) { + struct rte_ipsec_session *fb; + + APP_CHECK(app_sa_prm.enable, status, "Fallback session " + "not allowed for legacy mode."); + if (status->status < 0) + return; + APP_CHECK(ips->type == + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, status, + "Fallback session allowed if primary session " + "is of type inline-crypto-offload only."); + if (status->status < 0) + return; + APP_CHECK(rule->direction == + RTE_SECURITY_IPSEC_SA_DIR_INGRESS, status, + "Fallback session not allowed for egress " + "rule"); + if (status->status < 0) + return; + APP_CHECK_PRESENCE(fallback_p, tokens[ti], status); + if (status->status < 0) + return; + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + fb = ipsec_get_fallback_session(rule); + if (strcmp(tokens[ti], "lookaside-none") == 0) { + fb->type = RTE_SECURITY_ACTION_TYPE_NONE; + } else { + APP_CHECK(0, status, "unrecognized fallback " + "type %s.", tokens[ti]); + return; + } + + rule->fallback_sessions = 1; + fallback_p = 1; + continue; + } + /* unrecognizeable input */ APP_CHECK(0, status, "unrecognized input \"%s\"", tokens[ti]); @@ -643,6 +687,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) uint32_t i; uint8_t a, b, c, d; const struct rte_ipsec_session *ips; + const struct rte_ipsec_session *fallback_ips; printf("\tspi_%s(%3u):", inbound?"in":"out", sa->spi); @@ -699,7 +744,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) break; } - ips = &sa->ips; + ips = &sa->sessions[IPSEC_SESSION_PRIMARY]; printf(" type:"); switch (ips->type) { case RTE_SECURITY_ACTION_TYPE_NONE: @@ -715,6 +760,15 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) printf("lookaside-protocol-offload "); break; } + + fallback_ips = &sa->sessions[IPSEC_SESSION_FALLBACK]; + if (fallback_ips != NULL && sa->fallback_sessions > 0) { + printf("inline fallback: "); + if (fallback_ips->type == RTE_SECURITY_ACTION_TYPE_NONE) + printf("lookaside-none"); + else + printf("invalid"); + } printf("\n"); } @@ -904,7 +958,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], } *sa = entries[i]; sa->seq = 0; - ips = ipsec_get_session(sa); + ips = ipsec_get_primary_session(sa); if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { @@ -912,9 +966,6 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], return -EINVAL; } - sa->direction = (inbound == 1) ? - RTE_SECURITY_IPSEC_SA_DIR_INGRESS : - RTE_SECURITY_IPSEC_SA_DIR_EGRESS; switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) { case IP4_TUNNEL: @@ -954,7 +1005,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa->xforms = &sa_ctx->xf[idx].a; - ips = ipsec_get_session(sa); + ips = ipsec_get_primary_session(sa); if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || ips->type == @@ -1168,9 +1219,15 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size) if (rc < 0) return rc; - /* init processing session */ - ips = ipsec_get_session(lsa); + /* init primary processing session */ + ips = ipsec_get_primary_session(lsa); rc = fill_ipsec_session(ips, sa); + if (rc != 0) + return rc; + + /* init inline fallback processing session */ + if (lsa->fallback_sessions == 1) + rc = fill_ipsec_session(ipsec_get_fallback_session(lsa), sa); return rc; } @@ -1326,13 +1383,14 @@ inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx) static inline void single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt, - struct ipsec_sa **sa_ret) + void **sa_ret) { struct rte_esp_hdr *esp; struct ip *ip; uint32_t *src4_addr; uint8_t *src6_addr; struct ipsec_sa *sa; + void *result_sa; *sa_ret = NULL; @@ -1342,33 +1400,48 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt, if (esp->spi == INVALID_SPI) return; - sa = &sadb[SPI2IDX(rte_be_to_cpu_32(esp->spi))]; + result_sa = sa = &sadb[SPI2IDX(rte_be_to_cpu_32(esp->spi))]; if (rte_be_to_cpu_32(esp->spi) != sa->spi) return; + /* + * Mark need for inline offload fallback on the LSB of SA pointer. + * Thanks to packet grouping mechanism which ipsec_process is using + * packets marked for fallback processing will form separate group. + * + * Because it is not safe to use SA pointer it is casted to generic + * pointer to prevent from unintentional use. Use ipsec_mask_saptr + * to get valid struct pointer. + */ + if (MBUF_NO_SEC_OFFLOAD(pkt) && sa->fallback_sessions > 0) { + uintptr_t intsa = (uintptr_t)sa; + intsa |= IPSEC_SA_OFFLOAD_FALLBACK_FLAG; + result_sa = (void *)intsa; + } + switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) { case IP4_TUNNEL: src4_addr = RTE_PTR_ADD(ip, offsetof(struct ip, ip_src)); if ((ip->ip_v == IPVERSION) && (sa->src.ip.ip4 == *src4_addr) && (sa->dst.ip.ip4 == *(src4_addr + 1))) - *sa_ret = sa; + *sa_ret = result_sa; break; case IP6_TUNNEL: src6_addr = RTE_PTR_ADD(ip, offsetof(struct ip6_hdr, ip6_src)); if ((ip->ip_v == IP6_VERSION) && !memcmp(&sa->src.ip.ip6.ip6, src6_addr, 16) && !memcmp(&sa->dst.ip.ip6.ip6, src6_addr + 16, 16)) - *sa_ret = sa; + *sa_ret = result_sa; break; case TRANSPORT: - *sa_ret = sa; + *sa_ret = result_sa; } } void inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], - struct ipsec_sa *sa[], uint16_t nb_pkts) + void *sa[], uint16_t nb_pkts) { uint32_t i; @@ -1378,7 +1451,7 @@ inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], void outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], - struct ipsec_sa *sa[], uint16_t nb_pkts) + void *sa[], uint16_t nb_pkts) { uint32_t i; From patchwork Mon Oct 14 13:48:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcin Smoczynski X-Patchwork-Id: 61119 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 0691F1C2DD; Mon, 14 Oct 2019 15:49:01 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by dpdk.org (Postfix) with ESMTP id 8DFA61C23C for ; Mon, 14 Oct 2019 15:48:53 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Oct 2019 06:48:53 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.67,295,1566889200"; d="scan'208";a="207970628" Received: from msmoczyx-mobl.ger.corp.intel.com ([10.103.104.110]) by fmsmga001.fm.intel.com with ESMTP; 14 Oct 2019 06:48:51 -0700 From: Marcin Smoczynski To: anoobj@marvell.com, akhil.goyal@nxp.com, konstantin.ananyev@intel.com Cc: dev@dpdk.org, Marcin Smoczynski Date: Mon, 14 Oct 2019 15:48:41 +0200 Message-Id: <20191014134842.3084-4-marcinx.smoczynski@intel.com> X-Mailer: git-send-email 2.21.0.windows.1 In-Reply-To: <20191014134842.3084-1-marcinx.smoczynski@intel.com> References: <20191007130254.3064-1-marcinx.smoczynski@intel.com> <20191014134842.3084-1-marcinx.smoczynski@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v7 3/4] examples/ipsec-secgw: add frag TTL cmdline option X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Due to fragment loss on highly saturated links and long fragment lifetime, ipsec-secgw application quickly runs out of free reassembly buckets. As a result new fragments are being dropped. Introduce --frag-ttl option which allow user to lower default fragment lifitime which solves problem of saturated reassembly buckets with high bandwidth fragmented traffic. Acked-by: Konstantin Ananyev Tested-by: Konstantin Ananyev Signed-off-by: Marcin Smoczynski --- doc/guides/sample_app_ug/ipsec_secgw.rst | 7 +++++ examples/ipsec-secgw/ipsec-secgw.c | 40 ++++++++++++++++++------ 2 files changed, 37 insertions(+), 10 deletions(-) diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index cb6fadb35..c1e8a0bda 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -154,6 +154,13 @@ Where: Incoming packets with length bigger then MTU will be discarded. Default value: 1500. +* ``--frag-ttl FRAG_TTL_NS``: fragment lifetime (in nanoseconds). + If packet is not reassembled within this time, received fragments + will be discarded. Fragment lifetime should be decreased when + there is a high fragmented traffic loss in high bandwidth networks. + Should be lower for for low number of reassembly buckets. + Valid values: from 1 ns to 10 s. Default value: 10000000 (10 s). + * ``--reassemble NUM``: max number of entries in reassemble fragment table. Zero value disables reassembly functionality. Default value: 0. diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 904ee65d9..b12936470 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -112,7 +112,7 @@ static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT; 0, 0) #define FRAG_TBL_BUCKET_ENTRIES 4 -#define FRAG_TTL_MS (10 * MS_PER_S) +#define MAX_FRAG_TTL_NS (10LL * NS_PER_S) #define MTU_TO_FRAMELEN(x) ((x) + RTE_ETHER_HDR_LEN + RTE_ETHER_CRC_LEN) @@ -135,6 +135,7 @@ struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = { #define CMD_LINE_OPT_TX_OFFLOAD "txoffload" #define CMD_LINE_OPT_REASSEMBLE "reassemble" #define CMD_LINE_OPT_MTU "mtu" +#define CMD_LINE_OPT_FRAG_TTL "frag-ttl" enum { /* long options mapped to a short option */ @@ -150,6 +151,7 @@ enum { CMD_LINE_OPT_TX_OFFLOAD_NUM, CMD_LINE_OPT_REASSEMBLE_NUM, CMD_LINE_OPT_MTU_NUM, + CMD_LINE_OPT_FRAG_TTL_NUM, }; static const struct option lgopts[] = { @@ -160,6 +162,7 @@ static const struct option lgopts[] = { {CMD_LINE_OPT_TX_OFFLOAD, 1, 0, CMD_LINE_OPT_TX_OFFLOAD_NUM}, {CMD_LINE_OPT_REASSEMBLE, 1, 0, CMD_LINE_OPT_REASSEMBLE_NUM}, {CMD_LINE_OPT_MTU, 1, 0, CMD_LINE_OPT_MTU_NUM}, + {CMD_LINE_OPT_FRAG_TTL, 1, 0, CMD_LINE_OPT_FRAG_TTL_NUM}, {NULL, 0, 0, 0} }; @@ -186,6 +189,7 @@ static uint64_t dev_tx_offload = UINT64_MAX; static uint32_t frag_tbl_sz; static uint32_t frame_buf_size = RTE_MBUF_DEFAULT_BUF_SIZE; static uint32_t mtu_size = RTE_ETHER_MTU; +static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS; /* application wide librte_ipsec/SA parameters */ struct app_sa_prm app_sa_prm = {.enable = 0}; @@ -1305,6 +1309,9 @@ print_usage(const char *prgname) ": MTU value on all ports (default value: 1500)\n" " outgoing packets with bigger size will be fragmented\n" " incoming packets with bigger size will be discarded\n" + " --" CMD_LINE_OPT_FRAG_TTL " FRAG_TTL_NS" + ": fragments lifetime in nanoseconds, default\n" + " and maximum value is 10.000.000.000 ns (10 s)\n" "\n", prgname); } @@ -1341,14 +1348,15 @@ parse_portmask(const char *portmask) return pm; } -static int32_t +static int64_t parse_decimal(const char *str) { char *end = NULL; - unsigned long num; + uint64_t num; - num = strtoul(str, &end, 10); - if ((str[0] == '\0') || (end == NULL) || (*end != '\0')) + num = strtoull(str, &end, 10); + if ((str[0] == '\0') || (end == NULL) || (*end != '\0') + || num > INT64_MAX) return -1; return num; @@ -1422,12 +1430,14 @@ print_app_sa_prm(const struct app_sa_prm *prm) printf("replay window size: %u\n", prm->window_size); printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); printf("SA flags: %#" PRIx64 "\n", prm->flags); + printf("Frag TTL: %" PRIu64 " ns\n", frag_ttl_ns); } static int32_t parse_args(int32_t argc, char **argv) { - int32_t opt, ret; + int opt; + int64_t ret; char **argvopt; int32_t option_index; char *prgname = argv[0]; @@ -1506,7 +1516,7 @@ parse_args(int32_t argc, char **argv) break; case CMD_LINE_OPT_SINGLE_SA_NUM: ret = parse_decimal(optarg); - if (ret == -1) { + if (ret == -1 || ret > UINT32_MAX) { printf("Invalid argument[sa_idx]\n"); print_usage(prgname); return -1; @@ -1549,7 +1559,7 @@ parse_args(int32_t argc, char **argv) break; case CMD_LINE_OPT_REASSEMBLE_NUM: ret = parse_decimal(optarg); - if (ret < 0) { + if (ret < 0 || ret > UINT32_MAX) { printf("Invalid argument for \'%s\': %s\n", CMD_LINE_OPT_REASSEMBLE, optarg); print_usage(prgname); @@ -1567,6 +1577,16 @@ parse_args(int32_t argc, char **argv) } mtu_size = ret; break; + case CMD_LINE_OPT_FRAG_TTL_NUM: + ret = parse_decimal(optarg); + if (ret < 0 || ret > MAX_FRAG_TTL_NS) { + printf("Invalid argument for \'%s\': %s\n", + CMD_LINE_OPT_MTU, optarg); + print_usage(prgname); + return -1; + } + frag_ttl_ns = ret; + break; default: print_usage(prgname); return -1; @@ -2344,8 +2364,8 @@ reassemble_lcore_init(struct lcore_conf *lc, uint32_t cid) /* create fragment table */ sid = rte_lcore_to_socket_id(cid); - frag_cycles = (rte_get_tsc_hz() + MS_PER_S - 1) / - MS_PER_S * FRAG_TTL_MS; + frag_cycles = (rte_get_tsc_hz() + NS_PER_S - 1) / + NS_PER_S * frag_ttl_ns; lc->frag.tbl = rte_ip_frag_table_create(frag_tbl_sz, FRAG_TBL_BUCKET_ENTRIES, frag_tbl_sz, frag_cycles, sid); From patchwork Mon Oct 14 13:48:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcin Smoczynski X-Patchwork-Id: 61120 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id D91631C2E9; Mon, 14 Oct 2019 15:49:04 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by dpdk.org (Postfix) with ESMTP id 15AFA1C242 for ; Mon, 14 Oct 2019 15:48:54 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Oct 2019 06:48:54 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.67,295,1566889200"; d="scan'208";a="207970632" Received: from msmoczyx-mobl.ger.corp.intel.com ([10.103.104.110]) by fmsmga001.fm.intel.com with ESMTP; 14 Oct 2019 06:48:53 -0700 From: Marcin Smoczynski To: anoobj@marvell.com, akhil.goyal@nxp.com, konstantin.ananyev@intel.com Cc: dev@dpdk.org, Marcin Smoczynski , Bernard Iremonger Date: Mon, 14 Oct 2019 15:48:42 +0200 Message-Id: <20191014134842.3084-5-marcinx.smoczynski@intel.com> X-Mailer: git-send-email 2.21.0.windows.1 In-Reply-To: <20191014134842.3084-1-marcinx.smoczynski@intel.com> References: <20191007130254.3064-1-marcinx.smoczynski@intel.com> <20191014134842.3084-1-marcinx.smoczynski@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v7 4/4] examples/ipsec-secgw: add offload fallback tests X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add tests for offload fallback feature; add inbound config modificator SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound SAs). Tests are using cryptodev for outbound SA. To test fragmentation with QAT set: MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x5555" Acked-by: Konstantin Ananyev Tested-by: Bernard Iremonger Signed-off-by: Marcin Smoczynski --- doc/guides/sample_app_ug/ipsec_secgw.rst | 5 +++++ examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh | 4 ++-- .../test/trs_aesgcm_inline_crypto_fallback_defs.sh | 5 +++++ examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh | 6 ++++-- .../test/tun_aesgcm_inline_crypto_fallback_defs.sh | 5 +++++ 5 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index c1e8a0bda..ae8cce235 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -753,6 +753,11 @@ Also the user can optionally setup: * ``CRYPTO_DEV``: crypto device to be used ('-w '). If none specified appropriate vdevs will be created by the script +* ``MULTI_SEG_TEST``: ipsec-secgw option to enable reassembly support and + specify size of reassembly table (e.g. + ``MULTI_SEG_TEST='--reassemble 128'``). This option must be set for + fallback session tests. + Note that most of the tests require the appropriate crypto PMD/device to be available. diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh index f6c5bf5a7..17f2f86d2 100644 --- a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh @@ -29,11 +29,11 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 #SA in rules sa in 7 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN} sa in 9 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport ${SGW_CFG_XPRM} +mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN} #SA out rules sa out 7 aead_algo aes-128-gcm \ diff --git a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh new file mode 100644 index 000000000..875a7457d --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_defs.sh + +SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none' diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh index 278377967..7490baded 100644 --- a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh @@ -29,11 +29,13 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 #SA in rules sa in 7 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} \ +${SGW_CFG_XPRM_IN} sa in 9 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} \ +${SGW_CFG_XPRM_IN} #SA out rules sa out 7 aead_algo aes-128-gcm \ diff --git a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh new file mode 100644 index 000000000..696848432 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_defs.sh + +SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'