examples/ipsec-secgw: fix offload flag used for TSO IPv6

RTE_MBUF_F_TX_OUTER_IP_CKSUM should not be set for IPv6 packets.

Fixes: a7f32947a316 ("examples/ipsec-secgw: support TCP TSO")
Cc: stable@dp

examples/ipsec-secgw: fix offload flag used for TSO IPv6

RTE_MBUF_F_TX_OUTER_IP_CKSUM should not be set for IPv6 packets.

Fixes: a7f32947a316 ("examples/ipsec-secgw: support TCP TSO")
Cc: [email protected]

Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: fix L4 length for TSO packets

Using RTE_MBUF_F_TX_TCP_SEG requires L4 length to be set.

Fixes: a7f32947a316 ("examples/ipsec-secgw: support TCP TSO")

Signed-off-by: Radu Nico

examples/ipsec-secgw: fix L4 length for TSO packets

Using RTE_MBUF_F_TX_TCP_SEG requires L4 length to be set.

Fixes: a7f32947a316 ("examples/ipsec-secgw: support TCP TSO")

Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: support TCP TSO

Add support to allow user to specific MSS for TCP TSO offload on a per SA
basis. MSS configuration in the context of IPsec is only supported for
outbound SA's i

examples/ipsec-secgw: support TCP TSO

Add support to allow user to specific MSS for TCP TSO offload on a per SA
basis. MSS configuration in the context of IPsec is only supported for
outbound SA's in the context of an inline IPsec Crypto offload.

Signed-off-by: Declan Doherty <[email protected]>
Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: add per-core packet statistics

Adding per core packet handling stats to analyze traffic distribution
when multiple cores are engaged.

Since aggregating the packet stats across

examples/ipsec-secgw: add per-core packet statistics

Adding per core packet handling stats to analyze traffic distribution
when multiple cores are engaged.

Since aggregating the packet stats across cores would affect
performance, keeping the feature disabled using compile time flags.

Signed-off-by: Anoob Joseph <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-gw: fix gcc 10 maybe-uninitialized warning

gcc 10.0.1 reports:

../examples/ipsec-secgw/ipsec_process.c: In function ‘ipsec_process’:
../examples/ipsec-secgw/ipsec_process.c:132:34:
e

examples/ipsec-gw: fix gcc 10 maybe-uninitialized warning

gcc 10.0.1 reports:

../examples/ipsec-secgw/ipsec_process.c: In function ‘ipsec_process’:
../examples/ipsec-secgw/ipsec_process.c:132:34:
error: ‘grp.m’ may be used uninitialized in this function
[-Werror=maybe-uninitialized]
132 | grp[n].cnt = pkts + i - grp[n].m;
| ~~~~~~^~

This is a correct warning for the initial execution of the statement.
However, it is the design of the loop that grp[0].cnt will later be
written with the correct value using an initialized grp[0].m before it
is used.

In order to remove the warning, initialize grp[0].m for the initial and
unused calculation of grp[0].cnt.

Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
Cc: [email protected]

Suggested-by: Konstantin Ananyev <[email protected]>
Signed-off-by: Kevin Traynor <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>

show more ...

examples/ipsec-secgw: support CPU crypto

Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.

Legacy mode i

examples/ipsec-secgw: support CPU crypto

Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.

Legacy mode is not currently supported.

Signed-off-by: Konstantin Ananyev <[email protected]>
Signed-off-by: Marcin Smoczynski <[email protected]>
Acked-by: Fan Zhang <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: support fallback session

Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. Wh

examples/ipsec-secgw: support fallback session

Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.

Introduce fallback session for inline crypto processing allowing
handling packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' parameter
to an SA configuration. Only 'inline-crypto-offload" as a primary
session and 'lookaside-none' as a fall-back session combination is
supported by this patch.

Fallback session feature is not available in the legacy mode.

Signed-off-by: Marcin Smoczynski <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Tested-by: Bernard Iremonger <[email protected]>

show more ...

examples/ipsec-secgw: clean SA structure

Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
*

examples/ipsec-secgw: clean SA structure

Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.

Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.

Signed-off-by: Marcin Smoczynski <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Tested-by: Bernard Iremonger <[email protected]>

show more ...

examples/ipsec-secgw: fix first packet with inline crypto

Inline crypto installs a flow rule in the NIC. This flow
rule must be installed before the first inbound packet is
received.

The create_ses

examples/ipsec-secgw: fix first packet with inline crypto

Inline crypto installs a flow rule in the NIC. This flow
rule must be installed before the first inbound packet is
received.

The create_session() function installs the flow rule,
create_session() has been refactored into create_inline_session()
and create_lookaside_session(). The create_inline_session() function
uses the socket_ctx data and is now called at initialisation in
sa_add_rules().

The max_session_size() function has been added to calculate memory
requirements.

The cryprodev_init() function has been refactored to drop calls to
rte_mempool_create() and to drop calculation of memory requirements.

The main() function has been refactored to call max_session_size() and
to call session_pool_init() and session_priv_pool_init() earlier.
The ports are started now before adding a flow rule in main().
The sa_init(), sp4_init(), sp6_init() and rt_init() functions are
now called after the ports have been started.

The rte_ipsec_session_prepare() function is called in fill_ipsec_session()
for inline which is called from the ipsec_sa_init() function.

Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Cc: [email protected]

Signed-off-by: Bernard Iremonger <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec_secgw: fix possible null dereference

Coverity issue: 336844
Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
Cc: [email protected]

Signed-off-by: Konst

examples/ipsec_secgw: fix possible null dereference

Coverity issue: 336844
Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
Cc: [email protected]

Signed-off-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: make data-path to use IPsec library

Changes to make ipsec-secgw data-path code to utilize librte_ipsec library.
Note that right now by default current (non-librte_ipsec) code-p

examples/ipsec-secgw: make data-path to use IPsec library

Changes to make ipsec-secgw data-path code to utilize librte_ipsec library.
Note that right now by default current (non-librte_ipsec) code-path will
be used. User has to run application with new command-line option ('-l')
to enable new codepath.

Signed-off-by: Mohammad Abdul Awal <[email protected]>
Signed-off-by: Bernard Iremonger <[email protected]>
Signed-off-by: Konstantin Ananyev <[email protected]>
Acked-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...