#
88948ff3 |
| 13-Sep-2024 |
Tejasree Kondoj <ktejasree@marvell.com> |
examples/ipsec-secgw: fix dequeue count from cryptodev
Setting dequeue packet count to max of MAX_PKT_BURST size instead of MAX_PKTS.
Dequeue from cryptodev is called with MAX_PKTS but routing functions allocate hop/dst_ip arrays of size MAX_PKT_BURST. This can corrupt stack causing stack smashing error when more than MAX_PKT_BURST packets are returned from cryptodev.
Fixes: a2b445b810ac ("examples/ipsec-secgw: allow larger burst size for vectors")
Cc: stable@dpdk.org
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
|
#
727fcb45 |
| 19-Dec-2023 |
Anoob Joseph <anoobj@marvell.com> |
examples/ipsec-secgw: update stats when freeing packets
Instead of freeing directly, use commonly used function which also updates stats.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
|
#
a8ade121 |
| 27-Apr-2022 |
Volodymyr Fialko <vfialko@marvell.com> |
examples/ipsec-secgw: create lookaside sessions at init
In event lookaside mode same session could be handled with multiple cores, and session creation in datapath will cause situation where multiple cores will try to create same session simultaneously. To avoid such case and enable event lookaside mode in future, lookaside sessions are now created at initialization in sa_add_rules().
All sessions (inline and lookaside) are now created during init process, so session pool information was removed from ipsec context. Core id was added to obtain correct crypto device queue pair for the current core.
Signed-off-by: Volodymyr Fialko <vfialko@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
|
#
dcbf9ad5 |
| 29-Apr-2022 |
Nithin Dabilpuram <ndabilpuram@marvell.com> |
examples/ipsec-secgw: move fast path helper functions
Move fast path helper functions to header file for easy access.
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
|
#
dfb0708e |
| 25-Nov-2021 |
Radu Nicolau <radu.nicolau@intel.com> |
examples/ipsec-secgw: fix offload flag used for TSO IPv6
RTE_MBUF_F_TX_OUTER_IP_CKSUM should not be set for IPv6 packets.
Fixes: a7f32947a316 ("examples/ipsec-secgw: support TCP TSO")
Cc: stable@dpdk.org
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
|
#
0fa4f444 |
| 24-Nov-2021 |
Radu Nicolau <radu.nicolau@intel.com> |
examples/ipsec-secgw: fix L4 length for TSO packets
Using RTE_MBUF_F_TX_TCP_SEG requires L4 length to be set.
Fixes: a7f32947a316 ("examples/ipsec-secgw: support TCP TSO")
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
|
#
a7f32947 |
| 28-Oct-2021 |
Radu Nicolau <radu.nicolau@intel.com> |
examples/ipsec-secgw: support TCP TSO
Add support to allow user to specify MSS for TCP TSO offload on a per SA basis. MSS configuration in the context of IPsec is only supported for outbound SA's in the context of an inline IPsec Crypto offload.
Signed-off-by: Declan Doherty <declan.doherty@intel.com>
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
|
#
1329602b |
| 13-May-2020 |
Anoob Joseph <anoobj@marvell.com> |
examples/ipsec-secgw: add per-core packet statistics
Adding per core packet handling stats to analyze traffic distribution when multiple cores are engaged.
Since aggregating the packet stats across cores would affect performance, keeping the feature disabled using compile time flags.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
|
#
f8afd292 |
| 11-Mar-2020 |
Kevin Traynor <ktraynor@redhat.com> |
examples/ipsec-gw: fix gcc 10 maybe-uninitialized warning
gcc 10.0.1 reports:
../examples/ipsec-secgw/ipsec_process.c: In function ‘ipsec_process’:
../examples/ipsec-secgw/ipsec_process.c:132:34: error: ‘grp.m’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  132 |    grp[n].cnt = pkts + i - grp[n].m;
      |                            ~~~~~~^~
This is a correct warning for the initial execution of the statement. However, it is the design of the loop that grp[0].cnt will later be written with the correct value using an initialized grp[0].m before it is used.
In order to remove the warning, initialize grp[0].m for the initial and unused calculation of grp[0].cnt.
Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
Cc: stable@dpdk.org
Suggested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
|
#
5139d5d9 |
| 04-Feb-2020 |
Marcin Smoczynski <marcinx.smoczynski@intel.com> |
examples/ipsec-secgw: support CPU crypto
Add support for CPU accelerated crypto. 'cpu-crypto' SA type has been introduced in configuration allowing to use abovementioned acceleration.
Legacy mode is not currently supported.
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
|
#
ba66534f |
| 14-Oct-2019 |
Marcin Smoczynski <marcinx.smoczynski@intel.com> |
examples/ipsec-secgw: support fallback session
Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped.
Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload' as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch.
Fallback session feature is not available in the legacy mode.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
|
#
4a67af84 |
| 14-Oct-2019 |
Marcin Smoczynski <marcinx.smoczynski@intel.com> |
examples/ipsec-secgw: clean SA structure
Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
|
#
3a690d5a |
| 19-Jul-2019 |
Bernard Iremonger <bernard.iremonger@intel.com> |
examples/ipsec-secgw: fix first packet with inline crypto
Inline crypto installs a flow rule in the NIC. This flow rule must be installed before the first inbound packet is received.
The create_session() function installs the flow rule, create_session() has been refactored into create_inline_session() and create_lookaside_session(). The create_inline_session() function uses the socket_ctx data and is now called at initialisation in sa_add_rules().
The max_session_size() function has been added to calculate memory requirements.
The cryprodev_init() function has been refactored to drop calls to rte_mempool_create() and to drop calculation of memory requirements.
The main() function has been refactored to call max_session_size() and to call session_pool_init() and session_priv_pool_init() earlier. The ports are started now before adding a flow rule in main(). The sa_init(), sp4_init(), sp6_init() and rt_init() functions are now called after the ports have been started.
The rte_ipsec_session_prepare() function is called in fill_ipsec_session() for inline which is called from the ipsec_sa_init() function.
Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Cc: stable@dpdk.org
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
|
#
fd7c1172 |
| 27-Mar-2019 |
Konstantin Ananyev <konstantin.ananyev@intel.com> |
examples/ipsec_secgw: fix possible null dereference
Coverity issue: 336844
Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
Cc: stable@dpdk.org
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
|
#
3e5f4625 |
| 10-Jan-2019 |
Konstantin Ananyev <konstantin.ananyev@intel.com> |
examples/ipsec-secgw: make data-path to use IPsec library
Changes to make ipsec-secgw data-path code to utilize librte_ipsec library. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath.
Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
|