Commit Graph

223 Commits

Author SHA1 Message Date
Anoob Joseph
8e693616fc examples/ipsec-secgw: enable flow based distribution
RTE_FLOW API allows hardware parsing and steering of packets to specific
queues which helps in distributing ingress traffic across various cores.
Adding 'flow' rules allows user to specify the distribution required.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-07-20 14:51:31 +05:30
Anoob Joseph
1329602b6c examples/ipsec-secgw: add per-core packet statistics
Adding per core packet handling stats to analyze traffic distribution
when multiple cores are engaged.

Since aggregating the packet stats across cores would affect
performance, keeping the feature disabled using compile time flags.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-07-08 00:15:35 +02:00
Bruce Richardson
8549295db0 build/pkg-config: improve static linking flags
Rather than setting -Bstatic in the linker flags when doing a static link,
and then having to explicitly set -Bdynamic again afterwards, we can update
the pkg-config file to use -l:libfoo.a syntax to explicitly refer to the
static library in question. Since this syntax is not supported by meson's
pkg-config module directly, we can post-process the .pc files instead to
adjust them.

Once done, we can simplify the examples' makefiles and the docs by removing
the explicit static flag.

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
Acked-by: Sunil Pai G <sunil.pai.g@intel.com>
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
2020-07-01 19:30:52 +02:00
Ivan Dyukov
c81e3f21d1 examples: remove extra new line after link duplex
This patch removes extra 'new line' in few app examples.

Fixes: d3641ae863 ("examples: update link status checks")
Fixes: 387259bd6c ("examples/l2fwd-crypto: add sample application")
Fixes: 4ff457986f ("examples/l2fwd-event: add default poll mode routines")
Fixes: e64833f227 ("examples/l2fwd-keepalive: add sample application")
Fixes: 204896f8d6 ("examples/l2fwd-jobstats: add new example")
Fixes: c8e6ceeceb ("examples/ioat: add new sample app for ioat driver")
Fixes: cc8f4d020c ("examples/ip_reassembly: initial import")
Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")
Fixes: 39aad0e88c ("examples/flow_distributor: new example to demonstrate EFD")
Fixes: d48415e1fe ("examples/performance-thread: add l3fwd-thread app")
Fixes: 20c78ac9ee ("examples/vm_power_mgr: add port initialisation")
Fixes: 361b2e9559 ("acl: new sample l3fwd-acl")
Fixes: de3cfa2c98 ("sched: initial import")
Fixes: d7937e2e3d ("power: initial import")
Fixes: 3fc5ca2f63 ("kni: initial import")
Cc: stable@dpdk.org

Signed-off-by: Ivan Dyukov <i.dyukov@samsung.com>
2020-05-12 04:07:29 +02:00
Vladimir Medvedkin
04fa1906fc examples/ipsec-secgw: remove limitation for crypto sessions
Get rid of hardcoded limit of cryptodev sessions.

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-05-11 13:17:43 +02:00
Praveen Shetty
5ec3eb3b83 examples/ipsec-secgw: fix ESP flow error log
Function create_ipsec_esp_flow returns a negative number in case of any
failure and we are passing this to strerror to display the error message.
But strerror()'s argument cannot be negative.
In case of failure, displaying exact error message to console is handled
in create_ipsec_esp_flow function.
So it is not required to print the error message again using strerror.
This patch will remove the unnecessary calling of strerror function
to fix the negative argument passing to strerror issue.

Coverity issue: 357691
Fixes: 6738c0a956 ("examples/ipsec-secgw: support flow director")

Signed-off-by: Praveen Shetty <praveen.shetty@intel.com>
Acked-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
2020-05-11 13:17:43 +02:00
Mariusz Drost
9dbc4e21e7 examples/ipsec-secgw: clean up test scripts
As more test cases are defined for execution, test scripts structure
needs to be reorganized, so fewer files are needed to describe the test.
To achieve that, new environment variables are incorporated into the
scripts.
Additionally, tests for mixed tunnel protocols are added.

Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2020-05-11 13:17:43 +02:00
Kevin Traynor
f8afd29247 examples/ipsec-gw: fix gcc 10 maybe-uninitialized warning
gcc 10.0.1 reports:

../examples/ipsec-secgw/ipsec_process.c: In function ‘ipsec_process’:
../examples/ipsec-secgw/ipsec_process.c:132:34:
error: ‘grp.m’ may be used uninitialized in this function
 [-Werror=maybe-uninitialized]
  132 |    grp[n].cnt = pkts + i - grp[n].m;
      |                            ~~~~~~^~

This is a correct warning for the initial execution of the statement.
However, it is the design of the loop that grp[0].cnt will later be
written with the correct value using an initialized grp[0].m before it
is used.

In order to remove the warning, initialize grp[0].m for the initial and
unused calculation of grp[0].cnt.

Fixes: 3e5f4625dc ("examples/ipsec-secgw: make data-path to use IPsec library")
Cc: stable@dpdk.org

Suggested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2020-05-06 11:18:36 +02:00
Ankur Dwivedi
f5ad501686 examples/ipsec-secgw: check event adapter errors
The return values of functions are checked before proceeding further.

Coverity issue: 355670, 355671, 355672, 355673
Fixes: 1d89ccf323 ("examples/ipsec-secgw: support event Tx adapter")

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-19 17:15:14 +02:00
Ankur Dwivedi
ab722af65d examples/ipsec-secgw: remove duplicated check
The two if check does the same task, so removing one.

Coverity issue: 355669
Fixes: 9ad50c29d0 ("examples/ipsec-secgw: add app mode worker")

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-19 17:15:14 +02:00
Praveen Shetty
6738c0a956 examples/ipsec-secgw: support flow director
Support load distribution in security gateway application using
NIC load distribution feature (Flow Director).
Flow Director is used to redirect the specified inbound ipsec flow
to a specified queue. This is achieved by extending the SA rule syntax
to support specification by adding new action_type of <flow-direction>
to a specified <port_id> <queue_id>.

Signed-off-by: Praveen Shetty <praveen.shetty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-19 17:15:14 +02:00
Anoob Joseph
a8af994b41 examples/ipsec-secgw: support 192/256 AES key sizes
Adding support for the following,
1. AES-192-GCM
2. AES-256-GCM
3. AES-192-CBC

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-19 17:15:14 +02:00
Thomas Monjalon
ef5baf3486 replace packed attributes
There is a common macro __rte_packed for packing structs,
which is now used where appropriate for consistency.

Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
2020-04-16 18:16:46 +02:00
Mariusz Drost
053e1f3c13 examples/ipsec-secgw: enable CPU crypto fallback
Added cpu-crypto fallback option parsing as well as tests for it

Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2020-04-05 18:38:51 +02:00
Lukasz Bartosik
844baa1039 examples/ipsec-secgw: reserve crypto queues in event mode
Reserve minimum number of crypto queues equal to number of ports.
This is to fulfill inline protocol offload requirements.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 18:26:04 +02:00
Lukasz Bartosik
7338a34e01 examples/ipsec-secgw: make number of buffers dynamic
Make number of buffers in a pool nb_mbuf_in_pool dependent on number
of ports, cores and crypto queues. Add command line option -s which
when used overrides dynamic calculation of number of buffers in a pool.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 18:26:04 +02:00
Lukasz Bartosik
9ad50c29d0 examples/ipsec-secgw: add app mode worker
Add application inbound/outbound worker thread and
IPsec application processing code for event mode.

Example ipsec-secgw command in app mode:
ipsec-secgw -w 0002:02:00.0,ipsec_in_max_spi=128
-w 0002:03:00.0,ipsec_in_max_spi=128 -w 0002:0e:00.0 -w 0002:10:00.1
--log-level=8 -c 0x1 -- -P -p 0x3 -u 0x1 -f aes-gcm.cfg
--transfer-mode event --event-schedule-type parallel

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 18:26:04 +02:00
Lukasz Bartosik
4965dda045 examples/ipsec-secgw: add driver mode worker
Add driver inbound and outbound worker thread for ipsec-secgw. In driver
mode application does as little as possible. It simply forwards packets
back to port from which traffic was received instructing HW to apply
inline security processing using first outbound SA configured for
a given port. If a port does not have SA configured outbound traffic
on that port will be silently dropped. The aim of this mode is to
measure HW capabilities. Driver mode is selected with single-sa option.
The single-sa option accepts SA index however in event mode the SA
index is ignored.

Example command to run ipsec-secgw in driver mode:
ipsec-secgw -w 0002:02:00.0,ipsec_in_max_spi=128
-w 0002:03:00.0,ipsec_in_max_spi=128 -w 0002:0e:00.0 -w 0002:10:00.1
--log-level=8 -c 0x1 -- -P -p 0x3 -u 0x1 -f aes-gcm.cfg
--transfer-mode event --event-schedule-type parallel --single-sa 0

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 18:26:04 +02:00
Lukasz Bartosik
65e3a202ac examples/ipsec-secgw: add event mode
Add eventmode support to ipsec-secgw. With the aid of event helper
configure and use the eventmode capabilities.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 18:26:04 +02:00
Lukasz Bartosik
bc33e9c7b2 examples/ipsec-secgw: add event helper config init/uninit
Add eventmode helper eh_conf_init and eh_conf_uninit
functions which purpose is to initialize and
uninitialize eventmode helper configuration.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 17:53:13 +02:00
Lukasz Bartosik
ec3cc53f5a examples/ipsec-secgw: support internal ports for events
Add support for Rx and Tx internal ports. When internal ports are
available then a packet can be received from eth port and forwarded
to event queue by HW without any software intervention. The same
applies to Tx side where a packet sent to an event queue can by
forwarded by HW to eth port without any software intervention.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 17:53:47 +02:00
Lukasz Bartosik
1bf6baac4a examples/ipsec-secgw: add event worker launch
In eventmode workers can be drafted differently according to the
capabilities of the underlying event device. The added functions will
receive an array of such workers and probe the eventmode properties to
choose the worker.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 17:53:13 +02:00
Anoob Joseph
4ce384793f examples/ipsec-secgw: add event config display
Add routines to display the eventmode configuration and provide
an overview of the devices used.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 17:53:13 +02:00
Anoob Joseph
1d89ccf323 examples/ipsec-secgw: support event Tx adapter
Add Tx adapter support. The event helper init routine will initialize
the Tx adapter according to the configuration. If Tx adapter config
is not present it will generate a default config.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 17:53:34 +02:00
Anoob Joseph
02afed5925 examples/ipsec-secgw: support event Rx adapter
Add Rx adapter support. The event helper init routine will initialize
the Rx adapter according to the configuration. If Rx adapter config
is not present it will generate a default config. If there are enough
event queues available it will map eth ports and event queues 1:1
(one eth port will be connected to one event queue). Otherwise it
will map all eth ports to one event queue.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-05 17:53:13 +02:00
Anoob Joseph
d7bcfb9707 examples/ipsec-secgw: add event port-lcore link
Add event device port-lcore link and specify which event queues should
be connected to the event port. Generate a default config for event
port-lcore links if it is not specified in the configuration. This
routine will check the number of available ports and then create links
according to the number of cores available. This patch also adds a new
entry in the eventmode conf to denote that all queues are to be linked
with every port. This enables one core to receive packets from all
ethernet ports.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-01 12:07:08 +02:00
Anoob Joseph
e0b0e55c8f examples/ipsec-secgw: add framework for event helper
Add framework for eventmode helper. Event mode involves
initialization of multiple devices like eventdev, ethdev
and etc. Add routines to initialize and uninitialize event
device. Generate a default config for event device if it
is not specified in the configuration. Currently event
helper supports single event device only.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-01 12:07:07 +02:00
Ankur Dwivedi
513f192b5f examples/ipsec-secgw: add default flow for inline Rx
The default flow created would enable security processing on all ESP
packets. If the default flow is created, SA based rte_flow creation
would be skipped.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-01 12:07:07 +02:00
Ankur Dwivedi
b685f931e1 examples/ipsec-secgw: extend inline session to non AES-GCM
This patch extends creation of inline session to all the algorithms.
Previously the inline session was enabled only for AES-GCM cipher.

Fixes: 3a690d5a65 ("examples/ipsec-secgw: fix first packet with inline crypto")
Cc: stable@dpdk.org

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-02-20 11:16:46 +01:00
Marcin Smoczynski
68c28400ec examples/ipsec-secgw: add missing SPDX license tag
Add missing BSD-3 license tag to inline fallback testing scripts.

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2020-02-13 12:41:04 +01:00
Marcin Smoczynski
850fc3eade examples/ipsec-secgw: test CPU crypto
Enable cpu-crypto mode testing by adding dedicated environmental
variable CRYPTO_PRIM_TYPE. Setting it to 'type cpu-crypto' allows
to run test scenario with cpu crypto acceleration.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
2020-02-05 15:29:14 +01:00
Marcin Smoczynski
5139d5d9e3 examples/ipsec-secgw: support CPU crypto
Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.

Legacy mode is not currently supported.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-02-05 15:30:16 +01:00
Vladimir Medvedkin
1291e11e95 examples/ipsec-secgw: set and use packet type
Set mbuf ptype in prepare_one_packet() after parsing ether_type.
Use mbuf ptype after to recognize packet's address family.

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-02-05 15:20:51 +01:00
Vladimir Medvedkin
2cf67788ae examples/ipsec-secgw: add SAD cache
Introduce SAD cache.
Stores the most recent SA in a per lcore cache.
Cache represents flat array containing SA's indexed by SPI.

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
2020-02-05 15:20:51 +01:00
Vladimir Medvedkin
b0806375ae examples/ipsec-secgw: get rid of maximum SP limitation
Get rid of maximum SP limitation.
Keep parsed SP's into the sorted by SPI value array.
Use binary search in the sorted SP array to find appropriate SP
for a given SPI.

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
2020-02-05 15:20:51 +01:00
Vladimir Medvedkin
e1143d7dbb examples/ipsec-secgw: get rid of maximum SA limitation
Get rid of maximum SA limitation.
Keep parsed SA's into the sorted by SPI value array.
Use binary search in the sorted SA array to find appropriate SA
for a given SPI.

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
2020-02-05 15:20:51 +01:00
Vladimir Medvedkin
df3e1d9489 examples/ipsec-secgw: integrate inbound SAD
Integrate ipsec SAD support into secgw app:

1. Use SAD library for inbound SA lookup
2. Changes in struct sa_ctx:
  - sa array allocates dynamically depending on number of configured sa
  - All SA's are kept one by one without using SPI2IDX
3. SP's userdata now contain index of SA in sa_ctx instead of SPI
4. Get rid of SPI2IDX macro

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
2020-02-05 15:20:51 +01:00
Vladimir Medvedkin
8e499dff73 examples/ipsec-secgw: implement inbound SAD
Add initial support for librte_ipsec SAD library

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
2020-02-05 15:20:51 +01:00
Savinay Dharmappa
71d9e6fb2a examples/ipsec-secgw: fix crash on unsupported algo
If algo is NULL set the status to error and return. This change
prevent crashing of ipsec-secgw application when a specific
cipher/auth/aead algo are not supported by application.

Fixes: 0d547ed037 ("examples/ipsec-secgw: support configuration file")
Cc: stable@dpdk.org

Signed-off-by: Savinay Dharmappa <savinay.dharmappa@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2020-01-15 16:45:04 +01:00
Bruce Richardson
69b1bb49ed examples: hide error for missing pkg-config path flag
Some versions of pkg-config don't support the --path flag, which is not a
fatal error when building the apps. Without the flag, the makefile just
cannot track the .pc file of DPDK as a dependency of the build. Therefore,
we can ignore the error and suppress it by redirecting to /dev/null the
stderr from that call to pkg-config.

Fixes: 22119c4591 ("examples: use pkg-config in makefiles")
Cc: stable@dpdk.org

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Tested-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-11-20 22:48:32 +01:00
Bruce Richardson
12a652a02b examples: fix build with old pkg-config
Not all versions of pkg-config in distros have support for the
--define-prefix flag [1], causing errors when building examples manually or
with test-meson-builds.sh script [2].

For the former case, we need to remove the hard-coded use of the flag in
the Makefiles.

For the latter case, the flag is necessary for builds to succeed, so we
skip the tests when it's not present, passing it as part of the pkg-config
command if it is supported.

[1]
CentOS Linux release 7.7.1908 (Core)
pkg-config version 0.27.1

[2]
 ## Building cmdline
Unknown option --define-prefix
gmake: Entering directory
`...ild-x86-default/install-root/usr/local/share/dpdk/examples/cmdline'
rm -f build/cmdline build/cmdline-static build/cmdline-shared
test -d build && rmdir -p build || true
Unknown option --define-prefix
Unknown option --define-prefix
gcc -O3  main.c commands.c parse_obj_list.c -o build/cmdline-shared
main.c:14:28: fatal error: cmdline_rdline.h: No such file or directory

Fixes: ca9268529d ("examples: support relocated DPDK install")
Fixes: 7f80a2102b ("devtools: test pkg-config file")
Cc: stable@dpdk.org

Reported-by: Ferruh Yigit <ferruh.yigit@intel.com>
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Tested-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-11-20 22:47:15 +01:00
Stephen Hemminger
1dc48bce51 examples/ipsec-segw: add SPDX license tag
Add missing BSD license tag to IPsec examples.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-11-20 12:35:51 +01:00
Lukasz Bartosik
742be57872 examples/ipsec-secgw: fix default configuration
Update default configuration of ipsec-secgw:
1.In ep0.cfg change SPI value used by two inbound IPv6 security
policies from 15 to 115 and 16 to 116 to point to existing inbound
SAs. There are no inbound SAs with SPI value 15, 16.
- In ep1.cfg change SPI value used by two outbound IPv6 security
policies from 15 to 115 and 16 to 116 to point to existing outbound
SAs. There are no outbound SAs with SPI value 15, 16. Add missing
priority parameter in two inbound IPv4 security policies.

Fixes: 60a94afefc ("examples/ipsec-secgw: add sample configuration files")
Cc: stable@dpdk.org

Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-20 12:35:51 +01:00
Konstantin Ananyev
6909014946 examples/ipsec-secgw: fix library mode selection in tests
Right now majority of lib mode functional tests enable
library mode with '-w N' option.
It worked till recently, as legacy mode didn't support replay window.
Now it changed.
To fix - use '-l' option to enable library mode explicitly.

Fixes: 9297844520 ("examples/ipsec-secgw: add scripts for functional test")

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
0f56ca1aae ipsec: remove redundant replay window size
The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.

The relevant tests, app are also update to reflect
the usages.

Note that esn and anti-replay fileds were earlier used
only for ipsec library, they were enabling the libipsec
by default. With this change esn and anti-replay setting
will not automatically enabled libipsec.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Vakul Garg
2fcf3f70d1 examples/ipsec-secgw: fix SHA256-HMAC digest length
As per RFC4868, SHA-256 should use 128 bits of ICV.
Fixes: b5350285ce ("examples/ipsec-secgw: support SHA256 HMAC")
Cc: stable@dpdk.org

Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Marcin Smoczynski
ce00b504f1 examples/ipsec-secgw: fix GCM IV length
The example IPsec application does not work properly when using
AES-GCM with crypto_openssl.

ESP with AES-GCM uses standard 96bit long algorithm IV ([1]) which
later concatenated with be32(1) forms a J0 block. GCM specification
([2], chapter 7.1) states that when length of IV is different than
96b, in order to format a J0 block, GHASH function must be used.

According to specification ([2], chapter 5.1.1) GCM implementations
should support standard 96bit IVs, other lengths are optional. Every
DPDK cryptodev supports 96bit IV and few of them supports 128bit
IV as well (openssl, mrvl, ccp). When passing iv::length=16 to a
cryptodev which does support standard IVs only (e.g. qat) it
implicitly uses starting 96 bits. On the other hand, openssl follows
specification and uses GHASH to compute J0 for that case which results
in different than expected J0 values used for encryption/decryption.

Fix an inability to use AES-GCM with crypto_openssl by changing IV
length to the standard value of 12.

[1] RFC4106, section "4. Nonce format" and "3.1. Initialization Vector"
    https://tools.ietf.org/html/rfc4106
[2] NIST SP800-38D
    https://csrc.nist.gov/publications/detail/sp/800-38d/final

Fixes: 0fbd75a99f ("cryptodev: move IV parameters to session")
Cc: stable@dpdk.org

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Marcin Smoczynski
403e9d914b examples/ipsec-secgw: add offload fallback tests
Add tests for offload fallback feature; add inbound config modificator
SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound
SAs). Tests are using cryptodev for outbound SA.

To test fragmentation with QAT set:
MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x5555"

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-11-08 13:51:16 +01:00
Marcin Smoczynski
bba1db3520 examples/ipsec-secgw: add fragment TTL option
Due to fragment loss on highly saturated links and long fragment
lifetime, ipsec-secgw application quickly runs out of free reassembly
buckets. As a result new fragments are being dropped.

Introduce --frag-ttl option which allow user to lower default fragment
lifetime which solves problem of saturated reassembly buckets with high
bandwidth fragmented traffic.

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-11-08 13:51:16 +01:00
Marcin Smoczynski
ba66534fc7 examples/ipsec-secgw: support fallback session
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.

Introduce fallback session for inline crypto processing allowing
handling packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' parameter
to an SA configuration. Only 'inline-crypto-offload" as a primary
session and 'lookaside-none' as a fall-back session combination is
supported by this patch.

Fallback session feature is not available in the legacy mode.

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-11-08 13:51:16 +01:00