Increase the default RX/TX ring sizes to 1024/1024 to
accommodate for NICs with higher throughput (25G, 40G etc)
Signed-off-by: Kevin Laatz <kevin.laatz@intel.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Since the DPDK build now includes both static and shared libraries, we need
a new way to enable building the examples using either method from the one
installation. To do this, we add in a default "shared" target, and a
separate "static" target which links in the DPDK static libraries. In both
cases, the final application name is symlinked to the last-built static or
shared target, with both binaries able to co-exist in the build directory.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
Change the example app Makefiles to query if DPDK is installed and
registered using pkg-config. If so, build directly using pkg-config info,
otherwise fall back to using the original build system with RTE_SDK and
RTE_TARGET
This commit changes the makefiles for the basic examples, i.e. those which
do not have multiple subdirectories underneath the main examples dir.
Examples not covered are:
* ethtool
* multi_process
* performance-thread
* quota_watermark
* netmap_compat
* server_node_efd
* vm_power_manager
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Reviewed-by: Luca Boccassi <bluca@debian.org>
Reorder the text in the makefiles, so that the app name and the source
files are listed first. This then will allow them to be shared later in a
combined makefile building with pkg-config and RTE_SDK-based build system.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Reviewed-by: Luca Boccassi <bluca@debian.org>
Add support for having selected example apps built as part of a meson,
ninja build. By default none are built, and those to be built should be
named directly in the -Dexamples='' meson configuration argument.
This is useful for developers working on a feature who want to use a
suitable example, or examples, to test that feature, as they can compile
everything up in one go, and run the example without having to do a ninja
install first.
This commit adds examples which don't consist of multiple apps in
subdirectories to the meson build, so they can be built by default by
passing -Dexamples parameter to meson.
Not included are the following examples:
* ethtool
* multi-process
* netmap_compat
* performance-thread
* quota_watermark
* server_node_efd
* vm_power_manager
To test the apps added here, use the following command, merged to one line,
to add them to your meson build (command to be run inside the build
directory):
meson configure -Dexamples=bbdev_app,bond,cmdline,distributor,\
eventdev_pipeline_sw_pmd, exception_path,helloworld,\
ip_fragmentation,ip_pipeline,ip_reassembly, ipsec-secgw,\
ipv4_multicast,kni,l2fwd-cat,l2fwd-crypto,l2fwd-jobstats,\
l2fwd-keepalive,l2fwd,l3fwd-acl,l3fwd-power,l3fwd-vf,l3fwd,\
link_status_interrupt,load_balancer,packet_ordering,ptpclient,\
qos_meter,qos_sched,rxtx_callbacks,skeleton,tep_termination,\
timer,vhost,vhost_scsi,vmdq,vmdq_dcb
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Reviewed-by: Luca Boccassi <bluca@debian.org>
Fixes: 3da37f6821 ("examples/ipsec_secgw: create session mempools for ethdevs")
Some NICs do not have the rte_security context, this patch fixes the segment fault
caused by this.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Add checks during build to ensure that all symbols in the EXPERIMENTAL
version map section have __experimental tags on their definitions, and
enable the warnings needed to announce their use. Also add an
ALLOW_EXPERIMENTAL_APIS define to allow individual libraries and files
to declare the acceptability of experimental api usage
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Thomas Monjalon <thomas@monjalon.net>
After trying RSS and Queue also try End for flow action
to allow for HW that don't support flow features with
inline crypto.
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Reviewed-by: Akhil Goyal <akhil.goyal@nxp.com>
SPI field is defined in the RFC2406 [1] as a big endian field it should be
provided in its final form to the drivers through RTE flow.
[1] https://tools.ietf.org/html/rfc2406
Fixes: ec17993a14 ("examples/ipsec-secgw: support security offload")
Cc: stable@dpdk.org
Signed-off-by: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Mellanox INNOVA NIC needs to have final target queue actions to perform
inline crypto.
Signed-off-by: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
Acked-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Generic flow API have both direction bits, ingress and egress for rules
which may work on both sides.
Fixes: ec17993a14 ("examples/ipsec-secgw: support security offload")
Cc: stable@dpdk.org
Signed-off-by: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
IPSec application is using index 0 of SA table as error,
with current value of IPSEC_SA_MAX_ENTRIES(128) it can
not support SA with spi = 128, as it uses sa_idx = 0
in the SA table.
With this patch, sa_idx = 0 can also be used.
PS: spi = 0 is an invalid SPI and application throws error
for it.
Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")
Cc: stable@dpdk.org
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Since the processing of crypto operations may take time
due to hardware offload, all the packets may not be available
in the single dequeue command.
So it may happen that there is leakage of cops, and there is
nobody to dequeue the packets because dequeue of crypto ops is
done only once for a particular queue pair even if it has more
packets in flight.
This patch dequeue the packets again if the inflight packets are
more than the max packet burst.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
When TTL is decremented or ecn is updated in IP header
before forwarding the packet, checksum needs to be updated.
In this patch an incremental checksum is added for ipv4 case.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Packet_type should be updated to remove/add L4 type for
encrypted/decrypted packet
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Previously, ipsec-secgw application did not give user the
flexibility to decide which crypto device(s) will be used.
In this patch, a new cryptodev_mask option is added to the
application. Same as portmask, the cryptodev_mask avails the
user to mask out the unwanted crypto devices in the system.
This patch is similar to the support added in l2fwd-crypto
(d2797f51cc: examples/l2fwd-crypto: add cryptodev mask option)
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Adding support for inline protocol processing
In ingress side, application will receive regular IP packets, without
any IPsec related info. Application will do a selector check (SP-SA
check) by making use of the metadata from the packet. The
device-specific metadata in mbuf would aid in determing the security
session which processed the packet.
In egress side, the plain packet would be submitted to the driver. The
packet will have optional metadata, which could be used to identify the
security session associated with the packet.
Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Reviewed-by: Akhil Goyal <akhil.goyal@nxp.com>
When security offload is enabled, the packet should be forwarded on the
port configured in the SA. Security session will be configured on that
port only, and sending the packet on other ports could result in
unencrypted packets being sent out.
This would have performance improvements too, as the per packet LPM
lookup would be avoided for IPsec packets, in inline mode.
Fixes: ec17993a14 ("examples/ipsec-secgw: support security offload")
Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Replace the BSD license header with the SPDX tag for files
with only an Intel copyright on them.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
On SUSE11 with gcc 4.5.1 the following build error occurred,
most likely because of improper handling of annonymous unions:
examples/ipsec-secgw/ipsec.c:87:4 error:
unknown field ‘ipsec’ specified in initializer
Fixes: ec17993a14 ("examples/ipsec-secgw: support security offload")
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
All PCI functionality should be hidden from apps via the PCI bus driver,
the EAL and individual device drivers. Therefore remove the inclusion of
rte_pci.h from sample apps.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
The following inline functions and macros have been renamed to be
consistent with the IOVA wording:
rte_mbuf_data_dma_addr -> rte_mbuf_data_iova
rte_mbuf_data_dma_addr_default -> rte_mbuf_data_iova_default
rte_pktmbuf_mtophys -> rte_pktmbuf_iova
rte_pktmbuf_mtophys_offset -> rte_pktmbuf_iova_offset
The deprecated functions and macros are kept to avoid breaking the API.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Olivier Matz <olivier.matz@6wind.com>
Build fails when rte_security is disabled; make rte_security mandatory
Fixes: ec17993a14 ("examples/ipsec-secgw: support security offload")
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Tested-by: David Marchand <david.marchand@6wind.com>
Ipsec-secgw application is modified so that it can support
following type of actions for crypto operations
1. full protocol offload using crypto devices.
2. inline ipsec using ethernet devices to perform crypto operations
3. full protocol offload using ethernet devices.
4. non protocol offload
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Declan Doherty <declan.doherty@intel.com>
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
According to rfc4106 the IV should be unique and can be implemented
as counter.
The changed was created because putting an analyzer on wire and
comparing packets generated by this application and Linux kernel.
Linux kernel sets IV as BE, so it is worth to do the same for
future debug / comparison.
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Search for session also with AEAD algorithms.
Fixes: 501e9c226a ("examples/ipsec-secgw: add AEAD parameters")
Cc: stable@dpdk.org
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
AEAD algorithms were not being added in the mapping
between algorithms and crypto devices, only cipher and
authentication chained algorithms.
Fixes: 501e9c226a ("examples/ipsec-secgw: add AEAD parameters")
Cc: stable@dpdk.org
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
IPv6 payload length header field should contain only the number of bytes
following the IPv6 header and not the entire packet size.
Fixes: f159e70b09 ("examples/ipsec-secgw: support transport mode")
Fixes: 906257e965 ("examples/ipsec-secgw: support IPv6")
Cc: stable@dpdk.org
Signed-off-by: Tomasz Duszynski <tdu@semihalf.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Since new_ip and ip4 are overlapping buffers copying ip4 over new_ip
using memmove() might overwrite memory at ip4. This could happen if
following condition holds:
ip_hdr_len > sizeof(struct esp_hdr) + sa->iv_len
Thus using ip4 to check ip version is wrong as it might not contain
proper value.
Fixes: f159e70b09 ("examples/ipsec-secgw: support transport mode")
Cc: stable@dpdk.org
Signed-off-by: Tomasz Duszynski <tdu@semihalf.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Reviewed-by: Aviad Yehezkel <aviadye@mellanox.com>
Additional Authenticated Data (AAD) is called "aad" in most
places of cryptodev, but it was called "add_auth_data"
in the AEAD transform transform (aead_xform).
This field is renamed to "aad_length" in order to keep
consistency.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
The session mempool pointer is needed in each queue pair,
if session-less operations are being handled.
Therefore, the API is changed to accept this parameter,
as the session mempool is created outside the
device configuration function, similar to what ethdev
does with the rx queues.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Change crypto device's session management to make it
device independent and simplify architecture when session
is intended to be used on more than one device.
Sessions private data is agnostic to underlying device
by adding an indirection in the sessions private data
using the crypto driver identifier.
A single session can contain indirections to multiple device types.
New function rte_cryptodev_sym_session_init has been created,
to initialize the driver private session data per driver to be
used on a same session, and rte_cryptodev_sym_session_clear
to clear this data before calling rte_cryptodev_sym_session_free.
Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Device id is going to be removed from session,
as the session will be device independent.
Therefore, the functions that attach/dettach a session
to a queue pair need to be updated, to accept the device id
as a parameter, apart from the queue pair id and the session.
Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Instead of creating the session mempool while configuring
the crypto device, apps will create the mempool themselves.
This way, it gives flexibility to the user to have a single
mempool for all devices (as long as the objects are big
enough to contain the biggest private session size) or
separate mempools for different drivers.
Also, since the mempool is now created outside the
device configuration function, now it needs to be passed
through this function, which will be eventually passed
when setting up the queue pairs, as ethernet devices do.
Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Cryptodev session structure was a duplication of the
cryptodev symmetric structure.
It was used by some PMDs that should use the symmetric
structure instead.
Since this structure was internal, there is no deprecation
notice required.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Now that all the structures/functions for AEAD algorithms
are in place, migrate the two supported algorithms
AES-GCM and AES-CCM to these, instead of using
cipher and authentication parameters.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Since there is a new operation type (AEAD), add parameters
for this in the application.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Digest length was duplicated in the authentication transform
and the crypto operation structures.
Since digest length is not expected to change in a same
session, it is removed from the crypto operation.
Also, the length has been shrunk to 16 bits,
which should be sufficient for any digest.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Additional authenticated data (AAD) information was duplicated
in the authentication transform and in the crypto
operation structures.
Since AAD length is not meant to be changed in a same session,
it is removed from the crypto operation structure.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Since IV parameters (offset and length) should not
change for operations in the same session, these parameters
are moved to the crypto transform structure, so they will
be stored in the sessions.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Since IV now is copied after the crypto operation, in
its private size, IV can be passed only with offset
and length.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
