Increase the default RX/TX ring sizes to 1024/1024 to
accommodate for NICs with higher throughput (25G, 40G etc)
Signed-off-by: Kevin Laatz <kevin.laatz@intel.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Fixes: 3da37f6821 ("examples/ipsec_secgw: create session mempools for ethdevs")
Some NICs do not have the rte_security context, this patch fixes the segment fault
caused by this.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
IPSec application is using index 0 of SA table as error,
with current value of IPSEC_SA_MAX_ENTRIES(128) it can
not support SA with spi = 128, as it uses sa_idx = 0
in the SA table.
With this patch, sa_idx = 0 can also be used.
PS: spi = 0 is an invalid SPI and application throws error
for it.
Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")
Cc: stable@dpdk.org
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Previously, ipsec-secgw application did not give user the
flexibility to decide which crypto device(s) will be used.
In this patch, a new cryptodev_mask option is added to the
application. Same as portmask, the cryptodev_mask avails the
user to mask out the unwanted crypto devices in the system.
This patch is similar to the support added in l2fwd-crypto
(d2797f51cc: examples/l2fwd-crypto: add cryptodev mask option)
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Adding support for inline protocol processing
In ingress side, application will receive regular IP packets, without
any IPsec related info. Application will do a selector check (SP-SA
check) by making use of the metadata from the packet. The
device-specific metadata in mbuf would aid in determing the security
session which processed the packet.
In egress side, the plain packet would be submitted to the driver. The
packet will have optional metadata, which could be used to identify the
security session associated with the packet.
Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Reviewed-by: Akhil Goyal <akhil.goyal@nxp.com>
When security offload is enabled, the packet should be forwarded on the
port configured in the SA. Security session will be configured on that
port only, and sending the packet on other ports could result in
unencrypted packets being sent out.
This would have performance improvements too, as the per packet LPM
lookup would be avoided for IPsec packets, in inline mode.
Fixes: ec17993a14 ("examples/ipsec-secgw: support security offload")
Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Replace the BSD license header with the SPDX tag for files
with only an Intel copyright on them.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
All PCI functionality should be hidden from apps via the PCI bus driver,
the EAL and individual device drivers. Therefore remove the inclusion of
rte_pci.h from sample apps.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Ipsec-secgw application is modified so that it can support
following type of actions for crypto operations
1. full protocol offload using crypto devices.
2. inline ipsec using ethernet devices to perform crypto operations
3. full protocol offload using ethernet devices.
4. non protocol offload
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Declan Doherty <declan.doherty@intel.com>
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
AEAD algorithms were not being added in the mapping
between algorithms and crypto devices, only cipher and
authentication chained algorithms.
Fixes: 501e9c226a ("examples/ipsec-secgw: add AEAD parameters")
Cc: stable@dpdk.org
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
The session mempool pointer is needed in each queue pair,
if session-less operations are being handled.
Therefore, the API is changed to accept this parameter,
as the session mempool is created outside the
device configuration function, similar to what ethdev
does with the rx queues.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Change crypto device's session management to make it
device independent and simplify architecture when session
is intended to be used on more than one device.
Sessions private data is agnostic to underlying device
by adding an indirection in the sessions private data
using the crypto driver identifier.
A single session can contain indirections to multiple device types.
New function rte_cryptodev_sym_session_init has been created,
to initialize the driver private session data per driver to be
used on a same session, and rte_cryptodev_sym_session_clear
to clear this data before calling rte_cryptodev_sym_session_free.
Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Instead of creating the session mempool while configuring
the crypto device, apps will create the mempool themselves.
This way, it gives flexibility to the user to have a single
mempool for all devices (as long as the objects are big
enough to contain the biggest private session size) or
separate mempools for different drivers.
Also, since the mempool is now created outside the
device configuration function, now it needs to be passed
through this function, which will be eventually passed
when setting up the queue pairs, as ethernet devices do.
Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Since VF can not disable/enable HW CRC strip for non-DPDK PF drivers,
and kernel driver almost default enable that feature, if disable it in
example app's rxmode, VF driver will report the VF launch failure. So
this patch default to enable HW CRC strip to let VF launch successful.
Cc: stable@dpdk.org
Signed-off-by: Jeff Guo <jia.guo@intel.com>
Acked-by: Jingjing Wu <jingjing.wu@intel.com>
This patch extend next_hop field from 8-bits to 21-bits in LPM library
for IPv6.
Added versioning symbols to functions and updated
library and applications that have a dependency on LPM library.
Signed-off-by: Vladyslav Buslov <vladyslav.buslov@harmonicinc.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
The variable optind should be reset to one not zero.
From the man page:
"The variable optind is the index of the next element to be processed in
argv. The system initializes this value to 1.
The caller can reset it to 1 to restart scanning of the same argv, or when
scanning a new argument vector.”
The problem I saw with my application was trying to parse the wrong
option, which can happen as DPDK parses the first part of the command line
and the application parses the second part. If you call getopt() multiple
times in the same execution, the behavior is not maintained when using
zero for optind.
Signed-off-by: Keith Wiles <keith.wiles@intel.com>
Introduce a specific cryptodev queue size macro.
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Application will segfault if there is IPv4 or IPv6 and no SP/ACL rules
for IPv4 or IPv6 respectively.
Avoid checking the ACL/SP in such cases.
Fixes: 906257e965 ("examples/ipsec-secgw: support IPv6")
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
This patch adds the configuration file support to ipsec_secgw
sample application. Instead of hard-coded rules, the users can
specify their own SP, SA, and routing rules in the configuration
file. A command line option "-f" is added to pass the
configuration file location to the application.
Configuration item formats:
SP rule format:
sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip> \
<proto> <sport> <dport>
SA rule format:
sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> \
<mode> <src_ip> <dst_ip>
Routing rule format:
rt <ip_ver> <src_ip> <dst_ip> <port>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
The usual device sequence is configure, queue setup and start.
Crypto device should be started before use.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
When sending Inbound non IPSec traffic that matches an Inbound Security
Policy set to Protect, the code will check that the SPI of the packet
and the associated Security Association match.
That check should only be done for IPSec packets and results in SEGFAULT
when done on non IPSec packets.
Fixes: 906257e965 ("examples/ipsec-secgw: support IPv6")
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel.
We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6,
but a common SA table.
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Some architectures (ex: Power8) have a cache line size of 128 bytes,
so the drivers should not expect that prefetching the second part of
the mbuf with rte_prefetch0(&m->cacheline1) is valid.
This commit add helpers that can be used by drivers to prefetch the
rx or tx part of the mbuf, whatever the cache line size.
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Jerin Jacob <jerin.jacob@caviumnetworks.com>
The rte_eth_dev_count() function will never return a value greater
than RTE_MAX_ETHPORTS, so that checking is useless.
Signed-off-by: Mauricio Vasquez B <mauricio.vasquezbernal@studenti.polito.it>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
Define and use ETH_LINK_UP and ETH_LINK_DOWN where appropriate.
Signed-off-by: Marc Sune <marcdevel@gmail.com>
Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
In FreeBSD, sys/types.h and netinet/in.h need to be included before
netinet/ip.h
There were missed typedef for u_char - <sys/types.h>
There were missed network definitions - <netinet/in.h>
Failure #13: http://dpdk.org/ml/archives/test-report/2016-March/001896.html
Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")
Signed-off-by: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Sample app implementing an IPsec Security Geteway.
The main goal of this app is to show the use of cryptodev framework
in a "real world" application.
Currently only supported static IPv4 ESP IPsec tunnels for the following
algorithms:
- Cipher: AES-CBC, NULL
- Authentication: HMAC-SHA1, NULL
Not supported:
- SA auto negotiation (No IKE implementation)
- chained mbufs
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
