Commit Graph

20097 Commits

Author SHA1 Message Date
Kiran Kumar K
87195879a0 net/octeontx2: support enabling switch type
Adding support to configure specific switch types like high2 and dsa
on a port. When this switch type is configured, it is expected that
all the traffic on that port should be of specific type only.

Signed-off-by: Kiran Kumar K <kirankumark@marvell.com>
Acked-by: Jerin Jacob <jerinj@marvell.com>
2019-11-08 23:15:04 +01:00
Vamsi Attunuru
8f3afc1359 net/octeontx2: skip flow control on LBK ports
LBK interface does not support any flow control related
HW configurations.

Skip flow control set requests on LBK bound ethports.

Signed-off-by: Harman Kalra <hkalra@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Acked-by: Jerin Jacob <jerinj@marvell.com>
2019-11-08 23:15:04 +01:00
Vamsi Attunuru
25c6855d41 net/octeontx2: fix VF index in VF action
VF index needs to be checked against maxvf count
before incrementing it for preparing pf_func.

Fixes: 520270d518 ("net/octeontx2: support PF and VF action")
Cc: stable@dpdk.org

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Acked-by: Jerin Jacob <jerinj@marvell.com>
2019-11-08 23:15:04 +01:00
Shahed Shaikh
30b170b4a5 net/qede: fix setting VLAN strip mode
Commit 9a6d30ae6d ("net/qede: refactoring vport handling code")
deleted the code as part of refactoring which sets vlan strip mode.
Revert it back and fix vlan strip feature.

Fixes: 9a6d30ae6d ("net/qede: refactoring vport handling code")
Cc: stable@dpdk.org

Signed-off-by: Shahed Shaikh <shshaikh@marvell.com>
Reviewed-by: Rasesh Mody <rmody@marvell.com>
2019-11-08 23:15:04 +01:00
Shahed Shaikh
29bb154ff0 net/qede: fix setting MTU
New MTU value is not propagated to vport in HW when MTU update request
is sent while ports are stopped.

This patch fixes the logic error for above mentioned condition.

Fixes: d121a6b5f7 ("net/qede: fix VF MTU update")
Cc: stable@dpdk.org

Signed-off-by: Shahed Shaikh <shshaikh@marvell.com>
Reviewed-by: Rasesh Mody <rmody@marvell.com>
2019-11-08 23:15:04 +01:00
Rasesh Mody
58bb1ee4a5 net/qede/base: update FW to 8.40.33.0
In our testing we have identified a critical FW bug. Performance
is degraded significantly for certain packet sizes with 8.40.25.0 FW.

This patch updates the FW to version 8.40.33.0. The updated FW has a
fix to performance issue.

The patch also adds initialization for FW overlay RAM as part of
hardware initialization which is required by the new FW.

Fixes: 3b307c55f2 ("net/qede/base: update FW to 8.40.25.0")
Cc: stable@dpdk.org

Signed-off-by: Rasesh Mody <rmody@marvell.com>
2019-11-08 23:15:04 +01:00
Igor Chauskin
05817057fa net/ena: fix indication of bad L4 Rx checksums
Add checking of l4_csum_checked and frag flags before checking the
l4_csum_error flag.

In case of IP fragment/unchecked L4 csum - add PKT_RX_L4_CKSUM_UNKNOWN
flag to the indicated mbuf.

Fixes: 1173fca25a ("ena: add polling-mode driver")
Cc: stable@dpdk.org

Signed-off-by: Igor Chauskin <igorch@amazon.com>
Reviewed-by: Maciej Bielski <mba@semihalf.com>
Reviewed-by: Michal Krawczyk <mk@semihalf.com>
2019-11-08 23:15:04 +01:00
Ying A Wang
05e7bdf57a net/ice: fix flow director
Flow director rule can't be created when the flow table is nearly full.
The patch fixed this issue to enable created flows reaching the maximum
number.

Fixes: 1a2fc1799f ("net/ice: reject duplicated flow for flow director")

Signed-off-by: Ying A Wang <ying.a.wang@intel.com>
Acked-by: Xiaolong Ye <xiaolong.ye@intel.com>
2019-11-08 23:15:04 +01:00
Simei Su
16e255c4b9 net/ice: correct key length and queues check for RSS
This patch corrects key_len and queues check. The key_len and queues
are not supported to configure for RSS in rte_flow.

Fixes: 5ad3db8d4b ("net/ice: enable advanced RSS")

Signed-off-by: Simei Su <simei.su@intel.com>
Acked-by: Qi Zhang <qi.z.zhang@intel.com>
Acked-by: Xiaolong Ye <xiaolong.ye@intel.com>
2019-11-08 23:15:04 +01:00
Qi Zhang
fe33a6a65f net/ice/base: fix ptype mapping pollution from GTP flow
A new gtp flow's profile will capture other profile's non-gtp ptypes
which is unexpected. For example, a RSS flow for inner IP / UDP on
regular tunnel packet's behaviour will be changed by a following GTP RSS
rule where inner IP is the only inputset, since all tunnel ptypes have
been shifted from the first profile to the second one.

The patch fixes the issue by correcting the ptype mapping that prevents
the ptype shift.

Fixes: d1c2f76b44 ("net/ice/base: support GTP and PPPoE protocols")

Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
Tested-by: Simei Su <simei.su@intel.com>
Acked-by: Xiaolong Ye <xiaolong.ye@intel.com>
2019-11-08 23:15:04 +01:00
Simei Su
e5cc4e13f6 net/ice: fix RSS types check
This patch corrects logic error for checking rss->types to match
pattern in RSS action parser.

Fixes: 5ad3db8d4b ("net/ice: enable advanced RSS")

Signed-off-by: Simei Su <simei.su@intel.com>
Acked-by: Qi Zhang <qi.z.zhang@intel.com>
Acked-by: Xiaolong Ye <xiaolong.ye@intel.com>
2019-11-08 23:15:04 +01:00
Junyu Jiang
588ae95e79 net/bonding: fix port ID check
Port validation should be prior to getting device data
to avoid segment fault. This patch fixed the segment fault
caused by invalid port using.

Fixes: 6d72657ce3 ("net/bonding: add other aggregator modes")
Fixes: 112891cd27 ("net/bonding: add dedicated HW queues for LACP control")
Cc: stable@dpdk.org

Signed-off-by: Junyu Jiang <junyux.jiang@intel.com>
Acked-by: Chas Williams <chas3@att.com>
2019-11-08 23:15:04 +01:00
Dekel Peled
2eb5dce8c0 net/mlx5: fix LRO dependency to include DV flow
Rx queue for LRO is created using DevX. Flows created on this queue
must use the DV flow engine.

This patch adds check of dv_flow_en=1 when configuring LRO support
on device spawn.
Documentation is updated accordingly.

Fixes: 175f1c21d0 ("net/mlx5: check conditions to enable LRO")
Cc: stable@dpdk.org

Signed-off-by: Dekel Peled <dekelp@mellanox.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
2019-11-08 23:15:04 +01:00
Dekel Peled
af0b0743e2 net/mlx5: fix compilation directive
Glue function mlx5_glue_devx_qp_query() uses wrong directive
HAVE_IBV_DEVX_ASYNC by mistake.
This patch replaces the directive to HAVE_IBV_DEVX_OBJ, as required.

Fixes: 62d6f70f30 ("net/mlx5: add glue for queue query via DevX")
Cc: stable@dpdk.org

Signed-off-by: Dekel Peled <dekelp@mellanox.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
Acked-by: Matan Azrad <matan@mellanox.com>
2019-11-08 23:15:04 +01:00
Ying A Wang
4e27d3ed02 net/ice: fix flow API framework
In non-pipeline mode, switch should be used as FDIR'S backup.
The patch fixed rule can't be created when FDIR'S flow table is full.

Fixes: 7615a68950 ("net/ice: rework for generic flow enabling")

Signed-off-by: Ying A Wang <ying.a.wang@intel.com>
Acked-by: Qi Zhang <qi.z.zhang@intel.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
2019-11-08 23:15:04 +01:00
Shweta Choudaha
260dd69526 net/igb: fix PHY status if PHY reset is not blocked
When PHY reset is blocked as is the case when BMC is connected via NC-SI
do not set GO_LINKD bit in PHY power management register in dev_stop as
this will disconnect the PHY. Also, in dev_close clear the GO_LINKD
bit only if PHY reset is not blocked

Fixes: 3af34dec0b ("igb: force phy power up/down")
Cc: stable@dpdk.org

Signed-off-by: Shweta Choudaha <shweta.choudaha@att.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
2019-11-08 23:15:04 +01:00
Ying A Wang
4cf29798b4 net/ice: fix packet type table
The original packet type table's hw-ptype index to sw-ptype
mapping is wrong. This patch fixed the issue.

Fixes: ab9dccf09a ("net/ice: support packet type getting")
Cc: stable@dpdk.org

Signed-off-by: Ying A Wang <ying.a.wang@intel.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
2019-11-08 23:15:04 +01:00
Xiao Wang
84fff3425b net/fm10k: fix mbuf free in vector Rx
There's a corner case that all the Rx queue mbufs are allocated but none
of them is used, this patch fixes mbuf free for this case.

Fixes: b6719f8a04 ("fm10k: release mbuf for vector Rx")
Cc: stable@dpdk.org

Signed-off-by: Xiao Wang <xiao.w.wang@intel.com>
Signed-off-by: Anna Lukin <annal@silicom.co.il>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
2019-11-08 23:15:04 +01:00
Bruce Richardson
5ed3766981 drivers: process shared link dependencies as for libs
For the public APIs of DPDK libraries we run checks for correct use of
experimental tags, and also do dynamic generation of the version file to
its window's equivalent. Although must drivers don't export APIs, some do,
so these checks are relevant and should be copied from lib/meson.build to
drivers/meson.build.

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
2019-11-09 21:17:44 +01:00
Bruce Richardson
ff962da373 lib: check experimental symbols with meson
Call check-experimental-syms.sh script as part of the meson build to ensure
that all functions are correctly tagged.

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
2019-11-09 21:17:12 +01:00
Bruce Richardson
7b3a6d7e35 buildtools: remove make-specific from symbols check
The check-experimental-syms.sh script was finding the map-list-symbol.sh
script using $RTE_SDK, which is the variable set when using the "make"
build system. To make this script more independent, we just use the current
path of the script as the location to find its companion script.

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
2019-11-09 21:09:04 +01:00
Artur Trybula
6bbc5a9236 test/compress: refactor unit tests
Core engine refactoring (test_deflate_comp_decomp function).
Smaller specialized functions created.

Signed-off-by: Artur Trybula <arturx.trybula@intel.com>
Acked-by: Adam Dybkowski <adamx.dybkowski@intel.com>
Acked-by: Shally Verma <shallyv@marvell.com>
2019-11-08 13:53:09 +01:00
Thierry Herbelot
67ab783b5d crypto/openssl: use local copy for session contexts
Session contexts are used for temporary storage when processing a
packet.
If packets for the same session are to be processed simultaneously on
multiple cores, separate contexts must be used.

Note: with openssl 1.1.1 EVP_CIPHER_CTX can no longer be defined as a
variable on the stack: it must be allocated. This in turn reduces the
performance.

Fixes: d61f70b4c9 ("crypto/libcrypto: add driver for OpenSSL library")
Cc: stable@dpdk.org

Signed-off-by: Thierry Herbelot <thierry.herbelot@6wind.com>
2019-11-08 13:51:16 +01:00
Nipun Gupta
3ffce51a1f crypto/dpaa2_sec: add enqueue retry timeout
This patch adds retry in the DPAA2 SEC packet enqueue API

Signed-off-by: Nipun Gupta <nipun.gupta@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
a37ce227a8 crypto/dpaax_sec: enable anti replay window config
This patch usages the anti replay window size to config
the anti replay checking  in decap path for lookaside
IPSEC offload

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Konstantin Ananyev
6909014946 examples/ipsec-secgw: fix library mode selection in tests
Right now majority of lib mode functional tests enable
library mode with '-w N' option.
It worked till recently, as legacy mode didn't support replay window.
Now it changed.
To fix - use '-l' option to enable library mode explicitly.

Fixes: 9297844520 ("examples/ipsec-secgw: add scripts for functional test")

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
0f56ca1aae ipsec: remove redundant replay window size
The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.

The relevant tests, app are also update to reflect
the usages.

Note that esn and anti-replay fileds were earlier used
only for ipsec library, they were enabling the libipsec
by default. With this change esn and anti-replay setting
will not automatically enabled libipsec.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
d5411b9a3d security: add anti replay window size
At present the ipsec xfrom is missing the important step
to configure the anti replay window size.
The newly added field will also help in to enable or disable
the anti replay checking, if available in offload by means
of non-zero or zero value.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Vakul Garg
2fcf3f70d1 examples/ipsec-secgw: fix SHA256-HMAC digest length
As per RFC4868, SHA-256 should use 128 bits of ICV.
Fixes: b5350285ce ("examples/ipsec-secgw: support SHA256 HMAC")
Cc: stable@dpdk.org

Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Vakul Garg
1cdfbb0b83 crypto/dpaax_sec: enable IPsec AES-CTR to use nonce
The protocol aware ipsec descriptor has been modified to
use ctr_initial value of 1 and salt configured for ipsec SA.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Vakul Garg
5906b0ad0f crypto/dpaax_sec: use AES-CTR initial counter as 1
As per RFC3686, the initial aes-ctr counter value should be '1' for use
in ipsec. The patches changes SEC descriptor for using correct counter
value. In addition, it drops a redundant parameter for passing IV while
creating the descriptor.

This patch adds changes for all NXP crypto PMDs

Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Gagandeep Singh
fd900d3853 crypto/dpaa_sec: use macros in queue attach and detach
Align the cleanup and allocation for the queues.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Gagandeep Singh
686bbb70cf crypto/dpaa2_sec: remove redundant checks
This patch remove redundant context type checks.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
247b69083e crypto/dpaax_sec: warn on truncated SHA-256
This patch throw the warning when using truncated digest
len for SHA256 case.
As per RFC4868, SHA-256 should use 128 bits of ICV.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
cd60a8680f test/crypto: enable additional cases for dpaax
This patch enables short buffer and 12 bit IV AES-CTR cases
for dpaax_sec pmds.

Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
2c318722fe crypto/dpaa_sec: support AES-GCM for lookaside protocol
This patch add support for AES-128-GCM, when used in
lookaside protocol offload case.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
c1ff974908 crypto/dpaa2_sec: support AES-GCM for lookaside protocol
AES-GCM is now supported for lookaside protocol offload also.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
f73d6928e0 crypto/dpaa_sec: support null cipher and null auth
These are supported when using protocol offload mode or when
in chain mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
a4e4a71cb1 crypto/dpaa2_sec: support null cipher and null auth
These are supported when using protocol offload mode or in chain mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
e1e52232b5 crypto/dpaa_sec: add check for session validity
Check if the session is not null during processing.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
447a5d4029 crypto/dpaa2_sec: add check for session validity
Check if the session is not null during processing.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Hemant Agrawal
91413a88e7 crypto/dpaa_sec: fix PDCP capability flags
set the pdcp capa_flags to 0 by default.

Fixes: a1173d5559 ("crypto/dpaa_sec: support PDCP offload")
Cc: stable@dpdk.org

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Pablo de Lara
4b70152374 crypto/aesni_gcm: support in-place chained mbufs
IPSec Multi buffer library supports encryption on multiple segments.
When dealing with chained buffers (multiple segments), as long as
the operation is in-place, the destination buffer does not have to
be contiguous (unlike in the case of out-of-place operation).
Therefore, the limitation of not supporting in-place chained mbuf
can be removed.

Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2019-11-08 13:51:16 +01:00
Pablo de Lara
d91dc58356 doc: support IPsec Multi-buffer lib v0.53
Updated AESNI MB and AESNI GCM PMD documentation guides
with information about the latest Intel IPSec Multi-buffer
library supported.

Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2019-11-08 13:51:16 +01:00
Marcin Smoczynski
ce00b504f1 examples/ipsec-secgw: fix GCM IV length
The example IPsec application does not work properly when using
AES-GCM with crypto_openssl.

ESP with AES-GCM uses standard 96bit long algorithm IV ([1]) which
later concatenated with be32(1) forms a J0 block. GCM specification
([2], chapter 7.1) states that when length of IV is different than
96b, in order to format a J0 block, GHASH function must be used.

According to specification ([2], chapter 5.1.1) GCM implementations
should support standard 96bit IVs, other lengths are optional. Every
DPDK cryptodev supports 96bit IV and few of them supports 128bit
IV as well (openssl, mrvl, ccp). When passing iv::length=16 to a
cryptodev which does support standard IVs only (e.g. qat) it
implicitly uses starting 96 bits. On the other hand, openssl follows
specification and uses GHASH to compute J0 for that case which results
in different than expected J0 values used for encryption/decryption.

Fix an inability to use AES-GCM with crypto_openssl by changing IV
length to the standard value of 12.

[1] RFC4106, section "4. Nonce format" and "3.1. Initialization Vector"
    https://tools.ietf.org/html/rfc4106
[2] NIST SP800-38D
    https://csrc.nist.gov/publications/detail/sp/800-38d/final

Fixes: 0fbd75a99f ("cryptodev: move IV parameters to session")
Cc: stable@dpdk.org

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Akhil Goyal
4bc65cf119 crypto/dpaa2_sec: fix length retrieved from hardware
FD retrieved from SEC after crypto processing provides
an updated length of the buffer which need to be updated
in mbuf. The difference in length can be negative hence
changing diff to int32_t from uint32_t.

Fixes: 0a23d4b6f4 ("crypto/dpaa2_sec: support protocol offload IPsec")
Cc: stable@dpdk.org

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-11-08 13:51:16 +01:00
Vladimir Medvedkin
3e43647cd6 app/test-sad: add sanity checks
Coverity reported about two division by zero:
*** CID 350344:  Incorrect expression  (DIVIDE_BY_ZERO)
Although in fact these dividers will never be equal to 0,
adding explicit checks in lookup() to make coverity happy
will not affect the execution speed.

Fixes: 908be0651a ("app/test-sad: add test application for IPsec SAD")

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-11-08 13:51:16 +01:00
Marcin Smoczynski
403e9d914b examples/ipsec-secgw: add offload fallback tests
Add tests for offload fallback feature; add inbound config modificator
SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound
SAs). Tests are using cryptodev for outbound SA.

To test fragmentation with QAT set:
MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x5555"

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-11-08 13:51:16 +01:00
Marcin Smoczynski
bba1db3520 examples/ipsec-secgw: add fragment TTL option
Due to fragment loss on highly saturated links and long fragment
lifetime, ipsec-secgw application quickly runs out of free reassembly
buckets. As a result new fragments are being dropped.

Introduce --frag-ttl option which allow user to lower default fragment
lifetime which solves problem of saturated reassembly buckets with high
bandwidth fragmented traffic.

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-11-08 13:51:16 +01:00
Marcin Smoczynski
ba66534fc7 examples/ipsec-secgw: support fallback session
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.

Introduce fallback session for inline crypto processing allowing
handling packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' parameter
to an SA configuration. Only 'inline-crypto-offload" as a primary
session and 'lookaside-none' as a fall-back session combination is
supported by this patch.

Fallback session feature is not available in the legacy mode.

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-11-08 13:51:16 +01:00