rte_eth_dev_info_get() return value was changed from void to
int, so this patch modify rte_eth_dev_info_get() usage across
examples/ipsec-secgw according to its new return type.
Signed-off-by: Ivan Ilchenko <ivan.ilchenko@oktetlabs.ru>
Signed-off-by: Andrew Rybchenko <arybchenko@solarflare.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Update Scapy version requirement from 2.4.3rc1 to 2.4.3, which has been
used because 2.4.2 had a bug which made this version unable to install.
Accept future versions of Scapy too.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
When sending an encrypted packet which size after encapsulation exceeds
MTU, ipsec-secgw application tries to fragment it. If --reassemble
option has not been set it results with a segmantation fault, because
fragmentation buckets have not been initialized.
Fix crashing by adding extra check if --ressemble option has not been
set and packet exceeds MTU after encapsulation - drop it.
Fixes: b01d1cd213 ("examples/ipsec-secgw: support fragmentation and reassembly")
Cc: stable@dpdk.org
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
IPv6 tunnels are already supported in case of inline and
lookaside none cases. In case of protocol offload, the details
for IPv6 header need to be added in session configuration
for security session create.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
For unknown/unsupported packets, the packet would get checked for inline
offloads after the packet is freed.
Fixes: 0ccfd14bc10d ("examples/ipsec-secgw: support inline protocol")
Cc: stable@dpdk.org
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Check the return value of the rte_eth_dev_rss_hash_conf_get function.
Coverity issue: 344970
Fixes: 3a690d5a65e2 ("examples/ipsec-secgw: fix first packet with inline crypto")
Cc: stable@dpdk.org
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Remove workaround in tun_aesgcm_defs.sh and trs_aesgcm_defs.sh
to get around the bug where the first inbound packet is dropped
for inline crypto.
Fixes: 929784452094 ("examples/ipsec-secgw: add scripts for functional test")
Cc: stable@dpdk.org
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Inline crypto installs a flow rule in the NIC. This flow
rule must be installed before the first inbound packet is
received.
The create_session() function installs the flow rule,
create_session() has been refactored into create_inline_session()
and create_lookaside_session(). The create_inline_session() function
uses the socket_ctx data and is now called at initialisation in
sa_add_rules().
The max_session_size() function has been added to calculate memory
requirements.
The cryprodev_init() function has been refactored to drop calls to
rte_mempool_create() and to drop calculation of memory requirements.
The main() function has been refactored to call max_session_size() and
to call session_pool_init() and session_priv_pool_init() earlier.
The ports are started now before adding a flow rule in main().
The sa_init(), sp4_init(), sp6_init() and rt_init() functions are
now called after the ports have been started.
The rte_ipsec_session_prepare() function is called in fill_ipsec_session()
for inline which is called from the ipsec_sa_init() function.
Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Cc: stable@dpdk.org
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch add parameter --mtu parse key and enumeration value.
Fixes: b01d1cd213d2 ("examples/ipsec-secgw: support fragmentation and reassembly")
Signed-off-by: Tao Zhu <taox.zhu@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Modify ipsec-secgw example app to use rte_eth_dev_info_get instead of
rte_eth_dev.
Apps should not be using internal DPDK data structures directly.
Fixes: a4677f78368b ("examples/ipsec-secgw: add target queues in flow actions")
Cc: stable@dpdk.org
Signed-off-by: Marcin Zapolski <marcinx.a.zapolski@intel.com>
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
This patch updates the ipsec-secgw application to support
header reconstruction. In addition a series of tests have
been added to prove the implementation's correctness.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Add simple test-case with all traffic in BYPASS mode.
Useful for some basic test of your network environment.
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Add optional ability to fragment packet bigger then mtu,
and reassemble fragmented packet.
To minimize possible performance effect, reassembly is
implemented as RX callback.
To support these features ipsec-secgw relies on librte_ipsec ability
to handle multi-segment packets.
Also when reassemble/fragmentation support is enabled, attached
crypto devices have to support 'In Place SGL' offload capability.
To enable/disable this functionality, two new optional command-line
options are introduced:
--reassemble <val> - number of entries in reassemble table
--mtu <val> - MTU value for all attached ports
As separate '--mtu' option is introduced, '-j <val>' option is now used
to specify mbuf data buffer size only.
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
for packets smaller then 64B some NICs reports pkt_len=64B.
As ipsec-secgw (and librte_ipsec) relies on pkt_len value to determine
payload length, that causes problems for small packets.
To fix the issue, check that pkt_len matches values in IPv4/IPv6 header
and re-adjust pkt_len if necessary.
Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Cc: stable@dpdk.org
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Application ipsec-secgw is not working for IPv4 transport mode and for
IPv6 both transport and tunnel mode.
IPv6 tunnel mode is not working due to wrongly assigned fields of
security association patterns, as it was IPv4, during creation of
inline crypto session.
IPv6 and IPv4 transport mode is iterating through security capabilities
until it reaches tunnel, which causes session to be created as tunnel,
instead of transport. Another issue, is that config file does not
provide source and destination ip addresses for transport mode, which
are required by NIC to perform inline crypto. It uses default addresses
stored in security association (all zeroes), which causes dropped
packages.
To fix that, reorganization of code in create_session() is needed,
to behave appropriately to given protocol (IPv6/IPv4). Change in
iteration through security capabilities is also required, to check
for expected mode (not only tunnel).
For lack of addresses issue, some resolving mechanism is needed.
Approach is to store addresses in security association, as it is
for tunnel mode. Difference is that they are obtained from sp rules,
instead of config file. To do that, sp[4/6]_spi_present() function
is used to find addresses based on spi value, and then stored in
corresponding sa rule. This approach assumes, that every sp rule
for inline crypto have valid addresses, as well as range of addresses
is not supported.
New flags for ipsec_sa structure are required to distinguish between
IPv4 and IPv6 transport modes. Because of that, there is need to
change all checks done on these flags, so they work as expected.
Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
Cc: stable@dpdk.org
Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Add new unittest-like mechanism which uses scapy to craft custom
packets and a set of assertions to check how ipsec-secgw example
application is processing them. Python3 with scapy module is
required by pkttest.sh to run test scripts.
A new mechanism is used to test IPv6 transport mode traffic with
header extensions (trs_ipv6opts.py).
Fix incomplete test log problem by disabling buffering of ipsec-secgw
standard output with stdbuf application.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Using transport with IPv6 and header extensions requires calculating
total header length including extensions up to ESP header which is
achieved with iteratively parsing extensions when preparing traffic
for processing. Calculated l3_len is later used to determine SPI
field offset for an inbound traffic and to reconstruct L3 header by
librte_ipsec.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Adding a new field, ff_disable, to allow applications to control the
features enabled on the crypto device. This would allow for efficient
usage of HW/SW offloads.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Make versions before 4.2 did not have support for the .SHELLSTATUS
variable, so use another method to detect shell success.
Fixes: 22119c4591a0 ("examples: use pkg-config in makefiles")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
For testing of DPDK, we want to override the prefix given by the
pkg-config file, so that we can get correct paths for DPDK installed
in an unusual location.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
Since we change these macros, we might as well avoid triggering complaints
from checkpatch because of mixed case.
old=RTE_IPv4
new=RTE_IPV4
git grep -lw $old | xargs sed -i -e "s/\<$old\>/$new/g"
old=RTE_ETHER_TYPE_IPv4
new=RTE_ETHER_TYPE_IPV4
git grep -lw $old | xargs sed -i -e "s/\<$old\>/$new/g"
old=RTE_ETHER_TYPE_IPv6
new=RTE_ETHER_TYPE_IPV6
git grep -lw $old | xargs sed -i -e "s/\<$old\>/$new/g"
Signed-off-by: David Marchand <david.marchand@redhat.com>
Reviewed-by: Olivier Matz <olivier.matz@6wind.com>
Add 'RTE_' prefix to defines:
- rename ETHER_ADDR_LEN as RTE_ETHER_ADDR_LEN.
- rename ETHER_TYPE_LEN as RTE_ETHER_TYPE_LEN.
- rename ETHER_CRC_LEN as RTE_ETHER_CRC_LEN.
- rename ETHER_HDR_LEN as RTE_ETHER_HDR_LEN.
- rename ETHER_MIN_LEN as RTE_ETHER_MIN_LEN.
- rename ETHER_MAX_LEN as RTE_ETHER_MAX_LEN.
- rename ETHER_MTU as RTE_ETHER_MTU.
- rename ETHER_MAX_VLAN_FRAME_LEN as RTE_ETHER_MAX_VLAN_FRAME_LEN.
- rename ETHER_MAX_VLAN_ID as RTE_ETHER_MAX_VLAN_ID.
- rename ETHER_MAX_JUMBO_FRAME_LEN as RTE_ETHER_MAX_JUMBO_FRAME_LEN.
- rename ETHER_MIN_MTU as RTE_ETHER_MIN_MTU.
- rename ETHER_LOCAL_ADMIN_ADDR as RTE_ETHER_LOCAL_ADMIN_ADDR.
- rename ETHER_GROUP_ADDR as RTE_ETHER_GROUP_ADDR.
- rename ETHER_TYPE_IPv4 as RTE_ETHER_TYPE_IPv4.
- rename ETHER_TYPE_IPv6 as RTE_ETHER_TYPE_IPv6.
- rename ETHER_TYPE_ARP as RTE_ETHER_TYPE_ARP.
- rename ETHER_TYPE_VLAN as RTE_ETHER_TYPE_VLAN.
- rename ETHER_TYPE_RARP as RTE_ETHER_TYPE_RARP.
- rename ETHER_TYPE_QINQ as RTE_ETHER_TYPE_QINQ.
- rename ETHER_TYPE_ETAG as RTE_ETHER_TYPE_ETAG.
- rename ETHER_TYPE_1588 as RTE_ETHER_TYPE_1588.
- rename ETHER_TYPE_SLOW as RTE_ETHER_TYPE_SLOW.
- rename ETHER_TYPE_TEB as RTE_ETHER_TYPE_TEB.
- rename ETHER_TYPE_LLDP as RTE_ETHER_TYPE_LLDP.
- rename ETHER_TYPE_MPLS as RTE_ETHER_TYPE_MPLS.
- rename ETHER_TYPE_MPLSM as RTE_ETHER_TYPE_MPLSM.
- rename ETHER_VXLAN_HLEN as RTE_ETHER_VXLAN_HLEN.
- rename ETHER_ADDR_FMT_SIZE as RTE_ETHER_ADDR_FMT_SIZE.
- rename VXLAN_GPE_TYPE_IPV4 as RTE_VXLAN_GPE_TYPE_IPV4.
- rename VXLAN_GPE_TYPE_IPV6 as RTE_VXLAN_GPE_TYPE_IPV6.
- rename VXLAN_GPE_TYPE_ETH as RTE_VXLAN_GPE_TYPE_ETH.
- rename VXLAN_GPE_TYPE_NSH as RTE_VXLAN_GPE_TYPE_NSH.
- rename VXLAN_GPE_TYPE_MPLS as RTE_VXLAN_GPE_TYPE_MPLS.
- rename VXLAN_GPE_TYPE_GBP as RTE_VXLAN_GPE_TYPE_GBP.
- rename VXLAN_GPE_TYPE_VBNG as RTE_VXLAN_GPE_TYPE_VBNG.
- rename ETHER_VXLAN_GPE_HLEN as RTE_ETHER_VXLAN_GPE_HLEN.
Do not update the command line library to avoid adding a dependency to
librte_net.
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
Add 'rte_' prefix to structures:
- rename struct ether_addr as struct rte_ether_addr.
- rename struct ether_hdr as struct rte_ether_hdr.
- rename struct vlan_hdr as struct rte_vlan_hdr.
- rename struct vxlan_hdr as struct rte_vxlan_hdr.
- rename struct vxlan_gpe_hdr as struct rte_vxlan_gpe_hdr.
Do not update the command line library to avoid adding a dependency to
librte_net.
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
The "make clean" command had a number of issues:
- the "--ignore-fail-on-non-empty" flag is not present on BSD
- the call to remove the build folder would fail if there was no build
folder present.
These are fixed by only removing the build folder if it exists, and by
using -p flag to rmdir in place of --ignore-fail-on-non-empty
Fixes: 22119c4591a0 ("examples: use pkg-config in makefiles")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
Fix invalid indentation - extra whitespace before error directive which
is causing syntax error when no pkgconfig file for the DPDK is found and
RTE_SDK is not specified.
Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Cc: stable@dpdk.org
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Currently, two separate mempools are being used for creating crypto
sessions and its private data.
crypto sessions are created and initialized separately, so a separate
mempool is passed to each API, but in case of security sessions, where
only one API create and initialize the private data as well.
So if session mempool is passed to create a security session, the
mempool element size is not sufficient enough to hold the private
data as well.
As a perfect solution, the security session create API should take 2
mempools for header and private data and initiatlize accordingly,
but that would mean an API breakage, which will be done in the next
release cycle. So introducing this patch as a workaround to resolve this
issue.
Fixes: 261bbff75e34 ("examples: use separate crypto session mempools")
Cc: stable@dpdk.org
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
acl_classify() returns zero value when no matching rule was found.
Currently ipsec-secgw treats it as a valid SPI value, though it has
to discard such packets.
Error could be easily observed by sending outbound unmatched packets,
user will see something like that in the log:
IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0
To fix it we need to treat packets with zero result from acl_classify()
as invalid ones. Also we can change DISCARD and BYPASS values to
simplify checks and save some extra space for valid SPI values.
To summarize the approach:
1. have special SPI values for DISCARD and BYPASS.
2. store in SPD full SPI value.
3. after acl_classify(), first check SPI value for DISCARD and BYPASS,
then convert it in SA index.
4. add check at initilisation time that for each SPD rule there is a
corresponding SA entry (with the same SPI).
Also marked few global variables as *static*.
Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Fixes: 2a5106af132b ("examples/ipsec-secgw: fix corner case for SPI value")
Cc: stable@dpdk.org
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Most examples have in their makefiles a default RTE_TARGET directory to be
used in case RTE_TARGET is not set. Rather than just using a hard-coded
default, we can instead detect what the build directory is relative to
RTE_SDK directory.
This fixes a potential issue for anyone who continues to build using
"make install T=x86_64-native-linuxapp-gcc" and skips setting RTE_TARGET
explicitly, instead relying on the fact that they were building in a
directory which corresponded to the example default path - which was
changed to "x86_64-native-linux-gcc" by commit 218c4e68c1d9 ("mk: use
linux and freebsd in config names").
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.
Updated a bit on common_defs to use "mktemp" instead of "tempfile"
as Fedora does not like the command.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Improve debug code in esp.c, sa.c and ipsec-secgw.c
Fixes: f159e70b0922 ("examples/ipsec-secgw: support transport mode")
Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Fixes: 0d547ed03717 ("examples/ipsec-secgw: support configuration file")
Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Cc: stable@dpdk.org
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch fixes the incorrect block size for AES-CTR in
legacy mode. Originally, wrong block size will cause
esp_inbound() drop AES-CTR encrypted packets if the payload
sizes not equal to multiple times of 16.
Fixes: 4470c22de2e1 ("examples/ipsec-secgw: add AES-CTR")
Cc: stable@dpdk.org
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Rather than using linuxapp and bsdapp everywhere, we can change things to
use the, more readable, terms "linux" and "freebsd" in our build configs.
Rather than renaming the configs we can just duplicate the existing ones
with the new names using symlinks, and use the new names exclusively
internally. ["make showconfigs" also only shows the new names to keep the
list short] The result is that backward compatibility is kept fully but any
new builds or development can be done using the newer names, i.e. both
"make config T=x86_64-native-linuxapp-gcc" and "T=x86_64-native-linux-gcc"
work.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
The purpose of these scripts is to automate ipsec-secgw functional testing.
The scripts require two machines (SUT and DUT) connected through
at least 2 NICs and running linux (so far tested only on Ubuntu 18.04).
Introduced test-cases for the following scenarios:
- Transport/Tunnel modes
- AES-CBC SHA1
- AES-GCM
- ESN on/off
- legacy/librte_ipsec code path
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Changes to make ipsec-secgw data-path code to utilize librte_ipsec library.
Note that right now by default current (non-librte_ipsec) code-path will
be used. User has to run application with new command-line option ('-l')
to enable new codepath.
Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Changes to make ipsec-secgw to utilize librte_ipsec library.
That patch provides:
- changes in the related data structures.
- changes in the initialization code.
- new command-line parameters to enable librte_ipsec codepath
and related features.
Note that right now by default current (non-librte_ipsec) code-path will
be used. User has to run application with new command-line option ('-l')
to enable new codepath.
The main reason for that:
- current librte_ipsec doesn't support all ipsec algorithms
and features that the app does.
- allow users to run both versions in parallel for some time
to figure out any functional or performance degradation with the
new code.
It is planned to deprecate and remove non-librte_ipsec code path
in future releases.
Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
In the inbound_sa_check() make sure that sa pointer stored
inside mbuf private area is not NULL.
Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Cc: stable@dpdk.org
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
in sp4.c and sp6.c there are few globals that used only locally.
Define them as static ones.
Cc: stable@dpdk.org
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Looking at process_pkts_outbound_nosp() there seems few issues:
- accessing mbuf after it was freed
- invoking ipsec_outbound() for ipv4 packets only
- copying number of packets, but not the mbuf pointers itself
that patch provides fixes for that issues.
Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Cc: stable@dpdk.org
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
In some cases crypto-ops could never be dequeued from the crypto-device.
The easiest way to reproduce:
start ipsec-secgw with crypto-dev and send to it less then 32 packets.
none packets will be forwarded.
Reason for that is that the application does dequeue() from crypto-queues
only when new packets arrive.
This patch makes the app to call dequeue() on a regular basis.
Also to make code cleaner and easier to understand,
it separates crypto-dev enqueue() and dequeue() code paths.
pkt_process() now only enqueues packets into crypto device,
dequeuing and final processing is done by drain_crypto_queues().
Fixes: c64278c0c18b ("examples/ipsec-secgw: rework processing loop")
Cc: stable@dpdk.org
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
