In inline protocol inbound SA's, plain IPv4 and IPv6 packets are
delivered to application unlike inline crypto or lookaside.
Hence fix the application to not drop them when working in
single SA mode.
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Remove the unnecessary header file rte_atomic.h
included in example module.
Signed-off-by: Joyce Kong <joyce.kong@arm.com>
Signed-off-by: Dharmik Thakkar <dharmik.thakkar@arm.com>
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>
Use mbuf packet type for traffic identification as
packet is parsed already by HW before and HW/PMD updates
necessary info in mbuf packet type of the found protocols.
This change is specifically for event mode.
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Definition of `rte_ether_addr` structure used a workaround allowing DPDK
and Windows SDK headers to be used in the same file, because Windows SDK
defines `s_addr` as a macro. Rename `s_addr` to `src_addr` and `d_addr`
to `dst_addr` to avoid the conflict and remove the workaround.
Deprecation notice:
https://mails.dpdk.org/archives/dev/2021-July/215270.html
Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
Soft expiry is not a mandatory IPsec feature. It is verified separately
with IPsec unit tests. So configuration of the same is not required.
Also, soft expiry tracking can cause perf degradation with some PMDs.
Since a separate UT is available and the same setting in ipsec-secgw is
not verifying the functionality, remove the same by clearing life
configuration.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.
In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.
In case of hard expiry, the packets will not be IPsec processed and
would result in error.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Documentation specifies that flow port & queue is provided as,
<...> port 0 queue 0
But code is expecting the same as,
<...> port 0 0
Fix the above to match documentation.
Fixes: 8e693616fcb2 ("examples/ipsec-secgw: enable flow based distribution")
Cc: stable@dpdk.org
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Update mbuf.l2_len with L2 header size for outbound
inline processing.
This patch also fixes a bug in arg parsing.
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Recent patch to support UDP encapsulation introduced problem with
handling inbound IPv6 packets with header extensions.
This patch aims to fix the issue.
Bugzilla ID: 695
Fixes: 9a1cc8f1ed74 ("examples/ipsec-secgw: support UDP encapsulation")
Reported-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Move pkg-config override to beginning in the Makefile to allow
use PKGCONF variable to detect the libdpdk availability.
Fixes: fda34680eb9a ("examples: remove legacy sections of makefiles")
Cc: stable@dpdk.org
Signed-off-by: Jerin Jacob <jerinj@marvell.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
According to the programming guide, the rte_eal_init should be used pairs
with rte_eal_cleanup.
This patch add rte_eal_cleanup to examples to encourage new users of
DPDK to use it.
Fixes: aec9c13c5257 ("eal: add function to release internal resources")
Fixes: 3d0fad56b74a ("examples/fips_validation: add crypto FIPS application")
Fixes: c8e6ceecebc1 ("examples/ioat: add new sample app for ioat driver")
Fixes: 4ff457986f76 ("examples/l2fwd-event: add default poll mode routines")
Fixes: 08bd1a174461 ("examples/l3fwd-graph: add graph-based l3fwd skeleton")
Fixes: c5eebf85badc ("examples/ntb: add example for NTB")
Fixes: b77f66002812 ("examples/pipeline: add new example application")
Fixes: edbed86d1cc3 ("examples/vdpa: introduce a new sample for vDPA")
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Fixes: f5188211c721 ("examples/vhost_crypto: add sample application")
Cc: stable@dpdk.org
Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
As with the lib and drivers directories, we can use "continue" keyword to
reduce the indentation level of the majority of the foreach block. At the
same time, we can also replace tab indentation with spaces.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Adding lookaside IPsec UDP encapsulation support
for NAT traversal.
Application has to add udp-encap option to sa config file
to enable UDP encapsulation on the SA.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Since the examples are designed to be built by end-users using Make, we
can detect and warn about broken pkg-config on the user's system as part
of the build process.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Replace -w / --pci-whitelist with -a / --allow options
and --pci-blacklist with --block.
The -b short option remains unchanged.
Allow the old options for now, but print a nag
warning since old options are deprecated.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
flow.c: In function ‘parse_flow_tokens’:
flow.c:153:23: error: taking address of packed member of ‘struct
rte_ipv4_hdr’ may result in an unaligned pointer value
[-Werror=address-of-packed-member]
153 | if (ipv4_addr_cpy(&rule->ipv4.spec.hdr.src_addr,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
flow.c:154:9: error: taking address of packed member of ‘struct
rte_ipv4_hdr’ may result in an unaligned pointer value
[-Werror=address-of-packed-member]
154 | &rule->ipv4.mask.hdr.src_addr,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
flow.c:170:23: error: taking address of packed member of ‘struct
rte_ipv4_hdr’ may result in an unaligned pointer value
[-Werror=address-of-packed-member]
170 | if (ipv4_addr_cpy(&rule->ipv4.spec.hdr.dst_addr,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
flow.c:171:9: error: taking address of packed member of ‘struct
rte_ipv4_hdr’ may result in an unaligned pointer value
[-Werror=address-of-packed-member]
171 | &rule->ipv4.mask.hdr.dst_addr,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Meson build is fine since we waive those warnings.
Replicate it for make.
Fixes: 8e693616fcb2 ("examples/ipsec-secgw: enable flow based distribution")
Cc: stable@dpdk.org
Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
cmdline_numtype member names clash with Windows system identifiers.
Add RTE_ prefix to cmdline constants to avoid this and possible
future conflicts.
Suggested-by: Ranjit Menon <ranjit.menon@intel.com>
Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
Acked-by: Ranjit Menon <ranjit.menon@intel.com>
Acked-by: Jie Zhou <jizh@microsoft.com>
Tested-by: Jie Zhou <jizh@microsoft.com>
Acked-by: Olivier Matz <olivier.matz@6wind.com>
Creation of a session mempool may fail in the case of a single lcore
and a low number of SA.
In case when there is only one lcore and number of configures SA less
then (0.5 * CDEV_MP_CACHE_SZ) then creation of the mempool fails with
EINVAL. This is because the number of requested items is less than
(cache size * CDEV_MP_CACHE_MULTIPLIER).
Hence, the number of elements in mempool is increased in such cases.
Fixes: e30b2833c47c ("security: update session create API")
Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
The device-specific metadata was stored in the deprecated field udata64.
It is moved to a dynamic mbuf field in order to allow removal of udata64.
The name rte_security_dynfield is not very descriptive
but it should be replaced later by separate fields for each type of data
that drivers pass to the upper layer.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Haiyue Wang <haiyue.wang@intel.com>
inet_pton4 and inet_pton6 was reimplemented. Replace implementation of
inet_pton4 and inet_pton6 with libc inet_pton function
Bugzilla ID: 365
Fixes: 0d547ed03717 ("examples/ipsec-secgw: support configuration file")
Reported-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Ibtisam Tariq <ibtisam.tariq@emumba.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: David Marchand <david.marchand@redhat.com>
Replace master lcore with main lcore and
replace slave lcore with worker lcore.
Keep the old functions and macros but mark them as deprecated
for this release.
The "--master-lcore" command line option is also deprecated
and any usage will print a warning and use "--main-lcore"
as replacement.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the number of
sessions needed and will also lead to wastage of memory as
session private data need more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Reviewed-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Tested-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
rte_eth_dev_stop() return value was changed from void to int,
so this patch modify usage of this function across examples
according to new return type.
Signed-off-by: Ivan Ilchenko <ivan.ilchenko@oktetlabs.ru>
Signed-off-by: Andrew Rybchenko <arybchenko@solarflare.com>
Add usage of rte_eth_link_to_str function to example
applications.
Signed-off-by: Ivan Dyukov <i.dyukov@samsung.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
Remove the references to RTE_SDK and RTE_TARGET environment variables from
the build instructions in the comments of the various BPF files, and in
the ipsec-secgw common definition script.
Signed-off-by: Ciara Power <ciara.power@intel.com>
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
The example app makefiles contained sections using the legacy method of
compiling with make. These are no longer needed, and are removed,
leaving only the section that uses pkg-config for the make build.
Signed-off-by: Ciara Power <ciara.power@intel.com>
Acked-by: Nicolas Chautru <nicolas.chautru@intel.com>
RTE_FLOW API allows hardware parsing and steering of packets to specific
queues which helps in distributing ingress traffic across various cores.
Adding 'flow' rules allows user to specify the distribution required.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Adding per core packet handling stats to analyze traffic distribution
when multiple cores are engaged.
Since aggregating the packet stats across cores would affect
performance, keeping the feature disabled using compile time flags.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Rather than setting -Bstatic in the linker flags when doing a static link,
and then having to explicitly set -Bdynamic again afterwards, we can update
the pkg-config file to use -l:libfoo.a syntax to explicitly refer to the
static library in question. Since this syntax is not supported by meson's
pkg-config module directly, we can post-process the .pc files instead to
adjust them.
Once done, we can simplify the examples' makefiles and the docs by removing
the explicit static flag.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
Acked-by: Sunil Pai G <sunil.pai.g@intel.com>
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Get rid of hardcoded limit of cryptodev sessions.
Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Function create_ipsec_esp_flow returns a negative number in case of any
failure and we are passing this to strerror to display the error message.
But strerror()'s argument cannot be negative.
In case of failure, displaying exact error message to console is handled
in create_ipsec_esp_flow function.
So it is not required to print the error message again using strerror.
This patch will remove the unnecessary calling of strerror function
to fix the negative argument passing to strerror issue.
Coverity issue: 357691
Fixes: 6738c0a95695 ("examples/ipsec-secgw: support flow director")
Signed-off-by: Praveen Shetty <praveen.shetty@intel.com>
Acked-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
As more test cases are defined for execution, test scripts structure
needs to be reorganized, so fewer files are needed to describe the test.
To achieve that, new environment variables are incorporated into the
scripts.
Additionally, tests for mixed tunnel protocols are added.
Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
gcc 10.0.1 reports:
../examples/ipsec-secgw/ipsec_process.c: In function ‘ipsec_process’:
../examples/ipsec-secgw/ipsec_process.c:132:34:
error: ‘grp.m’ may be used uninitialized in this function
[-Werror=maybe-uninitialized]
132 | grp[n].cnt = pkts + i - grp[n].m;
| ~~~~~~^~
This is a correct warning for the initial execution of the statement.
However, it is the design of the loop that grp[0].cnt will later be
written with the correct value using an initialized grp[0].m before it
is used.
In order to remove the warning, initialize grp[0].m for the initial and
unused calculation of grp[0].cnt.
Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
Cc: stable@dpdk.org
Suggested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
The two if check does the same task, so removing one.
Coverity issue: 355669
Fixes: 9ad50c29d01d ("examples/ipsec-secgw: add app mode worker")
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Support load distribution in security gateway application using
NIC load distribution feature (Flow Director).
Flow Director is used to redirect the specified inbound ipsec flow
to a specified queue. This is achieved by extending the SA rule syntax
to support specification by adding new action_type of <flow-direction>
to a specified <port_id> <queue_id>.
Signed-off-by: Praveen Shetty <praveen.shetty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
There is a common macro __rte_packed for packing structs,
which is now used where appropriate for consistency.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Added cpu-crypto fallback option parsing as well as tests for it
Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Reserve minimum number of crypto queues equal to number of ports.
This is to fulfill inline protocol offload requirements.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Make number of buffers in a pool nb_mbuf_in_pool dependent on number
of ports, cores and crypto queues. Add command line option -s which
when used overrides dynamic calculation of number of buffers in a pool.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Add driver inbound and outbound worker thread for ipsec-secgw. In driver
mode application does as little as possible. It simply forwards packets
back to port from which traffic was received instructing HW to apply
inline security processing using first outbound SA configured for
a given port. If a port does not have SA configured outbound traffic
on that port will be silently dropped. The aim of this mode is to
measure HW capabilities. Driver mode is selected with single-sa option.
The single-sa option accepts SA index however in event mode the SA
index is ignored.
Example command to run ipsec-secgw in driver mode:
ipsec-secgw -w 0002:02:00.0,ipsec_in_max_spi=128
-w 0002:03:00.0,ipsec_in_max_spi=128 -w 0002:0e:00.0 -w 0002:10:00.1
--log-level=8 -c 0x1 -- -P -p 0x3 -u 0x1 -f aes-gcm.cfg
--transfer-mode event --event-schedule-type parallel --single-sa 0
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Add eventmode support to ipsec-secgw. With the aid of event helper
configure and use the eventmode capabilities.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Add eventmode helper eh_conf_init and eh_conf_uninit
functions which purpose is to initialize and
uninitialize eventmode helper configuration.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Add support for Rx and Tx internal ports. When internal ports are
available then a packet can be received from eth port and forwarded
to event queue by HW without any software intervention. The same
applies to Tx side where a packet sent to an event queue can by
forwarded by HW to eth port without any software intervention.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
In eventmode workers can be drafted differently according to the
capabilities of the underlying event device. The added functions will
receive an array of such workers and probe the eventmode properties to
choose the worker.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Add routines to display the eventmode configuration and provide
an overview of the devices used.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
