Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/101325/?format=api
{ "id": 101325, "url": "http://patches.dpdk.org/api/patches/101325/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/patch/20211013121331.300245-8-radu.nicolau@intel.com/", "project": { "id": 1, "url": "http://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20211013121331.300245-8-radu.nicolau@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20211013121331.300245-8-radu.nicolau@intel.com", "date": "2021-10-13T12:13:28", "name": "[v9,07/10] ipsec: add support for SA telemetry", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "5001b890eda59c87356441b2fab8ae26aff7f3c3", "submitter": { "id": 743, "url": "http://patches.dpdk.org/api/people/743/?format=api", "name": "Radu Nicolau", "email": "radu.nicolau@intel.com" }, "delegate": { "id": 6690, "url": "http://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patches.dpdk.org/project/dpdk/patch/20211013121331.300245-8-radu.nicolau@intel.com/mbox/", "series": [ { "id": 19593, "url": "http://patches.dpdk.org/api/series/19593/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=19593", "date": "2021-10-13T12:13:21", "name": "new features for ipsec and security libraries", "version": 9, "mbox": "http://patches.dpdk.org/series/19593/mbox/" } ], "comments": "http://patches.dpdk.org/api/patches/101325/comments/", "check": "success", "checks": "http://patches.dpdk.org/api/patches/101325/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 31753A0C55;\n\tWed, 13 Oct 2021 14:26:10 +0200 (CEST)", "from [217.70.189.124] (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 1F75B4115A;\n\tWed, 13 Oct 2021 14:26:10 +0200 (CEST)", "from mga02.intel.com (mga02.intel.com [134.134.136.20])\n by mails.dpdk.org (Postfix) with ESMTP id AAC0E40E64\n for <dev@dpdk.org>; Wed, 13 Oct 2021 14:26:07 +0200 (CEST)", "from orsmga001.jf.intel.com ([10.7.209.18])\n by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 13 Oct 2021 05:25:52 -0700", "from silpixa00400884.ir.intel.com ([10.243.22.82])\n by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:48 -0700" ], "X-IronPort-AV": [ "E=McAfee;i=\"6200,9189,10135\"; a=\"214564526\"", "E=Sophos;i=\"5.85,370,1624345200\"; d=\"scan'208\";a=\"214564526\"", "E=Sophos;i=\"5.85,370,1624345200\"; d=\"scan'208\";a=\"524607769\"" ], "X-ExtLoop1": "1", "From": "Radu Nicolau <radu.nicolau@intel.com>", "To": "Konstantin Ananyev <konstantin.ananyev@intel.com>,\n Bernard Iremonger <bernard.iremonger@intel.com>,\n Vladimir Medvedkin <vladimir.medvedkin@intel.com>,\n Ray Kinsella <mdr@ashroe.eu>", "Cc": "dev@dpdk.org, bruce.richardson@intel.com, roy.fan.zhang@intel.com,\n hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com,\n declan.doherty@intel.com, abhijit.sinha@intel.com,\n daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com,\n matan@nvidia.com, Radu Nicolau <radu.nicolau@intel.com>", "Date": "Wed, 13 Oct 2021 13:13:28 +0100", "Message-Id": "<20211013121331.300245-8-radu.nicolau@intel.com>", "X-Mailer": "git-send-email 2.25.1", "In-Reply-To": "<20211013121331.300245-1-radu.nicolau@intel.com>", "References": "<20210713133542.3550525-1-radu.nicolau@intel.com>\n <20211013121331.300245-1-radu.nicolau@intel.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Subject": "[dpdk-dev] [PATCH v9 07/10] ipsec: add support for SA telemetry", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Add telemetry support for ipsec SAs\n\nSigned-off-by: Declan Doherty <declan.doherty@intel.com>\nSigned-off-by: Radu Nicolau <radu.nicolau@intel.com>\nSigned-off-by: Abhijit Sinha <abhijit.sinha@intel.com>\nSigned-off-by: Daniel Martin Buckley <daniel.m.buckley@intel.com>\nAcked-by: Fan Zhang <roy.fan.zhang@intel.com>\nAcked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>\n---\n doc/guides/prog_guide/ipsec_lib.rst | 7 +\n doc/guides/rel_notes/release_21_11.rst | 1 +\n lib/ipsec/esp_inb.c | 18 +-\n lib/ipsec/esp_outb.c | 12 +-\n lib/ipsec/ipsec_telemetry.c | 244 +++++++++++++++++++++++++\n lib/ipsec/meson.build | 6 +-\n lib/ipsec/rte_ipsec.h | 23 +++\n lib/ipsec/sa.c | 10 +-\n lib/ipsec/sa.h | 9 +\n lib/ipsec/version.map | 9 +\n 10 files changed, 328 insertions(+), 11 deletions(-)\n create mode 100644 lib/ipsec/ipsec_telemetry.c", "diff": "diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst\nindex fc0af5eadb..2a262f8c51 100644\n--- a/doc/guides/prog_guide/ipsec_lib.rst\n+++ b/doc/guides/prog_guide/ipsec_lib.rst\n@@ -321,6 +321,13 @@ Supported features\n AES_GMAC, HMAC-SHA1, NULL.\n \n \n+Telemetry support\n+------------------\n+Telemetry support implements SA details and IPsec packet add data counters\n+statistics. Per SA telemetry statistics can be enabled using\n+``rte_ipsec_telemetry_sa_add`` and disabled using\n+``rte_ipsec_telemetry_sa_del``. Note that these calls are not thread safe.\n+\n Limitations\n -----------\n \ndiff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst\nindex 0a9c71d92e..70932fc8a9 100644\n--- a/doc/guides/rel_notes/release_21_11.rst\n+++ b/doc/guides/rel_notes/release_21_11.rst\n@@ -159,6 +159,7 @@ New Features\n * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC.\n * Added support for NAT-T / UDP encapsulated ESP\n * Added support TSO offload support; only supported for inline crypto mode.\n+ * Added support for SA telemetry.\n \n \n Removed Items\ndiff --git a/lib/ipsec/esp_inb.c b/lib/ipsec/esp_inb.c\nindex d66c88f05d..6fbe468a61 100644\n--- a/lib/ipsec/esp_inb.c\n+++ b/lib/ipsec/esp_inb.c\n@@ -15,7 +15,7 @@\n #include \"misc.h\"\n #include \"pad.h\"\n \n-typedef uint16_t (*esp_inb_process_t)(const struct rte_ipsec_sa *sa,\n+typedef uint16_t (*esp_inb_process_t)(struct rte_ipsec_sa *sa,\n \tstruct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num,\n \tuint8_t sqh_len);\n \n@@ -573,10 +573,10 @@ tun_process_step3(struct rte_mbuf *mb, uint64_t txof_msk, uint64_t txof_val)\n * *process* function for tunnel packets\n */\n static inline uint16_t\n-tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n+tun_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \t uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len)\n {\n-\tuint32_t adj, i, k, tl;\n+\tuint32_t adj, i, k, tl, bytes;\n \tuint32_t hl[num], to[num];\n \tstruct rte_esp_tail espt[num];\n \tstruct rte_mbuf *ml[num];\n@@ -598,6 +598,7 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \t\tprocess_step1(mb[i], tlen, &ml[i], &espt[i], &hl[i], &to[i]);\n \n \tk = 0;\n+\tbytes = 0;\n \tfor (i = 0; i != num; i++) {\n \n \t\tadj = hl[i] + cofs;\n@@ -621,10 +622,13 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \t\t\ttun_process_step3(mb[i], sa->tx_offload.msk,\n \t\t\t\tsa->tx_offload.val);\n \t\t\tk++;\n+\t\t\tbytes += mb[i]->pkt_len;\n \t\t} else\n \t\t\tdr[i - k] = i;\n \t}\n \n+\tsa->statistics.count += k;\n+\tsa->statistics.bytes += bytes;\n \treturn k;\n }\n \n@@ -632,11 +636,11 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n * *process* function for tunnel packets\n */\n static inline uint16_t\n-trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n+trs_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \tuint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len)\n {\n \tchar *np;\n-\tuint32_t i, k, l2, tl;\n+\tuint32_t i, k, l2, tl, bytes;\n \tuint32_t hl[num], to[num];\n \tstruct rte_esp_tail espt[num];\n \tstruct rte_mbuf *ml[num];\n@@ -656,6 +660,7 @@ trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \t\tprocess_step1(mb[i], tlen, &ml[i], &espt[i], &hl[i], &to[i]);\n \n \tk = 0;\n+\tbytes = 0;\n \tfor (i = 0; i != num; i++) {\n \n \t\ttl = tlen + espt[i].pad_len;\n@@ -674,10 +679,13 @@ trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \t\t\t/* update mbuf's metadata */\n \t\t\ttrs_process_step3(mb[i]);\n \t\t\tk++;\n+\t\t\tbytes += mb[i]->pkt_len;\n \t\t} else\n \t\t\tdr[i - k] = i;\n \t}\n \n+\tsa->statistics.count += k;\n+\tsa->statistics.bytes += bytes;\n \treturn k;\n }\n \ndiff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c\nindex d327c32a38..812ba1e5ec 100644\n--- a/lib/ipsec/esp_outb.c\n+++ b/lib/ipsec/esp_outb.c\n@@ -623,7 +623,7 @@ uint16_t\n esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n \tuint16_t num)\n {\n-\tuint32_t i, k, icv_len, *icv;\n+\tuint32_t i, k, icv_len, *icv, bytes;\n \tstruct rte_mbuf *ml;\n \tstruct rte_ipsec_sa *sa;\n \tuint32_t dr[num];\n@@ -632,6 +632,7 @@ esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n \n \tk = 0;\n \ticv_len = sa->icv_len;\n+\tbytes = 0;\n \n \tfor (i = 0; i != num; i++) {\n \t\tif ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) == 0) {\n@@ -642,10 +643,13 @@ esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n \t\t\ticv = rte_pktmbuf_mtod_offset(ml, void *,\n \t\t\t\tml->data_len - icv_len);\n \t\t\tremove_sqh(icv, icv_len);\n+\t\t\tbytes += mb[i]->pkt_len;\n \t\t\tk++;\n \t\t} else\n \t\t\tdr[i - k] = i;\n \t}\n+\tsa->statistics.count += k;\n+\tsa->statistics.bytes += bytes;\n \n \t/* handle unprocessed mbufs */\n \tif (k != num) {\n@@ -665,16 +669,20 @@ static inline void\n inline_outb_mbuf_prepare(const struct rte_ipsec_session *ss,\n \tstruct rte_mbuf *mb[], uint16_t num)\n {\n-\tuint32_t i, ol_flags;\n+\tuint32_t i, ol_flags, bytes;\n \n \tol_flags = ss->security.ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA;\n+\tbytes = 0;\n \tfor (i = 0; i != num; i++) {\n \n \t\tmb[i]->ol_flags |= PKT_TX_SEC_OFFLOAD;\n+\t\tbytes += mb[i]->pkt_len;\n \t\tif (ol_flags != 0)\n \t\t\trte_security_set_pkt_metadata(ss->security.ctx,\n \t\t\t\tss->security.ses, mb[i], NULL);\n \t}\n+\tss->sa->statistics.count += num;\n+\tss->sa->statistics.bytes += bytes;\n }\n \n \ndiff --git a/lib/ipsec/ipsec_telemetry.c b/lib/ipsec/ipsec_telemetry.c\nnew file mode 100644\nindex 0000000000..713da75f38\n--- /dev/null\n+++ b/lib/ipsec/ipsec_telemetry.c\n@@ -0,0 +1,244 @@\n+/* SPDX-License-Identifier: BSD-3-Clause\n+ * Copyright(c) 2021 Intel Corporation\n+ */\n+\n+#include <rte_ipsec.h>\n+#include <rte_telemetry.h>\n+#include <rte_malloc.h>\n+#include \"sa.h\"\n+\n+\n+struct ipsec_telemetry_entry {\n+\tLIST_ENTRY(ipsec_telemetry_entry) next;\n+\tconst struct rte_ipsec_sa *sa;\n+};\n+static LIST_HEAD(ipsec_telemetry_head, ipsec_telemetry_entry)\n+\t\tipsec_telemetry_list = LIST_HEAD_INITIALIZER();\n+\n+static int\n+handle_telemetry_cmd_ipsec_sa_list(const char *cmd __rte_unused,\n+\t\tconst char *params __rte_unused,\n+\t\tstruct rte_tel_data *data)\n+{\n+\tstruct ipsec_telemetry_entry *entry;\n+\trte_tel_data_start_array(data, RTE_TEL_U64_VAL);\n+\n+\tLIST_FOREACH(entry, &ipsec_telemetry_list, next) {\n+\t\tconst struct rte_ipsec_sa *sa = entry->sa;\n+\t\trte_tel_data_add_array_u64(data, rte_be_to_cpu_32(sa->spi));\n+\t}\n+\n+\treturn 0;\n+}\n+\n+/**\n+ * Handle IPsec SA statistics telemetry request\n+ *\n+ * Return dict of SA's with dict of key/value counters\n+ *\n+ * {\n+ * \"SA_SPI_XX\": {\"count\": 0, \"bytes\": 0, \"errors\": 0},\n+ * \"SA_SPI_YY\": {\"count\": 0, \"bytes\": 0, \"errors\": 0}\n+ * }\n+ *\n+ */\n+static int\n+handle_telemetry_cmd_ipsec_sa_stats(const char *cmd __rte_unused,\n+\t\tconst char *params,\n+\t\tstruct rte_tel_data *data)\n+{\n+\tstruct ipsec_telemetry_entry *entry;\n+\tconst struct rte_ipsec_sa *sa;\n+\tuint32_t sa_spi = 0;\n+\n+\tif (params) {\n+\t\tsa_spi = rte_cpu_to_be_32((uint32_t)strtoul(params, NULL, 0));\n+\t\tif (sa_spi == 0)\n+\t\t\treturn -EINVAL;\n+\t}\n+\n+\trte_tel_data_start_dict(data);\n+\n+\tLIST_FOREACH(entry, &ipsec_telemetry_list, next) {\n+\t\tchar sa_name[64];\n+\t\tsa = entry->sa;\n+\t\tstatic const char *name_pkt_cnt = \"count\";\n+\t\tstatic const char *name_byte_cnt = \"bytes\";\n+\t\tstatic const char *name_error_cnt = \"errors\";\n+\t\tstruct rte_tel_data *sa_data;\n+\n+\t\t/* If user provided SPI only get telemetry for that SA */\n+\t\tif (sa_spi && (sa_spi != sa->spi))\n+\t\t\tcontinue;\n+\n+\t\t/* allocate telemetry data struct for SA telemetry */\n+\t\tsa_data = rte_tel_data_alloc();\n+\t\tif (!sa_data)\n+\t\t\treturn -ENOMEM;\n+\n+\t\trte_tel_data_start_dict(sa_data);\n+\n+\t\t/* add telemetry key/values pairs */\n+\t\trte_tel_data_add_dict_u64(sa_data, name_pkt_cnt,\n+\t\t\t\t\tsa->statistics.count);\n+\n+\t\trte_tel_data_add_dict_u64(sa_data, name_byte_cnt,\n+\t\t\t\t\tsa->statistics.bytes -\n+\t\t\t\t\t(sa->statistics.count * sa->hdr_len));\n+\n+\t\trte_tel_data_add_dict_u64(sa_data, name_error_cnt,\n+\t\t\t\t\tsa->statistics.errors.count);\n+\n+\t\t/* generate telemetry label */\n+\t\tsnprintf(sa_name, sizeof(sa_name), \"SA_SPI_%i\",\n+\t\t\t\trte_be_to_cpu_32(sa->spi));\n+\n+\t\t/* add SA telemetry to dictionary container */\n+\t\trte_tel_data_add_dict_container(data, sa_name, sa_data, 0);\n+\t}\n+\n+\treturn 0;\n+}\n+\n+static int\n+handle_telemetry_cmd_ipsec_sa_details(const char *cmd __rte_unused,\n+\t\tconst char *params,\n+\t\tstruct rte_tel_data *data)\n+{\n+\tstruct ipsec_telemetry_entry *entry;\n+\tconst struct rte_ipsec_sa *sa;\n+\tuint32_t sa_spi = 0;\n+\n+\tif (params)\n+\t\tsa_spi = rte_cpu_to_be_32((uint32_t)strtoul(params, NULL, 0));\n+\t/* valid SPI needed */\n+\tif (sa_spi == 0)\n+\t\treturn -EINVAL;\n+\n+\n+\trte_tel_data_start_dict(data);\n+\n+\tLIST_FOREACH(entry, &ipsec_telemetry_list, next) {\n+\t\tuint64_t mode;\n+\t\tsa = entry->sa;\n+\t\tif (sa_spi != sa->spi)\n+\t\t\tcontinue;\n+\n+\t\t/* add SA configuration key/values pairs */\n+\t\trte_tel_data_add_dict_string(data, \"Type\",\n+\t\t\t(sa->type & RTE_IPSEC_SATP_PROTO_MASK) ==\n+\t\t\tRTE_IPSEC_SATP_PROTO_AH ? \"AH\" : \"ESP\");\n+\n+\t\trte_tel_data_add_dict_string(data, \"Direction\",\n+\t\t\t(sa->type & RTE_IPSEC_SATP_DIR_MASK) ==\n+\t\t\tRTE_IPSEC_SATP_DIR_IB ?\t\"Inbound\" : \"Outbound\");\n+\n+\t\tmode = sa->type & RTE_IPSEC_SATP_MODE_MASK;\n+\n+\t\tif (mode == RTE_IPSEC_SATP_MODE_TRANS) {\n+\t\t\trte_tel_data_add_dict_string(data, \"Mode\", \"Transport\");\n+\t\t} else {\n+\t\t\trte_tel_data_add_dict_string(data, \"Mode\", \"Tunnel\");\n+\n+\t\t\tif ((sa->type & RTE_IPSEC_SATP_NATT_MASK) ==\n+\t\t\t\tRTE_IPSEC_SATP_NATT_ENABLE) {\n+\t\t\t\tif (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {\n+\t\t\t\t\trte_tel_data_add_dict_string(data,\n+\t\t\t\t\t\t\"Tunnel-Type\",\n+\t\t\t\t\t\t\"IPv4-UDP\");\n+\t\t\t\t} else if (sa->type &\n+\t\t\t\t\t\tRTE_IPSEC_SATP_MODE_TUNLV6) {\n+\t\t\t\t\trte_tel_data_add_dict_string(data,\n+\t\t\t\t\t\t\"Tunnel-Type\",\n+\t\t\t\t\t\t\"IPv4-UDP\");\n+\t\t\t\t}\n+\t\t\t} else {\n+\t\t\t\tif (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {\n+\t\t\t\t\trte_tel_data_add_dict_string(data,\n+\t\t\t\t\t\t\"Tunnel-Type\",\n+\t\t\t\t\t\t\"IPv4-UDP\");\n+\t\t\t\t} else if (sa->type &\n+\t\t\t\t\t\tRTE_IPSEC_SATP_MODE_TUNLV6) {\n+\t\t\t\t\trte_tel_data_add_dict_string(data,\n+\t\t\t\t\t\t\"Tunnel-Type\",\n+\t\t\t\t\t\t\"IPv4-UDP\");\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\n+\t\trte_tel_data_add_dict_string(data,\n+\t\t\t\t\"extended-sequence-number\",\n+\t\t\t\t(sa->type & RTE_IPSEC_SATP_ESN_MASK) ==\n+\t\t\t\t RTE_IPSEC_SATP_ESN_ENABLE ?\n+\t\t\t\t\"enabled\" : \"disabled\");\n+\n+\t\tif ((sa->type & RTE_IPSEC_SATP_DIR_MASK) ==\n+\t\t\tRTE_IPSEC_SATP_DIR_IB)\n+\n+\t\t\tif (sa->sqn.inb.rsn[sa->sqn.inb.rdidx])\n+\t\t\t\trte_tel_data_add_dict_u64(data,\n+\t\t\t\t\"sequence-number\",\n+\t\t\t\tsa->sqn.inb.rsn[sa->sqn.inb.rdidx]->sqn);\n+\t\t\telse\n+\t\t\t\trte_tel_data_add_dict_u64(data,\n+\t\t\t\t\t\"sequence-number\", 0);\n+\t\telse\n+\t\t\trte_tel_data_add_dict_u64(data, \"sequence-number\",\n+\t\t\t\t\tsa->sqn.outb);\n+\n+\t\trte_tel_data_add_dict_string(data,\n+\t\t\t\t\"explicit-congestion-notification\",\n+\t\t\t\t(sa->type & RTE_IPSEC_SATP_ECN_MASK) ==\n+\t\t\t\tRTE_IPSEC_SATP_ECN_ENABLE ?\n+\t\t\t\t\"enabled\" : \"disabled\");\n+\n+\t\trte_tel_data_add_dict_string(data,\n+\t\t\t\t\"copy-DSCP\",\n+\t\t\t\t(sa->type & RTE_IPSEC_SATP_DSCP_MASK) ==\n+\t\t\t\tRTE_IPSEC_SATP_DSCP_ENABLE ?\n+\t\t\t\t\"enabled\" : \"disabled\");\n+\t}\n+\n+\treturn 0;\n+}\n+\n+\n+int\n+rte_ipsec_telemetry_sa_add(const struct rte_ipsec_sa *sa)\n+{\n+\tstruct ipsec_telemetry_entry *entry = rte_zmalloc(NULL,\n+\t\t\tsizeof(struct ipsec_telemetry_entry), 0);\n+\tif (entry == NULL)\n+\t\treturn -ENOMEM;\n+\tentry->sa = sa;\n+\tLIST_INSERT_HEAD(&ipsec_telemetry_list, entry, next);\n+\treturn 0;\n+}\n+\n+void\n+rte_ipsec_telemetry_sa_del(const struct rte_ipsec_sa *sa)\n+{\n+\tstruct ipsec_telemetry_entry *entry;\n+\tLIST_FOREACH(entry, &ipsec_telemetry_list, next) {\n+\t\tif (sa == entry->sa) {\n+\t\t\tLIST_REMOVE(entry, next);\n+\t\t\trte_free(entry);\n+\t\t\treturn;\n+\t\t}\n+\t}\n+}\n+\n+\n+RTE_INIT(rte_ipsec_telemetry_init)\n+{\n+\trte_telemetry_register_cmd(\"/ipsec/sa/list\",\n+\t\thandle_telemetry_cmd_ipsec_sa_list,\n+\t\t\"Return list of IPsec SAs with telemetry enabled.\");\n+\trte_telemetry_register_cmd(\"/ipsec/sa/stats\",\n+\t\thandle_telemetry_cmd_ipsec_sa_stats,\n+\t\t\"Returns IPsec SA stastistics. Parameters: int sa_spi\");\n+\trte_telemetry_register_cmd(\"/ipsec/sa/details\",\n+\t\thandle_telemetry_cmd_ipsec_sa_details,\n+\t\t\"Returns IPsec SA configuration. Parameters: int sa_spi\");\n+}\n+\ndiff --git a/lib/ipsec/meson.build b/lib/ipsec/meson.build\nindex 1497f573bb..ddb9ea1767 100644\n--- a/lib/ipsec/meson.build\n+++ b/lib/ipsec/meson.build\n@@ -1,9 +1,11 @@\n # SPDX-License-Identifier: BSD-3-Clause\n # Copyright(c) 2018 Intel Corporation\n \n-sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')\n+sources = files('esp_inb.c', 'esp_outb.c',\n+ 'sa.c', 'ses.c', 'ipsec_sad.c',\n+ 'ipsec_telemetry.c')\n \n headers = files('rte_ipsec.h', 'rte_ipsec_sa.h', 'rte_ipsec_sad.h')\n indirect_headers += files('rte_ipsec_group.h')\n \n-deps += ['mbuf', 'net', 'cryptodev', 'security', 'hash']\n+deps += ['mbuf', 'net', 'cryptodev', 'security', 'hash', 'telemetry']\ndiff --git a/lib/ipsec/rte_ipsec.h b/lib/ipsec/rte_ipsec.h\nindex dd60d95915..5308f250a7 100644\n--- a/lib/ipsec/rte_ipsec.h\n+++ b/lib/ipsec/rte_ipsec.h\n@@ -158,6 +158,29 @@ rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n \treturn ss->pkt_func.process(ss, mb, num);\n }\n \n+\n+/**\n+ * Enable per SA telemetry for a specific SA.\n+ * Note that this function is not thread safe\n+ * @param sa\n+ * Pointer to the *rte_ipsec_sa* object that will have telemetry enabled.\n+ * @return\n+ * 0 on success, negative value otherwise.\n+ */\n+__rte_experimental\n+int\n+rte_ipsec_telemetry_sa_add(const struct rte_ipsec_sa *sa);\n+\n+/**\n+ * Disable per SA telemetry for a specific SA.\n+ * Note that this function is not thread safe\n+ * @param sa\n+ * Pointer to the *rte_ipsec_sa* object that will have telemetry disabled.\n+ */\n+__rte_experimental\n+void\n+rte_ipsec_telemetry_sa_del(const struct rte_ipsec_sa *sa);\n+\n #include <rte_ipsec_group.h>\n \n #ifdef __cplusplus\ndiff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c\nindex 2830506385..d767b2036a 100644\n--- a/lib/ipsec/sa.c\n+++ b/lib/ipsec/sa.c\n@@ -656,19 +656,25 @@ uint16_t\n pkt_flag_process(const struct rte_ipsec_session *ss,\n \t\tstruct rte_mbuf *mb[], uint16_t num)\n {\n-\tuint32_t i, k;\n+\tuint32_t i, k, bytes;\n \tuint32_t dr[num];\n \n \tRTE_SET_USED(ss);\n \n \tk = 0;\n+\tbytes = 0;\n \tfor (i = 0; i != num; i++) {\n-\t\tif ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) == 0)\n+\t\tif ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) == 0) {\n \t\t\tk++;\n+\t\t\tbytes += mb[i]->pkt_len;\n+\t\t}\n \t\telse\n \t\t\tdr[i - k] = i;\n \t}\n \n+\tss->sa->statistics.count += k;\n+\tss->sa->statistics.bytes += bytes;\n+\n \t/* handle unprocessed mbufs */\n \tif (k != num) {\n \t\trte_errno = EBADMSG;\ndiff --git a/lib/ipsec/sa.h b/lib/ipsec/sa.h\nindex 107ebd1519..6e59f18e16 100644\n--- a/lib/ipsec/sa.h\n+++ b/lib/ipsec/sa.h\n@@ -132,6 +132,15 @@ struct rte_ipsec_sa {\n \t\t\tstruct replay_sqn *rsn[REPLAY_SQN_NUM];\n \t\t} inb;\n \t} sqn;\n+\t/* Statistics */\n+\tstruct {\n+\t\tuint64_t count;\n+\t\tuint64_t bytes;\n+\t\tstruct {\n+\t\t\tuint64_t count;\n+\t\t\tuint64_t authentication_failed;\n+\t\t} errors;\n+\t} statistics;\n \n } __rte_cache_aligned;\n \ndiff --git a/lib/ipsec/version.map b/lib/ipsec/version.map\nindex ba8753eac4..0af27ffd60 100644\n--- a/lib/ipsec/version.map\n+++ b/lib/ipsec/version.map\n@@ -19,3 +19,12 @@ DPDK_22 {\n \n \tlocal: *;\n };\n+\n+EXPERIMENTAL {\n+\tglobal:\n+\n+\t# added in 21.11\n+\trte_ipsec_telemetry_sa_add;\n+\trte_ipsec_telemetry_sa_del;\n+\n+};\n", "prefixes": [ "v9", "07/10" ] }