Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 117820,
    "url": "http://patches.dpdk.org/api/patches/117820/?format=api",
    "web_url": "http://patches.dpdk.org/project/dpdk/patch/20221010165629.17744-4-vfialko@marvell.com/",
    "project": {
        "id": 1,
        "url": "http://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20221010165629.17744-4-vfialko@marvell.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20221010165629.17744-4-vfialko@marvell.com",
    "date": "2022-10-10T16:56:26",
    "name": "[v3,3/6] examples/ipsec-secgw: add lookaside event mode",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": true,
    "hash": "3dc0bfb8df49abcf1ae204c7a2950baaf5dc4f9b",
    "submitter": {
        "id": 2390,
        "url": "http://patches.dpdk.org/api/people/2390/?format=api",
        "name": "Volodymyr Fialko",
        "email": "vfialko@marvell.com"
    },
    "delegate": {
        "id": 6690,
        "url": "http://patches.dpdk.org/api/users/6690/?format=api",
        "username": "akhil",
        "first_name": "akhil",
        "last_name": "goyal",
        "email": "gakhil@marvell.com"
    },
    "mbox": "http://patches.dpdk.org/project/dpdk/patch/20221010165629.17744-4-vfialko@marvell.com/mbox/",
    "series": [
        {
            "id": 25083,
            "url": "http://patches.dpdk.org/api/series/25083/?format=api",
            "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=25083",
            "date": "2022-10-10T16:56:23",
            "name": "examples/ipsec-secgw: add lookaside event mode",
            "version": 3,
            "mbox": "http://patches.dpdk.org/series/25083/mbox/"
        }
    ],
    "comments": "http://patches.dpdk.org/api/patches/117820/comments/",
    "check": "success",
    "checks": "http://patches.dpdk.org/api/patches/117820/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@inbox.dpdk.org",
        "Delivered-To": "patchwork@inbox.dpdk.org",
        "Received": [
            "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 1D074A0544;\n\tMon, 10 Oct 2022 18:56:58 +0200 (CEST)",
            "from [217.70.189.124] (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 1D3F3427FF;\n\tMon, 10 Oct 2022 18:56:54 +0200 (CEST)",
            "from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com\n [67.231.148.174])\n by mails.dpdk.org (Postfix) with ESMTP id BB24B427F1\n for <dev@dpdk.org>; Mon, 10 Oct 2022 18:56:52 +0200 (CEST)",
            "from pps.filterd (m0045849.ppops.net [127.0.0.1])\n by mx0a-0016f401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id\n 29AD0LgH009845;\n Mon, 10 Oct 2022 09:56:52 -0700",
            "from dc5-exch01.marvell.com ([199.233.59.181])\n by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3k36jppjkr-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);\n Mon, 10 Oct 2022 09:56:51 -0700",
            "from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com\n (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2;\n Mon, 10 Oct 2022 09:56:50 -0700",
            "from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com\n (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend\n Transport; Mon, 10 Oct 2022 09:56:50 -0700",
            "from localhost.localdomain (unknown [10.28.34.39])\n by maili.marvell.com (Postfix) with ESMTP id E84583F7083;\n Mon, 10 Oct 2022 09:56:47 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=jVSdalJcARNRkLJIDf15kLcv3nCZuu3Q1eI/BwGMsaU=;\n b=I06ayqe82/0yXUsBZwEY84SX1DIO96WbYvUeGqRfovPjeq7RYdPv98/Y5J2hfgluAsZj\n UBgfwCiockQSQ0xBO6cHcV3vKGkjOinEmaQ7E8e9L/4L1gRTL/z6RKKKPU3CKDEXFpDD\n 4yWpkKv1t9/SttLhqRT4P6dSTtzjHQuzBorGIqd3npIL5MjEvBRppYGsPHJh/MH6GmoL\n nwE0TnvQochhLg8MwP6NZIYe4PvA484ZJRaNJgqBA/s27NvDvoKyqvQFKASUq5SxA/OD\n mrUMazs4Do/ALAsBargFiFK1lryq7fCYKk6oUJREpjQwLA89n588A7YydUQBetbPCH1F Rg==",
        "From": "Volodymyr Fialko <vfialko@marvell.com>",
        "To": "<dev@dpdk.org>, Radu Nicolau <radu.nicolau@intel.com>, Akhil Goyal\n <gakhil@marvell.com>",
        "CC": "<jerinj@marvell.com>, <anoobj@marvell.com>, <suanmingm@nvidia.com>,\n Volodymyr Fialko <vfialko@marvell.com>",
        "Subject": "[PATCH v3 3/6] examples/ipsec-secgw: add lookaside event mode",
        "Date": "Mon, 10 Oct 2022 18:56:26 +0200",
        "Message-ID": "<20221010165629.17744-4-vfialko@marvell.com>",
        "X-Mailer": "git-send-email 2.25.1",
        "In-Reply-To": "<20221010165629.17744-1-vfialko@marvell.com>",
        "References": "<20221010123102.3962719-1-vfialko@marvell.com>\n <20221010165629.17744-1-vfialko@marvell.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "Content-Type": "text/plain",
        "X-Proofpoint-GUID": "h5XGFNgCEtQezzvg13PtlcJ2CPfyQ732",
        "X-Proofpoint-ORIG-GUID": "h5XGFNgCEtQezzvg13PtlcJ2CPfyQ732",
        "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1\n definitions=2022-10-10_10,2022-10-10_02,2022-06-22_01",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org"
    },
    "content": "Add base support for lookaside event mode. Events that are coming from\nethdev will be enqueued to the event crypto adapter, processed and\nenqueued back to ethdev for the transmission.\n\nSigned-off-by: Volodymyr Fialko <vfialko@marvell.com>\n---\n doc/guides/rel_notes/release_22_11.rst   |   5 +\n doc/guides/sample_app_ug/ipsec_secgw.rst |   4 +-\n examples/ipsec-secgw/ipsec-secgw.c       |   3 +-\n examples/ipsec-secgw/ipsec.c             |  36 +++-\n examples/ipsec-secgw/ipsec.h             |   8 +-\n examples/ipsec-secgw/ipsec_worker.c      | 241 +++++++++++++++++++++--\n examples/ipsec-secgw/sa.c                |  37 ++--\n 7 files changed, 293 insertions(+), 41 deletions(-)",
    "diff": "diff --git a/doc/guides/rel_notes/release_22_11.rst b/doc/guides/rel_notes/release_22_11.rst\nindex b0b981578b..f1bfba2af6 100644\n--- a/doc/guides/rel_notes/release_22_11.rst\n+++ b/doc/guides/rel_notes/release_22_11.rst\n@@ -218,6 +218,11 @@ New Features\n   and appears as a promising alternative to traditional approaches\n   such as packet sampling.\n \n+* **Updated ipsec-secgw sample application.**\n+\n+  Added support for lookaside sessions in event mode.\n+  See the :doc:`../sample_app_ug/ipsec_secgw` for more details.\n+\n \n Removed Items\n -------------\ndiff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst\nindex 07686d2285..c7b87889f1 100644\n--- a/doc/guides/sample_app_ug/ipsec_secgw.rst\n+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst\n@@ -83,8 +83,8 @@ The application supports two modes of operation: poll mode and event mode.\n   every type of event device without affecting existing paths/use cases. The worker\n   to be used will be determined by the operating conditions and the underlying device\n   capabilities. **Currently the application provides non-burst, internal port worker\n-  threads and supports inline protocol only.** It also provides infrastructure for\n-  non-internal port however does not define any worker threads.\n+  threads.** It also provides infrastructure for non-internal port however does not\n+  define any worker threads.\n \n   Event mode also supports event vectorization. The event devices, ethernet device\n   pairs which support the capability ``RTE_EVENT_ETH_RX_ADAPTER_CAP_EVENT_VECTOR`` can\ndiff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c\nindex 50b0cf158a..912b73e5a8 100644\n--- a/examples/ipsec-secgw/ipsec-secgw.c\n+++ b/examples/ipsec-secgw/ipsec-secgw.c\n@@ -3056,7 +3056,8 @@ main(int32_t argc, char **argv)\n \t\tif ((socket_ctx[socket_id].session_pool != NULL) &&\n \t\t\t(socket_ctx[socket_id].sa_in == NULL) &&\n \t\t\t(socket_ctx[socket_id].sa_out == NULL)) {\n-\t\t\tsa_init(&socket_ctx[socket_id], socket_id, lcore_conf);\n+\t\t\tsa_init(&socket_ctx[socket_id], socket_id, lcore_conf,\n+\t\t\t\teh_conf->mode_params);\n \t\t\tsp4_init(&socket_ctx[socket_id], socket_id);\n \t\t\tsp6_init(&socket_ctx[socket_id], socket_id);\n \t\t\trt_init(&socket_ctx[socket_id], socket_id);\ndiff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c\nindex ee1cf871ca..d90b59774d 100644\n--- a/examples/ipsec-secgw/ipsec.c\n+++ b/examples/ipsec-secgw/ipsec.c\n@@ -6,6 +6,7 @@\n #include <netinet/ip.h>\n \n #include <rte_branch_prediction.h>\n+#include <rte_event_crypto_adapter.h>\n #include <rte_log.h>\n #include <rte_crypto.h>\n #include <rte_security.h>\n@@ -56,14 +57,17 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)\n \n int\n create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[],\n-\tstruct socket_ctx *skt_ctx, struct ipsec_sa *sa,\n-\tstruct rte_ipsec_session *ips)\n+\tstruct socket_ctx *skt_ctx, const struct eventmode_conf *em_conf,\n+\tstruct ipsec_sa *sa, struct rte_ipsec_session *ips)\n {\n \tuint16_t cdev_id = RTE_CRYPTO_MAX_DEVS;\n+\tenum rte_crypto_op_sess_type sess_type;\n \tstruct rte_cryptodev_info cdev_info;\n+\tenum rte_crypto_op_type op_type;\n \tunsigned long cdev_id_qp = 0;\n-\tstruct cdev_key key = { 0 };\n \tstruct ipsec_ctx *ipsec_ctx;\n+\tstruct cdev_key key = { 0 };\n+\tvoid *sess = NULL;\n \tuint32_t lcore_id;\n \tint32_t ret = 0;\n \n@@ -158,6 +162,10 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[],\n \t\t\t\treturn -1;\n \t\t\t}\n \t\t\tips->security.ctx = ctx;\n+\n+\t\t\tsess = ips->security.ses;\n+\t\t\top_type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;\n+\t\t\tsess_type = RTE_CRYPTO_OP_SECURITY_SESSION;\n \t\t} else {\n \t\t\tRTE_LOG(ERR, IPSEC, \"Inline not supported\\n\");\n \t\t\treturn -1;\n@@ -179,6 +187,28 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[],\n \t\trte_cryptodev_info_get(cdev_id, &cdev_info);\n \t}\n \n+\t/* Setup meta data required by event crypto adapter */\n+\tif (em_conf->enable_event_crypto_adapter && sess != NULL) {\n+\t\tunion rte_event_crypto_metadata m_data;\n+\t\tconst struct eventdev_params *eventdev_conf;\n+\n+\t\teventdev_conf = &(em_conf->eventdev_config[0]);\n+\t\tmemset(&m_data, 0, sizeof(m_data));\n+\n+\t\t/* Fill in response information */\n+\t\tm_data.response_info.sched_type = em_conf->ext_params.sched_type;\n+\t\tm_data.response_info.op = RTE_EVENT_OP_NEW;\n+\t\tm_data.response_info.queue_id = eventdev_conf->ev_cpt_queue_id;\n+\n+\t\t/* Fill in request information */\n+\t\tm_data.request_info.cdev_id = cdev_id;\n+\t\tm_data.request_info.queue_pair_id = 0;\n+\n+\t\t/* Attach meta info to session */\n+\t\trte_cryptodev_session_event_mdata_set(cdev_id, sess, op_type,\n+\t\t\t\tsess_type, &m_data, sizeof(m_data));\n+\t}\n+\n \treturn 0;\n }\n \ndiff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h\nindex 538eb17d94..3d373dfd77 100644\n--- a/examples/ipsec-secgw/ipsec.h\n+++ b/examples/ipsec-secgw/ipsec.h\n@@ -14,6 +14,7 @@\n #include <rte_flow.h>\n #include <rte_ipsec.h>\n \n+#include \"event_helper.h\"\n #include \"ipsec-secgw.h\"\n \n #define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2\n@@ -425,7 +426,8 @@ sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound);\n \n void\n sa_init(struct socket_ctx *ctx, int32_t socket_id,\n-\t\tstruct lcore_conf *lcore_conf);\n+\tstruct lcore_conf *lcore_conf,\n+\tconst struct eventmode_conf *em_conf);\n \n void\n rt_init(struct socket_ctx *ctx, int32_t socket_id);\n@@ -442,8 +444,8 @@ enqueue_cop_burst(struct cdev_qp *cqp);\n \n int\n create_lookaside_session(struct ipsec_ctx *ipsec_ctx[],\n-\tstruct socket_ctx *skt_ctx, struct ipsec_sa *sa,\n-\tstruct rte_ipsec_session *ips);\n+\tstruct socket_ctx *skt_ctx, const struct eventmode_conf *em_conf,\n+\tstruct ipsec_sa *sa, struct rte_ipsec_session *ips);\n \n int\n create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,\ndiff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c\nindex 7f46177f8e..6c1ffbfb24 100644\n--- a/examples/ipsec-secgw/ipsec_worker.c\n+++ b/examples/ipsec-secgw/ipsec_worker.c\n@@ -3,6 +3,7 @@\n  * Copyright (C) 2020 Marvell International Ltd.\n  */\n #include <rte_acl.h>\n+#include <rte_event_crypto_adapter.h>\n #include <rte_event_eth_tx_adapter.h>\n #include <rte_lpm.h>\n #include <rte_lpm6.h>\n@@ -11,6 +12,7 @@\n #include \"ipsec.h\"\n #include \"ipsec-secgw.h\"\n #include \"ipsec_worker.h\"\n+#include \"sad.h\"\n \n #if defined(__ARM_NEON)\n #include \"ipsec_lpm_neon.h\"\n@@ -225,6 +227,47 @@ check_sp_sa_bulk(struct sp_ctx *sp, struct sa_ctx *sa_ctx,\n \tip->num = j;\n }\n \n+static inline void\n+ipv4_pkt_l3_len_set(struct rte_mbuf *pkt)\n+{\n+\tstruct rte_ipv4_hdr *ipv4;\n+\n+\tipv4 = rte_pktmbuf_mtod(pkt, struct rte_ipv4_hdr *);\n+\tpkt->l3_len = ipv4->ihl * 4;\n+}\n+\n+static inline int\n+ipv6_pkt_l3_len_set(struct rte_mbuf *pkt)\n+{\n+\tstruct rte_ipv6_hdr *ipv6;\n+\tsize_t l3_len, ext_len;\n+\tuint32_t l3_type;\n+\tint next_proto;\n+\tuint8_t *p;\n+\n+\tipv6 = rte_pktmbuf_mtod(pkt, struct rte_ipv6_hdr *);\n+\tl3_len = sizeof(struct rte_ipv6_hdr);\n+\tl3_type = pkt->packet_type & RTE_PTYPE_L3_MASK;\n+\n+\tif (l3_type == RTE_PTYPE_L3_IPV6_EXT ||\n+\t\tl3_type == RTE_PTYPE_L3_IPV6_EXT_UNKNOWN) {\n+\t\tp = rte_pktmbuf_mtod(pkt, uint8_t *);\n+\t\tnext_proto = ipv6->proto;\n+\t\twhile (next_proto != IPPROTO_ESP &&\n+\t\t\tl3_len < pkt->data_len &&\n+\t\t\t(next_proto = rte_ipv6_get_next_ext(p + l3_len,\n+\t\t\t\t\tnext_proto, &ext_len)) >= 0)\n+\t\t\tl3_len += ext_len;\n+\n+\t\t/* Drop pkt when IPv6 header exceeds first seg size */\n+\t\tif (unlikely(l3_len > pkt->data_len))\n+\t\t\treturn -EINVAL;\n+\t}\n+\tpkt->l3_len = l3_len;\n+\n+\treturn 0;\n+}\n+\n static inline uint16_t\n route4_pkt(struct rte_mbuf *pkt, struct rt_ctx *rt_ctx)\n {\n@@ -284,9 +327,67 @@ get_route(struct rte_mbuf *pkt, struct route_table *rt, enum pkt_type type)\n \treturn RTE_MAX_ETHPORTS;\n }\n \n+static inline void\n+crypto_op_reset(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n+\t\tstruct rte_crypto_op *cop[], uint16_t num)\n+{\n+\tstruct rte_crypto_sym_op *sop;\n+\tuint32_t i;\n+\n+\tconst struct rte_crypto_op unproc_cop = {\n+\t\t.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC,\n+\t\t.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED,\n+\t\t.sess_type = RTE_CRYPTO_OP_SECURITY_SESSION,\n+\t};\n+\n+\tfor (i = 0; i != num; i++) {\n+\t\tcop[i]->raw = unproc_cop.raw;\n+\t\tsop = cop[i]->sym;\n+\t\tsop->m_src = mb[i];\n+\t\tsop->m_dst = NULL;\n+\t\t__rte_security_attach_session(sop, ss->security.ses);\n+\t}\n+}\n+\n+static inline int\n+event_crypto_enqueue(struct ipsec_ctx *ctx __rte_unused, struct rte_mbuf *pkt,\n+\t\tstruct ipsec_sa *sa, const struct eh_event_link_info *ev_link)\n+{\n+\tstruct ipsec_mbuf_metadata *priv;\n+\tstruct rte_ipsec_session *sess;\n+\tstruct rte_crypto_op *cop;\n+\tstruct rte_event cev;\n+\tint ret;\n+\n+\t/* Get IPsec session */\n+\tsess = ipsec_get_primary_session(sa);\n+\n+\t/* Get pkt private data */\n+\tpriv = get_priv(pkt);\n+\tcop = &priv->cop;\n+\n+\t/* Reset crypto operation data */\n+\tcrypto_op_reset(sess, &pkt, &cop, 1);\n+\n+\t/* Update event_ptr with rte_crypto_op */\n+\tcev.event = 0;\n+\tcev.event_ptr = cop;\n+\n+\t/* Enqueue event to crypto adapter */\n+\tret = rte_event_crypto_adapter_enqueue(ev_link->eventdev_id,\n+\t\t\tev_link->event_port_id, &cev, 1);\n+\tif (unlikely(ret <= 0)) {\n+\t\t/* pkt will be freed by the caller */\n+\t\tRTE_LOG_DP(DEBUG, IPSEC, \"Cannot enqueue event: %i (errno: %i)\\n\", ret, rte_errno);\n+\t\treturn rte_errno;\n+\t}\n+\n+\treturn 0;\n+}\n+\n static inline int\n process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,\n-\t\tstruct rte_event *ev)\n+\tconst struct eh_event_link_info *ev_link, struct rte_event *ev)\n {\n \tstruct ipsec_sa *sa = NULL;\n \tstruct rte_mbuf *pkt;\n@@ -337,7 +438,35 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,\n \t\t\tgoto drop_pkt_and_exit;\n \t\t}\n \t\tbreak;\n+\tcase PKT_TYPE_IPSEC_IPV4:\n+\t\trte_pktmbuf_adj(pkt, RTE_ETHER_HDR_LEN);\n+\t\tipv4_pkt_l3_len_set(pkt);\n+\t\tsad_lookup(&ctx->sa_ctx->sad, &pkt, (void **)&sa, 1);\n+\t\tsa = ipsec_mask_saptr(sa);\n+\t\tif (unlikely(sa == NULL)) {\n+\t\t\tRTE_LOG_DP(DEBUG, IPSEC, \"Cannot find sa\\n\");\n+\t\t\tgoto drop_pkt_and_exit;\n+\t\t}\n+\n+\t\tif (unlikely(event_crypto_enqueue(ctx, pkt, sa, ev_link)))\n+\t\t\tgoto drop_pkt_and_exit;\n+\n+\t\treturn PKT_POSTED;\n+\tcase PKT_TYPE_IPSEC_IPV6:\n+\t\trte_pktmbuf_adj(pkt, RTE_ETHER_HDR_LEN);\n+\t\tif (unlikely(ipv6_pkt_l3_len_set(pkt) != 0))\n+\t\t\tgoto drop_pkt_and_exit;\n+\t\tsad_lookup(&ctx->sa_ctx->sad, &pkt, (void **)&sa, 1);\n+\t\tsa = ipsec_mask_saptr(sa);\n+\t\tif (unlikely(sa == NULL)) {\n+\t\t\tRTE_LOG_DP(DEBUG, IPSEC, \"Cannot find sa\\n\");\n+\t\t\tgoto drop_pkt_and_exit;\n+\t\t}\n \n+\t\tif (unlikely(event_crypto_enqueue(ctx, pkt, sa, ev_link)))\n+\t\t\tgoto drop_pkt_and_exit;\n+\n+\t\treturn PKT_POSTED;\n \tdefault:\n \t\tRTE_LOG_DP(DEBUG, IPSEC_ESP, \"Unsupported packet type = %d\\n\",\n \t\t\t   type);\n@@ -386,7 +515,7 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,\n \n static inline int\n process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,\n-\t\tstruct rte_event *ev)\n+\t\tconst struct eh_event_link_info *ev_link, struct rte_event *ev)\n {\n \tstruct rte_ipsec_session *sess;\n \tstruct rte_ether_hdr *ethhdr;\n@@ -455,11 +584,9 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,\n \t/* Get IPsec session */\n \tsess = ipsec_get_primary_session(sa);\n \n-\t/* Allow only inline protocol for now */\n-\tif (unlikely(sess->type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)) {\n-\t\tRTE_LOG(ERR, IPSEC, \"SA type not supported\\n\");\n-\t\tgoto drop_pkt_and_exit;\n-\t}\n+\t/* Determine protocol type */\n+\tif (sess->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)\n+\t\tgoto lookaside;\n \n \trte_security_set_pkt_metadata(sess->security.ctx,\n \t\t\t\t      sess->security.ses, pkt, NULL);\n@@ -484,6 +611,13 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,\n \tipsec_event_pre_forward(pkt, port_id);\n \treturn PKT_FORWARDED;\n \n+lookaside:\n+\t/* prepare pkt - advance start to L3 */\n+\trte_pktmbuf_adj(pkt, RTE_ETHER_HDR_LEN);\n+\n+\tif (likely(event_crypto_enqueue(ctx, pkt, sa, ev_link) == 0))\n+\t\treturn PKT_POSTED;\n+\n drop_pkt_and_exit:\n \tRTE_LOG(ERR, IPSEC, \"Outbound packet dropped\\n\");\n \trte_pktmbuf_free(pkt);\n@@ -762,6 +896,67 @@ ipsec_ev_vector_drv_mode_process(struct eh_event_link_info *links,\n \t\trte_mempool_put(rte_mempool_from_obj(vec), vec);\n }\n \n+static inline int\n+ipsec_ev_cryptodev_process(const struct lcore_conf_ev_tx_int_port_wrkr *lconf,\n+\t\t\t   struct rte_event *ev)\n+{\n+\tstruct rte_ether_hdr *ethhdr;\n+\tstruct rte_crypto_op *cop;\n+\tstruct rte_mbuf *pkt;\n+\tuint16_t port_id;\n+\tstruct ip *ip;\n+\n+\t/* Get pkt data */\n+\tcop = ev->event_ptr;\n+\tpkt = cop->sym->m_src;\n+\n+\t/* If operation was not successful, drop the packet */\n+\tif (unlikely(cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS)) {\n+\t\tRTE_LOG_DP(INFO, IPSEC, \"Crypto operation failed\\n\");\n+\t\tfree_pkts(&pkt, 1);\n+\t\treturn PKT_DROPPED;\n+\t}\n+\n+\tip = rte_pktmbuf_mtod(pkt, struct ip *);\n+\n+\t/* Prepend Ether layer */\n+\tethhdr = (struct rte_ether_hdr *)rte_pktmbuf_prepend(pkt, RTE_ETHER_HDR_LEN);\n+\n+\t/* Route pkt and update required fields */\n+\tif (ip->ip_v == IPVERSION) {\n+\t\tpkt->ol_flags |= lconf->outbound.ipv4_offloads;\n+\t\tpkt->l3_len = sizeof(struct ip);\n+\t\tpkt->l2_len = RTE_ETHER_HDR_LEN;\n+\n+\t\tethhdr->ether_type = rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);\n+\n+\t\tport_id = route4_pkt(pkt, lconf->rt.rt4_ctx);\n+\t} else {\n+\t\tpkt->ol_flags |= lconf->outbound.ipv6_offloads;\n+\t\tpkt->l3_len = sizeof(struct ip6_hdr);\n+\t\tpkt->l2_len = RTE_ETHER_HDR_LEN;\n+\n+\t\tethhdr->ether_type = rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);\n+\n+\t\tport_id = route6_pkt(pkt, lconf->rt.rt6_ctx);\n+\t}\n+\n+\tif (unlikely(port_id == RTE_MAX_ETHPORTS)) {\n+\t\tRTE_LOG_DP(DEBUG, IPSEC, \"Cannot route processed packet\\n\");\n+\t\tfree_pkts(&pkt, 1);\n+\t\treturn PKT_DROPPED;\n+\t}\n+\n+\t/* Update Ether with port's MAC addresses */\n+\tmemcpy(&ethhdr->src_addr, &ethaddr_tbl[port_id].src, sizeof(struct rte_ether_addr));\n+\tmemcpy(&ethhdr->dst_addr, &ethaddr_tbl[port_id].dst, sizeof(struct rte_ether_addr));\n+\n+\t/* Update event */\n+\tev->mbuf = pkt;\n+\n+\treturn PKT_FORWARDED;\n+}\n+\n /*\n  * Event mode exposes various operating modes depending on the\n  * capabilities of the event device and the operating mode\n@@ -952,6 +1147,14 @@ ipsec_wrkr_non_burst_int_port_app_mode(struct eh_event_link_info *links,\n \t\t\"Launching event mode worker (non-burst - Tx internal port - \"\n \t\t\"app mode) on lcore %d\\n\", lcore_id);\n \n+\tret = ipsec_sad_lcore_cache_init(app_sa_prm.cache_sz);\n+\tif (ret != 0) {\n+\t\tRTE_LOG(ERR, IPSEC,\n+\t\t\t\"SAD cache init on lcore %u, failed with code: %d\\n\",\n+\t\t\tlcore_id, ret);\n+\t\treturn;\n+\t}\n+\n \t/* Check if it's single link */\n \tif (nb_links != 1) {\n \t\tRTE_LOG(INFO, IPSEC,\n@@ -978,6 +1181,20 @@ ipsec_wrkr_non_burst_int_port_app_mode(struct eh_event_link_info *links,\n \t\t\tipsec_ev_vector_process(&lconf, links, &ev);\n \t\t\tcontinue;\n \t\tcase RTE_EVENT_TYPE_ETHDEV:\n+\t\t\tif (is_unprotected_port(ev.mbuf->port))\n+\t\t\t\tret = process_ipsec_ev_inbound(&lconf.inbound,\n+\t\t\t\t\t\t\t\t&lconf.rt, links, &ev);\n+\t\t\telse\n+\t\t\t\tret = process_ipsec_ev_outbound(&lconf.outbound,\n+\t\t\t\t\t\t\t\t&lconf.rt, links, &ev);\n+\t\t\tif (ret != 1)\n+\t\t\t\t/* The pkt has been dropped or posted */\n+\t\t\t\tcontinue;\n+\t\t\tbreak;\n+\t\tcase RTE_EVENT_TYPE_CRYPTODEV:\n+\t\t\tret = ipsec_ev_cryptodev_process(&lconf, &ev);\n+\t\t\tif (unlikely(ret != PKT_FORWARDED))\n+\t\t\t\tcontinue;\n \t\t\tbreak;\n \t\tdefault:\n \t\t\tRTE_LOG(ERR, IPSEC, \"Invalid event type %u\",\n@@ -985,16 +1202,6 @@ ipsec_wrkr_non_burst_int_port_app_mode(struct eh_event_link_info *links,\n \t\t\tcontinue;\n \t\t}\n \n-\t\tif (is_unprotected_port(ev.mbuf->port))\n-\t\t\tret = process_ipsec_ev_inbound(&lconf.inbound,\n-\t\t\t\t\t\t\t&lconf.rt, &ev);\n-\t\telse\n-\t\t\tret = process_ipsec_ev_outbound(&lconf.outbound,\n-\t\t\t\t\t\t\t&lconf.rt, &ev);\n-\t\tif (ret != 1)\n-\t\t\t/* The pkt has been dropped */\n-\t\t\tcontinue;\n-\n \t\t/*\n \t\t * Since tx internal port is available, events can be\n \t\t * directly enqueued to the adapter and it would be\ndiff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c\nindex 396b9f9694..dc3627aacc 100644\n--- a/examples/ipsec-secgw/sa.c\n+++ b/examples/ipsec-secgw/sa.c\n@@ -1236,7 +1236,8 @@ static int\n sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \t\tuint32_t nb_entries, uint32_t inbound,\n \t\tstruct socket_ctx *skt_ctx,\n-\t\tstruct ipsec_ctx *ips_ctx[])\n+\t\tstruct ipsec_ctx *ips_ctx[],\n+\t\tconst struct eventmode_conf *em_conf)\n {\n \tstruct ipsec_sa *sa;\n \tuint32_t i, idx;\n@@ -1409,7 +1410,8 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \t\t\t\treturn -EINVAL;\n \t\t\t}\n \t\t} else {\n-\t\t\trc = create_lookaside_session(ips_ctx, skt_ctx, sa, ips);\n+\t\t\trc = create_lookaside_session(ips_ctx, skt_ctx,\n+\t\t\t\t\t\t      em_conf, sa, ips);\n \t\t\tif (rc != 0) {\n \t\t\t\tRTE_LOG(ERR, IPSEC_ESP,\n \t\t\t\t\t\"create_lookaside_session() failed\\n\");\n@@ -1432,17 +1434,19 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n static inline int\n sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \t\tuint32_t nb_entries, struct socket_ctx *skt_ctx,\n-\t\tstruct ipsec_ctx *ips_ctx[])\n+\t\tstruct ipsec_ctx *ips_ctx[],\n+\t\tconst struct eventmode_conf *em_conf)\n {\n-\treturn sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx, ips_ctx);\n+\treturn sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx, ips_ctx, em_conf);\n }\n \n static inline int\n sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \t\tuint32_t nb_entries, struct socket_ctx *skt_ctx,\n-\t\tstruct ipsec_ctx *ips_ctx[])\n+\t\tstruct ipsec_ctx *ips_ctx[],\n+\t\tconst struct eventmode_conf *em_conf)\n {\n-\treturn sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx, ips_ctx);\n+\treturn sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx, ips_ctx, em_conf);\n }\n \n /*\n@@ -1535,7 +1539,8 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa)\n  */\n static int\n ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size,\n-\t\tstruct socket_ctx *skt_ctx, struct ipsec_ctx *ips_ctx[])\n+\t\tstruct socket_ctx *skt_ctx, struct ipsec_ctx *ips_ctx[],\n+\t\tconst struct eventmode_conf *em_conf)\n {\n \tint rc;\n \tstruct rte_ipsec_sa_prm prm;\n@@ -1577,7 +1582,7 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size,\n \tif (lsa->fallback_sessions == 1) {\n \t\tstruct rte_ipsec_session *ipfs = ipsec_get_fallback_session(lsa);\n \t\tif (ipfs->security.ses == NULL) {\n-\t\t\trc = create_lookaside_session(ips_ctx, skt_ctx, lsa, ipfs);\n+\t\t\trc = create_lookaside_session(ips_ctx, skt_ctx, em_conf, lsa, ipfs);\n \t\t\tif (rc != 0)\n \t\t\t\treturn rc;\n \t\t}\n@@ -1593,7 +1598,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size,\n  */\n static int\n ipsec_satbl_init(struct sa_ctx *ctx, uint32_t nb_ent, int32_t socket,\n-\t\tstruct socket_ctx *skt_ctx, struct ipsec_ctx *ips_ctx[])\n+\t\tstruct socket_ctx *skt_ctx, struct ipsec_ctx *ips_ctx[],\n+\t\tconst struct eventmode_conf *em_conf)\n {\n \tint32_t rc, sz;\n \tuint32_t i, idx;\n@@ -1631,7 +1637,7 @@ ipsec_satbl_init(struct sa_ctx *ctx, uint32_t nb_ent, int32_t socket,\n \t\tsa = (struct rte_ipsec_sa *)((uintptr_t)ctx->satbl + sz * i);\n \t\tlsa = ctx->sa + idx;\n \n-\t\trc = ipsec_sa_init(lsa, sa, sz, skt_ctx, ips_ctx);\n+\t\trc = ipsec_sa_init(lsa, sa, sz, skt_ctx, ips_ctx, em_conf);\n \t}\n \n \treturn rc;\n@@ -1674,7 +1680,8 @@ sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound)\n \n void\n sa_init(struct socket_ctx *ctx, int32_t socket_id,\n-\t\tstruct lcore_conf *lcore_conf)\n+\tstruct lcore_conf *lcore_conf,\n+\tconst struct eventmode_conf *em_conf)\n {\n \tint32_t rc;\n \tconst char *name;\n@@ -1706,11 +1713,11 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id,\n \t\t\trte_exit(EXIT_FAILURE, \"failed to init SAD\\n\");\n \t\tRTE_LCORE_FOREACH(lcore_id)\n \t\t\tipsec_ctx[lcore_id] = &lcore_conf[lcore_id].inbound;\n-\t\tsa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx, ipsec_ctx);\n+\t\tsa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx, ipsec_ctx, em_conf);\n \n \t\tif (app_sa_prm.enable != 0) {\n \t\t\trc = ipsec_satbl_init(ctx->sa_in, nb_sa_in,\n-\t\t\t\tsocket_id, ctx, ipsec_ctx);\n+\t\t\t\tsocket_id, ctx, ipsec_ctx, em_conf);\n \t\t\tif (rc != 0)\n \t\t\t\trte_exit(EXIT_FAILURE,\n \t\t\t\t\t\"failed to init inbound SAs\\n\");\n@@ -1728,11 +1735,11 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id,\n \n \t\tRTE_LCORE_FOREACH(lcore_id)\n \t\t\tipsec_ctx[lcore_id] = &lcore_conf[lcore_id].outbound;\n-\t\tsa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx, ipsec_ctx);\n+\t\tsa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx, ipsec_ctx, em_conf);\n \n \t\tif (app_sa_prm.enable != 0) {\n \t\t\trc = ipsec_satbl_init(ctx->sa_out, nb_sa_out,\n-\t\t\t\tsocket_id, ctx, ipsec_ctx);\n+\t\t\t\tsocket_id, ctx, ipsec_ctx, em_conf);\n \t\t\tif (rc != 0)\n \t\t\t\trte_exit(EXIT_FAILURE,\n \t\t\t\t\t\"failed to init outbound SAs\\n\");\n",
    "prefixes": [
        "v3",
        "3/6"
    ]
}