Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/54737/?format=api
{ "id": 54737, "url": "http://patches.dpdk.org/api/patches/54737/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/patch/1560351121-21234-2-git-send-email-bernard.iremonger@intel.com/", "project": { "id": 1, "url": "http://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<1560351121-21234-2-git-send-email-bernard.iremonger@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/1560351121-21234-2-git-send-email-bernard.iremonger@intel.com", "date": "2019-06-12T14:52:00", "name": "[v6,1/2] examples/ipsec-secgw: fix 1st pkt dropped for inline crypto", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "2e34bc0e904fc0eab05418d66c1bede8c1905f06", "submitter": { "id": 91, "url": "http://patches.dpdk.org/api/people/91/?format=api", "name": "Iremonger, Bernard", "email": "bernard.iremonger@intel.com" }, "delegate": { "id": 6690, "url": "http://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patches.dpdk.org/project/dpdk/patch/1560351121-21234-2-git-send-email-bernard.iremonger@intel.com/mbox/", "series": [ { "id": 4925, "url": "http://patches.dpdk.org/api/series/4925/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=4925", "date": "2019-06-06T11:12:25", "name": "examples/ipsec-secgw: fix 1st pkt dropped", "version": 5, "mbox": "http://patches.dpdk.org/series/4925/mbox/" } ], "comments": "http://patches.dpdk.org/api/patches/54737/comments/", "check": "warning", "checks": "http://patches.dpdk.org/api/patches/54737/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@dpdk.org", "Delivered-To": "patchwork@dpdk.org", "Received": [ "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 4E3E91D0E5;\n\tWed, 12 Jun 2019 16:52:14 +0200 (CEST)", "from mga02.intel.com (mga02.intel.com [134.134.136.20])\n\tby dpdk.org (Postfix) with ESMTP id 903D41C1C6;\n\tWed, 12 Jun 2019 16:52:11 +0200 (CEST)", "from fmsmga004.fm.intel.com ([10.253.24.48])\n\tby orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t12 Jun 2019 07:52:10 -0700", "from sivswdev08.ir.intel.com (HELO localhost.localdomain)\n\t([10.237.217.47])\n\tby fmsmga004.fm.intel.com with ESMTP; 12 Jun 2019 07:52:08 -0700" ], "X-Amp-Result": "SKIPPED(no attachment in message)", "X-Amp-File-Uploaded": "False", "X-ExtLoop1": "1", "From": "Bernard Iremonger <bernard.iremonger@intel.com>", "To": "dev@dpdk.org,\n\tkonstantin.ananyev@intel.com,\n\takhil.goyal@nxp.com", "Cc": "Bernard Iremonger <bernard.iremonger@intel.com>,\n\tstable@dpdk.org", "Date": "Wed, 12 Jun 2019 15:52:00 +0100", "Message-Id": "<1560351121-21234-2-git-send-email-bernard.iremonger@intel.com>", "X-Mailer": "git-send-email 1.7.0.7", "In-Reply-To": "<1559819547-20742-1-git-send-email-bernard.iremonger@intel.com>", "References": "<1559819547-20742-1-git-send-email-bernard.iremonger@intel.com>", "Subject": "[dpdk-dev] [PATCH v6 1/2] examples/ipsec-secgw: fix 1st pkt dropped\n\tfor inline crypto", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Inline crypto installs a flow rule in the NIC. This flow\nrule must be installed before the first inbound packet is\nreceived.\n\nThe create_session() function installs the flow rule,\ncreate_session() has been refactored into create_inline_session()\nand create_lookaside_session(). The create_inline_session() function\nuses the socket_ctx data and is now called at initialisation in\nsa_add_rules().\n\nThe max_session_size() function has been added to calculate memory\nrequirements.\n\nThe cryprodev_init() function has been refactored to drop calls to\nrte_mempool_create() and to drop calculation of memory requirements.\n\nThe main() function has been refactored to call max_session_size() and\nto call session_pool_init() and session_priv_pool_init() earlier.\nThe ports are started now before adding a flow rule in main().\nThe sa_init(), sp4_init(), sp6_init() and rt_init() functions are\nnow called after the ports have been started.\n\nThe rte_ipsec_session_prepare() function is called in fill_ipsec_session()\nfor inline which is called from the ipsec_sa_init() function.\n\nFixes: ec17993a145a (\"examples/ipsec-secgw: support security offload\")\nFixes: d299106e8e31 (\"examples/ipsec-secgw: add IPsec sample application\")\nCc: stable@dpdk.org\n\nSigned-off-by: Bernard Iremonger <bernard.iremonger@intel.com>\n---\n examples/ipsec-secgw/ipsec-secgw.c | 244 ++++++++++---------\n examples/ipsec-secgw/ipsec.c | 449 +++++++++++++++++++----------------\n examples/ipsec-secgw/ipsec.h | 5 +-\n examples/ipsec-secgw/ipsec_process.c | 9 +-\n examples/ipsec-secgw/sa.c | 46 +++-\n 5 files changed, 403 insertions(+), 350 deletions(-)", "diff": "diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c\nindex 6c626fa..24876ba 100644\n--- a/examples/ipsec-secgw/ipsec-secgw.c\n+++ b/examples/ipsec-secgw/ipsec-secgw.c\n@@ -1628,7 +1628,7 @@ cryptodevs_init(void)\n \tstruct rte_cryptodev_config dev_conf;\n \tstruct rte_cryptodev_qp_conf qp_conf;\n \tuint16_t idx, max_nb_qps, qp, i;\n-\tint16_t cdev_id, port_id;\n+\tint16_t cdev_id;\n \tstruct rte_hash_parameters params = { 0 };\n \n \tparams.entries = CDEV_MAP_ENTRIES;\n@@ -1651,45 +1651,6 @@ cryptodevs_init(void)\n \n \tprintf(\"lcore/cryptodev/qp mappings:\\n\");\n \n-\tuint32_t max_sess_sz = 0, sess_sz;\n-\tfor (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {\n-\t\tvoid *sec_ctx;\n-\n-\t\t/* Get crypto priv session size */\n-\t\tsess_sz = rte_cryptodev_sym_get_private_session_size(cdev_id);\n-\t\tif (sess_sz > max_sess_sz)\n-\t\t\tmax_sess_sz = sess_sz;\n-\n-\t\t/*\n-\t\t * If crypto device is security capable, need to check the\n-\t\t * size of security session as well.\n-\t\t */\n-\n-\t\t/* Get security context of the crypto device */\n-\t\tsec_ctx = rte_cryptodev_get_sec_ctx(cdev_id);\n-\t\tif (sec_ctx == NULL)\n-\t\t\tcontinue;\n-\n-\t\t/* Get size of security session */\n-\t\tsess_sz = rte_security_session_get_size(sec_ctx);\n-\t\tif (sess_sz > max_sess_sz)\n-\t\t\tmax_sess_sz = sess_sz;\n-\t}\n-\tRTE_ETH_FOREACH_DEV(port_id) {\n-\t\tvoid *sec_ctx;\n-\n-\t\tif ((enabled_port_mask & (1 << port_id)) == 0)\n-\t\t\tcontinue;\n-\n-\t\tsec_ctx = rte_eth_dev_get_sec_ctx(port_id);\n-\t\tif (sec_ctx == NULL)\n-\t\t\tcontinue;\n-\n-\t\tsess_sz = rte_security_session_get_size(sec_ctx);\n-\t\tif (sess_sz > max_sess_sz)\n-\t\t\tmax_sess_sz = sess_sz;\n-\t}\n-\n \tidx = 0;\n \tfor (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {\n \t\tstruct rte_cryptodev_info cdev_info;\n@@ -1727,45 +1688,6 @@ cryptodevs_init(void)\n \t\t\t\t\"Device does not support at least %u \"\n \t\t\t\t\"sessions\", CDEV_MP_NB_OBJS);\n \n-\t\tif (!socket_ctx[dev_conf.socket_id].session_pool) {\n-\t\t\tchar mp_name[RTE_MEMPOOL_NAMESIZE];\n-\t\t\tstruct rte_mempool *sess_mp;\n-\n-\t\t\tsnprintf(mp_name, RTE_MEMPOOL_NAMESIZE,\n-\t\t\t\t\t\"sess_mp_%u\", dev_conf.socket_id);\n-\t\t\tsess_mp = rte_cryptodev_sym_session_pool_create(\n-\t\t\t\t\tmp_name, CDEV_MP_NB_OBJS,\n-\t\t\t\t\t0, CDEV_MP_CACHE_SZ, 0,\n-\t\t\t\t\tdev_conf.socket_id);\n-\t\t\tsocket_ctx[dev_conf.socket_id].session_pool = sess_mp;\n-\t\t}\n-\n-\t\tif (!socket_ctx[dev_conf.socket_id].session_priv_pool) {\n-\t\t\tchar mp_name[RTE_MEMPOOL_NAMESIZE];\n-\t\t\tstruct rte_mempool *sess_mp;\n-\n-\t\t\tsnprintf(mp_name, RTE_MEMPOOL_NAMESIZE,\n-\t\t\t\t\t\"sess_mp_priv_%u\", dev_conf.socket_id);\n-\t\t\tsess_mp = rte_mempool_create(mp_name,\n-\t\t\t\t\tCDEV_MP_NB_OBJS,\n-\t\t\t\t\tmax_sess_sz,\n-\t\t\t\t\tCDEV_MP_CACHE_SZ,\n-\t\t\t\t\t0, NULL, NULL, NULL,\n-\t\t\t\t\tNULL, dev_conf.socket_id,\n-\t\t\t\t\t0);\n-\t\t\tsocket_ctx[dev_conf.socket_id].session_priv_pool =\n-\t\t\t\t\tsess_mp;\n-\t\t}\n-\n-\t\tif (!socket_ctx[dev_conf.socket_id].session_priv_pool ||\n-\t\t\t\t!socket_ctx[dev_conf.socket_id].session_pool)\n-\t\t\trte_exit(EXIT_FAILURE,\n-\t\t\t\t\"Cannot create session pool on socket %d\\n\",\n-\t\t\t\tdev_conf.socket_id);\n-\t\telse\n-\t\t\tprintf(\"Allocated session pool on socket %d\\n\",\n-\t\t\t\t\tdev_conf.socket_id);\n-\n \t\tif (rte_cryptodev_configure(cdev_id, &dev_conf))\n \t\t\trte_panic(\"Failed to initialize cryptodev %u\\n\",\n \t\t\t\t\tcdev_id);\n@@ -1786,39 +1708,6 @@ cryptodevs_init(void)\n \t\t\t\t\tcdev_id);\n \t}\n \n-\t/* create session pools for eth devices that implement security */\n-\tRTE_ETH_FOREACH_DEV(port_id) {\n-\t\tif ((enabled_port_mask & (1 << port_id)) &&\n-\t\t\t\trte_eth_dev_get_sec_ctx(port_id)) {\n-\t\t\tint socket_id = rte_eth_dev_socket_id(port_id);\n-\n-\t\t\tif (!socket_ctx[socket_id].session_priv_pool) {\n-\t\t\t\tchar mp_name[RTE_MEMPOOL_NAMESIZE];\n-\t\t\t\tstruct rte_mempool *sess_mp;\n-\n-\t\t\t\tsnprintf(mp_name, RTE_MEMPOOL_NAMESIZE,\n-\t\t\t\t\t\t\"sess_mp_%u\", socket_id);\n-\t\t\t\tsess_mp = rte_mempool_create(mp_name,\n-\t\t\t\t\t\t(CDEV_MP_NB_OBJS * 2),\n-\t\t\t\t\t\tmax_sess_sz,\n-\t\t\t\t\t\tCDEV_MP_CACHE_SZ,\n-\t\t\t\t\t\t0, NULL, NULL, NULL,\n-\t\t\t\t\t\tNULL, socket_id,\n-\t\t\t\t\t\t0);\n-\t\t\t\tif (sess_mp == NULL)\n-\t\t\t\t\trte_exit(EXIT_FAILURE,\n-\t\t\t\t\t\t\"Cannot create session pool \"\n-\t\t\t\t\t\t\"on socket %d\\n\", socket_id);\n-\t\t\t\telse\n-\t\t\t\t\tprintf(\"Allocated session pool \"\n-\t\t\t\t\t\t\"on socket %d\\n\", socket_id);\n-\t\t\t\tsocket_ctx[socket_id].session_priv_pool =\n-\t\t\t\t\t\tsess_mp;\n-\t\t\t}\n-\t\t}\n-\t}\n-\n-\n \tprintf(\"\\n\");\n \n \treturn 0;\n@@ -1984,6 +1873,99 @@ port_init(uint16_t portid, uint64_t req_rx_offloads, uint64_t req_tx_offloads)\n \tprintf(\"\\n\");\n }\n \n+static size_t\n+max_session_size(void)\n+{\n+\tsize_t max_sz, sz;\n+\tvoid *sec_ctx;\n+\tint16_t cdev_id, port_id, n;\n+\n+\tmax_sz = 0;\n+\tn = rte_cryptodev_count();\n+\tfor (cdev_id = 0; cdev_id != n; cdev_id++) {\n+\t\tsz = rte_cryptodev_sym_get_private_session_size(cdev_id);\n+\t\tif (sz > max_sz)\n+\t\t\tmax_sz = sz;\n+\t\t/*\n+\t\t * If crypto device is security capable, need to check the\n+\t\t * size of security session as well.\n+\t\t */\n+\n+\t\t/* Get security context of the crypto device */\n+\t\tsec_ctx = rte_cryptodev_get_sec_ctx(cdev_id);\n+\t\tif (sec_ctx == NULL)\n+\t\t\tcontinue;\n+\n+\t\t/* Get size of security session */\n+\t\tsz = rte_security_session_get_size(sec_ctx);\n+\t\tif (sz > max_sz)\n+\t\t\tmax_sz = sz;\n+\t}\n+\n+\tRTE_ETH_FOREACH_DEV(port_id) {\n+\t\tif ((enabled_port_mask & (1 << port_id)) == 0)\n+\t\t\tcontinue;\n+\n+\t\tsec_ctx = rte_eth_dev_get_sec_ctx(port_id);\n+\t\tif (sec_ctx == NULL)\n+\t\t\tcontinue;\n+\n+\t\tsz = rte_security_session_get_size(sec_ctx);\n+\t\tif (sz > max_sz)\n+\t\t\tmax_sz = sz;\n+\t}\n+\n+\treturn max_sz;\n+}\n+\n+static void\n+session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)\n+{\n+\tchar mp_name[RTE_MEMPOOL_NAMESIZE];\n+\tstruct rte_mempool *sess_mp;\n+\n+\tsnprintf(mp_name, RTE_MEMPOOL_NAMESIZE,\n+\t\t\t\"sess_mp_%u\", socket_id);\n+\tsess_mp = rte_cryptodev_sym_session_pool_create(\n+\t\t\tmp_name, CDEV_MP_NB_OBJS,\n+\t\t\tsess_sz, CDEV_MP_CACHE_SZ, 0,\n+\t\t\tsocket_id);\n+\tctx->session_pool = sess_mp;\n+\n+\tif (ctx->session_pool == NULL)\n+\t\trte_exit(EXIT_FAILURE,\n+\t\t\t\"Cannot init session pool on socket %d\\n\", socket_id);\n+\telse\n+\t\tprintf(\"Allocated session pool on socket %d\\n\",\tsocket_id);\n+}\n+\n+static void\n+session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,\n+\tsize_t sess_sz)\n+{\n+\tchar mp_name[RTE_MEMPOOL_NAMESIZE];\n+\tstruct rte_mempool *sess_mp;\n+\n+\tsnprintf(mp_name, RTE_MEMPOOL_NAMESIZE,\n+\t\t\t\"sess_mp_priv_%u\", socket_id);\n+\tsess_mp = rte_mempool_create(mp_name,\n+\t\t\tCDEV_MP_NB_OBJS,\n+\t\t\tsess_sz,\n+\t\t\tCDEV_MP_CACHE_SZ,\n+\t\t\t0, NULL, NULL, NULL,\n+\t\t\tNULL, socket_id,\n+\t\t\t0);\n+\tctx->session_priv_pool = sess_mp;\n+\n+\tif (ctx->session_priv_pool == NULL)\n+\t\trte_exit(EXIT_FAILURE,\n+\t\t\t\"Cannot init session priv pool on socket %d\\n\",\n+\t\t\tsocket_id);\n+\telse\n+\t\tprintf(\"Allocated session priv pool on socket %d\\n\",\n+\t\t\tsocket_id);\n+}\n+\n static void\n pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf)\n {\n@@ -2064,9 +2046,11 @@ main(int32_t argc, char **argv)\n {\n \tint32_t ret;\n \tuint32_t lcore_id;\n+\tuint32_t i;\n \tuint8_t socket_id;\n \tuint16_t portid;\n \tuint64_t req_rx_offloads, req_tx_offloads;\n+\tsize_t sess_sz;\n \n \t/* init EAL */\n \tret = rte_eal_init(argc, argv);\n@@ -2094,7 +2078,8 @@ main(int32_t argc, char **argv)\n \n \tnb_lcores = rte_lcore_count();\n \n-\t/* Replicate each context per socket */\n+\tsess_sz = max_session_size();\n+\n \tfor (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {\n \t\tif (rte_lcore_is_enabled(lcore_id) == 0)\n \t\t\tcontinue;\n@@ -2104,20 +2089,14 @@ main(int32_t argc, char **argv)\n \t\telse\n \t\t\tsocket_id = 0;\n \n+\t\t/* mbuf_pool is initialised by the pool_init() function*/\n \t\tif (socket_ctx[socket_id].mbuf_pool)\n \t\t\tcontinue;\n \n-\t\t/* initilaze SPD */\n-\t\tsp4_init(&socket_ctx[socket_id], socket_id);\n-\n-\t\tsp6_init(&socket_ctx[socket_id], socket_id);\n-\n-\t\t/* initilaze SAD */\n-\t\tsa_init(&socket_ctx[socket_id], socket_id);\n-\n-\t\trt_init(&socket_ctx[socket_id], socket_id);\n-\n \t\tpool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);\n+\t\tsession_pool_init(&socket_ctx[socket_id], socket_id, sess_sz);\n+\t\tsession_priv_pool_init(&socket_ctx[socket_id], socket_id,\n+\t\t\tsess_sz);\n \t}\n \n \tRTE_ETH_FOREACH_DEV(portid) {\n@@ -2135,7 +2114,11 @@ main(int32_t argc, char **argv)\n \t\tif ((enabled_port_mask & (1 << portid)) == 0)\n \t\t\tcontinue;\n \n-\t\t/* Start device */\n+\t\t/*\n+\t\t * Start device\n+\t\t * note: device must be started before a flow rule\n+\t\t * can be installed.\n+\t\t */\n \t\tret = rte_eth_dev_start(portid);\n \t\tif (ret < 0)\n \t\t\trte_exit(EXIT_FAILURE, \"rte_eth_dev_start: \"\n@@ -2153,6 +2136,19 @@ main(int32_t argc, char **argv)\n \t\t\tRTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, NULL);\n \t}\n \n+\t/* Replicate each context per socket */\n+\tfor (i = 0; i < NB_SOCKETS && i < rte_socket_count(); i++) {\n+\t\tsocket_id = rte_socket_id_by_idx(i);\n+\t\tif ((socket_ctx[socket_id].mbuf_pool != NULL) &&\n+\t\t\t(socket_ctx[socket_id].sa_in == NULL) &&\n+\t\t\t(socket_ctx[socket_id].sa_out == NULL)) {\n+\t\t\tsa_init(&socket_ctx[socket_id], socket_id);\n+\t\t\tsp4_init(&socket_ctx[socket_id], socket_id);\n+\t\t\tsp6_init(&socket_ctx[socket_id], socket_id);\n+\t\t\trt_init(&socket_ctx[socket_id], socket_id);\n+\t\t}\n+\t}\n+\n \tcheck_all_ports_link_status(enabled_port_mask);\n \n \t/* launch per-lcore init on every lcore */\ndiff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c\nindex 7b85330..c06ddd6 100644\n--- a/examples/ipsec-secgw/ipsec.c\n+++ b/examples/ipsec-secgw/ipsec.c\n@@ -40,7 +40,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)\n }\n \n int\n-create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)\n+create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)\n {\n \tstruct rte_cryptodev_info cdev_info;\n \tunsigned long cdev_id_qp = 0;\n@@ -53,19 +53,17 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)\n \tkey.auth_algo = (uint8_t)sa->auth_algo;\n \tkey.aead_algo = (uint8_t)sa->aead_algo;\n \n-\tif (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) {\n-\t\tret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,\n-\t\t\t\t(void **)&cdev_id_qp);\n-\t\tif (ret < 0) {\n-\t\t\tRTE_LOG(ERR, IPSEC,\n+\tret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,\n+\t\t\t(void **)&cdev_id_qp);\n+\tif (ret < 0) {\n+\t\tRTE_LOG(ERR, IPSEC,\n \t\t\t\t\"No cryptodev: core %u, cipher_algo %u, \"\n \t\t\t\t\"auth_algo %u, aead_algo %u\\n\",\n \t\t\t\tkey.lcore_id,\n \t\t\t\tkey.cipher_algo,\n \t\t\t\tkey.auth_algo,\n \t\t\t\tkey.aead_algo);\n-\t\t\treturn -1;\n-\t\t}\n+\t\treturn -1;\n \t}\n \n \tRTE_LOG_DP(DEBUG, IPSEC, \"Create session for SA spi %u on cryptodev \"\n@@ -108,227 +106,267 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)\n \t\t\t\t\"SEC Session init failed: err: %d\\n\", ret);\n \t\t\t\treturn -1;\n \t\t\t}\n-\t\t} else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {\n-\t\t\tstruct rte_flow_error err;\n-\t\t\tstruct rte_security_ctx *ctx = (struct rte_security_ctx *)\n-\t\t\t\t\t\t\trte_eth_dev_get_sec_ctx(\n-\t\t\t\t\t\t\tsa->portid);\n-\t\t\tconst struct rte_security_capability *sec_cap;\n-\t\t\tint ret = 0;\n-\n-\t\t\tsa->sec_session = rte_security_session_create(ctx,\n-\t\t\t\t\t&sess_conf, ipsec_ctx->session_priv_pool);\n-\t\t\tif (sa->sec_session == NULL) {\n-\t\t\t\tRTE_LOG(ERR, IPSEC,\n-\t\t\t\t\"SEC Session init failed: err: %d\\n\", ret);\n+\t\t} else if (\n+\t\t\t(sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) ||\n+\t\t\t(sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)\n+\t\t\t) {\n+\t\t\t\tRTE_LOG(ERR, IPSEC, \"Inline not supported\\n\");\n \t\t\t\treturn -1;\n-\t\t\t}\n-\n-\t\t\tsec_cap = rte_security_capabilities_get(ctx);\n+\t\t}\n+\t} else {\n+\t\tsa->crypto_session = rte_cryptodev_sym_session_create(\n+\t\t\t\tipsec_ctx->session_pool);\n+\t\trte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,\n+\t\t\t\tsa->crypto_session, sa->xforms,\n+\t\t\t\tipsec_ctx->session_priv_pool);\n \n-\t\t\t/* iterate until ESP tunnel*/\n-\t\t\twhile (sec_cap->action !=\n-\t\t\t\t\tRTE_SECURITY_ACTION_TYPE_NONE) {\n+\t\trte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id,\n+\t\t\t\t&cdev_info);\n+\t}\n \n-\t\t\t\tif (sec_cap->action == sa->type &&\n-\t\t\t\t sec_cap->protocol ==\n-\t\t\t\t\tRTE_SECURITY_PROTOCOL_IPSEC &&\n-\t\t\t\t sec_cap->ipsec.mode ==\n-\t\t\t\t\tRTE_SECURITY_IPSEC_SA_MODE_TUNNEL &&\n-\t\t\t\t sec_cap->ipsec.direction == sa->direction)\n-\t\t\t\t\tbreak;\n-\t\t\t\tsec_cap++;\n-\t\t\t}\n+\tsa->cdev_id_qp = cdev_id_qp;\n \n-\t\t\tif (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {\n-\t\t\t\tRTE_LOG(ERR, IPSEC,\n-\t\t\t\t\"No suitable security capability found\\n\");\n-\t\t\t\treturn -1;\n-\t\t\t}\n+\treturn 0;\n+}\n \n-\t\t\tsa->ol_flags = sec_cap->ol_flags;\n-\t\t\tsa->security_ctx = ctx;\n-\t\t\tsa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;\n-\n-\t\t\tsa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;\n-\t\t\tsa->pattern[1].mask = &rte_flow_item_ipv4_mask;\n-\t\t\tif (sa->flags & IP6_TUNNEL) {\n-\t\t\t\tsa->pattern[1].spec = &sa->ipv6_spec;\n-\t\t\t\tmemcpy(sa->ipv6_spec.hdr.dst_addr,\n-\t\t\t\t\tsa->dst.ip.ip6.ip6_b, 16);\n-\t\t\t\tmemcpy(sa->ipv6_spec.hdr.src_addr,\n-\t\t\t\t sa->src.ip.ip6.ip6_b, 16);\n-\t\t\t} else {\n-\t\t\t\tsa->pattern[1].spec = &sa->ipv4_spec;\n-\t\t\t\tsa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;\n-\t\t\t\tsa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;\n-\t\t\t}\n+int\n+create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)\n+{\n+\tint32_t ret = 0;\n+\tstruct rte_security_ctx *sec_ctx;\n+\tstruct rte_security_session_conf sess_conf = {\n+\t\t.action_type = sa->type,\n+\t\t.protocol = RTE_SECURITY_PROTOCOL_IPSEC,\n+\t\t{.ipsec = {\n+\t\t\t.spi = sa->spi,\n+\t\t\t.salt = sa->salt,\n+\t\t\t.options = { 0 },\n+\t\t\t.direction = sa->direction,\n+\t\t\t.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,\n+\t\t\t.mode = (sa->flags == IP4_TUNNEL ||\n+\t\t\t\t\tsa->flags == IP6_TUNNEL) ?\n+\t\t\t\t\tRTE_SECURITY_IPSEC_SA_MODE_TUNNEL :\n+\t\t\t\t\tRTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,\n+\t\t} },\n+\t\t.crypto_xform = sa->xforms,\n+\t\t.userdata = NULL,\n+\t};\n+\n+\tRTE_LOG_DP(DEBUG, IPSEC, \"Create session for SA spi %u on port %u\\n\",\n+\t\tsa->spi, sa->portid);\n+\n+\tif (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {\n+\t\tstruct rte_flow_error err;\n+\t\tconst struct rte_security_capability *sec_cap;\n+\t\tint ret = 0;\n+\n+\t\tsec_ctx = (struct rte_security_ctx *)\n+\t\t\t\t\trte_eth_dev_get_sec_ctx(\n+\t\t\t\t\tsa->portid);\n+\t\tif (sec_ctx == NULL) {\n+\t\t\tRTE_LOG(ERR, IPSEC,\n+\t\t\t\t\" rte_eth_dev_get_sec_ctx failed\\n\");\n+\t\t\treturn -1;\n+\t\t}\n \n-\t\t\tsa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;\n-\t\t\tsa->pattern[2].spec = &sa->esp_spec;\n-\t\t\tsa->pattern[2].mask = &rte_flow_item_esp_mask;\n-\t\t\tsa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);\n+\t\tsa->sec_session = rte_security_session_create(sec_ctx,\n+\t\t\t\t&sess_conf, skt_ctx->session_pool);\n+\t\tif (sa->sec_session == NULL) {\n+\t\t\tRTE_LOG(ERR, IPSEC,\n+\t\t\t\t\"SEC Session init failed: err: %d\\n\", ret);\n+\t\t\treturn -1;\n+\t\t}\n \n-\t\t\tsa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;\n+\t\tsec_cap = rte_security_capabilities_get(sec_ctx);\n+\n+\t\t/* iterate until ESP tunnel*/\n+\t\twhile (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) {\n+\t\t\tif (sec_cap->action == sa->type &&\n+\t\t\t sec_cap->protocol ==\n+\t\t\t\tRTE_SECURITY_PROTOCOL_IPSEC &&\n+\t\t\t sec_cap->ipsec.mode ==\n+\t\t\t\tRTE_SECURITY_IPSEC_SA_MODE_TUNNEL &&\n+\t\t\t sec_cap->ipsec.direction == sa->direction)\n+\t\t\t\tbreak;\n+\t\t\tsec_cap++;\n+\t\t}\n \n-\t\t\tsa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;\n-\t\t\tsa->action[0].conf = sa->sec_session;\n+\t\tif (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {\n+\t\t\tRTE_LOG(ERR, IPSEC,\n+\t\t\t\t\"No suitable security capability found\\n\");\n+\t\t\treturn -1;\n+\t\t}\n \n-\t\t\tsa->action[1].type = RTE_FLOW_ACTION_TYPE_END;\n+\t\tsa->ol_flags = sec_cap->ol_flags;\n+\t\tsa->security_ctx = sec_ctx;\n+\t\tsa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;\n+\n+\t\tsa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;\n+\t\tsa->pattern[1].mask = &rte_flow_item_ipv4_mask;\n+\t\tif (sa->flags & IP6_TUNNEL) {\n+\t\t\tsa->pattern[1].spec = &sa->ipv6_spec;\n+\t\t\tmemcpy(sa->ipv6_spec.hdr.dst_addr,\n+\t\t\t\tsa->dst.ip.ip6.ip6_b, 16);\n+\t\t\tmemcpy(sa->ipv6_spec.hdr.src_addr,\n+\t\t\t sa->src.ip.ip6.ip6_b, 16);\n+\t\t} else {\n+\t\t\tsa->pattern[1].spec = &sa->ipv4_spec;\n+\t\t\tsa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;\n+\t\t\tsa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;\n+\t\t}\n \n-\t\t\tsa->attr.egress = (sa->direction ==\n-\t\t\t\t\tRTE_SECURITY_IPSEC_SA_DIR_EGRESS);\n-\t\t\tsa->attr.ingress = (sa->direction ==\n-\t\t\t\t\tRTE_SECURITY_IPSEC_SA_DIR_INGRESS);\n-\t\t\tif (sa->attr.ingress) {\n-\t\t\t\tuint8_t rss_key[40];\n-\t\t\t\tstruct rte_eth_rss_conf rss_conf = {\n-\t\t\t\t\t.rss_key = rss_key,\n-\t\t\t\t\t.rss_key_len = 40,\n-\t\t\t\t};\n-\t\t\t\tstruct rte_eth_dev *eth_dev;\n-\t\t\t\tuint16_t queue[RTE_MAX_QUEUES_PER_PORT];\n-\t\t\t\tstruct rte_flow_action_rss action_rss;\n-\t\t\t\tunsigned int i;\n-\t\t\t\tunsigned int j;\n-\n-\t\t\t\tsa->action[2].type = RTE_FLOW_ACTION_TYPE_END;\n-\t\t\t\t/* Try RSS. */\n-\t\t\t\tsa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;\n-\t\t\t\tsa->action[1].conf = &action_rss;\n-\t\t\t\teth_dev = ctx->device;\n-\t\t\t\trte_eth_dev_rss_hash_conf_get(sa->portid,\n-\t\t\t\t\t\t\t &rss_conf);\n-\t\t\t\tfor (i = 0, j = 0;\n-\t\t\t\t i < eth_dev->data->nb_rx_queues; ++i)\n-\t\t\t\t\tif (eth_dev->data->rx_queues[i])\n-\t\t\t\t\t\tqueue[j++] = i;\n-\t\t\t\taction_rss = (struct rte_flow_action_rss){\n+\t\tsa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;\n+\t\tsa->pattern[2].spec = &sa->esp_spec;\n+\t\tsa->pattern[2].mask = &rte_flow_item_esp_mask;\n+\t\tsa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);\n+\n+\t\tsa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;\n+\n+\t\tsa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;\n+\t\tsa->action[0].conf = sa->sec_session;\n+\n+\t\tsa->action[1].type = RTE_FLOW_ACTION_TYPE_END;\n+\n+\t\tsa->attr.egress = (sa->direction ==\n+\t\t\t\tRTE_SECURITY_IPSEC_SA_DIR_EGRESS);\n+\t\tsa->attr.ingress = (sa->direction ==\n+\t\t\t\tRTE_SECURITY_IPSEC_SA_DIR_INGRESS);\n+\t\tif (sa->attr.ingress) {\n+\t\t\tuint8_t rss_key[40];\n+\t\t\tstruct rte_eth_rss_conf rss_conf = {\n+\t\t\t\t.rss_key = rss_key,\n+\t\t\t\t.rss_key_len = 40,\n+\t\t\t};\n+\t\t\tstruct rte_eth_dev *eth_dev;\n+\t\t\tuint16_t queue[RTE_MAX_QUEUES_PER_PORT];\n+\t\t\tstruct rte_flow_action_rss action_rss;\n+\t\t\tunsigned int i;\n+\t\t\tunsigned int j;\n+\n+\t\t\tsa->action[2].type = RTE_FLOW_ACTION_TYPE_END;\n+\t\t\t/* Try RSS. */\n+\t\t\tsa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;\n+\t\t\tsa->action[1].conf = &action_rss;\n+\t\t\teth_dev = sec_ctx->device;\n+\t\t\trte_eth_dev_rss_hash_conf_get(sa->portid, &rss_conf);\n+\t\t\tfor (i = 0, j = 0;\n+\t\t\t i < eth_dev->data->nb_rx_queues; ++i)\n+\t\t\t\tif (eth_dev->data->rx_queues[i])\n+\t\t\t\t\tqueue[j++] = i;\n+\n+\t\t\taction_rss = (struct rte_flow_action_rss){\n \t\t\t\t\t.types = rss_conf.rss_hf,\n \t\t\t\t\t.key_len = rss_conf.rss_key_len,\n \t\t\t\t\t.queue_num = j,\n \t\t\t\t\t.key = rss_key,\n \t\t\t\t\t.queue = queue,\n-\t\t\t\t};\n-\t\t\t\tret = rte_flow_validate(sa->portid, &sa->attr,\n-\t\t\t\t\t\t\tsa->pattern, sa->action,\n-\t\t\t\t\t\t\t&err);\n-\t\t\t\tif (!ret)\n-\t\t\t\t\tgoto flow_create;\n-\t\t\t\t/* Try Queue. */\n-\t\t\t\tsa->action[1].type = RTE_FLOW_ACTION_TYPE_QUEUE;\n-\t\t\t\tsa->action[1].conf =\n-\t\t\t\t\t&(struct rte_flow_action_queue){\n-\t\t\t\t\t.index = 0,\n-\t\t\t\t};\n-\t\t\t\tret = rte_flow_validate(sa->portid, &sa->attr,\n-\t\t\t\t\t\t\tsa->pattern, sa->action,\n-\t\t\t\t\t\t\t&err);\n-\t\t\t\t/* Try End. */\n-\t\t\t\tsa->action[1].type = RTE_FLOW_ACTION_TYPE_END;\n-\t\t\t\tsa->action[1].conf = NULL;\n-\t\t\t\tret = rte_flow_validate(sa->portid, &sa->attr,\n-\t\t\t\t\t\t\tsa->pattern, sa->action,\n-\t\t\t\t\t\t\t&err);\n-\t\t\t\tif (ret)\n-\t\t\t\t\tgoto flow_create_failure;\n-\t\t\t} else if (sa->attr.egress &&\n-\t\t\t\t (sa->ol_flags &\n+\t\t\t};\n+\t\t\tret = rte_flow_validate(sa->portid, &sa->attr,\n+\t\t\t\t\t\tsa->pattern, sa->action,\n+\t\t\t\t\t\t&err);\n+\t\t\tif (!ret)\n+\t\t\t\tgoto flow_create;\n+\t\t\t/* Try Queue. */\n+\t\t\tsa->action[1].type = RTE_FLOW_ACTION_TYPE_QUEUE;\n+\t\t\tsa->action[1].conf =\n+\t\t\t\t&(struct rte_flow_action_queue){\n+\t\t\t\t.index = 0,\n+\t\t\t};\n+\t\t\tret = rte_flow_validate(sa->portid, &sa->attr,\n+\t\t\t\t\t\tsa->pattern, sa->action,\n+\t\t\t\t\t\t&err);\n+\t\t\t/* Try End. */\n+\t\t\tsa->action[1].type = RTE_FLOW_ACTION_TYPE_END;\n+\t\t\tsa->action[1].conf = NULL;\n+\t\t\tret = rte_flow_validate(sa->portid, &sa->attr,\n+\t\t\t\t\t\tsa->pattern, sa->action,\n+\t\t\t\t\t\t&err);\n+\t\t\tif (ret)\n+\t\t\t\tgoto flow_create_failure;\n+\t\t} else if (sa->attr.egress &&\n+\t\t\t (sa->ol_flags &\n \t\t\t\t RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {\n-\t\t\t\tsa->action[1].type =\n+\t\t\tsa->action[1].type =\n \t\t\t\t\tRTE_FLOW_ACTION_TYPE_PASSTHRU;\n-\t\t\t\tsa->action[2].type =\n+\t\t\tsa->action[2].type =\n \t\t\t\t\tRTE_FLOW_ACTION_TYPE_END;\n-\t\t\t}\n+\t\t}\n flow_create:\n-\t\t\tsa->flow = rte_flow_create(sa->portid,\n+\t\tsa->flow = rte_flow_create(sa->portid,\n \t\t\t\t&sa->attr, sa->pattern, sa->action, &err);\n-\t\t\tif (sa->flow == NULL) {\n+\t\tif (sa->flow == NULL) {\n flow_create_failure:\n-\t\t\t\tRTE_LOG(ERR, IPSEC,\n-\t\t\t\t\t\"Failed to create ipsec flow msg: %s\\n\",\n-\t\t\t\t\terr.message);\n-\t\t\t\treturn -1;\n-\t\t\t}\n-\t\t} else if (sa->type ==\n-\t\t\t\tRTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {\n-\t\t\tstruct rte_security_ctx *ctx =\n-\t\t\t\t\t(struct rte_security_ctx *)\n-\t\t\t\t\trte_eth_dev_get_sec_ctx(sa->portid);\n-\t\t\tconst struct rte_security_capability *sec_cap;\n-\n-\t\t\tif (ctx == NULL) {\n-\t\t\t\tRTE_LOG(ERR, IPSEC,\n-\t\t\t\t\"Ethernet device doesn't have security features registered\\n\");\n-\t\t\t\treturn -1;\n-\t\t\t}\n-\n-\t\t\t/* Set IPsec parameters in conf */\n-\t\t\tset_ipsec_conf(sa, &(sess_conf.ipsec));\n+\t\t\tRTE_LOG(ERR, IPSEC,\n+\t\t\t\t\"Failed to create ipsec flow msg: %s\\n\",\n+\t\t\t\terr.message);\n+\t\t\treturn -1;\n+\t\t}\n+\t} else if (sa->type ==\tRTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {\n+\t\tconst struct rte_security_capability *sec_cap;\n \n-\t\t\t/* Save SA as userdata for the security session. When\n-\t\t\t * the packet is received, this userdata will be\n-\t\t\t * retrieved using the metadata from the packet.\n-\t\t\t *\n-\t\t\t * The PMD is expected to set similar metadata for other\n-\t\t\t * operations, like rte_eth_event, which are tied to\n-\t\t\t * security session. In such cases, the userdata could\n-\t\t\t * be obtained to uniquely identify the security\n-\t\t\t * parameters denoted.\n-\t\t\t */\n+\t\tsec_ctx = (struct rte_security_ctx *)\n+\t\t\t\trte_eth_dev_get_sec_ctx(sa->portid);\n \n-\t\t\tsess_conf.userdata = (void *) sa;\n+\t\tif (sec_ctx == NULL) {\n+\t\t\tRTE_LOG(ERR, IPSEC,\n+\t\t\t\t\"Ethernet device doesn't have security features registered\\n\");\n+\t\t\treturn -1;\n+\t\t}\n \n-\t\t\tsa->sec_session = rte_security_session_create(ctx,\n-\t\t\t\t\t&sess_conf, ipsec_ctx->session_pool);\n-\t\t\tif (sa->sec_session == NULL) {\n-\t\t\t\tRTE_LOG(ERR, IPSEC,\n+\t\t/* Set IPsec parameters in conf */\n+\t\tset_ipsec_conf(sa, &(sess_conf.ipsec));\n+\n+\t\t/* Save SA as userdata for the security session. When\n+\t\t * the packet is received, this userdata will be\n+\t\t * retrieved using the metadata from the packet.\n+\t\t *\n+\t\t * The PMD is expected to set similar metadata for other\n+\t\t * operations, like rte_eth_event, which are tied to\n+\t\t * security session. In such cases, the userdata could\n+\t\t * be obtained to uniquely identify the security\n+\t\t * parameters denoted.\n+\t\t */\n+\n+\t\tsess_conf.userdata = (void *) sa;\n+\n+\t\tsa->sec_session = rte_security_session_create(sec_ctx,\n+\t\t\t\t\t&sess_conf, skt_ctx->session_pool);\n+\t\tif (sa->sec_session == NULL) {\n+\t\t\tRTE_LOG(ERR, IPSEC,\n \t\t\t\t\"SEC Session init failed: err: %d\\n\", ret);\n-\t\t\t\treturn -1;\n-\t\t\t}\n-\n-\t\t\tsec_cap = rte_security_capabilities_get(ctx);\n+\t\t\treturn -1;\n+\t\t}\n \n-\t\t\tif (sec_cap == NULL) {\n-\t\t\t\tRTE_LOG(ERR, IPSEC,\n+\t\tsec_cap = rte_security_capabilities_get(sec_ctx);\n+\t\tif (sec_cap == NULL) {\n+\t\t\tRTE_LOG(ERR, IPSEC,\n \t\t\t\t\"No capabilities registered\\n\");\n-\t\t\t\treturn -1;\n-\t\t\t}\n+\t\t\treturn -1;\n+\t\t}\n \n-\t\t\t/* iterate until ESP tunnel*/\n-\t\t\twhile (sec_cap->action !=\n-\t\t\t\t\tRTE_SECURITY_ACTION_TYPE_NONE) {\n-\n-\t\t\t\tif (sec_cap->action == sa->type &&\n-\t\t\t\t sec_cap->protocol ==\n-\t\t\t\t\tRTE_SECURITY_PROTOCOL_IPSEC &&\n-\t\t\t\t sec_cap->ipsec.mode ==\n-\t\t\t\t\tRTE_SECURITY_IPSEC_SA_MODE_TUNNEL &&\n-\t\t\t\t sec_cap->ipsec.direction == sa->direction)\n-\t\t\t\t\tbreak;\n-\t\t\t\tsec_cap++;\n-\t\t\t}\n+\t\t/* iterate until ESP tunnel*/\n+\t\twhile (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) {\n+\t\t\tif (sec_cap->action == sa->type &&\n+\t\t\t sec_cap->protocol ==\n+\t\t\t\tRTE_SECURITY_PROTOCOL_IPSEC &&\n+\t\t\t sec_cap->ipsec.mode ==\n+\t\t\t\tRTE_SECURITY_IPSEC_SA_MODE_TUNNEL &&\n+\t\t\t sec_cap->ipsec.direction == sa->direction)\n+\t\t\t\tbreak;\n+\t\t\tsec_cap++;\n+\t\t}\n \n-\t\t\tif (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {\n-\t\t\t\tRTE_LOG(ERR, IPSEC,\n+\t\tif (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {\n+\t\t\tRTE_LOG(ERR, IPSEC,\n \t\t\t\t\"No suitable security capability found\\n\");\n-\t\t\t\treturn -1;\n-\t\t\t}\n-\n-\t\t\tsa->ol_flags = sec_cap->ol_flags;\n-\t\t\tsa->security_ctx = ctx;\n+\t\t\treturn -1;\n \t\t}\n-\t} else {\n-\t\tsa->crypto_session = rte_cryptodev_sym_session_create(\n-\t\t\t\tipsec_ctx->session_pool);\n-\t\trte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,\n-\t\t\t\tsa->crypto_session, sa->xforms,\n-\t\t\t\tipsec_ctx->session_priv_pool);\n \n-\t\trte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id,\n-\t\t\t\t&cdev_info);\n+\t\tsa->ol_flags = sec_cap->ol_flags;\n+\t\tsa->security_ctx = sec_ctx;\n \t}\n-\tsa->cdev_id_qp = cdev_id_qp;\n+\n+\tsa->cdev_id_qp = 0;\n \n \treturn 0;\n }\n@@ -395,7 +433,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,\n \t\t\trte_prefetch0(&priv->sym_cop);\n \n \t\t\tif ((unlikely(sa->sec_session == NULL)) &&\n-\t\t\t\t\tcreate_session(ipsec_ctx, sa)) {\n+\t\t\t\tcreate_lookaside_session(ipsec_ctx, sa)) {\n \t\t\t\trte_pktmbuf_free(pkts[i]);\n \t\t\t\tcontinue;\n \t\t\t}\n@@ -414,7 +452,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,\n \t\t\trte_prefetch0(&priv->sym_cop);\n \n \t\t\tif ((unlikely(sa->crypto_session == NULL)) &&\n-\t\t\t\t\tcreate_session(ipsec_ctx, sa)) {\n+\t\t\t\tcreate_lookaside_session(ipsec_ctx, sa)) {\n \t\t\t\trte_pktmbuf_free(pkts[i]);\n \t\t\t\tcontinue;\n \t\t\t}\n@@ -429,12 +467,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,\n \t\t\t}\n \t\t\tbreak;\n \t\tcase RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:\n-\t\t\tif ((unlikely(sa->sec_session == NULL)) &&\n-\t\t\t\t\tcreate_session(ipsec_ctx, sa)) {\n-\t\t\t\trte_pktmbuf_free(pkts[i]);\n-\t\t\t\tcontinue;\n-\t\t\t}\n-\n+\t\t\tRTE_ASSERT(sa->sec_session != NULL);\n \t\t\tipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];\n \t\t\tif (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)\n \t\t\t\trte_security_set_pkt_metadata(\n@@ -442,17 +475,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,\n \t\t\t\t\t\tsa->sec_session, pkts[i], NULL);\n \t\t\tcontinue;\n \t\tcase RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:\n+\t\t\tRTE_ASSERT(sa->sec_session != NULL);\n \t\t\tpriv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;\n \t\t\tpriv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;\n \n \t\t\trte_prefetch0(&priv->sym_cop);\n-\n-\t\t\tif ((unlikely(sa->sec_session == NULL)) &&\n-\t\t\t\t\tcreate_session(ipsec_ctx, sa)) {\n-\t\t\t\trte_pktmbuf_free(pkts[i]);\n-\t\t\t\tcontinue;\n-\t\t\t}\n-\n \t\t\trte_security_attach_session(&priv->cop,\n \t\t\t\t\tsa->sec_session);\n \ndiff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h\nindex e9272d7..41bac0b 100644\n--- a/examples/ipsec-secgw/ipsec.h\n+++ b/examples/ipsec-secgw/ipsec.h\n@@ -312,6 +312,9 @@ void\n enqueue_cop_burst(struct cdev_qp *cqp);\n \n int\n-create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa);\n+create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa);\n+\n+int\n+create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa);\n \n #endif /* __IPSEC_H__ */\ndiff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c\nindex 3f9cacb..868f1a2 100644\n--- a/examples/ipsec-secgw/ipsec_process.c\n+++ b/examples/ipsec-secgw/ipsec_process.c\n@@ -95,22 +95,23 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx,\n \t/* setup crypto section */\n \tif (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {\n \t\tif (sa->crypto_session == NULL) {\n-\t\t\trc = create_session(ctx, sa);\n+\t\t\trc = create_lookaside_session(ctx, sa);\n \t\t\tif (rc != 0)\n \t\t\t\treturn rc;\n \t\t}\n \t\tss->crypto.ses = sa->crypto_session;\n \t/* setup session action type */\n-\t} else {\n+\t} else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {\n \t\tif (sa->sec_session == NULL) {\n-\t\t\trc = create_session(ctx, sa);\n+\t\t\trc = create_lookaside_session(ctx, sa);\n \t\t\tif (rc != 0)\n \t\t\t\treturn rc;\n \t\t}\n \t\tss->security.ses = sa->sec_session;\n \t\tss->security.ctx = sa->security_ctx;\n \t\tss->security.ol_flags = sa->ol_flags;\n-\t}\n+\t} else\n+\t\tRTE_ASSERT(0);\n \n \trc = rte_ipsec_session_prepare(ss);\n \tif (rc != 0)\ndiff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c\nindex 8d47d1d..e8e55bf 100644\n--- a/examples/ipsec-secgw/sa.c\n+++ b/examples/ipsec-secgw/sa.c\n@@ -777,11 +777,13 @@ check_eth_dev_caps(uint16_t portid, uint32_t inbound)\n \n static int\n sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n-\t\tuint32_t nb_entries, uint32_t inbound)\n+\t\tuint32_t nb_entries, uint32_t inbound,\n+\t\tstruct socket_ctx *skt_ctx)\n {\n \tstruct ipsec_sa *sa;\n \tuint32_t i, idx;\n \tuint16_t iv_length, aad_length;\n+\tint32_t rc;\n \n \t/* for ESN upper 32 bits of SQN also need to be part of AAD */\n \taad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0;\n@@ -834,6 +836,17 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \n \t\t\tsa->xforms = &sa_ctx->xf[idx].a;\n \n+\t\t\tif (sa->type ==\n+\t\t\t\tRTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||\n+\t\t\t\tsa->type ==\n+\t\t\t\tRTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {\n+\t\t\t\trc = create_inline_session(skt_ctx, sa);\n+\t\t\t\tif (rc != 0) {\n+\t\t\t\t\tRTE_LOG(ERR, IPSEC_ESP,\n+\t\t\t\t\t\t\"create_inline_session() failed\\n\");\n+\t\t\t\t\treturn -EINVAL;\n+\t\t\t\t}\n+\t\t\t}\n \t\t\tprint_one_sa_rule(sa, inbound);\n \t\t} else {\n \t\t\tswitch (sa->cipher_algo) {\n@@ -909,16 +922,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \n static inline int\n sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n-\t\tuint32_t nb_entries)\n+\t\tuint32_t nb_entries, struct socket_ctx *skt_ctx)\n {\n-\treturn sa_add_rules(sa_ctx, entries, nb_entries, 0);\n+\treturn sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx);\n }\n \n static inline int\n sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n-\t\tuint32_t nb_entries)\n+\t\tuint32_t nb_entries, struct socket_ctx *skt_ctx)\n {\n-\treturn sa_add_rules(sa_ctx, entries, nb_entries, 1);\n+\treturn sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx);\n }\n \n /*\n@@ -1012,10 +1025,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,\n \treturn 0;\n }\n \n-static void\n+static int\n fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,\n \tconst struct ipsec_sa *lsa)\n {\n+\tint32_t rc = 0;\n+\n \tss->sa = sa;\n \tss->type = lsa->type;\n \n@@ -1028,6 +1043,17 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,\n \t\tss->security.ctx = lsa->security_ctx;\n \t\tss->security.ol_flags = lsa->ol_flags;\n \t}\n+\n+\tif (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||\n+\t\tss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {\n+\t\tif (ss->security.ses != NULL) {\n+\t\t\trc = rte_ipsec_session_prepare(ss);\n+\t\t\tif (rc != 0)\n+\t\t\t\tmemset(ss, 0, sizeof(*ss));\n+\t\t}\n+\t}\n+\n+\treturn rc;\n }\n \n /*\n@@ -1062,8 +1088,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size)\n \tif (rc < 0)\n \t\treturn rc;\n \n-\tfill_ipsec_session(&lsa->ips, sa, lsa);\n-\treturn 0;\n+\trc = fill_ipsec_session(&lsa->ips, sa, lsa);\n+\treturn rc;\n }\n \n /*\n@@ -1166,7 +1192,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)\n \t\t\t\t\"context %s in socket %d\\n\", rte_errno,\n \t\t\t\tname, socket_id);\n \n-\t\tsa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in);\n+\t\tsa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx);\n \n \t\tif (app_sa_prm.enable != 0) {\n \t\t\trc = ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in,\n@@ -1186,7 +1212,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)\n \t\t\t\t\"context %s in socket %d\\n\", rte_errno,\n \t\t\t\tname, socket_id);\n \n-\t\tsa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out);\n+\t\tsa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx);\n \n \t\tif (app_sa_prm.enable != 0) {\n \t\t\trc = ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out,\n", "prefixes": [ "v6", "1/2" ] }