From patchwork Wed Apr 27 09:20:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Volodymyr Fialko X-Patchwork-Id: 110325 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id CD227A0507; Wed, 27 Apr 2022 11:20:32 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id BD2E7410DC; Wed, 27 Apr 2022 11:20:32 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 11B7B40691 for ; Wed, 27 Apr 2022 11:20:30 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23R80ajW014848; Wed, 27 Apr 2022 02:20:30 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=1bYzGq63gsMAieLILumFpwgp63cJ2NJJZ6xuFliOvuA=; b=BI1fpXJotnBDdrLovdAQPL2IP8j7VnoZUO4Xmgc0Zus2SUJLEbWMSbthvOhZtK2sXAiq OUg5wmjPTCzX8CFavz8oOStKLQayQZQlpN2ZmITcn4o25LGWGYZqx7087XTnWIISK3Vi edFarGly0efSLvNGDvIHTA2kuWWjIRk5XLvKUKhsBw0R4xiKLOV0YgDs5eh01zpwBPcj mxY0p7Vy/PJEJfrFCfQGyKnfxG+kMA3D1NeV1/Z7yU2SyPUgf9bO0ydmTWPPFdroLNft iTakem6DvZX8+SHo4Wp352LKIo2LUPbYlQz7CakNJd3VztM2y0ntXAgqhJ92B863v468 Lg== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3fprt4j2x6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 27 Apr 2022 02:20:30 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 27 Apr 2022 02:20:27 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 27 Apr 2022 02:20:28 -0700 Received: from localhost.localdomain (unknown [10.28.34.39]) by maili.marvell.com (Postfix) with ESMTP id AF6973F707B; Wed, 27 Apr 2022 02:20:25 -0700 (PDT) From: Volodymyr Fialko To: , Radu Nicolau , Akhil Goyal CC: , , , Volodymyr Fialko Subject: [PATCH 1/1] examples/ipsec-secgw: create lookaside sessions at init Date: Wed, 27 Apr 2022 11:20:20 +0200 Message-ID: <20220427092020.2506177-1-vfialko@marvell.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: xjDI0rTunLgplDPyszeq7o5PB8CEoYTZ X-Proofpoint-GUID: xjDI0rTunLgplDPyszeq7o5PB8CEoYTZ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-27_03,2022-04-26_02,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org In event lookaside mode same session could be handled with multiple cores, and session creation in datapath will cause situation where multiple cores will try to create same session simultaneously. To avoid such case and enable event lookaside mode in future, lookaside sessions are now created at initialization in sa_add_rules(). All sessions(inline and lookaside) now created during init process, so session pool information was removed from ipsec context. Core id was added to obtain correct crypto device queue pair for the current core. Signed-off-by: Volodymyr Fialko Acked-by: Akhil Goyal --- Depends-on: series-22265 ("examples/ipsec-secgw: examples/ipsec-secgw: destroy lookaside sessions") Depends-on: series-22593 ("examples/ipsec-secgw: move fast path helper functions") examples/ipsec-secgw/ipsec-secgw.c | 27 +++---- examples/ipsec-secgw/ipsec.c | 101 +++++++++++++++++---------- examples/ipsec-secgw/ipsec.h | 13 ++-- examples/ipsec-secgw/ipsec_process.c | 33 +++------ examples/ipsec-secgw/ipsec_worker.c | 8 +-- examples/ipsec-secgw/sa.c | 45 +++++++----- 6 files changed, 121 insertions(+), 106 deletions(-) diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 57acc01e3b..05b57ce3f5 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -684,16 +684,12 @@ ipsec_poll_mode_worker(void) qconf->inbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_in; qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_in; qconf->inbound.cdev_map = cdev_map_in; - qconf->inbound.session_pool = socket_ctx[socket_id].session_pool; - qconf->inbound.session_priv_pool = - socket_ctx[socket_id].session_priv_pool; + qconf->inbound.lcore_id = lcore_id; qconf->outbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_out; qconf->outbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_out; qconf->outbound.sa_ctx = socket_ctx[socket_id].sa_out; qconf->outbound.cdev_map = cdev_map_out; - qconf->outbound.session_pool = socket_ctx[socket_id].session_pool; - qconf->outbound.session_priv_pool = - socket_ctx[socket_id].session_priv_pool; + qconf->outbound.lcore_id = lcore_id; qconf->frag.pool_indir = socket_ctx[socket_id].mbuf_pool_indir; rc = ipsec_sad_lcore_cache_init(app_sa_prm.cache_sz); @@ -1458,7 +1454,7 @@ check_all_ports_link_status(uint32_t port_mask) } static int32_t -add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id, +add_mapping(const char *str, uint16_t cdev_id, uint16_t qp, struct lcore_params *params, struct ipsec_ctx *ipsec_ctx, const struct rte_cryptodev_capabilities *cipher, @@ -1477,7 +1473,7 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id, if (aead) key.aead_algo = aead->sym.aead.algo; - ret = rte_hash_lookup(map, &key); + ret = rte_hash_lookup(ipsec_ctx->cdev_map, &key); if (ret != -ENOENT) return 0; @@ -1499,7 +1495,7 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id, cdev_id, qp, i); } - ret = rte_hash_add_key_data(map, &key, (void *)i); + ret = rte_hash_add_key_data(ipsec_ctx->cdev_map, &key, (void *)i); if (ret < 0) { printf("Faled to insert cdev mapping for (lcore %u, " "cdev %u, qp %u), errno %d\n", @@ -1517,20 +1513,19 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id, { int32_t ret = 0; const struct rte_cryptodev_capabilities *i, *j; - struct rte_hash *map; struct lcore_conf *qconf; struct ipsec_ctx *ipsec_ctx; const char *str; qconf = &lcore_conf[params->lcore_id]; - if ((unprotected_port_mask & (1 << params->port_id)) == 0) { - map = cdev_map_out; + if (!is_unprotected_port(params->port_id)) { ipsec_ctx = &qconf->outbound; + ipsec_ctx->cdev_map = cdev_map_out; str = "Outbound"; } else { - map = cdev_map_in; ipsec_ctx = &qconf->inbound; + ipsec_ctx->cdev_map = cdev_map_in; str = "Inbound"; } @@ -1545,7 +1540,7 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id, continue; if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_AEAD) { - ret |= add_mapping(map, str, cdev_id, qp, params, + ret |= add_mapping(str, cdev_id, qp, params, ipsec_ctx, NULL, NULL, i); continue; } @@ -1561,7 +1556,7 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id, if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH) continue; - ret |= add_mapping(map, str, cdev_id, qp, params, + ret |= add_mapping(str, cdev_id, qp, params, ipsec_ctx, i, j, NULL); } } @@ -3074,7 +3069,7 @@ main(int32_t argc, char **argv) if ((socket_ctx[socket_id].mbuf_pool != NULL) && (socket_ctx[socket_id].sa_in == NULL) && (socket_ctx[socket_id].sa_out == NULL)) { - sa_init(&socket_ctx[socket_id], socket_id); + sa_init(&socket_ctx[socket_id], socket_id, lcore_conf); sp4_init(&socket_ctx[socket_id], socket_id); sp6_init(&socket_ctx[socket_id], socket_id); rt_init(&socket_ctx[socket_id], socket_id); diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 3027fbc45f..7b7bfff696 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -55,37 +55,71 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) } int -create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, - struct rte_ipsec_session *ips) +create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], + struct socket_ctx *skt_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips) { + uint16_t cdev_id = RTE_CRYPTO_MAX_DEVS; struct rte_cryptodev_info cdev_info; unsigned long cdev_id_qp = 0; - int32_t ret = 0; struct cdev_key key = { 0 }; + struct ipsec_ctx *ipsec_ctx; + uint32_t lcore_id; + int32_t ret = 0; - key.lcore_id = (uint8_t)rte_lcore_id(); + RTE_LCORE_FOREACH(lcore_id) { + ipsec_ctx = ipsec_ctx_lcore[lcore_id]; - key.cipher_algo = (uint8_t)sa->cipher_algo; - key.auth_algo = (uint8_t)sa->auth_algo; - key.aead_algo = (uint8_t)sa->aead_algo; + /* Core is not bound to any cryptodev, skip it */ + if (ipsec_ctx->cdev_map == NULL) + continue; - ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, - (void **)&cdev_id_qp); - if (ret < 0) { - RTE_LOG(ERR, IPSEC, - "No cryptodev: core %u, cipher_algo %u, " - "auth_algo %u, aead_algo %u\n", - key.lcore_id, - key.cipher_algo, - key.auth_algo, - key.aead_algo); - return -1; + /* Looking for cryptodev, which can handle this SA */ + key.lcore_id = (uint8_t)lcore_id; + key.cipher_algo = (uint8_t)sa->cipher_algo; + key.auth_algo = (uint8_t)sa->auth_algo; + key.aead_algo = (uint8_t)sa->aead_algo; + + ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, + (void **)&cdev_id_qp); + if (ret == -ENOENT) + continue; + if (ret < 0) { + RTE_LOG(ERR, IPSEC, + "No cryptodev: core %u, cipher_algo %u, " + "auth_algo %u, aead_algo %u\n", + key.lcore_id, + key.cipher_algo, + key.auth_algo, + key.aead_algo); + return ret; + } + + /* Verify that all cores are using same cryptodev for current + * algorithm combination, required by SA. + * Current cryptodev mapping process will map SA to the first + * cryptodev that matches requirements, so it's a double check, + * not an additional restriction. + */ + if (cdev_id == RTE_CRYPTO_MAX_DEVS) + cdev_id = ipsec_ctx->tbl[cdev_id_qp].id; + else if (cdev_id != ipsec_ctx->tbl[cdev_id_qp].id) { + RTE_LOG(ERR, IPSEC, + "SA mapping to multiple cryptodevs is " + "not supported!"); + return -EINVAL; + } + + /* Store per core queue pair information */ + sa->cqp[lcore_id] = &ipsec_ctx->tbl[cdev_id_qp]; + } + if (cdev_id == RTE_CRYPTO_MAX_DEVS) { + RTE_LOG(WARNING, IPSEC, "No cores found to handle SA\n"); + return 0; } - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev " - "%u qp %u\n", sa->spi, - ipsec_ctx->tbl[cdev_id_qp].id, - ipsec_ctx->tbl[cdev_id_qp].qp); + RTE_LOG(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev " + "%u\n", sa->spi, cdev_id); if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE && ips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { @@ -111,14 +145,14 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { struct rte_security_ctx *ctx = (struct rte_security_ctx *) rte_cryptodev_get_sec_ctx( - ipsec_ctx->tbl[cdev_id_qp].id); + cdev_id); /* Set IPsec parameters in conf */ set_ipsec_conf(sa, &(sess_conf.ipsec)); ips->security.ses = rte_security_session_create(ctx, - &sess_conf, ipsec_ctx->session_pool, - ipsec_ctx->session_priv_pool); + &sess_conf, skt_ctx->session_pool, + skt_ctx->session_priv_pool); if (ips->security.ses == NULL) { RTE_LOG(ERR, IPSEC, "SEC Session init failed: err: %d\n", ret); @@ -130,8 +164,6 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, return -1; } } else { - uint16_t cdev_id = ipsec_ctx->tbl[cdev_id_qp].id; - if (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { struct rte_cryptodev_info info; @@ -143,16 +175,14 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, } ips->crypto.dev_id = cdev_id; ips->crypto.ses = rte_cryptodev_sym_session_create( - ipsec_ctx->session_pool); + skt_ctx->session_pool); rte_cryptodev_sym_session_init(cdev_id, ips->crypto.ses, sa->xforms, - ipsec_ctx->session_priv_pool); + skt_ctx->session_priv_pool); rte_cryptodev_info_get(cdev_id, &cdev_info); } - sa->cdev_id_qp = cdev_id_qp; - return 0; } @@ -621,8 +651,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, rte_prefetch0(&priv->sym_cop); - if ((unlikely(ips->security.ses == NULL)) && - create_lookaside_session(ipsec_ctx, sa, ips)) { + if (unlikely(ips->security.ses == NULL)) { free_pkts(&pkts[i], 1); continue; } @@ -656,8 +685,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, rte_prefetch0(&priv->sym_cop); - if ((unlikely(ips->crypto.ses == NULL)) && - create_lookaside_session(ipsec_ctx, sa, ips)) { + if (unlikely(ips->crypto.ses == NULL)) { free_pkts(&pkts[i], 1); continue; } @@ -704,8 +732,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, continue; } - RTE_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps); - enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop); + enqueue_cop(sa->cqp[ipsec_ctx->lcore_id], &priv->cop); } } diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index ecad262fcd..2005ae8fec 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -112,7 +112,7 @@ ipsec_mask_saptr(void *ptr) struct ipsec_sa { struct rte_ipsec_session sessions[IPSEC_SESSION_MAX]; uint32_t spi; - uint32_t cdev_id_qp; + struct cdev_qp *cqp[RTE_MAX_LCORE]; uint64_t seq; uint32_t salt; uint32_t fallback_sessions; @@ -230,12 +230,11 @@ struct ipsec_ctx { uint16_t nb_qps; uint16_t last_qp; struct cdev_qp tbl[MAX_QP_PER_LCORE]; - struct rte_mempool *session_pool; - struct rte_mempool *session_priv_pool; struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *)); uint16_t ol_pkts_cnt; uint64_t ipv4_offloads; uint64_t ipv6_offloads; + uint32_t lcore_id; }; struct cdev_key { @@ -424,7 +423,8 @@ int sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound); void -sa_init(struct socket_ctx *ctx, int32_t socket_id); +sa_init(struct socket_ctx *ctx, int32_t socket_id, + struct lcore_conf *lcore_conf); void rt_init(struct socket_ctx *ctx, int32_t socket_id); @@ -440,8 +440,9 @@ void enqueue_cop_burst(struct cdev_qp *cqp); int -create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, - struct rte_ipsec_session *ips); +create_lookaside_session(struct ipsec_ctx *ipsec_ctx[], + struct socket_ctx *skt_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips); int create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c index 089d89f904..b0cece3ad1 100644 --- a/examples/ipsec-secgw/ipsec_process.c +++ b/examples/ipsec-secgw/ipsec_process.c @@ -73,32 +73,18 @@ enqueue_cop_bulk(struct cdev_qp *cqp, struct rte_crypto_op *cop[], uint32_t num) } static inline int -fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx, - struct ipsec_sa *sa) +check_ipsec_session(const struct rte_ipsec_session *ss) { - int32_t rc; - - /* setup crypto section */ if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE || ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { - RTE_ASSERT(ss->crypto.ses == NULL); - rc = create_lookaside_session(ctx, sa, ss); - if (rc != 0) - return rc; - /* setup session action type */ + if (ss->crypto.ses == NULL) + return -ENOENT; } else if (ss->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { - RTE_ASSERT(ss->security.ses == NULL); - rc = create_lookaside_session(ctx, sa, ss); - if (rc != 0) - return rc; + if (ss->security.ses == NULL) + return -ENOENT; } else RTE_ASSERT(0); - - rc = rte_ipsec_session_prepare(ss); - if (rc != 0) - memset(ss, 0, sizeof(*ss)); - - return rc; + return 0; } /* @@ -183,7 +169,7 @@ ipsec_prepare_crypto_group(struct ipsec_ctx *ctx, struct ipsec_sa *sa, uint32_t j, k; struct ipsec_mbuf_metadata *priv; - cqp = &ctx->tbl[sa->cdev_id_qp]; + cqp = sa->cqp[ctx->lcore_id]; /* for that app each mbuf has it's own crypto op */ for (j = 0; j != cnt; j++) { @@ -274,9 +260,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) ipsec_get_fallback_session(sa) : ipsec_get_primary_session(sa); - /* no valid HW session for that SA, try to create one */ - if (sa == NULL || (ips->crypto.ses == NULL && - fill_ipsec_session(ips, ctx, sa) != 0)) + /* no valid HW session for that SA */ + if (sa == NULL || unlikely(check_ipsec_session(ips) != 0)) k = 0; /* process packets inline */ diff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c index 2b96951259..6d9c1cbb37 100644 --- a/examples/ipsec-secgw/ipsec_worker.c +++ b/examples/ipsec-secgw/ipsec_worker.c @@ -892,15 +892,11 @@ ipsec_wrkr_non_burst_int_port_app_mode(struct eh_event_link_info *links, lconf.inbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_in; lconf.inbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_in; lconf.inbound.sa_ctx = socket_ctx[socket_id].sa_in; - lconf.inbound.session_pool = socket_ctx[socket_id].session_pool; - lconf.inbound.session_priv_pool = - socket_ctx[socket_id].session_priv_pool; + lconf.inbound.lcore_id = lcore_id; lconf.outbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_out; lconf.outbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_out; lconf.outbound.sa_ctx = socket_ctx[socket_id].sa_out; - lconf.outbound.session_pool = socket_ctx[socket_id].session_pool; - lconf.outbound.session_priv_pool = - socket_ctx[socket_id].session_priv_pool; + lconf.outbound.lcore_id = lcore_id; RTE_LOG(INFO, IPSEC, "Launching event mode worker (non-burst - Tx internal port - " diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index f7ecd33d94..4fe24eeba8 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1227,7 +1227,8 @@ sa_add_address_inline_crypto(struct ipsec_sa *sa) static int sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], uint32_t nb_entries, uint32_t inbound, - struct socket_ctx *skt_ctx) + struct socket_ctx *skt_ctx, + struct ipsec_ctx *ips_ctx[]) { struct ipsec_sa *sa; uint32_t i, idx; @@ -1398,6 +1399,13 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], "create_inline_session() failed\n"); return -EINVAL; } + } else { + rc = create_lookaside_session(ips_ctx, skt_ctx, sa, ips); + if (rc != 0) { + RTE_LOG(ERR, IPSEC_ESP, + "create_lookaside_session() failed\n"); + return -EINVAL; + } } if (sa->fdir_flag && inbound) { @@ -1414,16 +1422,18 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], static inline int sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], - uint32_t nb_entries, struct socket_ctx *skt_ctx) + uint32_t nb_entries, struct socket_ctx *skt_ctx, + struct ipsec_ctx *ips_ctx[]) { - return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx); + return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx, ips_ctx); } static inline int sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], - uint32_t nb_entries, struct socket_ctx *skt_ctx) + uint32_t nb_entries, struct socket_ctx *skt_ctx, + struct ipsec_ctx *ips_ctx[]) { - return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx); + return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx, ips_ctx); } /* @@ -1497,14 +1507,9 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa) ss->sa = sa; - if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { - if (ss->security.ses != NULL) { - rc = rte_ipsec_session_prepare(ss); - if (rc != 0) - memset(ss, 0, sizeof(*ss)); - } - } + rc = rte_ipsec_session_prepare(ss); + if (rc != 0) + memset(ss, 0, sizeof(*ss)); return rc; } @@ -1643,10 +1648,13 @@ sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound) } void -sa_init(struct socket_ctx *ctx, int32_t socket_id) +sa_init(struct socket_ctx *ctx, int32_t socket_id, + struct lcore_conf *lcore_conf) { int32_t rc; const char *name; + uint32_t lcore_id; + struct ipsec_ctx *ipsec_ctx[RTE_MAX_LCORE]; if (ctx == NULL) rte_exit(EXIT_FAILURE, "NULL context.\n"); @@ -1671,8 +1679,9 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) &sa_in_cnt); if (rc != 0) rte_exit(EXIT_FAILURE, "failed to init SAD\n"); - - sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx); + RTE_LCORE_FOREACH(lcore_id) + ipsec_ctx[lcore_id] = &lcore_conf[lcore_id].inbound; + sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx, ipsec_ctx); if (app_sa_prm.enable != 0) { rc = ipsec_satbl_init(ctx->sa_in, nb_sa_in, @@ -1692,7 +1701,9 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) "context %s in socket %d\n", rte_errno, name, socket_id); - sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx); + RTE_LCORE_FOREACH(lcore_id) + ipsec_ctx[lcore_id] = &lcore_conf[lcore_id].outbound; + sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx, ipsec_ctx); if (app_sa_prm.enable != 0) { rc = ipsec_satbl_init(ctx->sa_out, nb_sa_out,