[v4,08/10] ipsec: helper functions to group completed crypto-ops
Checks
Commit Message
Introduce helper functions to process completed crypto-ops
and group related packets by sessions they belong to.
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
---
lib/librte_ipsec/Makefile | 1 +
lib/librte_ipsec/meson.build | 2 +-
lib/librte_ipsec/rte_ipsec.h | 2 +
lib/librte_ipsec/rte_ipsec_group.h | 151 +++++++++++++++++++++++++
lib/librte_ipsec/rte_ipsec_version.map | 2 +
5 files changed, 157 insertions(+), 1 deletion(-)
create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
Comments
On 12/14/2018 9:53 PM, Konstantin Ananyev wrote:
> Introduce helper functions to process completed crypto-ops
> and group related packets by sessions they belong to.
>
> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> Acked-by: Declan Doherty <declan.doherty@intel.com>
> ---
> lib/librte_ipsec/Makefile | 1 +
> lib/librte_ipsec/meson.build | 2 +-
> lib/librte_ipsec/rte_ipsec.h | 2 +
> lib/librte_ipsec/rte_ipsec_group.h | 151 +++++++++++++++++++++++++
> lib/librte_ipsec/rte_ipsec_version.map | 2 +
> 5 files changed, 157 insertions(+), 1 deletion(-)
> create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
>
> diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
> index 79f187fae..98c52f388 100644
> --- a/lib/librte_ipsec/Makefile
> +++ b/lib/librte_ipsec/Makefile
> @@ -21,6 +21,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += ses.c
>
> # install header files
> SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec.h
> +SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_group.h
> SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sa.h
>
> include $(RTE_SDK)/mk/rte.lib.mk
> diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
> index 6e8c6fabe..d2427b809 100644
> --- a/lib/librte_ipsec/meson.build
> +++ b/lib/librte_ipsec/meson.build
> @@ -5,6 +5,6 @@ allow_experimental_apis = true
>
> sources=files('sa.c', 'ses.c')
>
> -install_headers = files('rte_ipsec.h', 'rte_ipsec_sa.h')
> +install_headers = files('rte_ipsec.h', 'rte_ipsec_group.h', 'rte_ipsec_sa.h')
>
> deps += ['mbuf', 'net', 'cryptodev', 'security']
> diff --git a/lib/librte_ipsec/rte_ipsec.h b/lib/librte_ipsec/rte_ipsec.h
> index cbcd861b5..cd2e3b26c 100644
> --- a/lib/librte_ipsec/rte_ipsec.h
> +++ b/lib/librte_ipsec/rte_ipsec.h
> @@ -144,6 +144,8 @@ rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
> return ss->pkt_func.process(ss, mb, num);
> }
>
> +#include <rte_ipsec_group.h>
> +
> #ifdef __cplusplus
> }
> #endif
> diff --git a/lib/librte_ipsec/rte_ipsec_group.h b/lib/librte_ipsec/rte_ipsec_group.h
> new file mode 100644
> index 000000000..d264d7e78
> --- /dev/null
> +++ b/lib/librte_ipsec/rte_ipsec_group.h
> @@ -0,0 +1,151 @@
> +/* SPDX-License-Identifier: BSD-3-Clause
> + * Copyright(c) 2018 Intel Corporation
> + */
> +
> +#ifndef _RTE_IPSEC_GROUP_H_
> +#define _RTE_IPSEC_GROUP_H_
> +
> +/**
> + * @file rte_ipsec_group.h
> + * @b EXPERIMENTAL: this API may change without prior notice
> + *
> + * RTE IPsec support.
> + * It is not recomended to include this file direclty,
spell check
> + * include <rte_ipsec.h> instead.
> + * Contains helper functions to process completed crypto-ops
> + * and group related packets by sessions they belong to.
> + */
> +
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +/**
> + * Used to group mbufs by some id.
> + * See below for particular usage.
> + */
> +struct rte_ipsec_group {
> + union {
> + uint64_t val;
> + void *ptr;
> + } id; /**< grouped by value */
> + struct rte_mbuf **m; /**< start of the group */
> + uint32_t cnt; /**< number of entries in the group */
> + int32_t rc; /**< status code associated with the group */
> +};
> +
> +/**
> + * Take crypto-op as an input and extract pointer to related ipsec session.
> + * @param cop
> + * The address of an input *rte_crypto_op* structure.
> + * @return
> + * The pointer to the related *rte_ipsec_session* structure.
> + */
> +static inline __rte_experimental struct rte_ipsec_session *
> +rte_ipsec_ses_from_crypto(const struct rte_crypto_op *cop)
__rte_experimental placement not correct
> +{
> + const struct rte_security_session *ss;
> + const struct rte_cryptodev_sym_session *cs;
> +
> + if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
> + ss = cop->sym[0].sec_session;
> + return (void *)(uintptr_t)ss->opaque_data;
> + } else if (cop->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
> + cs = cop->sym[0].session;
> + return (void *)(uintptr_t)cs->opaque_data;
> + }
> + return NULL;
> +}
> +
> +/**
> + * Take as input completed crypto ops, extract related mbufs
> + * and group them by rte_ipsec_session they belong to.
> + * For mbuf which crypto-op wasn't completed successfully
> + * PKT_RX_SEC_OFFLOAD_FAILED will be raised in ol_flags.
> + * Note that mbufs with undetermined SA (session-less) are not freed
> + * by the function, but are placed beyond mbufs for the last valid group.
> + * It is a user responsibility to handle them further.
> + * @param cop
> + * The address of an array of *num* pointers to the input *rte_crypto_op*
> + * structures.
> + * @param mb
> + * The address of an array of *num* pointers to output *rte_mbuf* structures.
> + * @param grp
> + * The address of an array of *num* to output *rte_ipsec_group* structures.
> + * @param num
> + * The maximum number of crypto-ops to process.
> + * @return
> + * Number of filled elements in *grp* array.
> + */
> +static inline uint16_t __rte_experimental
> +rte_ipsec_pkt_crypto_group(const struct rte_crypto_op *cop[],
> + struct rte_mbuf *mb[], struct rte_ipsec_group grp[], uint16_t num)
> +{
> + uint32_t i, j, k, n;
> + void *ns, *ps;
> + struct rte_mbuf *m, *dr[num];
> +
> + j = 0;
> + k = 0;
> + n = 0;
> + ps = NULL;
> +
> + for (i = 0; i != num; i++) {
> +
> + m = cop[i]->sym[0].m_src;
> + ns = cop[i]->sym[0].session;
> +
> + m->ol_flags |= PKT_RX_SEC_OFFLOAD;
> + if (cop[i]->status != RTE_CRYPTO_OP_STATUS_SUCCESS)
> + m->ol_flags |= PKT_RX_SEC_OFFLOAD_FAILED;
> +
> + /* no valid session found */
> + if (ns == NULL) {
> + dr[k++] = m;
> + continue;
> + }
> +
> + /* different SA */
> + if (ps != ns) {
> +
> + /*
> + * we already have an open group - finilise it,
finalise
> + * then open a new one.
> + */
> + if (ps != NULL) {
> + grp[n].id.ptr =
> + rte_ipsec_ses_from_crypto(cop[i - 1]);
> + grp[n].cnt = mb + j - grp[n].m;
> + n++;
> + }
> +
> + /* start new group */
> + grp[n].m = mb + j;
> + ps = ns;
> + }
> +
> + mb[j++] = m;
> + }
> +
> + /* finalise last group */
> + if (ps != NULL) {
> + grp[n].id.ptr = rte_ipsec_ses_from_crypto(cop[i - 1]);
> + grp[n].cnt = mb + j - grp[n].m;
> + n++;
> + }
> +
> + /* copy mbufs with unknown session beyond recognised ones */
> + if (k != 0 && k != num) {
> + for (i = 0; i != k; i++)
> + mb[j + i] = dr[i];
> + }
> +
> + return n;
> +}
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif /* _RTE_IPSEC_GROUP_H_ */
> diff --git a/lib/librte_ipsec/rte_ipsec_version.map b/lib/librte_ipsec/rte_ipsec_version.map
> index d1c52d7ca..0f91fb134 100644
> --- a/lib/librte_ipsec/rte_ipsec_version.map
> +++ b/lib/librte_ipsec/rte_ipsec_version.map
> @@ -1,6 +1,7 @@
> EXPERIMENTAL {
> global:
>
> + rte_ipsec_pkt_crypto_group;
> rte_ipsec_pkt_crypto_prepare;
> rte_ipsec_session_prepare;
> rte_ipsec_pkt_process;
> @@ -8,6 +9,7 @@ EXPERIMENTAL {
> rte_ipsec_sa_init;
> rte_ipsec_sa_size;
> rte_ipsec_sa_type;
> + rte_ipsec_ses_from_crypto;
>
> local: *;
> };
> > +
> > +/**
> > + * Take crypto-op as an input and extract pointer to related ipsec session.
> > + * @param cop
> > + * The address of an input *rte_crypto_op* structure.
> > + * @return
> > + * The pointer to the related *rte_ipsec_session* structure.
> > + */
> > +static inline __rte_experimental struct rte_ipsec_session *
> > +rte_ipsec_ses_from_crypto(const struct rte_crypto_op *cop)
> __rte_experimental placement not correct
You mean why not:
static inline struct rte_ipsec_session * __rte_experimental
?
Then checkpatch will complain about the space after '*'.
BTW why do you think current definition is wrong?
> > +{
> > + const struct rte_security_session *ss;
> > + const struct rte_cryptodev_sym_session *cs;
> > +
> > + if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
> > + ss = cop->sym[0].sec_session;
> > + return (void *)(uintptr_t)ss->opaque_data;
> > + } else if (cop->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
> > + cs = cop->sym[0].session;
> > + return (void *)(uintptr_t)cs->opaque_data;
> > + }
> > + return NULL;
> > +}
> > +
On 12/20/2018 6:30 PM, Ananyev, Konstantin wrote:
>
>>> +
>>> +/**
>>> + * Take crypto-op as an input and extract pointer to related ipsec session.
>>> + * @param cop
>>> + * The address of an input *rte_crypto_op* structure.
>>> + * @return
>>> + * The pointer to the related *rte_ipsec_session* structure.
>>> + */
>>> +static inline __rte_experimental struct rte_ipsec_session *
>>> +rte_ipsec_ses_from_crypto(const struct rte_crypto_op *cop)
>> __rte_experimental placement not correct
> You mean why not:
> static inline struct rte_ipsec_session * __rte_experimental
> ?
yes
> Then checkpatch will complain about the space after '*'.
ok
> BTW why do you think current definition is wrong?
this is how it is being used in the rest of the code.
>
>>> +{
>>> + const struct rte_security_session *ss;
>>> + const struct rte_cryptodev_sym_session *cs;
>>> +
>>> + if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
>>> + ss = cop->sym[0].sec_session;
>>> + return (void *)(uintptr_t)ss->opaque_data;
>>> + } else if (cop->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
>>> + cs = cop->sym[0].session;
>>> + return (void *)(uintptr_t)cs->opaque_data;
>>> + }
>>> + return NULL;
>>> +}
>>> +
@@ -21,6 +21,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += ses.c
# install header files
SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec.h
+SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_group.h
SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sa.h
include $(RTE_SDK)/mk/rte.lib.mk
@@ -5,6 +5,6 @@ allow_experimental_apis = true
sources=files('sa.c', 'ses.c')
-install_headers = files('rte_ipsec.h', 'rte_ipsec_sa.h')
+install_headers = files('rte_ipsec.h', 'rte_ipsec_group.h', 'rte_ipsec_sa.h')
deps += ['mbuf', 'net', 'cryptodev', 'security']
@@ -144,6 +144,8 @@ rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
return ss->pkt_func.process(ss, mb, num);
}
+#include <rte_ipsec_group.h>
+
#ifdef __cplusplus
}
#endif
new file mode 100644
@@ -0,0 +1,151 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#ifndef _RTE_IPSEC_GROUP_H_
+#define _RTE_IPSEC_GROUP_H_
+
+/**
+ * @file rte_ipsec_group.h
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * RTE IPsec support.
+ * It is not recomended to include this file direclty,
+ * include <rte_ipsec.h> instead.
+ * Contains helper functions to process completed crypto-ops
+ * and group related packets by sessions they belong to.
+ */
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Used to group mbufs by some id.
+ * See below for particular usage.
+ */
+struct rte_ipsec_group {
+ union {
+ uint64_t val;
+ void *ptr;
+ } id; /**< grouped by value */
+ struct rte_mbuf **m; /**< start of the group */
+ uint32_t cnt; /**< number of entries in the group */
+ int32_t rc; /**< status code associated with the group */
+};
+
+/**
+ * Take crypto-op as an input and extract pointer to related ipsec session.
+ * @param cop
+ * The address of an input *rte_crypto_op* structure.
+ * @return
+ * The pointer to the related *rte_ipsec_session* structure.
+ */
+static inline __rte_experimental struct rte_ipsec_session *
+rte_ipsec_ses_from_crypto(const struct rte_crypto_op *cop)
+{
+ const struct rte_security_session *ss;
+ const struct rte_cryptodev_sym_session *cs;
+
+ if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+ ss = cop->sym[0].sec_session;
+ return (void *)(uintptr_t)ss->opaque_data;
+ } else if (cop->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
+ cs = cop->sym[0].session;
+ return (void *)(uintptr_t)cs->opaque_data;
+ }
+ return NULL;
+}
+
+/**
+ * Take as input completed crypto ops, extract related mbufs
+ * and group them by rte_ipsec_session they belong to.
+ * For mbuf which crypto-op wasn't completed successfully
+ * PKT_RX_SEC_OFFLOAD_FAILED will be raised in ol_flags.
+ * Note that mbufs with undetermined SA (session-less) are not freed
+ * by the function, but are placed beyond mbufs for the last valid group.
+ * It is a user responsibility to handle them further.
+ * @param cop
+ * The address of an array of *num* pointers to the input *rte_crypto_op*
+ * structures.
+ * @param mb
+ * The address of an array of *num* pointers to output *rte_mbuf* structures.
+ * @param grp
+ * The address of an array of *num* to output *rte_ipsec_group* structures.
+ * @param num
+ * The maximum number of crypto-ops to process.
+ * @return
+ * Number of filled elements in *grp* array.
+ */
+static inline uint16_t __rte_experimental
+rte_ipsec_pkt_crypto_group(const struct rte_crypto_op *cop[],
+ struct rte_mbuf *mb[], struct rte_ipsec_group grp[], uint16_t num)
+{
+ uint32_t i, j, k, n;
+ void *ns, *ps;
+ struct rte_mbuf *m, *dr[num];
+
+ j = 0;
+ k = 0;
+ n = 0;
+ ps = NULL;
+
+ for (i = 0; i != num; i++) {
+
+ m = cop[i]->sym[0].m_src;
+ ns = cop[i]->sym[0].session;
+
+ m->ol_flags |= PKT_RX_SEC_OFFLOAD;
+ if (cop[i]->status != RTE_CRYPTO_OP_STATUS_SUCCESS)
+ m->ol_flags |= PKT_RX_SEC_OFFLOAD_FAILED;
+
+ /* no valid session found */
+ if (ns == NULL) {
+ dr[k++] = m;
+ continue;
+ }
+
+ /* different SA */
+ if (ps != ns) {
+
+ /*
+ * we already have an open group - finilise it,
+ * then open a new one.
+ */
+ if (ps != NULL) {
+ grp[n].id.ptr =
+ rte_ipsec_ses_from_crypto(cop[i - 1]);
+ grp[n].cnt = mb + j - grp[n].m;
+ n++;
+ }
+
+ /* start new group */
+ grp[n].m = mb + j;
+ ps = ns;
+ }
+
+ mb[j++] = m;
+ }
+
+ /* finalise last group */
+ if (ps != NULL) {
+ grp[n].id.ptr = rte_ipsec_ses_from_crypto(cop[i - 1]);
+ grp[n].cnt = mb + j - grp[n].m;
+ n++;
+ }
+
+ /* copy mbufs with unknown session beyond recognised ones */
+ if (k != 0 && k != num) {
+ for (i = 0; i != k; i++)
+ mb[j + i] = dr[i];
+ }
+
+ return n;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _RTE_IPSEC_GROUP_H_ */
@@ -1,6 +1,7 @@
EXPERIMENTAL {
global:
+ rte_ipsec_pkt_crypto_group;
rte_ipsec_pkt_crypto_prepare;
rte_ipsec_session_prepare;
rte_ipsec_pkt_process;
@@ -8,6 +9,7 @@ EXPERIMENTAL {
rte_ipsec_sa_init;
rte_ipsec_sa_size;
rte_ipsec_sa_type;
+ rte_ipsec_ses_from_crypto;
local: *;
};