Message ID | 1551888011-27692-3-git-send-email-bernard.iremonger@intel.com (mailing list archive) |
---|---|
State | Superseded, archived |
Delegated to: | akhil goyal |
Series | examples/ipsec-secgw: fix 1st pkt dropped | expand |
Context | Check | Description |
---|---|---|
ci/Intel-compilation | success | Compilation OK |
Hi Bernard, > > Call create_inline_session() at initialisition in sa.c > Call rte_ipsec_session_prepare() in fill_ipsec_session() for inline. Here and in other places - it probably worth to explain what is the purpose for these changes. As a side notice, as these series fixes that problem, it probably worse to add a patch into series that removes the following: # to overcome problem with ipsec-secgw for inline mode, # when first packet(s) will be always dropped. # note that ping will fail here ssh ${REMOTE_HOST} ping -c 1 ${LOCAL_IPV4} from examples/ipsec-secgw/test/(tun|trs)_aesgcm_defs.sh Konstantin > > Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") > Cc: stable@dpdk.org > Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> > --- > examples/ipsec-secgw/sa.c | 46 ++++++++++++++++++++++++++++++++++++---------- > 1 file changed, 36 insertions(+), 10 deletions(-) > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index 414fcd2..7fb1929 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -762,11 +762,13 @@ check_eth_dev_caps(uint16_t portid, uint32_t inbound) > > static int > sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries, uint32_t inbound) > + uint32_t nb_entries, uint32_t inbound, > + struct socket_ctx *skt_ctx) > { > struct ipsec_sa *sa; > uint32_t i, idx; > uint16_t iv_length, aad_length; > + int32_t rc; > > /* for ESN upper 32 bits of SQN also need to be part of AAD */ > aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0; 
> @@ -819,6 +821,17 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > > sa->xforms = &sa_ctx->xf[idx].a; > > + if (sa->type == > + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || > + sa->type == > + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > + rc = create_inline_session(skt_ctx, sa); > + if (rc != 0) { > + RTE_LOG(ERR, IPSEC_ESP, > + "create_inline_session() failed\n"); > + return -EINVAL; > + } > + } > print_one_sa_rule(sa, inbound); > } else { > switch (sa->cipher_algo) { > @@ -894,16 +907,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > > static inline int > sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries) > + uint32_t nb_entries, struct socket_ctx *skt_ctx) > { > - return sa_add_rules(sa_ctx, entries, nb_entries, 0); > + return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx); > } > > static inline int > sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries) > + uint32_t nb_entries, struct socket_ctx *skt_ctx) > { > - return sa_add_rules(sa_ctx, entries, nb_entries, 1); > + return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx); > } > > /* > @@ -997,10 +1010,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss, > return 0; > } > > -static void > +static int > fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa, > const struct ipsec_sa *lsa) > { > + int32_t rc = 0; > + > ss->sa = sa; > ss->type = lsa->type; 
> > @@ -1013,6 +1028,17 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa, > ss->security.ctx = lsa->security_ctx; > ss->security.ol_flags = lsa->ol_flags; > } > + > + if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || > + ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { > + if (ss->security.ses != NULL) { > + rc = rte_ipsec_session_prepare(ss); > + if (rc != 0) > + memset(ss, 0, sizeof(*ss)); > + } > + } > + > + return rc; > } > > /* > @@ -1047,8 +1073,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size) > if (rc < 0) > return rc; > > - fill_ipsec_session(&lsa->ips, sa, lsa); > - return 0; > + rc = fill_ipsec_session(&lsa->ips, sa, lsa); > + return rc; > } > > /* > @@ -1126,7 +1152,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) > "context %s in socket %d\n", rte_errno, > name, socket_id); > > - sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in); > + sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx); > > if (app_sa_prm.enable != 0) { > rc = ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in, > @@ -1146,7 +1172,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) > "context %s in socket %d\n", rte_errno, > name, socket_id); > > - sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out); > + sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx); > > if (app_sa_prm.enable != 0) { > rc = ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out, > -- > 2.7.4
Hi Konstantin, <snip> > Subject: RE: [PATCH 2/6] examples/ipsec-secgw: fix 1st packet dropped patch > two > > > Hi Bernard, > > > > > Call create_inline_session() at initialisition in sa.c Call > > rte_ipsec_session_prepare() in fill_ipsec_session() for inline. > > Here and in other places - it probably worth to explain what is the purpose for > these changes. I will improve explanation. > As a side notice, as these series fixes that problem, it probably worse to add a > patch into series that removes the following: > > # to overcome problem with ipsec-secgw for inline mode, > # when first packet(s) will be always dropped. > # note that ping will fail here > ssh ${REMOTE_HOST} ping -c 1 ${LOCAL_IPV4} > > from examples/ipsec-secgw/test/(tun|trs)_aesgcm_defs.sh > Konstantin I will add a patch to fix the test scripts. <snip> Regards, Bernard.
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 414fcd2..7fb1929 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -762,11 +762,13 @@ check_eth_dev_caps(uint16_t portid, uint32_t inbound)
 
 static int
 sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
- uint32_t nb_entries, uint32_t inbound)
+ uint32_t nb_entries, uint32_t inbound,
+ struct socket_ctx *skt_ctx)
 {
 struct ipsec_sa *sa;
 uint32_t i, idx;
 uint16_t iv_length, aad_length;
+ int32_t rc;
 
 /* for ESN upper 32 bits of SQN also need to be part of AAD */
 aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0;
@@ -819,6 +821,17 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 
 sa->xforms = &sa_ctx->xf[idx].a;
 
+ if (sa->type ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
+ sa->type ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ rc = create_inline_session(skt_ctx, sa);
+ if (rc != 0) {
+ RTE_LOG(ERR, IPSEC_ESP,
+ "create_inline_session() failed\n");
+ return -EINVAL;
+ }
+ }
 print_one_sa_rule(sa, inbound);
 } else {
 switch (sa->cipher_algo) {
@@ -894,16 +907,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 
 static inline int
 sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
- uint32_t nb_entries)
+ uint32_t nb_entries, struct socket_ctx *skt_ctx)
 {
- return sa_add_rules(sa_ctx, entries, nb_entries, 0);
+ return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx);
 }
 
 static inline int
 sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
- uint32_t nb_entries)
+ uint32_t nb_entries, struct socket_ctx *skt_ctx)
 {
- return sa_add_rules(sa_ctx, entries, nb_entries, 1);
+ return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx);
 }
 
 /*
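Review bot: In the hunk at -819 the new create_inline_session() call is added only to the branch that closes at `} else {` before `switch (sa->cipher_algo)`, so as far as this diff shows an SA that takes the other branch with an INLINE_CRYPTO or INLINE_PROTOCOL action type still gets no session at initialisation and would presumably keep the first-packet behaviour the series is fixing. Consider moving the type check below the if/else so it runs for every entry. The failure path also replaces the callee's result with a fixed code; `return rc;` plus printing `rc` in the log message would keep the real cause visible. sa_add_rules() begins and ends outside this hunk.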
@@ -997,10 +1010,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,
 return 0;
 }
 
-static void
+static int
 fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,
 const struct ipsec_sa *lsa)
 {
+ int32_t rc = 0;
+
 ss->sa = sa;
 ss->type = lsa->type;
 
@@ -1013,6 +1028,17 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,
 ss->security.ctx = lsa->security_ctx;
 ss->security.ol_flags = lsa->ol_flags;
 }
+
+ if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
+ if (ss->security.ses != NULL) {
+ rc = rte_ipsec_session_prepare(ss);
+ if (rc != 0)
+ memset(ss, 0, sizeof(*ss));
+ }
+ }
+
+ return rc;
 }
 
 /*
@@ -1047,8 +1073,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size)
 if (rc < 0)
 return rc;
 
- fill_ipsec_session(&lsa->ips, sa, lsa);
- return 0;
+ rc = fill_ipsec_session(&lsa->ips, sa, lsa);
+ return rc;
 }
 
 /*
@@ -1126,7 +1152,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
 "context %s in socket %d\n", rte_errno,
 name, socket_id);
 
- sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in);
+ sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx);
 
 if (app_sa_prm.enable != 0) {
 rc = ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in,
@@ -1146,7 +1172,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
 "context %s in socket %d\n", rte_errno,
 name, socket_id);
 
- sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out);
+ sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx);
 
 if (app_sa_prm.enable != 0) {
 rc = ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out,
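Review bot: In the hunk at -1013, fill_ipsec_session() returns 0 without calling rte_ipsec_session_prepare() when the type is inline but `ss->security.ses` is NULL, so ipsec_sa_init() cannot tell a prepared session from one that was silently skipped. If a NULL session is expected at this point, say so with a comment such as `/* no inline session yet: prepare is deferred */`; if it is not expected, return an error rather than success. On the failure path `memset(ss, 0, sizeof(*ss))` also clears `ss->sa` and `ss->type`, so the function comment should state that the session must not be used after a non-zero return. The function's opening lines are in the preceding hunk at -997.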
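Review bot: The result of sa_in_add_rules() is still discarded in the hunk at -1126, and the same holds for sa_out_add_rules() in the hunk at -1146, although sa_add_rules() can now return -EINVAL when create_inline_session() fails. That early return presumably leaves the remaining entries unprocessed, so sa_init() would carry on with a partially populated SA table and only a log line to show for it; for an IPsec gateway a failed SA setup is better treated as a startup error. sa_init() already assigns `rc` in the visible context, so `rc = sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx);` followed by `if (rc != 0) rte_exit(EXIT_FAILURE, "failed to add inbound SA rules\n");` would do, with the matching change for the outbound call. sa_init() begins and ends outside both hunks.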
Call create_inline_session() at initialisation in sa.c.
Call rte_ipsec_session_prepare() in fill_ipsec_session() for inline.

Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Cc: stable@dpdk.org
Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
---
 examples/ipsec-secgw/sa.c | 46 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 36 insertions(+), 10 deletions(-)