[dpdk-dev] [PATCH v4 6/9] examples/ipsec-secgw: make app to use ipsec library

Akhil Goyal akhil.goyal at nxp.com
Fri Dec 21 16:15:31 CET 2018



On 12/14/2018 10:10 PM, Konstantin Ananyev wrote:
> Changes to make ipsec-secgw to utilize librte_ipsec library.
> That patch provides:
>   - changes in the related data structures.
>   - changes in the initialization code.
>   - new command-line parameters to enable librte_ipsec codepath
>     and related features.
>
> Note that right now by default current (non-librte_ipsec) code-path will
> be used. User has to run application with new command-line option ('-l')
> to enable new codepath.
> The main reason for that:
>   - current librte_ipsec doesn't support all ipsec algorithms
>     and features that the app does.
>   - allow users to run both versions in parallel for some time
>     to figure out any functional or performance degradation with the
>     new code.
>
> It is planned to deprecate and remove non-librte_ipsec code path
> in future releases.
>
> Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal at intel.com>
> Signed-off-by: Bernard Iremonger <bernard.iremonger at intel.com>
> Signed-off-by: Konstantin Ananyev <konstantin.ananyev at intel.com>
> Acked-by: Radu Nicolau <radu.nicolau at intel.com>
> ---
>   examples/ipsec-secgw/ipsec-secgw.c |  50 ++++++-
>   examples/ipsec-secgw/ipsec.h       |  24 ++++
>   examples/ipsec-secgw/meson.build   |   2 +-
>   examples/ipsec-secgw/sa.c          | 221 ++++++++++++++++++++++++++++-
>   examples/ipsec-secgw/sp4.c         |  25 ++++
>   examples/ipsec-secgw/sp6.c         |  25 ++++
>   6 files changed, 341 insertions(+), 6 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index d1da2d5ce..48baa5001 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -155,6 +155,9 @@ static uint32_t single_sa;
>   static uint32_t single_sa_idx;
>   static uint32_t frame_size;
>   
> +/* application wide librte_ipsec/SA parameters */
> +struct app_sa_prm app_sa_prm = {.enable = 0};
> +
>   struct lcore_rx_queue {
>   	uint16_t port_id;
>   	uint8_t queue_id;
> @@ -1063,6 +1066,10 @@ print_usage(const char *prgname)
>   		" [-P]"
>   		" [-u PORTMASK]"
>   		" [-j FRAMESIZE]"
> +		" [-l]"
> +		" [-w REPLAY_WINDOW_SIZE]"
> +		" [-e]"
> +		" [-a]"
>   		" -f CONFIG_FILE"
>   		" --config (port,queue,lcore)[,(port,queue,lcore)]"
>   		" [--single-sa SAIDX]"
> @@ -1073,6 +1080,10 @@ print_usage(const char *prgname)
>   		"  -u PORTMASK: Hexadecimal bitmask of unprotected ports\n"
>   		"  -j FRAMESIZE: Enable jumbo frame with 'FRAMESIZE' as maximum\n"
>   		"                packet size\n"
> +		"  -l enables code-path that uses librte_ipsec\n"
> +		"  -w REPLAY_WINDOW_SIZE specifies IPsec SQN replay window\n"
> +		"     size for each SA\n"
> +		"  -a enables SA SQN atomic behaviour\n"
The usage text for -e is missing.
>   		"  -f CONFIG_FILE: Configuration file\n"
>   		"  --config (port,queue,lcore): Rx queue configuration\n"
>   		"  --single-sa SAIDX: Use single SA index for outbound traffic,\n"
> @@ -1169,6 +1180,20 @@ parse_config(const char *q_arg)
>   	return 0;
>   }
>   
> +static void
> +print_app_sa_prm(const struct app_sa_prm *prm)
> +{
> +	printf("librte_ipsec usage: %s\n",
> +		(prm->enable == 0) ? "disabled" : "enabled");
> +
> +	if (prm->enable == 0)
> +		return;
> +
> +	printf("replay window size: %u\n", prm->window_size);
> +	printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
> +	printf("SA flags: %#" PRIx64 "\n", prm->flags);
> +}
> +
>   static int32_t
>   parse_args(int32_t argc, char **argv)
>   {
> @@ -1180,7 +1205,7 @@ parse_args(int32_t argc, char **argv)
>   
>   	argvopt = argv;
>   
> -	while ((opt = getopt_long(argc, argvopt, "p:Pu:f:j:",
> +	while ((opt = getopt_long(argc, argvopt, "aelp:Pu:f:j:w:",
>   				lgopts, &option_index)) != EOF) {
>   
>   		switch (opt) {
> @@ -1236,6 +1261,21 @@ parse_args(int32_t argc, char **argv)
>   			}
>   			printf("Enabled jumbo frames size %u\n", frame_size);
>   			break;
> +		case 'l':
> +			app_sa_prm.enable = 1;
> +			break;
> +		case 'w':
> +			app_sa_prm.enable = 1;
> +			app_sa_prm.window_size = parse_decimal(optarg);
> +			break;
> +		case 'e':
> +			app_sa_prm.enable = 1;
> +			app_sa_prm.enable_esn = 1;
> +			break;
> +		case 'a':
> +			app_sa_prm.enable = 1;
> +			app_sa_prm.flags |= RTE_IPSEC_SAFLAG_SQN_ATOM;
> +			break;
>   		case CMD_LINE_OPT_CONFIG_NUM:
>   			ret = parse_config(optarg);
>   			if (ret) {
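Review bot: In the `case 'w'` branch the result of `parse_decimal(optarg)` is stored straight into the unsigned `app_sa_prm.window_size` with no error check, so a malformed argument is not rejected at this point. parse_decimal is defined outside this hunk; if it signals failure with a negative return, that value would be converted into a very large replay window instead of producing a usage error. Validate before assigning, e.g. `ret = parse_decimal(optarg);` `if (ret < 0) { printf("Invalid replay window size\n"); print_usage(prgname); return -1; }` `app_sa_prm.window_size = ret;`. The switch and parse_args() continue outside the hunk.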
> @@ -1280,6 +1320,8 @@ parse_args(int32_t argc, char **argv)
>   		return -1;
>   	}
>   
> +	print_app_sa_prm(&app_sa_prm);
> +
>   	if (optind >= 0)
>   		argv[optind-1] = prgname;
>   
> @@ -1923,12 +1965,14 @@ main(int32_t argc, char **argv)
>   		if (socket_ctx[socket_id].mbuf_pool)
>   			continue;
>   
> -		sa_init(&socket_ctx[socket_id], socket_id);
> -
> +		/* initilaze SPD */
>   		sp4_init(&socket_ctx[socket_id], socket_id);
>   
>   		sp6_init(&socket_ctx[socket_id], socket_id);
>   
> +		/* initilaze SAD */
> +		sa_init(&socket_ctx[socket_id], socket_id);
> +
>   		rt_init(&socket_ctx[socket_id], socket_id);
>   
>   		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
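Review bot: The two new comments misspell "initialize" (`/* initilaze SPD */`, `/* initilaze SAD */`), and neither explains why sa_init() was moved after sp4_init()/sp6_init(). If SA setup now consults the SP rules (the ipsec.h part of this patch declares sp4_spi_present()/sp6_spi_present(), which suggests so), the call order has become a requirement and should be stated, e.g. `/* initialize SAD; must follow SPD init because SA setup looks up SP rules by SPI */`. main() starts and ends outside the hunk.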
> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> index 2f04b7d68..b089fe54b 100644
> --- a/examples/ipsec-secgw/ipsec.h
> +++ b/examples/ipsec-secgw/ipsec.h
> @@ -11,6 +11,7 @@
>   #include <rte_crypto.h>
>   #include <rte_security.h>
>   #include <rte_flow.h>
> +#include <rte_ipsec.h>
>   
>   #define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
>   #define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
> @@ -70,7 +71,20 @@ struct ip_addr {
>   
>   #define MAX_KEY_SIZE		32
>   
> +/*
> + * application wide SA parameters
> + */
> +struct app_sa_prm {
> +	uint32_t enable; /* use librte_ipsec API for ipsec pkt processing */
> +	uint32_t window_size; /* replay window size */
> +	uint32_t enable_esn;  /* enable/disable ESN support */
> +	uint64_t flags;       /* rte_ipsec_sa_prm.flags */
> +};
> +
> +extern struct app_sa_prm app_sa_prm;
> +
>   struct ipsec_sa {
> +	struct rte_ipsec_session ips; /* one session per sa for now */
>   	uint32_t spi;
>   	uint32_t cdev_id_qp;
>   	uint64_t seq;
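Review bot: The comment on `window_size` does not say what the zero default means. `app_sa_prm` is initialised with only `.enable = 0`, so running with `-l` alone leaves `window_size` at 0; if that value is handed unchanged to librte_ipsec's `replay_win_sz` (the sa.c changes are not visible here), replay checking would be off for every SA unless `-w` is given. Document this on the field, e.g. `uint32_t window_size; /* replay window size, 0 - replay check disabled */`, and repeat it in the `-w` usage text. struct ipsec_sa continues outside the hunk.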
> @@ -243,6 +257,16 @@ sp4_init(struct socket_ctx *ctx, int32_t socket_id);
>   void
>   sp6_init(struct socket_ctx *ctx, int32_t socket_id);
>   
> +/*
> + * Search though SP rules for given SPI.
spell check
> + * Returns first rule index if found(greater or equal then zero),
> + * or -ENOENT otherwise.
> + */
> +int
> +sp4_spi_present(uint32_t spi, int inbound);
> +int
> +sp6_spi_present(uint32_t spi, int inbound);
> +
>   void
>   sa_init(struct socket_ctx *ctx, int32_t socket_id);
>   
> diff --git a/examples/ipsec-secgw/meson.build b/examples/ipsec-secgw/meson.build
> index 77d8b298f..31f68fee2 100644
> --- a/examples/ipsec-secgw/meson.build
> +++ b/examples/ipsec-secgw/meson.build
> @@ -6,7 +6,7 @@
>   # To build this example as a standalone application with an already-installed
>   # DPDK instance, use 'make'
>   
> -deps += ['security', 'lpm', 'acl', 'hash']
> +deps += ['security', 'lpm', 'acl', 'hash', 'ipsec']
>   allow_experimental_apis = true
>   sources = files(
>   	'esp.c', 'ipsec.c', 'ipsec-secgw.c', 'parser.c',
>
Makefile should also be updated I guess.

.....
I will be running the application and will come back with issues, if any.

-Akhil

