[dpdk-dev] [PATCH 2/6] examples/ipsec-secgw: fix 1st packet dropped patch two
Ananyev, Konstantin
konstantin.ananyev at intel.com
Wed Mar 6 20:39:58 CET 2019
Hi Bernard,
>
> Call create_inline_session() at initialisition in sa.c
> Call rte_ipsec_session_prepare() in fill_ipsec_session() for inline.
Here and in other places - it probably worth to explain what is the purpose
for these changes.
As a side notice, as these series fixes that problem, it probably worse to add a patch
into series that removes the following:
# to overcome problem with ipsec-secgw for inline mode,
# when first packet(s) will be always dropped.
# note that ping will fail here
ssh ${REMOTE_HOST} ping -c 1 ${LOCAL_IPV4}
from examples/ipsec-secgw/test/(tun|trs)_aesgcm_defs.sh
Konstantin
>
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Cc: stable at dpdk.org
> Signed-off-by: Bernard Iremonger <bernard.iremonger at intel.com>
> ---
> examples/ipsec-secgw/sa.c | 46 ++++++++++++++++++++++++++++++++++++----------
> 1 file changed, 36 insertions(+), 10 deletions(-)
>
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index 414fcd2..7fb1929 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -762,11 +762,13 @@ check_eth_dev_caps(uint16_t portid, uint32_t inbound)
>
> static int
> sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> - uint32_t nb_entries, uint32_t inbound)
> + uint32_t nb_entries, uint32_t inbound,
> + struct socket_ctx *skt_ctx)
> {
> struct ipsec_sa *sa;
> uint32_t i, idx;
> uint16_t iv_length, aad_length;
> + int32_t rc;
>
> /* for ESN upper 32 bits of SQN also need to be part of AAD */
> aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0;
> @@ -819,6 +821,17 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
>
> sa->xforms = &sa_ctx->xf[idx].a;
>
> + if (sa->type ==
> + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
> + sa->type ==
> + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
> + rc = create_inline_session(skt_ctx, sa);
> + if (rc != 0) {
> + RTE_LOG(ERR, IPSEC_ESP,
> + "create_inline_session() failed\n");
> + return -EINVAL;
> + }
> + }
> print_one_sa_rule(sa, inbound);
> } else {
> switch (sa->cipher_algo) {
> @@ -894,16 +907,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
>
> static inline int
> sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> - uint32_t nb_entries)
> + uint32_t nb_entries, struct socket_ctx *skt_ctx)
> {
> - return sa_add_rules(sa_ctx, entries, nb_entries, 0);
> + return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx);
> }
>
> static inline int
> sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> - uint32_t nb_entries)
> + uint32_t nb_entries, struct socket_ctx *skt_ctx)
> {
> - return sa_add_rules(sa_ctx, entries, nb_entries, 1);
> + return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx);
> }
>
> /*
> @@ -997,10 +1010,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,
> return 0;
> }
>
> -static void
> +static int
> fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,
> const struct ipsec_sa *lsa)
> {
> + int32_t rc = 0;
> +
> ss->sa = sa;
> ss->type = lsa->type;
>
> @@ -1013,6 +1028,17 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,
> ss->security.ctx = lsa->security_ctx;
> ss->security.ol_flags = lsa->ol_flags;
> }
> +
> + if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
> + ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
> + if (ss->security.ses != NULL) {
> + rc = rte_ipsec_session_prepare(ss);
> + if (rc != 0)
> + memset(ss, 0, sizeof(*ss));
> + }
> + }
> +
> + return rc;
> }
>
> /*
> @@ -1047,8 +1073,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size)
> if (rc < 0)
> return rc;
>
> - fill_ipsec_session(&lsa->ips, sa, lsa);
> - return 0;
> + rc = fill_ipsec_session(&lsa->ips, sa, lsa);
> + return rc;
> }
>
> /*
> @@ -1126,7 +1152,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
> "context %s in socket %d\n", rte_errno,
> name, socket_id);
>
> - sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in);
> + sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx);
>
> if (app_sa_prm.enable != 0) {
> rc = ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in,
> @@ -1146,7 +1172,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
> "context %s in socket %d\n", rte_errno,
> name, socket_id);
>
> - sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out);
> + sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx);
>
> if (app_sa_prm.enable != 0) {
> rc = ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out,
> --
> 2.7.4
More information about the dev
mailing list