[dpdk-dev] [PATCH v2 2/2] examples/ipsec-secgw: add target queues in flow actions

Nelio Laranjeiro nelio.laranjeiro at 6wind.com
Thu Dec 7 13:22:04 CET 2017


Hi Anoob,

On Thu, Dec 07, 2017 at 03:17:40PM +0530, Anoob wrote:
> Hi Nelio,
> 
> 
> On 12/04/2017 07:41 PM, Nelio Laranjeiro wrote:
> > Mellanox INNOVA NIC needs to have final target queue actions to perform
> > inline crypto.
> > 
> > Signed-off-by: Nelio Laranjeiro <nelio.laranjeiro at 6wind.com>
> > 
> > ---
> > 
> > Changes in v2:
> > 
> >   * Test the rule by PASSTHRU/RSS/QUEUE and apply the first one validated.
> > ---
> >   examples/ipsec-secgw/ipsec.c | 81 ++++++++++++++++++++++++++++++++++++++++----
> >   examples/ipsec-secgw/ipsec.h |  2 +-
> >   2 files changed, 76 insertions(+), 7 deletions(-)
> > 
> > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> > index 17bd7620d..f8823fb94 100644
> > --- a/examples/ipsec-secgw/ipsec.c
> > +++ b/examples/ipsec-secgw/ipsec.c
> > @@ -142,6 +142,7 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
> >   							rte_eth_dev_get_sec_ctx(
> >   							sa->portid);
> >   			const struct rte_security_capability *sec_cap;
> > +			int ret = 0;
> >   			sa->sec_session = rte_security_session_create(ctx,
> >   					&sess_conf, ipsec_ctx->session_pool);
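
Review bot: the new `int ret = 0;` in create_session() has no use in the lines quoted in this message. If it only serves the rule validation added in the later ingress block, declare it there next to `i` and `j` so its scope matches its use, and leave it uninitialised so the compiler can flag a path that reads it before it is assigned.
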
> > @@ -173,6 +174,10 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
> >   				return -1;
> >   			}
> > +			sa->attr.egress = (sa->direction ==
> > +					RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
> > +			sa->attr.ingress = (sa->direction ==
> > +					RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
> >   			sa->ol_flags = sec_cap->ol_flags;
> >   			sa->security_ctx = ctx;
> >   			sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
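
Review bot: the `sa->attr.egress` / `sa->attr.ingress` assignments are moved above the pattern setup with no comment saying why. The later block tests `sa->attr.ingress` before it builds the actions, so a one-line comment here stating that dependency would keep a later cleanup from moving the assignments back below the action setup.
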
> > @@ -201,15 +206,79 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
> >   			sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
> >   			sa->action[0].conf = sa->sec_session;
> > -			sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
> > -
> > -			sa->attr.egress = (sa->direction ==
> > -					RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
> > -			sa->attr.ingress = (sa->direction ==
> > -					RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
> > +			if (sa->attr.ingress) {
> > +				uint8_t rss_key[40];
> > +				struct rte_eth_rss_conf rss_conf = {
> > +					.rss_key = rss_key,
> > +					.rss_key_len = 40,
> > +				};
> > +				struct rte_eth_dev *eth_dev;
> > +				union {
> > +					struct rte_flow_action_rss rss;
> > +					struct {
> > +					const struct rte_eth_rss_conf *rss_conf;
> > +					uint16_t num;
> > +					uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
> > +					} local;
> > +				} action_rss;
> > +				unsigned int i;
> > +				unsigned int j;
> > +
> > +				sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
> > +				/*
> > +				 * Try implicitly PASSTHRU, it can also be
> > +				 * explicit.
> > +				 */
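
Review bot: the action list terminator is now written only inside `if (sa->attr.ingress)`, as `sa->action[2].type = RTE_FLOW_ACTION_TYPE_END`, while the unconditional `sa->action[1].type = RTE_FLOW_ACTION_TYPE_END` is removed. In the lines quoted here nothing terminates the list for an egress SA and nothing sets `action[1]`, so check that every path leaves a fully terminated action array before the rule is validated or created. Separately, the literal 40 appears both as the size of `rss_key` and as `.rss_key_len`; using `sizeof(rss_key)` for the length would keep the two tied together.
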
> Maybe we can get rid of this check. You can do the check with RSS and then
> QUEUE. That should be fine. SECURITY is terminating on Cavium hardware, but
> according to the spec it is a non-terminating meta action. We can stick to
> that. For Cavium hardware the PMD will give success to SECURITY+QUEUE. That
> should resolve the issue.
<snip>

I'll remove it in a v3; I will send it tomorrow to leave a little more
time for other people to review.

Thanks,

-- 
Nélio Laranjeiro
6WIND

