#include <rte_hash.h>
#include <rte_jhash.h>
#include <rte_cryptodev.h>
+#include <rte_security.h>
#include "ipsec.h"
#include "parser.h"
#define NB_MBUF (32000)
#define CDEV_QUEUE_DESC 2048
-#define CDEV_MAP_ENTRIES 1024
+#define CDEV_MAP_ENTRIES 16384
#define CDEV_MP_NB_OBJS 2048
#define CDEV_MP_CACHE_SZ 64
#define MAX_QUEUE_PAIRS 1
.mq_mode = ETH_MQ_RX_RSS,
.max_rx_pkt_len = ETHER_MAX_LEN,
.split_hdr_size = 0,
- .offloads = DEV_RX_OFFLOAD_CHECKSUM |
- DEV_RX_OFFLOAD_CRC_STRIP,
- .ignore_offload_bitfield = 1,
+ .offloads = DEV_RX_OFFLOAD_CHECKSUM,
},
.rx_adv_conf = {
.rss_conf = {
pkt->l3_len = sizeof(struct ip);
pkt->l2_len = ETHER_HDR_LEN;
+ ip->ip_sum = 0;
ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4);
} else {
pkt->ol_flags |= PKT_TX_IPV6;
sa_idx = ip->res[i] & PROTECT_MASK;
if (ip->res[i] & DISCARD)
rte_pktmbuf_free(m);
+ else if (ip->res[i] & BYPASS)
+ ip->pkts[j++] = m;
else if (sa_idx < IPSEC_SA_MAX_ENTRIES) {
ipsec->res[ipsec->num] = sa_idx;
ipsec->pkts[ipsec->num++] = m;
- } else /* BYPASS */
- ip->pkts[j++] = m;
+ } else /* invalid SA idx */
+ rte_pktmbuf_free(m);
}
ip->num = j;
}
static void
print_usage(const char *prgname)
{
- printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK"
- " --"CMD_LINE_OPT_CONFIG" (port,queue,lcore)[,(port,queue,lcore]"
- " --single-sa SAIDX -f CONFIG_FILE\n"
- " -p PORTMASK: hexadecimal bitmask of ports to configure\n"
- " -P : enable promiscuous mode\n"
- " -u PORTMASK: hexadecimal bitmask of unprotected ports\n"
- " -j FRAMESIZE: jumbo frame maximum size\n"
- " --"CMD_LINE_OPT_CONFIG": (port,queue,lcore): "
- "rx queues configuration\n"
- " --single-sa SAIDX: use single SA index for outbound, "
- "bypassing the SP\n"
- " --cryptodev_mask MASK: hexadecimal bitmask of the "
- "crypto devices to configure\n"
- " -f CONFIG_FILE: Configuration file path\n",
+ fprintf(stderr, "%s [EAL options] --"
+ " -p PORTMASK"
+ " [-P]"
+ " [-u PORTMASK]"
+ " [-j FRAMESIZE]"
+ " -f CONFIG_FILE"
+ " --config (port,queue,lcore)[,(port,queue,lcore)]"
+ " [--single-sa SAIDX]"
+ " [--cryptodev_mask MASK]"
+ "\n\n"
+ " -p PORTMASK: Hexadecimal bitmask of ports to configure\n"
+ " -P : Enable promiscuous mode\n"
+ " -u PORTMASK: Hexadecimal bitmask of unprotected ports\n"
+ " -j FRAMESIZE: Enable jumbo frame with 'FRAMESIZE' as maximum\n"
+ " packet size\n"
+ " -f CONFIG_FILE: Configuration file\n"
+ " --config (port,queue,lcore): Rx queue configuration\n"
+ " --single-sa SAIDX: Use single SA index for outbound traffic,\n"
+ " bypassing the SP\n"
+ " --cryptodev_mask MASK: Hexadecimal bitmask of the crypto\n"
+ " devices to configure\n"
+ "\n",
prgname);
}
uint32_t max_sess_sz = 0, sess_sz;
for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
- sess_sz = rte_cryptodev_get_private_session_size(cdev_id);
+ void *sec_ctx;
+
+ /* Get crypto priv session size */
+ sess_sz = rte_cryptodev_sym_get_private_session_size(cdev_id);
+ if (sess_sz > max_sess_sz)
+ max_sess_sz = sess_sz;
+
+ /*
+ * If crypto device is security capable, need to check the
+ * size of security session as well.
+ */
+
+ /* Get security context of the crypto device */
+ sec_ctx = rte_cryptodev_get_sec_ctx(cdev_id);
+ if (sec_ctx == NULL)
+ continue;
+
+ /* Get size of security session */
+ sess_sz = rte_security_session_get_size(sec_ctx);
if (sess_sz > max_sess_sz)
max_sess_sz = sess_sz;
}
dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
dev_conf.nb_queue_pairs = qp;
+ uint32_t dev_max_sess = cdev_info.sym.max_nb_sessions;
+ if (dev_max_sess != 0 && dev_max_sess < (CDEV_MP_NB_OBJS / 2))
+ rte_exit(EXIT_FAILURE,
+ "Device does not support at least %u "
+ "sessions", CDEV_MP_NB_OBJS / 2);
+
if (!socket_ctx[dev_conf.socket_id].session_pool) {
char mp_name[RTE_MEMPOOL_NAMESIZE];
struct rte_mempool *sess_mp;
cdev_id);
qp_conf.nb_descriptors = CDEV_QUEUE_DESC;
+ qp_conf.mp_session =
+ socket_ctx[dev_conf.socket_id].session_pool;
+ qp_conf.mp_session_private =
+ socket_ctx[dev_conf.socket_id].session_pool;
for (qp = 0; qp < dev_conf.nb_queue_pairs; qp++)
if (rte_cryptodev_queue_pair_setup(cdev_id, qp,
- &qp_conf, dev_conf.socket_id,
- socket_ctx[dev_conf.socket_id].session_pool))
+ &qp_conf, dev_conf.socket_id))
rte_panic("Failed to setup queue %u for "
"cdev_id %u\n", 0, cdev_id);
if (dev_info.tx_offload_capa & DEV_TX_OFFLOAD_MBUF_FAST_FREE)
local_port_conf.txmode.offloads |=
DEV_TX_OFFLOAD_MBUF_FAST_FREE;
+
+ local_port_conf.rx_adv_conf.rss_conf.rss_hf &=
+ dev_info.flow_type_rss_offloads;
+ if (local_port_conf.rx_adv_conf.rss_conf.rss_hf !=
+ port_conf.rx_adv_conf.rss_conf.rss_hf) {
+ printf("Port %u modified RSS hash function based on hardware support,"
+ "requested:%#"PRIx64" configured:%#"PRIx64"\n",
+ portid,
+ port_conf.rx_adv_conf.rss_conf.rss_hf,
+ local_port_conf.rx_adv_conf.rss_conf.rss_hf);
+ }
+
ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue,
&local_port_conf);
if (ret < 0)
printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id);
txconf = &dev_info.default_txconf;
- txconf->txq_flags = ETH_TXQ_FLAGS_IGNORE;
txconf->offloads = local_port_conf.txmode.offloads;
ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd,
printf("Allocated mbuf pool on socket %d\n", socket_id);
}
+static inline int
+inline_ipsec_event_esn_overflow(struct rte_security_ctx *ctx, uint64_t md)
+{
+ struct ipsec_sa *sa;
+
+ /* For inline protocol processing, the metadata in the event will
+ * uniquely identify the security session which raised the event.
+ * Application would then need the userdata it had registered with the
+ * security session to process the event.
+ */
+
+ sa = (struct ipsec_sa *)rte_security_get_userdata(ctx, md);
+
+ if (sa == NULL) {
+ /* userdata could not be retrieved */
+ return -1;
+ }
+
+ /* Sequence number over flow. SA need to be re-established */
+ RTE_SET_USED(sa);
+ return 0;
+}
+
+static int
+inline_ipsec_event_callback(uint16_t port_id, enum rte_eth_event_type type,
+ void *param, void *ret_param)
+{
+ uint64_t md;
+ struct rte_eth_event_ipsec_desc *event_desc = NULL;
+ struct rte_security_ctx *ctx = (struct rte_security_ctx *)
+ rte_eth_dev_get_sec_ctx(port_id);
+
+ RTE_SET_USED(param);
+
+ if (type != RTE_ETH_EVENT_IPSEC)
+ return -1;
+
+ event_desc = ret_param;
+ if (event_desc == NULL) {
+ printf("Event descriptor not set\n");
+ return -1;
+ }
+
+ md = event_desc->metadata;
+
+ if (event_desc->subtype == RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW)
+ return inline_ipsec_event_esn_overflow(ctx, md);
+ else if (event_desc->subtype >= RTE_ETH_EVENT_IPSEC_MAX) {
+ printf("Invalid IPsec event reported\n");
+ return -1;
+ }
+
+ return -1;
+}
+
int32_t
main(int32_t argc, char **argv)
{
*/
if (promiscuous_on)
rte_eth_promiscuous_enable(portid);
+
+ rte_eth_dev_callback_register(portid,
+ RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, NULL);
}
check_all_ports_link_status(enabled_port_mask);