examples/ipsec-secgw: add default flow for inline Rx
authorAnkur Dwivedi <adwivedi@marvell.com>
Thu, 27 Feb 2020 16:18:23 +0000 (17:18 +0100)
committerAkhil Goyal <akhil.goyal@oss.nxp.com>
Wed, 1 Apr 2020 10:07:07 +0000 (12:07 +0200)
The default flow created would enable security processing on all ESP
packets. If the default flow is created, SA based rte_flow creation
would be skipped.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
examples/ipsec-secgw/ipsec-secgw.c
examples/ipsec-secgw/ipsec.c
examples/ipsec-secgw/ipsec.h

index 4799bc9..e1ee7c3 100644 (file)
@@ -129,6 +129,8 @@ struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
        { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
 };
 
+struct flow_info flow_info_tbl[RTE_MAX_ETHPORTS];
+
 #define CMD_LINE_OPT_CONFIG            "config"
 #define CMD_LINE_OPT_SINGLE_SA         "single-sa"
 #define CMD_LINE_OPT_CRYPTODEV_MASK    "cryptodev_mask"
@@ -2432,6 +2434,48 @@ reassemble_init(void)
        return rc;
 }
 
+static void
+create_default_ipsec_flow(uint16_t port_id, uint64_t rx_offloads)
+{
+       struct rte_flow_action action[2];
+       struct rte_flow_item pattern[2];
+       struct rte_flow_attr attr = {0};
+       struct rte_flow_error err;
+       struct rte_flow *flow;
+       int ret;
+
+       if (!(rx_offloads & DEV_RX_OFFLOAD_SECURITY))
+               return;
+
+       /* Add the default rte_flow to enable SECURITY for all ESP packets */
+
+       pattern[0].type = RTE_FLOW_ITEM_TYPE_ESP;
+       pattern[0].spec = NULL;
+       pattern[0].mask = NULL;
+       pattern[0].last = NULL;
+       pattern[1].type = RTE_FLOW_ITEM_TYPE_END;
+
+       action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
+       action[0].conf = NULL;
+       action[1].type = RTE_FLOW_ACTION_TYPE_END;
+       action[1].conf = NULL;
+
+       attr.ingress = 1;
+
+       ret = rte_flow_validate(port_id, &attr, pattern, action, &err);
+       if (ret)
+               return;
+
+       flow = rte_flow_create(port_id, &attr, pattern, action, &err);
+       if (flow == NULL)
+               return;
+
+       flow_info_tbl[port_id].rx_def_flow = flow;
+       RTE_LOG(INFO, IPSEC,
+               "Created default flow enabling SECURITY for all ESP traffic on port %d\n",
+               port_id);
+}
+
 int32_t
 main(int32_t argc, char **argv)
 {
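Review bot: Both failure paths in `create_default_ipsec_flow()` return silently, after `rte_flow_validate()` and after `rte_flow_create()`, so nothing records that the port fell back to per-SA flows or why. Because this rule decides whether all ESP traffic on the port is steered to inline security processing, log the fallback at both sites, e.g. `RTE_LOG(WARNING, IPSEC, "Default ESP flow not created on port %u: %s\n", port_id, err.message ? err.message : "(no message)");`. `err` is passed uninitialized, so declare it as `struct rte_flow_error err = {0};` in case the driver leaves `message` unset before the log reads it. Likewise `pattern[1]` has only `.type` assigned; `struct rte_flow_item pattern[2] = {0};` would avoid handing indeterminate pointers to the driver.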
@@ -2440,7 +2484,8 @@ main(int32_t argc, char **argv)
        uint32_t i;
        uint8_t socket_id;
        uint16_t portid;
-       uint64_t req_rx_offloads, req_tx_offloads;
+       uint64_t req_rx_offloads[RTE_MAX_ETHPORTS];
+       uint64_t req_tx_offloads[RTE_MAX_ETHPORTS];
        size_t sess_sz;
 
        /* init EAL */
@@ -2502,8 +2547,10 @@ main(int32_t argc, char **argv)
                if ((enabled_port_mask & (1 << portid)) == 0)
                        continue;
 
-               sa_check_offloads(portid, &req_rx_offloads, &req_tx_offloads);
-               port_init(portid, req_rx_offloads, req_tx_offloads);
+               sa_check_offloads(portid, &req_rx_offloads[portid],
+                               &req_tx_offloads[portid]);
+               port_init(portid, req_rx_offloads[portid],
+                               req_tx_offloads[portid]);
        }
 
        cryptodevs_init();
@@ -2513,11 +2560,9 @@ main(int32_t argc, char **argv)
                if ((enabled_port_mask & (1 << portid)) == 0)
                        continue;
 
-               /*
-                * Start device
-                * note: device must be started before a flow rule
-                * can be installed.
-                */
+               /* Create flow before starting the device */
+               create_default_ipsec_flow(portid, req_rx_offloads[portid]);
+
                ret = rte_eth_dev_start(portid);
                if (ret < 0)
                        rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
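Review bot: The new comment `/* Create flow before starting the device */` states the ordering but not the reason, while the comment it replaces stated the opposite requirement (the device must be started before a flow rule can be installed). Please record why the default flow has to exist before `rte_eth_dev_start()`, for example `/* Install the default ESP flow before start so no ESP packet is received ahead of the rule; if the driver rejects it, per-SA flows are used instead */`, adjusted to the actual reason. Whether every driver accepts `rte_flow_create()` on a port that has not been started is not visible here, so the comment should also say which behaviour is relied on. The `rte_exit()` call at the end of this hunk continues outside it.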
index 6e81207..d406571 100644 (file)
@@ -275,6 +275,10 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
                        unsigned int i;
                        unsigned int j;
 
+                       /* Don't create flow if default flow is created */
+                       if (flow_info_tbl[sa->portid].rx_def_flow)
+                               return 0;
+
                        ret = rte_eth_dev_info_get(sa->portid, &dev_info);
                        if (ret != 0) {
                                RTE_LOG(ERR, IPSEC,
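Review bot: The added check reads `flow_info_tbl[sa->portid]` before the `rte_eth_dev_info_get(sa->portid, ...)` call just below, which is the first place in this hunk where an invalid port id would be rejected. If `sa->portid` comes from the SA configuration and is not range-checked earlier (not visible here), a value of `RTE_MAX_ETHPORTS` or more reads past the table. Bounding the lookup keeps it safe regardless: `if (sa->portid < RTE_MAX_ETHPORTS && flow_info_tbl[sa->portid].rx_def_flow)`. The enclosing block of `create_inline_session()` starts and ends outside the hunk.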
@@ -410,7 +414,6 @@ flow_create_failure:
                ips->security.ol_flags = sec_cap->ol_flags;
                ips->security.ctx = sec_ctx;
        }
-       sa->cdev_id_qp = 0;
 
        return 0;
 }
index 4f2fd61..8f5d382 100644 (file)
@@ -87,6 +87,12 @@ struct app_sa_prm {
 
 extern struct app_sa_prm app_sa_prm;
 
+struct flow_info {
+       struct rte_flow *rx_def_flow;
+};
+
+extern struct flow_info flow_info_tbl[RTE_MAX_ETHPORTS];
+
 enum {
        IPSEC_SESSION_PRIMARY = 0,
        IPSEC_SESSION_FALLBACK = 1,