The application is located in the ``ipsec-secgw`` sub-directory.
-#. [Optional] Build the application for debugging:
- This option adds some extra flags, disables compiler optimizations and
- is verbose::
-
- make DEBUG=1
-
Running the Application
-----------------------
The application has a number of command line options::
- ./build/ipsec-secgw [EAL options] --
+ ./<build_dir>/examples/dpdk-ipsec-secgw [EAL options] --
-p PORTMASK -P -u PORTMASK -j FRAMESIZE
- -l -w REPLAY_WINOW_SIZE -e -a
+ -l -w REPLAY_WINDOW_SIZE -e -a
-c SAD_CACHE_SIZE
-s NUMBER_OF_MBUFS_IN_PACKET_POOL
-f CONFIG_FILE_PATH
* ``-l``: enables code-path that uses librte_ipsec.
-* ``-w REPLAY_WINOW_SIZE``: specifies the IPsec sequence number replay window
+* ``-w REPLAY_WINDOW_SIZE``: specifies the IPsec sequence number replay window
size for each Security Association (available only with librte_ipsec
code path).
For example, given the following command line to run application in poll mode::
- ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 \
+ ./<build_dir>/examples/dpdk-ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 \
--vdev "crypto_null" -- -p 0xf -P -u 0x3 \
--config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" \
-f /path/to/config_file --transfer-mode poll \
Similarly for example, given the following command line to run application in
event app mode::
- ./build/ipsec-secgw -c 0x3 -- -P -p 0x3 -u 0x1 \
+ ./<build_dir>/examples/dpdk-ipsec-secgw -c 0x3 -- -P -p 0x3 -u 0x1 \
-f /path/to/config_file --transfer-mode event \
--event-schedule-type parallel \
and software crypto devices are detected, hardware devices will be used.
A way to achieve the case where you want to force the use of virtual crypto
-devices is to whitelist the Ethernet devices needed and therefore implicitly
-blacklisting all hardware crypto devices.
+devices is to only use the Ethernet devices needed (via the allow flag)
+and therefore implicitly blocking all hardware crypto devices.
For example, something like the following command line:
.. code-block:: console
- ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 \
- -w 81:00.0 -w 81:00.1 -w 81:00.2 -w 81:00.3 \
+ ./<build_dir>/examples/dpdk-ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 \
+ -a 81:00.0 -a 81:00.1 -a 81:00.2 -a 81:00.3 \
--vdev "crypto_aesni_mb" --vdev "crypto_null" \
-- \
-p 0xf -P -u 0x3 --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" \
--------------
The following sections provide the syntax of configurations to initialize
-your SP, SA, Routing and Neighbour tables.
+your SP, SA, Routing, Flow and Neighbour tables.
Configurations shall be specified in the configuration file to be passed to
the application. The file is then parsed by the application. The successful
parsing will result in the appropriate rules being applied to the tables
The parse treats one line in the configuration file as one configuration
item (unless the line concatenation symbol exists). Every configuration
-item shall follow the syntax of either SP, SA, Routing or Neighbour
+item shall follow the syntax of either SP, SA, Routing, Flow or Neighbour
rules specified below.
The configuration parser supports the following special symbols:
rt ipv6 dst 1111:1111:1111:1111:1111:1111:1111:5555/116 port 0
+Flow rule syntax
+^^^^^^^^^^^^^^^^
+
+Flow rule enables the usage of hardware classification capabilities to match specific
+ingress traffic and redirect the packets to the specified queue. This feature is
+optional and relies on hardware ``rte_flow`` support.
+
+The flow rule syntax is shown as follows:
+
+.. code-block:: console
+
+ flow <ip_ver> <src_ip> <dst_ip> <port> <queue>
+
+
+where each options means:
+
+``<ip_ver>``
+
+ * IP protocol version
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4*: IP protocol version 4
+ * *ipv6*: IP protocol version 6
+
+``<src_ip>``
+
+ * The source IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X/Y* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X/Y* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<port>``
+
+ * The traffic input port id
+
+ * Optional: yes, default input port 0 will be used
+
+ * Syntax: *port X*
+
+``<queue>``
+
+ * The traffic input queue id
+
+ * Optional: yes, default input queue 0 will be used
+
+ * Syntax: *queue X*
+
+Example flow rules:
+
+.. code-block:: console
+
+ flow ipv4 dst 172.16.1.5/32 port 0 queue 0
+
+ flow ipv6 dst 1111:1111:1111:1111:1111:1111:1111:5555/116 port 1 queue 0
+
+
Neighbour rule syntax
^^^^^^^^^^^^^^^^^^^^^
* ``REMOTE_IFACE``: interface name for the test-port on the DUT.
-* ``ETH_DEV``: ethernet device to be used on the SUT by DPDK ('-
w <pci-id>')
+* ``ETH_DEV``: ethernet device to be used on the SUT by DPDK ('-
a <pci-id>')
Also the user can optionally setup:
* ``SGW_LCORE``: lcore to run ipsec-secgw on (default value is 0)
-* ``CRYPTO_DEV``: crypto device to be used ('-
w <pci-id>'). If none specified
+* ``CRYPTO_DEV``: crypto device to be used ('-
a <pci-id>'). If none specified
appropriate vdevs will be created by the script
Scripts can be used for multiple test scenarios. To check all available
git.droids-corp.org / dpdk.git / blobdiff