examples/ipsec-secgw: support flow director
authorPraveen Shetty <praveen.shetty@intel.com>
Thu, 16 Apr 2020 16:47:29 +0000 (17:47 +0100)
committerAkhil Goyal <akhil.goyal@nxp.com>
Sun, 19 Apr 2020 15:15:14 +0000 (17:15 +0200)
Support load distribution in security gateway application using
NIC load distribution feature (Flow Director).
Flow Director is used to redirect the specified inbound ipsec flow
to a specified queue. This is achieved by extending the SA rule syntax
to support specification by adding new action_type of <flow-direction>
to a specified <port_id> <queue_id>.

Signed-off-by: Praveen Shetty <praveen.shetty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
doc/guides/rel_notes/release_20_05.rst
doc/guides/sample_app_ug/ipsec_secgw.rst
examples/ipsec-secgw/ep0.cfg
examples/ipsec-secgw/ipsec-secgw.c
examples/ipsec-secgw/ipsec.c
examples/ipsec-secgw/ipsec.h
examples/ipsec-secgw/sa.c

index 94f90f1..2612dc2 100644 (file)
@@ -105,6 +105,9 @@ New Features
   * Updated ipsec-secgw application to support key sizes for AES-192-CBC,
     AES-192-GCM, AES-256-GCM algorithms.
 
+  * Added IPsec inbound load-distribution support for ipsec-secgw application
+    using NIC load distribution feature(Flow Director).
+
 
 Removed Items
 -------------
index dea3ae4..72f0d0a 100644 (file)
@@ -506,6 +506,7 @@ The SA rule syntax is shown as follows:
 
     sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
     <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
+    <flow-direction> <port_id> <queue_id>
 
 where each options means:
 
@@ -702,6 +703,18 @@ where each options means:
 
    * *fallback lookaside-none*
 
+``<flow-direction>``
+
+ * Option for redirecting a specific inbound ipsec flow of a port to a specific
+   queue of that port.
+
+ * Optional: Yes.
+
+ * Available options:
+
+   * *port_id*: Port ID of the NIC for which the SA is configured.
+   * *queue_id*: Queue ID to which traffic should be redirected.
+
 Example SA rules:
 
 .. code-block:: console
@@ -731,6 +744,9 @@ Example SA rules:
     mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 \
     type inline-crypto-offload port_id 0
 
+    sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.7 \
+    dst 172.16.1.7 flow-direction 0 2
+
 Routing rule syntax
 ^^^^^^^^^^^^^^^^^^^
 
index dfd4aca..6f8d5aa 100644 (file)
@@ -29,6 +29,7 @@ sp ipv4 in esp protect 111 pri 1 dst 192.168.186.0/24 sport 0:65535 dport 0:6553
 sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
 sp ipv4 in esp protect 116 pri 1 dst 192.168.211.0/24 sport 0:65535 dport 0:65535
 sp ipv4 in esp protect 115 pri 1 dst 192.168.210.0/24 sport 0:65535 dport 0:65535
+sp ipv4 in esp protect 117 pri 1 dst 192.168.212.0/24 sport 0:65535 dport 0:65535
 sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
 sp ipv4 in esp protect 125 pri 1 dst 192.168.65.0/24 sport 0:65535 dport 0:65535
 sp ipv4 in esp protect 126 pri 1 dst 192.168.66.0/24 sport 0:65535 dport 0:65535
@@ -61,6 +62,8 @@ sp ipv6 in esp protect 125 pri 1 dst ffff:0000:0000:0000:aaaa:aaaa:0000:0000/96
 sport 0:65535 dport 0:65535
 sp ipv6 in esp protect 126 pri 1 dst ffff:0000:0000:0000:bbbb:bbbb:0000:0000/96 \
 sport 0:65535 dport 0:65535
+sp ipv6 in esp protect 127 pri 1 dst ffff:0000:0000:0000:cccc:dddd:0000:0000/96 \
+sport 0:65535 dport 0:65535
 
 #SA rules
 sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
@@ -118,6 +121,9 @@ dst 172.16.1.5
 
 sa in 116 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6
 
+sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.7 \
+dst 172.16.1.7 flow-direction 0 2
+
 sa in 125 cipher_algo aes-128-cbc cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
 c3:c3:c3:c3:c3 auth_algo sha1-hmac auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:\
 c3:c3:c3:c3:c3:c3:c3:c3:c3 mode ipv6-tunnel \
@@ -130,6 +136,11 @@ sa in 126 cipher_algo aes-128-cbc cipher_key 4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:4d:\
 src 2222:2222:2222:2222:2222:2222:2222:6666 \
 dst 1111:1111:1111:1111:1111:1111:1111:6666
 
+sa in 127 cipher_algo null auth_algo null mode ipv6-tunnel \
+src 2222:2222:2222:2222:2222:2222:2222:7777 \
+dst 1111:1111:1111:1111:1111:1111:1111:7777 \
+flow-direction 0 3
+
 #Routing rules
 rt ipv4 dst 172.16.2.5/32 port 0
 rt ipv4 dst 172.16.2.6/32 port 1
index 5fde4f7..6d02341 100644 (file)
@@ -1183,6 +1183,28 @@ ipsec_poll_mode_worker(void)
        }
 }
 
+int
+check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid)
+{
+       uint16_t i;
+       uint16_t portid;
+       uint8_t queueid;
+
+       for (i = 0; i < nb_lcore_params; ++i) {
+               portid = lcore_params_array[i].port_id;
+               if (portid == fdir_portid) {
+                       queueid = lcore_params_array[i].queue_id;
+                       if (queueid == fdir_qid)
+                               break;
+               }
+
+               if (i == nb_lcore_params - 1)
+                       return -1;
+       }
+
+       return 1;
+}
+
 static int32_t
 check_poll_mode_params(struct eh_conf *eh_conf)
 {
index d406571..bf88d80 100644 (file)
@@ -418,6 +418,72 @@ flow_create_failure:
        return 0;
 }
 
+int
+create_ipsec_esp_flow(struct ipsec_sa *sa)
+{
+       int ret = 0;
+       struct rte_flow_error err;
+       if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+               RTE_LOG(ERR, IPSEC,
+                       "No Flow director rule for Egress traffic\n");
+               return -1;
+       }
+       if (sa->flags == TRANSPORT) {
+               RTE_LOG(ERR, IPSEC,
+                       "No Flow director rule for transport mode\n");
+               return -1;
+       }
+       sa->action[0].type = RTE_FLOW_ACTION_TYPE_QUEUE;
+       sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
+       sa->action[0].conf = &(struct rte_flow_action_queue) {
+                               .index = sa->fdir_qid,
+       };
+       sa->attr.egress = 0;
+       sa->attr.ingress = 1;
+       if (IS_IP6(sa->flags)) {
+               sa->pattern[1].mask = &rte_flow_item_ipv6_mask;
+               sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV6;
+               sa->pattern[1].spec = &sa->ipv6_spec;
+               memcpy(sa->ipv6_spec.hdr.dst_addr,
+                       sa->dst.ip.ip6.ip6_b, sizeof(sa->dst.ip.ip6.ip6_b));
+               memcpy(sa->ipv6_spec.hdr.src_addr,
+                       sa->src.ip.ip6.ip6_b, sizeof(sa->src.ip.ip6.ip6_b));
+               sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
+               sa->pattern[2].spec = &sa->esp_spec;
+               sa->pattern[2].mask = &rte_flow_item_esp_mask;
+               sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
+               sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+       } else if (IS_IP4(sa->flags)) {
+               sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
+               sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
+               sa->pattern[1].spec = &sa->ipv4_spec;
+               sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
+               sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
+               sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
+               sa->pattern[2].spec = &sa->esp_spec;
+               sa->pattern[2].mask = &rte_flow_item_esp_mask;
+               sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
+               sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+       }
+       sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
+
+       ret = rte_flow_validate(sa->portid, &sa->attr, sa->pattern, sa->action,
+                               &err);
+       if (ret < 0) {
+               RTE_LOG(ERR, IPSEC, "Flow validation failed %s\n", err.message);
+               return ret;
+       }
+
+       sa->flow = rte_flow_create(sa->portid, &sa->attr, sa->pattern,
+                                       sa->action, &err);
+       if (!sa->flow) {
+               RTE_LOG(ERR, IPSEC, "Flow creation failed %s\n", err.message);
+               return -1;
+       }
+
+       return 0;
+}
+
 /*
  * queue crypto-ops into PMD queue.
  */
index 2fc60ff..1e642d1 100644 (file)
@@ -144,6 +144,8 @@ struct ipsec_sa {
        };
        enum rte_security_ipsec_sa_direction direction;
        uint16_t portid;
+       uint8_t fdir_qid;
+       uint8_t fdir_flag;
 
 #define MAX_RTE_FLOW_PATTERN (4)
 #define MAX_RTE_FLOW_ACTIONS (3)
@@ -408,5 +410,10 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
 int
 create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
                struct rte_ipsec_session *ips);
+int
+check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid);
+
+int
+create_ipsec_esp_flow(struct ipsec_sa *sa);
 
 #endif /* __IPSEC_H__ */
index 5e3a7aa..e3a1a5a 100644 (file)
@@ -296,6 +296,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
        uint32_t type_p = 0;
        uint32_t portid_p = 0;
        uint32_t fallback_p = 0;
+       int16_t status_p = 0;
 
        if (strcmp(tokens[0], "in") == 0) {
                ri = &nb_sa_in;
@@ -320,6 +321,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
        if (atoi(tokens[1]) == INVALID_SPI)
                return;
        rule->spi = atoi(tokens[1]);
+       rule->portid = UINT16_MAX;
        ips = ipsec_get_primary_session(rule);
 
        for (ti = 2; ti < n_tokens; ti++) {
@@ -661,9 +663,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
                        INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
                        if (status->status < 0)
                                return;
-                       rule->portid = atoi(tokens[ti]);
-                       if (status->status < 0)
+                       if (rule->portid == UINT16_MAX)
+                               rule->portid = atoi(tokens[ti]);
+                       else if (rule->portid != atoi(tokens[ti])) {
+                               APP_CHECK(0, status,
+                                       "portid %s not matching with already assigned portid %u",
+                                       tokens[ti], rule->portid);
                                return;
+                       }
                        portid_p = 1;
                        continue;
                }
@@ -708,6 +715,46 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
                        fallback_p = 1;
                        continue;
                }
+               if (strcmp(tokens[ti], "flow-direction") == 0) {
+                       switch (ips->type) {
+                       case RTE_SECURITY_ACTION_TYPE_NONE:
+                       case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+                               rule->fdir_flag = 1;
+                               INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+                               if (status->status < 0)
+                                       return;
+                               if (rule->portid == UINT16_MAX)
+                                       rule->portid = atoi(tokens[ti]);
+                               else if (rule->portid != atoi(tokens[ti])) {
+                                       APP_CHECK(0, status,
+                                               "portid %s not matching with already assigned portid %u",
+                                               tokens[ti], rule->portid);
+                                       return;
+                               }
+                               INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+                               if (status->status < 0)
+                                       return;
+                               rule->fdir_qid = atoi(tokens[ti]);
+                               /* validating portid and queueid */
+                               status_p = check_flow_params(rule->portid,
+                                               rule->fdir_qid);
+                               if (status_p < 0) {
+                                       printf("port id %u / queue id %u is "
+                                               "not valid\n", rule->portid,
+                                                rule->fdir_qid);
+                               }
+                               break;
+                       case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
+                       case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
+                       case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
+                       default:
+                               APP_CHECK(0, status,
+                                       "flow director not supported for security session type %d",
+                                       ips->type);
+                               return;
+                       }
+                       continue;
+               }
 
                /* unrecognizeable input */
                APP_CHECK(0, status, "unrecognized input \"%s\"",
@@ -746,7 +793,6 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
        if (!type_p || (!portid_p && ips->type !=
                        RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) {
                ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
-               rule->portid = -1;
        }
 
        *ri = *ri + 1;
@@ -832,7 +878,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
                printf("lookaside-protocol-offload ");
                break;
        case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
-               printf("cpu-crypto-accelerated");
+               printf("cpu-crypto-accelerated ");
                break;
        }
 
@@ -851,6 +897,10 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
                        break;
                }
        }
+       if (sa->fdir_flag == 1)
+               printf("flow-direction port %d queue %d", sa->portid,
+                               sa->fdir_qid);
+
        printf("\n");
 }
 
@@ -1169,6 +1219,13 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
                        }
                }
 
+               if (sa->fdir_flag && inbound) {
+                       rc = create_ipsec_esp_flow(sa);
+                       if (rc != 0)
+                               RTE_LOG(ERR, IPSEC_ESP,
+                                       "create_ipsec_esp_flow() failed %s\n",
+                                       strerror(rc));
+               }
                print_one_sa_rule(sa, inbound);
        }