ethdev: add IPv4 and L4 checksum RSS offload types
This patch defines new RSS offload types for IPv4 and
L4(TCP/UDP/SCTP) checksum, which are required when users want
to distribute packets based on the IPv4 or L4 checksum field.
For example "flow create 0 ingress pattern eth / ipv4 / end
actions rss types ipv4-chksum end queues end / end", this flow
causes all matching packets to be distributed to queues on
basis of IPv4 checksum.
security: add option to configure tunnel header verification
Add option to indicate whether outer header verification
need to be done as part of inbound IPsec processing.
With inline IPsec processing, SA lookup would be happening
in the Rx path of rte_ethdev. When rte_flow is configured to
support more than one SA, SPI would be used to lookup SA.
In such cases, additional verification would be required to
ensure duplicate SPIs are not getting processed in the inline path.
For lookaside cases, the same option can be used by application
to offload tunnel verification to the PMD.
These verifications would help in averting possible DoS attacks.
Soft expiry is not a mandatory IPsec feature. It is verified separately
with IPsec unit tests. So configuration of the same is not required.
Also, soft expiry tracking can cause perf degradation with some PMDs.
Since a separate UT is available and the same setting in ipsec-secgw is
not verifying the functionality, remove the same by clearing life
configuration.
Signed-off-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
Anoob Joseph [Tue, 28 Sep 2021 10:59:54 +0000 (16:29 +0530)]
security: add SA lifetime configuration
Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.
In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.
In case of hard expiry, the packets will not be IPsec processed and
would result in error.
Signed-off-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
Added tests to verify UDP encapsulation with IPsec.
The tests have IPsec packets generated from plain packets
and verifies that UDP header is added. Subsequently, the
packets are decapsulated and then resultant packet is
verified by comparing against original packet.
Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Ciara Power <ciara.power@intel.com>
Add negative test to validate IPsec inbound processing failure with ICV
corruption. The tests would first do IPsec encapsulation and corrupt
ICV of the generated IPsec packet. Then the packet is submitted to IPsec
outbound processing for decapsulation. Test case would validate that PMD
returns an error in such cases.
Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Ciara Power <ciara.power@intel.com> Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Anoob Joseph [Sat, 25 Sep 2021 15:35:29 +0000 (21:05 +0530)]
test/crypto: add combined mode IPsec cases
Add framework to test IPsec features with all supported
combinations of ciphers.
Combined mode tests are used to test all IPsec features against all
ciphers supported by the PMD. The framework is introduced to avoid
testing with any specific algo, thereby making it mandatory to be
supported. Also, testing with all supported combinations will help with
increasing coverage as well.
The tests would first do IPsec encapsulation and do sanity checks. Based
on flags, packet would be updated or additional checks are done,
followed by IPsec decapsulation. Since the encrypted packet is generated
by the test, known vectors are not required.
Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Ciara Power <ciara.power@intel.com>
Fixes stack buffer overflow bug in compressdev autotest, which
was caused by the use of buf_idx in the debug logs. Originally, buf_idx
was treated as an array instead of the reference of an integer.
This was fixed by replacing the use of buf_idx[priv_data->orig_idx] with
the variable i.
Tal Shnaiderman [Mon, 13 Sep 2021 14:02:24 +0000 (17:02 +0300)]
crypto/mlx5: fix queue indexing
The crypto QP consumer (ci) and producer (pi) indexes are increased
with each successful enqueue/dequeue operations.
However the QP pi index is calculated with a wraparound the number
of elements while the QP ci does not.
This is causing incorrect engine calculation for encqueued WQ values
(wq->pi - wq->ci) and eventually the device stops accepting new enqueue
operations.
Fixed by removing the wraparound on QP pi and using a temp calculation
where wraparound values are needed.
Fixes: 8e196c08ab53 ("crypto/mlx5: support enqueue/dequeue operations") Cc: stable@dpdk.org Signed-off-by: Tal Shnaiderman <talshn@nvidia.com> Acked-by: Matan Azrad <matan@nvidia.com>
David George [Fri, 24 Sep 2021 11:20:36 +0000 (16:50 +0530)]
common/cpt: rework pending queue
Replace pending queue with one that allows concurrent single producer and
single consumer. This relaxes the restriction of only allowing a single
lcore to operate on a given queue pair.
Signed-off-by: David George <david.george@sophos.com> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Fan Zhang [Thu, 16 Sep 2021 13:02:42 +0000 (14:02 +0100)]
test/crypto: fix PDCP short MAC-I case
This patch fixes the PDCP short MAC-I test by removing them
from snow3g and kasumi test suite and move to PDCP test suite.
This is to prevent incorrect failure for crypto device not
support PDCP.
Fixes: c24489e479fd ("test/crypto: support PDCP short MAC-I") Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
security: add option for faster user/meta data access
Currently rte_security_set_pkt_metadata() and rte_security_get_userdata()
methods to set pkt metadata on Inline outbound and get userdata
after Inline inbound processing is always driver specific callbacks.
For drivers that do not have much to do in the callbacks but just
to update metadata in rte_security dynamic field and get userdata
from rte_security dynamic field, having to just to PMD specific
callback is costly per packet operation. This patch provides
a mechanism to do the same in inline function and avoid function
pointer jump if a driver supports the same.
mbuf: enforce semantics for Tx inline IPsec processing
Not all net PMD's/HW can parse packet and identify L2 header and
L3 header locations on Tx. This is inline with other Tx offloads
requirements such as L3 checksum, L4 checksum offload, etc,
where mbuf.l2_len, mbuf.l3_len etc, needs to be set for HW to be
able to generate checksum. Since Inline IPsec is also such a Tx
offload, some PMD's at least need mbuf.l2_len to be valid to
find L3 header and perform Outbound IPSec processing.
Hence, this patch updates documentation to enforce setting
mbuf.l2_len while setting PKT_TX_SEC_OFFLOAD in mbuf.ol_flags
for Inline IPsec Crypto / Protocol offload processing to
work on Tx.
The previous commit 18effad9cfa7 ("stack: reload head when pop fails")
only changed C11 implementation, not generic implementation.
List head must be loaded right before continue (when failed to find the
new head). Without this, one thread might keep trying and failing to pop
items without ever loading the new correct head.
Xueming Li [Thu, 23 Sep 2021 08:11:22 +0000 (16:11 +0800)]
vdpa/mlx5: fix large VM memory region registration
When VM size is larger than 4G (u32) and memory region is larger than 4G,
the 32-bit GCD function overflowed and returned wrong value
that resulted in memory registration failure.
This patch calls 64-bit GCD function to avoid overflow.
Xueming Li [Thu, 23 Sep 2021 08:11:21 +0000 (16:11 +0800)]
sched: get 64-bit greatest common divisor
This patch adds new function that compute the greatest common
divisor of 64 bits, also changes the original 32 bits function
to call this new 64-bit version.
Cc: stable@dpdk.org Signed-off-by: Xueming Li <xuemingl@nvidia.com> Acked-by: Kevin Traynor <ktraynor@redhat.com>
pipeline: improve handling of learner action arguments
The arguments of actions that are learned are now specified as part of
the learn instruction as opposed to being statically specified as part
of the learner table configuration.
Commit the pipeline changes when the compilation process is
successful: change the table lookup instructions to execute the action
function for each action, replace the regular pipeline instructions
with the custom instructions.
Generate a C function for each custom instruction, which essentially
consolidate multiple regular instructions into a single function call.
The pipeline program is split into groups of instructions, and a
custom instruction is generated for each group that has more than one
instruction. Special care is taken the instructions that can do thread
yield (RX, extern) and for those that can change the instruction
pointer (TX, near/far jump).
Generate a C function for each action. For most instructions, the
associated inline function is called directly. Special care is taken
for TX, jump and return instructions.
Lay the foundation to generate C code for the pipeline: C functions
for actions and custom instructions are generated, built as shared
object library and loaded into the pipeline.
For better performance, the option to create custom instructions when
the program is translated and add them on-the-fly to the pipeline is
now provided. Multiple regular instructions can now be consolidated
into a single C function optimized by the C compiler directly.
For better performance, the option to run a single function per action
is now provided, which requires a single function call per action that
can be better optimized by the C compiler, as opposed to one function
call per instruction. Special table lookup instructions are added to
to support this feature.
A learner table is typically used for learning or connection tracking,
where it allows for the implementation of the "add on miss" scenario:
whenever the lookup key is not found in the table (lookup miss), the
data plane can decide to add this key to the table with a given action
with no control plane intervention. Likewise, the table keys expire
based on a configurable timeout and are automatically deleted from the
table with no control plane intervention.
Added look-ahead instruction to read a header from the input packet
without advancing the extraction pointer. This is typically used in
correlation with the special extract instruction to extract variable
size headers from the input packet: the first few header fields are
read without advancing the extraction pointer, just enough to detect
the actual length of the header (e.g. IPv4 IHL field); then the full
header is extracted.
Added a mechanism to extract variable size headers through a special
flavor of the extract instruction. The length of the last struct field
which has variable size is passed as argument to the instruction.
Added support for variable size headers. The last field of a struct
type can now have a variable size between 0 and N bytes. Useful to
accommodate IPv4 packets with options, etc.
The emit instruction that is responsible for pushing headers into the
output packet is now reading the header length from internal run-time
structures as opposed to constant value from the instruction opcode.
Tal Shnaiderman [Mon, 13 Sep 2021 16:55:00 +0000 (19:55 +0300)]
eal/windows: fix debug build
When building DPDK on Windows in debug mode the following
warning appear:
warning: token pasting of ',' and __VA_ARGS__ is a GNU extension
[-Wgnu-zero-variadic-macro-arguments] #define open(path, flags, ...)
_open(path, flags, ##__VA_ARGS__)
Modify the 'open' macro to avoid it.
Fixes: 45d62067c237 ("eal: make OS shims internal") Cc: stable@dpdk.org Signed-off-by: Tal Shnaiderman <talshn@nvidia.com> Acked-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
On older CPUs, currently numa_node returns value only for socket 0.
Instead, application should be able to make correct decision and
also to keep consistent with the Linux code,
replace the return value to -1.
Fixes: ac7c98d04f2c ("bus/pci: ignore missing NUMA node on Windows") Cc: stable@dpdk.org Reported-by: Vipin Varghese <vipin.varghese@intel.com> Signed-off-by: Pallavi Kadam <pallavi.kadam@intel.com> Acked-by: Tal Shnaiderman <talshn@nvidia.com>
Bruce Richardson [Wed, 15 Sep 2021 09:50:36 +0000 (10:50 +0100)]
doc: add line continuation note in Meson coding style
Add a note for the preference of using "()" rather than "\" for line
continuations in Meson.
Suggested-by: David Marchand <david.marchand@redhat.com> Signed-off-by: Bruce Richardson <bruce.richardson@intel.com> Reviewed-by: David Marchand <david.marchand@redhat.com>
Thomas Monjalon [Wed, 15 Sep 2021 16:28:45 +0000 (18:28 +0200)]
doc: remove references to the old build system
Some docs and comments in Meson files are still mentioning
the old build system based on "make", removed in 20.11.
After one year, such references are better to be removed.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net> Acked-by: Bruce Richardson <bruce.richardson@intel.com> Acked-by: David Marchand <david.marchand@redhat.com>
Thomas Monjalon [Wed, 15 Sep 2021 16:25:09 +0000 (18:25 +0200)]
doc: remove template comments in old release notes
The release notes comments mention how to generate the documentation
with the old & removed build system.
Rather than fixing these comments, all old release notes comments
are removed, because they are useful only for the current release.
Few extra blank lines are removed for consistency.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net> Acked-by: Bruce Richardson <bruce.richardson@intel.com> Acked-by: David Marchand <david.marchand@redhat.com> Acked-by: John McNamara <john.mcnamara@intel.com>
Steve Yang [Fri, 10 Sep 2021 08:54:58 +0000 (08:54 +0000)]
net/ice/base: support L4 for QinQ switch filter
This patch adds more dummy packet types for QinQ packet,
it enables tcp/udp layer of ipv4/ipv6 for QinQ payload,
so we can use L4 dst/src port as input set for switch
filter.
Signed-off-by: Steve Yang <stevex.yang@intel.com> Acked-by: Qi Zhang <qi.z.zhang@intel.com>
During the port probe process, there are two abnormal branches that did
not release the previously requested memory, resulting in leakage. The
patch adds an iavf_uninit_vf function, which corresponds to the
iavf_init_vf function.
The RTE_ALIGN macro is aligned upwards. If the buf_size variable is not
aligned with 1 << I40E_RXQ_CTX_DBUFF_SHIFT, the rx_buf_len is larger than
the actual mbuf memory after the operation. When receiving the packet, if
the packet is larger than the configured buf_size, it will cause a memory
stepping event.
The patch uses the RTE_ALIGN_FLOOR down alignment macro to correct the
problem.
Qiming Chen [Sat, 21 Aug 2021 06:30:08 +0000 (14:30 +0800)]
net/i40e/base: fix resource leakage
In the i40e_init_arq function, when the i40e_config_arq_regs function
returns from processing failure, the previously applied arq_bufs resource
is not released, which leads to leakage.
The patch is processed in the same way as the i40e_init_asq function,
maintaining a unified coding style.
A local test found that repeated port start and stop operations during
the continuous SSE vector bufflist receiving process will cause the mbuf
resource to run out. The final positioning is when the port is stopped,
the mbuf of the pkt_first_seg pointer is not released. Resources leak.
The patch scheme is to judge whether the pointer is empty when the port
is stopped, and release the corresponding mbuf if it is not empty.
If DCF representor port is closed after DCF port is closed, there will
be segmentation fault because representor accesses the released resource
of DCF port.
This patch checks if the resource is present before accessing.
Qiming Chen [Sat, 21 Aug 2021 09:44:35 +0000 (17:44 +0800)]
net/i40e: fix device startup resource release
In the eth_i40e_dev_init function, the tunnel and ethertype hash table
resource release interface should be rte_hash_free instead of rte_free,
and the previously registered interrupt handling function also needs to
be removed from the interrupt list. The patch is amended to use the
correct interface to release the hash table resource and release the
interrupt handling function at the same time.
Fixes: 425c3325f0b0 ("net/i40e: store tunnel filter") Fixes: 5c53c82c8174 ("net/i40e: store flow director filter") Cc: stable@dpdk.org Signed-off-by: Qiming Chen <chenqiming_huawei@163.com> Acked-by: Qi Zhang <qi.z.zhang@intel.com>
git.droids-corp.org / dpdk.git / log