On 12/14/2018 10:10 PM, Konstantin Ananyev wrote: > Changes to make ipsec-secgw to utilize librte_ipsec library. > That patch provides: > - changes in the related data structures. > - changes in the initialization code. > - new command-line parameters to enable librte_ipsec codepath > and related features. > > Note that right now by default current (non-librte_ipsec) code-path will > be used. User has to run application with new command-line option ('-l') > to enable new codepath. > The main reason for that: > - current librte_ipsec doesn't support all ipsec algorithms > and features that the app does. > - allow users to run both versions in parallel for some time > to figure out any functional or performance degradation with the > new code. > > It is planned to deprecate and remove non-librte_ipsec code path > in future releases. > > Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.a...@intel.com> > Signed-off-by: Bernard Iremonger <bernard.iremon...@intel.com> > Signed-off-by: Konstantin Ananyev <konstantin.anan...@intel.com> > Acked-by: Radu Nicolau <radu.nico...@intel.com> > --- > examples/ipsec-secgw/ipsec-secgw.c | 50 ++++++- > examples/ipsec-secgw/ipsec.h | 24 ++++ > examples/ipsec-secgw/meson.build | 2 +- > examples/ipsec-secgw/sa.c | 221 ++++++++++++++++++++++++++++- > examples/ipsec-secgw/sp4.c | 25 ++++ > examples/ipsec-secgw/sp6.c | 25 ++++ > 6 files changed, 341 insertions(+), 6 deletions(-) > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c > b/examples/ipsec-secgw/ipsec-secgw.c > index d1da2d5ce..48baa5001 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -155,6 +155,9 @@ static uint32_t single_sa; > static uint32_t single_sa_idx; > static uint32_t frame_size; > > +/* application wide librte_ipsec/SA parameters */ > +struct app_sa_prm app_sa_prm = {.enable = 0}; > + > struct lcore_rx_queue { > uint16_t port_id; > uint8_t queue_id; 
> @@ -1063,6 +1066,10 @@ print_usage(const char *prgname) > " [-P]" > " [-u PORTMASK]" > " [-j FRAMESIZE]" > + " [-l]" > + " [-w REPLAY_WINDOW_SIZE]" > + " [-e]" > + " [-a]" > " -f CONFIG_FILE" > " --config (port,queue,lcore)[,(port,queue,lcore)]" > " [--single-sa SAIDX]" > @@ -1073,6 +1080,10 @@ print_usage(const char *prgname) > " -u PORTMASK: Hexadecimal bitmask of unprotected ports\n" > " -j FRAMESIZE: Enable jumbo frame with 'FRAMESIZE' as > maximum\n" > " packet size\n" > + " -l enables code-path that uses librte_ipsec\n" > + " -w REPLAY_WINDOW_SIZE specifies IPsec SQN replay window\n" > + " size for each SA\n" > + " -a enables SA SQN atomic behaviour\n" -e missing > " -f CONFIG_FILE: Configuration file\n" > " --config (port,queue,lcore): Rx queue configuration\n" > " --single-sa SAIDX: Use single SA index for outbound > traffic,\n" > @@ -1169,6 +1180,20 @@ parse_config(const char *q_arg) > return 0; > } > > +static void > +print_app_sa_prm(const struct app_sa_prm *prm) > +{ > + printf("librte_ipsec usage: %s\n", > + (prm->enable == 0) ? "disabled" : "enabled"); > + > + if (prm->enable == 0) > + return; > + > + printf("replay window size: %u\n", prm->window_size); > + printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > + printf("SA flags: %#" PRIx64 "\n", prm->flags); > +} > + > static int32_t > parse_args(int32_t argc, char **argv) > { > @@ -1180,7 +1205,7 @@ parse_args(int32_t argc, char **argv) > > argvopt = argv; > > - while ((opt = getopt_long(argc, argvopt, "p:Pu:f:j:", > + while ((opt = getopt_long(argc, argvopt, "aelp:Pu:f:j:w:", > lgopts, &option_index)) != EOF) { > > switch (opt) { 
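Review bot: The option descriptions added in the `@@ -1073` hunk of print_usage() do not say that `-w` and `-a` also switch the application onto the librte_ipsec code path, although the new parse_args() cases for them set `app_sa_prm.enable = 1`. They also give no default for the replay window: `app_sa_prm` is initialised with only `{.enable = 0}`, so `window_size` is 0 whenever `-w` is omitted. How a zero window is interpreted is decided in sa.c, which is not shown here; if it means no anti-replay check, an operator running with `-l` alone should be told. A wording such as `"  -w REPLAY_WINDOW_SIZE specifies IPsec SQN replay window\n"` `"     size for each SA (implies -l, default 0)\n"` would cover both points, with the same "implies -l" remark on `-a`. print_usage() starts and ends outside this hunk.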
> @@ -1236,6 +1261,21 @@ parse_args(int32_t argc, char **argv) > } > printf("Enabled jumbo frames size %u\n", frame_size); > break; > + case 'l': > + app_sa_prm.enable = 1; > + break; > + case 'w': > + app_sa_prm.enable = 1; > + app_sa_prm.window_size = parse_decimal(optarg); > + break; > + case 'e': > + app_sa_prm.enable = 1; > + app_sa_prm.enable_esn = 1; > + break; > + case 'a': > + app_sa_prm.enable = 1; > + app_sa_prm.flags |= RTE_IPSEC_SAFLAG_SQN_ATOM; > + break; > case CMD_LINE_OPT_CONFIG_NUM: > ret = parse_config(optarg); > if (ret) { > @@ -1280,6 +1320,8 @@ parse_args(int32_t argc, char **argv) > return -1; > } > > + print_app_sa_prm(&app_sa_prm); > + > if (optind >= 0) > argv[optind-1] = prgname; > > @@ -1923,12 +1965,14 @@ main(int32_t argc, char **argv) > if (socket_ctx[socket_id].mbuf_pool) > continue; > > - sa_init(&socket_ctx[socket_id], socket_id); > - > + /* initilaze SPD */ > sp4_init(&socket_ctx[socket_id], socket_id); > > sp6_init(&socket_ctx[socket_id], socket_id); > > + /* initilaze SAD */ > + sa_init(&socket_ctx[socket_id], socket_id); > + > rt_init(&socket_ctx[socket_id], socket_id); > > pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > index 2f04b7d68..b089fe54b 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -11,6 +11,7 @@ > #include <rte_crypto.h> > #include <rte_security.h> > #include <rte_flow.h> > +#include <rte_ipsec.h> > > #define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 > #define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 
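Review bot: In the new `case 'w':` of the `@@ -1236` hunk, the result of `parse_decimal(optarg)` is stored straight into the `uint32_t` field `app_sa_prm.window_size` with no validity check. parse_decimal() is defined outside this hunk; if it reports a malformed argument with a negative value, that value wraps to a huge unsigned window and a command-line typo silently changes the anti-replay configuration instead of stopping the program. Parse into the signed `ret` already used by the neighbouring cases and reject errors before assigning: `ret = parse_decimal(optarg);` `if (ret < 0) { print_usage(prgname); return -1; }` `app_sa_prm.window_size = ret;`. An upper bound matching what the SA setup code accepts would be worth adding in the same place. parse_args() starts and ends outside this hunk.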
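Review bot: The two comments added in the `@@ -1923` hunk of main() misspell "initialize" (`/* initilaze SPD */`, `/* initilaze SAD */`) and do not explain why sa_init() now runs after sp4_init() and sp6_init(). The move presumably exists because SA setup consults the SP tables through the sp4_spi_present()/sp6_spi_present() helpers declared in ipsec.h; the sa.c changes are not shown here, so this should be confirmed. Recording the dependency keeps a later cleanup from restoring the old order, for example `/* initialize SAD; must run after SPD init, SA setup looks up SP rules by SPI */`. The surrounding loop in main() starts and ends outside the hunk.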
> @@ -70,7 +71,20 @@ struct ip_addr { > > #define MAX_KEY_SIZE 32 > > +/* > + * application wide SA parameters > + */ > +struct app_sa_prm { > + uint32_t enable; /* use librte_ipsec API for ipsec pkt processing */ > + uint32_t window_size; /* replay window size */ > + uint32_t enable_esn; /* enable/disable ESN support */ > + uint64_t flags; /* rte_ipsec_sa_prm.flags */ > +}; > + > +extern struct app_sa_prm app_sa_prm; > + > struct ipsec_sa { > + struct rte_ipsec_session ips; /* one session per sa for now */ > uint32_t spi; > uint32_t cdev_id_qp; > uint64_t seq; > @@ -243,6 +257,16 @@ sp4_init(struct socket_ctx *ctx, int32_t socket_id); > void > sp6_init(struct socket_ctx *ctx, int32_t socket_id); > > +/* > + * Search though SP rules for given SPI. spell check > + * Returns first rule index if found(greater or equal then zero), > + * or -ENOENT otherwise. > + */ > +int > +sp4_spi_present(uint32_t spi, int inbound); > +int > +sp6_spi_present(uint32_t spi, int inbound); > + > void > sa_init(struct socket_ctx *ctx, int32_t socket_id); > > diff --git a/examples/ipsec-secgw/meson.build > b/examples/ipsec-secgw/meson.build > index 77d8b298f..31f68fee2 100644 > --- a/examples/ipsec-secgw/meson.build > +++ b/examples/ipsec-secgw/meson.build > @@ -6,7 +6,7 @@ > # To build this example as a standalone application with an > already-installed > # DPDK instance, use 'make' > > -deps += ['security', 'lpm', 'acl', 'hash'] > +deps += ['security', 'lpm', 'acl', 'hash', 'ipsec'] > allow_experimental_apis = true > sources = files( > 'esp.c', 'ipsec.c', 'ipsec-secgw.c', 'parser.c', > Makefile should also be updated I guess.
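Review bot: The comment above sp4_spi_present() and sp6_spi_present() in the `@@ -243` hunk of ipsec.h leaves the `inbound` argument undocumented, so a caller cannot tell from the header which rule set a given value selects. Because the functions return a rule index on success and `-ENOENT` on failure, the comment should also state that callers must test the result with `< 0` rather than for non-zero, since index 0 is a valid match. A line such as `* 'inbound' selects the rule set: non-zero searches inbound rules, zero outbound.` would do, once the meaning is confirmed against sp4.c and sp6.c, which are not shown here.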
..... I will be running the application and will come back with any issues I find. -Akhil