Hi Akhil, > -----Original Message----- > From: Akhil Goyal [mailto:akhil.go...@nxp.com] > Sent: Wednesday, April 17, 2019 12:52 PM > To: Iremonger, Bernard <bernard.iremon...@intel.com>; dev@dpdk.org; > Ananyev, Konstantin <konstantin.anan...@intel.com> > Cc: sta...@dpdk.org > Subject: RE: [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped > for inline crypto > > > > > Inline crypto installs a flow rule in the NIC. This flow rule must be > > installed before the first inbound packet is received. > > > > The create_session() function installs the flow rule. > > > > Refactor ipsec-secgw.c, sa.c, ipsec.h and ipsec.c to create sessions > > at startup to fix the issue of the first packet being dropped for > > inline crypto. > > > > The create_session() function is now called at initialisation in > > sa_add_rules() which is called from sa_init(). > > The return code for add_rules is checked. > > Calls to create_session() in other functions are dropped. > > > > Add crypto_devid_fill() in ipsec-secgw.c Add max_session_size() in > > ipsec-secgw.c Add check_cryptodev_capability() in ipsec.c Add > > check_cryptodev_aead_capability() in ipsec.c Add create_sec_session() > > and create_crypto_session() in ipsec.c > > > > The crypto_dev_fill() function has been added to find the enabled > > crypto devices. > > > > The max_session_size() function has been added to calculate memory > > requirements. > > > > The check_cryptodev_capability() and check_cryptodev_aead_capability() > > functions have been added to check that the SA is supported by the > > crypto device. > > > > The create_session() function is refactored to use the > > create_sec_session() and create_crypto_session() functions. > > > > The cryprodev_init() function has been refactored to drop calls to > > rte_mempool_create() and to drop calculation of memory requirements. > > > > The main() function has been refactored to call crypto_devid_fill() > > and max_session_size() and to call session_pool_init() and > > session_priv_pool_init(). > > The ports are started now before adding a flow rule in main(). > > The sa_init(), sp4_init(), sp6_init() and rt_init() functions are now > > called after the ports have been started. > > > > Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") > > Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample > > application") > > Cc: sta...@dpdk.org > > > > Signed-off-by: Bernard Iremonger <bernard.iremon...@intel.com> > > --- > > examples/ipsec-secgw/ipsec-secgw.c | 271 +++++++++-------- > > examples/ipsec-secgw/ipsec.c | 569 +++++++++++++++++++----------- > ----- > > examples/ipsec-secgw/ipsec.h | 10 +- > > examples/ipsec-secgw/ipsec_process.c | 38 +-- > > examples/ipsec-secgw/sa.c | 42 ++- > > 5 files changed, 495 insertions(+), 435 deletions(-) > > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > > secgw/ipsec-secgw.c index ffbd00b..cc8bb57 100644 > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > @@ -182,6 +182,14 @@ struct lcore_params { > > uint8_t lcore_id; > > } __rte_cache_aligned; > > > > +/* > > + * Number of enabled crypto devices > > + * This number is needed when checking crypto device capabilities */ > > +uint8_t crypto_dev_num; > > +/* array of crypto device ID's */ > > +uint8_t crypto_devid[RTE_CRYPTO_MAX_DEVS]; > > + > > static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; > > > > static struct lcore_params *lcore_params; @@ -1623,13 +1631,27 @@ > > check_cryptodev_mask(uint8_t cdev_id) > > return -1; > > } > > > > +static void > > +crypto_devid_fill(void) > > +{ > > + uint32_t i, n; > > + > > + n = rte_cryptodev_count(); > > + > > + for (i = 0; i != n; i++) { > > + if (check_cryptodev_mask(i) == 0) > > + crypto_devid[crypto_dev_num++] = i; > > + } > > +} > > + > > static int32_t > > cryptodevs_init(void) > > { > > struct rte_cryptodev_config dev_conf; > > struct rte_cryptodev_qp_conf qp_conf; > > uint16_t idx, max_nb_qps, qp, i; > > - int16_t cdev_id, port_id; > > + int16_t cdev_id; > > + uint32_t dev_max_sess; > > struct rte_hash_parameters params = { 0 }; > > > > params.entries = CDEV_MAP_ENTRIES; > > @@ -1652,45 +1674,6 @@ cryptodevs_init(void) > > > > printf("lcore/cryptodev/qp mappings:\n"); > > > > - uint32_t max_sess_sz = 0, sess_sz; > > - for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) { > > - void *sec_ctx; > > - > > - /* Get crypto priv session size */ > > - sess_sz = > rte_cryptodev_sym_get_private_session_size(cdev_id); > > - if (sess_sz > max_sess_sz) > > - max_sess_sz = sess_sz; > > - > > - /* > > - * If crypto device is security capable, need to check the > > - * size of security session as well. > > - */ > > - > > - /* Get security context of the crypto device */ > > - sec_ctx = rte_cryptodev_get_sec_ctx(cdev_id); > > - if (sec_ctx == NULL) > > - continue; > > - > > - /* Get size of security session */ > > - sess_sz = rte_security_session_get_size(sec_ctx); > > - if (sess_sz > max_sess_sz) > > - max_sess_sz = sess_sz; > > - } > > - RTE_ETH_FOREACH_DEV(port_id) { > > - void *sec_ctx; > > - > > - if ((enabled_port_mask & (1 << port_id)) == 0) > > - continue; > > - > > - sec_ctx = rte_eth_dev_get_sec_ctx(port_id); > > - if (sec_ctx == NULL) > > - continue; > > - > > - sess_sz = rte_security_session_get_size(sec_ctx); > > - if (sess_sz > max_sess_sz) > > - max_sess_sz = sess_sz; > > - } > > - > > idx = 0; > > for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) { > > struct rte_cryptodev_info cdev_info; @@ -1722,51 +1705,12 > @@ > > cryptodevs_init(void) > > dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id); > > dev_conf.nb_queue_pairs = qp; > > > > - uint32_t dev_max_sess = cdev_info.sym.max_nb_sessions; > > + dev_max_sess = cdev_info.sym.max_nb_sessions; > > if (dev_max_sess != 0 && dev_max_sess < > CDEV_MP_NB_OBJS) > > rte_exit(EXIT_FAILURE, > > "Device does not support at least %u " > > "sessions", CDEV_MP_NB_OBJS); > > > > - if (!socket_ctx[dev_conf.socket_id].session_pool) { > > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > > - struct rte_mempool *sess_mp; > > - > > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > > - "sess_mp_%u", dev_conf.socket_id); > > - sess_mp = > rte_cryptodev_sym_session_pool_create( > > - mp_name, CDEV_MP_NB_OBJS, > > - 0, CDEV_MP_CACHE_SZ, 0, > > - dev_conf.socket_id); > > - socket_ctx[dev_conf.socket_id].session_pool = > > sess_mp; > > - } > > - > > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool) { > > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > > - struct rte_mempool *sess_mp; > > - > > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > > - "sess_mp_priv_%u", > > dev_conf.socket_id); > > - sess_mp = rte_mempool_create(mp_name, > > - CDEV_MP_NB_OBJS, > > - max_sess_sz, > > - CDEV_MP_CACHE_SZ, > > - 0, NULL, NULL, NULL, > > - NULL, dev_conf.socket_id, > > - 0); > > - socket_ctx[dev_conf.socket_id].session_priv_pool = > > - sess_mp; > > - } > > - > > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool || > > - > !socket_ctx[dev_conf.socket_id].session_pool) > > - rte_exit(EXIT_FAILURE, > > - "Cannot create session pool on socket %d\n", > > - dev_conf.socket_id); > > - else > > - printf("Allocated session pool on socket %d\n", > > - dev_conf.socket_id); > > - > > if (rte_cryptodev_configure(cdev_id, &dev_conf)) > > rte_panic("Failed to initialize cryptodev %u\n", > > cdev_id); > > @@ -1787,38 +1731,6 @@ cryptodevs_init(void) > > cdev_id); > > } > > > > - /* create session pools for eth devices that implement security */ > > - RTE_ETH_FOREACH_DEV(port_id) { > > - if ((enabled_port_mask & (1 << port_id)) && > > - rte_eth_dev_get_sec_ctx(port_id)) { > > - int socket_id = rte_eth_dev_socket_id(port_id); > > - > > - if (!socket_ctx[socket_id].session_pool) { > > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > > - struct rte_mempool *sess_mp; > > - > > - snprintf(mp_name, > RTE_MEMPOOL_NAMESIZE, > > - "sess_mp_%u", socket_id); > > - sess_mp = rte_mempool_create(mp_name, > > - (CDEV_MP_NB_OBJS * 2), > > - max_sess_sz, > > - CDEV_MP_CACHE_SZ, > > - 0, NULL, NULL, NULL, > > - NULL, socket_id, > > - 0); > > - if (sess_mp == NULL) > > - rte_exit(EXIT_FAILURE, > > - "Cannot create session pool " > > - "on socket %d\n", socket_id); > > - else > > - printf("Allocated session pool " > > - "on socket %d\n", socket_id); > > - socket_ctx[socket_id].session_pool = > sess_mp; > > - } > > - } > > - } > > - > > - > > printf("\n"); > > > > return 0; > > @@ -1984,6 +1896,98 @@ port_init(uint16_t portid, uint64_t > > req_rx_offloads, uint64_t req_tx_offloads) > > printf("\n"); > > } > > > > +static size_t > > +max_session_size(void) > > +{ > > + size_t max_sz, sz; > > + void *sec_ctx; > > + int16_t cdev_id, port_id, n; > > + > > + max_sz = 0; > > + n = rte_cryptodev_count(); > > + for (cdev_id = 0; cdev_id != n; cdev_id++) { > > + sz = rte_cryptodev_sym_get_private_session_size(cdev_id); > > + if (sz > max_sz) > > + max_sz = sz; > > + /* > > + * If crypto device is security capable, need to check the > > + * size of security session as well. > > + */ > > + > > + /* Get security context of the crypto device */ > > + sec_ctx = rte_cryptodev_get_sec_ctx(cdev_id); > > + if (sec_ctx == NULL) > > + continue; > > + > > + /* Get size of security session */ > > + sz = rte_security_session_get_size(sec_ctx); > > + if (sz > max_sz) > > + max_sz = sz; > > + } > > + > > + RTE_ETH_FOREACH_DEV(port_id) { > > + if ((enabled_port_mask & (1 << port_id)) == 0) > > + continue; > > + > > + sec_ctx = rte_eth_dev_get_sec_ctx(port_id); > > + if (sec_ctx == NULL) > > + continue; > > + > > + sz = rte_security_session_get_size(sec_ctx); > > + if (sz > max_sz) > > + max_sz = sz; > > + } > > + > > + return max_sz; > > +} > > + > > +static void > > +session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t > > +sess_sz) { > > + char mp_name[RTE_MEMPOOL_NAMESIZE]; > > + struct rte_mempool *sess_mp; > > + > > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > > + "sess_mp_%u", socket_id); > > + sess_mp = rte_cryptodev_sym_session_pool_create( > > + mp_name, CDEV_MP_NB_OBJS, > > + sess_sz, CDEV_MP_CACHE_SZ, 0, > > + socket_id); > > + ctx->session_pool = sess_mp; > > + > > + if (ctx->session_pool == NULL) > > + rte_exit(EXIT_FAILURE, > > + "Cannot init session pool on socket %d\n", > socket_id); > > + else > > + printf("Allocated session pool on socket %d\n", > socket_id); > > +} > > + > > +static void > > +session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id, > > + size_t sess_sz) > > +{ > > + char mp_name[RTE_MEMPOOL_NAMESIZE]; > > + struct rte_mempool *sess_mp; > > + > > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > > + "sess_mp_priv_%u", socket_id); > > + sess_mp = rte_mempool_create(mp_name, > > + CDEV_MP_NB_OBJS, > > + sess_sz, > > + CDEV_MP_CACHE_SZ, > > + 0, NULL, NULL, NULL, > > + NULL, socket_id, > > + 0); > > + ctx->session_priv_pool = sess_mp; > > + if (ctx->session_priv_pool == NULL) > > + rte_exit(EXIT_FAILURE, > > + "Cannot init session priv pool on socket %d\n", > > + socket_id); > > + else > > + printf("Allocated session priv pool on socket %d\n", > > + socket_id); > > +} > > + > > static void > > pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t > > nb_mbuf) { @@ -2064,9 +2068,11 @@ main(int32_t argc, char **argv) { > > int32_t ret; > > uint32_t lcore_id; > > + uint32_t i; > > uint8_t socket_id; > > uint16_t portid; > > uint64_t req_rx_offloads, req_tx_offloads; > > + size_t sess_sz; > > > > /* init EAL */ > > ret = rte_eal_init(argc, argv); > > @@ -2094,7 +2100,10 @@ main(int32_t argc, char **argv) > > > > nb_lcores = rte_lcore_count(); > > > > - /* Replicate each context per socket */ > > + crypto_devid_fill(); > > + > > + sess_sz = max_session_size(); > > + > > for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > > if (rte_lcore_is_enabled(lcore_id) == 0) > > continue; > > @@ -2104,20 +2113,17 @@ main(int32_t argc, char **argv) > > else > > socket_id = 0; > > > > + /* mbuf_pool is initialised by the pool_init() function*/ > > if (socket_ctx[socket_id].mbuf_pool) > > continue; > > > > - /* initilaze SPD */ > > - sp4_init(&socket_ctx[socket_id], socket_id); > > - > > - sp6_init(&socket_ctx[socket_id], socket_id); > > - > > - /* initilaze SAD */ > > - sa_init(&socket_ctx[socket_id], socket_id); > > - > > - rt_init(&socket_ctx[socket_id], socket_id); > > - > > pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); > > + session_pool_init(&socket_ctx[socket_id], socket_id, > sess_sz); > > + session_priv_pool_init(&socket_ctx[socket_id], socket_id, > > + sess_sz); > > + > > + if (!numa_on) > > + break; > > } > > > > RTE_ETH_FOREACH_DEV(portid) { > > @@ -2135,7 +2141,11 @@ main(int32_t argc, char **argv) > > if ((enabled_port_mask & (1 << portid)) == 0) > > continue; > > > > - /* Start device */ > > + /* > > + * Start device > > + * note: device must be started before a flow rule > > + * can be installed. > > + */ > > ret = rte_eth_dev_start(portid); > > if (ret < 0) > > rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " > > @@ -2153,6 +2163,19 @@ main(int32_t argc, char **argv) > > RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, > NULL); > > } > > > > + /* Replicate each context per socket */ > > + for (i = 0; i < NB_SOCKETS && i < rte_socket_count(); i++) { > > + socket_id = rte_socket_id_by_idx(i); > > + if ((socket_ctx[socket_id].mbuf_pool != NULL) && > > + (socket_ctx[socket_id].sa_in == NULL) && > > + (socket_ctx[socket_id].sa_out == NULL)) { > > + sa_init(&socket_ctx[socket_id], socket_id); > > + sp4_init(&socket_ctx[socket_id], socket_id); > > + sp6_init(&socket_ctx[socket_id], socket_id); > > + rt_init(&socket_ctx[socket_id], socket_id); > > + } > > + } > > + > > check_all_ports_link_status(enabled_port_mask); > > > > /* launch per-lcore init on every lcore */ diff --git > > a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index > > 4352cb8..e31d472 100644 > > --- a/examples/ipsec-secgw/ipsec.c > > +++ b/examples/ipsec-secgw/ipsec.c > > @@ -39,42 +39,17 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > rte_security_ipsec_xform *ipsec) > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; } > > > > -int > > -create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) > > +static int > > +create_sec_session(struct ipsec_sa *sa, struct rte_mempool *pool) > > { > > - struct rte_cryptodev_info cdev_info; > > - unsigned long cdev_id_qp = 0; > > + const struct rte_security_capability *sec_cap; > > + struct rte_security_ctx *ctx; > > int32_t ret = 0; > > - struct cdev_key key = { 0 }; > > - > > - key.lcore_id = (uint8_t)rte_lcore_id(); > > - > > - key.cipher_algo = (uint8_t)sa->cipher_algo; > > - key.auth_algo = (uint8_t)sa->auth_algo; > > - key.aead_algo = (uint8_t)sa->aead_algo; > > - > > - if (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) { > > - ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, > > - (void **)&cdev_id_qp); > > - if (ret < 0) { > > - RTE_LOG(ERR, IPSEC, > > - "No cryptodev: core %u, cipher_algo %u, " > > - "auth_algo %u, aead_algo %u\n", > > - key.lcore_id, > > - key.cipher_algo, > > - key.auth_algo, > > - key.aead_algo); > > - return -1; > > - } > > - } > > > > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on > cryptodev > > " > > - "%u qp %u\n", sa->spi, > > - ipsec_ctx->tbl[cdev_id_qp].id, > > - ipsec_ctx->tbl[cdev_id_qp].qp); > > + if ((sa == NULL) || (pool == NULL)) > > + return -EINVAL; > > > > - if (sa->type != RTE_SECURITY_ACTION_TYPE_NONE) { > > - struct rte_security_session_conf sess_conf = { > > + struct rte_security_session_conf sess_conf = { > > .action_type = sa->type, > > .protocol = RTE_SECURITY_PROTOCOL_IPSEC, > > {.ipsec = { > > @@ -90,247 +65,340 @@ create_session(struct ipsec_ctx *ipsec_ctx, > > struct ipsec_sa *sa) > > } }, > > .crypto_xform = sa->xforms, > > .userdata = NULL, > > - > > }; > > > > - if (sa->type == > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { > > - struct rte_security_ctx *ctx = (struct rte_security_ctx > *) > > - > > rte_cryptodev_get_sec_ctx( > > - ipsec_ctx- > > >tbl[cdev_id_qp].id); > > - > > - /* Set IPsec parameters in conf */ > > - set_ipsec_conf(sa, &(sess_conf.ipsec)); > > - > > - sa->sec_session = rte_security_session_create(ctx, > > - &sess_conf, ipsec_ctx- > >session_pool); > > - if (sa->sec_session == NULL) { > > - RTE_LOG(ERR, IPSEC, > > - "SEC Session init failed: err: %d\n", ret); > > - return -1; > > - } > > - } else if (sa->type == > > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > > - struct rte_flow_error err; > > - struct rte_security_ctx *ctx = (struct rte_security_ctx > *) > > - > > rte_eth_dev_get_sec_ctx( > > - sa->portid); > > - const struct rte_security_capability *sec_cap; > > - int ret = 0; > > - > > - sa->sec_session = rte_security_session_create(ctx, > > - &sess_conf, ipsec_ctx- > >session_pool); > > - if (sa->sec_session == NULL) { > > - RTE_LOG(ERR, IPSEC, > > - "SEC Session init failed: err: %d\n", ret); > > - return -1; > > - } > > + if (sa->type == > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { > > + ctx = (struct rte_security_ctx *) > > + rte_eth_dev_get_sec_ctx(sa->portid); > > > > - sec_cap = rte_security_capabilities_get(ctx); > > + /* Set IPsec parameters in conf */ > > + set_ipsec_conf(sa, &(sess_conf.ipsec)); > > > > - /* iterate until ESP tunnel*/ > > - while (sec_cap->action != > > - > RTE_SECURITY_ACTION_TYPE_NONE) > > { > > + sa->sec_session = rte_security_session_create(ctx, > > + &sess_conf, pool); > > + if (sa->sec_session == NULL) { > > + RTE_LOG(ERR, IPSEC, > > + "SEC Session init failed: err: %d\n", > > + ret); > > + return -1; > > + } > > + } else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) > { > > + struct rte_flow_error err; > > + ctx = (struct rte_security_ctx *) > > + rte_eth_dev_get_sec_ctx(sa->portid); > > + sa->sec_session = rte_security_session_create(ctx, > > + &sess_conf, pool); > > + if (sa->sec_session == NULL) { > > + RTE_LOG(ERR, IPSEC, "SEC Session init failed\n"); > > + return -1; > > + } > > > > - if (sec_cap->action == sa->type && > > - sec_cap->protocol == > > - RTE_SECURITY_PROTOCOL_IPSEC && > > - sec_cap->ipsec.mode == > > - > > RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && > > - sec_cap->ipsec.direction == sa->direction) > > - break; > > - sec_cap++; > > - } > > + sec_cap = rte_security_capabilities_get(ctx); > > + > > + /* iterate until ESP tunnel*/ > > + while (sec_cap->action != > RTE_SECURITY_ACTION_TYPE_NONE) > > { > > + if (sec_cap->action == sa->type && > > + sec_cap->protocol == > > + RTE_SECURITY_PROTOCOL_IPSEC && > > + sec_cap->ipsec.mode == > > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL > && > > + sec_cap->ipsec.direction == sa->direction) > > + break; > > + sec_cap++; > > + } > > > > - if (sec_cap->action == > > RTE_SECURITY_ACTION_TYPE_NONE) { > > - RTE_LOG(ERR, IPSEC, > > + if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) > { > > + RTE_LOG(ERR, IPSEC, > > "No suitable security capability found\n"); > > return -1; > > - } > > + } > > > > - sa->ol_flags = sec_cap->ol_flags; > > - sa->security_ctx = ctx; > > - sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH; > > - > > - sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4; > > - sa->pattern[1].mask = &rte_flow_item_ipv4_mask; > > - if (sa->flags & IP6_TUNNEL) { > > - sa->pattern[1].spec = &sa->ipv6_spec; > > - memcpy(sa->ipv6_spec.hdr.dst_addr, > > - sa->dst.ip.ip6.ip6_b, 16); > > - memcpy(sa->ipv6_spec.hdr.src_addr, > > - sa->src.ip.ip6.ip6_b, 16); > > - } else { > > - sa->pattern[1].spec = &sa->ipv4_spec; > > - sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4; > > - sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4; > > - } > > + sa->ol_flags = sec_cap->ol_flags; > > + sa->security_ctx = ctx; > > + sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH; > > + > > + sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4; > > + sa->pattern[1].mask = &rte_flow_item_ipv4_mask; > > + if (sa->flags & IP6_TUNNEL) { > > + sa->pattern[1].spec = &sa->ipv6_spec; > > + memcpy(sa->ipv6_spec.hdr.dst_addr, > > + sa->dst.ip.ip6.ip6_b, 16); > > + memcpy(sa->ipv6_spec.hdr.src_addr, > > + sa->src.ip.ip6.ip6_b, 16); > > + } else { > > + sa->pattern[1].spec = &sa->ipv4_spec; > > + sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4; > > + sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4; > > + } > > > > - sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP; > > - sa->pattern[2].spec = &sa->esp_spec; > > - sa->pattern[2].mask = &rte_flow_item_esp_mask; > > - sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi); > > + sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP; > > + sa->pattern[2].spec = &sa->esp_spec; > > + sa->pattern[2].mask = &rte_flow_item_esp_mask; > > + sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi); > > > > - sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END; > > + sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END; > > > > - sa->action[0].type = > > RTE_FLOW_ACTION_TYPE_SECURITY; > > - sa->action[0].conf = sa->sec_session; > > + sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY; > > + sa->action[0].conf = sa->sec_session; > > > > - sa->action[1].type = RTE_FLOW_ACTION_TYPE_END; > > + sa->action[1].type = RTE_FLOW_ACTION_TYPE_END; > > > > - sa->attr.egress = (sa->direction == > > + sa->attr.egress = (sa->direction == > > > > RTE_SECURITY_IPSEC_SA_DIR_EGRESS); > > - sa->attr.ingress = (sa->direction == > > + sa->attr.ingress = (sa->direction == > > > > RTE_SECURITY_IPSEC_SA_DIR_INGRESS); > > - if (sa->attr.ingress) { > > - uint8_t rss_key[40]; > > - struct rte_eth_rss_conf rss_conf = { > > - .rss_key = rss_key, > > - .rss_key_len = 40, > > - }; > > - struct rte_eth_dev *eth_dev; > > - uint16_t > > queue[RTE_MAX_QUEUES_PER_PORT]; > > - struct rte_flow_action_rss action_rss; > > - unsigned int i; > > - unsigned int j; > > - > > - sa->action[2].type = > > RTE_FLOW_ACTION_TYPE_END; > > - /* Try RSS. */ > > - sa->action[1].type = > > RTE_FLOW_ACTION_TYPE_RSS; > > - sa->action[1].conf = &action_rss; > > - eth_dev = ctx->device; > > - rte_eth_dev_rss_hash_conf_get(sa->portid, > > - &rss_conf); > > - for (i = 0, j = 0; > > - i < eth_dev->data->nb_rx_queues; ++i) > > - if (eth_dev->data->rx_queues[i]) > > - queue[j++] = i; > > + if (sa->attr.ingress) { > > + uint8_t rss_key[40]; > > + struct rte_eth_rss_conf rss_conf = { > > + .rss_key = rss_key, > > + .rss_key_len = 40, > > + }; > > + struct rte_eth_dev *eth_dev; > > + uint16_t queue[RTE_MAX_QUEUES_PER_PORT]; > > + struct rte_flow_action_rss action_rss; > > + unsigned int i; > > + unsigned int j; > > + > > + sa->action[2].type = RTE_FLOW_ACTION_TYPE_END; > > + /* Try RSS. */ > > + sa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS; > > + sa->action[1].conf = &action_rss; > > + eth_dev = ctx->device; > > + rte_eth_dev_rss_hash_conf_get(sa->portid, > > + &rss_conf); > > + for (i = 0, j = 0; i < eth_dev->data->nb_rx_queues; > > + ++i) > > + if (eth_dev->data->rx_queues[i]) > > + queue[j++] = i; > Compilation error > > /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c: In > function 'create_sec_session': > /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:169:4: > error: this 'for' clause does not guard... [-Werror=misleading-indentation] > for (i = 0, j = 0; i < eth_dev->data->nb_rx_queues; > ^~~ > /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:173:5: > note: ...this statement, but the latter is misleadingly indented as if it is > guarded by the 'for' > action_rss = (struct rte_flow_action_rss){ > ^~~~~~~~~~ > <snip>
I will send a v4. What compiler are you using? Regards, Bernard.
