Update IXGBE PMD with support for IPsec statistics.
Signed-off-by: Radu Nicolau <radu.nico...@intel.com>
---
drivers/net/ixgbe/ixgbe_ipsec.c | 244 ++++++++++++++++++++++++++++++++-
drivers/net/ixgbe/ixgbe_ipsec.h | 17 ++-
drivers/net/ixgbe/ixgbe_rxtx.c | 18 +++
drivers/net/ixgbe/ixgbe_rxtx.h | 4 +
drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c | 6 +
5 files changed, 285 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c
index 48f5082..94daf92 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ixgbe/ixgbe_ipsec.c
@@ -9,6 +9,7 @@
#include <rte_security_driver.h>
#include <rte_cryptodev.h>
#include <rte_flow.h>
+#include <rte_hash_crc.h>
#include "base/ixgbe_type.h"
#include "base/ixgbe_api.h"
@@ -94,6 +95,7 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
dev->data->dev_private);
uint32_t reg_val;
int sa_index = -1;
+ struct ixgbe_crypto_sess_htable_key tbl_key = {0};
if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION) {
int i, ip_index = -1;
@@ -158,9 +160,14 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session
*ic_session)
if (ic_session->dst_ip.type == IPv6) {
priv->rx_sa_tbl[sa_index].mode |= IPSRXMOD_IPV6;
priv->rx_ip_tbl[ip_index].ip.type = IPv6;
- } else if (ic_session->dst_ip.type == IPv4)
+ memcpy(&tbl_key.ip.ipv6, &ic_session->dst_ip.ipv6,
+ sizeof(ic_session->dst_ip.ipv6));
+ } else if (ic_session->dst_ip.type == IPv4) {
priv->rx_ip_tbl[ip_index].ip.type = IPv4;
+ tbl_key.ip.ipv4 = ic_session->dst_ip.ipv4;
+ }
+ tbl_key.spi = priv->rx_sa_tbl[sa_index].spi;
priv->rx_sa_tbl[sa_index].used = 1;
/* write IP table entry*/
@@ -238,6 +245,7 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
priv->tx_sa_tbl[sa_index].spi =
rte_cpu_to_be_32(ic_session->spi);
+ tbl_key.spi = priv->tx_sa_tbl[sa_index].spi;
priv->tx_sa_tbl[i].used = 1;
ic_session->sa_index = sa_index;
@@ -264,6 +272,7 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
free(key);
}
+ rte_hash_add_key_data(priv->session_tbl, &tbl_key, ic_session);
return 0;
}
@@ -276,6 +285,7 @@ ixgbe_crypto_remove_sa(struct rte_eth_dev *dev,
IXGBE_DEV_PRIVATE_TO_IPSEC(dev->data->dev_private);
uint32_t reg_val;
int sa_index = -1;
+ struct ixgbe_crypto_sess_htable_key tbl_key = {0};
if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION) {
int i, ip_index = -1;
@@ -324,6 +334,13 @@ ixgbe_crypto_remove_sa(struct rte_eth_dev *dev,
IXGBE_WRITE_REG(hw, IXGBE_IPSRXMOD, 0);
IXGBE_WAIT_RWRITE;
priv->rx_sa_tbl[sa_index].used = 0;
+ if (priv->rx_sa_tbl[sa_index].mode & IPSRXMOD_IPV6) {
+ memcpy(&tbl_key.ip.ipv6, &ic_session->dst_ip.ipv6,
+ sizeof(ic_session->dst_ip.ipv6));
+ } else {
+ tbl_key.ip.ipv4 = ic_session->dst_ip.ipv4;
+ }
+ tbl_key.spi = priv->rx_sa_tbl[sa_index].spi;
/* If last used then clear the IP table entry*/
priv->rx_ip_tbl[ip_index].ref_count--;
@@ -361,8 +378,10 @@ ixgbe_crypto_remove_sa(struct rte_eth_dev *dev,
IXGBE_WAIT_TWRITE;
priv->tx_sa_tbl[sa_index].used = 0;
+ tbl_key.spi = priv->tx_sa_tbl[sa_index].spi;
}
+ rte_hash_del_key(priv->session_tbl, &tbl_key);
return 0;
}
@@ -376,6 +395,8 @@ ixgbe_crypto_create_session(void *device,
struct ixgbe_crypto_session *ic_session = NULL;
struct rte_crypto_aead_xform *aead_xform;
struct rte_eth_conf *dev_conf = ð_dev->data->dev_conf;
+ struct ixgbe_ipsec *priv =
+ IXGBE_DEV_PRIVATE_TO_IPSEC(eth_dev->data->dev_private);
if (rte_mempool_get(mempool, (void **)&ic_session)) {
PMD_DRV_LOG(ERR, "Cannot get object from ic_session mempool");
@@ -426,6 +447,40 @@ ixgbe_crypto_create_session(void *device,
}
}
+ if (conf->ipsec.options.stats) {
+ ic_session->stats_enabled = 1;
+ priv->per_session_stats_active++;
+ }
+
+ return 0;
+}
+
+static int
+ixgbe_crypto_stats_get(__rte_unused void *device,
+ struct rte_security_session *sess,
+ struct rte_security_stats *stats)
+{
+ struct rte_eth_dev *eth_dev = device;
+ struct ixgbe_ipsec *priv =
+ IXGBE_DEV_PRIVATE_TO_IPSEC(eth_dev->data->dev_private);
+ volatile struct rte_security_ipsec_stats *ixgbe_stats;
+
+ if (sess) {
+ struct ixgbe_crypto_session *ic_session =
+ (struct ixgbe_crypto_session *)
+ get_sec_session_private_data(sess);
+ ixgbe_stats = &ic_session->stats;
+ } else {
+ ixgbe_stats = &priv->stats;
+ }
+
+ stats->ipsec.ipackets = ixgbe_stats->ipackets;
+ stats->ipsec.opackets = ixgbe_stats->opackets;
+ stats->ipsec.ibytes = ixgbe_stats->ibytes;
+ stats->ipsec.obytes = ixgbe_stats->obytes;
+ stats->ipsec.ierrors = ixgbe_stats->ierrors;
+ stats->ipsec.oerrors = ixgbe_stats->oerrors;
+
return 0;
}
@@ -444,6 +499,8 @@ ixgbe_crypto_remove_session(void *device,
(struct ixgbe_crypto_session *)
get_sec_session_private_data(session);
struct rte_mempool *mempool = rte_mempool_from_obj(ic_session);
+ struct ixgbe_ipsec *priv =
+ IXGBE_DEV_PRIVATE_TO_IPSEC(eth_dev->data->dev_private);
if (eth_dev != ic_session->dev) {
PMD_DRV_LOG(ERR, "Session not bound to this device\n");
@@ -455,11 +512,44 @@ ixgbe_crypto_remove_session(void *device,
return -EFAULT;
}
+ if (ic_session->stats_enabled && priv->per_session_stats_active > 0)
+ priv->per_session_stats_active--;
+
rte_mempool_put(mempool, (void *)ic_session);
return 0;
}
+static int
+ixgbe_crypto_update_session(void *device,
+ struct rte_security_session *session,
+ struct rte_security_session_conf *conf)
+{
+ struct rte_eth_dev *eth_dev = device;
+ struct ixgbe_crypto_session *ic_session =
+ (struct ixgbe_crypto_session *)
+ get_sec_session_private_data(session);
+ struct ixgbe_ipsec *priv =
+ IXGBE_DEV_PRIVATE_TO_IPSEC(eth_dev->data->dev_private);
+
+ if (eth_dev != ic_session->dev) {
+ PMD_DRV_LOG(ERR, "Session not bound to this device\n");
+ return -ENODEV;
+ }
+
+ /* Enable/disable per session stats */
+ if (ic_session->stats_enabled && !conf->ipsec.options.stats) {
+ ic_session->stats_enabled = 0;
+ if (priv->per_session_stats_active > 0)
+ priv->per_session_stats_active--;
+ } else if (!ic_session->stats_enabled && conf->ipsec.options.stats) {
+ ic_session->stats_enabled = 1;
+ priv->per_session_stats_active++;
+ }
+
+ return 0;
+}
+
static inline uint8_t
ixgbe_crypto_compute_pad_len(struct rte_mbuf *m)
{
@@ -624,6 +714,8 @@ int
ixgbe_crypto_enable_ipsec(struct rte_eth_dev *dev)
{
struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
+ struct ixgbe_ipsec *priv =
+ IXGBE_DEV_PRIVATE_TO_IPSEC(dev->data->dev_private);
uint32_t reg;
uint64_t rx_offloads;
uint64_t tx_offloads;
@@ -676,6 +768,23 @@ ixgbe_crypto_enable_ipsec(struct rte_eth_dev *dev)
ixgbe_crypto_clear_ipsec_tables(dev);
+ if (priv->session_tbl == NULL) {
+ char session_tbl_hash_name[RTE_HASH_NAMESIZE];
+ struct rte_hash_parameters params = {
+ .name = session_tbl_hash_name,
+ .entries = IPSEC_MAX_SA_COUNT * 2,
+ .key_len = sizeof(struct ixgbe_crypto_sess_htable_key),
+ .hash_func = rte_hash_crc,
+ .socket_id = rte_socket_id(),
+ };
+ snprintf(session_tbl_hash_name, RTE_HASH_NAMESIZE,
+ "session_tbl_hash_%s", dev->device->name);
+
+ priv->session_tbl = rte_hash_create(¶ms);
+ } else {
+ rte_hash_reset(priv->session_tbl);
+ }
+
return 0;
}
@@ -709,11 +818,140 @@ ixgbe_crypto_add_ingress_sa_from_flow(const void *sess,
return 0;
}
+void
+ixgbe_crypto_update_rx_stats(struct ixgbe_ipsec *ixgbe_ipsec,
+ struct rte_mbuf **mbufs,
+ uint16_t count)
+{
+ uint16_t i;
+ uint32_t ipackets = 0, ibytes = 0, ierrors = 0;
+
+ if (ixgbe_ipsec->per_session_stats_active) {
+ struct ip *ip;
+ struct rte_esp_hdr *esp;
+ struct ixgbe_crypto_session *sess;
+ struct ixgbe_crypto_sess_htable_key tbl_key = {0};
+
+ for (i = 0; i < count; i++) {
+ if ((mbufs[i]->ol_flags & PKT_RX_SEC_OFFLOAD) == 0)
+ continue;
+ ip = rte_pktmbuf_mtod_offset(mbufs[i],
+ struct ip *,
+ sizeof(struct rte_ether_hdr));
+ if (ip->ip_v == IPVERSION) {
+ tbl_key.ip.ipv4 = ip->ip_dst.s_addr;
+ esp = rte_pktmbuf_mtod_offset(mbufs[i],
+ struct rte_esp_hdr *,
+ sizeof(struct rte_ether_hdr) +
+ ip->ip_hl * 4);
+ } else {
+ struct ip6_hdr *ip6 = (struct ip6_hdr *)ip;
+ memcpy(&tbl_key.ip.ipv6, &ip6->ip6_dst, 16);
+ esp = rte_pktmbuf_mtod_offset(mbufs[i],
+ struct rte_esp_hdr *,
+ sizeof(struct rte_ether_hdr) +
+ sizeof(struct ip6_hdr));
+ }
+ tbl_key.spi = esp->spi;
+ if (rte_hash_lookup_data(ixgbe_ipsec->session_tbl,
+ &tbl_key, (void **)&sess) < 0)
+ sess = NULL;
+ if (mbufs[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) {
+ if (sess && sess->stats_enabled)
+ sess->stats.ierrors++;
+ ierrors++;
+ } else {
+ if (sess && sess->stats_enabled) {
+ sess->stats.ipackets++;
+ sess->stats.ibytes +=
+ rte_pktmbuf_pkt_len(mbufs[i]);
+ }
+ ipackets++;
+ ibytes += rte_pktmbuf_pkt_len(mbufs[i]);
+ }
+ }
+ } else { /* Global stats only */
+ for (i = 0; i < count; i++) {
+ if (mbufs[i]->ol_flags & PKT_RX_SEC_OFFLOAD) {
+ if (mbufs[i]->ol_flags &
+ PKT_RX_SEC_OFFLOAD_FAILED) {
+ ierrors++;
+ } else {
+ ipackets++;
+ ibytes += rte_pktmbuf_pkt_len(mbufs[i]);
+ }
+ }
+ }
+ }
+
+ /* Update global stats */
+ ixgbe_ipsec->stats.ipackets += ipackets;
+ ixgbe_ipsec->stats.ibytes += ibytes;
+ ixgbe_ipsec->stats.ierrors += ierrors;
+}
+
+void
+ixgbe_crypto_update_tx_stats(struct ixgbe_ipsec *ixgbe_ipsec,
+ struct rte_mbuf **mbufs,
+ uint16_t count)
+{
+ uint16_t i;
+ uint32_t opackets = 0, obytes = 0;
+
+ if (ixgbe_ipsec->per_session_stats_active) {
+ struct ip *ip;
+ struct rte_esp_hdr *esp;
+ struct ixgbe_crypto_session *sess;
+ struct ixgbe_crypto_sess_htable_key tbl_key = {0};
+
+ for (i = 0; i < count; i++) {
+ if ((mbufs[i]->ol_flags & PKT_TX_SEC_OFFLOAD) == 0)
+ continue;
+ ip = rte_pktmbuf_mtod_offset(mbufs[i],
+ struct ip *,
+ sizeof(struct rte_ether_hdr));
+ if (ip->ip_v == IPVERSION) {
+ esp = rte_pktmbuf_mtod_offset(mbufs[i],
+ struct rte_esp_hdr *,
+ sizeof(struct rte_ether_hdr) +
+ ip->ip_hl * 4);
+ } else {
+ esp = rte_pktmbuf_mtod_offset(mbufs[i],
+ struct rte_esp_hdr *,
+ sizeof(struct rte_ether_hdr) +
+ sizeof(struct ip6_hdr));
+ }
+ tbl_key.spi = esp->spi;
+ if (rte_hash_lookup_data(ixgbe_ipsec->session_tbl,
+ &tbl_key, (void **)&sess) < 0)
+ sess = NULL;
+ if (sess && sess->stats_enabled) {
+ sess->stats.opackets++;
+ sess->stats.obytes +=
+ rte_pktmbuf_pkt_len(mbufs[i]);
+ }
+ opackets++;
+ obytes += rte_pktmbuf_pkt_len(mbufs[i]);
+ }
+ } else { /* Global stats only */
+ for (i = 0; i < count; i++) {
+ if (mbufs[i]->ol_flags & PKT_RX_SEC_OFFLOAD) {
+ opackets++;
+ obytes += rte_pktmbuf_pkt_len(mbufs[i]);
+ }
+ }
+ }
+
+ /* Update global stats */
+ ixgbe_ipsec->stats.opackets += opackets;
+ ixgbe_ipsec->stats.obytes += obytes;
+}
+
static struct rte_security_ops ixgbe_security_ops = {
.session_create = ixgbe_crypto_create_session,
- .session_update = NULL,
+ .session_update = ixgbe_crypto_update_session,
.session_get_size = ixgbe_crypto_session_get_size,
- .session_stats_get = NULL,
+ .session_stats_get = ixgbe_crypto_stats_get,
.session_destroy = ixgbe_crypto_remove_session,
.set_pkt_metadata = ixgbe_crypto_update_mb,
.capabilities_get = ixgbe_crypto_capabilities_get
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.h b/drivers/net/ixgbe/ixgbe_ipsec.h
index e218c0a..a4ff8b6 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.h
+++ b/drivers/net/ixgbe/ixgbe_ipsec.h
@@ -70,6 +70,8 @@ struct ixgbe_crypto_session {
struct ipaddr src_ip;
struct ipaddr dst_ip;
struct rte_eth_dev *dev;
+ volatile struct rte_security_ipsec_stats stats;
+ uint8_t stats_enabled;
} __rte_cache_aligned;
struct ixgbe_crypto_rx_ip_table {
@@ -100,10 +102,18 @@ union ixgbe_crypto_tx_desc_md {
};
};
+struct ixgbe_crypto_sess_htable_key {
+ uint32_t spi;
+ struct ipaddr ip;
+};
+
struct ixgbe_ipsec {
struct ixgbe_crypto_rx_ip_table rx_ip_tbl[IPSEC_MAX_RX_IP_COUNT];
struct ixgbe_crypto_rx_sa_table rx_sa_tbl[IPSEC_MAX_SA_COUNT];
struct ixgbe_crypto_tx_sa_table tx_sa_tbl[IPSEC_MAX_SA_COUNT];
+ volatile struct rte_security_ipsec_stats stats;
+ volatile uint16_t per_session_stats_active;
+ struct rte_hash *session_tbl;
};
@@ -112,7 +122,12 @@ int ixgbe_crypto_enable_ipsec(struct rte_eth_dev *dev);
int ixgbe_crypto_add_ingress_sa_from_flow(const void *sess,
const void *ip_spec,
uint8_t is_ipv6);
-
+void ixgbe_crypto_update_rx_stats(struct ixgbe_ipsec *ixgbe_ipsec,
+ struct rte_mbuf **mbufs,
+ uint16_t count);
+void ixgbe_crypto_update_tx_stats(struct ixgbe_ipsec *ixgbe_ipsec,
+ struct rte_mbuf **mbufs,
+ uint16_t count);
#endif /*IXGBE_IPSEC_H_*/
diff --git a/drivers/net/ixgbe/ixgbe_rxtx.c b/drivers/net/ixgbe/ixgbe_rxtx.c
index edcfa60..cde012f 100644
--- a/drivers/net/ixgbe/ixgbe_rxtx.c
+++ b/drivers/net/ixgbe/ixgbe_rxtx.c
@@ -956,6 +956,12 @@ ixgbe_xmit_pkts(void *tx_queue, struct rte_mbuf **tx_pkts,
IXGBE_PCI_REG_WRITE_RELAXED(txq->tdt_reg_addr, tx_id);
txq->tx_tail = tx_id;
+#ifdef RTE_LIBRTE_SECURITY
+ if (unlikely(txq->using_ipsec))
+ ixgbe_crypto_update_tx_stats(txq->ixgbe_ipsec,
+ &tx_pkts[-nb_tx], nb_tx);
+#endif
+
return nb_tx;
}
@@ -1643,6 +1649,12 @@ ixgbe_rx_fill_from_stage(struct ixgbe_rx_queue *rxq,
struct rte_mbuf **rx_pkts,
rxq->rx_nb_avail = (uint16_t)(rxq->rx_nb_avail - nb_pkts);
rxq->rx_next_avail = (uint16_t)(rxq->rx_next_avail + nb_pkts);
+#ifdef RTE_LIBRTE_SECURITY
+ if (unlikely(rxq->using_ipsec))
+ ixgbe_crypto_update_rx_stats(rxq->ixgbe_ipsec,
+ rx_pkts, nb_pkts);
+#endif
+
return nb_pkts;
}
@@ -2618,6 +2630,9 @@ ixgbe_dev_tx_queue_setup(struct rte_eth_dev *dev,
#ifdef RTE_LIBRTE_SECURITY
txq->using_ipsec = !!(dev->data->dev_conf.txmode.offloads &
DEV_TX_OFFLOAD_SECURITY);
+ if (txq->using_ipsec)
+ txq->ixgbe_ipsec =
+ IXGBE_DEV_PRIVATE_TO_IPSEC(dev->data->dev_private);
#endif
/*
@@ -4730,6 +4745,9 @@ ixgbe_set_rx_function(struct rte_eth_dev *dev)
#ifdef RTE_LIBRTE_SECURITY
rxq->using_ipsec = !!(dev->data->dev_conf.rxmode.offloads &
DEV_RX_OFFLOAD_SECURITY);
+ if (rxq->using_ipsec)
+ rxq->ixgbe_ipsec =
+ IXGBE_DEV_PRIVATE_TO_IPSEC(dev->data->dev_private);
#endif
}
}
diff --git a/drivers/net/ixgbe/ixgbe_rxtx.h b/drivers/net/ixgbe/ixgbe_rxtx.h
index 505d344..b5f130d 100644
--- a/drivers/net/ixgbe/ixgbe_rxtx.h
+++ b/drivers/net/ixgbe/ixgbe_rxtx.h
@@ -114,6 +114,8 @@ struct ixgbe_rx_queue {
#ifdef RTE_LIBRTE_SECURITY
uint8_t using_ipsec;
/**< indicates that IPsec RX feature is in use */
+ struct ixgbe_ipsec *ixgbe_ipsec;
+ /**< IXGBE IPsec internals */
#endif
#ifdef RTE_IXGBE_INC_VECTOR
uint16_t rxrearm_nb; /**< number of remaining to be
re-armed */
@@ -231,6 +233,8 @@ struct ixgbe_tx_queue {
#ifdef RTE_LIBRTE_SECURITY
uint8_t using_ipsec;
/**< indicates that IPsec TX feature is in use */
+ struct ixgbe_ipsec *ixgbe_ipsec;
+ /**< IXGBE IPsec internals */
#endif
};
diff --git a/drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c
b/drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c
index 599ba30..b92d1a9 100644
--- a/drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c
+++ b/drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c
@@ -553,6 +553,12 @@ _recv_raw_pkts_vec(struct ixgbe_rx_queue *rxq, struct
rte_mbuf **rx_pkts,
rxq->rx_tail = (uint16_t)(rxq->rx_tail & (rxq->nb_rx_desc - 1));
rxq->rxrearm_nb = (uint16_t)(rxq->rxrearm_nb + nb_pkts_recd);
+#ifdef RTE_LIBRTE_SECURITY
+ if (unlikely(use_ipsec))
+ ixgbe_crypto_update_rx_stats(rxq->ixgbe_ipsec,
+ rx_pkts, nb_pkts_recd);
+#endif
+
return nb_pkts_recd;
}
--
2.7.4
