Hi Nithin,
> Enable Tx IPv4 checksum offload only when Tx inline crypto, lookaside > crypto/protocol or cpu crypto is needed. > For Tx Inline protocol offload, checksum computation > is implicitly taken care by HW. The thing is that right now it is not stated explicitly that RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL implies TSO support. It says that it 'might', it is not guaranteed. At least in dpdk docs. >From https://doc.dpdk.org/guides/prog_guide/rte_security.html: "22.1.2. Inline protocol offload ... Egress Data path - The software will send the plain packet without any security protocol headers added to the packet. The driver will configure the security index and other requirement in tx descriptors. The hardware device will do security processing on the packet that includes adding the relevant protocol headers and encrypting the data before sending the packet out. The software should make sure that the buffer has required head room and tail room for any protocol header addition. The software may also do early fragmentation if the resultant packet is expected to cross the MTU size. Note The underlying device will manage state information required for egress processing. E.g. in case of IPsec, the seq number will be added to the packet, however the device shall provide indication when the sequence number is about to overflow. The underlying device may support post encryption TSO." So, if I am not mistaken, what you suggest will change HW/PMD requirements. AFAIK, right now only Marvell supports RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, so in theory I don't mind if you'd like to harden the requirements here. Though such change probably needs to be properly documented and acked by other vendors. > > Signed-off-by: Nithin Dabilpuram <ndabilpu...@marvell.com> > --- > examples/ipsec-secgw/ipsec-secgw.c | 3 --- > examples/ipsec-secgw/sa.c | 32 +++++++++++++++++++++++++------- > 2 files changed, 25 insertions(+), 10 deletions(-) > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c > b/examples/ipsec-secgw/ipsec-secgw.c > index 42b5081..76919e5 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -2330,9 +2330,6 @@ port_init(uint16_t portid, uint64_t req_rx_offloads, > uint64_t req_tx_offloads) > local_port_conf.txmode.offloads |= > RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE; > > - if (dev_info.tx_offload_capa & RTE_ETH_TX_OFFLOAD_IPV4_CKSUM) > - local_port_conf.txmode.offloads |= > RTE_ETH_TX_OFFLOAD_IPV4_CKSUM; > - > printf("port %u configuring rx_offloads=0x%" PRIx64 > ", tx_offloads=0x%" PRIx64 "\n", > portid, local_port_conf.rxmode.offloads, > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index 1839ac7..36d890f 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -1785,13 +1785,31 @@ sa_check_offloads(uint16_t port_id, uint64_t > *rx_offloads, > for (idx_sa = 0; idx_sa < nb_sa_out; idx_sa++) { > rule = &sa_out[idx_sa]; > rule_type = ipsec_get_action_type(rule); > - if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || > - rule_type == > - RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) > - && rule->portid == port_id) { > - *tx_offloads |= RTE_ETH_TX_OFFLOAD_SECURITY; > - if (rule->mss) > - *tx_offloads |= RTE_ETH_TX_OFFLOAD_TCP_TSO; > + switch (rule_type) { > + case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: > + /* Checksum offload is not needed for inline protocol as > + * all processing for Outbound IPSec packets will be > + * implicitly taken care and for non-IPSec packets, > + * there is no need of IPv4 Checksum offload. > + */ > + if (rule->portid == port_id) > + *tx_offloads |= RTE_ETH_TX_OFFLOAD_SECURITY; > + break; > + case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: > + if (rule->portid == port_id) { > + *tx_offloads |= RTE_ETH_TX_OFFLOAD_SECURITY; > + if (rule->mss) > + *tx_offloads |= > + RTE_ETH_TX_OFFLOAD_TCP_TSO; > + *tx_offloads |= RTE_ETH_TX_OFFLOAD_IPV4_CKSUM; > + } > + break; > + default: > + /* Enable IPv4 checksum offload even if one of lookaside > + * SA's are present. > + */ > + *tx_offloads |= RTE_ETH_TX_OFFLOAD_IPV4_CKSUM; Shouldn't we check here that given port really supports IPV4_CKSUM offload? > + break; > } > } > return 0; > -- > 2.8.4
