Hi Anoob,
On Thu, Dec 07, 2017 at 03:17:40PM +0530, Anoob wrote:
> Hi Nelio,
>
>
> On 12/04/2017 07:41 PM, Nelio Laranjeiro wrote:
> > Mellanox INNOVA NIC needs to have final target queue actions to perform
> > inline crypto.
> >
> > Signed-off-by: Nelio Laranjeiro <nelio.laranje...@6wind.com>
> >
> > ---
> >
> > Changes in v2:
> >
> > * Test the rule by PASSTHRU/RSS/QUEUE and apply the first one validated.
> > ---
> > examples/ipsec-secgw/ipsec.c | 81
> > ++++++++++++++++++++++++++++++++++++++++----
> > examples/ipsec-secgw/ipsec.h | 2 +-
> > 2 files changed, 76 insertions(+), 7 deletions(-)
> >
> > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> > index 17bd7620d..f8823fb94 100644
> > --- a/examples/ipsec-secgw/ipsec.c
> > +++ b/examples/ipsec-secgw/ipsec.c
> > @@ -142,6 +142,7 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct
> > ipsec_sa *sa)
> > rte_eth_dev_get_sec_ctx(
> > sa->portid);
> > const struct rte_security_capability *sec_cap;
> > + int ret = 0;
> > sa->sec_session = rte_security_session_create(ctx,
> > &sess_conf, ipsec_ctx->session_pool);
> > @@ -173,6 +174,10 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct
> > ipsec_sa *sa)
> > return -1;
> > }
> > + sa->attr.egress = (sa->direction ==
> > + RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
> > + sa->attr.ingress = (sa->direction ==
> > + RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
> > sa->ol_flags = sec_cap->ol_flags;
> > sa->security_ctx = ctx;
> > sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
> > @@ -201,15 +206,79 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct
> > ipsec_sa *sa)
> > sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
> > sa->action[0].conf = sa->sec_session;
> > - sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
> > -
> > - sa->attr.egress = (sa->direction ==
> > - RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
> > - sa->attr.ingress = (sa->direction ==
> > - RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
> > + if (sa->attr.ingress) {
> > + uint8_t rss_key[40];
> > + struct rte_eth_rss_conf rss_conf = {
> > + .rss_key = rss_key,
> > + .rss_key_len = 40,
> > + };
> > + struct rte_eth_dev *eth_dev;
> > + union {
> > + struct rte_flow_action_rss rss;
> > + struct {
> > + const struct rte_eth_rss_conf *rss_conf;
> > + uint16_t num;
> > + uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
> > + } local;
> > + } action_rss;
> > + unsigned int i;
> > + unsigned int j;
> > +
> > + sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
> > + /*
> > + * Try implicitly PASSTHRU, it can also be
> > + * explicit.
> > + */
> May be we can get rid of this check. You can do the check with RSS and then
> QUEUE. That should be fine. SECURITY is terminating on Cavium hardware, but
> according to the spec it is a non-terminating meta action. We can stick to
> that. For Cavium hardware the PMD will give success to SECURITY+QUEUE. That
> should resolve the issue.
<snip>
I'll remove it in a v3, I will send it tomorrow to let a little more
time for other people to review.
Thanks,
--
NĂ©lio Laranjeiro
6WIND
