Re: [dpdk-dev] [EXT] [PATCH v3 6/6] spinlock: ticket based to improve fairness

[Gavin Hu (Arm Technology China)]

> -Original Message-
> From: Jerin Jacob Kollanukkaran 
> Sent: Friday, December 28, 2018 12:39 PM
> To: step...@networkplumber.org
> Cc: david.march...@redhat.com; chao...@linux.vnet.ibm.com; nd
> ; bruce.richard...@intel.com; tho...@monjalon.net;
> dev@dpdk.org; Joyce Kong (Arm Technology China) ;
> hemant.agra...@nxp.com; Honnappa Nagarahalli
> ; Gavin Hu (Arm Technology China)
> 
> Subject: Re: [EXT] [PATCH v3 6/6] spinlock: ticket based to improve fairness
> 
> On Thu, 2018-12-27 at 15:41 -0800, Stephen Hemminger wrote:
> > On Thu, 27 Dec 2018 12:08:26 +
> > Jerin Jacob Kollanukkaran  wrote:
> >
> > > On Thu, 2018-12-27 at 10:05 +, Gavin Hu (Arm Technology China)
> > > wrote:
> > > > > -Original Message-
> > > > > From: Jerin Jacob Kollanukkaran 
> > > > > Sent: Thursday, December 27, 2018 2:58 PM
> > > > > To: Gavin Hu (Arm Technology China) ;
> > > > > dev@dpdk.org
> > > > > Cc: david.march...@redhat.com; chao...@linux.vnet.ibm.com; nd
> > > > > ; bruce.richard...@intel.com; tho...@monjalon.net;
> > > > > Joyce
> > > > > Kong (Arm Technology China) ;
> > > > > hemant.agra...@nxp.com; step...@networkplumber.org; Honnappa
> > > > > Nagarahalli 
> > > > > Subject: Re: [EXT] [PATCH v3 6/6] spinlock: ticket based to
> > > > > improve
> > > > > fairness
> > > > >
> > > > > On Thu, 2018-12-27 at 12:13 +0800, Gavin Hu wrote:
> > > > > > ---
> > > > > > 
> > > > > > 
> > > > > > ---
> > > > > > From: Joyce Kong 
> > > > > >
> > > > > > The old implementation is unfair, some threads may take locks
> > > > > > aggressively
> > > > >
> > > > > I think, one issue here is x86 and ppc follows traditional
> > > > > spinlock
> > > > > and
> > > > > arm64 will be following ticket lock for spinlock
> > > > > implementation.
> > > > > This would change application behaviour on arm64 compared to
> > > > > x86
> > > > > and
> > > > > ppc.
> > > > >
> > > > > How about having a separate API for ticket lock? That would
> > > > > give,
> > > > > # application choice to use the locking strategy
> > > > > # application behaviour will be same across all arch.
> > > >
> > > > Ok, will do in v4 to have a new named rte_ticket_spinlock API.
> > >
> > > I would prefer rte_ticketlock_[lock/unlock/trylock/is_locked] name
> > > instead of rte_ticket_spinlock_lock etc to reduce the length of the
> > > API.
> >
> > NAK to adding new API for this.
> >
> > I want the best possible locks for all applications and all
> > architectures.
> > These should be called spinlock so there is no requirement for
> > application
> > to change to get better performance. Why not just implement the best
> > algorithm
> > across the board. Yes, this means collaboration or working on the
> > other guys
> > architecture.
> 
> Then 6/6 patch needs to put on hold if every arch needs to make ticket
> lock as default spinlock lock strategy.
> 
> How about following to make forward progress:
> 1) Introduce rte_ticketlock_[lock/unlock/trylock/is_locked] API now as
> experimental with default implementation
> 2) Provide a time line to switch every arch for optimized ticketlock
> implementation if needed.
> 3) Switch rte_ticketlock_ as rte_spinlock_ API.
> 4) Keep old version of spinlock as new API if some application does not
> need fairness between threads at the cost of light weight spinlock
> implementation.

We will rework the patches following this proposal, and let's switch over at 
some point of later.
 
> I don't want arm64 to behave differently than other arch(s).

This is the generic implementation, x86 and ppc can choose also by setting 
CONFIG_RTE_FORCE_INTRINSICS=y  in the config file.
The arch specific implementation is instruction level based, arm will implement 
this also, they are not ticket based.
> 

[dpdk-dev] [PATCH] libs/power: fix the resource leaking issue

[Liang Ma]

Fixes: e6c6dc0f96c8 ("power: add p-state driver compatibility")
Coverity issue: 328528

Also add the missing functionality of enable/disable turbo

Signed-off-by: Liang Ma 
---
 lib/librte_power/power_pstate_cpufreq.c | 34 -
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/lib/librte_power/power_pstate_cpufreq.c 
b/lib/librte_power/power_pstate_cpufreq.c
index 411d0eb..cb226a5 100644
--- a/lib/librte_power/power_pstate_cpufreq.c
+++ b/lib/librte_power/power_pstate_cpufreq.c
@@ -160,6 +160,10 @@ power_init_for_setting_freq(struct pstate_power_info *pi)
pi->lcore_id);
 
f_max = fopen(fullpath_max, "rw+");
+
+   if (f_max == NULL)
+   fclose(f_min);
+
FOPEN_OR_ERR_RET(f_max, -1);
 
pi->f_cur_min = f_min;
@@ -214,7 +218,13 @@ set_freq_internal(struct pstate_power_info *pi, uint32_t 
idx)
/* Turbo is available and enabled, first freq bucket is sys max freq */
if (pi->turbo_available && pi->turbo_enable && (idx == 0))
target_freq = pi->sys_max_freq;
-   else
+   else if (pi->turbo_available && (!pi->turbo_enable) && (idx == 0)) {
+
+   RTE_LOG(ERR, POWER, "Turbo is off, frequency can't be scaled up 
more %u\n",
+   pi->lcore_id);
+   return -1;
+
+   } else
target_freq = pi->freqs[idx];
 
/* Decrease freq, the min freq should be updated first */
@@ -394,6 +404,10 @@ power_get_available_freqs(struct pstate_power_info *pi)
FOPEN_OR_ERR_RET(f_min, ret);
 
f_max = fopen(fullpath_max, "r");
+
+   if (f_max == NULL)
+   fclose(f_min);
+
FOPEN_OR_ERR_RET(f_max, ret);
 
s_min = fgets(buf_min, sizeof(buf_min), f_min);
@@ -726,6 +740,14 @@ power_pstate_enable_turbo(unsigned int lcore_id)
return -1;
}
 
+   /* Max may have changed, so call to max function */
+   if (power_pstate_cpufreq_freq_max(lcore_id) < 0) {
+   RTE_LOG(ERR, POWER,
+   "Failed to set frequency of lcore %u to max\n",
+   lcore_id);
+   return -1;
+   }
+
return 0;
 }
 
@@ -744,6 +766,16 @@ power_pstate_disable_turbo(unsigned int lcore_id)
 
pi->turbo_enable = 0;
 
+   if ((pi->turbo_available) && (pi->curr_idx <= 1)) {
+   /* Try to set freq to max by default coming out of turbo */
+   if (power_pstate_cpufreq_freq_max(lcore_id) < 0) {
+   RTE_LOG(ERR, POWER,
+   "Failed to set frequency of lcore %u to max\n",
+   lcore_id);
+   return -1;
+   }
+   }
+
 
return 0;
 }
-- 
2.7.5

[dpdk-dev] [PATCH v5 00/10] ipsec: new library for IPsec data-path processing

[Konstantin Ananyev]

v4 -> v5
 - Fix issue with SQN overflows
 - Address Akhil comments:
 documentation update
 spell checks spacing etc.
 fix input crypto_xform check/prepcess
 test cases for lookaside and inline proto

v3 -> v4
 - Changes to adress Declan comments
 - Update docs

v2 -> v3
 - Several fixes for IPv6 support
 - Extra checks for input parameters in public APi functions 

v1 -> v2
 - Changes to get into account l2_len for outbound transport packets
   (Qi comments)
 - Several bug fixes
 - Some code restructured
 - Update MAINTAINERS file

RFCv2 -> v1
 - Changes per Jerin comments
 - Implement transport mode
 - Several bug fixes
 - UT largely reworked and extended

This patch introduces a new library within DPDK: librte_ipsec.
The aim is to provide DPDK native high performance library for IPsec
data-path processing.
The library is supposed to utilize existing DPDK crypto-dev and
security API to provide application with transparent IPsec
processing API.
The library is concentrated on data-path protocols processing
(ESP and AH), IKE protocol(s) implementation is out of scope
for that library.
Current patch introduces SA-level API.

SA (low) level API
==

API described below operates on SA level.
It provides functionality that allows user for given SA to process
inbound and outbound IPsec packets.
To be more specific:
- for inbound ESP/AH packets perform decryption, authentication,
  integrity checking, remove ESP/AH related headers
- for outbound packets perform payload encryption, attach ICV,
  update/add IP headers, add ESP/AH headers/trailers,
  setup related mbuf felids (ol_flags, tx_offloads, etc.).
- initialize/un-initialize given SA based on user provided parameters.

The following functionality:
  - match inbound/outbound packets to particular SA
  - manage crypto/security devices
  - provide SAD/SPD related functionality
  - determine what crypto/security device has to be used
for given packet(s)
is out of scope for SA-level API.

SA-level API is based on top of crypto-dev/security API and relies on them
to perform actual cipher and integrity checking.
To have an ability to easily map crypto/security sessions into related
IPSec SA opaque userdata field was added into
rte_cryptodev_sym_session and rte_security_session structures.
That implies ABI change for both librte_crytpodev and librte_security.

Due to the nature of crypto-dev API (enqueue/deque model) we use
asynchronous API for IPsec packets destined to be processed by crypto-device.
Expected API call sequence would be:
  /* enqueue for processing by crypto-device */
  rte_ipsec_pkt_crypto_prepare(...);
  rte_cryptodev_enqueue_burst(...);
  /* dequeue from crypto-device and do final processing (if any) */
  rte_cryptodev_dequeue_burst(...);
  rte_ipsec_pkt_crypto_group(...); /* optional */
  rte_ipsec_pkt_process(...);

Though for packets destined for inline processing no extra overhead
is required and synchronous API call: rte_ipsec_pkt_process()
is sufficient for that case.

Current implementation supports all four currently defined
rte_security types.
Though to accommodate future custom implementations function pointers
model is used for both for *crypto_prepare* and *process* impelementations.

Konstantin Ananyev (10):
  cryptodev: add opaque userdata pointer into crypto sym session
  security: add opaque userdata pointer into security session
  net: add ESP trailer structure definition
  lib: introduce ipsec library
  ipsec: add SA data-path API
  ipsec: implement SA data-path API
  ipsec: rework SA replay window/SQN for MT environment
  ipsec: helper functions to group completed crypto-ops
  test/ipsec: introduce functional test
  doc: add IPsec library guide

 MAINTAINERS|8 +-
 config/common_base |5 +
 doc/guides/prog_guide/index.rst|1 +
 doc/guides/prog_guide/ipsec_lib.rst|  168 ++
 doc/guides/rel_notes/release_19_02.rst |   11 +
 lib/Makefile   |2 +
 lib/librte_cryptodev/rte_cryptodev.h   |2 +
 lib/librte_ipsec/Makefile  |   27 +
 lib/librte_ipsec/crypto.h  |  123 ++
 lib/librte_ipsec/iph.h |   84 +
 lib/librte_ipsec/ipsec_sqn.h   |  343 
 lib/librte_ipsec/meson.build   |   10 +
 lib/librte_ipsec/pad.h |   45 +
 lib/librte_ipsec/rte_ipsec.h   |  154 ++
 lib/librte_ipsec/rte_ipsec_group.h |  151 ++
 lib/librte_ipsec/rte_ipsec_sa.h|  174 ++
 lib/librte_ipsec/rte_ipsec_version.map |   15 +
 lib/librte_ipsec/sa.c  | 1527 ++
 lib/librte_ipsec/sa.h  |  106 +
 lib/librte_ipsec/ses.c |   45 +
 lib/librte_net/rte_esp.h   |   10 +-
 lib/librte_security/rte_security.h |2 +
 lib/meson.build|2 +
 mk/rte.app.mk  |2 +
 test/test/Makefile |3 +
 test/test/meson.build

[dpdk-dev] [PATCH v5 02/10] security: add opaque userdata pointer into security session

[Konstantin Ananyev]

Add 'uint64_t opaque_data' inside struct rte_security_session.
That allows upper layer to easily associate some user defined
data with the session.

Signed-off-by: Konstantin Ananyev 
Acked-by: Mohammad Abdul Awal 
Acked-by: Declan Doherty 
Acked-by: Akhil Goyal 
---
 lib/librte_security/rte_security.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/librte_security/rte_security.h 
b/lib/librte_security/rte_security.h
index 718147e00..c8e438fdd 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -317,6 +317,8 @@ struct rte_security_session_conf {
 struct rte_security_session {
void *sess_private_data;
/**< Private session material */
+   uint64_t opaque_data;
+   /**< Opaque user defined data */
 };
 
 /**
-- 
2.17.1

[dpdk-dev] [PATCH v5 04/10] lib: introduce ipsec library

[Konstantin Ananyev]

Introduce librte_ipsec library.
The library is supposed to utilize existing DPDK crypto-dev and
security API to provide application with transparent IPsec processing API.
That initial commit provides some base API to manage
IPsec Security Association (SA) object.

Signed-off-by: Mohammad Abdul Awal 
Signed-off-by: Konstantin Ananyev 
Acked-by: Declan Doherty 
---
 MAINTAINERS|   8 +-
 config/common_base |   5 +
 lib/Makefile   |   2 +
 lib/librte_ipsec/Makefile  |  24 ++
 lib/librte_ipsec/ipsec_sqn.h   |  48 
 lib/librte_ipsec/meson.build   |  10 +
 lib/librte_ipsec/rte_ipsec_sa.h| 141 +++
 lib/librte_ipsec/rte_ipsec_version.map |  10 +
 lib/librte_ipsec/sa.c  | 335 +
 lib/librte_ipsec/sa.h  |  85 +++
 lib/meson.build|   2 +
 mk/rte.app.mk  |   2 +
 12 files changed, 671 insertions(+), 1 deletion(-)
 create mode 100644 lib/librte_ipsec/Makefile
 create mode 100644 lib/librte_ipsec/ipsec_sqn.h
 create mode 100644 lib/librte_ipsec/meson.build
 create mode 100644 lib/librte_ipsec/rte_ipsec_sa.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_version.map
 create mode 100644 lib/librte_ipsec/sa.c
 create mode 100644 lib/librte_ipsec/sa.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 470f36b9c..9ce636be6 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1036,6 +1036,13 @@ M: Jiayu Hu 
 F: lib/librte_gso/
 F: doc/guides/prog_guide/generic_segmentation_offload_lib.rst
 
+IPsec - EXPERIMENTAL
+M: Konstantin Ananyev 
+T: git://dpdk.org/next/dpdk-next-crypto
+F: lib/librte_ipsec/
+M: Bernard Iremonger 
+F: test/test/test_ipsec.c
+
 Flow Classify - EXPERIMENTAL
 M: Bernard Iremonger 
 F: lib/librte_flow_classify/
@@ -1077,7 +1084,6 @@ F: doc/guides/prog_guide/pdump_lib.rst
 F: app/pdump/
 F: doc/guides/tools/pdump.rst
 
-
 Packet Framework
 
 M: Cristian Dumitrescu 
diff --git a/config/common_base b/config/common_base
index 0e3f900c5..14ad0b7bf 100644
--- a/config/common_base
+++ b/config/common_base
@@ -934,6 +934,11 @@ CONFIG_RTE_LIBRTE_BPF=y
 # allow load BPF from ELF files (requires libelf)
 CONFIG_RTE_LIBRTE_BPF_ELF=n
 
+#
+# Compile librte_ipsec
+#
+CONFIG_RTE_LIBRTE_IPSEC=y
+
 #
 # Compile the test application
 #
diff --git a/lib/Makefile b/lib/Makefile
index 8dbdc9bca..d6239d27c 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -107,6 +107,8 @@ DEPDIRS-librte_gso := librte_eal librte_mbuf librte_ethdev 
librte_net
 DEPDIRS-librte_gso += librte_mempool
 DIRS-$(CONFIG_RTE_LIBRTE_BPF) += librte_bpf
 DEPDIRS-librte_bpf := librte_eal librte_mempool librte_mbuf librte_ethdev
+DIRS-$(CONFIG_RTE_LIBRTE_IPSEC) += librte_ipsec
+DEPDIRS-librte_ipsec := librte_eal librte_mbuf librte_cryptodev librte_security
 DIRS-$(CONFIG_RTE_LIBRTE_TELEMETRY) += librte_telemetry
 DEPDIRS-librte_telemetry := librte_eal librte_metrics librte_ethdev
 
diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
new file mode 100644
index 0..0e2868d26
--- /dev/null
+++ b/lib/librte_ipsec/Makefile
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright(c) 2018 Intel Corporation
+
+include $(RTE_SDK)/mk/rte.vars.mk
+
+# library name
+LIB = librte_ipsec.a
+
+CFLAGS += -O3
+CFLAGS += $(WERROR_FLAGS) -I$(SRCDIR)
+CFLAGS += -DALLOW_EXPERIMENTAL_API
+LDLIBS += -lrte_eal -lrte_mbuf -lrte_net -lrte_cryptodev -lrte_security
+
+EXPORT_MAP := rte_ipsec_version.map
+
+LIBABIVER := 1
+
+# all source are stored in SRCS-y
+SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += sa.c
+
+# install header files
+SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sa.h
+
+include $(RTE_SDK)/mk/rte.lib.mk
diff --git a/lib/librte_ipsec/ipsec_sqn.h b/lib/librte_ipsec/ipsec_sqn.h
new file mode 100644
index 0..1935f6e30
--- /dev/null
+++ b/lib/librte_ipsec/ipsec_sqn.h
@@ -0,0 +1,48 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#ifndef _IPSEC_SQN_H_
+#define _IPSEC_SQN_H_
+
+#define WINDOW_BUCKET_BITS 6 /* uint64_t */
+#define WINDOW_BUCKET_SIZE (1 << WINDOW_BUCKET_BITS)
+#define WINDOW_BIT_LOC_MASK(WINDOW_BUCKET_SIZE - 1)
+
+/* minimum number of bucket, power of 2*/
+#define WINDOW_BUCKET_MIN  2
+#define WINDOW_BUCKET_MAX  (INT16_MAX + 1)
+
+#define IS_ESN(sa) ((sa)->sqn_mask == UINT64_MAX)
+
+/*
+ * for given size, calculate required number of buckets.
+ */
+static uint32_t
+replay_num_bucket(uint32_t wsz)
+{
+   uint32_t nb;
+
+   nb = rte_align32pow2(RTE_ALIGN_MUL_CEIL(wsz, WINDOW_BUCKET_SIZE) /
+   WINDOW_BUCKET_SIZE);
+   nb = RTE_MAX(nb, (uint32_t)WINDOW_BUCKET_MIN);
+
+   return nb;
+}
+
+/**
+ * Based on number of buckets calculated required size for the
+ * structure that holds replay window and sequence number (RSN) information.
+ */
+static size_t
+rsn_size(uint32_

[dpdk-dev] [PATCH v5 01/10] cryptodev: add opaque userdata pointer into crypto sym session

[Konstantin Ananyev]

Add 'uint64_t opaque_data' inside struct rte_cryptodev_sym_session.
That allows upper layer to easily associate some user defined
data with the session.

Signed-off-by: Konstantin Ananyev 
Acked-by: Fiona Trahe 
Acked-by: Mohammad Abdul Awal 
Acked-by: Declan Doherty 
Acked-by: Akhil Goyal 
---
 lib/librte_cryptodev/rte_cryptodev.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/librte_cryptodev/rte_cryptodev.h 
b/lib/librte_cryptodev/rte_cryptodev.h
index 4099823f1..009860e7b 100644
--- a/lib/librte_cryptodev/rte_cryptodev.h
+++ b/lib/librte_cryptodev/rte_cryptodev.h
@@ -954,6 +954,8 @@ rte_cryptodev_enqueue_burst(uint8_t dev_id, uint16_t qp_id,
  * has a fixed algo, key, op-type, digest_len etc.
  */
 struct rte_cryptodev_sym_session {
+   uint64_t opaque_data;
+   /**< Opaque user defined data */
__extension__ void *sess_private_data[0];
/**< Private symmetric session material */
 };
-- 
2.17.1

[dpdk-dev] [PATCH v5 03/10] net: add ESP trailer structure definition

[Konstantin Ananyev]

Signed-off-by: Konstantin Ananyev 
Acked-by: Mohammad Abdul Awal 
Acked-by: Declan Doherty 
Acked-by: Akhil Goyal 
---
 lib/librte_net/rte_esp.h | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/librte_net/rte_esp.h b/lib/librte_net/rte_esp.h
index f77ec2eb2..8e1b3d2dd 100644
--- a/lib/librte_net/rte_esp.h
+++ b/lib/librte_net/rte_esp.h
@@ -11,7 +11,7 @@
  * ESP-related defines
  */
 
-#include 
+#include 
 
 #ifdef __cplusplus
 extern "C" {
@@ -25,6 +25,14 @@ struct esp_hdr {
rte_be32_t seq;  /**< packet sequence number */
 } __attribute__((__packed__));
 
+/**
+ * ESP Trailer
+ */
+struct esp_tail {
+   uint8_t pad_len; /**< number of pad bytes (0-255) */
+   uint8_t next_proto;  /**< IPv4 or IPv6 or next layer header */
+} __attribute__((__packed__));
+
 #ifdef __cplusplus
 }
 #endif
-- 
2.17.1

[dpdk-dev] [PATCH v5 05/10] ipsec: add SA data-path API

[Konstantin Ananyev]

Introduce Security Association (SA-level) data-path API
Operates at SA level, provides functions to:
- initialize/teardown SA object
- process inbound/outbound ESP/AH packets associated with the given SA
  (decrypt/encrypt, authenticate, check integrity,
  add/remove ESP/AH related headers and data, etc.).

Signed-off-by: Mohammad Abdul Awal 
Signed-off-by: Konstantin Ananyev 
Acked-by: Declan Doherty 
---
 lib/librte_ipsec/Makefile  |   2 +
 lib/librte_ipsec/meson.build   |   4 +-
 lib/librte_ipsec/rte_ipsec.h   | 152 +
 lib/librte_ipsec/rte_ipsec_version.map |   3 +
 lib/librte_ipsec/sa.c  |  21 +++-
 lib/librte_ipsec/sa.h  |   4 +
 lib/librte_ipsec/ses.c |  45 
 7 files changed, 228 insertions(+), 3 deletions(-)
 create mode 100644 lib/librte_ipsec/rte_ipsec.h
 create mode 100644 lib/librte_ipsec/ses.c

diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
index 0e2868d26..71e39df0b 100644
--- a/lib/librte_ipsec/Makefile
+++ b/lib/librte_ipsec/Makefile
@@ -17,8 +17,10 @@ LIBABIVER := 1
 
 # all source are stored in SRCS-y
 SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += sa.c
+SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += ses.c
 
 # install header files
+SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec.h
 SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sa.h
 
 include $(RTE_SDK)/mk/rte.lib.mk
diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
index 52c78eaeb..6e8c6fabe 100644
--- a/lib/librte_ipsec/meson.build
+++ b/lib/librte_ipsec/meson.build
@@ -3,8 +3,8 @@
 
 allow_experimental_apis = true
 
-sources=files('sa.c')
+sources=files('sa.c', 'ses.c')
 
-install_headers = files('rte_ipsec_sa.h')
+install_headers = files('rte_ipsec.h', 'rte_ipsec_sa.h')
 
 deps += ['mbuf', 'net', 'cryptodev', 'security']
diff --git a/lib/librte_ipsec/rte_ipsec.h b/lib/librte_ipsec/rte_ipsec.h
new file mode 100644
index 0..93e4df1bd
--- /dev/null
+++ b/lib/librte_ipsec/rte_ipsec.h
@@ -0,0 +1,152 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#ifndef _RTE_IPSEC_H_
+#define _RTE_IPSEC_H_
+
+/**
+ * @file rte_ipsec.h
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * RTE IPsec support.
+ * librte_ipsec provides a framework for data-path IPsec protocol
+ * processing (ESP/AH).
+ */
+
+#include 
+#include 
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct rte_ipsec_session;
+
+/**
+ * IPsec session specific functions that will be used to:
+ * - prepare - for input mbufs and given IPsec session prepare crypto ops
+ *   that can be enqueued into the cryptodev associated with given session
+ *   (see *rte_ipsec_pkt_crypto_prepare* below for more details).
+ * - process - finalize processing of packets after crypto-dev finished
+ *   with them or process packets that are subjects to inline IPsec offload
+ *   (see rte_ipsec_pkt_process for more details).
+ */
+struct rte_ipsec_sa_pkt_func {
+   uint16_t (*prepare)(const struct rte_ipsec_session *ss,
+   struct rte_mbuf *mb[],
+   struct rte_crypto_op *cop[],
+   uint16_t num);
+   uint16_t (*process)(const struct rte_ipsec_session *ss,
+   struct rte_mbuf *mb[],
+   uint16_t num);
+};
+
+/**
+ * rte_ipsec_session is an aggregate structure that defines particular
+ * IPsec Security Association IPsec (SA) on given security/crypto device:
+ * - pointer to the SA object
+ * - security session action type
+ * - pointer to security/crypto session, plus other related data
+ * - session/device specific functions to prepare/process IPsec packets.
+ */
+struct rte_ipsec_session {
+   /**
+* SA that session belongs to.
+* Note that multiple sessions can belong to the same SA.
+*/
+   struct rte_ipsec_sa *sa;
+   /** session action type */
+   enum rte_security_session_action_type type;
+   /** session and related data */
+   union {
+   struct {
+   struct rte_cryptodev_sym_session *ses;
+   } crypto;
+   struct {
+   struct rte_security_session *ses;
+   struct rte_security_ctx *ctx;
+   uint32_t ol_flags;
+   } security;
+   };
+   /** functions to prepare/process IPsec packets */
+   struct rte_ipsec_sa_pkt_func pkt_func;
+} __rte_cache_aligned;
+
+/**
+ * Checks that inside given rte_ipsec_session crypto/security fields
+ * are filled correctly and setups function pointers based on these values.
+ * Expects that all fields except IPsec processing function pointers
+ * (*pkt_func*) will be filled correctly by caller.
+ * @param ss
+ *   Pointer to the *rte_ipsec_session* object
+ * @return
+ *   - Zero if operation completed successfully.

[dpdk-dev] [PATCH v5 06/10] ipsec: implement SA data-path API

[Konstantin Ananyev]

Provide implementation for rte_ipsec_pkt_crypto_prepare() and
rte_ipsec_pkt_process().
Current implementation:
 - supports ESP protocol tunnel mode.
 - supports ESP protocol transport mode.
 - supports ESN and replay window.
 - supports algorithms: AES-CBC, AES-GCM, HMAC-SHA1, NULL.
 - covers all currently defined security session types:
- RTE_SECURITY_ACTION_TYPE_NONE
- RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO
- RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
- RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL

For first two types SQN check/update is done by SW (inside the library).
For last two type it is HW/PMD responsibility.

Signed-off-by: Mohammad Abdul Awal 
Signed-off-by: Konstantin Ananyev 
Acked-by: Declan Doherty 
---
 lib/librte_ipsec/crypto.h|  123 
 lib/librte_ipsec/iph.h   |   84 +++
 lib/librte_ipsec/ipsec_sqn.h |  186 ++
 lib/librte_ipsec/pad.h   |   45 ++
 lib/librte_ipsec/sa.c| 1133 +-
 5 files changed, 1569 insertions(+), 2 deletions(-)
 create mode 100644 lib/librte_ipsec/crypto.h
 create mode 100644 lib/librte_ipsec/iph.h
 create mode 100644 lib/librte_ipsec/pad.h

diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
new file mode 100644
index 0..61f5c1433
--- /dev/null
+++ b/lib/librte_ipsec/crypto.h
@@ -0,0 +1,123 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#ifndef _CRYPTO_H_
+#define _CRYPTO_H_
+
+/**
+ * @file crypto.h
+ * Contains crypto specific functions/structures/macros used internally
+ * by ipsec library.
+ */
+
+ /*
+  * AES-GCM devices have some specific requirements for IV and AAD formats.
+  * Ideally that to be done by the driver itself.
+  */
+
+struct aead_gcm_iv {
+   uint32_t salt;
+   uint64_t iv;
+   uint32_t cnt;
+} __attribute__((packed));
+
+struct aead_gcm_aad {
+   uint32_t spi;
+   /*
+* RFC 4106, section 5:
+* Two formats of the AAD are defined:
+* one for 32-bit sequence numbers, and one for 64-bit ESN.
+*/
+   union {
+   uint32_t u32[2];
+   uint64_t u64;
+   } sqn;
+   uint32_t align0; /* align to 16B boundary */
+} __attribute__((packed));
+
+struct gcm_esph_iv {
+   struct esp_hdr esph;
+   uint64_t iv;
+} __attribute__((packed));
+
+
+static inline void
+aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
+{
+   gcm->salt = salt;
+   gcm->iv = iv;
+   gcm->cnt = rte_cpu_to_be_32(1);
+}
+
+/*
+ * RFC 4106, 5 AAD Construction
+ * spi and sqn should already be converted into network byte order.
+ * Make sure that not used bytes are zeroed.
+ */
+static inline void
+aead_gcm_aad_fill(struct aead_gcm_aad *aad, rte_be32_t spi, rte_be64_t sqn,
+   int esn)
+{
+   aad->spi = spi;
+   if (esn)
+   aad->sqn.u64 = sqn;
+   else {
+   aad->sqn.u32[0] = sqn_low32(sqn);
+   aad->sqn.u32[1] = 0;
+   }
+   aad->align0 = 0;
+}
+
+static inline void
+gen_iv(uint64_t iv[IPSEC_MAX_IV_QWORD], rte_be64_t sqn)
+{
+   iv[0] = sqn;
+   iv[1] = 0;
+}
+
+/*
+ * from RFC 4303 3.3.2.1.4:
+ * If the ESN option is enabled for the SA, the high-order 32
+ * bits of the sequence number are appended after the Next Header field
+ * for purposes of this computation, but are not transmitted.
+ */
+
+/*
+ * Helper function that moves ICV by 4B below, and inserts SQN.hibits.
+ * icv parameter points to the new start of ICV.
+ */
+static inline void
+insert_sqh(uint32_t sqh, void *picv, uint32_t icv_len)
+{
+   uint32_t *icv;
+   int32_t i;
+
+   RTE_ASSERT(icv_len % sizeof(uint32_t) == 0);
+
+   icv = picv;
+   icv_len = icv_len / sizeof(uint32_t);
+   for (i = icv_len; i-- != 0; icv[i] = icv[i - 1])
+   ;
+
+   icv[i] = sqh;
+}
+
+/*
+ * Helper function that moves ICV by 4B up, and removes SQN.hibits.
+ * icv parameter points to the new start of ICV.
+ */
+static inline void
+remove_sqh(void *picv, uint32_t icv_len)
+{
+   uint32_t i, *icv;
+
+   RTE_ASSERT(icv_len % sizeof(uint32_t) == 0);
+
+   icv = picv;
+   icv_len = icv_len / sizeof(uint32_t);
+   for (i = 0; i != icv_len; i++)
+   icv[i] = icv[i + 1];
+}
+
+#endif /* _CRYPTO_H_ */
diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
new file mode 100644
index 0..58930cf18
--- /dev/null
+++ b/lib/librte_ipsec/iph.h
@@ -0,0 +1,84 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#ifndef _IPH_H_
+#define _IPH_H_
+
+/**
+ * @file iph.h
+ * Contains functions/structures/macros to manipulate IPv4/IPv6 headers
+ * used internally by ipsec library.
+ */
+
+/*
+ * Move preceding (L3) headers down to remove ESP header and IV.
+ */
+static inline void
+remove_esph(char *np, char *op, uint32_t hlen)
+{
+   uint32_t i;
+
+   for (i = hlen; i-- != 0; np[i] = op[i])
+ 

[dpdk-dev] [PATCH v5 08/10] ipsec: helper functions to group completed crypto-ops

[Konstantin Ananyev]

Introduce helper functions to process completed crypto-ops
and group related packets by sessions they belong to.

Signed-off-by: Konstantin Ananyev 
Acked-by: Declan Doherty 
---
 lib/librte_ipsec/Makefile  |   1 +
 lib/librte_ipsec/meson.build   |   2 +-
 lib/librte_ipsec/rte_ipsec.h   |   2 +
 lib/librte_ipsec/rte_ipsec_group.h | 151 +
 lib/librte_ipsec/rte_ipsec_version.map |   2 +
 5 files changed, 157 insertions(+), 1 deletion(-)
 create mode 100644 lib/librte_ipsec/rte_ipsec_group.h

diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
index 71e39df0b..77506d6ad 100644
--- a/lib/librte_ipsec/Makefile
+++ b/lib/librte_ipsec/Makefile
@@ -21,6 +21,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += ses.c
 
 # install header files
 SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec.h
+SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_group.h
 SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sa.h
 
 include $(RTE_SDK)/mk/rte.lib.mk
diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
index 6e8c6fabe..d2427b809 100644
--- a/lib/librte_ipsec/meson.build
+++ b/lib/librte_ipsec/meson.build
@@ -5,6 +5,6 @@ allow_experimental_apis = true
 
 sources=files('sa.c', 'ses.c')
 
-install_headers = files('rte_ipsec.h', 'rte_ipsec_sa.h')
+install_headers = files('rte_ipsec.h', 'rte_ipsec_group.h', 'rte_ipsec_sa.h')
 
 deps += ['mbuf', 'net', 'cryptodev', 'security']
diff --git a/lib/librte_ipsec/rte_ipsec.h b/lib/librte_ipsec/rte_ipsec.h
index 93e4df1bd..ff1ec801e 100644
--- a/lib/librte_ipsec/rte_ipsec.h
+++ b/lib/librte_ipsec/rte_ipsec.h
@@ -145,6 +145,8 @@ rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, 
struct rte_mbuf *mb[],
return ss->pkt_func.process(ss, mb, num);
 }
 
+#include 
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/lib/librte_ipsec/rte_ipsec_group.h 
b/lib/librte_ipsec/rte_ipsec_group.h
new file mode 100644
index 0..696ed277a
--- /dev/null
+++ b/lib/librte_ipsec/rte_ipsec_group.h
@@ -0,0 +1,151 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#ifndef _RTE_IPSEC_GROUP_H_
+#define _RTE_IPSEC_GROUP_H_
+
+/**
+ * @file rte_ipsec_group.h
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * RTE IPsec support.
+ * It is not recommended to include this file direclty,
+ * include  instead.
+ * Contains helper functions to process completed crypto-ops
+ * and group related packets by sessions they belong to.
+ */
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Used to group mbufs by some id.
+ * See below for particular usage.
+ */
+struct rte_ipsec_group {
+   union {
+   uint64_t val;
+   void *ptr;
+   } id; /**< grouped by value */
+   struct rte_mbuf **m;  /**< start of the group */
+   uint32_t cnt; /**< number of entries in the group */
+   int32_t rc;   /**< status code associated with the group */
+};
+
+/**
+ * Take crypto-op as an input and extract pointer to related ipsec session.
+ * @param cop
+ *   The address of an input *rte_crypto_op* structure.
+ * @return
+ *   The pointer to the related *rte_ipsec_session* structure.
+ */
+static inline __rte_experimental struct rte_ipsec_session *
+rte_ipsec_ses_from_crypto(const struct rte_crypto_op *cop)
+{
+   const struct rte_security_session *ss;
+   const struct rte_cryptodev_sym_session *cs;
+
+   if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+   ss = cop->sym[0].sec_session;
+   return (void *)(uintptr_t)ss->opaque_data;
+   } else if (cop->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
+   cs = cop->sym[0].session;
+   return (void *)(uintptr_t)cs->opaque_data;
+   }
+   return NULL;
+}
+
+/**
+ * Take as input completed crypto ops, extract related mbufs
+ * and group them by rte_ipsec_session they belong to.
+ * For mbuf which crypto-op wasn't completed successfully
+ * PKT_RX_SEC_OFFLOAD_FAILED will be raised in ol_flags.
+ * Note that mbufs with undetermined SA (session-less) are not freed
+ * by the function, but are placed beyond mbufs for the last valid group.
+ * It is a user responsibility to handle them further.
+ * @param cop
+ *   The address of an array of *num* pointers to the input *rte_crypto_op*
+ *   structures.
+ * @param mb
+ *   The address of an array of *num* pointers to output *rte_mbuf* structures.
+ * @param grp
+ *   The address of an array of *num* to output *rte_ipsec_group* structures.
+ * @param num
+ *   The maximum number of crypto-ops to process.
+ * @return
+ *   Number of filled elements in *grp* array.
+ */
+static inline uint16_t __rte_experimental
+rte_ipsec_pkt_crypto_group(const struct rte_crypto_op *cop[],
+   struct rte_mbuf *mb[], struct rte_ipsec_group grp[], uint16_t num)
+{
+   uint32_t i, j, k, n;
+   void *ns, *ps;
+   struct rte_mbuf *m, *dr[num];
+
+   j =

[dpdk-dev] [PATCH v5 10/10] doc: add IPsec library guide

[Konstantin Ananyev]

Add IPsec library guide and update release notes.

Signed-off-by: Bernard Iremonger 
Signed-off-by: Konstantin Ananyev 
---
 doc/guides/prog_guide/index.rst|   1 +
 doc/guides/prog_guide/ipsec_lib.rst| 168 +
 doc/guides/rel_notes/release_19_02.rst |  11 ++
 3 files changed, 180 insertions(+)
 create mode 100644 doc/guides/prog_guide/ipsec_lib.rst

diff --git a/doc/guides/prog_guide/index.rst b/doc/guides/prog_guide/index.rst
index ba8c1f6ad..6726b1e8d 100644
--- a/doc/guides/prog_guide/index.rst
+++ b/doc/guides/prog_guide/index.rst
@@ -54,6 +54,7 @@ Programmer's Guide
 vhost_lib
 metrics_lib
 bpf_lib
+ipsec_lib
 source_org
 dev_kit_build_system
 dev_kit_root_make_help
diff --git a/doc/guides/prog_guide/ipsec_lib.rst 
b/doc/guides/prog_guide/ipsec_lib.rst
new file mode 100644
index 0..e50d357c8
--- /dev/null
+++ b/doc/guides/prog_guide/ipsec_lib.rst
@@ -0,0 +1,168 @@
+..  SPDX-License-Identifier: BSD-3-Clause
+Copyright(c) 2018 Intel Corporation.
+
+IPsec Packet Processing Library
+===
+
+DPDK provides a library for IPsec data-path processing.
+The library utilizes the existing DPDK crypto-dev and
+security API to provide the application with a transparent and
+high performant IPsec packet processing API.
+The library is concentrated on data-path protocols processing
+(ESP and AH), IKE protocol(s) implementation is out of scope
+for this library.
+
+SA level API
+
+
+This API operates on the IPsec Security Association (SA) level.
+It provides functionality that allows user for given SA to process
+inbound and outbound IPsec packets.
+
+To be more specific:
+
+*  for inbound ESP/AH packets perform decryption, authentication, integrity 
checking, remove ESP/AH related headers
+*  for outbound packets perform payload encryption, attach ICV, update/add IP 
headers, add ESP/AH headers/trailers,
+*  setup related mbuf fields (ol_flags, tx_offloads, etc.).
+*  initialize/un-initialize given SA based on user provided parameters.
+
+The SA level API is based on top of crypto-dev/security API and relies on
+them to perform actual cipher and integrity checking.
+
+Due to the nature of the crypto-dev API (enqueue/dequeue model) the library
+introduces an asynchronous API for IPsec packets destined to be processed by
+the crypto-device.
+
+The expected API call sequence for data-path processing would be:
+
+.. code-block:: c
+
+/* enqueue for processing by crypto-device */
+rte_ipsec_pkt_crypto_prepare(...);
+rte_cryptodev_enqueue_burst(...);
+/* dequeue from crypto-device and do final processing (if any) */
+rte_cryptodev_dequeue_burst(...);
+rte_ipsec_pkt_crypto_group(...); /* optional */
+rte_ipsec_pkt_process(...);
+
+For packets destined for inline processing no extra overhead
+is required and the synchronous API call: rte_ipsec_pkt_process()
+is sufficient for that case.
+
+.. note::
+
+For more details about the IPsec API, please refer to the *DPDK API 
Reference*.
+
+The current implementation supports all four currently defined
+rte_security types:
+
+RTE_SECURITY_ACTION_TYPE_NONE
+~
+
+In that mode the library functions perform
+
+* for inbound packets:
+
+  - check SQN
+  - prepare *rte_crypto_op* structure for each input packet
+  - verify that integity check and decryption performed by crypto device
+completed successfully
+  - check padding data
+  - remove outer IP header (tunnel mode) / update IP header (transport mode)
+  - remove ESP header and trailer, padding, IV and ICV data
+  - update SA replay window
+
+* for outbound packets:
+
+  - generate SQN and IV
+  - add outer IP header (tunnel mode) / update IP header (transport mode)
+  - add ESP header and trailer, padding and IV data
+  - prepare *rte_crypto_op* structure for each input packet
+  - verify that crypto device operations (encryption, ICV generation)
+were completed successfully
+
+RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO
+~~
+
+In that mode the library functions perform
+
+* for inbound packets:
+
+  - verify that integity check and decryption performed by *rte_security *
+device completed successfully
+  - check SQN
+  - check padding data
+  - remove outer IP header (tunnel mode) / update IP header (transport mode)
+  - remove ESP header and trailer, padding, IV and ICV data
+  - update SA replay window
+
+* for outbound packets:
+
+  - generate SQN and IV
+  - add outer IP header (tunnel mode) / update IP header (transport mode)
+  - add ESP header and trailer, padding and IV data
+  - update *ol_flags* inside *struct  rte_mbuf* to inidicate that
+inline-crypto processing has to be performed by HW on this packet
+  - invoke *rte_security* device specific *set_pkt_metadata()* to associate
+secuirty device specific data with the packet
+
+RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
+~~

[dpdk-dev] [PATCH v5 09/10] test/ipsec: introduce functional test

[Konstantin Ananyev]

Create functional test for librte_ipsec.
Note that the test requires null crypto pmd to pass successfully.

Signed-off-by: Mohammad Abdul Awal 
Signed-off-by: Bernard Iremonger 
Acked-by: Declan Doherty 
Signed-off-by: Konstantin Ananyev 
---
 test/test/Makefile |3 +
 test/test/meson.build  |3 +
 test/test/test_ipsec.c | 2555 
 3 files changed, 2561 insertions(+)
 create mode 100644 test/test/test_ipsec.c

diff --git a/test/test/Makefile b/test/test/Makefile
index ab4fec34a..e7c8108f2 100644
--- a/test/test/Makefile
+++ b/test/test/Makefile
@@ -207,6 +207,9 @@ SRCS-$(CONFIG_RTE_LIBRTE_KVARGS) += test_kvargs.c
 
 SRCS-$(CONFIG_RTE_LIBRTE_BPF) += test_bpf.c
 
+SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += test_ipsec.c
+LDLIBS += -lrte_ipsec
+
 CFLAGS += -DALLOW_EXPERIMENTAL_API
 
 CFLAGS += -O3
diff --git a/test/test/meson.build b/test/test/meson.build
index 5a4816fed..9e45baf7a 100644
--- a/test/test/meson.build
+++ b/test/test/meson.build
@@ -50,6 +50,7 @@ test_sources = files('commands.c',
'test_hash_perf.c',
'test_hash_readwrite_lf.c',
'test_interrupts.c',
+   'test_ipsec.c',
'test_kni.c',
'test_kvargs.c',
'test_link_bonding.c',
@@ -117,6 +118,7 @@ test_deps = ['acl',
'eventdev',
'flow_classify',
'hash',
+   'ipsec',
'lpm',
'member',
'metrics',
@@ -182,6 +184,7 @@ test_names = [
'hash_readwrite_autotest',
'hash_readwrite_lf_autotest',
'interrupt_autotest',
+   'ipsec_autotest',
'kni_autotest',
'kvargs_autotest',
'link_bonding_autotest',
diff --git a/test/test/test_ipsec.c b/test/test/test_ipsec.c
new file mode 100644
index 0..d1625af1f
--- /dev/null
+++ b/test/test/test_ipsec.c
@@ -0,0 +1,2555 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#include 
+
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "test.h"
+#include "test_cryptodev.h"
+
+#define VDEV_ARGS_SIZE 100
+#define MAX_NB_SESSIONS100
+#define MAX_NB_SAS 2
+#define REPLAY_WIN_0   0
+#define REPLAY_WIN_32  32
+#define REPLAY_WIN_64  64
+#define REPLAY_WIN_128 128
+#define REPLAY_WIN_256 256
+#define DATA_64_BYTES  64
+#define DATA_80_BYTES  80
+#define DATA_100_BYTES 100
+#define ESN_ENABLED1
+#define ESN_DISABLED   0
+#define INBOUND_SPI7
+#define OUTBOUND_SPI   17
+#define BURST_SIZE 32
+#define REORDER_PKTS   1
+
+struct user_params {
+   enum rte_crypto_sym_xform_type auth;
+   enum rte_crypto_sym_xform_type cipher;
+   enum rte_crypto_sym_xform_type aead;
+
+   char auth_algo[128];
+   char cipher_algo[128];
+   char aead_algo[128];
+};
+
+struct ipsec_testsuite_params {
+   struct rte_mempool *mbuf_pool;
+   struct rte_mempool *cop_mpool;
+   struct rte_mempool *session_mpool;
+   struct rte_cryptodev_config conf;
+   struct rte_cryptodev_qp_conf qp_conf;
+
+   uint8_t valid_devs[RTE_CRYPTO_MAX_DEVS];
+   uint8_t valid_dev_count;
+};
+
+struct ipsec_unitest_params {
+   struct rte_crypto_sym_xform cipher_xform;
+   struct rte_crypto_sym_xform auth_xform;
+   struct rte_crypto_sym_xform aead_xform;
+   struct rte_crypto_sym_xform *crypto_xforms;
+
+   struct rte_security_ipsec_xform ipsec_xform;
+
+   struct rte_ipsec_sa_prm sa_prm;
+   struct rte_ipsec_session ss[MAX_NB_SAS];
+
+   struct rte_crypto_op *cop[BURST_SIZE];
+
+   struct rte_mbuf *obuf[BURST_SIZE], *ibuf[BURST_SIZE],
+   *testbuf[BURST_SIZE];
+
+   uint8_t *digest;
+   uint16_t pkt_index;
+};
+
+struct ipsec_test_cfg {
+   uint32_t replay_win_sz;
+   uint32_t esn;
+   uint64_t flags;
+   size_t pkt_sz;
+   uint16_t num_pkts;
+   uint32_t reorder_pkts;
+};
+
+static const struct ipsec_test_cfg test_cfg[] = {
+
+   {REPLAY_WIN_0, ESN_DISABLED, 0, DATA_64_BYTES, 1, 0},
+   {REPLAY_WIN_0, ESN_DISABLED, 0, DATA_80_BYTES, BURST_SIZE,
+   REORDER_PKTS},
+   {REPLAY_WIN_32, ESN_ENABLED, 0, DATA_100_BYTES, 1, 0},
+   {REPLAY_WIN_32, ESN_ENABLED, 0, DATA_100_BYTES, BURST_SIZE,
+   REORDER_PKTS},
+   {REPLAY_WIN_64, ESN_ENABLED, 0, DATA_64_BYTES, 1, 0},
+   {REPLAY_WIN_128, ESN_ENABLED, RTE_IPSEC_SAFLAG_SQN_ATOM,
+   DATA_80_BYTES, 1, 0},
+   {REPLAY_WIN_256, ESN_DISABLED, 0, DATA_100_BYTES, 1, 0},
+};
+
+static const int num_cfg = RTE_DIM(test_cfg);
+static struct ipsec_testsuite_params testsuite_params = { NULL };
+static struct ipsec_unitest_params unittest_params;
+static struct user_params uparams;
+
+static uint8_t global_key[128] = { 0 };
+
+struct supported_cipher_algo {
+   const char *keyword;
+   enum rte_crypto_cip

[dpdk-dev] [PATCH v5 07/10] ipsec: rework SA replay window/SQN for MT environment

[Konstantin Ananyev]

With these changes functions:
  - rte_ipsec_pkt_crypto_prepare
  - rte_ipsec_pkt_process
 can be safely used in MT environment, as long as the user can guarantee
 that they obey multiple readers/single writer model for SQN+replay_window
 operations.
 To be more specific:
 for outbound SA there are no restrictions.
 for inbound SA the caller has to guarantee that at any given moment
 only one thread is executing rte_ipsec_pkt_process() for given SA.
 Note that it is caller responsibility to maintain correct order
 of packets to be processed.

Signed-off-by: Konstantin Ananyev 
Acked-by: Declan Doherty 
---
 lib/librte_ipsec/ipsec_sqn.h| 113 +++-
 lib/librte_ipsec/rte_ipsec_sa.h |  33 ++
 lib/librte_ipsec/sa.c   |  80 +-
 lib/librte_ipsec/sa.h   |  21 +-
 4 files changed, 225 insertions(+), 22 deletions(-)

diff --git a/lib/librte_ipsec/ipsec_sqn.h b/lib/librte_ipsec/ipsec_sqn.h
index 6e18c34eb..7de10bef5 100644
--- a/lib/librte_ipsec/ipsec_sqn.h
+++ b/lib/librte_ipsec/ipsec_sqn.h
@@ -15,6 +15,8 @@
 
 #define IS_ESN(sa) ((sa)->sqn_mask == UINT64_MAX)
 
+#defineSQN_ATOMIC(sa)  ((sa)->type & RTE_IPSEC_SATP_SQN_ATOM)
+
 /*
  * gets SQN.hi32 bits, SQN supposed to be in network byte order.
  */
@@ -140,8 +142,12 @@ esn_outb_update_sqn(struct rte_ipsec_sa *sa, uint32_t *num)
uint64_t n, s, sqn;
 
n = *num;
-   sqn = sa->sqn.outb + n;
-   sa->sqn.outb = sqn;
+   if (SQN_ATOMIC(sa))
+   sqn = (uint64_t)rte_atomic64_add_return(&sa->sqn.outb.atom, n);
+   else {
+   sqn = sa->sqn.outb.raw + n;
+   sa->sqn.outb.raw = sqn;
+   }
 
/* overflow */
if (sqn > sa->sqn_mask) {
@@ -231,4 +237,107 @@ rsn_size(uint32_t nb_bucket)
return sz;
 }
 
+/**
+ * Copy replay window and SQN.
+ */
+static inline void
+rsn_copy(const struct rte_ipsec_sa *sa, uint32_t dst, uint32_t src)
+{
+   uint32_t i, n;
+   struct replay_sqn *d;
+   const struct replay_sqn *s;
+
+   d = sa->sqn.inb.rsn[dst];
+   s = sa->sqn.inb.rsn[src];
+
+   n = sa->replay.nb_bucket;
+
+   d->sqn = s->sqn;
+   for (i = 0; i != n; i++)
+   d->window[i] = s->window[i];
+}
+
+/**
+ * Get RSN for read-only access.
+ */
+static inline struct replay_sqn *
+rsn_acquire(struct rte_ipsec_sa *sa)
+{
+   uint32_t n;
+   struct replay_sqn *rsn;
+
+   n = sa->sqn.inb.rdidx;
+   rsn = sa->sqn.inb.rsn[n];
+
+   if (!SQN_ATOMIC(sa))
+   return rsn;
+
+   /* check there are no writers */
+   while (rte_rwlock_read_trylock(&rsn->rwl) < 0) {
+   rte_pause();
+   n = sa->sqn.inb.rdidx;
+   rsn = sa->sqn.inb.rsn[n];
+   rte_compiler_barrier();
+   }
+
+   return rsn;
+}
+
+/**
+ * Release read-only access for RSN.
+ */
+static inline void
+rsn_release(struct rte_ipsec_sa *sa, struct replay_sqn *rsn)
+{
+   if (SQN_ATOMIC(sa))
+   rte_rwlock_read_unlock(&rsn->rwl);
+}
+
+/**
+ * Start RSN update.
+ */
+static inline struct replay_sqn *
+rsn_update_start(struct rte_ipsec_sa *sa)
+{
+   uint32_t k, n;
+   struct replay_sqn *rsn;
+
+   n = sa->sqn.inb.wridx;
+
+   /* no active writers */
+   RTE_ASSERT(n == sa->sqn.inb.rdidx);
+
+   if (!SQN_ATOMIC(sa))
+   return sa->sqn.inb.rsn[n];
+
+   k = REPLAY_SQN_NEXT(n);
+   sa->sqn.inb.wridx = k;
+
+   rsn = sa->sqn.inb.rsn[k];
+   rte_rwlock_write_lock(&rsn->rwl);
+   rsn_copy(sa, k, n);
+
+   return rsn;
+}
+
+/**
+ * Finish RSN update.
+ */
+static inline void
+rsn_update_finish(struct rte_ipsec_sa *sa, struct replay_sqn *rsn)
+{
+   uint32_t n;
+
+   if (!SQN_ATOMIC(sa))
+   return;
+
+   n = sa->sqn.inb.wridx;
+   RTE_ASSERT(n != sa->sqn.inb.rdidx);
+   RTE_ASSERT(rsn - sa->sqn.inb.rsn == n);
+
+   rte_rwlock_write_unlock(&rsn->rwl);
+   sa->sqn.inb.rdidx = n;
+}
+
+
 #endif /* _IPSEC_SQN_H_ */
diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
index d99028c2c..7802da3b1 100644
--- a/lib/librte_ipsec/rte_ipsec_sa.h
+++ b/lib/librte_ipsec/rte_ipsec_sa.h
@@ -55,6 +55,27 @@ struct rte_ipsec_sa_prm {
uint32_t replay_win_sz;
 };
 
+/**
+ * Indicates that SA will(/will not) need an 'atomic' access
+ * to sequence number and replay window.
+ * 'atomic' here means:
+ * functions:
+ *  - rte_ipsec_pkt_crypto_prepare
+ *  - rte_ipsec_pkt_process
+ * can be safely used in MT environment, as long as the user can guarantee
+ * that they obey multiple readers/single writer model for SQN+replay_window
+ * operations.
+ * To be more specific:
+ * for outbound SA there are no restrictions.
+ * for inbound SA the caller has to guarantee that at any given moment
+ * only one thread is executing rte_ipsec_pkt_process() for given SA.
+ * Note that it is caller responsibility to maintain correct

[dpdk-dev] [PATCH v5 00/10] examples/ipsec-secgw: make app to use ipsec library

[Konstantin Ananyev]

This patch series depends on the patch series:

ipsec: new library for IPsec data-path processing
http://patches.dpdk.org/patch/49332/
http://patches.dpdk.org/patch/49333/
http://patches.dpdk.org/patch/49334/
http://patches.dpdk.org/patch/49335/
http://patches.dpdk.org/patch/49336/
http://patches.dpdk.org/patch/49337/
http://patches.dpdk.org/patch/49338/
http://patches.dpdk.org/patch/49339/
http://patches.dpdk.org/patch/49340/
http://patches.dpdk.org/patch/49341/

to be applied first.

v4 -> v5
- Address Akhil comments:
 documentation update
 spell checks spacing etc.
 introduce rxoffload/txoffload parameters
 single SA for ipv6
 update Makefile

v3 -> v4
 - fix few issues with the test scripts
 - update docs

v2 -> v3
 - add IPv6 cases into test scripts
 - fixes for IPv6 support
 - fixes for inline-crypto support
 - some code restructuring

v1 -> v2
 - Several bug fixes

That series contians few bug-fixes and changes to make ipsec-secgw
to utilize librte_ipsec library:
 - changes in the related data structures.
 - changes in the initialization code.
 - changes in the data-path code.
 - new command-line parameters to enable librte_ipsec codepath
   and related features.
 - test scripts to help automate ipsec-secgw functional testing.

Note that right now by default current (non-librte_ipsec) code-path
will be used. User has to run application with new command-line option
('-l')
to enable new codepath.
The main reason for that:
  - current librte_ipsec doesn't support all ipsec algorithms
and features that the app does.
  - allow users to run both versions in parallel for some time
to figure out any functional or performance degradation with the
new code.

Test scripts were run with the following crypto devices:
 - aesni_mb
 - aesni_gcm
 - qat

Konstantin Ananyev (10):
  examples/ipsec-secgw: allow user to disable some RX/TX offloads
  examples/ipsec-secgw: allow to specify neighbour mac address
  examples/ipsec-secgw: fix crypto-op might never get dequeued
  examples/ipsec-secgw: fix outbound codepath for single SA
  examples/ipsec-secgw: make local variables static
  examples/ipsec-secgw: fix inbound SA checking
  examples/ipsec-secgw: make app to use ipsec library
  examples/ipsec-secgw: make data-path to use ipsec library
  examples/ipsec-secgw: add scripts for functional test
  doc: update ipsec-secgw guide and relelase notes

 doc/guides/rel_notes/release_19_02.rst|  14 +
 doc/guides/sample_app_ug/ipsec_secgw.rst  | 159 +-
 examples/ipsec-secgw/Makefile |   5 +-
 examples/ipsec-secgw/ipsec-secgw.c| 480 ++
 examples/ipsec-secgw/ipsec.c  |  62 ++-
 examples/ipsec-secgw/ipsec.h  |  67 +++
 examples/ipsec-secgw/ipsec_process.c  | 341 +
 examples/ipsec-secgw/meson.build  |   6 +-
 examples/ipsec-secgw/parser.c |  91 
 examples/ipsec-secgw/parser.h |   8 +-
 examples/ipsec-secgw/sa.c | 263 +-
 examples/ipsec-secgw/sp4.c|  35 +-
 examples/ipsec-secgw/sp6.c|  35 +-
 examples/ipsec-secgw/test/common_defs.sh  | 153 ++
 examples/ipsec-secgw/test/data_rxtx.sh|  62 +++
 examples/ipsec-secgw/test/linux_test4.sh  |  63 +++
 examples/ipsec-secgw/test/linux_test6.sh  |  64 +++
 examples/ipsec-secgw/test/run_test.sh |  80 +++
 .../test/trs_aescbc_sha1_common_defs.sh   |  69 +++
 .../ipsec-secgw/test/trs_aescbc_sha1_defs.sh  |  67 +++
 .../test/trs_aescbc_sha1_esn_atom_defs.sh |   5 +
 .../test/trs_aescbc_sha1_esn_defs.sh  |  66 +++
 .../test/trs_aescbc_sha1_old_defs.sh  |   5 +
 .../test/trs_aesgcm_common_defs.sh|  60 +++
 examples/ipsec-secgw/test/trs_aesgcm_defs.sh  |  66 +++
 .../test/trs_aesgcm_esn_atom_defs.sh  |   5 +
 .../ipsec-secgw/test/trs_aesgcm_esn_defs.sh   |  66 +++
 .../ipsec-secgw/test/trs_aesgcm_old_defs.sh   |   5 +
 .../test/tun_aescbc_sha1_common_defs.sh   |  68 +++
 .../ipsec-secgw/test/tun_aescbc_sha1_defs.sh  |  70 +++
 .../test/tun_aescbc_sha1_esn_atom_defs.sh |   5 +
 .../test/tun_aescbc_sha1_esn_defs.sh  |  70 +++
 .../test/tun_aescbc_sha1_old_defs.sh  |   5 +
 .../test/tun_aesgcm_common_defs.sh|  60 +++
 examples/ipsec-secgw/test/tun_aesgcm_defs.sh  |  70 +++
 .../test/tun_aesgcm_esn_atom_defs.sh  |   5 +
 .../ipsec-secgw/test/tun_aesgcm_esn_defs.sh   |  70 +++
 .../ipsec-secgw/test/tun_aesgcm_old_defs.sh   |   5 +
 38 files changed, 2685 insertions(+), 145 deletions(-)
 create mode 100644 examples/ipsec-secgw/ipsec_process.c
 create mode 100644 examples/ipsec-secgw/test/common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/data_rxtx.sh
 create mode 100644 examples/ipsec-secgw/test/linux_test4.sh
 create mode 100644 examples/ipsec-secgw/test/linux_test6.sh
 create mode 100644 examples/ipse

[dpdk-dev] [PATCH v5 01/10] examples/ipsec-secgw: allow user to disable some RX/TX offloads

[Konstantin Ananyev]

Right now ipsec-secgw always enables TX offloads
(DEV_TX_OFFLOAD_MULTI_SEGS, DEV_TX_OFFLOAD_SECURITY),
even when they are not requested by the config.
That causes many PMD to choose full-featured TX function,
which in many cases is much slower then one without offloads.
That patch adds ability for the user to disable unneeded HW offloads.
If DEV_TX_OFFLOAD_IPV4_CKSUM is disabled by user, then
SW version of ip cksum calculation is used.
That allows to use vector TX function, when inline-ipsec is not
requested.

Signed-off-by: Remy Horton 
Signed-off-by: Konstantin Ananyev 
Acked-by: Radu Nicolau 
---
 doc/guides/sample_app_ug/ipsec_secgw.rst |  12 +++
 examples/ipsec-secgw/ipsec-secgw.c   | 126 ---
 examples/ipsec-secgw/ipsec.h |   6 ++
 examples/ipsec-secgw/sa.c|  35 +++
 4 files changed, 164 insertions(+), 15 deletions(-)

diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst 
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 4869a011d..244bde2de 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -95,6 +95,8 @@ The application has a number of command line options::
 -p PORTMASK -P -u PORTMASK -j FRAMESIZE
 --config (port,queue,lcore)[,(port,queue,lcore]
 --single-sa SAIDX
+--rxoffload MASK
+--txoffload MASK
 -f CONFIG_FILE_PATH
 
 Where:
@@ -119,6 +121,16 @@ Where:
 on both Inbound and Outbound. This option is meant for 
debugging/performance
 purposes.
 
+*   ``--rxoffload MASK``: RX HW offload capabilities to enable/use on this port
+(bitmask of DEV_RX_OFFLOAD_* values). It is an optional parameter and
+allows user to disable some of the RX HW offload capabilities.
+By default all HW RX offloads are enabled.
+
+*   ``--txoffload MASK``: TX HW offload capabilities to enable/use on this port
+(bitmask of DEV_TX_OFFLOAD_* values). It is an optional parameter and
+allows user to disable some of the TX HW offload capabilities.
+By default all HW TX offloads are enabled.
+
 *   ``-f CONFIG_FILE_PATH``: the full path of text-based file containing all
 configuration items for running the application (See Configuration file
 syntax section below). ``-f CONFIG_FILE_PATH`` **must** be specified.
diff --git a/examples/ipsec-secgw/ipsec-secgw.c 
b/examples/ipsec-secgw/ipsec-secgw.c
index 1bc0b5b50..f5db3da0c 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -124,6 +124,8 @@ struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
 #define CMD_LINE_OPT_CONFIG"config"
 #define CMD_LINE_OPT_SINGLE_SA "single-sa"
 #define CMD_LINE_OPT_CRYPTODEV_MASK"cryptodev_mask"
+#define CMD_LINE_OPT_RX_OFFLOAD"rxoffload"
+#define CMD_LINE_OPT_TX_OFFLOAD"txoffload"
 
 enum {
/* long options mapped to a short option */
@@ -135,12 +137,16 @@ enum {
CMD_LINE_OPT_CONFIG_NUM,
CMD_LINE_OPT_SINGLE_SA_NUM,
CMD_LINE_OPT_CRYPTODEV_MASK_NUM,
+   CMD_LINE_OPT_RX_OFFLOAD_NUM,
+   CMD_LINE_OPT_TX_OFFLOAD_NUM,
 };
 
 static const struct option lgopts[] = {
{CMD_LINE_OPT_CONFIG, 1, 0, CMD_LINE_OPT_CONFIG_NUM},
{CMD_LINE_OPT_SINGLE_SA, 1, 0, CMD_LINE_OPT_SINGLE_SA_NUM},
{CMD_LINE_OPT_CRYPTODEV_MASK, 1, 0, CMD_LINE_OPT_CRYPTODEV_MASK_NUM},
+   {CMD_LINE_OPT_RX_OFFLOAD, 1, 0, CMD_LINE_OPT_RX_OFFLOAD_NUM},
+   {CMD_LINE_OPT_TX_OFFLOAD, 1, 0, CMD_LINE_OPT_TX_OFFLOAD_NUM},
{NULL, 0, 0, 0}
 };
 
@@ -155,6 +161,13 @@ static uint32_t single_sa;
 static uint32_t single_sa_idx;
 static uint32_t frame_size;
 
+/*
+ * RX/TX HW offload capabilities to enable/use on ethernet ports.
+ * By default all capabilities are enabled.
+ */
+static uint64_t dev_rx_offload = UINT64_MAX;
+static uint64_t dev_tx_offload = UINT64_MAX;
+
 struct lcore_rx_queue {
uint16_t port_id;
uint8_t queue_id;
@@ -208,8 +221,6 @@ static struct rte_eth_conf port_conf = {
},
.txmode = {
.mq_mode = ETH_MQ_TX_NONE,
-   .offloads = (DEV_TX_OFFLOAD_IPV4_CKSUM |
-DEV_TX_OFFLOAD_MULTI_SEGS),
},
 };
 
@@ -315,7 +326,8 @@ prepare_traffic(struct rte_mbuf **pkts, struct 
ipsec_traffic *t,
 }
 
 static inline void
-prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port)
+prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port,
+   const struct lcore_conf *qconf)
 {
struct ip *ip;
struct ether_hdr *ethhdr;
@@ -325,14 +337,19 @@ prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port)
ethhdr = (struct ether_hdr *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN);
 
if (ip->ip_v == IPVERSION) {
-   pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
+   pkt->ol_flags |= qconf->outbound.ipv4_offloads;
   

[dpdk-dev] [PATCH v5 02/10] examples/ipsec-secgw: allow to specify neighbour mac address

[Konstantin Ananyev]

In some cases it is useful to allow user to specify destination
ether address for outgoing packets.
This patch adds such ability by introducing new 'neigh' config
file option.

Signed-off-by: Konstantin Ananyev 
Acked-by: Radu Nicolau 
---
 doc/guides/sample_app_ug/ipsec_secgw.rst | 42 ++-
 examples/ipsec-secgw/ipsec-secgw.c   | 21 --
 examples/ipsec-secgw/ipsec.h |  3 +
 examples/ipsec-secgw/parser.c| 91 
 examples/ipsec-secgw/parser.h|  8 +--
 5 files changed, 154 insertions(+), 11 deletions(-)

diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst 
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 244bde2de..61638e733 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -217,7 +217,7 @@ Configurations
 --
 
 The following sections provide the syntax of configurations to initialize
-your SP, SA and Routing tables.
+your SP, SA, Routing and Neighbour tables.
 Configurations shall be specified in the configuration file to be passed to
 the application. The file is then parsed by the application. The successful
 parsing will result in the appropriate rules being applied to the tables
@@ -238,8 +238,8 @@ General rule syntax
 
 The parse treats one line in the configuration file as one configuration
 item (unless the line concatenation symbol exists). Every configuration
-item shall follow the syntax of either SP, SA, or Routing rules specified
-below.
+item shall follow the syntax of either SP, SA, Routing or Neighbour
+rules specified below.
 
 The configuration parser supports the following special symbols:
 
@@ -631,3 +631,39 @@ Example SP rules:
 rt ipv4 dst 172.16.1.5/32 port 0
 
 rt ipv6 dst :::::::/116 port 0
+
+Neighbour rule syntax
+^
+
+The Neighbour rule syntax is shown as follows:
+
+.. code-block:: console
+
+neigh  
+
+
+where each options means:
+
+
+
+ * The output port id
+
+ * Optional: No
+
+ * Syntax: *port X*
+
+
+
+ * The destination ethernet address to use for that port
+
+ * Optional: No
+
+ * Syntax:
+
+   * XX:XX:XX:XX:XX:XX
+
+Example Neighbour rules:
+
+.. code-block:: console
+
+neigh port 0 DE:AD:BE:EF:01:02
diff --git a/examples/ipsec-secgw/ipsec-secgw.c 
b/examples/ipsec-secgw/ipsec-secgw.c
index f5db3da0c..274a49cbb 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -104,9 +104,9 @@ static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
 #define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
 
 #define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
-   addr.addr_bytes[0], addr.addr_bytes[1], \
-   addr.addr_bytes[2], addr.addr_bytes[3], \
-   addr.addr_bytes[4], addr.addr_bytes[5], \
+   (addr)->addr_bytes[0], (addr)->addr_bytes[1], \
+   (addr)->addr_bytes[2], (addr)->addr_bytes[3], \
+   (addr)->addr_bytes[4], (addr)->addr_bytes[5], \
0, 0)
 
 /* port/source ethernet addr and destination ethernet addr */
@@ -1242,6 +1242,19 @@ print_ethaddr(const char *name, const struct ether_addr 
*eth_addr)
printf("%s%s", name, buf);
 }
 
+/*
+ * Update destination ethaddr for the port.
+ */
+int
+add_dst_ethaddr(uint16_t port, const struct ether_addr *addr)
+{
+   if (port > RTE_DIM(ethaddr_tbl))
+   return -EINVAL;
+
+   ethaddr_tbl[port].dst = ETHADDR_TO_UINT64(addr);
+   return 0;
+}
+
 /* Check the link status of all ports in up to 9s, and print them finally */
 static void
 check_all_ports_link_status(uint32_t port_mask)
@@ -1622,7 +1635,7 @@ port_init(uint16_t portid, uint64_t req_rx_offloads, 
uint64_t req_tx_offloads)
printf("Configuring device port %u:\n", portid);
 
rte_eth_macaddr_get(portid, ðaddr);
-   ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
+   ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ðaddr);
print_ethaddr("Address: ", ðaddr);
printf("\n");
 
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 9b1586f52..580f7876b 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -245,4 +245,7 @@ int
 sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
uint64_t *tx_offloads);
 
+int
+add_dst_ethaddr(uint16_t port, const struct ether_addr *addr);
+
 #endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/parser.c b/examples/ipsec-secgw/parser.c
index 91282ca94..b0a8ee23b 100644
--- a/examples/ipsec-secgw/parser.c
+++ b/examples/ipsec-secgw/parser.c
@@ -306,6 +306,46 @@ parse_range(const char *token, uint16_t *low, uint16_t 
*high)
return 0;
 }
 
+/*
+ * helper function for parse_mac, parse one section of the ether addr.
+ */
+static const char *
+parse_uint8x16(const char *s, uint8_t *v, uint8_t ls)
+{
+   char *end;
+   unsigned long t;
+
+   er

[dpdk-dev] [PATCH v5 03/10] examples/ipsec-secgw: fix crypto-op might never get dequeued

[Konstantin Ananyev]

In some cases crypto-ops could never be dequeued from the crypto-device.
The easiest way to reproduce:
start ipsec-secgw with crypto-dev and send to it less then 32 packets.
none packets will be forwarded.
Reason for that is that the application does dequeue() from crypto-queues
only when new packets arrive.
This patch makes sure it calls dequeue() on a regular basis.

Fixes: c64278c0c18b ("examples/ipsec-secgw: rework processing loop")
Cc: sta...@dpdk.org

Signed-off-by: Konstantin Ananyev 
Acked-by: Radu Nicolau 
---
 examples/ipsec-secgw/ipsec-secgw.c | 136 -
 examples/ipsec-secgw/ipsec.c   |  60 -
 examples/ipsec-secgw/ipsec.h   |  11 +++
 3 files changed, 165 insertions(+), 42 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec-secgw.c 
b/examples/ipsec-secgw/ipsec-secgw.c
index 274a49cbb..797bd6435 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -469,38 +469,55 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, 
struct traffic_type *ip,
ip->num = j;
 }
 
-static inline void
-process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
-   struct ipsec_traffic *traffic)
+static void
+split46_traffic(struct ipsec_traffic *trf, struct rte_mbuf *mb[], uint32_t num)
 {
+   uint32_t i, n4, n6;
+   struct ip *ip;
struct rte_mbuf *m;
-   uint16_t idx, nb_pkts_in, i, n_ip4, n_ip6;
 
-   nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec.pkts,
-   traffic->ipsec.num, MAX_PKT_BURST);
+   n4 = trf->ip4.num;
+   n6 = trf->ip6.num;
 
-   n_ip4 = traffic->ip4.num;
-   n_ip6 = traffic->ip6.num;
+   for (i = 0; i < num; i++) {
+
+   m = mb[i];
+   ip = rte_pktmbuf_mtod(m, struct ip *);
 
-   /* SP/ACL Inbound check ipsec and ip4 */
-   for (i = 0; i < nb_pkts_in; i++) {
-   m = traffic->ipsec.pkts[i];
-   struct ip *ip = rte_pktmbuf_mtod(m, struct ip *);
if (ip->ip_v == IPVERSION) {
-   idx = traffic->ip4.num++;
-   traffic->ip4.pkts[idx] = m;
-   traffic->ip4.data[idx] = rte_pktmbuf_mtod_offset(m,
+   trf->ip4.pkts[n4] = m;
+   trf->ip4.data[n4] = rte_pktmbuf_mtod_offset(m,
uint8_t *, offsetof(struct ip, ip_p));
+   n4++;
} else if (ip->ip_v == IP6_VERSION) {
-   idx = traffic->ip6.num++;
-   traffic->ip6.pkts[idx] = m;
-   traffic->ip6.data[idx] = rte_pktmbuf_mtod_offset(m,
+   trf->ip6.pkts[n6] = m;
+   trf->ip6.data[n6] = rte_pktmbuf_mtod_offset(m,
uint8_t *,
offsetof(struct ip6_hdr, ip6_nxt));
+   n6++;
} else
rte_pktmbuf_free(m);
}
 
+   trf->ip4.num = n4;
+   trf->ip6.num = n6;
+}
+
+
+static inline void
+process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
+   struct ipsec_traffic *traffic)
+{
+   uint16_t nb_pkts_in, n_ip4, n_ip6;
+
+   n_ip4 = traffic->ip4.num;
+   n_ip6 = traffic->ip6.num;
+
+   nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec.pkts,
+   traffic->ipsec.num, MAX_PKT_BURST);
+
+   split46_traffic(traffic, traffic->ipsec.pkts, nb_pkts_in);
+
inbound_sp_sa(ipsec_ctx->sp4_ctx, ipsec_ctx->sa_ctx, &traffic->ip4,
n_ip4);
 
@@ -795,7 +812,7 @@ process_pkts(struct lcore_conf *qconf, struct rte_mbuf 
**pkts,
 }
 
 static inline void
-drain_buffers(struct lcore_conf *qconf)
+drain_tx_buffers(struct lcore_conf *qconf)
 {
struct buffer *buf;
uint32_t portid;
@@ -809,6 +826,81 @@ drain_buffers(struct lcore_conf *qconf)
}
 }
 
+static inline void
+drain_crypto_buffers(struct lcore_conf *qconf)
+{
+   uint32_t i;
+   struct ipsec_ctx *ctx;
+
+   /* drain inbound buffers*/
+   ctx = &qconf->inbound;
+   for (i = 0; i != ctx->nb_qps; i++) {
+   if (ctx->tbl[i].len != 0)
+   enqueue_cop_burst(ctx->tbl  + i);
+   }
+
+   /* drain outbound buffers*/
+   ctx = &qconf->outbound;
+   for (i = 0; i != ctx->nb_qps; i++) {
+   if (ctx->tbl[i].len != 0)
+   enqueue_cop_burst(ctx->tbl  + i);
+   }
+}
+
+static void
+drain_inbound_crypto_queues(const struct lcore_conf *qconf,
+   struct ipsec_ctx *ctx)
+{
+   uint32_t n;
+   struct ipsec_traffic trf;
+
+   /* dequeue packets from crypto-queue */
+   n = ipsec_inbound_cqp_dequeue(ctx, trf.ipsec.pkts,
+   RTE_DIM(trf.ipsec.pkts));
+   if (n == 0)
+   return;
+
+   trf.ip4.num = 0;
+   trf.ip6.num = 0;
+
+   /* split traffic b

[dpdk-dev] [PATCH v5 04/10] examples/ipsec-secgw: fix outbound codepath for single SA

[Konstantin Ananyev]

Looking at process_pkts_outbound_nosp() there seems few issues:
- accessing mbuf after it was freed
- invoking ipsec_outbound() for ipv4 packets only
- copying number of packets, but not the mbuf pointers itself

that patch provides fixes for that issues.

Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Cc: sta...@dpdk.org

Signed-off-by: Konstantin Ananyev 
Acked-by: Radu Nicolau 
---
 examples/ipsec-secgw/ipsec-secgw.c | 33 +-
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec-secgw.c 
b/examples/ipsec-secgw/ipsec-secgw.c
index 797bd6435..cc812d502 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -629,32 +629,45 @@ process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx,
struct ipsec_traffic *traffic)
 {
struct rte_mbuf *m;
-   uint32_t nb_pkts_out, i;
+   uint32_t nb_pkts_out, i, n;
struct ip *ip;
 
/* Drop any IPsec traffic from protected ports */
for (i = 0; i < traffic->ipsec.num; i++)
rte_pktmbuf_free(traffic->ipsec.pkts[i]);
 
-   traffic->ipsec.num = 0;
+   n = 0;
 
-   for (i = 0; i < traffic->ip4.num; i++)
-   traffic->ip4.res[i] = single_sa_idx;
+   for (i = 0; i < traffic->ip4.num; i++) {
+   traffic->ipsec.pkts[n] = traffic->ip4.pkts[i];
+   traffic->ipsec.res[n++] = single_sa_idx;
+   }
 
-   for (i = 0; i < traffic->ip6.num; i++)
-   traffic->ip6.res[i] = single_sa_idx;
+   for (i = 0; i < traffic->ip6.num; i++) {
+   traffic->ipsec.pkts[n] = traffic->ip6.pkts[i];
+   traffic->ipsec.res[n++] = single_sa_idx;
+   }
+
+   traffic->ip4.num = 0;
+   traffic->ip6.num = 0;
+   traffic->ipsec.num = n;
 
-   nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ip4.pkts,
-   traffic->ip4.res, traffic->ip4.num,
+   nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec.pkts,
+   traffic->ipsec.res, traffic->ipsec.num,
MAX_PKT_BURST);
 
/* They all sue the same SA (ip4 or ip6 tunnel) */
m = traffic->ipsec.pkts[i];
ip = rte_pktmbuf_mtod(m, struct ip *);
-   if (ip->ip_v == IPVERSION)
+   if (ip->ip_v == IPVERSION) {
traffic->ip4.num = nb_pkts_out;
-   else
+   for (i = 0; i < nb_pkts_out; i++)
+   traffic->ip4.pkts[i] = traffic->ipsec.pkts[i];
+   } else {
traffic->ip6.num = nb_pkts_out;
+   for (i = 0; i < nb_pkts_out; i++)
+   traffic->ip6.pkts[i] = traffic->ipsec.pkts[i];
+   }
 }
 
 static inline int32_t
-- 
2.17.1

[dpdk-dev] [PATCH v5 05/10] examples/ipsec-secgw: make local variables static

[Konstantin Ananyev]

in sp4.c and sp6.c there are few globals that used only locally.
Define them as static ones.

Cc: sta...@dpdk.org

Signed-off-by: Konstantin Ananyev 
Acked-by: Radu Nicolau 
---
 examples/ipsec-secgw/sp4.c | 10 +-
 examples/ipsec-secgw/sp6.c | 10 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/examples/ipsec-secgw/sp4.c b/examples/ipsec-secgw/sp4.c
index 8d3d3d8e0..6b05daaa9 100644
--- a/examples/ipsec-secgw/sp4.c
+++ b/examples/ipsec-secgw/sp4.c
@@ -44,7 +44,7 @@ enum {
RTE_ACL_IPV4_NUM
 };
 
-struct rte_acl_field_def ip4_defs[NUM_FIELDS_IPV4] = {
+static struct rte_acl_field_def ip4_defs[NUM_FIELDS_IPV4] = {
{
.type = RTE_ACL_FIELD_TYPE_BITMASK,
.size = sizeof(uint8_t),
@@ -85,11 +85,11 @@ struct rte_acl_field_def ip4_defs[NUM_FIELDS_IPV4] = {
 
 RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ip4_defs));
 
-struct acl4_rules acl4_rules_out[MAX_ACL_RULE_NUM];
-uint32_t nb_acl4_rules_out;
+static struct acl4_rules acl4_rules_out[MAX_ACL_RULE_NUM];
+static uint32_t nb_acl4_rules_out;
 
-struct acl4_rules acl4_rules_in[MAX_ACL_RULE_NUM];
-uint32_t nb_acl4_rules_in;
+static struct acl4_rules acl4_rules_in[MAX_ACL_RULE_NUM];
+static uint32_t nb_acl4_rules_in;
 
 void
 parse_sp4_tokens(char **tokens, uint32_t n_tokens,
diff --git a/examples/ipsec-secgw/sp6.c b/examples/ipsec-secgw/sp6.c
index 6002afef3..dc5b94c6a 100644
--- a/examples/ipsec-secgw/sp6.c
+++ b/examples/ipsec-secgw/sp6.c
@@ -34,7 +34,7 @@ enum {
 
 #define IP6_ADDR_SIZE 16
 
-struct rte_acl_field_def ip6_defs[IP6_NUM] = {
+static struct rte_acl_field_def ip6_defs[IP6_NUM] = {
{
.type = RTE_ACL_FIELD_TYPE_BITMASK,
.size = sizeof(uint8_t),
@@ -116,11 +116,11 @@ struct rte_acl_field_def ip6_defs[IP6_NUM] = {
 
 RTE_ACL_RULE_DEF(acl6_rules, RTE_DIM(ip6_defs));
 
-struct acl6_rules acl6_rules_out[MAX_ACL_RULE_NUM];
-uint32_t nb_acl6_rules_out;
+static struct acl6_rules acl6_rules_out[MAX_ACL_RULE_NUM];
+static uint32_t nb_acl6_rules_out;
 
-struct acl6_rules acl6_rules_in[MAX_ACL_RULE_NUM];
-uint32_t nb_acl6_rules_in;
+static struct acl6_rules acl6_rules_in[MAX_ACL_RULE_NUM];
+static uint32_t nb_acl6_rules_in;
 
 void
 parse_sp6_tokens(char **tokens, uint32_t n_tokens,
-- 
2.17.1

[dpdk-dev] [PATCH v5 06/10] examples/ipsec-secgw: fix inbound SA checking

[Konstantin Ananyev]

In the inbound_sa_check() make sure that sa pointer stored
inside mbuf private area is not NULL.

Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Cc: sta...@dpdk.org

Signed-off-by: Bernard Iremonger 
Acked-by: Radu Nicolau 
Signed-off-by: Konstantin Ananyev 
---
 examples/ipsec-secgw/sa.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index f6271bc60..839aaca0c 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -947,10 +947,15 @@ int
 inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx)
 {
struct ipsec_mbuf_metadata *priv;
+   struct ipsec_sa *sa;
 
priv = get_priv(m);
+   sa = priv->sa;
+   if (sa != NULL)
+   return (sa_ctx->sa[sa_idx].spi == sa->spi);
 
-   return (sa_ctx->sa[sa_idx].spi == priv->sa->spi);
+   RTE_LOG(ERR, IPSEC, "SA not saved in private data\n");
+   return 0;
 }
 
 static inline void
-- 
2.17.1

[dpdk-dev] [PATCH v5 08/10] examples/ipsec-secgw: make data-path to use ipsec library

[Konstantin Ananyev]

Changes to make ipsec-secgw data-path code to utilize librte_ipsec library.
Note that right now by default current (non-librte_ipsec) code-path will
be used. User has to run application with new command-line option ('-l')
to enable new codepath.

Signed-off-by: Mohammad Abdul Awal 
Signed-off-by: Bernard Iremonger 
Signed-off-by: Konstantin Ananyev 
Acked-by: Radu Nicolau 
---
 examples/ipsec-secgw/Makefile|   1 +
 examples/ipsec-secgw/ipsec-secgw.c   | 179 --
 examples/ipsec-secgw/ipsec.c |   2 +-
 examples/ipsec-secgw/ipsec.h |  23 ++
 examples/ipsec-secgw/ipsec_process.c | 341 +++
 examples/ipsec-secgw/meson.build |   4 +-
 6 files changed, 471 insertions(+), 79 deletions(-)
 create mode 100644 examples/ipsec-secgw/ipsec_process.c

diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
index 3918ee63e..08f474da6 100644
--- a/examples/ipsec-secgw/Makefile
+++ b/examples/ipsec-secgw/Makefile
@@ -13,6 +13,7 @@ SRCS-y += sp4.c
 SRCS-y += sp6.c
 SRCS-y += sa.c
 SRCS-y += rt.c
+SRCS-y += ipsec_process.c
 SRCS-y += ipsec-secgw.c
 
 CFLAGS += -gdwarf-2
diff --git a/examples/ipsec-secgw/ipsec-secgw.c 
b/examples/ipsec-secgw/ipsec-secgw.c
index c2c9cb2bd..9a340acd6 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -229,19 +229,6 @@ static struct rte_eth_conf port_conf = {
 
 static struct socket_ctx socket_ctx[NB_SOCKETS];
 
-struct traffic_type {
-   const uint8_t *data[MAX_PKT_BURST * 2];
-   struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
-   uint32_t res[MAX_PKT_BURST * 2];
-   uint32_t num;
-};
-
-struct ipsec_traffic {
-   struct traffic_type ipsec;
-   struct traffic_type ip4;
-   struct traffic_type ip6;
-};
-
 static inline void
 prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
 {
@@ -258,6 +245,8 @@ prepare_one_packet(struct rte_mbuf *pkt, struct 
ipsec_traffic *t)
t->ip4.data[t->ip4.num] = nlp;
t->ip4.pkts[(t->ip4.num)++] = pkt;
}
+   pkt->l2_len = 0;
+   pkt->l3_len = sizeof(struct ip);
} else if (eth->ether_type == rte_cpu_to_be_16(ETHER_TYPE_IPv6)) {
nlp = (uint8_t *)rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
nlp = RTE_PTR_ADD(nlp, offsetof(struct ip6_hdr, ip6_nxt));
@@ -267,6 +256,8 @@ prepare_one_packet(struct rte_mbuf *pkt, struct 
ipsec_traffic *t)
t->ip6.data[t->ip6.num] = nlp;
t->ip6.pkts[(t->ip6.num)++] = pkt;
}
+   pkt->l2_len = 0;
+   pkt->l3_len = sizeof(struct ip6_hdr);
} else {
/* Unknown/Unsupported type, drop the packet */
RTE_LOG(ERR, IPSEC, "Unsupported packet type\n");
@@ -516,10 +507,15 @@ process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
n_ip4 = traffic->ip4.num;
n_ip6 = traffic->ip6.num;
 
-   nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec.pkts,
-   traffic->ipsec.num, MAX_PKT_BURST);
-
-   split46_traffic(traffic, traffic->ipsec.pkts, nb_pkts_in);
+   if (app_sa_prm.enable == 0) {
+   nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec.pkts,
+   traffic->ipsec.num, MAX_PKT_BURST);
+   split46_traffic(traffic, traffic->ipsec.pkts, nb_pkts_in);
+   } else {
+   inbound_sa_lookup(ipsec_ctx->sa_ctx, traffic->ipsec.pkts,
+   traffic->ipsec.saptr, traffic->ipsec.num);
+   ipsec_process(ipsec_ctx, traffic);
+   }
 
inbound_sp_sa(ipsec_ctx->sp4_ctx, ipsec_ctx->sa_ctx, &traffic->ip4,
n_ip4);
@@ -575,20 +571,27 @@ process_pkts_outbound(struct ipsec_ctx *ipsec_ctx,
 
outbound_sp(ipsec_ctx->sp6_ctx, &traffic->ip6, &traffic->ipsec);
 
-   nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec.pkts,
-   traffic->ipsec.res, traffic->ipsec.num,
-   MAX_PKT_BURST);
-
-   for (i = 0; i < nb_pkts_out; i++) {
-   m = traffic->ipsec.pkts[i];
-   struct ip *ip = rte_pktmbuf_mtod(m, struct ip *);
-   if (ip->ip_v == IPVERSION) {
-   idx = traffic->ip4.num++;
-   traffic->ip4.pkts[idx] = m;
-   } else {
-   idx = traffic->ip6.num++;
-   traffic->ip6.pkts[idx] = m;
+   if (app_sa_prm.enable == 0) {
+
+   nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec.pkts,
+   traffic->ipsec.res, traffic->ipsec.num,
+   MAX_PKT_BURST);
+
+   for (i = 0; i < nb_pkts_out; i++) {
+   m = traffic->ipsec.pkts[i];
+   struct ip *ip = rte_pktmbuf_mtod(m, struct ip *);
+   if (ip->ip_v == IPVERSION) {
+ 

[dpdk-dev] [PATCH v5 10/10] doc: update ipsec-secgw guide and relelase notes

[Konstantin Ananyev]

Update ipsec-secgw guide and relelase notes to reflect latest changes.

Signed-off-by: Bernard Iremonger 
Signed-off-by: Konstantin Ananyev 
---
 doc/guides/rel_notes/release_19_02.rst   |  14 +++
 doc/guides/sample_app_ug/ipsec_secgw.rst | 105 ++-
 2 files changed, 117 insertions(+), 2 deletions(-)

diff --git a/doc/guides/rel_notes/release_19_02.rst 
b/doc/guides/rel_notes/release_19_02.rst
index 1a9885c44..28dbe3ad0 100644
--- a/doc/guides/rel_notes/release_19_02.rst
+++ b/doc/guides/rel_notes/release_19_02.rst
@@ -116,6 +116,20 @@ New Features
 
   See :doc:`../prog_guide/ipsec_lib` for more information.
 
+* **Updated the ipsec-secgw sample application.**
+
+  The ``ipsec-secgw`` sample application has been updated to use the new
+  ``librte_ipsec`` library also added in this release.
+  The original functionality of ipsec-secgw is retained, a new command line
+  parameter ``-l`` has  been added to ipsec-secgw to use the IPsec library,
+  instead of the existing IPsec code in the application.
+
+  The IPsec library does not support all the functionality of the existing
+  ipsec-secgw application, its is planned to add the outstanding functionality
+  in future releases.
+
+  See :doc:`../sample_app_ug/ipsec_secgw` for more information.
+
 
 Removed Items
 -
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst 
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 61638e733..3d784e705 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -76,7 +76,7 @@ Compiling the Application
 
 To compile the sample application see :doc:`compiling`.
 
-The application is located in the ``rpsec-secgw`` sub-directory.
+The application is located in the ``ipsec-secgw`` sub-directory.
 
 #. [Optional] Build the application for debugging:
This option adds some extra flags, disables compiler optimizations and
@@ -93,6 +93,7 @@ The application has a number of command line options::
 
./build/ipsec-secgw [EAL options] --
 -p PORTMASK -P -u PORTMASK -j FRAMESIZE
+-l -w REPLAY_WINOW_SIZE -e -a
 --config (port,queue,lcore)[,(port,queue,lcore]
 --single-sa SAIDX
 --rxoffload MASK
@@ -114,6 +115,18 @@ Where:
 specified as FRAMESIZE. If an invalid value is provided as FRAMESIZE
 then the default value 9000 is used.
 
+*   ``-l``: enables code-path that uses librte_ipsec.
+
+*   ``-w REPLAY_WINOW_SIZE``: specifies the IPsec sequence number replay window
+size for each Security Association (available only with librte_ipsec
+code path).
+
+*   ``-e``: enables Security Association extended sequence number processing
+(available only with librte_ipsec code path).
+
+*   ``-a``: enables Security Association sequence number atomic behaviour
+(available only with librte_ipsec code path).
+
 *   ``--config (port,queue,lcore)[,(port,queue,lcore)]``: determines which 
queues
 from which ports are mapped to which cores.
 
@@ -225,7 +238,7 @@ accordingly.
 
 
 Configuration File Syntax
-~~
+~
 
 As mention in the overview, the Security Policies are ACL rules.
 The application parsers the rules specified in the configuration file and
@@ -571,6 +584,11 @@ Example SA rules:
 mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
 type lookaside-protocol-offload port_id 4
 
+sa in 35 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 \
+type inline-crypto-offload port_id 0
+
 Routing rule syntax
 ^^^
 
@@ -667,3 +685,86 @@ Example Neighbour rules:
 .. code-block:: console
 
 neigh port 0 DE:AD:BE:EF:01:02
+
+Test directory
+--
+
+The test directory contains scripts for testing the various encryption
+algorithms.
+
+The purpose of the scripts is to automate ipsec-secgw testing
+using another system running linux as a DUT.
+
+The user must setup the following environment variables:
+
+*   ``SGW_PATH``: path to the ipsec-secgw binary to test.
+
+*   ``REMOTE_HOST``: IP address/hostname of the DUT.
+
+*   ``REMOTE_IFACE``: interface name for the test-port on the DUT.
+
+*   ``ETH_DEV``: ethernet device to be used on the SUT by DPDK ('-w ')
+
+Also the user can optionally setup:
+
+*   ``SGW_LCORE``: lcore to run ipsec-secgw on (default value is 0)
+
+*   ``CRYPTO_DEV``: crypto device to be used ('-w '). If none specified
+appropriate vdevs will be created by the script
+
+Note that most of the tests require the appropriate crypto PMD/device to be
+available.
+
+Server configuration
+
+
+Two servers are required for the tests, SUT and DUT.
+
+Make sure the user from the SUT can ssh to the DUT without entering the 
password.
+To enable this feature keys must be setup on the DUT.
+
+``ssh-keygen`` will make a

[dpdk-dev] [PATCH v5 07/10] examples/ipsec-secgw: make app to use ipsec library

[Konstantin Ananyev]

Changes to make ipsec-secgw to utilize librte_ipsec library.
That patch provides:
 - changes in the related data structures.
 - changes in the initialization code.
 - new command-line parameters to enable librte_ipsec codepath
   and related features.

Note that right now by default current (non-librte_ipsec) code-path will
be used. User has to run application with new command-line option ('-l')
to enable new codepath.
The main reason for that:
 - current librte_ipsec doesn't support all ipsec algorithms
   and features that the app does.
 - allow users to run both versions in parallel for some time
   to figure out any functional or performance degradation with the
   new code.

It is planned to deprecate and remove non-librte_ipsec code path
in future releases.

Signed-off-by: Mohammad Abdul Awal 
Signed-off-by: Bernard Iremonger 
Signed-off-by: Konstantin Ananyev 
Acked-by: Radu Nicolau 
---
 examples/ipsec-secgw/Makefile  |   4 +-
 examples/ipsec-secgw/ipsec-secgw.c |  51 ++-
 examples/ipsec-secgw/ipsec.h   |  24 
 examples/ipsec-secgw/meson.build   |   2 +-
 examples/ipsec-secgw/sa.c  | 221 -
 examples/ipsec-secgw/sp4.c |  25 
 examples/ipsec-secgw/sp6.c |  25 
 7 files changed, 344 insertions(+), 8 deletions(-)

diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
index 02d41e39a..3918ee63e 100644
--- a/examples/ipsec-secgw/Makefile
+++ b/examples/ipsec-secgw/Makefile
@@ -61,8 +61,8 @@ RTE_TARGET ?= x86_64-native-linuxapp-gcc
 include $(RTE_SDK)/mk/rte.vars.mk
 
 ifneq ($(MAKECMDGOALS),clean)
-ifneq ($(CONFIG_RTE_LIBRTE_SECURITY),y)
-$(error "RTE_LIBRTE_SECURITY is required to build ipsec-secgw")
+ifneq ($(CONFIG_RTE_LIBRTE_IPSEC),y)
+$(error "RTE_LIBRTE_IPSEC is required to build ipsec-secgw")
 endif
 endif
 
diff --git a/examples/ipsec-secgw/ipsec-secgw.c 
b/examples/ipsec-secgw/ipsec-secgw.c
index cc812d502..c2c9cb2bd 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -168,6 +168,9 @@ static uint32_t frame_size;
 static uint64_t dev_rx_offload = UINT64_MAX;
 static uint64_t dev_tx_offload = UINT64_MAX;
 
+/* application wide librte_ipsec/SA parameters */
+struct app_sa_prm app_sa_prm = {.enable = 0};
+
 struct lcore_rx_queue {
uint16_t port_id;
uint8_t queue_id;
@@ -1077,6 +1080,10 @@ print_usage(const char *prgname)
" [-P]"
" [-u PORTMASK]"
" [-j FRAMESIZE]"
+   " [-l]"
+   " [-w REPLAY_WINDOW_SIZE]"
+   " [-e]"
+   " [-a]"
" -f CONFIG_FILE"
" --config (port,queue,lcore)[,(port,queue,lcore)]"
" [--single-sa SAIDX]"
@@ -1089,6 +1096,11 @@ print_usage(const char *prgname)
"  -u PORTMASK: Hexadecimal bitmask of unprotected ports\n"
"  -j FRAMESIZE: Enable jumbo frame with 'FRAMESIZE' as 
maximum\n"
"packet size\n"
+   "  -l enables code-path that uses librte_ipsec\n"
+   "  -w REPLAY_WINDOW_SIZE specifies IPsec SQN replay window\n"
+   " size for each SA\n"
+   "  -e enables ESN\n"
+   "  -a enables SA SQN atomic behaviour\n"
"  -f CONFIG_FILE: Configuration file\n"
"  --config (port,queue,lcore): Rx queue configuration\n"
"  --single-sa SAIDX: Use single SA index for outbound 
traffic,\n"
@@ -1206,6 +1218,20 @@ parse_config(const char *q_arg)
return 0;
 }
 
+static void
+print_app_sa_prm(const struct app_sa_prm *prm)
+{
+   printf("librte_ipsec usage: %s\n",
+   (prm->enable == 0) ? "disabled" : "enabled");
+
+   if (prm->enable == 0)
+   return;
+
+   printf("replay window size: %u\n", prm->window_size);
+   printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
+   printf("SA flags: %#" PRIx64 "\n", prm->flags);
+}
+
 static int32_t
 parse_args(int32_t argc, char **argv)
 {
@@ -1217,7 +1243,7 @@ parse_args(int32_t argc, char **argv)
 
argvopt = argv;
 
-   while ((opt = getopt_long(argc, argvopt, "p:Pu:f:j:",
+   while ((opt = getopt_long(argc, argvopt, "aelp:Pu:f:j:w:",
lgopts, &option_index)) != EOF) {
 
switch (opt) {
@@ -1273,6 +1299,21 @@ parse_args(int32_t argc, char **argv)
}
printf("Enabled jumbo frames size %u\n", frame_size);
break;
+   case 'l':
+   app_sa_prm.enable = 1;
+   break;
+   case 'w':
+   app_sa_prm.enable = 1;
+   app_sa_prm.window_size = parse_decimal(optarg);
+   break;
+   case 'e':
+   app_sa_prm.enable = 1;
+   app_sa_prm.enable_e

[dpdk-dev] [PATCH v5 09/10] examples/ipsec-secgw: add scripts for functional test

[Konstantin Ananyev]

The purpose of these scripts is to automate ipsec-secgw functional testing.
The scripts require two machines (SUT and DUT) connected through
at least 2 NICs and running linux (so far tested only on Ubuntu 18.04).
Introduced test-cases for the following scenarios:
- Transport/Tunnel modes
- AES-CBC SHA1
- AES-GCM
- ESN on/off
- legacy/librte_ipsec code path

Signed-off-by: Konstantin Ananyev 
Acked-by: Radu Nicolau 
---
 examples/ipsec-secgw/test/common_defs.sh  | 153 ++
 examples/ipsec-secgw/test/data_rxtx.sh|  62 +++
 examples/ipsec-secgw/test/linux_test4.sh  |  63 
 examples/ipsec-secgw/test/linux_test6.sh  |  64 
 examples/ipsec-secgw/test/run_test.sh |  80 +
 .../test/trs_aescbc_sha1_common_defs.sh   |  69 
 .../ipsec-secgw/test/trs_aescbc_sha1_defs.sh  |  67 
 .../test/trs_aescbc_sha1_esn_atom_defs.sh |   5 +
 .../test/trs_aescbc_sha1_esn_defs.sh  |  66 
 .../test/trs_aescbc_sha1_old_defs.sh  |   5 +
 .../test/trs_aesgcm_common_defs.sh|  60 +++
 examples/ipsec-secgw/test/trs_aesgcm_defs.sh  |  66 
 .../test/trs_aesgcm_esn_atom_defs.sh  |   5 +
 .../ipsec-secgw/test/trs_aesgcm_esn_defs.sh   |  66 
 .../ipsec-secgw/test/trs_aesgcm_old_defs.sh   |   5 +
 .../test/tun_aescbc_sha1_common_defs.sh   |  68 
 .../ipsec-secgw/test/tun_aescbc_sha1_defs.sh  |  70 
 .../test/tun_aescbc_sha1_esn_atom_defs.sh |   5 +
 .../test/tun_aescbc_sha1_esn_defs.sh  |  70 
 .../test/tun_aescbc_sha1_old_defs.sh  |   5 +
 .../test/tun_aesgcm_common_defs.sh|  60 +++
 examples/ipsec-secgw/test/tun_aesgcm_defs.sh  |  70 
 .../test/tun_aesgcm_esn_atom_defs.sh  |   5 +
 .../ipsec-secgw/test/tun_aesgcm_esn_defs.sh   |  70 
 .../ipsec-secgw/test/tun_aesgcm_old_defs.sh   |   5 +
 25 files changed, 1264 insertions(+)
 create mode 100644 examples/ipsec-secgw/test/common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/data_rxtx.sh
 create mode 100644 examples/ipsec-secgw/test/linux_test4.sh
 create mode 100644 examples/ipsec-secgw/test/linux_test6.sh
 create mode 100644 examples/ipsec-secgw/test/run_test.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_old_defs.sh

diff --git a/examples/ipsec-secgw/test/common_defs.sh 
b/examples/ipsec-secgw/test/common_defs.sh
new file mode 100644
index 0..7adfffa19
--- /dev/null
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -0,0 +1,153 @@
+#! /bin/bash
+
+#check that env vars are properly defined
+
+#check SGW_PATH
+if [[ -z "${SGW_PATH}" || ! -x ${SGW_PATH} ]]; then
+   echo "SGW_PATH is invalid"
+   exit 127
+fi
+
+#check ETH_DEV
+if [[ -z "${ETH_DEV}" ]]; then
+   echo "ETH_DEV is invalid"
+   exit 127
+fi
+
+#setup SGW_LCORE
+SGW_LCORE=${SGW_LCORE:-0}
+
+#check that REMOTE_HOST is reachable
+ssh ${REMOTE_HOST} echo
+st=$?
+if [[ $st -ne 0 ]]; then
+   echo "host ${REMOTE_HOST} is not reachable"
+   exit $st
+fi
+
+#get ether addr of REMOTE_HOST
+REMOTE_MAC=`ssh ${REMOTE_HOST} ip addr show dev ${REMOTE_IFACE}`
+st=$?
+REMOTE_MAC=`echo ${REMOTE_MAC} | sed -e 's/^.*ether //' -e 's/ brd.*$//'`
+if [[ $st -ne 0 || -z "${REMOTE_MAC}" ]]; then
+   echo "coouldn't retrieve ether addr from ${REMOTE_IFACE}"
+   exit 127
+fi
+
+LOCAL_IFACE=dtap0
+
+LOCAL_MAC="00:64:74:61:70:30"
+
+REMOTE_IPV4=192.168.31.14
+LOCAL_IPV4=192.168.31.92
+
+REMOTE_IPV6=fd12:3456:789a:0031::::0014
+LOCAL_IPV6=fd12:3456:789a:0031::::0092
+
+DPDK_PATH=${RTE_SD

[dpdk-dev] unimplemented API heads-up notice

[Ananyev, Konstantin]

Hi everyone,
As you probably know, all un-implemented API inside DPDK
planned to be deprecated in 19.05 and removed in 19.08.
For more details, please refer to:
https://mails.dpdk.org/archives/dev/2018-November/118697.html
Below is the list (probably incomplete) of currently un-implemented API. 
If you are aware of some extra unimplemented API that is not in that list,
or you believe that something was added into the list by mistake,
please reply to that message.
Happy NY :)
Konstantin

1) rte_security
   a)  RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
   b)  RTE_SECURITY_RX_HW_TRAILER_OFFLOAD, RTE_SECURITY_TX_HW_TRAILER_OFFLOAD
   c)  rte_security_ops methods: 
 - get_userdata
 - session_update
 - session_stats_get (and rte_security_stats)

2) rte_ethdev
a) RTE_ETH_EVENT_IPSEC_*
b) rx offloads:
 -   DEV_RX_OFFLOAD_SCTP_CKSUM
 -  DEV_RX_OFFLOAD_OUTER_UDP_CKSUM
 -  DEV_RX_OFFLOAD_HEADER_SPLIT
 -  DEV_RX_OFFLOAD_MACSEC_STRIP 

 3) rte_mbuf
 a) rte_mbuf.inner_esp_next_proto
 b) RTE_PTYPE_TUNNEL_ESP

 4) rte_bbdev
a) rte_bbdev_ops methods:
   - setup_queues
   - intr_enable
   - start
   - stop
   - close
   - stats_get
   - stats_reset
   - queue_start
   - queue_stop
   - queue_intr_enable
   - queue_intr_disable

[dpdk-dev] [PATCH v3] net/i40e: fix get RSS conf issue

[Qiming Yang]

rte_eth_dev_rss_hash_conf_get API doesn't force 'rss_conf.rss_key'
to be not NULL, so rss_key = NULL should be allowed in i40e
driver.

Fixes: 16321de09396 ("ethdev: allow to get RSS hash functions and key")
Cc: sta...@dpdk.org

Change-Id: I992847995cac44172694ea15ab30c4d1e7e48957
Signed-off-by: Qiming Yang 
---
 drivers/net/i40e/i40e_ethdev.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/i40e/i40e_ethdev.c b/drivers/net/i40e/i40e_ethdev.c
index 8dc1a4a..a6b97e1 100644
--- a/drivers/net/i40e/i40e_ethdev.c
+++ b/drivers/net/i40e/i40e_ethdev.c
@@ -7407,7 +7407,7 @@ i40e_get_rss_key(struct i40e_vsi *vsi, uint8_t *key, 
uint8_t *key_len)
int ret;
 
if (!key || !key_len)
-   return -EINVAL;
+   return 0;
 
if (pf->flags & I40E_FLAG_RSS_AQ_CAPABLE) {
ret = i40e_aq_get_rss_key(hw, vsi->vsi_id,
@@ -7492,6 +7492,9 @@ i40e_dev_rss_hash_conf_get(struct rte_eth_dev *dev,
uint64_t hena;
int ret;
 
+   if (!rss_conf)
+   return -EINVAL;
+
ret = i40e_get_rss_key(pf->main_vsi, rss_conf->rss_key,
 &rss_conf->rss_key_len);
if (ret)
-- 
2.9.5

Re: [dpdk-dev] [PATCH 1/3] eal: add --dev-hotplug option

[Jeff Guo]

hi, david

On 12/17/2018 6:15 PM, David Marchand wrote:


On Fri, Dec 14, 2018 at 8:41 AM Jeff Guo > wrote:


This command-line option will enable hotplug event detecting and
enable
hotplug handling for device hotplug.

Signed-off-by: Jeff Guo mailto:jia@intel.com>>


Is there a reason why we would want this disabled by default and 
enabled via option ?





Before i can give you an answer, let's see what will bring on if enable it.

When enable the hotplug will means that it will bring a new netlink 
socket communication


and a sigbus detecting and specific processing. So if user not want to 
add this work load, just


let it to be optional. Do you agree with that? If not please show what 
is your concern. Thanks.




diff --git a/lib/librte_eal/common/eal_options.h
b/lib/librte_eal/common/eal_options.h
index 5271f94..4d8a12e 100644
--- a/lib/librte_eal/common/eal_options.h
+++ b/lib/librte_eal/common/eal_options.h
@@ -65,7 +65,9 @@ enum {
        OPT_SINGLE_FILE_SEGMENTS_NUM,
 #define OPT_IOVA_MODE          "iova-mode"
        OPT_IOVA_MODE_NUM,
-       OPT_LONG_MAX_NUM
+       OPT_LONG_MAX_NUM,
+#define OPT_DEV_HOTPLUG              "dev-hotplug"
+       OPT_DEV_HOTPLUG_NUM,
 };

 extern const char eal_short_options[];


OPT_LONG_MAX_NUM is supposed to be the last enum.

--
David Marchand