Age | Commit message | Author | Files | Lines |
|
in the same manner as with other tunnel types we use
the FIB to cache and track the destination used to reach
the tunnel endpoint. Post encap we can then ship the packet
straight to this adjacency and thus elide the costly second
lookup.
- SA add and del function so they can be used both directly
from the API and for tunnels.
- API change for the SA dump to use the SA type
- ipsec_key_t type for convenience (copying, [un]formatting)
- no matching tunnel counters in ipsec-if-input
Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
DPDK 19.02 adds two new fields to struct rte_cryptodev_qp_conf,
which the current code was not initializing properly.
Also session mempools are now required to have specific private data.
For that just use the new API to create symmetric session pools.
Change-Id: Ie732d4e10b908aeaea322717d6011113e3e7172c
Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
|
|
dpdk_crypto_input_trace was called before vlib_buffer_enqueue_to_next
then VLIB_FRAME_TRACE of next_frame->flag will be overwritten by
vlib_next_frame_change_ownership(), leading to a broken trace.
now it is working:
Packet 1
00:00:15:654983: dpdk-crypto-input
dev_id 0 next-index 1
00:00:15:654999: ip4-lookup
fib 0 dpo-idx 0 flow hash: 0x00000000
IPSEC_ESP: 18.1.0.71 -> 18.1.0.241
tos 0x00, ttl 254, length 168, checksum 0x96ea
......
Change-Id: I73d77c06c11db8911866adb6240b2565b690f469
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
HQoS requires fixes to work with dpdk 19.02 so code is disabled and
pending deprecation unless active maintainer is found.
Change-Id: I3569c4287b6dfdd2c29e02375eb53bf01fa6ae84
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I2c796583087c70fbc5cf09e8afd0f2a1f389d346
Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
|
|
This patch introduces following changes:
- deprecated free lists which are not used and not compatible
with external buffer managers (i.e. DPDK)
- introduces native support for per-numa buffer pools
- significantly improves performance of buffer alloc and free
Change-Id: I4a8e723ae47056717afd6cac0efe87cb731b5be7
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
as this node is refactored in new style with
vlib_buffer_enqueue_to_next, we have to check if the 'count'
is greater than 0. otherwise, the next_index would be invalid
then lead to a crash
Change-Id: If7c323b59c02b5c16bd9d77b65c946512cc972c1
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
Change-Id: I998658ad7860b23425444e218ce2e1ec655b885a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I764c6565f96e0cb9078503e54e3cf3bb3fd9ff3f
Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
|
|
Change-Id: I47d021522cfc92cfb3877449333cbf31022c06f4
Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
|
|
Change-Id: I2ef33c7c15b3eb1f55bbfd5cbdd230d6a4d58936
Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
|
|
* u32/u64/uword mismatches
* pointer-to-int fixes
* printf formatting issues
* issues with incorrect "ULL" and related suffixes
* structure alignment and padding issues
Change-Id: I70b989007758755fe8211c074f651150680f60b4
Signed-off-by: David Johnson <davijoh3@cisco.com>
|
|
fix a copy-paste bug, and a typo of function name
Change-Id: Ib408522d2bb6fde7a7492de6f5d5369b461d77c9
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
1. multi-loop, and new style with vlib_buffer_enqueue_to_next
2. add error counter for AUTH-FAILURE
3. buffer trace changed. now it supports 'trace add dpdk-crypto-input 10'
just like the other input nodes
Actual measurement shows >10 clocks per packet are saved, under QAT
or openssl PMD case
Change-Id: I6ea34e4ae3b08c381219ff6bc8adda2d927fbfd5
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
startup.conf
otherwise, these pools will occupy an entire huge page for each even
though they are very small.
Change-Id: I08919714de9b6cd4b8dddb546ca54364b56ec99f
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
fix coding style
Change-Id: I458d81fa80c509b71edb2021468a89715cb32ae3
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
crypto-input,esp encrypt/decrypt are indicated in CMakefiles
Change-Id: I18ba851c1d4e5633d07c5de61cdaeae938e94982
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Fixes debug build crash.
Change-Id: Ia5c5da82beda5992f9e67456af9a4676b9b82722
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic4c46bc733afae8bf0d8146623ed15633928de30
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
The function dpdk_ipsec_process() attempts to initialize some
globals that store node indexes after looking up the node
dpdk-esp6-decrypt. No such node was declared, so a segv
occurs after dereferencing the result of the lookup.
Add a node function that invokes dpdk_esp_decrypt_inline()
with is_ip6 set to 1. Add a declaration of node dpdk-esp6-decrypt
that uses the node function.
Change-Id: I31ce23a458c2d4181bf40cbc2118c4ef3b9baf97
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I70bc5af646894811d373456ec66aa83f2d75a477
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Change-Id: If1b93341c222160b9a08f127620c024620e55c37
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- Some crypto devices rely on rte_cryptodev_start() API to be called by
application to enable a pre-configured H/W Crypto device.
- NXP dpaa2 is one of the examples.
Change-Id: I2ad8ca0060604fb4e0541161e91bdebc6642f4da
Signed-off-by: Sachin Saxena <sachin.saxena@nxp.com>
|
|
Change-Id: I024c1d398fcb51e5a20f9049d16a87b3b1ba0c20
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: I205932bc727c990011bbbe1dc6c0cf5349d19806
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This fixes some compilation warnings with clang on AArch64.
Change-Id: Idb941944e3f199f483c80e143a9e5163a031c4aa
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Replace hash with a vector to improve performance.
Plus other minor performance improvements.
Change-Id: I3f0ebd909782ce3727f6360ce5ff5ddd131f8574
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
The pointer to IP header was derived from l3_hdr_offset,
which would be ok, if l3_hdr_offset was valid. But it does not
have to be, so it was a bad solution. Now the previous nodes
mark whether it is an IPv6 or IPv4 packet type, and in esp_decrypt
we count get ip header pointer by subtracting the size
of the ip header from the pointer to esp header (which lies
in front of the ip header).
Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
Change-Id: Ic1e189c22e3d344d165e0eab05ccb667eef088a9
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Object sizes must evenly divide alignment requests, or vice
versa. Otherwise, only the first object will be aligned as
requested.
Three choices: add CLIB_CACHE_LINE_ALIGN_MARK(align_me) at
the end of structures, manually pad to an even divisor or multiple of
the alignment request, or use plain vectors/pools.
static assert for enforcement.
Change-Id: I41aa6ff1a58267301d32aaf4b9cd24678ac1c147
Signed-off-by: Dave Barach <dbarach@cisco.com>
|
|
Change-Id: I927c9358915e03187cf7d3098c00b85b5ea2f92d
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: I6400b77de388c01e85209e5dc5f11ccafb79a459
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Changes the source of the l3 offset to a more
proper one, same as I5d9f41599ba8d8eb14ce2d9d523f82ea6e0fd10d.
Change-Id: I5ff05d7d89507ecb378a2bd62f5b149189ca9e99
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
The expression to determine whether to delete a session
from the disposal list only evaluates true if some,
but not all, of the sessions in the list were freed.
When all sessions in the list are freed, it evaluates
false and the sessions are left in the list to be freed
again later, which can result in a session pool element
that was reallocated to a different SA being freed,
breaking crypto for the newer SA.
Add an 'else' that handles the case where all sessions
were freed.
Change-Id: I3ae54d5b3bfc3658bf406caa50646924baaae589
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
When using a DPDK cryptodev with IPsec, deleting a
session often results in a SEGV. A bad pointer
is being passed to rte_cryptodev_sym_session_free().
Put the correct value on the crypto disposal list and
add a check to determine whether the call to free the
session is going to result in a crash before doing
it.
Change-Id: I8a6b0a594585ebcfa56b555ede7ef7d67e5e2b33
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
17.11 is still default.
Change-Id: I524d232579db8a59c717c5d760398b6b7f811d03
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I6eef2ca258ff5b4aa9b21b98543d814633e295af
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
- fix ESP transport mode
- safely free crypto sessions
- use rte_mempool_virt2phy/rte_mempool_virt2iova
- align DPDK QAT capabilities for IPsec usage (DPDK 17.08)
- reserve 16B for aad (reference cryptodev doc)
Change-Id: I3822a7456fb5a255c767f5a44a429f91a140fe64
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Also remove DPDK 17.05 support.
Change-Id: I4f96cb3f002cd90b12d800d6904f2364d7c4e270
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ic4f797cea6fa21fb29d646256210357cf5267b38
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Change-Id: I2feb3e07c3070e8a525c539dd2feffa0dd1bca21
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
VPP-1034
Change-Id: I02b4db9e52446ab8578df1f011dd27f39de64c70
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
- Global variables declared in header files without
the use of the 'extern' keyword will result in multiple
instances of the variable to be created by the compiler
-- one for each different source file in which the
header file is included. This results in wasted
memory allocated in the BSS segments as well as
potentially introducing bugs in the application.
Change-Id: I6ef1790b60a0bd9dd3994f8510723decf258b0cc
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Ubuntu 17.04, gcc version 6.3.0 20170406 (Ubuntu 6.3.0-12ubuntu2),
"make build" fails with the few of the errors below:
error: suggest parentheses around comparison in operand of ‘|’
[-Werror=parentheses]
is_aead = (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128 |
Solution: use the logical rather than the bitwise or.
Change-Id: Iffcc1ed2e68b14b248159cb117593d32c623c553
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|