Re: [vpp-dev] IPSec/QAT offload config

2022-01-23 Thread Govindarajan Mohandoss
Hi Experts,
It worked after making the following changes. I enabled "crypto_native_plugin" 
& qat in startup.  If this is a real issue and if my Crypto/QAT config is 
correct, I can submit this fix for review. Please let me know.

diff --git a/src/vnet/crypto/crypto.c b/src/vnet/crypto/crypto.c
index 9f437cfcd..ed9a9d1be 100644
--- a/src/vnet/crypto/crypto.c
+++ b/src/vnet/crypto/crypto.c
@@ -333,6 +333,8 @@ vnet_crypto_update_cm_dequeue_handlers (void)
   for (i = 0; i < VNET_CRYPTO_ASYNC_OP_N_IDS; i++)
 {
   otd = cm->async_opt_data + i;
+  if (otd->active_engine_index_async == ~0)
+   continue;
   e = cm->engines + otd->active_engine_index_async;
   if (!e->dequeue_handler)
continue;
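Review bot: The added test `otd->active_engine_index_async == ~0` at the top of the loop body compares against a bare, untyped `~0` and does not say what that value means. If the field is narrower than int, the comparison can never be true after integer promotion, so please compare against a sentinel of the field's own type or a named constant. A one-line comment stating that ~0 marks an async op with no engine assigned would also help. It is also worth stating in the commit message whether silently skipping such ops is the intended behaviour when async mode is requested, or whether the caller should refuse or log instead.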
@@ -345,6 +347,8 @@ vnet_crypto_update_cm_dequeue_handlers (void)
 {
   if (ei[0] == last_ei)
continue;
+  if (ei[0] == ~0)
+   continue;

   e = cm->engines + ei[0];
   vec_add1 (cm->dequeue_handlers, e->dequeue_handler);
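Review bot: The `ei[0] == ~0` test is added as a second, separate `continue` directly after the `ei[0] == last_ei` test; folding the two into one condition would keep the loop body shorter. If `ei` is only ever filled from the ops the first loop now skips, this check may be unreachable. If an unset index can still arrive here, add a comment saying where it comes from, and use the same typed sentinel as in the first loop rather than a second bare `~0`.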


Startup conf:

plugins
{
  ...
  plugin crypto_native_plugin.so
  {
    enable
  }
}

cpu
{
  corelist-workers 9  /* Single worker */
  main-core 0
}

dpdk
{
  dev :af:00.0 #NIC
  dev :39:01.0 #QAT
  log-level debug
  dev default
  {
    num-rx-desc 256
    num-tx-desc 256
  }
}

Thanks
Govind

From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss via lists.fd.io
Sent: Friday, January 21, 2022 1:19 PM
To: Govindarajan Mohandoss; vpp-dev
Cc: Yoan Picchi; nd; nd
Subject: Re: [vpp-dev] IPSec/QAT offload config


Once more than 1 worker core is added in startup conf, crash is not observed 
during init phase.  But when I set the async mode on, it crashes in same place. 
Do I need to set async mode on to use QAT ? Do I need to enable any specific 
plugin ?



cpu
{
  corelist-workers 9-12
  main-core 13
}

DBGvpp# set ipsec async mode on

Thread 1 "vpp_main" received signal SIGSEGV, Segmentation fault.
0x773713c9 in vnet_crypto_update_cm_dequeue_handlers () at /home/govmoh01/vpp_qat/vpp/src/vnet/crypto/crypto.c:337
337   if (!e->dequeue_handler)
(gdb)





> -Original Message-
> From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss via lists.fd.io
> Sent: Friday, January 21, 2022 12:24 PM
> To: vpp-dev <vpp-dev@lists.fd.io>
> Cc: Yoan Picchi <yoan.pic...@arm.com>; nd <n...@arm.com>; nd <n...@arm.com>
> Subject: [vpp-dev] IPSec/QAT offload config
>
> Hi Experts,
>   We are trying to run IPSec with QAT offload and did the following dpdk
> config in startup conf. When we run VPP, it crashes in the init phase (Before
> reaching out to VPP shell). Can you please help us with proper config to
> enable QAT ?
> We did a sanity test with standalone DPDK IPSec application and it works fine
> with QAT card.
>
> dpdk
> {
>   dev :af:00.0 #NIC
>   dev :39:01.0 #QAT
>   log-level debug
>   dev default
>   {
>     num-rx-desc 1024
>     num-tx-desc 1024
>   }
> }
>
>
> Thread 1 "vpp_main" received signal SIGSEGV, Segmentation fault.
> 0x773713c9 in vnet_crypto_update_cm_dequeue_handlers () at /home/govmoh01/vpp_qat/vpp/src/vnet/crypto/crypto.c:337
> 337   if (!e->dequeue_handler)
> (gdb) bt
> #0  0x773713c9 in vnet_crypto_update_cm_dequeue_handlers () at /home/govmoh01/vpp_qat/vpp/src/vnet/crypto/crypto.c:337
> #1  0x77371d69 in vnet_crypto_request_async_mode (is_enable=1) at /home/govmoh01/vpp_qat/vpp/src/vnet/crypto/crypto.c:678
> #2  0x7ffef5b0e4ff in dpdk_cryptodev_init (vm=0x7ffef685a680) at /home/govmoh01/vpp_qat/vpp/src/plugins/dpdk/cryptodev/cryptodev.c:1200
> #3  0x7ffef5af1608 in dpdk_process (vm=0x7ffef685a680, rt=0x7ffef8176d00, f=0x0) at /home/govmoh01/vpp_qat/vpp/src/plugins/dpdk/device/init.c:1417
> #4  0x76e513ed in vlib_process_bootstrap (_a=140733006596280) at /home/govmoh01/vpp_qat/vpp/src/vlib/main.c:1235
> #5  0x76cefc38 in clib_calljmp () at /home/govmoh01/vpp_qat/vpp/src/vppinfra/longjmp.S:123
> #6  0x7ffef4ddc8b0 in ?? ()
> #7  0x76e50e0f in vlib_process_startup (vm=0x7ffef685a680, p=0x7ffef8176d00, f=0x0)
>
> Thanks
> Govind




Re: [vpp-dev] SNAT, nat44 with static mapping of whole subnet

2022-01-23 Thread Adrian Imboden

Hi Filip

Thanks for your response. Your input did get me to the right direction.

For future reference, this is how I got it working (Version 21.10):

comment { === external wan: TenGigabitEtherneta/0/0, "public" ips: 10.10.100.50, 10.10.100.51 }

comment { === testnet1 lan: TenGigabitEthernetc/0/3, 192.168.10.0/23 }
comment { === testnet2 lan: TenGigabitEthernetc/0/2, 192.168.12.0/23 }


comment { === testnet1 }
ip table add 1
create tap id 1 host-if-name testnet1 host-ip4-addr 192.168.10.1/23
create loopback interface instance 1

set interface ip table loop1 1
set interface ip address loop1 192.168.10.255/23

set int l2 bridge tap1 1
set int l2 bridge loop1 1 bvi
set int l2 bridge TenGigabitEthernetc/0/3 1

comment { === testnet2 }
ip table add 2
create tap id 2 host-if-name testnet2 host-ip4-addr 192.168.12.1/23
create loopback interface instance 2

set interface ip table loop2 2
set interface ip address loop2 192.168.12.255/23

set int l2 bridge tap2 2
set int l2 bridge loop2 2 bvi
set int l2 bridge TenGigabitEthernetc/0/2 2


comment { === nat }
nat44 enable
set interface ip address TenGigabitEtherneta/0/0 10.10.100.50/23
set interface ip address TenGigabitEtherneta/0/0 10.10.100.51/23
set interface nat44 out TenGigabitEtherneta/0/0
nat44 add address 10.10.100.50 tenant-vrf 1
set interface nat44 in loop1
nat44 add address 10.10.100.51 tenant-vrf 2
set interface nat44 in loop2


comment { === enable interfaces }
set int state TenGigabitEtherneta/0/0 up
set int state loop1 up
set int state tap1 up
set int state TenGigabitEthernetc/0/3 up
set int state loop2 up
set int state tap2 up
set int state TenGigabitEthernetc/0/2 up


Thanks and Greetings
Adrian

On 22.01.22 06:10, Filip Varga via lists.fd.io wrote:

Hi,

From the first look I can see you are not enabling the deterministic plugin like 
you are the nat44 plugin. Secondly, mixing both plugins isn't fully supported. There 
could probably be some issues. I am not completely sure about your use cases, 
but using static mappings in this kind of scenario isn't a viable solution.

If you just want each subnet to have a different outside address, you should 
definitely use PAT (aka dynamic mapping) and put all of those inside subnets in 
different VRFs; after that, add a NAT address for each VRF.

VRF1 192.168.0/24 -> 10.0.0.1
VRF2 192.168.1/24 - > 10.0.02
etc.

Be sure to set inside - vrf interfaces as inside and outside interface as 
outside.

Use nat44-ed plugin.

Best regards,
Filip

-Original Message-
From: vpp-dev@lists.fd.io  On Behalf Of Adrian Imboden
Sent: Thursday, January 20, 2022 1:55 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] SNAT, nat44 with static mapping of whole subnet
Importance: High

Hi all

I'm using vpp only recently and I am very happy with the way it works.

I am currently trying to replace my linux based router with a linux based vpp 
router.

- I use version release 21.10
- I have a small ipv4 /24 network and an additional static ip
- I have multiple subnets (test1, test2 in the example)

What I want to do is:
- Do SNAT
- Map each subnet to a single ipv4 address
- For my test: assume 10.10.100.50-10.10.100.52 are my public ips

What I have now is the following:
```
comment { == setting up testnet1 }
create tap id 1 host-if-name testnet1 host-ip4-addr 192.168.10.1/23
create loopback interface instance 1
set interface ip address loop1 192.168.10.255/23

set int l2 bridge tap1 1
set int l2 bridge loop1 1 bvi
set int l2 bridge TenGigabitEthernet8/0/0 1

comment { == setting up testnet2 }
create tap id 2 host-if-name testnet2 host-ip4-addr 192.168.12.1/23
create loopback interface instance 2
set interface ip address loop2 192.168.12.255/23

set int l2 bridge tap2 2
set int l2 bridge loop2 2 bvi


set interface ip address TenGigabitEtherneta/0/3 10.10.100.50/23
set interface ip address TenGigabitEtherneta/0/3 10.10.100.51/23
set interface ip address TenGigabitEtherneta/0/3 10.10.100.52/23

nat44 enable

nat44 add address 10.10.100.50
nat44 add address 10.10.100.51
nat44 add address 10.10.100.52
set interface nat44 out TenGigabitEtherneta/0/3
set interface nat44 in loop1
set interface nat44 in loop2

ip route add 10.10.100.0/23 via TenGigabitEtherneta/0/3

comment { = port forwarding }
det44 add static mapping udp local 102.168.10.33 1234 external 10.10.100.51 1234


comment { enable all interfaces }
set int state tap1 up
set int state loop1 up
set int state TenGigabitEthernet8/0/0 up
set int state tap2 up
set int state loop2 up
set int state TenGigabitEtherneta/0/3 up
```



Now I have the problem that only 10.10.100.50 gets used (or until the
ports are used up I assume).
det44 would support my use case with:
```
det44 add in 192.168.10.0/23 out 10.10.100.51/32
det44 add in 192.168.20.0/23 out 10.10.100.52/32
```

but det44 does not support port forwarding.

and nat44 only supports mapping each host one by one.
In my case I could add all IPs (512 IPs per