GET /api/patches/101013/?format=api
http://patches.dpdk.org/api/patches/101013/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/patch/20211011112945.2876-5-radu.nicolau@intel.com/", "project": { "id": 1, "url": "http://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20211011112945.2876-5-radu.nicolau@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20211011112945.2876-5-radu.nicolau@intel.com", "date": "2021-10-11T11:29:39", "name": "[v8,04/10] ipsec: add support for NAT-T", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "ae4aa93fa80bf95409ef09d4edc8b001d5f4d1eb", "submitter": { "id": 743, "url": "http://patches.dpdk.org/api/people/743/?format=api", "name": "Radu Nicolau", "email": "radu.nicolau@intel.com" }, "delegate": { "id": 6690, "url": "http://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patches.dpdk.org/project/dpdk/patch/20211011112945.2876-5-radu.nicolau@intel.com/mbox/", "series": [ { "id": 19516, "url": "http://patches.dpdk.org/api/series/19516/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=19516", "date": "2021-10-11T11:29:35", "name": "new features for ipsec and security libraries", "version": 8, "mbox": "http://patches.dpdk.org/series/19516/mbox/" } ], "comments": "http://patches.dpdk.org/api/patches/101013/comments/", "check": "success", "checks": "http://patches.dpdk.org/api/patches/101013/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", 
"Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 451ABA034F;\n\tMon, 11 Oct 2021 13:41:50 +0200 (CEST)", "from [217.70.189.124] (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 5C012410F7;\n\tMon, 11 Oct 2021 13:41:37 +0200 (CEST)", "from mga17.intel.com (mga17.intel.com [192.55.52.151])\n by mails.dpdk.org (Postfix) with ESMTP id 10A85410F7\n for <dev@dpdk.org>; Mon, 11 Oct 2021 13:41:35 +0200 (CEST)", "from orsmga007.jf.intel.com ([10.7.209.58])\n by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 11 Oct 2021 04:41:35 -0700", "from silpixa00400884.ir.intel.com ([10.243.22.82])\n by orsmga007.jf.intel.com with ESMTP; 11 Oct 2021 04:41:32 -0700" ], "X-IronPort-AV": [ "E=McAfee;i=\"6200,9189,10133\"; a=\"207660509\"", "E=Sophos;i=\"5.85,364,1624345200\"; d=\"scan'208\";a=\"207660509\"", "E=Sophos;i=\"5.85,364,1624345200\"; d=\"scan'208\";a=\"479821991\"" ], "X-ExtLoop1": "1", "From": "Radu Nicolau <radu.nicolau@intel.com>", "To": "Konstantin Ananyev <konstantin.ananyev@intel.com>,\n Bernard Iremonger <bernard.iremonger@intel.com>,\n Vladimir Medvedkin <vladimir.medvedkin@intel.com>", "Cc": "dev@dpdk.org, mdr@ashroe.eu, bruce.richardson@intel.com,\n roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com,\n anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com,\n daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com,\n matan@nvidia.com, Radu Nicolau <radu.nicolau@intel.com>", "Date": "Mon, 11 Oct 2021 12:29:39 +0100", "Message-Id": "<20211011112945.2876-5-radu.nicolau@intel.com>", "X-Mailer": "git-send-email 2.25.1", "In-Reply-To": "<20211011112945.2876-1-radu.nicolau@intel.com>", "References": "<20210713133542.3550525-1-radu.nicolau@intel.com>\n <20211011112945.2876-1-radu.nicolau@intel.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Subject": 
"[dpdk-dev] [PATCH v8 04/10] ipsec: add support for NAT-T", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Add support for the IPsec NAT-Traversal use case for Tunnel mode\npackets.\n\nSigned-off-by: Declan Doherty <declan.doherty@intel.com>\nSigned-off-by: Radu Nicolau <radu.nicolau@intel.com>\nSigned-off-by: Abhijit Sinha <abhijit.sinha@intel.com>\nSigned-off-by: Daniel Martin Buckley <daniel.m.buckley@intel.com>\nAcked-by: Fan Zhang <roy.fan.zhang@intel.com>\n---\n doc/guides/prog_guide/ipsec_lib.rst | 2 ++\n doc/guides/rel_notes/release_21_11.rst | 1 +\n lib/ipsec/esp_outb.c | 9 +++++++++\n lib/ipsec/rte_ipsec_sa.h | 9 ++++++++-\n lib/ipsec/sa.c | 28 +++++++++++++++++++++++---\n 5 files changed, 45 insertions(+), 4 deletions(-)", "diff": "diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst\nindex 93e213bf36..af51ff8131 100644\n--- a/doc/guides/prog_guide/ipsec_lib.rst\n+++ b/doc/guides/prog_guide/ipsec_lib.rst\n@@ -313,6 +313,8 @@ Supported features\n \n * ESN and replay window.\n \n+* NAT-T / UDP encapsulated ESP.\n+\n * algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, AES_CCM, CHACHA20_POLY1305,\n AES_GMAC, HMAC-SHA1, NULL.\n \ndiff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst\nindex 1a29640eea..73a566eaca 100644\n--- a/doc/guides/rel_notes/release_21_11.rst\n+++ b/doc/guides/rel_notes/release_21_11.rst\n@@ -137,6 +137,7 @@ 
New Features\n * **IPsec library new features.**\n \n * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC.\n+ * Added support for NAT-T / UDP encapsulated ESP\n \n \n Removed Items\ndiff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c\nindex a3f77469c3..0e3314b358 100644\n--- a/lib/ipsec/esp_outb.c\n+++ b/lib/ipsec/esp_outb.c\n@@ -5,6 +5,7 @@\n #include <rte_ipsec.h>\n #include <rte_esp.h>\n #include <rte_ip.h>\n+#include <rte_udp.h>\n #include <rte_errno.h>\n #include <rte_cryptodev.h>\n \n@@ -185,6 +186,14 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,\n \t/* copy tunnel pkt header */\n \trte_memcpy(ph, sa->hdr, sa->hdr_len);\n \n+\t/* if UDP encap is enabled update the dgram_len */\n+\tif (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) {\n+\t\tstruct rte_udp_hdr *udph = (struct rte_udp_hdr *)\n+\t\t\t\t(ph - sizeof(struct rte_udp_hdr));\n+\t\tudph->dgram_len = rte_cpu_to_be_16(mb->pkt_len - sqh_len -\n+\t\t\t\tsa->hdr_l3_off - sa->hdr_len);\n+\t}\n+\n \t/* update original and new ip header fields */\n \tupdate_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen,\n \t\t\tmb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc));\ndiff --git a/lib/ipsec/rte_ipsec_sa.h b/lib/ipsec/rte_ipsec_sa.h\nindex cf51ad8338..3a22705055 100644\n--- a/lib/ipsec/rte_ipsec_sa.h\n+++ b/lib/ipsec/rte_ipsec_sa.h\n@@ -78,6 +78,7 @@ struct rte_ipsec_sa_prm {\n * - for TUNNEL outer IP version (IPv4/IPv6)\n * - are SA SQN operations 'atomic'\n * - ESN enabled/disabled\n+ * - NAT-T UDP encapsulated (TUNNEL mode only)\n * ...\n */\n \n@@ -89,7 +90,8 @@ enum {\n \tRTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,\n \tRTE_SATP_LOG2_ESN,\n \tRTE_SATP_LOG2_ECN,\n-\tRTE_SATP_LOG2_DSCP\n+\tRTE_SATP_LOG2_DSCP,\n+\tRTE_SATP_LOG2_NATT\n };\n \n #define RTE_IPSEC_SATP_IPV_MASK\t\t(1ULL << RTE_SATP_LOG2_IPV)\n@@ -125,6 +127,11 @@ enum {\n #define RTE_IPSEC_SATP_DSCP_DISABLE\t(0ULL << RTE_SATP_LOG2_DSCP)\n #define RTE_IPSEC_SATP_DSCP_ENABLE\t(1ULL << RTE_SATP_LOG2_DSCP)\n 
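Review bot: In the NAT-T block added to outb_tun_pkt_prepare, the UDP header pointer is computed as `ph - sizeof(struct rte_udp_hdr)`, which points before the header that the preceding rte_memcpy wrote at `ph`, so the dgram_len store appears to land outside the copied tunnel header instead of on the UDP header that esp_outb_tun_init appends at the end of sa->hdr. If `ph` is the start of the prepended region (its assignment is outside this hunk), the pointer should be `ph + sa->hdr_len - sizeof(struct rte_udp_hdr)`. The length also looks too small: sa->hdr_len already counts the UDP header, so subtracting it together with hdr_l3_off leaves out the header bytes that a UDP length field must cover; `mb->pkt_len - sqh_len - sa->hdr_len + sizeof(struct rte_udp_hdr)` would be consistent with that layout. The function body starts and ends outside the hunk.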
\n+#define RTE_IPSEC_SATP_NATT_MASK\t(1ULL << RTE_SATP_LOG2_NATT)\n+#define RTE_IPSEC_SATP_NATT_DISABLE\t(0ULL << RTE_SATP_LOG2_NATT)\n+#define RTE_IPSEC_SATP_NATT_ENABLE\t(1ULL << RTE_SATP_LOG2_NATT)\n+\n+\n /**\n * get type of given SA\n * @return\ndiff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c\nindex 720e0f365b..1dd19467a6 100644\n--- a/lib/ipsec/sa.c\n+++ b/lib/ipsec/sa.c\n@@ -5,6 +5,7 @@\n #include <rte_ipsec.h>\n #include <rte_esp.h>\n #include <rte_ip.h>\n+#include <rte_udp.h>\n #include <rte_errno.h>\n #include <rte_cryptodev.h>\n \n@@ -217,6 +218,10 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type)\n \t} else\n \t\treturn -EINVAL;\n \n+\t/* check for UDP encapsulation flag */\n+\tif (prm->ipsec_xform.options.udp_encap == 1)\n+\t\ttp |= RTE_IPSEC_SATP_NATT_ENABLE;\n+\n \t/* check for ESN flag */\n \tif (prm->ipsec_xform.options.esn == 0)\n \t\ttp |= RTE_IPSEC_SATP_ESN_DISABLE;\n@@ -355,12 +360,22 @@ esp_outb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)\n \tsa->hdr_len = prm->tun.hdr_len;\n \tsa->hdr_l3_off = prm->tun.hdr_l3_off;\n \n+\tmemcpy(sa->hdr, prm->tun.hdr, prm->tun.hdr_len);\n+\n+\t/* insert UDP header if UDP encapsulation is inabled */\n+\tif (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) {\n+\t\tstruct rte_udp_hdr *udph = (struct rte_udp_hdr *)\n+\t\t\t\t&sa->hdr[prm->tun.hdr_len];\n+\t\tsa->hdr_len += sizeof(struct rte_udp_hdr);\n+\t\tudph->src_port = prm->ipsec_xform.udp.sport;\n+\t\tudph->dst_port = prm->ipsec_xform.udp.dport;\n+\t\tudph->dgram_cksum = 0;\n+\t}\n+\n \t/* update l2_len and l3_len fields for outbound mbuf */\n \tsa->tx_offload.val = rte_mbuf_tx_offload(sa->hdr_l3_off,\n \t\tsa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0);\n \n-\tmemcpy(sa->hdr, prm->tun.hdr, sa->hdr_len);\n-\n \tesp_outb_init(sa, sa->hdr_len);\n }\n \n@@ -372,7 +387,8 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,\n \tconst struct crypto_xform *cxf)\n {\n \tstatic const uint64_t msk = 
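Review bot: The new udp_encap check in fill_sa_type sets RTE_IPSEC_SATP_NATT_ENABLE for every SA, although the comment added in rte_ipsec_sa.h describes NAT-T as TUNNEL mode only. The esp_sa_init switch hunk later in this patch then adds a `DIR_OB | MODE_TRANS | NATT_ENABLE` label that falls through to `esp_outb_init(sa, 0)`, so a transport-mode SA with udp_encap set is accepted and no UDP header is ever inserted for it. Failing closed here would be safer, e.g. `if (prm->ipsec_xform.options.udp_encap == 1 && (tp & RTE_IPSEC_SATP_MODE_MASK) == RTE_IPSEC_SATP_MODE_TRANS) return -EINVAL;` before the flag is set. fill_sa_type starts and ends outside the hunk, so the assumption that `tp` already holds the mode bits at this point should be confirmed.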
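Review bot: In esp_outb_tun_init the UDP header is written at `&sa->hdr[prm->tun.hdr_len]` and sa->hdr_len grows by `sizeof(struct rte_udp_hdr)`, but nothing in this hunk checks that the extra bytes still fit in sa->hdr. Whatever limit the SA init path applies to prm->tun.hdr_len is outside the hunk; if it only compares the tunnel header length with the buffer size, a maximum-length tunnel header with udp_encap set would write past the buffer. Because this function returns void, a guard such as `if (prm->tun.hdr_len + sizeof(struct rte_udp_hdr) > sizeof(sa->hdr)) return -EINVAL;` belongs where the SA parameters are validated, assuming sa->hdr is a fixed-size array. The added comment also has a typo, `inabled` for `enabled`.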
RTE_IPSEC_SATP_DIR_MASK |\n-\t\t\t\tRTE_IPSEC_SATP_MODE_MASK;\n+\t\t\t\tRTE_IPSEC_SATP_MODE_MASK |\n+\t\t\t\tRTE_IPSEC_SATP_NATT_MASK;\n \n \tif (prm->ipsec_xform.options.ecn)\n \t\tsa->tos_mask |= RTE_IPV4_HDR_ECN_MASK;\n@@ -475,10 +491,16 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,\n \tcase (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS):\n \t\tesp_inb_init(sa);\n \t\tbreak;\n+\tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4 |\n+\t\t\tRTE_IPSEC_SATP_NATT_ENABLE):\n+\tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6 |\n+\t\t\tRTE_IPSEC_SATP_NATT_ENABLE):\n \tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4):\n \tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6):\n \t\tesp_outb_tun_init(sa, prm);\n \t\tbreak;\n+\tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS |\n+\t\t\tRTE_IPSEC_SATP_NATT_ENABLE):\n \tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS):\n \t\tesp_outb_init(sa, 0);\n \t\tbreak;\n", "prefixes": [ "v8", "04/10" ] }{ "id": 101013, "url": "
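Review bot: Adding RTE_IPSEC_SATP_NATT_MASK to `msk` in esp_sa_init also changes what the inbound labels match: fill_sa_type sets the NAT-T bit regardless of direction, so an inbound SA created with udp_encap now yields `DIR_IB | MODE_* | NATT_ENABLE`, which no longer equals the `DIR_IB | MODE_TRANS` label shown as context, and no inbound NAT-T label is added in the switch hunk. Unless a default branch outside the hunk rejects it, such an SA would skip its inbound init without any error. Either add the inbound NAT-T labels next to the existing ones, or end the switch with `default: return -EINVAL;` so unsupported combinations are refused. The switch statement starts and ends outside the hunk.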