Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 55312,
    "url": "http://patches.dpdk.org/api/patches/55312/?format=api",
    "web_url": "http://patches.dpdk.org/project/dpdk/patch/20190625134321.71595-2-roy.fan.zhang@intel.com/",
    "project": {
        "id": 1,
        "url": "http://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20190625134321.71595-2-roy.fan.zhang@intel.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20190625134321.71595-2-roy.fan.zhang@intel.com",
    "date": "2019-06-25T13:43:20",
    "name": "[v2,1/2] lib/ipsec: add support for header construction",
    "commit_ref": null,
    "pull_url": null,
    "state": "superseded",
    "archived": true,
    "hash": "255499876d84e7ae000f9dd882cdd9a156d8d3c6",
    "submitter": {
        "id": 304,
        "url": "http://patches.dpdk.org/api/people/304/?format=api",
        "name": "Fan Zhang",
        "email": "roy.fan.zhang@intel.com"
    },
    "delegate": {
        "id": 6690,
        "url": "http://patches.dpdk.org/api/users/6690/?format=api",
        "username": "akhil",
        "first_name": "akhil",
        "last_name": "goyal",
        "email": "gakhil@marvell.com"
    },
    "mbox": "http://patches.dpdk.org/project/dpdk/patch/20190625134321.71595-2-roy.fan.zhang@intel.com/mbox/",
    "series": [
        {
            "id": 5157,
            "url": "http://patches.dpdk.org/api/series/5157/?format=api",
            "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=5157",
            "date": "2019-06-25T13:43:19",
            "name": "ipsec: ECN and DSCP header reconstruction.",
            "version": 2,
            "mbox": "http://patches.dpdk.org/series/5157/mbox/"
        }
    ],
    "comments": "http://patches.dpdk.org/api/patches/55312/comments/",
    "check": "fail",
    "checks": "http://patches.dpdk.org/api/patches/55312/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@dpdk.org",
        "Delivered-To": "patchwork@dpdk.org",
        "Received": [
            "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 6EB911BA64;\n\tTue, 25 Jun 2019 15:49:20 +0200 (CEST)",
            "from mga04.intel.com (mga04.intel.com [192.55.52.120])\n\tby dpdk.org (Postfix) with ESMTP id 0F05A1BA5D\n\tfor <dev@dpdk.org>; Tue, 25 Jun 2019 15:49:17 +0200 (CEST)",
            "from orsmga008.jf.intel.com ([10.7.209.65])\n\tby fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t25 Jun 2019 06:49:17 -0700",
            "from silpixa00398673.ir.intel.com (HELO\n\tsilpixa00398673.ger.corp.intel.com) ([10.237.223.136])\n\tby orsmga008.jf.intel.com with ESMTP; 25 Jun 2019 06:49:15 -0700"
        ],
        "X-Amp-Result": "SKIPPED(no attachment in message)",
        "X-Amp-File-Uploaded": "False",
        "X-ExtLoop1": "1",
        "X-IronPort-AV": "E=Sophos;i=\"5.63,416,1557212400\"; d=\"scan'208\";a=\"155514561\"",
        "From": "Fan Zhang <roy.fan.zhang@intel.com>",
        "To": "dev@dpdk.org",
        "Cc": "akhil.goyal@nxp.com, konstantin.ananyev@intel.com,\n\tMarko Kovacevic <marko.kovacevic@intel.com>,\n\tFan Zhang <roy.fan.zhang@intel.com>",
        "Date": "Tue, 25 Jun 2019 14:43:20 +0100",
        "Message-Id": "<20190625134321.71595-2-roy.fan.zhang@intel.com>",
        "X-Mailer": "git-send-email 2.14.5",
        "In-Reply-To": "<20190625134321.71595-1-roy.fan.zhang@intel.com>",
        "References": "<20190517160319.2468-1-marko.kovacevic@intel.com>\n\t<20190625134321.71595-1-roy.fan.zhang@intel.com>",
        "Subject": "[dpdk-dev] [PATCH v2 1/2] lib/ipsec: add support for header\n\tconstruction",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.15",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org",
        "Sender": "\"dev\" <dev-bounces@dpdk.org>"
    },
    "content": "From: Marko Kovacevic <marko.kovacevic@intel.com>\n\nAdd support for RFC 4301(5.1.2) to update of\nType of service field and Traffic class field\nbits inside ipv4/ipv6 packets for outbound cases\nand inbound cases which deals with the update of\nthe DSCP/ENC bits inside each of the fields.\n\nSigned-off-by: Marko Kovacevic <marko.kovacevic@intel.com>\nSigned-off-by: Fan Zhang <roy.fan.zhang@intel.com>\n---\n lib/librte_ipsec/esp_inb.c         |  14 +++-\n lib/librte_ipsec/esp_outb.c        |   4 +-\n lib/librte_ipsec/iph.h             | 134 +++++++++++++++++++++++++++++++++++--\n lib/librte_ipsec/rte_ipsec_sa.h    |  25 +++++++\n lib/librte_ipsec/sa.c              |  17 +++++\n lib/librte_ipsec/sa.h              |   2 +\n lib/librte_net/rte_ip.h            |  11 +++\n lib/librte_security/rte_security.h |   9 +++\n 8 files changed, 205 insertions(+), 11 deletions(-)",
    "diff": "diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c\nindex 3e12ca103..8c68f8913 100644\n--- a/lib/librte_ipsec/esp_inb.c\n+++ b/lib/librte_ipsec/esp_inb.c\n@@ -377,9 +377,10 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n {\n \tuint32_t adj, i, k, tl;\n \tuint32_t hl[num];\n+\tvoid *inner_h;\n+\tconst void *outter_h;\n \tstruct esp_tail espt[num];\n \tstruct rte_mbuf *ml[num];\n-\n \tconst uint32_t tlen = sa->icv_len + sizeof(espt[0]);\n \tconst uint32_t cofs = sa->ctp.cipher.offset;\n \n@@ -400,9 +401,16 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \t\tif (tun_process_check(mb[i], ml[i], espt[i], adj, tl,\n \t\t\t\t\tsa->proto) == 0) {\n \n+\t\t\toutter_h = rte_pktmbuf_mtod_offset(mb[i], uint8_t *,\n+\t\t\t\t\tmb[i]->l2_len);\n+\n \t\t\t/* modify packet's layout */\n-\t\t\ttun_process_step2(mb[i], ml[i], hl[i], adj,\n-\t\t\t\ttl, sqn + k);\n+\t\t\tinner_h = tun_process_step2(mb[i], ml[i], hl[i], adj,\n+\t\t\t\t\ttl, sqn + k);\n+\n+\t\t\tif ((sa->type & INB_TUN_HDR_MSK) != 0)\n+\t\t\t\tupdate_inb_tun_l3_hdr(sa, inner_h, outter_h);\n+\n \t\t\t/* update mbuf's metadata */\n \t\t\ttun_process_step3(mb[i], sa->tx_offload.msk,\n \t\t\t\tsa->tx_offload.val);\ndiff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c\nindex 862a9982d..a0fa9e660 100644\n--- a/lib/librte_ipsec/esp_outb.c\n+++ b/lib/librte_ipsec/esp_outb.c\n@@ -152,8 +152,8 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,\n \trte_memcpy(ph, sa->hdr, sa->hdr_len);\n \n \t/* update original and new ip header fields */\n-\tupdate_tun_l3hdr(sa, ph + sa->hdr_l3_off, mb->pkt_len, sa->hdr_l3_off,\n-\t\t\tsqn_low16(sqc));\n+\tupdate_outb_tun_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen, mb->pkt_len,\n+\t\t\tsa->hdr_l3_off, sqn_low16(sqc));\n \n \t/* update spi, seqn and iv */\n \tesph = (struct rte_esp_hdr *)(ph + sa->hdr_len);\ndiff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h\nindex 62d78b7b1..a4e7070e3 100644\n--- a/lib/librte_ipsec/iph.h\n+++ b/lib/librte_ipsec/iph.h\n@@ -5,14 +5,17 @@\n #ifndef _IPH_H_\n #define _IPH_H_\n \n-#include <rte_ip.h>\n-\n /**\n  * @file iph.h\n  * Contains functions/structures/macros to manipulate IPv4/IPv6 headers\n  * used internally by ipsec library.\n  */\n \n+#define IPV6_DSCP_MASK\t(RTE_IP_DSCP_MASK << RTE_IPV6_HDR_TC_SHIFT)\n+#define IPV6_ECN_MASK\t(RTE_IP_ECN_MASK << RTE_IPV6_HDR_TC_SHIFT)\n+#define IPV6_TOS_MASK\t(IPV6_ECN_MASK | IPV6_DSCP_MASK)\n+#define IPV6_ECN_CE\tIPV6_ECN_MASK\n+\n /*\n  * Move preceding (L3) headers down to remove ESP header and IV.\n  */\n@@ -37,6 +40,26 @@ insert_esph(char *np, char *op, uint32_t hlen)\n \t\tnp[i] = op[i];\n }\n \n+static inline uint8_t\n+get_ipv6_tos(rte_be32_t vtc_flow)\n+{\n+\tuint32_t v;\n+\n+\tv = rte_be_to_cpu_32(vtc_flow);\n+\treturn v >> RTE_IPV6_HDR_TC_SHIFT;\n+}\n+\n+static inline rte_be32_t\n+set_ipv6_tos(rte_be32_t vtc_flow, uint32_t tos)\n+{\n+\tuint32_t v;\n+\n+\tv = rte_cpu_to_be_32(tos << RTE_IPV6_HDR_TC_SHIFT);\n+\tvtc_flow &= ~rte_cpu_to_be_32(IPV6_TOS_MASK);\n+\n+\treturn (v | vtc_flow);\n+}\n+\n /* update original ip header fields for transport case */\n static inline int\n update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,\n@@ -103,21 +126,120 @@ update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,\n \n /* update original and new ip header fields for tunnel case */\n static inline void\n-update_tun_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,\n-\t\tuint32_t l2len, rte_be16_t pid)\n+update_outb_tun_l3hdr(const struct rte_ipsec_sa *sa, void *outh,\n+\t\tconst void *inh, uint32_t plen, uint32_t l2len, rte_be16_t pid)\n {\n \tstruct rte_ipv4_hdr *v4h;\n \tstruct rte_ipv6_hdr *v6h;\n+\tuint32_t itp, otp;\n+\tconst struct rte_ipv4_hdr *v4in_h;\n+\tconst struct rte_ipv6_hdr *v6in_h;\n \n \tif (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {\n-\t\tv4h = p;\n+\t\tv4h = outh;\n \t\tv4h->packet_id = pid;\n \t\tv4h->total_length = rte_cpu_to_be_16(plen - l2len);\n+\n+\t\tif ((sa->type & INB_TUN_HDR_MSK) == 0)\n+\t\t\treturn;\n+\n+\t\tif ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==\n+\t\t\t\tRTE_IPSEC_SATP_IPV4) {\n+\t\t\t/* ipv4 inner header */\n+\t\t\tv4in_h = inh;\n+\n+\t\t\totp = v4h->type_of_service & ~sa->tos_mask;\n+\t\t\titp = v4in_h->type_of_service & sa->tos_mask;\n+\t\t\tv4h->type_of_service = (otp | itp);\n+\t\t} else {\n+\t\t\t/* ipv6 inner header */\n+\t\t\tv6in_h = inh;\n+\n+\t\t\totp = v4h->type_of_service & ~sa->tos_mask;\n+\t\t\titp = get_ipv6_tos(v6in_h->vtc_flow) & sa->tos_mask;\n+\t\t\tv4h->type_of_service = (otp | itp);\n+\t\t}\n \t} else {\n-\t\tv6h = p;\n+\t\tv6h = outh;\n \t\tv6h->payload_len = rte_cpu_to_be_16(plen - l2len -\n \t\t\t\tsizeof(*v6h));\n+\n+\t\tif ((sa->type & INB_TUN_HDR_MSK) == 0)\n+\t\t\treturn;\n+\n+\t\tif ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==\n+\t\t\t\tRTE_IPSEC_SATP_IPV4) {\n+\t\t\t/* ipv4 inner header */\n+\t\t\tv4in_h = inh;\n+\n+\t\t\totp = get_ipv6_tos(v6h->vtc_flow) & ~sa->tos_mask;\n+\t\t\titp = v4in_h->type_of_service & sa->tos_mask;\n+\t\t\tv6h->vtc_flow = set_ipv6_tos(v6h->vtc_flow, otp | itp);\n+\t\t} else {\n+\t\t\t/* ipv6 inner header */\n+\t\t\tv6in_h = inh;\n+\n+\t\t\totp = get_ipv6_tos(v6h->vtc_flow) & ~sa->tos_mask;\n+\t\t\titp = get_ipv6_tos(v6in_h->vtc_flow) & sa->tos_mask;\n+\t\t\tv6h->vtc_flow = set_ipv6_tos(v6h->vtc_flow, otp | itp);\n+\t\t}\n+\t}\n+}\n+\n+static inline void\n+update_inb_tun_l3_hdr(const struct rte_ipsec_sa *sa, void *ip_inner,\n+\t\tconst void *ip_outter)\n+{\n+\tstruct rte_ipv4_hdr *inner_v4h;\n+\tconst struct rte_ipv4_hdr *outter_v4h;\n+\tstruct rte_ipv6_hdr *inner_v6h;\n+\tconst struct rte_ipv6_hdr *outter_v6h;\n+\tuint8_t ecn_v4out, ecn_v4in;\n+\tuint32_t ecn_v6out, ecn_v6in;\n+\n+\tinner_v4h = ip_inner;\n+\toutter_v4h = ip_outter;\n+\n+\tinner_v6h = ip_inner;\n+\toutter_v6h = ip_outter;\n+\n+\t/* <update ecn bits in inner IP header> */\n+\tif (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {\n+\n+\t\tecn_v4out = outter_v4h->type_of_service & RTE_IP_ECN_MASK;\n+\n+\t\tif ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==\n+\t\t\t\tRTE_IPSEC_SATP_IPV4) {\n+\t\t\tecn_v4in = inner_v4h->type_of_service & RTE_IP_ECN_MASK;\n+\t\t\tif (ecn_v4out == RTE_IP_ECN_CE && ecn_v4in != 0)\n+\t\t\t\tinner_v4h->type_of_service |= RTE_IP_ECN_CE;\n+\t\t} else {\n+\t\t\tecn_v6in = inner_v6h->vtc_flow &\n+\t\t\t\t\trte_cpu_to_be_32(IPV6_ECN_MASK);\n+\t\t\tif (ecn_v4out == RTE_IP_ECN_CE && ecn_v6in != 0)\n+\t\t\t\tinner_v6h->vtc_flow |=\n+\t\t\t\t\t\trte_cpu_to_be_32(IPV6_ECN_CE);\n+\t\t}\n+\t} else {\n+\t\tecn_v6out = outter_v6h->vtc_flow &\n+\t\t\t\trte_cpu_to_be_32(IPV6_ECN_MASK);\n+\n+\t\tif ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==\n+\t\t\t\tRTE_IPSEC_SATP_IPV6) {\n+\t\t\tecn_v6in = inner_v6h->vtc_flow &\n+\t\t\t\t\trte_cpu_to_be_32(IPV6_ECN_MASK);\n+\t\t\tif ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&\n+\t\t\t\t\t(ecn_v6in != 0))\n+\t\t\t\tinner_v6h->vtc_flow |=\n+\t\t\t\t\t\trte_cpu_to_be_32(IPV6_ECN_CE);\n+\t\t} else {\n+\t\t\tecn_v4in = inner_v4h->type_of_service & RTE_IP_ECN_MASK;\n+\t\t\tif ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&\n+\t\t\t\t\t(ecn_v4in != 0))\n+\t\t\t\tinner_v4h->type_of_service |= RTE_IP_ECN_CE;\n+\t\t}\n \t}\n }\n \n #endif /* _IPH_H_ */\n+\ndiff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h\nindex fd9b3ed60..8f179ee9d 100644\n--- a/lib/librte_ipsec/rte_ipsec_sa.h\n+++ b/lib/librte_ipsec/rte_ipsec_sa.h\n@@ -95,6 +95,11 @@ enum {\n \tRTE_SATP_LOG2_MODE,\n \tRTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,\n \tRTE_SATP_LOG2_ESN,\n+\tRTE_SATP_LOG2_ECN,\n+\tRTE_SATP_LOG2_DSCP,\n+\tRTE_SATP_LOG2_TTL,\n+\tRTE_SATP_LOG2_DF,\n+\tRTE_SATP_LOG2_FLABEL,\n \tRTE_SATP_LOG2_NUM\n };\n \n@@ -123,6 +128,26 @@ enum {\n #define RTE_IPSEC_SATP_ESN_DISABLE\t(0ULL << RTE_SATP_LOG2_ESN)\n #define RTE_IPSEC_SATP_ESN_ENABLE\t(1ULL << RTE_SATP_LOG2_ESN)\n \n+#define RTE_IPSEC_SATP_ECN_MASK\t\t(1ULL << RTE_SATP_LOG2_ECN)\n+#define RTE_IPSEC_SATP_ECN_DISABLE\t(0ULL << RTE_SATP_LOG2_ECN)\n+#define RTE_IPSEC_SATP_ECN_ENABLE\t(1ULL << RTE_SATP_LOG2_ECN)\n+\n+#define RTE_IPSEC_SATP_DSCP_MASK\t(1ULL << RTE_SATP_LOG2_DSCP)\n+#define RTE_IPSEC_SATP_DSCP_DISABLE\t(0ULL << RTE_SATP_LOG2_DSCP)\n+#define RTE_IPSEC_SATP_DSCP_ENABLE\t(1ULL << RTE_SATP_LOG2_DSCP)\n+\n+#define RTE_IPSEC_SATP_TTL_MASK\t\t(1ULL << RTE_SATP_LOG2_TTL)\n+#define RTE_IPSEC_SATP_TTL_DISABLE\t(0ULL << RTE_SATP_LOG2_TTL)\n+#define RTE_IPSEC_SATP_TTL_ENABLE\t(1ULL << RTE_SATP_LOG2_TTL)\n+\n+#define RTE_IPSEC_SATP_DF_MASK\t\t(1ULL << RTE_SATP_LOG2_DF)\n+#define RTE_IPSEC_SATP_DF_DISABLE\t(0ULL << RTE_SATP_LOG2_DF)\n+#define RTE_IPSEC_SATP_DF_ENABLE\t(1ULL << RTE_SATP_LOG2_DF)\n+\n+#define RTE_IPSEC_SATP_FLABEL_MASK\t(1ULL << RTE_SATP_LOG2_FLABEL)\n+#define RTE_IPSEC_SATP_FLABEL_DISABLE\t(0ULL << RTE_SATP_LOG2_FLABEL)\n+#define RTE_IPSEC_SATP_FLABEL_ENABLE\t(1ULL << RTE_SATP_LOG2_FLABEL)\n+\n /**\n  * get type of given SA\n  * @return\ndiff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c\nindex 1cb71caa1..952442785 100644\n--- a/lib/librte_ipsec/sa.c\n+++ b/lib/librte_ipsec/sa.c\n@@ -220,6 +220,17 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type)\n \telse\n \t\ttp |= RTE_IPSEC_SATP_SQN_RAW;\n \n+\t/* check for ECN flag */\n+\tif (prm->ipsec_xform.options.ecn == 0)\n+\t\ttp |= RTE_IPSEC_SATP_ECN_DISABLE;\n+\telse\n+\t\ttp |= RTE_IPSEC_SATP_ECN_ENABLE;\n+\t/* check for DSCP flag */\n+\tif (prm->ipsec_xform.options.copy_dscp == 0)\n+\t\ttp |= RTE_IPSEC_SATP_DSCP_DISABLE;\n+\telse\n+\t\ttp |= RTE_IPSEC_SATP_DSCP_ENABLE;\n+\n \t*type = tp;\n \treturn 0;\n }\n@@ -310,6 +321,12 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,\n \tstatic const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |\n \t\t\t\tRTE_IPSEC_SATP_MODE_MASK;\n \n+\tif (prm->ipsec_xform.options.ecn)\n+\t\tsa->tos_mask |= RTE_IP_ECN_MASK;\n+\n+\tif (prm->ipsec_xform.options.copy_dscp)\n+\t\tsa->tos_mask |= RTE_IP_DSCP_MASK;\n+\n \tif (cxf->aead != NULL) {\n \t\tswitch (cxf->aead->algo) {\n \t\tcase RTE_CRYPTO_AEAD_AES_GCM:\ndiff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h\nindex ffb5fb4f8..41e0b78c9 100644\n--- a/lib/librte_ipsec/sa.h\n+++ b/lib/librte_ipsec/sa.h\n@@ -10,6 +10,7 @@\n #define IPSEC_MAX_HDR_SIZE\t64\n #define IPSEC_MAX_IV_SIZE\t16\n #define IPSEC_MAX_IV_QWORD\t(IPSEC_MAX_IV_SIZE / sizeof(uint64_t))\n+#define INB_TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)\n \n /* padding alignment for different algorithms */\n enum {\n@@ -103,6 +104,7 @@ struct rte_ipsec_sa {\n \tuint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */\n \tuint8_t iv_len;\n \tuint8_t pad_align;\n+\tuint8_t tos_mask;\n \n \t/* template for tunnel header */\n \tuint8_t hdr[IPSEC_MAX_HDR_SIZE];\ndiff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h\nindex c2c67b85d..85c53e8d9 100644\n--- a/lib/librte_net/rte_ip.h\n+++ b/lib/librte_net/rte_ip.h\n@@ -46,6 +46,17 @@ struct rte_ipv4_hdr {\n \t\t\t\t\t   (((b) & 0xff) << 16) | \\\n \t\t\t\t\t   (((c) & 0xff) << 8)  | \\\n \t\t\t\t\t   ((d) & 0xff))\n+/**\n+ * RFC 3168 Explicit Congestion Notification (ECN)\n+ * * ECT(1) (ECN-Capable Transport(1))\n+ * * ECT(0) (ECN-Capable Transport(0))\n+ * * ECT(CE)(CE (Congestion Experienced))\n+ */\n+#define RTE_IP_ECN_MASK\t\t(0x03)\n+#define RTE_IP_ECN_CE\t\tRTE_IP_ECN_MASK\n+\n+/** Packet Option Masks */\n+#define RTE_IP_DSCP_MASK\t\t(0xFC)\n \n /** Maximal IPv4 packet length (including a header) */\n #define RTE_IPV4_MAX_PKT_LEN        65535\ndiff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h\nindex 76f54e0e0..d0492928c 100644\n--- a/lib/librte_security/rte_security.h\n+++ b/lib/librte_security/rte_security.h\n@@ -163,6 +163,15 @@ struct rte_security_ipsec_sa_options {\n \t * * 0: Inner packet is not modified.\n \t */\n \tuint32_t dec_ttl : 1;\n+\n+\t/**< Explicit Congestion Notification (ECN)\n+\t *\n+\t * * 1: In tunnel mode, enable outer header ECN Field copied from\n+\t *      inner header in tunnel encapsulation, or inner header ECN\n+\t *      field construction in decapsulation.\n+\t * * 0: Inner/outer header are not modified.\n+\t */\n+\tuint32_t ecn : 1;\n };\n \n /** IPSec security association direction */\n",
    "prefixes": [
        "v2",
        "1/2"
    ]
}