get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/55761/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 55761,
    "url": "http://patches.dpdk.org/api/patches/55761/?format=api",
    "web_url": "http://patches.dpdk.org/project/dpdk/patch/20190701120124.70418-2-roy.fan.zhang@intel.com/",
    "project": {
        "id": 1,
        "url": "http://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20190701120124.70418-2-roy.fan.zhang@intel.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20190701120124.70418-2-roy.fan.zhang@intel.com",
    "date": "2019-07-01T12:01:23",
    "name": "[v6,1/2] lib/ipsec: add support for header construction",
    "commit_ref": null,
    "pull_url": null,
    "state": "superseded",
    "archived": true,
    "hash": "4f387053e991000839ff53bcfd08e51187905fd3",
    "submitter": {
        "id": 304,
        "url": "http://patches.dpdk.org/api/people/304/?format=api",
        "name": "Fan Zhang",
        "email": "roy.fan.zhang@intel.com"
    },
    "delegate": {
        "id": 6690,
        "url": "http://patches.dpdk.org/api/users/6690/?format=api",
        "username": "akhil",
        "first_name": "akhil",
        "last_name": "goyal",
        "email": "gakhil@marvell.com"
    },
    "mbox": "http://patches.dpdk.org/project/dpdk/patch/20190701120124.70418-2-roy.fan.zhang@intel.com/mbox/",
    "series": [
        {
            "id": 5243,
            "url": "http://patches.dpdk.org/api/series/5243/?format=api",
            "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=5243",
            "date": "2019-07-01T12:01:22",
            "name": "ipsec: ECN and DSCP header reconstruction",
            "version": 6,
            "mbox": "http://patches.dpdk.org/series/5243/mbox/"
        }
    ],
    "comments": "http://patches.dpdk.org/api/patches/55761/comments/",
    "check": "fail",
    "checks": "http://patches.dpdk.org/api/patches/55761/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@dpdk.org",
        "Delivered-To": "patchwork@dpdk.org",
        "Received": [
            "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 6AA3A1B945;\n\tMon,  1 Jul 2019 14:07:21 +0200 (CEST)",
            "from mga04.intel.com (mga04.intel.com [192.55.52.120])\n\tby dpdk.org (Postfix) with ESMTP id B55F53195\n\tfor <dev@dpdk.org>; Mon,  1 Jul 2019 14:07:18 +0200 (CEST)",
            "from orsmga004.jf.intel.com ([10.7.209.38])\n\tby fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t01 Jul 2019 05:07:18 -0700",
            "from silpixa00398673.ir.intel.com (HELO\n\tsilpixa00398673.ger.corp.intel.com) ([10.237.223.136])\n\tby orsmga004.jf.intel.com with ESMTP; 01 Jul 2019 05:07:16 -0700"
        ],
        "X-Amp-Result": "SKIPPED(no attachment in message)",
        "X-Amp-File-Uploaded": "False",
        "X-ExtLoop1": "1",
        "X-IronPort-AV": "E=Sophos;i=\"5.63,439,1557212400\"; d=\"scan'208\";a=\"314864218\"",
        "From": "Fan Zhang <roy.fan.zhang@intel.com>",
        "To": "dev@dpdk.org",
        "Cc": "akhil.goyal@nxp.com, pablo.de.lara.guarch@intel.com,\n\tFan Zhang <roy.fan.zhang@intel.com>,\n\tMarko Kovacevic <marko.kovacevic@intel.com>",
        "Date": "Mon,  1 Jul 2019 13:01:23 +0100",
        "Message-Id": "<20190701120124.70418-2-roy.fan.zhang@intel.com>",
        "X-Mailer": "git-send-email 2.14.5",
        "In-Reply-To": "<20190701120124.70418-1-roy.fan.zhang@intel.com>",
        "References": "<20190626150509.17442-1-roy.fan.zhang@intel.com>\n\t<20190701120124.70418-1-roy.fan.zhang@intel.com>",
        "Subject": "[dpdk-dev] [PATCH v6 1/2] lib/ipsec: add support for header\n\tconstruction",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.15",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org",
        "Sender": "\"dev\" <dev-bounces@dpdk.org>"
    },
    "content": "Add support for RFC 4301(5.1.2) to update of\nType of service field and Traffic class field\nbits inside ipv4/ipv6 packets for outbound cases\nand inbound cases which deals with the update of\nthe DSCP/ENC bits inside each of the fields.\n\nSigned-off-by: Marko Kovacevic <marko.kovacevic@intel.com>\nSigned-off-by: Fan Zhang <roy.fan.zhang@intel.com>\nAcked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>\nTested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>\n---\n lib/librte_ipsec/esp_inb.c         |  13 ++-\n lib/librte_ipsec/esp_outb.c        |   4 +-\n lib/librte_ipsec/iph.h             | 168 ++++++++++++++++++++++++++++++++++++-\n lib/librte_ipsec/rte_ipsec_sa.h    |  10 +++\n lib/librte_ipsec/sa.c              |  18 ++++\n lib/librte_ipsec/sa.h              |   2 +\n lib/librte_net/rte_ip.h            |  12 +++\n lib/librte_security/rte_security.h |   9 ++\n 8 files changed, 228 insertions(+), 8 deletions(-)",
    "diff": "diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c\nindex fb10b7085..8e3ecbc64 100644\n--- a/lib/librte_ipsec/esp_inb.c\n+++ b/lib/librte_ipsec/esp_inb.c\n@@ -464,6 +464,8 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \tuint32_t hl[num], to[num];\n \tstruct esp_tail espt[num];\n \tstruct rte_mbuf *ml[num];\n+\tconst void *outh;\n+\tvoid *inh;\n \n \t/*\n \t * remove icv, esp trailer and high-order\n@@ -489,9 +491,16 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \t\tif (tun_process_check(mb[i], &ml[i], &to[i], espt[i], adj, tl,\n \t\t\t\t\tsa->proto) == 0) {\n \n+\t\t\touth = rte_pktmbuf_mtod_offset(mb[i], uint8_t *,\n+\t\t\t\t\tmb[i]->l2_len);\n+\n \t\t\t/* modify packet's layout */\n-\t\t\ttun_process_step2(mb[i], ml[i], hl[i], adj, to[i],\n-\t\t\t\ttl, sqn + k);\n+\t\t\tinh = tun_process_step2(mb[i], ml[i], hl[i], adj,\n+\t\t\t\t\tto[i], tl, sqn + k);\n+\n+\t\t\t/* update inner ip header */\n+\t\t\tupdate_tun_inb_l3hdr(sa, outh, inh);\n+\n \t\t\t/* update mbuf's metadata */\n \t\t\ttun_process_step3(mb[i], sa->tx_offload.msk,\n \t\t\t\tsa->tx_offload.val);\ndiff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c\nindex 8c6db3553..55799a867 100644\n--- a/lib/librte_ipsec/esp_outb.c\n+++ b/lib/librte_ipsec/esp_outb.c\n@@ -152,8 +152,8 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,\n \trte_memcpy(ph, sa->hdr, sa->hdr_len);\n \n \t/* update original and new ip header fields */\n-\tupdate_tun_l3hdr(sa, ph + sa->hdr_l3_off, mb->pkt_len - sqh_len,\n-\t\t\tsa->hdr_l3_off, sqn_low16(sqc));\n+\tupdate_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen,\n+\t\t\tmb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc));\n \n \t/* update spi, seqn and iv */\n \tesph = (struct rte_esp_hdr *)(ph + sa->hdr_len);\ndiff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h\nindex 62d78b7b1..90faff6d5 100644\n--- a/lib/librte_ipsec/iph.h\n+++ b/lib/librte_ipsec/iph.h\n@@ -101,23 +101,183 @@ update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,\n \treturn rc;\n }\n \n+/*\n+ * The masks for ipv6 header reconstruction (RFC4301)\n+ */\n+#define IPV6_DSCP_MASK\t(RTE_IP_DSCP_MASK << RTE_IPV6_HDR_TC_SHIFT)\n+#define IPV6_ECN_MASK\t(RTE_IP_ECN_MASK << RTE_IPV6_HDR_TC_SHIFT)\n+#define IPV6_TOS_MASK\t(IPV6_ECN_MASK | IPV6_DSCP_MASK)\n+#define IPV6_ECN_CE\tIPV6_ECN_MASK\n+\n+/*\n+ * Inline functions to get and set ipv6 packet header traffic class (TC) field.\n+ */\n+static inline uint8_t\n+get_ipv6_tc(rte_be32_t vtc_flow)\n+{\n+\tuint32_t v;\n+\n+\tv = rte_be_to_cpu_32(vtc_flow);\n+\treturn v >> RTE_IPV6_HDR_TC_SHIFT;\n+}\n+\n+static inline rte_be32_t\n+set_ipv6_tc(rte_be32_t vtc_flow, uint32_t tos)\n+{\n+\tuint32_t v;\n+\n+\tv = rte_cpu_to_be_32(tos << RTE_IPV6_HDR_TC_SHIFT);\n+\tvtc_flow &= ~rte_cpu_to_be_32(IPV6_TOS_MASK);\n+\n+\treturn (v | vtc_flow);\n+}\n+\n+/**\n+ * Update type-of-service/traffic-class field of outbound tunnel packet.\n+ *\n+ * @param ref_h: reference header, for outbound it is inner header, otherwise\n+ *   outer header.\n+ * @param update_h: header to be updated tos/tc field, for outbound it is outer\n+ *   header, otherwise inner header.\n+ * @param tos_mask: type-of-service mask stored in sa.\n+ * @param is_outh_ipv4: 1 if outer header is ipv4, 0 if it is ipv6.\n+ * @param is_inner_ipv4: 1 if inner header is ipv4, 0 if it is ipv6.\n+ */\n+static inline void\n+update_outb_tun_tos(const void *ref_h, void *update_h, uint32_t tos_mask,\n+\t\tuint8_t is_outh_ipv4, uint8_t is_inh_ipv4)\n+{\n+\tuint8_t idx = ((is_outh_ipv4 << 1) | is_inh_ipv4);\n+\tstruct rte_ipv4_hdr *v4out_h;\n+\tstruct rte_ipv6_hdr *v6out_h;\n+\tuint32_t itp, otp;\n+\n+\tswitch (idx) {\n+\tcase 0: /*outh ipv6, inh ipv6 */\n+\t\tv6out_h = update_h;\n+\t\totp = get_ipv6_tc(v6out_h->vtc_flow) & ~tos_mask;\n+\t\titp = get_ipv6_tc(((const struct rte_ipv6_hdr *)ref_h)->\n+\t\t\t\tvtc_flow) & tos_mask;\n+\t\tv6out_h->vtc_flow = set_ipv6_tc(v6out_h->vtc_flow, otp | itp);\n+\t\tbreak;\n+\tcase 1: /*outh ipv6, inh ipv4 */\n+\t\tv6out_h = update_h;\n+\t\totp = get_ipv6_tc(v6out_h->vtc_flow) & ~tos_mask;\n+\t\titp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &\n+\t\t\t\ttos_mask;\n+\t\tv6out_h->vtc_flow = set_ipv6_tc(v6out_h->vtc_flow, otp | itp);\n+\t\tbreak;\n+\tcase 2: /*outh ipv4, inh ipv6 */\n+\t\tv4out_h = update_h;\n+\t\totp = v4out_h->type_of_service & ~tos_mask;\n+\t\titp = get_ipv6_tc(((const struct rte_ipv6_hdr *)ref_h)->\n+\t\t\t\tvtc_flow) & tos_mask;\n+\t\tv4out_h->type_of_service = (otp | itp);\n+\t\tbreak;\n+\tcase 3: /* outh ipv4, inh ipv4 */\n+\t\tv4out_h = update_h;\n+\t\totp = v4out_h->type_of_service & ~tos_mask;\n+\t\titp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &\n+\t\t\t\ttos_mask;\n+\t\tv4out_h->type_of_service = (otp | itp);\n+\t\tbreak;\n+\t}\n+}\n+\n+/**\n+ * Update type-of-service/traffic-class field of inbound tunnel packet.\n+ *\n+ * @param ref_h: reference header, for outbound it is inner header, otherwise\n+ *   outer header.\n+ * @param update_h: header to be updated tos/tc field, for outbound it is outer\n+ *   header, otherwise inner header.\n+ * @param is_outh_ipv4: 1 if outer header is ipv4, 0 if it is ipv6.\n+ * @param is_inner_ipv4: 1 if inner header is ipv4, 0 if it is ipv6.\n+ */\n+static inline void\n+update_inb_tun_tos(const void *ref_h, void *update_h,\n+\t\tuint8_t is_outh_ipv4, uint8_t is_inh_ipv4)\n+{\n+\tuint8_t idx = ((is_outh_ipv4 << 1) | is_inh_ipv4);\n+\tstruct rte_ipv4_hdr *v4in_h;\n+\tstruct rte_ipv6_hdr *v6in_h;\n+\tuint8_t ecn_v4out, ecn_v4in;\n+\tuint32_t ecn_v6out, ecn_v6in;\n+\n+\tswitch (idx) {\n+\tcase 0: /* outh ipv6, inh ipv6 */\n+\t\tv6in_h = update_h;\n+\t\tecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &\n+\t\t\t\trte_cpu_to_be_32(IPV6_ECN_MASK);\n+\t\tecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK);\n+\t\tif ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&\n+\t\t\t\t(ecn_v6in != 0))\n+\t\t\tv6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE);\n+\t\tbreak;\n+\tcase 1: /* outh ipv6, inh ipv4 */\n+\t\tv4in_h = update_h;\n+\t\tecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &\n+\t\t\t\trte_cpu_to_be_32(IPV6_ECN_MASK);\n+\t\tecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK;\n+\t\tif ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&\n+\t\t\t\t(ecn_v4in != 0))\n+\t\t\tv4in_h->type_of_service |= RTE_IP_ECN_CE;\n+\t\tbreak;\n+\tcase 2: /* outh ipv4, inh ipv6 */\n+\t\tv6in_h = update_h;\n+\t\tecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->\n+\t\t\t\ttype_of_service & RTE_IP_ECN_MASK;\n+\t\tecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK);\n+\t\tif (ecn_v4out == RTE_IP_ECN_CE && ecn_v6in != 0)\n+\t\t\tv6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE);\n+\t\tbreak;\n+\tcase 3: /* outh ipv4, inh ipv4 */\n+\t\tv4in_h = update_h;\n+\t\tecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->\n+\t\t\t\ttype_of_service & RTE_IP_ECN_MASK;\n+\t\tecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK;\n+\t\tif (ecn_v4out == RTE_IP_ECN_CE && ecn_v4in != 0)\n+\t\t\tv4in_h->type_of_service |= RTE_IP_ECN_CE;\n+\t\tbreak;\n+\t}\n+}\n+\n /* update original and new ip header fields for tunnel case */\n static inline void\n-update_tun_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,\n-\t\tuint32_t l2len, rte_be16_t pid)\n+update_tun_outb_l3hdr(const struct rte_ipsec_sa *sa, void *outh,\n+\t\tconst void *inh, uint32_t plen, uint32_t l2len, rte_be16_t pid)\n {\n \tstruct rte_ipv4_hdr *v4h;\n \tstruct rte_ipv6_hdr *v6h;\n+\tuint8_t is_outh_ipv4;\n \n \tif (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {\n-\t\tv4h = p;\n+\t\tis_outh_ipv4 = 1;\n+\t\tv4h = outh;\n \t\tv4h->packet_id = pid;\n \t\tv4h->total_length = rte_cpu_to_be_16(plen - l2len);\n \t} else {\n-\t\tv6h = p;\n+\t\tis_outh_ipv4 = 0;\n+\t\tv6h = outh;\n \t\tv6h->payload_len = rte_cpu_to_be_16(plen - l2len -\n \t\t\t\tsizeof(*v6h));\n \t}\n+\n+\tif (sa->type & TUN_HDR_MSK)\n+\t\tupdate_outb_tun_tos(inh, outh, sa->tos_mask, is_outh_ipv4,\n+\t\t\t\t((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==\n+\t\t\t\t\tRTE_IPSEC_SATP_IPV4));\n+}\n+\n+static inline void\n+update_tun_inb_l3hdr(const struct rte_ipsec_sa *sa, const void *outh,\n+\t\tvoid *inh)\n+{\n+\tif (sa->type & TUN_HDR_MSK)\n+\t\tupdate_inb_tun_tos(outh, inh,\n+\t\t\t\t((sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) != 0),\n+\t\t\t\t((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==\n+\t\t\t\t\t\tRTE_IPSEC_SATP_IPV4));\n }\n \n #endif /* _IPH_H_ */\ndiff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h\nindex fd9b3ed60..a71b55f68 100644\n--- a/lib/librte_ipsec/rte_ipsec_sa.h\n+++ b/lib/librte_ipsec/rte_ipsec_sa.h\n@@ -95,6 +95,8 @@ enum {\n \tRTE_SATP_LOG2_MODE,\n \tRTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,\n \tRTE_SATP_LOG2_ESN,\n+\tRTE_SATP_LOG2_ECN,\n+\tRTE_SATP_LOG2_DSCP,\n \tRTE_SATP_LOG2_NUM\n };\n \n@@ -123,6 +125,14 @@ enum {\n #define RTE_IPSEC_SATP_ESN_DISABLE\t(0ULL << RTE_SATP_LOG2_ESN)\n #define RTE_IPSEC_SATP_ESN_ENABLE\t(1ULL << RTE_SATP_LOG2_ESN)\n \n+#define RTE_IPSEC_SATP_ECN_MASK\t\t(1ULL << RTE_SATP_LOG2_ECN)\n+#define RTE_IPSEC_SATP_ECN_DISABLE\t(0ULL << RTE_SATP_LOG2_ECN)\n+#define RTE_IPSEC_SATP_ECN_ENABLE\t(1ULL << RTE_SATP_LOG2_ECN)\n+\n+#define RTE_IPSEC_SATP_DSCP_MASK\t(1ULL << RTE_SATP_LOG2_DSCP)\n+#define RTE_IPSEC_SATP_DSCP_DISABLE\t(0ULL << RTE_SATP_LOG2_DSCP)\n+#define RTE_IPSEC_SATP_DSCP_ENABLE\t(1ULL << RTE_SATP_LOG2_DSCP)\n+\n /**\n  * get type of given SA\n  * @return\ndiff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c\nindex 087de958a..4dec9c37d 100644\n--- a/lib/librte_ipsec/sa.c\n+++ b/lib/librte_ipsec/sa.c\n@@ -214,6 +214,18 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type)\n \telse\n \t\ttp |= RTE_IPSEC_SATP_ESN_ENABLE;\n \n+\t/* check for ECN flag */\n+\tif (prm->ipsec_xform.options.ecn == 0)\n+\t\ttp |= RTE_IPSEC_SATP_ECN_DISABLE;\n+\telse\n+\t\ttp |= RTE_IPSEC_SATP_ECN_ENABLE;\n+\n+\t/* check for DSCP flag */\n+\tif (prm->ipsec_xform.options.copy_dscp == 0)\n+\t\ttp |= RTE_IPSEC_SATP_DSCP_DISABLE;\n+\telse\n+\t\ttp |= RTE_IPSEC_SATP_DSCP_ENABLE;\n+\n \t/* interpret flags */\n \tif (prm->flags & RTE_IPSEC_SAFLAG_SQN_ATOM)\n \t\ttp |= RTE_IPSEC_SATP_SQN_ATOM;\n@@ -310,6 +322,12 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,\n \tstatic const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |\n \t\t\t\tRTE_IPSEC_SATP_MODE_MASK;\n \n+\tif (prm->ipsec_xform.options.ecn)\n+\t\tsa->tos_mask |= RTE_IP_ECN_MASK;\n+\n+\tif (prm->ipsec_xform.options.copy_dscp)\n+\t\tsa->tos_mask |= RTE_IP_DSCP_MASK;\n+\n \tif (cxf->aead != NULL) {\n \t\tswitch (cxf->aead->algo) {\n \t\tcase RTE_CRYPTO_AEAD_AES_GCM:\ndiff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h\nindex 20c0a65c0..51e69ad05 100644\n--- a/lib/librte_ipsec/sa.h\n+++ b/lib/librte_ipsec/sa.h\n@@ -10,6 +10,7 @@\n #define IPSEC_MAX_HDR_SIZE\t64\n #define IPSEC_MAX_IV_SIZE\t16\n #define IPSEC_MAX_IV_QWORD\t(IPSEC_MAX_IV_SIZE / sizeof(uint64_t))\n+#define TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)\n \n /* padding alignment for different algorithms */\n enum {\n@@ -103,6 +104,7 @@ struct rte_ipsec_sa {\n \tuint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */\n \tuint8_t iv_len;\n \tuint8_t pad_align;\n+\tuint8_t tos_mask;\n \n \t/* template for tunnel header */\n \tuint8_t hdr[IPSEC_MAX_HDR_SIZE];\ndiff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h\nindex c2c67b85d..2e5790691 100644\n--- a/lib/librte_net/rte_ip.h\n+++ b/lib/librte_net/rte_ip.h\n@@ -70,6 +70,18 @@ struct rte_ipv4_hdr {\n \n #define\tRTE_IPV4_HDR_OFFSET_UNITS\t8\n \n+/**\n+ * RFC 3168 Explicit Congestion Notification (ECN)\n+ * * ECT(1) (ECN-Capable Transport(1))\n+ * * ECT(0) (ECN-Capable Transport(0))\n+ * * ECT(CE)(CE (Congestion Experienced))\n+ */\n+#define RTE_IP_ECN_MASK\t\t(0x03)\n+#define RTE_IP_ECN_CE\t\tRTE_IP_ECN_MASK\n+\n+/** Packet Option Masks */\n+#define RTE_IP_DSCP_MASK\t\t(0xFC)\n+\n /*\n  * IPv4 address types\n  */\ndiff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h\nindex 76f54e0e0..d0492928c 100644\n--- a/lib/librte_security/rte_security.h\n+++ b/lib/librte_security/rte_security.h\n@@ -163,6 +163,15 @@ struct rte_security_ipsec_sa_options {\n \t * * 0: Inner packet is not modified.\n \t */\n \tuint32_t dec_ttl : 1;\n+\n+\t/**< Explicit Congestion Notification (ECN)\n+\t *\n+\t * * 1: In tunnel mode, enable outer header ECN Field copied from\n+\t *      inner header in tunnel encapsulation, or inner header ECN\n+\t *      field construction in decapsulation.\n+\t * * 0: Inner/outer header are not modified.\n+\t */\n+\tuint32_t ecn : 1;\n };\n \n /** IPSec security association direction */\n",
    "prefixes": [
        "v6",
        "1/2"
    ]
}