Patch Detail
GET /api/patches/61432/?format=api
http://patches.dpdk.org/api/patches/61432/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/patch/7141ff3797906daf03a38169d21e5f8fcb1230d0.1571322983.git.vladimir.medvedkin@intel.com/", "project": { "id": 1, "url": "http://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<7141ff3797906daf03a38169d21e5f8fcb1230d0.1571322983.git.vladimir.medvedkin@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/7141ff3797906daf03a38169d21e5f8fcb1230d0.1571322983.git.vladimir.medvedkin@intel.com", "date": "2019-10-17T15:48:03", "name": "[v6,6/6] doc/ipsec: update ipsec programmer's guide", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "c5349133149ab7823251c1397c2094891a180e74", "submitter": { "id": 1216, "url": "http://patches.dpdk.org/api/people/1216/?format=api", "name": "Vladimir Medvedkin", "email": "vladimir.medvedkin@intel.com" }, "delegate": { "id": 6690, "url": "http://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patches.dpdk.org/project/dpdk/patch/7141ff3797906daf03a38169d21e5f8fcb1230d0.1571322983.git.vladimir.medvedkin@intel.com/mbox/", "series": [ { "id": 6917, "url": "http://patches.dpdk.org/api/series/6917/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=6917", "date": "2019-10-17T15:47:57", "name": "ipsec: add inbound SAD", "version": 6, "mbox": "http://patches.dpdk.org/series/6917/mbox/" } ], "comments": "http://patches.dpdk.org/api/patches/61432/comments/", "check": "success", "checks": 
"http://patches.dpdk.org/api/patches/61432/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@dpdk.org", "Delivered-To": "patchwork@dpdk.org", "Received": [ "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id BE2471EA42;\n\tThu, 17 Oct 2019 17:48:30 +0200 (CEST)", "from mga12.intel.com (mga12.intel.com [192.55.52.136])\n\tby dpdk.org (Postfix) with ESMTP id 90C231E9F1\n\tfor <dev@dpdk.org>; Thu, 17 Oct 2019 17:48:18 +0200 (CEST)", "from orsmga005.jf.intel.com ([10.7.209.41])\n\tby fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t17 Oct 2019 08:48:18 -0700", "from silpixa00400072.ir.intel.com ([10.237.222.213])\n\tby orsmga005.jf.intel.com with ESMTP; 17 Oct 2019 08:48:16 -0700" ], "X-Amp-Result": "SKIPPED(no attachment in message)", "X-Amp-File-Uploaded": "False", "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos;i=\"5.67,308,1566889200\"; d=\"scan'208\";a=\"371174165\"", "From": "Vladimir Medvedkin <vladimir.medvedkin@intel.com>", "To": "dev@dpdk.org", "Cc": "konstantin.ananyev@intel.com, bernard.iremonger@intel.com,\n\takhil.goyal@nxp.com", "Date": "Thu, 17 Oct 2019 16:48:03 +0100", "Message-Id": "<7141ff3797906daf03a38169d21e5f8fcb1230d0.1571322983.git.vladimir.medvedkin@intel.com>", "X-Mailer": "git-send-email 2.7.4", "In-Reply-To": [ "<cover.1571322982.git.vladimir.medvedkin@intel.com>", "<cover.1571322982.git.vladimir.medvedkin@intel.com>" ], "References": [ "<cover.1571322982.git.vladimir.medvedkin@intel.com>", "<cover.1570725871.git.vladimir.medvedkin@intel.com>\n\t<cover.1571322982.git.vladimir.medvedkin@intel.com>" ], "Subject": "[dpdk-dev] [PATCH v6 6/6] doc/ipsec: update ipsec programmer's guide", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": 
"<https://mails.dpdk.org/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Add section about ipsec SAD\nUpdate release notes\n\nSigned-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>\n---\n doc/guides/prog_guide/ipsec_lib.rst | 152 +++++++++++++++++++++++++++++++++\n doc/guides/rel_notes/release_19_11.rst | 3 +\n 2 files changed, 155 insertions(+)", "diff": "diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst\nindex 63b75b6..4487e4c 100644\n--- a/doc/guides/prog_guide/ipsec_lib.rst\n+++ b/doc/guides/prog_guide/ipsec_lib.rst\n@@ -143,6 +143,158 @@ In that mode the library functions perform\n To accommodate future custom implementations function pointers\n model is used for both *crypto_prepare* and *process* implementations.\n \n+SA database API\n+----------------\n+\n+SA database(SAD) is a table with <key, value> pairs.\n+\n+Value is an opaque user provided pointer to the user defined SA data structure.\n+\n+According to RFC4301 each SA can be uniquely identified by a key\n+which is either:\n+\n+ - security parameter index(SPI)\n+ - or SPI and destination IP(DIP)\n+ - or SPI, DIP and source IP(SIP)\n+\n+In case of multiple matches, longest matching key will be returned.\n+\n+Create/destroy\n+~~~~~~~~~~~~~~\n+\n+librte_ipsec SAD implementation provides ability to create/destroy SAD tables.\n+\n+To create SAD table user has to specify how many entries of each key type is\n+required and IP protocol type (IPv4/IPv6).\n+As an example:\n+\n+\n+.. 
code-block:: c\n+\n+ struct rte_ipsec_sad *sad;\n+ struct rte_ipsec_sad_conf conf;\n+\n+ conf.socket_id = -1;\n+ conf.max_sa[RTE_IPSEC_SAD_SPI_ONLY] = some_nb_rules_spi_only;\n+ conf.max_sa[RTE_IPSEC_SAD_SPI_DIP] = some_nb_rules_spi_dip;\n+ conf.max_sa[RTE_IPSEC_SAD_SPI_DIP_SIP] = some_nb_rules_spi_dip_sip;\n+ conf.flags = RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY;\n+\n+ sad = rte_ipsec_sad_create(\"test\", &conf);\n+\n+.. note::\n+\n+ for more information please refer to ipsec library API reference\n+\n+Add/delete rules\n+~~~~~~~~~~~~~~~~\n+\n+Library also provides methods to add or delete key/value pairs from the SAD.\n+To add user has to specify key, key type and a value which is an opaque pointer to SA.\n+The key type reflects a set of tuple fields that will be used for lookup of the SA.\n+As mentioned above there are 3 types of a key and the representation of a key type is:\n+\n+.. code-block:: c\n+\n+ RTE_IPSEC_SAD_SPI_ONLY,\n+ RTE_IPSEC_SAD_SPI_DIP,\n+ RTE_IPSEC_SAD_SPI_DIP_SIP,\n+\n+As an example, to add new entry into the SAD for IPv4 addresses:\n+\n+.. code-block:: c\n+\n+ struct rte_ipsec_sa *sa;\n+ union rte_ipsec_sad_key key;\n+\n+ key.v4.spi = rte_cpu_to_be_32(spi_val);\n+ if (key_type >= RTE_IPSEC_SAD_SPI_DIP) /* DIP is optional*/\n+ key.v4.dip = rte_cpu_to_be_32(dip_val);\n+ if (key_type == RTE_IPSEC_SAD_SPI_DIP_SIP) /* SIP is optional*/\n+ key.v4.sip = rte_cpu_to_be_32(sip_val);\n+\n+ rte_ipsec_sad_add(sad, &key, key_type, sa);\n+\n+.. note::\n+\n+ By performance reason it is better to keep spi/dip/sip in net byte order\n+ to eliminate byteswap on lookup\n+\n+To delete user has to specify key and key type.\n+\n+Delete code would look like:\n+\n+.. 
code-block:: c\n+\n+ union rte_ipsec_sad_key key;\n+\n+ key.v4.spi = rte_cpu_to_be_32(necessary_spi);\n+ if (key_type >= RTE_IPSEC_SAD_SPI_DIP) /* DIP is optional*/\n+ key.v4.dip = rte_cpu_to_be_32(necessary_dip);\n+ if (key_type == RTE_IPSEC_SAD_SPI_DIP_SIP) /* SIP is optional*/\n+ key.v4.sip = rte_cpu_to_be_32(necessary_sip);\n+\n+ rte_ipsec_sad_del(sad, &key, key_type);\n+\n+\n+Lookup\n+~~~~~~\n+Library provides lookup by the given {SPI,DIP,SIP} tuple of\n+inbound ipsec packet as a key.\n+\n+The search key is represented by:\n+\n+.. code-block:: c\n+\n+ union rte_ipsec_sad_key {\n+ struct rte_ipsec_sadv4_key v4;\n+ struct rte_ipsec_sadv6_key v6;\n+ };\n+\n+where v4 is a tuple for IPv4:\n+\n+.. code-block:: c\n+\n+ struct rte_ipsec_sadv4_key {\n+ uint32_t spi;\n+ uint32_t dip;\n+ uint32_t sip;\n+ };\n+\n+and v6 is a tuple for IPv6:\n+\n+.. code-block:: c\n+\n+ struct rte_ipsec_sadv6_key {\n+ uint32_t spi;\n+ uint8_t dip[16];\n+ uint8_t sip[16];\n+ };\n+\n+As an example, lookup related code could look like that:\n+\n+.. 
code-block:: c\n+\n+ int i;\n+ union rte_ipsec_sad_key keys[BURST_SZ];\n+ const union rte_ipsec_sad_key *keys_p[BURST_SZ];\n+ void *vals[BURST_SZ];\n+\n+ for (i = 0; i < BURST_SZ_MAX; i++) {\n+ keys[i].v4.spi = esp_hdr[i]->spi;\n+ keys[i].v4.dip = ipv4_hdr[i]->dst_addr;\n+ keys[i].v4.sip = ipv4_hdr[i]->src_addr;\n+ keys_p[i] = &keys[i];\n+ }\n+ rte_ipsec_sad_lookup(sad, keys_p, vals, BURST_SZ);\n+\n+ for (i = 0; i < BURST_SZ_MAX; i++) {\n+ if (vals[i] == NULL)\n+ printf(\"SA not found for key index %d\\n\", i);\n+ else\n+ printf(\"SA pointer is %p\\n\", vals[i]);\n+ }\n+\n \n Supported features\n ------------------\ndiff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst\nindex 85953b9..581f311 100644\n--- a/doc/guides/rel_notes/release_19_11.rst\n+++ b/doc/guides/rel_notes/release_19_11.rst\n@@ -115,6 +115,9 @@ New Features\n Added eBPF JIT support for arm64 architecture to improve the eBPF program\n performance.\n \n+* **Updated the IPSec library.**\n+\n+ Added SA Database API to ``librte_ipsec``\n \n Removed Items\n -------------\n", "prefixes": [ "v6", "6/6" ] }{ "id": 61432, "url": "
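Review bot: In the doc/guides/prog_guide/ipsec_lib.rst hunk, the Lookup example declares keys, keys_p and vals with BURST_SZ elements and passes BURST_SZ to rte_ipsec_sad_lookup(), but both for loops iterate up to BURST_SZ_MAX, a name the example never defines. A reader who copies this with BURST_SZ_MAX larger than BURST_SZ gets loops that write and read past the end of the arrays. Use one constant throughout, for instance "for (i = 0; i < BURST_SZ; i++)" in both loops. The examples in this section also discard the results of rte_ipsec_sad_add(), rte_ipsec_sad_del() and rte_ipsec_sad_lookup() and use the pointer from rte_ipsec_sad_create() without a NULL check; showing the checks would make the snippets safer to copy into a data path.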
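Review bot: In the doc/guides/rel_notes/release_19_11.rst hunk, the new entry "Added SA Database API to ``librte_ipsec``" has no closing period, unlike the eBPF JIT entry visible in the context just above it. The entry is also followed by a single blank line before "Removed Items", where the context shows two blank lines separating the last feature from that section before this change; adding a trailing blank "+" line would keep the spacing. The text could also say that this is the inbound SAD, as the series title does, so that readers of the release notes know what the API covers.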