Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/91541/?format=api
{ "id": 91541, "url": "https://patches.dpdk.org/api/patches/91541/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/patch/20210415072205.1439-3-ktejasree@marvell.com/", "project": { "id": 1, "url": "https://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20210415072205.1439-3-ktejasree@marvell.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20210415072205.1439-3-ktejasree@marvell.com", "date": "2021-04-15T07:22:04", "name": "[v4,2/3] examples/ipsec-secgw: add UDP encapsulation support", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "ca194e36a62a83eb5fd0e898b8067e12459ffb4f", "submitter": { "id": 1789, "url": "https://patches.dpdk.org/api/people/1789/?format=api", "name": "Tejasree Kondoj", "email": "ktejasree@marvell.com" }, "delegate": { "id": 6690, "url": "https://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "https://patches.dpdk.org/project/dpdk/patch/20210415072205.1439-3-ktejasree@marvell.com/mbox/", "series": [ { "id": 16394, "url": "https://patches.dpdk.org/api/series/16394/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=16394", "date": "2021-04-15T07:22:02", "name": "add lookaside IPsec UDP encapsulation and transport mode", "version": 4, "mbox": "https://patches.dpdk.org/series/16394/mbox/" } ], "comments": "https://patches.dpdk.org/api/patches/91541/comments/", "check": "success", "checks": "https://patches.dpdk.org/api/patches/91541/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 8BFC6A0A0C;\n\tThu, 15 Apr 2021 08:26:29 +0200 (CEST)", "from [217.70.189.124] (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 7BDEA162039;\n\tThu, 15 Apr 2021 08:26:29 +0200 (CEST)", "from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com\n [67.231.156.173])\n by mails.dpdk.org (Postfix) with ESMTP id CA41E162039\n for <dev@dpdk.org>; Thu, 15 Apr 2021 08:26:27 +0200 (CEST)", "from pps.filterd (m0045851.ppops.net [127.0.0.1])\n by mx0b-0016f401.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id\n 13F6PHKK029945; Wed, 14 Apr 2021 23:26:26 -0700", "from dc5-exch02.marvell.com ([199.233.59.182])\n by mx0b-0016f401.pphosted.com with ESMTP id 37wqtm4jtp-3\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);\n Wed, 14 Apr 2021 23:26:26 -0700", "from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.2;\n Wed, 14 Apr 2021 23:26:23 -0700", "from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.2 via Frontend\n Transport; Wed, 14 Apr 2021 23:26:23 -0700", "from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11])\n by maili.marvell.com (Postfix) with ESMTP id A50583F7041;\n Wed, 14 Apr 2021 23:26:20 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=qo79/glWmjlp1BopTOTJnyixcltvvMNfBD25fkMmG/k=;\n b=N+xdK1yokBPGQUIQWcHO3lSyoGfyQG/zot/ealqBbOOL5f/MvHaDluheQzmPry3e2KJC\n yMxECoIpv0Y7xNPE+mVVKIZI63GH8JK8dBvG6fgf11yrNoSu1KABf+7JpdZIpT9/GwIc\n G2j4GJRMyzzR7jkeuqWfN6lCL6L5gt6c8J3l0L3pgLm1i+Jeh7CIyeEbg3tBBANDBhaH\n Sp0d/etSKEG1ChHvbV9i2ab3uI4YrFLN+lACIaFLqD7YWMkj66bdUic+cGXs6giT4NV2\n KRkaIiqVJPgUW0mOa4+Z0D7jsavPQ3GMlRNxtK5NgAf73Z3RYCdj2oEQFvSV6ahqfD5M Yw==", "From": "Tejasree Kondoj <ktejasree@marvell.com>", "To": "Akhil Goyal <gakhil@marvell.com>, Radu Nicolau <radu.nicolau@intel.com>,\n Konstantin Ananyev <konstantin.ananyev@intel.com>", "CC": "Tejasree Kondoj <ktejasree@marvell.com>,\n Anoob Joseph <anoobj@marvell.com>,\n Ankur Dwivedi <adwivedi@marvell.com>, Jerin Jacob <jerinj@marvell.com>,\n Olivier Matz <olivier.matz@6wind.com>, <dev@dpdk.org>", "Date": "Thu, 15 Apr 2021 12:52:04 +0530", "Message-ID": "<20210415072205.1439-3-ktejasree@marvell.com>", "X-Mailer": "git-send-email 2.27.0", "In-Reply-To": "<20210415072205.1439-1-ktejasree@marvell.com>", "References": "<20210415072205.1439-1-ktejasree@marvell.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Content-Type": "text/plain", "X-Proofpoint-ORIG-GUID": "xawUtgPKpN4kQj0UcHeSWuAIdXnvkcoC", "X-Proofpoint-GUID": "xawUtgPKpN4kQj0UcHeSWuAIdXnvkcoC", "X-Proofpoint-Virus-Version": "vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761\n definitions=2021-04-15_02:2021-04-15,\n 2021-04-15 signatures=0", "Subject": "[dpdk-dev] [PATCH v4 2/3] examples/ipsec-secgw: add UDP\n encapsulation support", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Adding lookaside IPsec UDP encapsulation support\nfor NAT traversal.\nApplication has to add udp-encap option to sa config file\nto enable UDP encapsulation on the SA.\n\nSigned-off-by: Tejasree Kondoj <ktejasree@marvell.com>\nAcked-by: Akhil Goyal <gakhil@marvell.com>\n---\n doc/guides/rel_notes/release_21_05.rst | 5 +++\n doc/guides/sample_app_ug/ipsec_secgw.rst | 15 +++++++-\n examples/ipsec-secgw/ipsec-secgw.c | 49 +++++++++++++++++++++---\n examples/ipsec-secgw/ipsec-secgw.h | 3 ++\n examples/ipsec-secgw/ipsec.c | 10 +++++\n examples/ipsec-secgw/ipsec.h | 2 +\n examples/ipsec-secgw/sa.c | 18 +++++++++\n examples/ipsec-secgw/sad.h | 7 +++-\n 8 files changed, 101 insertions(+), 8 deletions(-)", "diff": "diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst\nindex f637591e91..e2ab7e0290 100644\n--- a/doc/guides/rel_notes/release_21_05.rst\n+++ b/doc/guides/rel_notes/release_21_05.rst\n@@ -184,6 +184,11 @@ New Features\n * Added command to display Rx queue used descriptor count.\n ``show port (port_id) rxq (queue_id) desc used count``\n \n+* **Updated ipsec-secgw sample application.**\n+\n+ * Updated the ``ipsec-secgw`` sample application with UDP encapsulation\n+ support for NAT Traversal.\n+\n \n Removed Items\n -------------\ndiff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst\nindex 176e292d3f..2dc39aa50a 100644\n--- a/doc/guides/sample_app_ug/ipsec_secgw.rst\n+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst\n@@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:\n \n sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>\n <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>\n- <flow-direction> <port_id> <queue_id>\n+ <flow-direction> <port_id> <queue_id> <udp-encap>\n \n where each options means:\n \n@@ -709,6 +709,17 @@ where each options means:\n * *port_id*: Port ID of the NIC for which the SA is configured.\n * *queue_id*: Queue ID to which traffic should be redirected.\n \n+ ``<udp-encap>``\n+\n+ * Option to enable IPsec UDP encapsulation for NAT Traversal.\n+ Only *lookaside-protocol-offload* mode is supported at the moment.\n+\n+ * Optional: Yes, it is disabled by default\n+\n+ * Syntax:\n+\n+ * *udp-encap*\n+\n Example SA rules:\n \n .. code-block:: console\n@@ -1023,4 +1034,4 @@ Available options:\n * ``-h`` Show usage.\n \n If <ipsec_mode> is specified, only tests for that mode will be invoked. For the\n-list of available modes please refer to run_test.sh.\n\\ No newline at end of file\n+list of available modes please refer to run_test.sh.\ndiff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c\nindex 20d69ba813..59971dc766 100644\n--- a/examples/ipsec-secgw/ipsec-secgw.c\n+++ b/examples/ipsec-secgw/ipsec-secgw.c\n@@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;\n /* application wide librte_ipsec/SA parameters */\n struct app_sa_prm app_sa_prm = {\n \t\t\t.enable = 0,\n-\t\t\t.cache_sz = SA_CACHE_SZ\n+\t\t\t.cache_sz = SA_CACHE_SZ,\n+\t\t\t.udp_encap = 0\n \t\t};\n static const char *cfgfile;\n \n@@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)\n \tconst struct rte_ether_hdr *eth;\n \tconst struct rte_ipv4_hdr *iph4;\n \tconst struct rte_ipv6_hdr *iph6;\n+\tconst struct rte_udp_hdr *udp;\n+\tuint16_t ip4_hdr_len;\n+\tuint16_t nat_port;\n \n \teth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);\n \tif (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {\n@@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)\n \t\t\tRTE_ETHER_HDR_LEN);\n \t\tadjust_ipv4_pktlen(pkt, iph4, 0);\n \n-\t\tif (iph4->next_proto_id == IPPROTO_ESP)\n+\t\tswitch (iph4->next_proto_id) {\n+\t\tcase IPPROTO_ESP:\n \t\t\tt->ipsec.pkts[(t->ipsec.num)++] = pkt;\n-\t\telse {\n+\t\t\tbreak;\n+\t\tcase IPPROTO_UDP:\n+\t\t\tif (app_sa_prm.udp_encap == 1) {\n+\t\t\t\tip4_hdr_len = ((iph4->version_ihl &\n+\t\t\t\t\tRTE_IPV4_HDR_IHL_MASK) *\n+\t\t\t\t\tRTE_IPV4_IHL_MULTIPLIER);\n+\t\t\t\tudp = rte_pktmbuf_mtod_offset(pkt,\n+\t\t\t\t\tstruct rte_udp_hdr *, ip4_hdr_len);\n+\t\t\t\tnat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);\n+\t\t\t\tif (udp->src_port == nat_port ||\n+\t\t\t\t\tudp->dst_port == nat_port){\n+\t\t\t\t\tt->ipsec.pkts[(t->ipsec.num)++] = pkt;\n+\t\t\t\t\tpkt->packet_type |=\n+\t\t\t\t\t\tMBUF_PTYPE_TUNNEL_ESP_IN_UDP;\n+\t\t\t\t\tbreak;\n+\t\t\t\t}\n+\t\t\t}\n+\t\t/* Fall through */\n+\t\tdefault:\n \t\t\tt->ip4.data[t->ip4.num] = &iph4->next_proto_id;\n \t\t\tt->ip4.pkts[(t->ip4.num)++] = pkt;\n \t\t}\n@@ -403,9 +426,25 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)\n \t\t\treturn;\n \t\t}\n \n-\t\tif (next_proto == IPPROTO_ESP)\n+\t\tswitch (iph6->proto) {\n+\t\tcase IPPROTO_ESP:\n \t\t\tt->ipsec.pkts[(t->ipsec.num)++] = pkt;\n-\t\telse {\n+\t\t\tbreak;\n+\t\tcase IPPROTO_UDP:\n+\t\t\tif (app_sa_prm.udp_encap == 1) {\n+\t\t\t\tudp = rte_pktmbuf_mtod_offset(pkt,\n+\t\t\t\t\tstruct rte_udp_hdr *, l3len);\n+\t\t\t\tnat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);\n+\t\t\t\tif (udp->src_port == nat_port ||\n+\t\t\t\t\tudp->dst_port == nat_port){\n+\t\t\t\t\tt->ipsec.pkts[(t->ipsec.num)++] = pkt;\n+\t\t\t\t\tpkt->packet_type |=\n+\t\t\t\t\t\tMBUF_PTYPE_TUNNEL_ESP_IN_UDP;\n+\t\t\t\t\tbreak;\n+\t\t\t\t}\n+\t\t\t}\n+\t\t/* Fall through */\n+\t\tdefault:\n \t\t\tt->ip6.data[t->ip6.num] = &iph6->proto;\n \t\t\tt->ip6.pkts[(t->ip6.num)++] = pkt;\n \t\t}\ndiff --git a/examples/ipsec-secgw/ipsec-secgw.h b/examples/ipsec-secgw/ipsec-secgw.h\nindex f2281e73cf..96e22de45e 100644\n--- a/examples/ipsec-secgw/ipsec-secgw.h\n+++ b/examples/ipsec-secgw/ipsec-secgw.h\n@@ -47,6 +47,9 @@\n \n #define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))\n \n+#define IPSEC_NAT_T_PORT 4500\n+#define MBUF_PTYPE_TUNNEL_ESP_IN_UDP (RTE_PTYPE_TUNNEL_ESP | RTE_PTYPE_L4_UDP)\n+\n struct traffic_type {\n \tconst uint8_t *data[MAX_PKT_BURST * 2];\n \tstruct rte_mbuf *pkts[MAX_PKT_BURST * 2];\ndiff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c\nindex 6baeeb342f..5b032fecfb 100644\n--- a/examples/ipsec-secgw/ipsec.c\n+++ b/examples/ipsec-secgw/ipsec.c\n@@ -52,6 +52,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)\n \tipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;\n \tipsec->replay_win_sz = app_sa_prm.window_size;\n \tipsec->options.esn = app_sa_prm.enable_esn;\n+\tipsec->options.udp_encap = sa->udp_encap;\n }\n \n int\n@@ -556,6 +557,15 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,\n \t\t\t\tcontinue;\n \t\t\t}\n \n+\t\t\tif (unlikely((pkts[i]->packet_type &\n+\t\t\t\t\t(RTE_PTYPE_TUNNEL_MASK |\n+\t\t\t\t\tRTE_PTYPE_L4_MASK)) ==\n+\t\t\t\t\tMBUF_PTYPE_TUNNEL_ESP_IN_UDP &&\n+\t\t\t\t\tsa->udp_encap != 1)) {\n+\t\t\t\tfree_pkts(&pkts[i], 1);\n+\t\t\t\tcontinue;\n+\t\t\t}\n+\n \t\t\tsym_cop = get_sym_cop(&priv->cop);\n \t\t\tsym_cop->m_src = pkts[i];\n \ndiff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h\nindex 7031e28c46..ae5058de27 100644\n--- a/examples/ipsec-secgw/ipsec.h\n+++ b/examples/ipsec-secgw/ipsec.h\n@@ -75,6 +75,7 @@ struct app_sa_prm {\n \tuint32_t window_size; /* replay window size */\n \tuint32_t enable_esn; /* enable/disable ESN support */\n \tuint32_t cache_sz;\t/* per lcore SA cache size */\n+\tuint32_t udp_encap; /* enable/disable UDP Encapsulation */\n \tuint64_t flags; /* rte_ipsec_sa_prm.flags */\n };\n \n@@ -136,6 +137,7 @@ struct ipsec_sa {\n \t\tstruct rte_security_ipsec_xform *sec_xform;\n \t};\n \tenum rte_security_ipsec_sa_direction direction;\n+\tuint8_t udp_encap;\n \tuint16_t portid;\n \tuint8_t fdir_qid;\n \tuint8_t fdir_flag;\ndiff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c\nindex cd1397531a..7bb9ef36c2 100644\n--- a/examples/ipsec-secgw/sa.c\n+++ b/examples/ipsec-secgw/sa.c\n@@ -298,6 +298,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,\n \tuint32_t portid_p = 0;\n \tuint32_t fallback_p = 0;\n \tint16_t status_p = 0;\n+\tuint16_t udp_encap_p = 0;\n \n \tif (strcmp(tokens[0], \"in\") == 0) {\n \t\tri = &nb_sa_in;\n@@ -757,6 +758,23 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,\n \t\t\t}\n \t\t\tcontinue;\n \t\t}\n+\t\tif (strcmp(tokens[ti], \"udp-encap\") == 0) {\n+\t\t\tAPP_CHECK(ips->type ==\n+\t\t\t\tRTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,\n+\t\t\t\tstatus, \"UDP encapsulation is allowed if the \"\n+\t\t\t\t\"session is of type lookaside-protocol-offload \"\n+\t\t\t\t\"only.\");\n+\t\t\tif (status->status < 0)\n+\t\t\t\treturn;\n+\t\t\tAPP_CHECK_PRESENCE(udp_encap_p, tokens[ti], status);\n+\t\t\tif (status->status < 0)\n+\t\t\t\treturn;\n+\n+\t\t\trule->udp_encap = 1;\n+\t\t\tapp_sa_prm.udp_encap = 1;\n+\t\t\tudp_encap_p = 1;\n+\t\t\tcontinue;\n+\t\t}\n \n \t\t/* unrecognizeable input */\n \t\tAPP_CHECK(0, status, \"unrecognized input \\\"%s\\\"\",\ndiff --git a/examples/ipsec-secgw/sad.h b/examples/ipsec-secgw/sad.h\nindex 473aaa938e..3224b6252c 100644\n--- a/examples/ipsec-secgw/sad.h\n+++ b/examples/ipsec-secgw/sad.h\n@@ -77,6 +77,7 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],\n \tuint32_t spi, cache_idx;\n \tstruct ipsec_sad_cache *cache;\n \tstruct ipsec_sa *cached_sa;\n+\tuint16_t udp_hdr_len = 0;\n \tint is_ipv4;\n \n \tcache = &RTE_PER_LCORE(sad_cache);\n@@ -85,8 +86,12 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],\n \tfor (i = 0; i < nb_pkts; i++) {\n \t\tipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *);\n \t\tipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *);\n+\t\tif ((pkts[i]->packet_type &\n+\t\t\t\t(RTE_PTYPE_TUNNEL_MASK | RTE_PTYPE_L4_MASK)) ==\n+\t\t\t\tMBUF_PTYPE_TUNNEL_ESP_IN_UDP)\n+\t\t\tudp_hdr_len = sizeof(struct rte_udp_hdr);\n \t\tesp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *,\n-\t\t\t\tpkts[i]->l3_len);\n+\t\t\t\tpkts[i]->l3_len + udp_hdr_len);\n \n \t\tis_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4;\n \t\tspi = rte_be_to_cpu_32(esp->spi);\n", "prefixes": [ "v4", "2/3" ] }