[v5,3/7] examples/ipsec-secgw: add support for inline crypto UDP encapsulation

Message ID 20211027114530.2244661-4-radu.nicolau@intel.com (mailing list archive)
State Superseded, archived
Delegated to: akhil goyal
Series IPsec Sec GW new features |

Checks

Context Check Description
ci/checkpatch success coding style OK

Commit Message

Radu Nicolau Oct. 27, 2021, 11:45 a.m. UTC
  Enable UDP encapsulation for both transport and tunnel modes for the
inline crypto offload path.

Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
---
 doc/guides/sample_app_ug/ipsec_secgw.rst |  3 ++-
 examples/ipsec-secgw/ipsec.c             | 33 +++++++++++++++++++++---
 examples/ipsec-secgw/ipsec.h             |  7 ++++-
 examples/ipsec-secgw/sa.c                |  9 +++++++
 4 files changed, 46 insertions(+), 6 deletions(-)
  

Comments

Akhil Goyal Oct. 31, 2021, 8:03 p.m. UTC | #1
> Enable UDP encapsulation for both transport and tunnel modes for the
> inline crypto offload path.
> 
> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
> ---
>  doc/guides/sample_app_ug/ipsec_secgw.rst |  3 ++-
>  examples/ipsec-secgw/ipsec.c             | 33 +++++++++++++++++++++---
>  examples/ipsec-secgw/ipsec.h             |  7 ++++-
>  examples/ipsec-secgw/sa.c                |  9 +++++++
>  4 files changed, 46 insertions(+), 6 deletions(-)
> 
> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
> b/doc/guides/sample_app_ug/ipsec_secgw.rst
> index 282926924f..2d0f322427 100644
> --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> @@ -717,7 +717,8 @@ where each options means:
>   ``<udp-encap>``
> 
>   * Option to enable IPsec UDP encapsulation for NAT Traversal.
> -   Only *lookaside-protocol-offload* mode is supported at the moment.
> +   Only *lookaside-protocol-offload* and *inline-protocol-offload* modes
> are
> +   supported at the moment.

The patch says inline crypto is supported, but the text here says inline protocol offload is supported.

With this fixed,
Acked-by: Akhil Goyal <gakhil@marvell.com>
  

Patch

diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 282926924f..2d0f322427 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -717,7 +717,8 @@  where each options means:
  ``<udp-encap>``
 
  * Option to enable IPsec UDP encapsulation for NAT Traversal.
-   Only *lookaside-protocol-offload* mode is supported at the moment.
+   Only *lookaside-protocol-offload* and *inline-protocol-offload* modes are
+   supported at the moment.
 
  * Optional: Yes, it is disabled by default
 
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index b6b7bddca8..90d9e61e5b 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -221,6 +221,12 @@  create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		}
 	}
 
+	if (sa->udp_encap) {
+		sess_conf.ipsec.options.udp_encap = 1;
+		sess_conf.ipsec.udp.sport = htons(sa->udp.sport);
+		sess_conf.ipsec.udp.dport = htons(sa->udp.dport);
+	}
+
 	RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n",
 		sa->spi, sa->portid);
 
@@ -289,12 +295,31 @@  create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 			sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
 		}
 
-		sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
-		sa->pattern[2].spec = &sa->esp_spec;
-		sa->pattern[2].mask = &rte_flow_item_esp_mask;
 		sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
 
-		sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+		if (sa->udp_encap) {
+
+			sa->udp_spec.hdr.dst_port =
+					rte_cpu_to_be_16(sa->udp.dport);
+			sa->udp_spec.hdr.src_port =
+					rte_cpu_to_be_16(sa->udp.sport);
+
+			sa->pattern[2].mask = &rte_flow_item_udp_mask;
+			sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_UDP;
+			sa->pattern[2].spec = &sa->udp_spec;
+
+			sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_ESP;
+			sa->pattern[3].spec = &sa->esp_spec;
+			sa->pattern[3].mask = &rte_flow_item_esp_mask;
+
+			sa->pattern[4].type = RTE_FLOW_ITEM_TYPE_END;
+		} else {
+			sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
+			sa->pattern[2].spec = &sa->esp_spec;
+			sa->pattern[2].mask = &rte_flow_item_esp_mask;
+
+			sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+		}
 
 		sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
 		sa->action[0].conf = ips->security.ses;
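Review bot: The UDP item at `pattern[2]` is matched with the default `rte_flow_item_udp_mask`, which as far as I know covers both the source and the destination port, while the sa.c hunk of this patch sets `udp.sport` to 0 for inline crypto. If that holds, the rule only selects packets whose UDP source port is exactly 0, so NAT-T traffic, whose source port is rewritten by the NAT device, would not reach the security action and would fall to whatever path handles unmatched packets. Consider a dedicated mask that matches only `hdr.dst_port`, or leave the source port out of the match when `sa->udp.sport` is 0, and add a comment saying which ports are deliberately wildcarded. The enclosing function extends beyond the hunk, so whether this pattern is installed for ingress only cannot be confirmed here.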
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 8405c48171..06bb11d5d5 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -125,6 +125,10 @@  struct ipsec_sa {
 #define IP6_TRANSPORT (1 << 4)
 	struct ip_addr src;
 	struct ip_addr dst;
+	struct {
+		uint16_t sport;
+		uint16_t dport;
+	} udp;
 	uint8_t cipher_key[MAX_KEY_SIZE];
 	uint16_t cipher_key_len;
 	uint8_t auth_key[MAX_KEY_SIZE];
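Review bot: The new `udp` member has no comment saying what the ports are for or which byte order they hold. The ipsec.c hunks convert them with `htons()` and `rte_cpu_to_be_16()` at the point of use, so they appear to be host order; I would add `/* UDP encapsulation (NAT-T) ports, host byte order */` above the anonymous struct. The definition of struct ipsec_sa starts and ends outside this hunk.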
@@ -140,7 +144,7 @@  struct ipsec_sa {
 	uint8_t fdir_qid;
 	uint8_t fdir_flag;
 
-#define MAX_RTE_FLOW_PATTERN (4)
+#define MAX_RTE_FLOW_PATTERN (5)
 #define MAX_RTE_FLOW_ACTIONS (3)
 	struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
 	struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
@@ -149,6 +153,7 @@  struct ipsec_sa {
 		struct rte_flow_item_ipv4 ipv4_spec;
 		struct rte_flow_item_ipv6 ipv6_spec;
 	};
+	struct rte_flow_item_udp udp_spec;
 	struct rte_flow_item_esp esp_spec;
 	struct rte_flow *flow;
 	struct rte_security_session_conf sess_conf;
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 88dd30464f..daebc1f09b 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -17,6 +17,7 @@ 
 #include <rte_byteorder.h>
 #include <rte_errno.h>
 #include <rte_ip.h>
+#include <rte_udp.h>
 #include <rte_random.h>
 #include <rte_ethdev.h>
 #include <rte_malloc.h>
@@ -771,6 +772,11 @@  parse_sa_tokens(char **tokens, uint32_t n_tokens,
 				app_sa_prm.udp_encap = 1;
 				udp_encap_p = 1;
 				break;
+			case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
+				rule->udp_encap = 1;
+				rule->udp.sport = 0;
+				rule->udp.dport = 4500;
+				break;
 			default:
 				APP_CHECK(0, status,
 					"UDP encapsulation not supported for "
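Review bot: The new `RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO` case does not set `udp_encap_p = 1`, which the case just above it does. If that flag is what the parser uses to detect a repeated `udp-encap` token, the inline crypto path skips that check. The ports are also hard-coded, with 4500 as a bare literal and a source port of 0. A named constant such as `#define IPSEC_NAT_T_PORT 4500`, with a comment that this is the registered NAT-T port and that the ports cannot be set from the SA rule, would make the limitation explicit. parse_sa_tokens continues outside the hunk, so how `udp_encap_p` is used after the switch is not visible.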
@@ -858,6 +864,8 @@  print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
 	}
 
 	printf("mode:");
+	if (sa->udp_encap)
+		printf("UDP encapsulated ");
 
 	switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {
 	case IP4_TUNNEL:
@@ -1311,6 +1319,7 @@  fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,
 	prm->ipsec_xform.mode = (IS_TRANSPORT(ss->flags)) ?
 		RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT :
 		RTE_SECURITY_IPSEC_SA_MODE_TUNNEL;
+	prm->ipsec_xform.options.udp_encap = ss->udp_encap;
 	prm->ipsec_xform.options.ecn = 1;
 	prm->ipsec_xform.options.copy_dscp = 1;