From: Anoob Joseph
To: Akhil Goyal, Declan Doherty, Sergio Gonzalez Monroy, Radu Nicolau
Cc: Narayana Prasad, Jerin Jacob, dev@dpdk.org
Date: Mon, 20 Nov 2017 10:31:45 +0000
Message-Id: <1511173905-22117-3-git-send-email-anoob.joseph@caviumnetworks.com>
In-Reply-To: <1511173905-22117-1-git-send-email-anoob.joseph@caviumnetworks.com>
References: <1511173905-22117-1-git-send-email-anoob.joseph@caviumnetworks.com>
Subject: [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add support for inline protocol

Adding support for inline protocol processing. In ingress side, application will receive regular IP packets, without any IPsec related info. Application will do a selector check (SP-SA check) by making use of the cookie it registers while creating the security session.
In egress side, the plain packet would be submitted to the driver. The packet will have optional metadata, which could be used to identify the security session associated with the packet. Signed-off-by: Anoob Joseph --- examples/ipsec-secgw/esp.c | 6 +- examples/ipsec-secgw/ipsec-secgw.c | 40 +++++++++++- examples/ipsec-secgw/ipsec.c | 123 +++++++++++++++++++++++++++++++------ 3 files changed, 147 insertions(+), 22 deletions(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index c3efe52..561f873 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -178,7 +178,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, RTE_ASSERT(sa != NULL); RTE_ASSERT(cop != NULL); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || + (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { if (m->ol_flags & PKT_RX_SEC_OFFLOAD) { if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) cop->status = RTE_CRYPTO_OP_STATUS_ERROR; @@ -474,7 +475,8 @@ esp_outbound_post(struct rte_mbuf *m, RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || + (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { m->ol_flags |= PKT_TX_SEC_OFFLOAD; } else { RTE_ASSERT(cop != NULL); diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index cfcb9d5..801beda 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c 
@@ -265,6 +265,38 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) RTE_LOG(ERR, IPSEC, "Unsupported packet type\n"); rte_pktmbuf_free(pkt); } + + /* Check if the packet has been processed inline. For inline protocol + * processed packets, mbuf would have some metadata which can be + * used to determine the security session. The SA used to create the + * security session will be determined and will be saved in the mbuf. + * This is required for performing the IPsec SP-SA selector check. + */ + + if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD) { + uint64_t cookie; + struct rte_security_session *sess; + struct ipsec_sa *in_sa; + struct ipsec_mbuf_metadata *priv; + struct rte_security_ctx *ctx = (struct rte_security_ctx *) + rte_eth_dev_get_sec_ctx( + pkt->port); + if (pkt->udata64 == 0) { + /* Metadata not set */ + return; + } + + /* Get the security session from the metadata */ + sess = rte_security_session_get(ctx, pkt->udata64); + + /* Get the cookie registered by the application */ + cookie = rte_security_cookie_get(ctx, sess); + + in_sa = (struct ipsec_sa *)cookie; + + priv = get_priv(pkt); + priv->sa = in_sa; + } } static inline void @@ -401,11 +433,17 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, ip->pkts[j++] = m; continue; } - if (res & DISCARD || i < lim) { + if (res & DISCARD) { rte_pktmbuf_free(m); continue; } + /* Only check SPI match for processed IPSec packets */ + if (i < lim && ((m->ol_flags & PKT_RX_SEC_OFFLOAD) == 0)) { + rte_pktmbuf_free(m); + continue; + } + sa_idx = ip->res[i] & PROTECT_MASK; if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) { rte_pktmbuf_free(m); diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index c24284d..d8e7994 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c 
@@ -46,6 +46,27 @@ #include "ipsec.h" #include "esp.h" +static inline void +set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) +{ + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + struct rte_security_ipsec_tunnel_param *tunnel = + &ipsec->tunnel; + if (sa->flags == IP4_TUNNEL) { + tunnel->type = + RTE_SECURITY_IPSEC_TUNNEL_IPV4; + tunnel->ipv4.ttl = IPDEFTTL; + + memcpy((uint8_t *)&tunnel->ipv4.src_ip, + (uint8_t *)&sa->src.ip.ip4, 4); + + memcpy((uint8_t *)&tunnel->ipv4.dst_ip, + (uint8_t *)&sa->dst.ip.ip4, 4); + } + /* TODO support for Transport and IPV6 tunnel */ + } +} + static inline int create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) { @@ -95,7 +116,8 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) RTE_SECURITY_IPSEC_SA_MODE_TUNNEL : RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, }, - .crypto_xform = sa->xforms + .crypto_xform = sa->xforms, + .cookie = 0, }; @@ -104,23 +126,8 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) rte_cryptodev_get_sec_ctx( ipsec_ctx->tbl[cdev_id_qp].id); - if (sess_conf.ipsec.mode == - RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { - struct rte_security_ipsec_tunnel_param *tunnel = - &sess_conf.ipsec.tunnel; - if (sa->flags == IP4_TUNNEL) { - tunnel->type = - RTE_SECURITY_IPSEC_TUNNEL_IPV4; - tunnel->ipv4.ttl = IPDEFTTL; - - memcpy((uint8_t *)&tunnel->ipv4.src_ip, - (uint8_t *)&sa->src.ip.ip4, 4); - - memcpy((uint8_t *)&tunnel->ipv4.dst_ip, - (uint8_t *)&sa->dst.ip.ip4, 4); - } - /* TODO support for Transport and IPV6 tunnel */ - } + /* Set IPsec parameters in conf */ + set_ipsec_conf(sa, &(sess_conf.ipsec)); sa->sec_session = rte_security_session_create(ctx, &sess_conf, ipsec_ctx->session_pool); 
@@ -206,6 +213,72 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) err.message); return -1; } + } else if (sa->type == + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { + struct rte_security_ctx *ctx = + (struct rte_security_ctx *) + rte_eth_dev_get_sec_ctx(sa->portid); + const struct rte_security_capability *sec_cap; + + if (ctx == NULL) { + RTE_LOG(ERR, IPSEC, + "Ethernet device doesn't have security features registered\n"); + return -1; + } + + /* Set IPsec parameters in conf */ + set_ipsec_conf(sa, &(sess_conf.ipsec)); + + /* Save SA as cookie for the security session. When the + * packet is received, this cookie could be retrieved + * using the metadata set in the packet. If the cookie + * is not set, the application will not be able to + * determine the security parameters with which the + * packet was processed. This is required only for + * inbound SAs. + */ + + if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + sess_conf.cookie = (uint64_t) sa; + + sa->sec_session = rte_security_session_create(ctx, + &sess_conf, ipsec_ctx->session_pool); + if (sa->sec_session == NULL) { + RTE_LOG(ERR, IPSEC, + "SEC Session init failed: err: %d\n", ret); + return -1; + } + + sec_cap = rte_security_capabilities_get(ctx); + + if (sec_cap == NULL) { + RTE_LOG(ERR, IPSEC, + "No capabilities registered\n"); + return -1; + } + + /* iterate until ESP tunnel*/ + while (sec_cap->action != + RTE_SECURITY_ACTION_TYPE_NONE) { + + if (sec_cap->action == sa->type && + sec_cap->protocol == + RTE_SECURITY_PROTOCOL_IPSEC && + sec_cap->ipsec.mode == + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && + sec_cap->ipsec.direction == sa->direction) + break; + sec_cap++; + } + + if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) { + RTE_LOG(ERR, IPSEC, + "No suitable security capability found\n"); + return -1; + } + + sa->ol_flags = sec_cap->ol_flags; + sa->security_ctx = ctx; } } else { sa->crypto_session = rte_cryptodev_sym_session_create( 
@@ -323,7 +396,19 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, } break; case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: - break; + if ((unlikely(sa->sec_session == NULL)) && + create_session(ipsec_ctx, sa)) { + rte_pktmbuf_free(pkts[i]); + continue; + } + + cqp = &ipsec_ctx->tbl[sa->cdev_id_qp]; + cqp->ol_pkts[cqp->ol_pkts_cnt++] = pkts[i]; + if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) + rte_security_set_pkt_metadata( + sa->security_ctx, + sa->sec_session, pkts[i], NULL); + continue; case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; -- 2.7.4
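Review bot: in prepare_one_packet() (examples/ipsec-secgw/ipsec-secgw.c, hunk at -265), the new block sits after the closing brace of the branch that logs "Unsupported packet type" and calls rte_pktmbuf_free(pkt), so on that path the `pkt->ol_flags & PKT_RX_SEC_OFFLOAD` test reads an mbuf that has already been freed. Return right after the free, or move the metadata lookup ahead of the packet-type dispatch. The block also uses the results of rte_eth_dev_get_sec_ctx() and rte_security_session_get() without a NULL check, and casts the cookie straight to `struct ipsec_sa *`. create_session() only sets the cookie for ingress SAs and leaves it at 0 otherwise, so a zero cookie should be handled explicitly rather than stored in priv->sa.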
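Review bot: in inbound_sp_sa() (examples/ipsec-secgw/ipsec-secgw.c, hunk at -401), the new `i < lim` test lets through every packet that has PKT_RX_SEC_OFFLOAD set without looking at PKT_RX_SEC_OFFLOAD_FAILED, which the esp.c hunk treats as an error status. Consider dropping the packet here when the failed flag is set. prepare_one_packet() also returns without setting priv->sa when udata64 is 0, so please confirm that inbound_sa_check() rejects an offloaded packet for which no SA was recorded. The comment "Only check SPI match for processed IPSec packets" does not say what `i < lim` stands for; one sentence on that would help the next reader.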
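Review bot: set_ipsec_conf() (examples/ipsec-secgw/ipsec.c, hunk at -46) returns void and silently leaves the tunnel parameters unset for anything other than tunnel mode with IP4_TUNNEL, yet the new inline-protocol branch of create_session() calls it and goes straight on to rte_security_session_create(). With inline protocol the device acts on these parameters, so return an error for the cases behind the TODO and let create_session() fail instead of passing on a partly filled rte_security_ipsec_xform. The memcpy lengths would read better as sizeof(tunnel->ipv4.src_ip) and sizeof(tunnel->ipv4.dst_ip) than the literal 4.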
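Review bot: in the RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL branch of create_session() (examples/ipsec-secgw/ipsec.c, hunk at -206), the session is created before the capability lookup, and both capability failure paths return -1 with sa->sec_session still set. ipsec_enqueue() only calls create_session() when sa->sec_session == NULL, so later packets on this SA would skip session setup and run with sa->ol_flags and sa->security_ctx never filled in. Do the capability lookup before creating the session, or destroy the session and reset sa->sec_session to NULL on those paths. Two smaller points: `ret` in the "SEC Session init failed" log is not assigned anywhere in this branch, and `(uint64_t) sa` should go through uintptr_t so the pointer-to-integer conversion is explicit. The capability loop also matches only RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, which deserves a comment given that sess_conf can carry transport mode.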
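Review bot: in the RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL case of ipsec_enqueue() (examples/ipsec-secgw/ipsec.c, hunk at -323), the packet is stored in cqp->ol_pkts before rte_security_set_pkt_metadata() is called, and the result of that call is ignored. When RTE_SECURITY_TX_OLOAD_NEED_MDATA is set and the call fails, a packet that the commit message describes as plain stays queued for the driver with nothing to tie it to its security session. Set the metadata first, free the packet and continue on failure, and only then add it to ol_pkts. No bound on cqp->ol_pkts_cnt is visible in this hunk either; please check the index against the size of ol_pkts before the store.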