From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 39C8DA0579; Thu, 8 Apr 2021 09:54:06 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 26C4F1410D7; Thu, 8 Apr 2021 09:54:06 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 8AE671410D7 for ; Thu, 8 Apr 2021 09:54:04 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1387oKGr007507; Thu, 8 Apr 2021 00:54:03 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=6/twnTy3eQgMa6PfFm7pHV5UjkKkozUmH5uy4N0slN4=; b=ar5huAs16iXVIjmryP30jA/2VKxpjXMYkfg0eEYja+X1EitAMomakXN3bs7NdAmVWXcV Sy6IGbiX2U35W1HqOjQL6kkK++gDxnatKUOJ5TAg67VNlXm+PKe3JJdcx+GO5uzYBtCZ lWyhPv8Z5wV12HZ0Qtsi6OpqsIPcpC4fMbQ7NUaba4JML67RWVdgZ9Lvi6Et+jIyE+KB oMF5lWsJYmYTXCVolrgPGl0Vyx/c5XS0kMeRrIs9HCNagLffo47oL5HVqOx43DcFzVGZ 0VRldDmq9/iJ7qs++Qvk756/WzTQYX2cp4rjW2aZ76Xl7c0M66bxLyU01v3g9IPTs/s1 ow== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 37shqxj4wa-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 08 Apr 2021 00:54:03 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 8 Apr 2021 00:54:01 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Thu, 8 Apr 2021 00:54:02 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 12B3F5C6934; Thu, 8 Apr 2021 00:21:32 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Konstantin Ananyev CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Date: Thu, 8 Apr 2021 13:47:19 +0530 Message-ID: <20210408081720.23314-4-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210408081720.23314-1-ktejasree@marvell.com> References: <20210408081720.23314-1-ktejasree@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-ORIG-GUID: NZHj9dAa1B0RFTXynt0_O24RnhCF9QGx X-Proofpoint-GUID: NZHj9dAa1B0RFTXynt0_O24RnhCF9QGx X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-04-08_02:2021-04-08, 2021-04-08 signatures=0 Subject: [dpdk-dev] [PATCH v3 3/4] examples/ipsec-secgw: add UDP encapsulation support X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Adding lookaside IPsec UDP encapsulation support for NAT traversal. Application has to add udp-encap option to sa config file to enable UDP encapsulation on the SA. Signed-off-by: Tejasree Kondoj --- doc/guides/rel_notes/release_21_05.rst | 5 +++ doc/guides/sample_app_ug/ipsec_secgw.rst | 15 +++++++- examples/ipsec-secgw/ipsec-secgw.c | 49 +++++++++++++++++++++--- examples/ipsec-secgw/ipsec-secgw.h | 2 + examples/ipsec-secgw/ipsec.c | 9 +++++ examples/ipsec-secgw/ipsec.h | 2 + examples/ipsec-secgw/sa.c | 18 +++++++++ examples/ipsec-secgw/sad.h | 6 ++- 8 files changed, 98 insertions(+), 8 deletions(-) diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index c9e9e2ec22..d71422c452 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -141,6 +141,11 @@ New Features * Added command to display Rx queue used descriptor count. ``show port (port_id) rxq (queue_id) desc used count`` +* **Updated ipsec-secgw sample application.** + + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation + support for NAT Traversal. + Removed Items ------------- diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index 176e292d3f..2dc39aa50a 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows: sa - + where each options means: @@ -709,6 +709,17 @@ where each options means: * *port_id*: Port ID of the NIC for which the SA is configured. * *queue_id*: Queue ID to which traffic should be redirected. + ```` + + * Option to enable IPsec UDP encapsulation for NAT Traversal. + Only *lookaside-protocol-offload* mode is supported at the moment. + + * Optional: Yes, it is disabled by default + + * Syntax: + + * *udp-encap* + Example SA rules: .. code-block:: console @@ -1023,4 +1034,4 @@ Available options: * ``-h`` Show usage. If is specified, only tests for that mode will be invoked. For the -list of available modes please refer to run_test.sh. \ No newline at end of file +list of available modes please refer to run_test.sh. diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 20d69ba813..0555d6d00f 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS; /* application wide librte_ipsec/SA parameters */ struct app_sa_prm app_sa_prm = { .enable = 0, - .cache_sz = SA_CACHE_SZ + .cache_sz = SA_CACHE_SZ, + .udp_encap = 0 }; static const char *cfgfile; @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) const struct rte_ether_hdr *eth; const struct rte_ipv4_hdr *iph4; const struct rte_ipv6_hdr *iph6; + const struct rte_udp_hdr *udp; + uint16_t ip4_hdr_len; + uint16_t nat_port; eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *); if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) { @@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) RTE_ETHER_HDR_LEN); adjust_ipv4_pktlen(pkt, iph4, 0); - if (iph4->next_proto_id == IPPROTO_ESP) + switch (iph4->next_proto_id) { + case IPPROTO_ESP: t->ipsec.pkts[(t->ipsec.num)++] = pkt; - else { + break; + case IPPROTO_UDP: + if (app_sa_prm.udp_encap == 1) { + ip4_hdr_len = ((iph4->version_ihl & + RTE_IPV4_HDR_IHL_MASK) * + RTE_IPV4_IHL_MULTIPLIER); + udp = rte_pktmbuf_mtod_offset(pkt, + struct rte_udp_hdr *, ip4_hdr_len); + nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT); + if (udp->src_port == nat_port || + udp->dst_port == nat_port){ + t->ipsec.pkts[(t->ipsec.num)++] = pkt; + pkt->packet_type |= + RTE_PTYPE_TUNNEL_ESP_IN_UDP; + break; + } + } + /* Fall through */ + default: t->ip4.data[t->ip4.num] = &iph4->next_proto_id; t->ip4.pkts[(t->ip4.num)++] = pkt; } @@ -403,9 +426,25 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) return; } - if (next_proto == IPPROTO_ESP) + switch (iph6->proto) { + case IPPROTO_ESP: t->ipsec.pkts[(t->ipsec.num)++] = pkt; - else { + break; + case IPPROTO_UDP: + if (app_sa_prm.udp_encap == 1) { + udp = rte_pktmbuf_mtod_offset(pkt, + struct rte_udp_hdr *, l3len); + nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT); + if (udp->src_port == nat_port || + udp->dst_port == nat_port){ + t->ipsec.pkts[(t->ipsec.num)++] = pkt; + pkt->packet_type |= + RTE_PTYPE_TUNNEL_ESP_IN_UDP; + break; + } + } + /* Fall through */ + default: t->ip6.data[t->ip6.num] = &iph6->proto; t->ip6.pkts[(t->ip6.num)++] = pkt; } diff --git a/examples/ipsec-secgw/ipsec-secgw.h b/examples/ipsec-secgw/ipsec-secgw.h index f2281e73cf..6887d752ab 100644 --- a/examples/ipsec-secgw/ipsec-secgw.h +++ b/examples/ipsec-secgw/ipsec-secgw.h @@ -47,6 +47,8 @@ #define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) +#define IPSEC_NAT_T_PORT 4500 + struct traffic_type { const uint8_t *data[MAX_PKT_BURST * 2]; struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 6baeeb342f..2d35536f57 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -52,6 +52,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; ipsec->replay_win_sz = app_sa_prm.window_size; ipsec->options.esn = app_sa_prm.enable_esn; + ipsec->options.udp_encap = sa->udp_encap; } int @@ -556,6 +557,14 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, continue; } + if (unlikely((pkts[i]->packet_type & + RTE_PTYPE_TUNNEL_ESP_IN_UDP) == + RTE_PTYPE_TUNNEL_ESP_IN_UDP && + sa->udp_encap != 1)) { + free_pkts(&pkts[i], 1); + continue; + } + sym_cop = get_sym_cop(&priv->cop); sym_cop->m_src = pkts[i]; diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 7031e28c46..ae5058de27 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -75,6 +75,7 @@ struct app_sa_prm { uint32_t window_size; /* replay window size */ uint32_t enable_esn; /* enable/disable ESN support */ uint32_t cache_sz; /* per lcore SA cache size */ + uint32_t udp_encap; /* enable/disable UDP Encapsulation */ uint64_t flags; /* rte_ipsec_sa_prm.flags */ }; @@ -136,6 +137,7 @@ struct ipsec_sa { struct rte_security_ipsec_xform *sec_xform; }; enum rte_security_ipsec_sa_direction direction; + uint8_t udp_encap; uint16_t portid; uint8_t fdir_qid; uint8_t fdir_flag; diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index cd1397531a..7bb9ef36c2 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -298,6 +298,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, uint32_t portid_p = 0; uint32_t fallback_p = 0; int16_t status_p = 0; + uint16_t udp_encap_p = 0; if (strcmp(tokens[0], "in") == 0) { ri = &nb_sa_in; @@ -757,6 +758,23 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, } continue; } + if (strcmp(tokens[ti], "udp-encap") == 0) { + APP_CHECK(ips->type == + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + status, "UDP encapsulation is allowed if the " + "session is of type lookaside-protocol-offload " + "only."); + if (status->status < 0) + return; + APP_CHECK_PRESENCE(udp_encap_p, tokens[ti], status); + if (status->status < 0) + return; + + rule->udp_encap = 1; + app_sa_prm.udp_encap = 1; + udp_encap_p = 1; + continue; + } /* unrecognizeable input */ APP_CHECK(0, status, "unrecognized input \"%s\"", diff --git a/examples/ipsec-secgw/sad.h b/examples/ipsec-secgw/sad.h index 473aaa938e..751cf7afae 100644 --- a/examples/ipsec-secgw/sad.h +++ b/examples/ipsec-secgw/sad.h @@ -77,6 +77,7 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[], uint32_t spi, cache_idx; struct ipsec_sad_cache *cache; struct ipsec_sa *cached_sa; + uint16_t udp_hdr_len = 0; int is_ipv4; cache = &RTE_PER_LCORE(sad_cache); @@ -85,8 +86,11 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[], for (i = 0; i < nb_pkts; i++) { ipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *); ipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *); + if ((pkts[i]->packet_type & RTE_PTYPE_TUNNEL_ESP_IN_UDP) == + RTE_PTYPE_TUNNEL_ESP_IN_UDP) + udp_hdr_len = sizeof(struct rte_udp_hdr); esp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *, - pkts[i]->l3_len); + pkts[i]->l3_len + udp_hdr_len); is_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4; spi = rte_be_to_cpu_32(esp->spi); -- 2.27.0