DPDK patches and discussions
 help / color / mirror / Atom feed
* [PATCH 1/4] mbuf: clarify meta data needed for Outbound Inline
@ 2022-07-07  7:29 Nithin Dabilpuram
  2022-07-07  7:29 ` [PATCH 2/4] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
                   ` (4 more replies)
  0 siblings, 5 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-07-07  7:29 UTC (permalink / raw)
  To: Olivier Matz; +Cc: dev, gakhil, jerinj, Nithin Dabilpuram

Clarify mbuf meta data needed for Outbound Inline processing.
Application needs to provide mbuf.l3_len and L3 type in
mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
can make use of l3_len and l3_type to determine perform
proper transport mode IPsec processing.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 doc/guides/nics/features.rst | 2 +-
 lib/mbuf/rte_mbuf_core.h     | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst
index 7f6cb91..b4a8e98 100644
--- a/doc/guides/nics/features.rst
+++ b/doc/guides/nics/features.rst
@@ -431,7 +431,7 @@ protocol operations. See security library and PMD documentation for more details
 
 * **[uses]       rte_eth_rxconf,rte_eth_rxmode**: ``offloads:RTE_ETH_RX_OFFLOAD_SECURITY``,
 * **[uses]       rte_eth_txconf,rte_eth_txmode**: ``offloads:RTE_ETH_TX_OFFLOAD_SECURITY``.
-* **[uses]       mbuf**: ``mbuf.l2_len``.
+* **[uses]       mbuf**: ``mbuf.l2_len``, ``mbuf.l3_len``, ``mbuf.ol_flags``.
 * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
   ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``,
   ``capabilities_get``.
diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h
index 3d6ddd6..b62a7c6 100644
--- a/lib/mbuf/rte_mbuf_core.h
+++ b/lib/mbuf/rte_mbuf_core.h
@@ -267,7 +267,8 @@ extern "C" {
 /**
  * Request security offload processing on the TX packet.
  * To use Tx security offload, the user needs to fill l2_len in mbuf
- * indicating L2 header size and where L3 header starts.
+ * indicating L2 header size and where L3 header starts. Similarly,
+ * l3_len should also be filled along with ol_flags reflecting current L3 type.
  */
 #define RTE_MBUF_F_TX_SEC_OFFLOAD	(1ULL << 43)
 #define PKT_TX_SEC_OFFLOAD RTE_DEPRECATED(PKT_TX_SEC_OFFLOAD) \
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH 2/4] security: clarify L2 header requirement for outbound inline
  2022-07-07  7:29 [PATCH 1/4] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
@ 2022-07-07  7:29 ` Nithin Dabilpuram
  2022-07-07  7:29 ` [PATCH 3/4] net/cnxk: remove l2 header update for outbound inline pkts Nithin Dabilpuram
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-07-07  7:29 UTC (permalink / raw)
  To: Akhil Goyal; +Cc: dev, jerinj, Nithin Dabilpuram

Clarify that for Outbound Inline IPsec processing, L2 header
needs to be up to date with ether type which will be applicable
post IPsec processing as the IPsec offload only touches L3 and above.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 72ca0bd..be158f6 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -146,7 +146,9 @@ adding the relevant protocol headers and encrypting the data before sending
 the packet out. The software should make sure that the buffer
 has required head room and tail room for any protocol header addition. The
 software may also do early fragmentation if the resultant packet is expected
-to cross the MTU size.
+to cross the MTU size. The software should also make sure that L2 header contents
+are updated with the final L2 header which is expected post IPsec processing as
+the IPsec offload will only update L3 and above in egress path.
 
 
 .. note::
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH 3/4] net/cnxk: remove l2 header update for outbound inline pkts
  2022-07-07  7:29 [PATCH 1/4] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
  2022-07-07  7:29 ` [PATCH 2/4] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
@ 2022-07-07  7:29 ` Nithin Dabilpuram
  2022-07-07  7:29 ` [PATCH 4/4] app/test: update l2 header based on tunnel ip version Nithin Dabilpuram
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-07-07  7:29 UTC (permalink / raw)
  To: Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao
  Cc: dev, gakhil, jerinj

Remove L2 header update for outbound inline packets as
application is already taking care of the same.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 drivers/net/cnxk/cn10k_tx.h | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_tx.h b/drivers/net/cnxk/cn10k_tx.h
index ea13866..4bd47ef 100644
--- a/drivers/net/cnxk/cn10k_tx.h
+++ b/drivers/net/cnxk/cn10k_tx.h
@@ -362,15 +362,6 @@ cn10k_nix_prep_sec_vec(struct rte_mbuf *m, uint64x2_t *cmd0, uint64x2_t *cmd1,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
-
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
@@ -490,14 +481,6 @@ cn10k_nix_prep_sec(struct rte_mbuf *m, uint64_t *cmd, uintptr_t *nixtx_addr,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH 4/4] app/test: update l2 header based on tunnel ip version
  2022-07-07  7:29 [PATCH 1/4] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
  2022-07-07  7:29 ` [PATCH 2/4] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
  2022-07-07  7:29 ` [PATCH 3/4] net/cnxk: remove l2 header update for outbound inline pkts Nithin Dabilpuram
@ 2022-07-07  7:29 ` Nithin Dabilpuram
  2022-08-17 19:11 ` [PATCH v2 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
  2022-08-22 14:38 ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
  4 siblings, 0 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-07-07  7:29 UTC (permalink / raw)
  To: Akhil Goyal; +Cc: dev, jerinj, Nithin Dabilpuram

Update l2 header based on tunnel ip version.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 app/test/test_security_inline_proto.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c
index 5f26a04..b282e7d 100644
--- a/app/test/test_security_inline_proto.c
+++ b/app/test/test_security_inline_proto.c
@@ -418,15 +418,29 @@ copy_buf_to_pkt_segs(const uint8_t *buf, unsigned int len,
 	rte_memcpy(seg_buf, buf + copied, (size_t) len);
 }
 
+static bool
+is_outer_ipv4(struct ipsec_test_data *td)
+{
+	bool outer_ipv4;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS ||
+	    td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		outer_ipv4 = (((td->input_text.data[0] & 0xF0) >> 4) == IPVERSION);
+	else
+		outer_ipv4 = (td->ipsec_xform.tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4);
+	return outer_ipv4;
+}
+
 static inline struct rte_mbuf *
-init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len, bool outer_ipv4)
 {
 	struct rte_mbuf *pkt;
 
 	pkt = rte_pktmbuf_alloc(mp);
 	if (pkt == NULL)
 		return NULL;
-	if (((data[0] & 0xF0) >> 4) == IPVERSION) {
+
+	if (outer_ipv4) {
 		rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN),
 				&dummy_ipv4_eth_hdr, RTE_ETHER_HDR_LEN);
 		pkt->l3_len = sizeof(struct rte_ipv4_hdr);
@@ -711,6 +725,7 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	struct rte_security_ctx *ctx;
 	unsigned int i, nb_rx = 0, j;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int ret = 0;
 
 	burst_sz = vector->burst ? ENCAP_DECAP_BURST_SZ : 1;
@@ -740,11 +755,15 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	memset(tx_pkts_burst, 0, sizeof(tx_pkts_burst[0]) * nb_tx);
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_tx);
 
+	memcpy(&sa_data, vector->sa_data, sizeof(struct ipsec_test_data));
+	sa_data.ipsec_xform.direction =	RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+	outer_ipv4 = is_outer_ipv4(&sa_data);
+
 	for (i = 0; i < nb_tx; i += vector->nb_frags) {
 		for (j = 0; j < vector->nb_frags; j++) {
 			tx_pkts_burst[i+j] = init_packet(mbufpool,
 						vector->frags[j]->data,
-						vector->frags[j]->len);
+						vector->frags[j]->len, outer_ipv4);
 			if (tx_pkts_burst[i+j] == NULL) {
 				ret = -1;
 				printf("\n packed init failed\n");
@@ -963,6 +982,7 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 	int nb_rx = 0, nb_sent;
 	uint32_t ol_flags;
 	int i, j = 0, ret;
+	bool outer_ipv4;
 
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts);
 
@@ -994,9 +1014,11 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
+
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkts_burst[i] = init_packet(mbufpool, td->input_text.data,
-						td->input_text.len);
+						td->input_text.len, outer_ipv4);
 		if (tx_pkts_burst[i] == NULL) {
 			while (i--)
 				rte_pktmbuf_free(tx_pkts_burst[i]);
@@ -1194,6 +1216,7 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 	struct rte_security_session *ses;
 	struct rte_security_ctx *ctx;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int i, ret;
 
 	if (td[0].aead) {
@@ -1224,10 +1247,11 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
 
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkt = init_packet(mbufpool, td[i].input_text.data,
-					td[i].input_text.len);
+					td[i].input_text.len, outer_ipv4);
 		if (tx_pkt == NULL) {
 			ret = TEST_FAILED;
 			goto out;
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v2 1/5] mbuf: clarify meta data needed for Outbound Inline
  2022-07-07  7:29 [PATCH 1/4] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
                   ` (2 preceding siblings ...)
  2022-07-07  7:29 ` [PATCH 4/4] app/test: update l2 header based on tunnel ip version Nithin Dabilpuram
@ 2022-08-17 19:11 ` Nithin Dabilpuram
  2022-08-17 19:11   ` [PATCH v2 2/5] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
                     ` (3 more replies)
  2022-08-22 14:38 ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
  4 siblings, 4 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-17 19:11 UTC (permalink / raw)
  To: Olivier Matz; +Cc: jerinj, dev, gakhil, Nithin Dabilpuram

Clarify mbuf meta data needed for Outbound Inline processing.
Application needs to provide mbuf.l3_len and L3 type in
mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
can make use of l3_len and l3_type to determine perform
proper transport mode IPsec processing.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
v2:
- Modified ipsec-secgw to do ether type update for outbound path.

 doc/guides/nics/features.rst | 2 +-
 lib/mbuf/rte_mbuf_core.h     | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst
index 7f6cb91..b4a8e98 100644
--- a/doc/guides/nics/features.rst
+++ b/doc/guides/nics/features.rst
@@ -431,7 +431,7 @@ protocol operations. See security library and PMD documentation for more details
 
 * **[uses]       rte_eth_rxconf,rte_eth_rxmode**: ``offloads:RTE_ETH_RX_OFFLOAD_SECURITY``,
 * **[uses]       rte_eth_txconf,rte_eth_txmode**: ``offloads:RTE_ETH_TX_OFFLOAD_SECURITY``.
-* **[uses]       mbuf**: ``mbuf.l2_len``.
+* **[uses]       mbuf**: ``mbuf.l2_len``, ``mbuf.l3_len``, ``mbuf.ol_flags``.
 * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
   ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``,
   ``capabilities_get``.
diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h
index 3d6ddd6..b62a7c6 100644
--- a/lib/mbuf/rte_mbuf_core.h
+++ b/lib/mbuf/rte_mbuf_core.h
@@ -267,7 +267,8 @@ extern "C" {
 /**
  * Request security offload processing on the TX packet.
  * To use Tx security offload, the user needs to fill l2_len in mbuf
- * indicating L2 header size and where L3 header starts.
+ * indicating L2 header size and where L3 header starts. Similarly,
+ * l3_len should also be filled along with ol_flags reflecting current L3 type.
  */
 #define RTE_MBUF_F_TX_SEC_OFFLOAD	(1ULL << 43)
 #define PKT_TX_SEC_OFFLOAD RTE_DEPRECATED(PKT_TX_SEC_OFFLOAD) \
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v2 2/5] security: clarify L2 header requirement for outbound inline
  2022-08-17 19:11 ` [PATCH v2 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
@ 2022-08-17 19:11   ` Nithin Dabilpuram
  2022-08-17 19:11   ` [PATCH v2 3/5] net/cnxk: remove L2 header update for outbound inline pkts Nithin Dabilpuram
                     ` (2 subsequent siblings)
  3 siblings, 0 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-17 19:11 UTC (permalink / raw)
  To: Akhil Goyal; +Cc: jerinj, dev, Nithin Dabilpuram

Clarify that for Outbound Inline IPsec processing, L2 header
needs to be up to date with ether type which will be applicable
post IPsec processing as the IPsec offload only touches L3 and above.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 72ca0bd..be158f6 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -146,7 +146,9 @@ adding the relevant protocol headers and encrypting the data before sending
 the packet out. The software should make sure that the buffer
 has required head room and tail room for any protocol header addition. The
 software may also do early fragmentation if the resultant packet is expected
-to cross the MTU size.
+to cross the MTU size. The software should also make sure that L2 header contents
+are updated with the final L2 header which is expected post IPsec processing as
+the IPsec offload will only update L3 and above in egress path.
 
 
 .. note::
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v2 3/5] net/cnxk: remove L2 header update for outbound inline pkts
  2022-08-17 19:11 ` [PATCH v2 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
  2022-08-17 19:11   ` [PATCH v2 2/5] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
@ 2022-08-17 19:11   ` Nithin Dabilpuram
  2022-08-17 19:11   ` [PATCH v2 4/5] app/test: update L2 header based on tunnel IP version Nithin Dabilpuram
  2022-08-17 19:11   ` [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info Nithin Dabilpuram
  3 siblings, 0 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-17 19:11 UTC (permalink / raw)
  To: Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao
  Cc: jerinj, dev, gakhil

Remove L2 header update for outbound inline packets as
application is already taking care of the same.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 drivers/net/cnxk/cn10k_tx.h | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_tx.h b/drivers/net/cnxk/cn10k_tx.h
index ea13866..4bd47ef 100644
--- a/drivers/net/cnxk/cn10k_tx.h
+++ b/drivers/net/cnxk/cn10k_tx.h
@@ -362,15 +362,6 @@ cn10k_nix_prep_sec_vec(struct rte_mbuf *m, uint64x2_t *cmd0, uint64x2_t *cmd1,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
-
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
@@ -490,14 +481,6 @@ cn10k_nix_prep_sec(struct rte_mbuf *m, uint64_t *cmd, uintptr_t *nixtx_addr,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v2 4/5] app/test: update L2 header based on tunnel IP version
  2022-08-17 19:11 ` [PATCH v2 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
  2022-08-17 19:11   ` [PATCH v2 2/5] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
  2022-08-17 19:11   ` [PATCH v2 3/5] net/cnxk: remove L2 header update for outbound inline pkts Nithin Dabilpuram
@ 2022-08-17 19:11   ` Nithin Dabilpuram
  2022-08-18  9:04     ` Akhil Goyal
  2022-08-17 19:11   ` [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info Nithin Dabilpuram
  3 siblings, 1 reply; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-17 19:11 UTC (permalink / raw)
  To: Akhil Goyal; +Cc: jerinj, dev, Nithin Dabilpuram

Update L2 header based on tunnel IP version.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 app/test/test_security_inline_proto.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c
index 5f26a04..b282e7d 100644
--- a/app/test/test_security_inline_proto.c
+++ b/app/test/test_security_inline_proto.c
@@ -418,15 +418,29 @@ copy_buf_to_pkt_segs(const uint8_t *buf, unsigned int len,
 	rte_memcpy(seg_buf, buf + copied, (size_t) len);
 }
 
+static bool
+is_outer_ipv4(struct ipsec_test_data *td)
+{
+	bool outer_ipv4;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS ||
+	    td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		outer_ipv4 = (((td->input_text.data[0] & 0xF0) >> 4) == IPVERSION);
+	else
+		outer_ipv4 = (td->ipsec_xform.tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4);
+	return outer_ipv4;
+}
+
 static inline struct rte_mbuf *
-init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len, bool outer_ipv4)
 {
 	struct rte_mbuf *pkt;
 
 	pkt = rte_pktmbuf_alloc(mp);
 	if (pkt == NULL)
 		return NULL;
-	if (((data[0] & 0xF0) >> 4) == IPVERSION) {
+
+	if (outer_ipv4) {
 		rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN),
 				&dummy_ipv4_eth_hdr, RTE_ETHER_HDR_LEN);
 		pkt->l3_len = sizeof(struct rte_ipv4_hdr);
@@ -711,6 +725,7 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	struct rte_security_ctx *ctx;
 	unsigned int i, nb_rx = 0, j;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int ret = 0;
 
 	burst_sz = vector->burst ? ENCAP_DECAP_BURST_SZ : 1;
@@ -740,11 +755,15 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	memset(tx_pkts_burst, 0, sizeof(tx_pkts_burst[0]) * nb_tx);
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_tx);
 
+	memcpy(&sa_data, vector->sa_data, sizeof(struct ipsec_test_data));
+	sa_data.ipsec_xform.direction =	RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+	outer_ipv4 = is_outer_ipv4(&sa_data);
+
 	for (i = 0; i < nb_tx; i += vector->nb_frags) {
 		for (j = 0; j < vector->nb_frags; j++) {
 			tx_pkts_burst[i+j] = init_packet(mbufpool,
 						vector->frags[j]->data,
-						vector->frags[j]->len);
+						vector->frags[j]->len, outer_ipv4);
 			if (tx_pkts_burst[i+j] == NULL) {
 				ret = -1;
 				printf("\n packed init failed\n");
@@ -963,6 +982,7 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 	int nb_rx = 0, nb_sent;
 	uint32_t ol_flags;
 	int i, j = 0, ret;
+	bool outer_ipv4;
 
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts);
 
@@ -994,9 +1014,11 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
+
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkts_burst[i] = init_packet(mbufpool, td->input_text.data,
-						td->input_text.len);
+						td->input_text.len, outer_ipv4);
 		if (tx_pkts_burst[i] == NULL) {
 			while (i--)
 				rte_pktmbuf_free(tx_pkts_burst[i]);
@@ -1194,6 +1216,7 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 	struct rte_security_session *ses;
 	struct rte_security_ctx *ctx;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int i, ret;
 
 	if (td[0].aead) {
@@ -1224,10 +1247,11 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
 
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkt = init_packet(mbufpool, td[i].input_text.data,
-					td[i].input_text.len);
+					td[i].input_text.len, outer_ipv4);
 		if (tx_pkt == NULL) {
 			ret = TEST_FAILED;
 			goto out;
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info
  2022-08-17 19:11 ` [PATCH v2 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
                     ` (2 preceding siblings ...)
  2022-08-17 19:11   ` [PATCH v2 4/5] app/test: update L2 header based on tunnel IP version Nithin Dabilpuram
@ 2022-08-17 19:11   ` Nithin Dabilpuram
  2022-08-18  8:01     ` Ruifeng Wang
  2022-08-18  8:26     ` Akhil Goyal
  3 siblings, 2 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-17 19:11 UTC (permalink / raw)
  To: Ruifeng Wang, Radu Nicolau, Akhil Goyal; +Cc: jerinj, dev, Nithin Dabilpuram

Update ether type for outbound SA processing based on tunnel header
information in both NEON functions for poll mode and event mode worker
functions.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 examples/ipsec-secgw/ipsec_neon.h   | 41 +++++++++++++++++++++++++------------
 examples/ipsec-secgw/ipsec_worker.c | 30 +++++++++++++++++++--------
 2 files changed, 49 insertions(+), 22 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec_neon.h b/examples/ipsec-secgw/ipsec_neon.h
index 3f2d0a0..9c0498b 100644
--- a/examples/ipsec-secgw/ipsec_neon.h
+++ b/examples/ipsec-secgw/ipsec_neon.h
@@ -18,12 +18,13 @@ extern xmm_t val_eth[RTE_MAX_ETHPORTS];
  */
 static inline void
 processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
-		uint64_t tx_offloads, bool ip_cksum, uint8_t *l_pkt)
+		uint64_t tx_offloads, bool ip_cksum, bool is_ipv4, uint8_t *l_pkt)
 {
 	uint32x4_t te[FWDSTEP];
 	uint32x4_t ve[FWDSTEP];
 	uint32_t *p[FWDSTEP];
 	struct rte_mbuf *pkt;
+	uint32_t val;
 	uint8_t i;
 
 	for (i = 0; i < FWDSTEP; i++) {
@@ -38,7 +39,15 @@ processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
 		te[i] = vld1q_u32(p[i]);
 
 		/* Update last 4 bytes */
-		ve[i] = vsetq_lane_u32(vgetq_lane_u32(te[i], 3), ve[i], 3);
+		val = vgetq_lane_u32(te[i], 3);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+		val &= 0xFFFFUL << 16;
+		val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6);
+#else
+		val &= 0xFFFFUL;
+		val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6) << 16;
+#endif
+		ve[i] = vsetq_lane_u32(val, ve[i], 3);
 		vst1q_u32(p[i], ve[i]);
 
 		if (ip_cksum) {
@@ -64,10 +73,11 @@ processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
  */
 static inline void
 process_packet(struct rte_mbuf *pkt, uint16_t *dst_port, uint64_t tx_offloads,
-	       bool ip_cksum, uint8_t *l_pkt)
+	       bool ip_cksum, bool is_ipv4, uint8_t *l_pkt)
 {
 	struct rte_ether_hdr *eth_hdr;
 	uint32x4_t te, ve;
+	uint32_t val;
 
 	/* Check if it is a large packet */
 	if (pkt->pkt_len - RTE_ETHER_HDR_LEN > mtu_size)
@@ -78,7 +88,15 @@ process_packet(struct rte_mbuf *pkt, uint16_t *dst_port, uint64_t tx_offloads,
 	te = vld1q_u32((uint32_t *)eth_hdr);
 	ve = vreinterpretq_u32_s32(val_eth[dst_port[0]]);
 
-	ve = vcopyq_laneq_u32(ve, 3, te, 3);
+	val = vgetq_lane_u32(te, 3);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+	val &= 0xFFFFUL << 16;
+	val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6);
+#else
+	val &= 0xFFFFUL;
+	val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6) << 16;
+#endif
+	ve = vsetq_lane_u32(val, ve, 3);
 	vst1q_u32((uint32_t *)eth_hdr, ve);
 
 	if (ip_cksum) {
@@ -223,14 +241,14 @@ send_multi_pkts(struct rte_mbuf **pkts, uint16_t dst_port[MAX_PKT_BURST],
 		lp = pnum;
 		lp[0] = 1;
 
-		processx4_step3(pkts, dst_port, tx_offloads, ip_cksum, &l_pkt);
+		processx4_step3(pkts, dst_port, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 
 		/* dp1: <d[0], d[1], d[2], d[3], ... > */
 		dp1 = vld1q_u16(dst_port);
 
 		for (i = FWDSTEP; i != k; i += FWDSTEP) {
-			processx4_step3(&pkts[i], &dst_port[i], tx_offloads,
-					ip_cksum, &l_pkt);
+			processx4_step3(&pkts[i], &dst_port[i], tx_offloads, ip_cksum, is_ipv4,
+					&l_pkt);
 
 			/*
 			 * dp2:
@@ -268,20 +286,17 @@ send_multi_pkts(struct rte_mbuf **pkts, uint16_t dst_port[MAX_PKT_BURST],
 	/* Process up to last 3 packets one by one. */
 	switch (nb_rx % FWDSTEP) {
 	case 3:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 		i++;
 		/* fallthrough */
 	case 2:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 		i++;
 		/* fallthrough */
 	case 1:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 	}
 
diff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c
index 803157d..5e69450 100644
--- a/examples/ipsec-secgw/ipsec_worker.c
+++ b/examples/ipsec-secgw/ipsec_worker.c
@@ -53,11 +53,8 @@ process_ipsec_get_pkt_type(struct rte_mbuf *pkt, uint8_t **nlp)
 }
 
 static inline void
-update_mac_addrs(struct rte_mbuf *pkt, uint16_t portid)
+update_mac_addrs(struct rte_ether_hdr *ethhdr, uint16_t portid)
 {
-	struct rte_ether_hdr *ethhdr;
-
-	ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
 	memcpy(&ethhdr->src_addr, &ethaddr_tbl[portid].src, RTE_ETHER_ADDR_LEN);
 	memcpy(&ethhdr->dst_addr, &ethaddr_tbl[portid].dst, RTE_ETHER_ADDR_LEN);
 }
@@ -374,7 +371,7 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
 	/* else, we have a matching route */
 
 	/* Update mac addresses */
-	update_mac_addrs(pkt, port_id);
+	update_mac_addrs(rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *), port_id);
 
 	/* Update the event with the dest port */
 	ipsec_event_pre_forward(pkt, port_id);
@@ -392,6 +389,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 		struct rte_event *ev)
 {
 	struct rte_ipsec_session *sess;
+	struct rte_ether_hdr *ethhdr;
 	struct sa_ctx *sa_ctx;
 	struct rte_mbuf *pkt;
 	uint16_t port_id = 0;
@@ -430,6 +428,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 		goto drop_pkt_and_exit;
 	}
 
+	ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
 	/* Check if the packet has to be bypassed */
 	if (sa_idx == BYPASS) {
 		port_id = get_route(pkt, rt, type);
@@ -467,6 +466,9 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 
 	/* Mark the packet for Tx security offload */
 	pkt->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
+	/* Update ether type */
+	ethhdr->ether_type = (IS_IP4(sa->flags) ? rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4) :
+			      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6));
 
 	/* Get the port to which this pkt need to be submitted */
 	port_id = sa->portid;
@@ -476,7 +478,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 	pkt->l2_len = RTE_ETHER_HDR_LEN;
 
 	/* Update mac addresses */
-	update_mac_addrs(pkt, port_id);
+	update_mac_addrs(ethhdr, port_id);
 
 	/* Update the event with the dest port */
 	ipsec_event_pre_forward(pkt, port_id);
@@ -494,6 +496,7 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		    struct ipsec_traffic *t, struct sa_ctx *sa_ctx)
 {
 	struct rte_ipsec_session *sess;
+	struct rte_ether_hdr *ethhdr;
 	uint32_t sa_idx, i, j = 0;
 	uint16_t port_id = 0;
 	struct rte_mbuf *pkt;
@@ -505,7 +508,8 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		port_id = route4_pkt(pkt, rt->rt4_ctx);
 		if (port_id != RTE_MAX_ETHPORTS) {
 			/* Update mac addresses */
-			update_mac_addrs(pkt, port_id);
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			update_mac_addrs(ethhdr, port_id);
 			/* Update the event with the dest port */
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
@@ -520,7 +524,8 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		port_id = route6_pkt(pkt, rt->rt6_ctx);
 		if (port_id != RTE_MAX_ETHPORTS) {
 			/* Update mac addresses */
-			update_mac_addrs(pkt, port_id);
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			update_mac_addrs(ethhdr, port_id);
 			/* Update the event with the dest port */
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
@@ -553,7 +558,14 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 
 			pkt->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
 			port_id = sa->portid;
-			update_mac_addrs(pkt, port_id);
+
+			/* Fetch outer ip type and update */
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			ethhdr->ether_type = (IS_IP4(sa->flags) ?
+					      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4) :
+					      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6));
+			update_mac_addrs(ethhdr, port_id);
+
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
 			vec->mbufs[j++] = pkt;
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* RE: [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info
  2022-08-17 19:11   ` [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info Nithin Dabilpuram
@ 2022-08-18  8:01     ` Ruifeng Wang
  2022-08-18  8:26     ` Akhil Goyal
  1 sibling, 0 replies; 22+ messages in thread
From: Ruifeng Wang @ 2022-08-18  8:01 UTC (permalink / raw)
  To: Nithin Dabilpuram, Radu Nicolau, Akhil Goyal; +Cc: jerinj, dev, nd

> -----Original Message-----
> From: Nithin Dabilpuram <ndabilpuram@marvell.com>
> Sent: Thursday, August 18, 2022 3:12 AM
> To: Ruifeng Wang <Ruifeng.Wang@arm.com>; Radu Nicolau <radu.nicolau@intel.com>; Akhil
> Goyal <gakhil@marvell.com>
> Cc: jerinj@marvell.com; dev@dpdk.org; Nithin Dabilpuram <ndabilpuram@marvell.com>
> Subject: [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info
> 
> Update ether type for outbound SA processing based on tunnel header information in both
> NEON functions for poll mode and event mode worker functions.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
>  examples/ipsec-secgw/ipsec_neon.h   | 41 +++++++++++++++++++++++++------------
>  examples/ipsec-secgw/ipsec_worker.c | 30 +++++++++++++++++++--------
>  2 files changed, 49 insertions(+), 22 deletions(-)
> 
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>

^ permalink raw reply	[flat|nested] 22+ messages in thread

* RE: [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info
  2022-08-17 19:11   ` [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info Nithin Dabilpuram
  2022-08-18  8:01     ` Ruifeng Wang
@ 2022-08-18  8:26     ` Akhil Goyal
  1 sibling, 0 replies; 22+ messages in thread
From: Akhil Goyal @ 2022-08-18  8:26 UTC (permalink / raw)
  To: Nithin Kumar Dabilpuram, Ruifeng Wang, Radu Nicolau
  Cc: Jerin Jacob Kollanukkaran, dev, Nithin Kumar Dabilpuram, thomas

> Subject: [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel
> info
> 
> Update ether type for outbound SA processing based on tunnel header
> information in both NEON functions for poll mode and event mode worker
> functions.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>

^ permalink raw reply	[flat|nested] 22+ messages in thread

* RE: [PATCH v2 4/5] app/test: update L2 header based on tunnel IP version
  2022-08-17 19:11   ` [PATCH v2 4/5] app/test: update L2 header based on tunnel IP version Nithin Dabilpuram
@ 2022-08-18  9:04     ` Akhil Goyal
  0 siblings, 0 replies; 22+ messages in thread
From: Akhil Goyal @ 2022-08-18  9:04 UTC (permalink / raw)
  To: Nithin Kumar Dabilpuram
  Cc: Jerin Jacob Kollanukkaran, dev, Nithin Kumar Dabilpuram

> Subject: [PATCH v2 4/5] app/test: update L2 header based on tunnel IP version
> 
> Update L2 header based on tunnel IP version.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Description need to be reworded. It is not clear why the change is done.

Apart from that
Acked-by: Akhil Goyal <gakhil@marvell.com> 

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline
  2022-07-07  7:29 [PATCH 1/4] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
                   ` (3 preceding siblings ...)
  2022-08-17 19:11 ` [PATCH v2 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
@ 2022-08-22 14:38 ` Nithin Dabilpuram
  2022-08-22 14:38   ` [PATCH v3 2/5] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
                     ` (5 more replies)
  4 siblings, 6 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-22 14:38 UTC (permalink / raw)
  To: Olivier Matz; +Cc: jerinj, dev, gakhil, ruifeng.wang, Nithin Dabilpuram

Clarify mbuf meta data needed for Outbound Inline processing.
Application needs to provide mbuf.l3_len and L3 type in
mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
can make use of l3_len and l3_type to determine perform
proper transport mode IPsec processing.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
v3:
- Addressed comments on patch 4/5 and added acks.
v2:
- Modified ipsec-secgw to do ether type update for outbound path.

 doc/guides/nics/features.rst | 2 +-
 lib/mbuf/rte_mbuf_core.h     | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst
index 7f6cb91..b4a8e98 100644
--- a/doc/guides/nics/features.rst
+++ b/doc/guides/nics/features.rst
@@ -431,7 +431,7 @@ protocol operations. See security library and PMD documentation for more details
 
 * **[uses]       rte_eth_rxconf,rte_eth_rxmode**: ``offloads:RTE_ETH_RX_OFFLOAD_SECURITY``,
 * **[uses]       rte_eth_txconf,rte_eth_txmode**: ``offloads:RTE_ETH_TX_OFFLOAD_SECURITY``.
-* **[uses]       mbuf**: ``mbuf.l2_len``.
+* **[uses]       mbuf**: ``mbuf.l2_len``, ``mbuf.l3_len``, ``mbuf.ol_flags``.
 * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
   ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``,
   ``capabilities_get``.
diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h
index 3d6ddd6..b62a7c6 100644
--- a/lib/mbuf/rte_mbuf_core.h
+++ b/lib/mbuf/rte_mbuf_core.h
@@ -267,7 +267,8 @@ extern "C" {
 /**
  * Request security offload processing on the TX packet.
  * To use Tx security offload, the user needs to fill l2_len in mbuf
- * indicating L2 header size and where L3 header starts.
+ * indicating L2 header size and where L3 header starts. Similarly,
+ * l3_len should also be filled along with ol_flags reflecting current L3 type.
  */
 #define RTE_MBUF_F_TX_SEC_OFFLOAD	(1ULL << 43)
 #define PKT_TX_SEC_OFFLOAD RTE_DEPRECATED(PKT_TX_SEC_OFFLOAD) \
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v3 2/5] security: clarify L2 header requirement for outbound inline
  2022-08-22 14:38 ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
@ 2022-08-22 14:38   ` Nithin Dabilpuram
  2022-09-21 18:23     ` Akhil Goyal
  2022-08-22 14:38   ` [PATCH v3 3/5] net/cnxk: remove L2 header update for outbound inline pkts Nithin Dabilpuram
                     ` (4 subsequent siblings)
  5 siblings, 1 reply; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-22 14:38 UTC (permalink / raw)
  To: Akhil Goyal; +Cc: jerinj, dev, ruifeng.wang, Nithin Dabilpuram

Clarify that for Outbound Inline IPsec processing, L2 header
needs to be up to date with ether type which will be applicable
post IPsec processing as the IPsec offload only touches L3 and above.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 72ca0bd..be158f6 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -146,7 +146,9 @@ adding the relevant protocol headers and encrypting the data before sending
 the packet out. The software should make sure that the buffer
 has required head room and tail room for any protocol header addition. The
 software may also do early fragmentation if the resultant packet is expected
-to cross the MTU size.
+to cross the MTU size. The software should also make sure that L2 header contents
+are updated with the final L2 header which is expected post IPsec processing as
+the IPsec offload will only update L3 and above in egress path.
 
 
 .. note::
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v3 3/5] net/cnxk: remove L2 header update for outbound inline pkts
  2022-08-22 14:38 ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
  2022-08-22 14:38   ` [PATCH v3 2/5] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
@ 2022-08-22 14:38   ` Nithin Dabilpuram
  2022-08-22 14:38   ` [PATCH v3 4/5] app/test: update L2 header based on tunnel IP version Nithin Dabilpuram
                     ` (3 subsequent siblings)
  5 siblings, 0 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-22 14:38 UTC (permalink / raw)
  To: Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao
  Cc: jerinj, dev, gakhil, ruifeng.wang

Remove L2 header update for outbound inline packets as
application is already taking care of the same.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 drivers/net/cnxk/cn10k_tx.h | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_tx.h b/drivers/net/cnxk/cn10k_tx.h
index ea13866..4bd47ef 100644
--- a/drivers/net/cnxk/cn10k_tx.h
+++ b/drivers/net/cnxk/cn10k_tx.h
@@ -362,15 +362,6 @@ cn10k_nix_prep_sec_vec(struct rte_mbuf *m, uint64x2_t *cmd0, uint64x2_t *cmd1,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
-
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
@@ -490,14 +481,6 @@ cn10k_nix_prep_sec(struct rte_mbuf *m, uint64_t *cmd, uintptr_t *nixtx_addr,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v3 4/5] app/test: update L2 header based on tunnel IP version
  2022-08-22 14:38 ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
  2022-08-22 14:38   ` [PATCH v3 2/5] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
  2022-08-22 14:38   ` [PATCH v3 3/5] net/cnxk: remove L2 header update for outbound inline pkts Nithin Dabilpuram
@ 2022-08-22 14:38   ` Nithin Dabilpuram
  2022-08-22 14:38   ` [PATCH v3 5/5] examples/ipsec-secgw: update ether type using tunnel info Nithin Dabilpuram
                     ` (2 subsequent siblings)
  5 siblings, 0 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-22 14:38 UTC (permalink / raw)
  To: Akhil Goyal; +Cc: jerinj, dev, ruifeng.wang, Nithin Dabilpuram

Update L2 header based on tunnel IP version in the application
as driver/HW is not expected to update L2 ether type post
Outbound Inline protocol offload processing.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_proto.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c
index 5f26a04..b282e7d 100644
--- a/app/test/test_security_inline_proto.c
+++ b/app/test/test_security_inline_proto.c
@@ -418,15 +418,29 @@ copy_buf_to_pkt_segs(const uint8_t *buf, unsigned int len,
 	rte_memcpy(seg_buf, buf + copied, (size_t) len);
 }
 
+static bool
+is_outer_ipv4(struct ipsec_test_data *td)
+{
+	bool outer_ipv4;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS ||
+	    td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		outer_ipv4 = (((td->input_text.data[0] & 0xF0) >> 4) == IPVERSION);
+	else
+		outer_ipv4 = (td->ipsec_xform.tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4);
+	return outer_ipv4;
+}
+
 static inline struct rte_mbuf *
-init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len, bool outer_ipv4)
 {
 	struct rte_mbuf *pkt;
 
 	pkt = rte_pktmbuf_alloc(mp);
 	if (pkt == NULL)
 		return NULL;
-	if (((data[0] & 0xF0) >> 4) == IPVERSION) {
+
+	if (outer_ipv4) {
 		rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN),
 				&dummy_ipv4_eth_hdr, RTE_ETHER_HDR_LEN);
 		pkt->l3_len = sizeof(struct rte_ipv4_hdr);
@@ -711,6 +725,7 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	struct rte_security_ctx *ctx;
 	unsigned int i, nb_rx = 0, j;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int ret = 0;
 
 	burst_sz = vector->burst ? ENCAP_DECAP_BURST_SZ : 1;
@@ -740,11 +755,15 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	memset(tx_pkts_burst, 0, sizeof(tx_pkts_burst[0]) * nb_tx);
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_tx);
 
+	memcpy(&sa_data, vector->sa_data, sizeof(struct ipsec_test_data));
+	sa_data.ipsec_xform.direction =	RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+	outer_ipv4 = is_outer_ipv4(&sa_data);
+
 	for (i = 0; i < nb_tx; i += vector->nb_frags) {
 		for (j = 0; j < vector->nb_frags; j++) {
 			tx_pkts_burst[i+j] = init_packet(mbufpool,
 						vector->frags[j]->data,
-						vector->frags[j]->len);
+						vector->frags[j]->len, outer_ipv4);
 			if (tx_pkts_burst[i+j] == NULL) {
 				ret = -1;
 				printf("\n packed init failed\n");
@@ -963,6 +982,7 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 	int nb_rx = 0, nb_sent;
 	uint32_t ol_flags;
 	int i, j = 0, ret;
+	bool outer_ipv4;
 
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts);
 
@@ -994,9 +1014,11 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
+
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkts_burst[i] = init_packet(mbufpool, td->input_text.data,
-						td->input_text.len);
+						td->input_text.len, outer_ipv4);
 		if (tx_pkts_burst[i] == NULL) {
 			while (i--)
 				rte_pktmbuf_free(tx_pkts_burst[i]);
@@ -1194,6 +1216,7 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 	struct rte_security_session *ses;
 	struct rte_security_ctx *ctx;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int i, ret;
 
 	if (td[0].aead) {
@@ -1224,10 +1247,11 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
 
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkt = init_packet(mbufpool, td[i].input_text.data,
-					td[i].input_text.len);
+					td[i].input_text.len, outer_ipv4);
 		if (tx_pkt == NULL) {
 			ret = TEST_FAILED;
 			goto out;
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH v3 5/5] examples/ipsec-secgw: update ether type using tunnel info
  2022-08-22 14:38 ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
                     ` (2 preceding siblings ...)
  2022-08-22 14:38   ` [PATCH v3 4/5] app/test: update L2 header based on tunnel IP version Nithin Dabilpuram
@ 2022-08-22 14:38   ` Nithin Dabilpuram
  2022-08-31  1:49   ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Kumar Dabilpuram
  2022-09-22 15:48   ` Akhil Goyal
  5 siblings, 0 replies; 22+ messages in thread
From: Nithin Dabilpuram @ 2022-08-22 14:38 UTC (permalink / raw)
  To: Ruifeng Wang, Radu Nicolau, Akhil Goyal; +Cc: jerinj, dev, Nithin Dabilpuram

Update ether type for outbound SA processing based on tunnel header
information in both NEON functions for poll mode and event mode worker
functions.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
---
 examples/ipsec-secgw/ipsec_neon.h   | 41 +++++++++++++++++++++++++------------
 examples/ipsec-secgw/ipsec_worker.c | 30 +++++++++++++++++++--------
 2 files changed, 49 insertions(+), 22 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec_neon.h b/examples/ipsec-secgw/ipsec_neon.h
index 3f2d0a0..9c0498b 100644
--- a/examples/ipsec-secgw/ipsec_neon.h
+++ b/examples/ipsec-secgw/ipsec_neon.h
@@ -18,12 +18,13 @@ extern xmm_t val_eth[RTE_MAX_ETHPORTS];
  */
 static inline void
 processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
-		uint64_t tx_offloads, bool ip_cksum, uint8_t *l_pkt)
+		uint64_t tx_offloads, bool ip_cksum, bool is_ipv4, uint8_t *l_pkt)
 {
 	uint32x4_t te[FWDSTEP];
 	uint32x4_t ve[FWDSTEP];
 	uint32_t *p[FWDSTEP];
 	struct rte_mbuf *pkt;
+	uint32_t val;
 	uint8_t i;
 
 	for (i = 0; i < FWDSTEP; i++) {
@@ -38,7 +39,15 @@ processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
 		te[i] = vld1q_u32(p[i]);
 
 		/* Update last 4 bytes */
-		ve[i] = vsetq_lane_u32(vgetq_lane_u32(te[i], 3), ve[i], 3);
+		val = vgetq_lane_u32(te[i], 3);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+		val &= 0xFFFFUL << 16;
+		val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6);
+#else
+		val &= 0xFFFFUL;
+		val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6) << 16;
+#endif
+		ve[i] = vsetq_lane_u32(val, ve[i], 3);
 		vst1q_u32(p[i], ve[i]);
 
 		if (ip_cksum) {
@@ -64,10 +73,11 @@ processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
  */
 static inline void
 process_packet(struct rte_mbuf *pkt, uint16_t *dst_port, uint64_t tx_offloads,
-	       bool ip_cksum, uint8_t *l_pkt)
+	       bool ip_cksum, bool is_ipv4, uint8_t *l_pkt)
 {
 	struct rte_ether_hdr *eth_hdr;
 	uint32x4_t te, ve;
+	uint32_t val;
 
 	/* Check if it is a large packet */
 	if (pkt->pkt_len - RTE_ETHER_HDR_LEN > mtu_size)
@@ -78,7 +88,15 @@ process_packet(struct rte_mbuf *pkt, uint16_t *dst_port, uint64_t tx_offloads,
 	te = vld1q_u32((uint32_t *)eth_hdr);
 	ve = vreinterpretq_u32_s32(val_eth[dst_port[0]]);
 
-	ve = vcopyq_laneq_u32(ve, 3, te, 3);
+	val = vgetq_lane_u32(te, 3);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+	val &= 0xFFFFUL << 16;
+	val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6);
+#else
+	val &= 0xFFFFUL;
+	val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6) << 16;
+#endif
+	ve = vsetq_lane_u32(val, ve, 3);
 	vst1q_u32((uint32_t *)eth_hdr, ve);
 
 	if (ip_cksum) {
@@ -223,14 +241,14 @@ send_multi_pkts(struct rte_mbuf **pkts, uint16_t dst_port[MAX_PKT_BURST],
 		lp = pnum;
 		lp[0] = 1;
 
-		processx4_step3(pkts, dst_port, tx_offloads, ip_cksum, &l_pkt);
+		processx4_step3(pkts, dst_port, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 
 		/* dp1: <d[0], d[1], d[2], d[3], ... > */
 		dp1 = vld1q_u16(dst_port);
 
 		for (i = FWDSTEP; i != k; i += FWDSTEP) {
-			processx4_step3(&pkts[i], &dst_port[i], tx_offloads,
-					ip_cksum, &l_pkt);
+			processx4_step3(&pkts[i], &dst_port[i], tx_offloads, ip_cksum, is_ipv4,
+					&l_pkt);
 
 			/*
 			 * dp2:
@@ -268,20 +286,17 @@ send_multi_pkts(struct rte_mbuf **pkts, uint16_t dst_port[MAX_PKT_BURST],
 	/* Process up to last 3 packets one by one. */
 	switch (nb_rx % FWDSTEP) {
 	case 3:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 		i++;
 		/* fallthrough */
 	case 2:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 		i++;
 		/* fallthrough */
 	case 1:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 	}
 
diff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c
index 803157d..5e69450 100644
--- a/examples/ipsec-secgw/ipsec_worker.c
+++ b/examples/ipsec-secgw/ipsec_worker.c
@@ -53,11 +53,8 @@ process_ipsec_get_pkt_type(struct rte_mbuf *pkt, uint8_t **nlp)
 }
 
 static inline void
-update_mac_addrs(struct rte_mbuf *pkt, uint16_t portid)
+update_mac_addrs(struct rte_ether_hdr *ethhdr, uint16_t portid)
 {
-	struct rte_ether_hdr *ethhdr;
-
-	ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
 	memcpy(&ethhdr->src_addr, &ethaddr_tbl[portid].src, RTE_ETHER_ADDR_LEN);
 	memcpy(&ethhdr->dst_addr, &ethaddr_tbl[portid].dst, RTE_ETHER_ADDR_LEN);
 }
@@ -374,7 +371,7 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
 	/* else, we have a matching route */
 
 	/* Update mac addresses */
-	update_mac_addrs(pkt, port_id);
+	update_mac_addrs(rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *), port_id);
 
 	/* Update the event with the dest port */
 	ipsec_event_pre_forward(pkt, port_id);
@@ -392,6 +389,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 		struct rte_event *ev)
 {
 	struct rte_ipsec_session *sess;
+	struct rte_ether_hdr *ethhdr;
 	struct sa_ctx *sa_ctx;
 	struct rte_mbuf *pkt;
 	uint16_t port_id = 0;
@@ -430,6 +428,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 		goto drop_pkt_and_exit;
 	}
 
+	ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
 	/* Check if the packet has to be bypassed */
 	if (sa_idx == BYPASS) {
 		port_id = get_route(pkt, rt, type);
@@ -467,6 +466,9 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 
 	/* Mark the packet for Tx security offload */
 	pkt->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
+	/* Update ether type */
+	ethhdr->ether_type = (IS_IP4(sa->flags) ? rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4) :
+			      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6));
 
 	/* Get the port to which this pkt need to be submitted */
 	port_id = sa->portid;
@@ -476,7 +478,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 	pkt->l2_len = RTE_ETHER_HDR_LEN;
 
 	/* Update mac addresses */
-	update_mac_addrs(pkt, port_id);
+	update_mac_addrs(ethhdr, port_id);
 
 	/* Update the event with the dest port */
 	ipsec_event_pre_forward(pkt, port_id);
@@ -494,6 +496,7 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		    struct ipsec_traffic *t, struct sa_ctx *sa_ctx)
 {
 	struct rte_ipsec_session *sess;
+	struct rte_ether_hdr *ethhdr;
 	uint32_t sa_idx, i, j = 0;
 	uint16_t port_id = 0;
 	struct rte_mbuf *pkt;
@@ -505,7 +508,8 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		port_id = route4_pkt(pkt, rt->rt4_ctx);
 		if (port_id != RTE_MAX_ETHPORTS) {
 			/* Update mac addresses */
-			update_mac_addrs(pkt, port_id);
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			update_mac_addrs(ethhdr, port_id);
 			/* Update the event with the dest port */
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
@@ -520,7 +524,8 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		port_id = route6_pkt(pkt, rt->rt6_ctx);
 		if (port_id != RTE_MAX_ETHPORTS) {
 			/* Update mac addresses */
-			update_mac_addrs(pkt, port_id);
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			update_mac_addrs(ethhdr, port_id);
 			/* Update the event with the dest port */
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
@@ -553,7 +558,14 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 
 			pkt->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
 			port_id = sa->portid;
-			update_mac_addrs(pkt, port_id);
+
+			/* Fetch outer ip type and update */
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			ethhdr->ether_type = (IS_IP4(sa->flags) ?
+					      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4) :
+					      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6));
+			update_mac_addrs(ethhdr, port_id);
+
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
 			vec->mbufs[j++] = pkt;
-- 
2.8.4


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline
  2022-08-22 14:38 ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
                     ` (3 preceding siblings ...)
  2022-08-22 14:38   ` [PATCH v3 5/5] examples/ipsec-secgw: update ether type using tunnel info Nithin Dabilpuram
@ 2022-08-31  1:49   ` Nithin Kumar Dabilpuram
  2022-09-21 18:21     ` Akhil Goyal
  2022-09-22 15:48   ` Akhil Goyal
  5 siblings, 1 reply; 22+ messages in thread
From: Nithin Kumar Dabilpuram @ 2022-08-31  1:49 UTC (permalink / raw)
  To: Olivier Matz, Ananyev, Konstantin
  Cc: Jerin Jacob Kollanukkaran, dev, Akhil Goyal, ruifeng.wang

Ping. Any thoughts on this ?

This is just clarification of existing assumptions for Inline Outbound 
that are being made.


On 2022-08-22 8:08 PM, Nithin Dabilpuram wrote:
> Clarify mbuf meta data needed for Outbound Inline processing.
> Application needs to provide mbuf.l3_len and L3 type in
> mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
> can make use of l3_len and l3_type to determine perform
> proper transport mode IPsec processing.
>
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
> v3:
> - Addressed comments on patch 4/5 and added acks.
> v2:
> - Modified ipsec-secgw to do ether type update for outbound path.
>
>   doc/guides/nics/features.rst | 2 +-
>   lib/mbuf/rte_mbuf_core.h     | 3 ++-
>   2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst
> index 7f6cb91..b4a8e98 100644
> --- a/doc/guides/nics/features.rst
> +++ b/doc/guides/nics/features.rst
> @@ -431,7 +431,7 @@ protocol operations. See security library and PMD documentation for more details
>   
>   * **[uses]       rte_eth_rxconf,rte_eth_rxmode**: ``offloads:RTE_ETH_RX_OFFLOAD_SECURITY``,
>   * **[uses]       rte_eth_txconf,rte_eth_txmode**: ``offloads:RTE_ETH_TX_OFFLOAD_SECURITY``.
> -* **[uses]       mbuf**: ``mbuf.l2_len``.
> +* **[uses]       mbuf**: ``mbuf.l2_len``, ``mbuf.l3_len``, ``mbuf.ol_flags``.
>   * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
>     ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``,
>     ``capabilities_get``.
> diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h
> index 3d6ddd6..b62a7c6 100644
> --- a/lib/mbuf/rte_mbuf_core.h
> +++ b/lib/mbuf/rte_mbuf_core.h
> @@ -267,7 +267,8 @@ extern "C" {
>   /**
>    * Request security offload processing on the TX packet.
>    * To use Tx security offload, the user needs to fill l2_len in mbuf
> - * indicating L2 header size and where L3 header starts.
> + * indicating L2 header size and where L3 header starts. Similarly,
> + * l3_len should also be filled along with ol_flags reflecting current L3 type.
>    */
>   #define RTE_MBUF_F_TX_SEC_OFFLOAD	(1ULL << 43)
>   #define PKT_TX_SEC_OFFLOAD RTE_DEPRECATED(PKT_TX_SEC_OFFLOAD) \

^ permalink raw reply	[flat|nested] 22+ messages in thread

* RE: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline
  2022-08-31  1:49   ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Kumar Dabilpuram
@ 2022-09-21 18:21     ` Akhil Goyal
  2022-09-21 18:46       ` Thomas Monjalon
  0 siblings, 1 reply; 22+ messages in thread
From: Akhil Goyal @ 2022-09-21 18:21 UTC (permalink / raw)
  To: Nithin Kumar Dabilpuram, Olivier Matz, Ananyev, Konstantin, thomas
  Cc: Jerin Jacob Kollanukkaran, dev, ruifeng.wang

> Ping. Any thoughts on this ?
> 
> This is just clarification of existing assumptions for Inline Outbound
> that are being made.
> 
> 
> On 2022-08-22 8:08 PM, Nithin Dabilpuram wrote:
> > Clarify mbuf meta data needed for Outbound Inline processing.
> > Application needs to provide mbuf.l3_len and L3 type in
> > mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
> > can make use of l3_len and l3_type to determine perform
> > proper transport mode IPsec processing.
> >
> > Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>

Series
Acked-by: Akhil Goyal <gakhil@marvell.com>

@Thomas : Can this series be merged into crypto tree?

Any objections?

^ permalink raw reply	[flat|nested] 22+ messages in thread

* RE: [PATCH v3 2/5] security: clarify L2 header requirement for outbound inline
  2022-08-22 14:38   ` [PATCH v3 2/5] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
@ 2022-09-21 18:23     ` Akhil Goyal
  0 siblings, 0 replies; 22+ messages in thread
From: Akhil Goyal @ 2022-09-21 18:23 UTC (permalink / raw)
  To: Nithin Kumar Dabilpuram, radu.nicolau, konstantin.v.ananyev
  Cc: Jerin Jacob Kollanukkaran, dev, ruifeng.wang, Nithin Kumar Dabilpuram

> 
> Clarify that for Outbound Inline IPsec processing, L2 header
> needs to be up to date with ether type which will be applicable
> post IPsec processing as the IPsec offload only touches L3 and above.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline
  2022-09-21 18:21     ` Akhil Goyal
@ 2022-09-21 18:46       ` Thomas Monjalon
  0 siblings, 0 replies; 22+ messages in thread
From: Thomas Monjalon @ 2022-09-21 18:46 UTC (permalink / raw)
  To: Nithin Kumar Dabilpuram, Olivier Matz, Ananyev, Konstantin, Akhil Goyal
  Cc: Jerin Jacob Kollanukkaran, dev, ruifeng.wang

21/09/2022 20:21, Akhil Goyal:
> > Ping. Any thoughts on this ?
> > 
> > This is just clarification of existing assumptions for Inline Outbound
> > that are being made.
> > 
> > 
> > On 2022-08-22 8:08 PM, Nithin Dabilpuram wrote:
> > > Clarify mbuf meta data needed for Outbound Inline processing.
> > > Application needs to provide mbuf.l3_len and L3 type in
> > > mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
> > > can make use of l3_len and l3_type to determine perform
> > > proper transport mode IPsec processing.
> > >
> > > Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> 
> Series
> Acked-by: Akhil Goyal <gakhil@marvell.com>
> 
> @Thomas : Can this series be merged into crypto tree?
> 
> Any objections?

That's all about crypto, so that's perfectly fine to merge in crypto tree.



^ permalink raw reply	[flat|nested] 22+ messages in thread

* RE: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline
  2022-08-22 14:38 ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
                     ` (4 preceding siblings ...)
  2022-08-31  1:49   ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Kumar Dabilpuram
@ 2022-09-22 15:48   ` Akhil Goyal
  5 siblings, 0 replies; 22+ messages in thread
From: Akhil Goyal @ 2022-09-22 15:48 UTC (permalink / raw)
  To: Nithin Kumar Dabilpuram, Olivier Matz
  Cc: Jerin Jacob Kollanukkaran, dev, ruifeng.wang, Nithin Kumar Dabilpuram

> Subject: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline
> 
> Clarify mbuf meta data needed for Outbound Inline processing.
> Application needs to provide mbuf.l3_len and L3 type in
> mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
> can make use of l3_len and l3_type to determine perform
> proper transport mode IPsec processing.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
> v3:
> - Addressed comments on patch 4/5 and added acks.
> v2:
> - Modified ipsec-secgw to do ether type update for outbound path.
Series Applied to dpdk-next-crypto

Thanks.

^ permalink raw reply	[flat|nested] 22+ messages in thread

end of thread, other threads:[~2022-09-22 15:48 UTC | newest]

Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-07  7:29 [PATCH 1/4] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
2022-07-07  7:29 ` [PATCH 2/4] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
2022-07-07  7:29 ` [PATCH 3/4] net/cnxk: remove l2 header update for outbound inline pkts Nithin Dabilpuram
2022-07-07  7:29 ` [PATCH 4/4] app/test: update l2 header based on tunnel ip version Nithin Dabilpuram
2022-08-17 19:11 ` [PATCH v2 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
2022-08-17 19:11   ` [PATCH v2 2/5] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
2022-08-17 19:11   ` [PATCH v2 3/5] net/cnxk: remove L2 header update for outbound inline pkts Nithin Dabilpuram
2022-08-17 19:11   ` [PATCH v2 4/5] app/test: update L2 header based on tunnel IP version Nithin Dabilpuram
2022-08-18  9:04     ` Akhil Goyal
2022-08-17 19:11   ` [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info Nithin Dabilpuram
2022-08-18  8:01     ` Ruifeng Wang
2022-08-18  8:26     ` Akhil Goyal
2022-08-22 14:38 ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Dabilpuram
2022-08-22 14:38   ` [PATCH v3 2/5] security: clarify L2 header requirement for outbound inline Nithin Dabilpuram
2022-09-21 18:23     ` Akhil Goyal
2022-08-22 14:38   ` [PATCH v3 3/5] net/cnxk: remove L2 header update for outbound inline pkts Nithin Dabilpuram
2022-08-22 14:38   ` [PATCH v3 4/5] app/test: update L2 header based on tunnel IP version Nithin Dabilpuram
2022-08-22 14:38   ` [PATCH v3 5/5] examples/ipsec-secgw: update ether type using tunnel info Nithin Dabilpuram
2022-08-31  1:49   ` [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline Nithin Kumar Dabilpuram
2022-09-21 18:21     ` Akhil Goyal
2022-09-21 18:46       ` Thomas Monjalon
2022-09-22 15:48   ` Akhil Goyal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).