From: "Ananyev, Konstantin"
To: "Nicolau, Radu", "Iremonger, Bernard", "Medvedkin, Vladimir"
CC: "dev@dpdk.org", "mdr@ashroe.eu", "Richardson, Bruce", "Zhang, Roy Fan", "hemant.agrawal@nxp.com", "gakhil@marvell.com", "anoobj@marvell.com", "Doherty, Declan", "Sinha, Abhijit", "Buckley, Daniel M", "marchana@marvell.com", "ktejasree@marvell.com", "matan@nvidia.com"
Date: Thu, 14 Oct 2021 12:34:16 +0000
References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> <20211013121331.300245-5-radu.nicolau@intel.com>
In-Reply-To: <20211013121331.300245-5-radu.nicolau@intel.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [dpdk-dev] [PATCH v9 04/10] ipsec: add support for NAT-T
List-Id: DPDK patches and discussions

>=20 > Add support for the IPsec NAT-Traversal use case for Tunnel mode > packets. >=20 > Signed-off-by: Declan Doherty > Signed-off-by: Radu Nicolau > Signed-off-by: Abhijit Sinha > Signed-off-by: Daniel Martin Buckley > Acked-by: Fan Zhang > --- > doc/guides/prog_guide/ipsec_lib.rst | 2 ++ > doc/guides/rel_notes/release_21_11.rst | 1 + > lib/ipsec/esp_outb.c | 9 ++++++ > lib/ipsec/rte_ipsec_sa.h | 9 +++++- > lib/ipsec/sa.c | 39 ++++++++++++++++++++++---- > 5 files changed, 54 insertions(+), 6 deletions(-) >=20 > diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/= ipsec_lib.rst > index 93e213bf36..af51ff8131 100644 > --- a/doc/guides/prog_guide/ipsec_lib.rst 
> +++ b/doc/guides/prog_guide/ipsec_lib.rst > @@ -313,6 +313,8 @@ Supported features >=20 > * ESN and replay window. >=20 > +* NAT-T / UDP encapsulated ESP. > + > * algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, AES_CCM, CHACHA20_PO= LY1305, > AES_GMAC, HMAC-SHA1, NULL. >=20 > diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_note= s/release_21_11.rst > index 1748c2db05..e9fb169d44 100644 > --- a/doc/guides/rel_notes/release_21_11.rst > +++ b/doc/guides/rel_notes/release_21_11.rst > @@ -157,6 +157,7 @@ New Features > * **IPsec library new features.** >=20 > * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES= _GMAC. > + * Added support for NAT-T / UDP encapsulated ESP >=20 >=20 > Removed Items > diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c > index a3f77469c3..0e3314b358 100644 > --- a/lib/ipsec/esp_outb.c > +++ b/lib/ipsec/esp_outb.c > @@ -5,6 +5,7 @@ > #include > #include > #include > +#include > #include > #include >=20 > @@ -185,6 +186,14 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be= 64_t sqc, > /* copy tunnel pkt header */ > rte_memcpy(ph, sa->hdr, sa->hdr_len); >=20 > + /* if UDP encap is enabled update the dgram_len */ > + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) { > + struct rte_udp_hdr *udph =3D (struct rte_udp_hdr *) > + (ph - sizeof(struct rte_udp_hdr)); > + udph->dgram_len =3D rte_cpu_to_be_16(mb->pkt_len - sqh_len - > + sa->hdr_l3_off - sa->hdr_len); > + } > + > /* update original and new ip header fields */ > update_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen, > mb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc)); > diff --git a/lib/ipsec/rte_ipsec_sa.h b/lib/ipsec/rte_ipsec_sa.h > index cf51ad8338..3a22705055 100644 > --- a/lib/ipsec/rte_ipsec_sa.h > +++ b/lib/ipsec/rte_ipsec_sa.h 
> @@ -78,6 +78,7 @@ struct rte_ipsec_sa_prm { > * - for TUNNEL outer IP version (IPv4/IPv6) > * - are SA SQN operations 'atomic' > * - ESN enabled/disabled > + * - NAT-T UDP encapsulated (TUNNEL mode only) > * ... > */ >=20 > @@ -89,7 +90,8 @@ enum { > RTE_SATP_LOG2_SQN =3D RTE_SATP_LOG2_MODE + 2, > RTE_SATP_LOG2_ESN, > RTE_SATP_LOG2_ECN, > - RTE_SATP_LOG2_DSCP > + RTE_SATP_LOG2_DSCP, > + RTE_SATP_LOG2_NATT > }; >=20 > #define RTE_IPSEC_SATP_IPV_MASK (1ULL << RTE_SATP_LOG2_IPV) > @@ -125,6 +127,11 @@ enum { > #define RTE_IPSEC_SATP_DSCP_DISABLE (0ULL << RTE_SATP_LOG2_DSCP) > #define RTE_IPSEC_SATP_DSCP_ENABLE (1ULL << RTE_SATP_LOG2_DSCP) >=20 > +#define RTE_IPSEC_SATP_NATT_MASK (1ULL << RTE_SATP_LOG2_NATT) > +#define RTE_IPSEC_SATP_NATT_DISABLE (0ULL << RTE_SATP_LOG2_NATT) > +#define RTE_IPSEC_SATP_NATT_ENABLE (1ULL << RTE_SATP_LOG2_NATT) > + > + > /** > * get type of given SA > * @return > diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c > index 720e0f365b..2830506385 100644 > --- a/lib/ipsec/sa.c > +++ b/lib/ipsec/sa.c > @@ -5,6 +5,7 @@ > #include > #include > #include > +#include > #include > #include >=20 > @@ -217,6 +218,10 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uin= t64_t *type) > } else > return -EINVAL; >=20 > + /* check for UDP encapsulation flag */ > + if (prm->ipsec_xform.options.udp_encap =3D=3D 1) > + tp |=3D RTE_IPSEC_SATP_NATT_ENABLE; > + > /* check for ESN flag */ > if (prm->ipsec_xform.options.esn =3D=3D 0) > tp |=3D RTE_IPSEC_SATP_ESN_DISABLE; 
> @@ -348,20 +353,36 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hle= n) > /* > * Init ESP outbound tunnel specific things. > */ > -static void > +static int > esp_outb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm= *prm) > { > sa->proto =3D prm->tun.next_proto; > sa->hdr_len =3D prm->tun.hdr_len; > sa->hdr_l3_off =3D prm->tun.hdr_l3_off; >=20 > + if (prm->tun.hdr_len > IPSEC_MAX_HDR_SIZE) > + return -EINVAL; That's not exactly what I asked for. We already have this check in rte_ipsec_sa_init(): if (prm->ipsec_xform.mode =3D=3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && prm->tun.hdr_len > sizeof(sa->hdr)) What we need to check is that if NATT enabled, then our new header size wou= ldn't overflow our sa->hdr buffer. So I'd suggest we do instead of that check above, we do something like: =20 --- a/lib/ipsec/sa.c +++ b/lib/ipsec/sa.c @@ -560,7 +560,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct= rte_ipsec_sa_prm *prm, uint32_t size) { int32_t rc, sz; - uint32_t nb, wsz; + uint32_t hlen, nb, wsz; uint64_t type; struct crypto_xform cxf; 
@@ -584,9 +584,14 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struc= t rte_ipsec_sa_prm *prm, if (prm->ipsec_xform.proto !=3D RTE_SECURITY_IPSEC_SA_PROTO_ESP) return -EINVAL; - if (prm->ipsec_xform.mode =3D=3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL = && - prm->tun.hdr_len > sizeof(sa->hdr)) - return -EINVAL; + if (prm->ipsec_xform.mode =3D=3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)= { + + hlen =3D prm->tun.hdr_len; + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) + hlen +=3D sizeof(struct rte_udp_hdr); + if (hlen > sizeof(sa->hdr)) + return -EINVAL; + } rc =3D fill_crypto_xform(&cxf, type, prm); if (rc !=3D 0) Then again, we can keep esp_outb_tun_init() as void. With that in place, feel free to add: Acked-by: Konstantin Ananyev > + memcpy(sa->hdr, prm->tun.hdr, prm->tun.hdr_len); > + > + /* insert UDP header if UDP encapsulation is inabled */ > + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) { > + struct rte_udp_hdr *udph =3D (struct rte_udp_hdr *) > + &sa->hdr[prm->tun.hdr_len]; > + sa->hdr_len +=3D sizeof(struct rte_udp_hdr); > + if (sa->hdr_len > IPSEC_MAX_HDR_SIZE) > + return -EINVAL; > + udph->src_port =3D prm->ipsec_xform.udp.sport; > + udph->dst_port =3D prm->ipsec_xform.udp.dport; > + udph->dgram_cksum =3D 0; > + } > + > /* update l2_len and l3_len fields for outbound mbuf */ > sa->tx_offload.val =3D rte_mbuf_tx_offload(sa->hdr_l3_off, > sa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0); >=20 > - memcpy(sa->hdr, prm->tun.hdr, sa->hdr_len); > - > esp_outb_init(sa, sa->hdr_len); > + > + return 0; > } >=20 > /* > @@ -372,7 +393,8 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte= _ipsec_sa_prm *prm, > const struct crypto_xform *cxf) > { > static const uint64_t msk =3D RTE_IPSEC_SATP_DIR_MASK | > - RTE_IPSEC_SATP_MODE_MASK; > + RTE_IPSEC_SATP_MODE_MASK | > + RTE_IPSEC_SATP_NATT_MASK; >=20 > if (prm->ipsec_xform.options.ecn) > sa->tos_mask |=3D RTE_IPV4_HDR_ECN_MASK; 
> @@ -475,10 +497,17 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct r= te_ipsec_sa_prm *prm, > case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS): > esp_inb_init(sa); > break; > + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4 | > + RTE_IPSEC_SATP_NATT_ENABLE): > + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6 | > + RTE_IPSEC_SATP_NATT_ENABLE): > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4): > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6): > - esp_outb_tun_init(sa, prm); > + if (esp_outb_tun_init(sa, prm)) > + return -EINVAL; > break; > + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS | > + RTE_IPSEC_SATP_NATT_ENABLE): > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS): > esp_outb_init(sa, 0); > break; > -- > 2.25.1
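
Review bot: In the outb_tun_pkt_prepare() hunk of lib/ipsec/esp_outb.c, udph is computed as ph - sizeof(struct rte_udp_hdr), which points in front of the template that rte_memcpy(ph, sa->hdr, sa->hdr_len) has just written, while esp_outb_tun_init() in this same patch places the UDP header at &sa->hdr[prm->tun.hdr_len], that is, in the last sizeof(struct rte_udp_hdr) bytes of the copied header. The store to dgram_len therefore lands outside the header it is meant to update; ph + sa->hdr_len - sizeof(struct rte_udp_hdr) is the matching address. The length expression deserves a second look as well: sa->hdr_len already contains hdr_l3_off (the tx_offload line uses sa->hdr_len - sa->hdr_l3_off as l3_len) and, with NAT-T, the UDP header too, so subtracting both hdr_l3_off and hdr_len removes the L2 part twice and leaves out the UDP header, which the UDP length field has to include.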
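
Review bot: In the esp_outb_tun_init() hunk of lib/ipsec/sa.c, sa->proto, sa->hdr_len and sa->hdr_l3_off are assigned, and sa->hdr is filled by memcpy, before the second size check (sa->hdr_len > IPSEC_MAX_HDR_SIZE) can return -EINVAL, so a rejected SA is left half-initialised. Compute the final length first (prm->tun.hdr_len plus sizeof(struct rte_udp_hdr) when RTE_IPSEC_SATP_NATT_ENABLE is set), validate it once against the size of sa->hdr, and only then write to sa; that also covers the reply's point that the bound has to account for the UDP header. udph->dgram_len is not initialised here, which is fine only as long as every outbound path sets it per packet; a comment saying so would help. The new comment also has a typo: "inabled" should be "enabled".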
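
Review bot: In the suggested rte_ipsec_sa_init() hunk (@@ -584,9 +584,14), the NAT-T test reads sa->type, but the function keeps the SA type in the local variable type, which is what the following fill_crypto_xform(&cxf, type, prm) call uses. Unless sa->type is already assigned before this point, which the visible lines do not show, the check should test type & RTE_IPSEC_SATP_NATT_ENABLE; otherwise the extra sizeof(struct rte_udp_hdr) may never be added to hlen and the bound stays as weak as the check it replaces.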
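
Review bot: In the esp_sa_init() hunks, RTE_IPSEC_SATP_NATT_MASK is added to msk but the switch gains NAT-T labels only for outbound SAs, so an inbound SA created with udp_encap set no longer matches the existing RTE_IPSEC_SATP_DIR_IB cases and goes to whatever the default branch does. The new outbound transport label (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS | RTE_IPSEC_SATP_NATT_ENABLE) calls esp_outb_init(sa, 0) without inserting any UDP header, although the rte_ipsec_sa.h comment states that NAT-T is TUNNEL mode only. Either reject udp_encap for unsupported mode and direction combinations in fill_sa_type() with -EINVAL, or add the missing inbound labels and drop the transport one, and document the choice in ipsec_lib.rst.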