Re: [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: fix not working inline ipsec modes

[Akhil Goyal <akhil.goyal@nxp.com>]

Hi Marius,


> Application ipsec-secgw is not working for IPv4 transport mode and for
> IPv6 both transport and tunnel mode.
> 
> IPv6 tunnel mode is not working due to wrongly assigned fields of
> security association patterns, as it was IPv4, during creation of
> inline crypto session.
> 
> IPv6 and IPv4 transport mode is iterating through security capabilities
> until it reaches tunnel, which causes session to be created as tunnel,
> instead of transport. Another issue, is that config file does not
> provide source and destination ip addresses for transport mode, which
> are required by NIC to perform inline crypto. It uses default addresses
> stored in security association (all zeroes), which causes dropped
> packages.
> 
> To fix that, reorganization of code in create_session() is needed,
> to behave appropriately to given protocol (IPv6/IPv4). Change in
> iteration through security capabilities is also required, to check
> for expected mode (not only tunnel).
> 
> For lack of addresses issue, some resolving mechanism is needed.
> Approach is to store addresses in security association, as it is
> for tunnel mode. Difference is that they are obtained from sp rules,
> instead of config file. To do that, sp[4/6]_spi_present() function
> is used to find addresses based on spi value, and then stored in
> corresponding sa rule. This approach assumes, that every sp rule
> for inline crypto have valid addresses, as well as range of addresses
> is not supported.
> 
> New flags for ipsec_sa structure are required to distinguish between
> IPv4 and IPv6 transport modes. Because of that, there is need to
> change all checks done on these flags, so they work as expected.
> 
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
> 
This is a very well written description. Thanks. This helps in review of the patch.

I have a few small comments, rest all is fine.

> Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
> ---
>  examples/ipsec-secgw/esp.c   |  12 +--
>  examples/ipsec-secgw/ipsec.c |  19 +++--
>  examples/ipsec-secgw/ipsec.h |  21 +++++-
>  examples/ipsec-secgw/sa.c    | 142 ++++++++++++++++++++++++++---------
>  examples/ipsec-secgw/sp4.c   |  24 +++++-
>  examples/ipsec-secgw/sp6.c   |  42 ++++++++++-
>  6 files changed, 205 insertions(+), 55 deletions(-)
> 
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index f11d095ba..764e08dcf 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -192,7 +192,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa
> *sa,
>  		}
>  	}
> 
> -	if (unlikely(sa->flags == TRANSPORT)) {
> +	if (unlikely(IS_TRANSPORT(sa->flags))) {
>  		ip = rte_pktmbuf_mtod(m, struct ip *);
>  		ip4 = (struct ip *)rte_pktmbuf_adj(m,
>  				sizeof(struct rte_esp_hdr) + sa->iv_len);
> @@ -233,13 +233,13 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa
> *sa,
> 
>  	ip4 = rte_pktmbuf_mtod(m, struct ip *);
>  	if (likely(ip4->ip_v == IPVERSION)) {
> -		if (unlikely(sa->flags == TRANSPORT)) {
> +		if (unlikely(IS_TRANSPORT(sa->flags))) {
>  			ip_hdr_len = ip4->ip_hl * 4;
>  			nlp = ip4->ip_p;
>  		} else
>  			nlp = IPPROTO_IPIP;
>  	} else if (ip4->ip_v == IP6_VERSION) {
> -		if (unlikely(sa->flags == TRANSPORT)) {
> +		if (unlikely(IS_TRANSPORT(sa->flags))) {
>  			/* XXX No option headers supported */
>  			ip_hdr_len = sizeof(struct ip6_hdr);
>  			ip6 = (struct ip6_hdr *)ip4;
> @@ -258,13 +258,13 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa
> *sa,
>  	pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
> 
>  	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
> -			sa->flags == TRANSPORT);
> +			IS_TRANSPORT(sa->flags));
I can see that at multiple places, sa->flags are accessed without your defined macros. Could you please update this at all places, so that it will be uniform across the application.

> 
>  	if (likely(sa->flags == IP4_TUNNEL))
>  		ip_hdr_len = sizeof(struct ip);
>  	else if (sa->flags == IP6_TUNNEL)
>  		ip_hdr_len = sizeof(struct ip6_hdr);
> -	else if (sa->flags != TRANSPORT) {
> +	else if (!IS_TRANSPORT(sa->flags)) {
>  		RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
>  				sa->flags);
>  		return -EINVAL;
> @@ -291,7 +291,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>  		rte_prefetch0(padding);
>  	}
> 
> -	switch (sa->flags) {
> +	switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {
I do not get the intent of this macro " WITHOUT_TRANSPORT_VERSION ". could you explain this in comments or some better name of the macro.

>  	case IP4_TUNNEL:
>  		ip4 = ip4ip_outbound(m, sizeof(struct rte_esp_hdr) + sa->iv_len,
>  				&sa->src, &sa->dst);


Regards,
Akhil