From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id C701D42E3A;
	Mon, 10 Jul 2023 11:20:57 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 533CB40C35;
	Mon, 10 Jul 2023 11:20:57 +0200 (CEST)
Received: from forward502c.mail.yandex.net (forward502c.mail.yandex.net
 [178.154.239.210])
 by mails.dpdk.org (Postfix) with ESMTP id 4BFFC40698
 for <dev@dpdk.org>; Mon, 10 Jul 2023 11:20:55 +0200 (CEST)
Received: from mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net
 (mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net
 [IPv6:2a02:6b8:c12:5392:0:640:8d2a:0])
 by forward502c.mail.yandex.net (Yandex) with ESMTP id 8E4165EB2D;
 Mon, 10 Jul 2023 12:20:54 +0300 (MSK)
Received: by mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net
 (smtp/Yandex) with ESMTPSA id pKURWAHUiGk0-XZv8X2G1; 
 Mon, 10 Jul 2023 12:20:54 +0300
X-Yandex-Fwd: 1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
 t=1688980854; bh=CiSpXK/P/1zpCCj7Ve9UkSTx1Hpa1NZb9ndXxSADUhU=;
 h=From:In-Reply-To:Cc:Date:References:To:Subject:Message-ID;
 b=aZ2/Ma8adVSQqMmWvSJ/mO1gay4EuZlnbB0v5yU4rIb5SNgznj8jE4VUsAC/QNmrk
 iNLahzIGM59+HD4DaYvAutokXvbT0cpDA2nnUYJWp9U7+96cRS9fbEuNH+yVJLhXBy
 ePKS1AsGn0kmS82uh7OPOsyCE1mJ2IPQ1K1SAGgQ=
Authentication-Results: mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net;
 dkim=pass header.i=@yandex.ru
Message-ID: <b3e91ede-3a42-53db-1a4c-5e1228d2f0af@yandex.ru>
Date: Mon, 10 Jul 2023 10:20:51 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.11.0
Subject: Re: [PATCH] ipsec: fix NAT-T length calculation
Content-Language: en-US
To: Xiao Liang <shaw.leon@gmail.com>,
 Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Cc: dev@dpdk.org
References: <20230418084613.52740-1-shaw.leon@gmail.com>
From: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
In-Reply-To: <20230418084613.52740-1-shaw.leon@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

18/04/2023 09:46, Xiao Liang пишет:
> UDP header length is included in sa->hdr_len. Take care of that in
> L3 header and pakcet length calculation.
> 
> Fixes: 01eef5907fc3 ("ipsec: support NAT-T")
> 
> Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
> ---
>   lib/ipsec/esp_outb.c | 2 +-
>   lib/ipsec/sa.c       | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c
> index 9cbd9202f6..ec87b1dce2 100644
> --- a/lib/ipsec/esp_outb.c
> +++ b/lib/ipsec/esp_outb.c
> @@ -198,7 +198,7 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,
>   		struct rte_udp_hdr *udph = (struct rte_udp_hdr *)
>   			(ph + sa->hdr_len - sizeof(struct rte_udp_hdr));
>   		udph->dgram_len = rte_cpu_to_be_16(mb->pkt_len - sqh_len -
> -				sa->hdr_l3_off - sa->hdr_len);
> +				sa->hdr_len + sizeof(struct rte_udp_hdr));
>   	}
>   
>   	/* update original and new ip header fields */
> diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c
> index 59a547637d..2297bd6d72 100644
> --- a/lib/ipsec/sa.c
> +++ b/lib/ipsec/sa.c
> @@ -371,7 +371,7 @@ esp_outb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
>   
>   	/* update l2_len and l3_len fields for outbound mbuf */
>   	sa->tx_offload.val = rte_mbuf_tx_offload(sa->hdr_l3_off,
> -		sa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0);
> +		prm->tun.hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0);
>   
>   	esp_outb_init(sa, sa->hdr_len, prm->ipsec_xform.esn.value);
>   }

Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>


Thanks for explanation and for the fix.
One thing that still bothers me with UDP encap support:
we still don't have a test-case for it in examples/ipsec-secgw/test.