DPDK patches and discussions
 help / color / mirror / Atom feed
From: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
To: dev@dpdk.org
Cc: john.mcnamara@intel.com
Subject: [dpdk-dev] [PATCH v2 7/9] examples/ipsec-secgw: ipv6 support
Date: Wed, 18 May 2016 13:42:08 +0100	[thread overview]
Message-ID: <1463575330-8467-8-git-send-email-sergio.gonzalez.monroy@intel.com> (raw)
In-Reply-To: <1463575330-8467-1-git-send-email-sergio.gonzalez.monroy@intel.com>

Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel.

We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6,
but a common SA table.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
---
 examples/ipsec-secgw/Makefile      |   5 +-
 examples/ipsec-secgw/esp.c         | 128 +++++++-----
 examples/ipsec-secgw/ipip.h        | 145 ++++++++++---
 examples/ipsec-secgw/ipsec-secgw.c | 332 ++++++++++++++++++++----------
 examples/ipsec-secgw/ipsec.c       |   9 +-
 examples/ipsec-secgw/ipsec.h       |  60 ++++--
 examples/ipsec-secgw/rt.c          | 201 +++++++++++++-----
 examples/ipsec-secgw/sa.c          | 239 ++++++++++++++--------
 examples/ipsec-secgw/sp.c          | 366 ---------------------------------
 examples/ipsec-secgw/sp4.c         | 407 +++++++++++++++++++++++++++++++++++++
 examples/ipsec-secgw/sp6.c         | 400 ++++++++++++++++++++++++++++++++++++
 11 files changed, 1582 insertions(+), 710 deletions(-)
 delete mode 100644 examples/ipsec-secgw/sp.c
 create mode 100644 examples/ipsec-secgw/sp4.c
 create mode 100644 examples/ipsec-secgw/sp6.c

diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
index 6780ad5..06b6db1 100644
--- a/examples/ipsec-secgw/Makefile
+++ b/examples/ipsec-secgw/Makefile
@@ -47,7 +47,7 @@ CFLAGS_sa.o += -diag-disable=vec
 endif
 
 ifeq ($(DEBUG),1)
-CFLAGS += -DIPSEC_DEBUG -fstack-protector-all
+CFLAGS += -DIPSEC_DEBUG -fstack-protector-all -O0
 endif
 
 #
@@ -55,7 +55,8 @@ endif
 #
 SRCS-y += ipsec.c
 SRCS-y += esp.c
-SRCS-y += sp.c
+SRCS-y += sp4.c
+SRCS-y += sp6.c
 SRCS-y += sa.c
 SRCS-y += rt.c
 SRCS-y += ipsec-secgw.c
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index b423080..e1fde36 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -37,6 +37,7 @@
 #include <sys/stat.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
+#include <netinet/ip6.h>
 #include <fcntl.h>
 #include <unistd.h>
 
@@ -50,13 +51,11 @@
 #include "esp.h"
 #include "ipip.h"
 
-#define IP_ESP_HDR_SZ (sizeof(struct ip) + sizeof(struct esp_hdr))
-
 static inline void
 random_iv_u64(uint64_t *buf, uint16_t n)
 {
-	unsigned left = n & 0x7;
-	unsigned i;
+	uint32_t left = n & 0x7;
+	uint32_t i;
 
 	RTE_ASSERT((n & 0x3) == 0);
 
@@ -67,20 +66,29 @@ random_iv_u64(uint64_t *buf, uint16_t n)
 		*((uint32_t *)&buf[i]) = (uint32_t)lrand48();
 }
 
-/* IPv4 Tunnel */
 int
 esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 		struct rte_crypto_op *cop)
 {
-	int32_t payload_len;
+	int32_t payload_len, ip_hdr_len;
 	struct rte_crypto_sym_op *sym_cop;
 
 	RTE_ASSERT(m != NULL);
 	RTE_ASSERT(sa != NULL);
 	RTE_ASSERT(cop != NULL);
 
-	payload_len = rte_pktmbuf_pkt_len(m) - IP_ESP_HDR_SZ - sa->iv_len -
-		sa->digest_len;
+	ip_hdr_len = 0;
+	switch (sa->flags) {
+	case IP4_TUNNEL:
+		ip_hdr_len = sizeof(struct ip);
+		break;
+	case IP6_TUNNEL:
+		ip_hdr_len = sizeof(struct ip6_hdr);
+		break;
+	}
+
+	payload_len = rte_pktmbuf_pkt_len(m) - ip_hdr_len -
+		sizeof(struct esp_hdr) - sa->iv_len - sa->digest_len;
 
 	if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
 		RTE_LOG(DEBUG, IPSEC_ESP, "payload %d not multiple of %u\n",
@@ -91,21 +99,19 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	sym_cop = (struct rte_crypto_sym_op *)(cop + 1);
 
 	sym_cop->m_src = m;
-	sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len;
+	sym_cop->cipher.data.offset =  ip_hdr_len + sizeof(struct esp_hdr) +
+		sa->iv_len;
 	sym_cop->cipher.data.length = payload_len;
 
 	sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, void*,
-			IP_ESP_HDR_SZ);
+			 ip_hdr_len + sizeof(struct esp_hdr));
 	sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
-			IP_ESP_HDR_SZ);
+			 ip_hdr_len + sizeof(struct esp_hdr));
 	sym_cop->cipher.iv.length = sa->iv_len;
 
-	sym_cop->auth.data.offset = sizeof(struct ip);
-	if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM)
-		sym_cop->auth.data.length = sizeof(struct esp_hdr);
-	else
-		sym_cop->auth.data.length = sizeof(struct esp_hdr) +
-			sa->iv_len + payload_len;
+	sym_cop->auth.data.offset = ip_hdr_len;
+	sym_cop->auth.data.length = sizeof(struct esp_hdr) +
+		sa->iv_len + payload_len;
 
 	sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*,
 			rte_pktmbuf_pkt_len(m) - sa->digest_len);
@@ -151,17 +157,20 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
 		return -EINVAL;
 	}
 
-	return ip4ip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);
+	ipip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);
+
+	return 0;
 }
 
 int
 esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 		struct rte_crypto_op *cop)
 {
-	uint16_t pad_payload_len, pad_len;
-	struct ip *ip;
+	uint16_t pad_payload_len, pad_len, ip_hdr_len;
+	struct ip *ip4;
+	struct ip6_hdr *ip6;
 	struct esp_hdr *esp;
-	int i;
+	int32_t i;
 	char *padding;
 	struct rte_crypto_sym_op *sym_cop;
 
@@ -174,62 +183,87 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 			sa->block_size);
 	pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m);
 
-	rte_prefetch0(rte_pktmbuf_mtod_offset(m, void *,
-				rte_pktmbuf_pkt_len(m)));
+	ip_hdr_len = 0;
+	switch (sa->flags) {
+	case IP4_TUNNEL:
+		ip_hdr_len = sizeof(struct ip);
+		break;
+	case IP6_TUNNEL:
+		ip_hdr_len = sizeof(struct ip6_hdr);
+		break;
+	}
 
 	/* Check maximum packet size */
-	if (unlikely(IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len +
-				sa->digest_len > IP_MAXPACKET)) {
-		RTE_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n");
+	if (unlikely(ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len +
+			pad_payload_len + sa->digest_len > IP_MAXPACKET)) {
+		RTE_LOG(ERR, IPSEC_ESP, "ipsec packet is too big\n");
 		return -EINVAL;
 	}
 
 	padding = rte_pktmbuf_append(m, pad_len + sa->digest_len);
+	if (unlikely(padding == NULL)) {
+		RTE_LOG(ERR, IPSEC_ESP, "not enough mbuf trailing space\n");
+		return -ENOSPC;
+	}
+	rte_prefetch0(padding);
+
+	switch (sa->flags) {
+	case IP4_TUNNEL:
+		ip4 = ip4ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len,
+				&sa->src, &sa->dst);
+		esp = (struct esp_hdr *)(ip4 + 1);
+		break;
+	case IP6_TUNNEL:
+		ip6 = ip6ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len,
+				&sa->src, &sa->dst);
+		esp = (struct esp_hdr *)(ip6 + 1);
+		break;
+	default:
+		RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
+				sa->flags);
+		return -EINVAL;
+	}
 
-	RTE_ASSERT(padding != NULL);
-
-	ip = ip4ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len,
-			sa->src, sa->dst);
-
-	esp = (struct esp_hdr *)(ip + 1);
-	esp->spi = sa->spi;
-	esp->seq = htonl(sa->seq++);
+	sa->seq++;
+	esp->spi = rte_cpu_to_be_32(sa->spi);
+	esp->seq = rte_cpu_to_be_32(sa->seq);
 
-	RTE_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m));
+	if (sa->cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)
+		random_iv_u64((uint64_t *)(esp + 1), sa->iv_len);
 
 	/* Fill pad_len using default sequential scheme */
 	for (i = 0; i < pad_len - 2; i++)
 		padding[i] = i + 1;
-
 	padding[pad_len - 2] = pad_len - 2;
-	padding[pad_len - 1] = IPPROTO_IPIP;
+
+	if (RTE_ETH_IS_IPV4_HDR(m->packet_type))
+		padding[pad_len - 1] = IPPROTO_IPIP;
+	else
+		padding[pad_len - 1] = IPPROTO_IPV6;
 
 	sym_cop = (struct rte_crypto_sym_op *)(cop + 1);
 
 	sym_cop->m_src = m;
-	sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len;
+	sym_cop->cipher.data.offset = ip_hdr_len + sizeof(struct esp_hdr) +
+			sa->iv_len;
 	sym_cop->cipher.data.length = pad_payload_len;
 
 	sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
-			IP_ESP_HDR_SZ);
+			 ip_hdr_len + sizeof(struct esp_hdr));
 	sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
-			IP_ESP_HDR_SZ);
+			 ip_hdr_len + sizeof(struct esp_hdr));
 	sym_cop->cipher.iv.length = sa->iv_len;
 
-	sym_cop->auth.data.offset = sizeof(struct ip);
+	sym_cop->auth.data.offset = ip_hdr_len;
 	sym_cop->auth.data.length = sizeof(struct esp_hdr) + sa->iv_len +
 		pad_payload_len;
 
 	sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
-			IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len);
+			rte_pktmbuf_pkt_len(m) - sa->digest_len);
 	sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
-			IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len);
+			rte_pktmbuf_pkt_len(m) - sa->digest_len);
 	sym_cop->auth.digest.length = sa->digest_len;
 
-	if (sa->cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)
-		random_iv_u64((uint64_t *)sym_cop->cipher.iv.data,
-				sym_cop->cipher.iv.length);
-
 	return 0;
 }
 
diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h
index 1307a12..886e7a8 100644
--- a/examples/ipsec-secgw/ipip.h
+++ b/examples/ipsec-secgw/ipip.h
@@ -37,65 +37,144 @@
 #include <stdint.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
+#include <netinet/ip6.h>
 
 #include <rte_mbuf.h>
 
-#define IPV6_VERSION (6)
-
-static inline  struct ip *
-ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst)
+static inline void *
+ipip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t is_ipv6,
+		struct ip_addr *src,  struct ip_addr *dst)
 {
-	struct ip *inip, *outip;
+	struct ip *inip4, *outip4;
+	struct ip6_hdr *inip6, *outip6;
+	uint8_t ds_ecn;
 
-	inip = rte_pktmbuf_mtod(m, struct ip*);
+	inip4 = rte_pktmbuf_mtod(m, struct ip *);
 
-	RTE_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+	RTE_ASSERT(inip4->ip_v == IPVERSION || inip4->ip_v == IP6_VERSION);
 
-	offset += sizeof(struct ip);
+	if (inip4->ip_v == IPVERSION) {
+		/* XXX This should be done by the forwarding engine instead */
+		inip4->ip_ttl -= 1;
+		ds_ecn = inip4->ip_tos;
+	} else {
+		inip6 = (struct ip6_hdr *)inip4;
+		/* XXX This should be done by the forwarding engine instead */
+		inip6->ip6_hops -= 1;
+		ds_ecn = ntohl(inip6->ip6_flow) >> 20;
+	}
+
+	if (is_ipv6) {
+		offset += sizeof(struct ip6_hdr);
+		outip6 = (struct ip6_hdr *)rte_pktmbuf_prepend(m, offset);
+
+		RTE_ASSERT(outip6 != NULL);
+
+		/* Per RFC4301 5.1.2.1 */
+		outip6->ip6_flow = htonl(IP6_VERSION << 28 | ds_ecn << 20);
+		outip6->ip6_plen = htons(rte_pktmbuf_data_len(m));
+
+		outip6->ip6_nxt = IPPROTO_ESP;
+		outip6->ip6_hops = IPDEFTTL;
 
-	outip = (struct ip *)rte_pktmbuf_prepend(m, offset);
+		memcpy(&outip6->ip6_src.s6_addr, src, 16);
+		memcpy(&outip6->ip6_dst.s6_addr, dst, 16);
 
-	RTE_ASSERT(outip != NULL);
+		return outip6;
+	}
+
+	offset += sizeof(struct ip);
+	outip4 = (struct ip *)rte_pktmbuf_prepend(m, offset);
+
+	RTE_ASSERT(outip4 != NULL);
 
 	/* Per RFC4301 5.1.2.1 */
-	outip->ip_v = IPVERSION;
-	outip->ip_hl = 5;
-	outip->ip_tos = inip->ip_tos;
-	outip->ip_len = htons(rte_pktmbuf_data_len(m));
+	outip4->ip_v = IPVERSION;
+	outip4->ip_hl = 5;
+	outip4->ip_tos = ds_ecn;
+	outip4->ip_len = htons(rte_pktmbuf_data_len(m));
 
-	outip->ip_id = 0;
-	outip->ip_off = 0;
+	outip4->ip_id = 0;
+	outip4->ip_off = 0;
 
-	outip->ip_ttl = IPDEFTTL;
-	outip->ip_p = IPPROTO_ESP;
+	outip4->ip_ttl = IPDEFTTL;
+	outip4->ip_p = IPPROTO_ESP;
 
-	outip->ip_src.s_addr = src;
-	outip->ip_dst.s_addr = dst;
+	outip4->ip_src.s_addr = src->ip4;
+	outip4->ip_dst.s_addr = dst->ip4;
 
-	return outip;
+	return outip4;
+}
+
+static inline struct ip *
+ip4ip_outbound(struct rte_mbuf *m, uint32_t offset,
+		struct ip_addr *src,  struct ip_addr *dst)
+{
+	return ipip_outbound(m, offset, 0, src, dst);
+}
+
+static inline struct ip6_hdr *
+ip6ip_outbound(struct rte_mbuf *m, uint32_t offset,
+		struct ip_addr *src,  struct ip_addr *dst)
+{
+	return ipip_outbound(m, offset, 1, src, dst);
+}
+
+static inline void
+ip4_ecn_setup(struct ip *ip4)
+{
+	if (ip4->ip_tos & IPTOS_ECN_MASK)
+		ip4->ip_tos |= IPTOS_ECN_CE;
+}
+
+static inline void
+ip6_ecn_setup(struct ip6_hdr *ip6)
+{
+	if ((ntohl(ip6->ip6_flow) >> 20) & IPTOS_ECN_MASK)
+		ip6->ip6_flow = htonl(ntohl(ip6->ip6_flow) |
+					(IPTOS_ECN_CE << 20));
 }
 
 static inline int
-ip4ip_inbound(struct rte_mbuf *m, uint32_t offset)
+ipip_inbound(struct rte_mbuf *m, uint32_t offset)
 {
-	struct ip *inip;
-	struct ip *outip;
+	struct ip *inip4, *outip4;
+	struct ip6_hdr *inip6, *outip6;
+	uint32_t ip_len, set_ecn;
 
-	outip = rte_pktmbuf_mtod(m, struct ip*);
+	outip4 = rte_pktmbuf_mtod(m, struct ip*);
 
-	RTE_ASSERT(outip->ip_v == IPVERSION);
+	RTE_ASSERT(outip4->ip_v == IPVERSION || outip4->ip_v == IP6_VERSION);
 
-	offset += sizeof(struct ip);
-	inip = (struct ip *)rte_pktmbuf_adj(m, offset);
-	RTE_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+	if (outip4->ip_v == IPVERSION) {
+		ip_len = sizeof(struct ip);
+		set_ecn = ((outip4->ip_tos & IPTOS_ECN_CE) == IPTOS_ECN_CE);
+	} else {
+		outip6 = (struct ip6_hdr *)outip4;
+		ip_len = sizeof(struct ip6_hdr);
+		set_ecn = ntohl(outip6->ip6_flow) >> 20;
+		set_ecn = ((set_ecn & IPTOS_ECN_CE) == IPTOS_ECN_CE);
+	}
+
+	inip4 = (struct ip *)rte_pktmbuf_adj(m, offset + ip_len);
+	RTE_ASSERT(inip4->ip_v == IPVERSION || inip4->ip_v == IP6_VERSION);
 
 	/* Check packet is still bigger than IP header (inner) */
-	RTE_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip));
+	RTE_ASSERT(rte_pktmbuf_pkt_len(m) > ip_len);
 
 	/* RFC4301 5.1.2.1 Note 6 */
-	if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) &&
-			((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE))
-		inip->ip_tos |= htons(IPTOS_ECN_CE);
+	if (inip4->ip_v == IPVERSION) {
+		if (set_ecn)
+			ip4_ecn_setup(inip4);
+		/* XXX This should be done by the forwarding engine instead */
+		inip4->ip_ttl -= 1;
+	} else {
+		inip6 = (struct ip6_hdr *)inip4;
+		if (set_ecn)
+			ip6_ecn_setup(inip6);
+		/* XXX This should be done by the forwarding engine instead */
+		inip6->ip6_hops -= 1;
+	}
 
 	return 0;
 }
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 00ab2d8..4065b59 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -38,6 +38,7 @@
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
+#include <netinet/ip6.h>
 #include <string.h>
 #include <sys/queue.h>
 #include <stdarg.h>
@@ -65,6 +66,7 @@
 #include <rte_mbuf.h>
 #include <rte_acl.h>
 #include <rte_lpm.h>
+#include <rte_lpm6.h>
 #include <rte_hash.h>
 #include <rte_jhash.h>
 #include <rte_cryptodev.h>
@@ -192,7 +194,8 @@ struct lcore_conf {
 	struct buffer tx_mbufs[RTE_MAX_ETHPORTS];
 	struct ipsec_ctx inbound;
 	struct ipsec_ctx outbound;
-	struct rt_ctx *rt_ctx;
+	struct rt_ctx *rt4_ctx;
+	struct rt_ctx *rt6_ctx;
 } __rte_cache_aligned;
 
 static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
@@ -230,27 +233,39 @@ struct traffic_type {
 };
 
 struct ipsec_traffic {
-	struct traffic_type ipsec4;
-	struct traffic_type ipv4;
+	struct traffic_type ipsec;
+	struct traffic_type ip4;
+	struct traffic_type ip6;
 };
 
 static inline void
 prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
 {
 	uint8_t *nlp;
+	struct ether_hdr *eth;
 
-	if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) {
-		rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
-		nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *,
-				offsetof(struct ip, ip_p));
+	eth = rte_pktmbuf_mtod(pkt, struct ether_hdr *);
+	if (eth->ether_type == rte_cpu_to_be_16(ETHER_TYPE_IPv4)) {
+		nlp = (uint8_t *)rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
+		nlp = RTE_PTR_ADD(nlp, offsetof(struct ip, ip_p));
 		if (*nlp == IPPROTO_ESP)
-			t->ipsec4.pkts[(t->ipsec4.num)++] = pkt;
+			t->ipsec.pkts[(t->ipsec.num)++] = pkt;
 		else {
-			t->ipv4.data[t->ipv4.num] = nlp;
-			t->ipv4.pkts[(t->ipv4.num)++] = pkt;
+			t->ip4.data[t->ip4.num] = nlp;
+			t->ip4.pkts[(t->ip4.num)++] = pkt;
+		}
+	} else if (eth->ether_type == rte_cpu_to_be_16(ETHER_TYPE_IPv6)) {
+		nlp = (uint8_t *)rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
+		nlp = RTE_PTR_ADD(nlp, offsetof(struct ip6_hdr, ip6_nxt));
+		if (*nlp == IPPROTO_ESP)
+			t->ipsec.pkts[(t->ipsec.num)++] = pkt;
+		else {
+			t->ip6.data[t->ip6.num] = nlp;
+			t->ip6.pkts[(t->ip6.num)++] = pkt;
 		}
 	} else {
 		/* Unknown/Unsupported type, drop the packet */
+		RTE_LOG(ERR, IPSEC, "Unsupported packet type\n");
 		rte_pktmbuf_free(pkt);
 	}
 }
@@ -261,8 +276,9 @@ prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
 {
 	int32_t i;
 
-	t->ipsec4.num = 0;
-	t->ipv4.num = 0;
+	t->ipsec.num = 0;
+	t->ip4.num = 0;
+	t->ip6.num = 0;
 
 	for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
 		rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
@@ -277,14 +293,27 @@ prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
 static inline void
 prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
 {
-	pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
-	pkt->l3_len = sizeof(struct ip);
-	pkt->l2_len = ETHER_HDR_LEN;
+	struct ip *ip;
+	struct ether_hdr *ethhdr;
+
+	ip = rte_pktmbuf_mtod(pkt, struct ip *);
+
+	ethhdr = (struct ether_hdr *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN);
 
-	struct ether_hdr *ethhdr = (struct ether_hdr *)rte_pktmbuf_prepend(pkt,
-			ETHER_HDR_LEN);
+	if (ip->ip_v == IPVERSION) {
+		pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
+		pkt->l3_len = sizeof(struct ip);
+		pkt->l2_len = ETHER_HDR_LEN;
+
+		ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4);
+	} else {
+		pkt->ol_flags |= PKT_TX_IPV6;
+		pkt->l3_len = sizeof(struct ip6_hdr);
+		pkt->l2_len = ETHER_HDR_LEN;
+
+		ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv6);
+	}
 
-	ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4);
 	memcpy(&ethhdr->s_addr, &ethaddr_tbl[port].src,
 			sizeof(struct ether_addr));
 	memcpy(&ethhdr->d_addr, &ethaddr_tbl[port].dst,
@@ -355,94 +384,133 @@ send_single_packet(struct rte_mbuf *m, uint8_t port)
 }
 
 static inline void
-process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
-		struct ipsec_traffic *traffic)
+inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip)
 {
 	struct rte_mbuf *m;
-	uint16_t idx, nb_pkts_in, i, j;
-	uint32_t sa_idx, res;
-
-	nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts,
-			traffic->ipsec4.num, MAX_PKT_BURST);
+	uint32_t i, j, res, sa_idx;
 
-	/* SP/ACL Inbound check ipsec and ipv4 */
-	for (i = 0; i < nb_pkts_in; i++) {
-		idx = traffic->ipv4.num++;
-		m = traffic->ipsec4.pkts[i];
-		traffic->ipv4.pkts[idx] = m;
-		traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m,
-				uint8_t *, offsetof(struct ip, ip_p));
-	}
+	if (ip->num == 0)
+		return;
 
-	rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx,
-			traffic->ipv4.data, traffic->ipv4.res,
-			traffic->ipv4.num, DEFAULT_MAX_CATEGORIES);
+	rte_acl_classify((struct rte_acl_ctx *)sp, ip->data, ip->res,
+			ip->num, DEFAULT_MAX_CATEGORIES);
 
 	j = 0;
-	for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) {
-		m = traffic->ipv4.pkts[i];
-		res = traffic->ipv4.res[i];
-		if (res & ~BYPASS) {
+	for (i = 0; i < ip->num; i++) {
+		m = ip->pkts[i];
+		res = ip->res[i];
+		if (res & DISCARD) {
 			rte_pktmbuf_free(m);
 			continue;
 		}
-		traffic->ipv4.pkts[j++] = m;
-	}
-	/* Check return SA SPI matches pkt SPI */
-	for ( ; i < traffic->ipv4.num; i++) {
-		m = traffic->ipv4.pkts[i];
-		sa_idx = traffic->ipv4.res[i] & PROTECT_MASK;
-		if (sa_idx == 0 || !inbound_sa_check(ipsec_ctx->sa_ctx,
-					m, sa_idx)) {
+		if (res & BYPASS) {
+			ip->pkts[j++] = m;
+			continue;
+		}
+		/* Check return SA SPI matches pkt SPI */
+		sa_idx = ip->res[i] & PROTECT_MASK;
+		if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) {
 			rte_pktmbuf_free(m);
 			continue;
 		}
-		traffic->ipv4.pkts[j++] = m;
+		ip->pkts[j++] = m;
 	}
-	traffic->ipv4.num = j;
+	ip->num = j;
 }
 
 static inline void
-process_pkts_outbound(struct ipsec_ctx *ipsec_ctx,
+process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
 		struct ipsec_traffic *traffic)
 {
 	struct rte_mbuf *m;
-	uint16_t idx, nb_pkts_out, i, j;
-	uint32_t sa_idx, res;
+	uint16_t idx, nb_pkts_in, i;
 
-	rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx,
-			traffic->ipv4.data, traffic->ipv4.res,
-			traffic->ipv4.num, DEFAULT_MAX_CATEGORIES);
+	nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec.pkts,
+			traffic->ipsec.num, MAX_PKT_BURST);
 
-	/* Drop any IPsec traffic from protected ports */
-	for (i = 0; i < traffic->ipsec4.num; i++)
-		rte_pktmbuf_free(traffic->ipsec4.pkts[i]);
+	/* SP/ACL Inbound check ipsec and ip4 */
+	for (i = 0; i < nb_pkts_in; i++) {
+		m = traffic->ipsec.pkts[i];
+		struct ip *ip = rte_pktmbuf_mtod(m, struct ip *);
+		if (ip->ip_v == IPVERSION) {
+			idx = traffic->ip4.num++;
+			traffic->ip4.pkts[idx] = m;
+			traffic->ip4.data[idx] = rte_pktmbuf_mtod_offset(m,
+					uint8_t *, offsetof(struct ip, ip_p));
+		} else if (ip->ip_v == IP6_VERSION) {
+			idx = traffic->ip6.num++;
+			traffic->ip6.pkts[idx] = m;
+			traffic->ip6.data[idx] = rte_pktmbuf_mtod_offset(m,
+					uint8_t *,
+					offsetof(struct ip6_hdr, ip6_nxt));
+		} else
+			rte_pktmbuf_free(m);
+	}
+
+	inbound_sp_sa(ipsec_ctx->sp4_ctx, ipsec_ctx->sa_ctx, &traffic->ip4);
+
+	inbound_sp_sa(ipsec_ctx->sp6_ctx, ipsec_ctx->sa_ctx, &traffic->ip6);
+}
+
+static inline void
+outbound_sp(struct sp_ctx *sp, struct traffic_type *ip,
+		struct traffic_type *ipsec)
+{
+	struct rte_mbuf *m;
+	uint32_t i, j, sa_idx;
+
+	if (ip->num == 0)
+		return;
 
-	traffic->ipsec4.num = 0;
+	rte_acl_classify((struct rte_acl_ctx *)sp, ip->data, ip->res,
+			ip->num, DEFAULT_MAX_CATEGORIES);
 
 	j = 0;
-	for (i = 0; i < traffic->ipv4.num; i++) {
-		m = traffic->ipv4.pkts[i];
-		res = traffic->ipv4.res[i];
-		sa_idx = res & PROTECT_MASK;
-		if ((res == 0) || (res & DISCARD))
+	for (i = 0; i < ip->num; i++) {
+		m = ip->pkts[i];
+		sa_idx = ip->res[i] & PROTECT_MASK;
+		if ((ip->res[i] == 0) || (ip->res[i] & DISCARD))
 			rte_pktmbuf_free(m);
 		else if (sa_idx != 0) {
-			traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx;
-			traffic->ipsec4.pkts[traffic->ipsec4.num++] = m;
+			ipsec->res[ipsec->num] = sa_idx;
+			ipsec->pkts[ipsec->num++] = m;
 		} else /* BYPASS */
-			traffic->ipv4.pkts[j++] = m;
+			ip->pkts[j++] = m;
 	}
-	traffic->ipv4.num = j;
+	ip->num = j;
+}
+
+static inline void
+process_pkts_outbound(struct ipsec_ctx *ipsec_ctx,
+		struct ipsec_traffic *traffic)
+{
+	struct rte_mbuf *m;
+	uint16_t idx, nb_pkts_out, i;
+
+	/* Drop any IPsec traffic from protected ports */
+	for (i = 0; i < traffic->ipsec.num; i++)
+		rte_pktmbuf_free(traffic->ipsec.pkts[i]);
 
-	nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec4.pkts,
-			traffic->ipsec4.res, traffic->ipsec4.num,
+	traffic->ipsec.num = 0;
+
+	outbound_sp(ipsec_ctx->sp4_ctx, &traffic->ip4, &traffic->ipsec);
+
+	outbound_sp(ipsec_ctx->sp6_ctx, &traffic->ip6, &traffic->ipsec);
+
+	nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec.pkts,
+			traffic->ipsec.res, traffic->ipsec.num,
 			MAX_PKT_BURST);
 
 	for (i = 0; i < nb_pkts_out; i++) {
-		idx = traffic->ipv4.num++;
-		m = traffic->ipsec4.pkts[i];
-		traffic->ipv4.pkts[idx] = m;
+		m = traffic->ipsec.pkts[i];
+		struct ip *ip = rte_pktmbuf_mtod(m, struct ip *);
+		if (ip->ip_v == IPVERSION) {
+			idx = traffic->ip4.num++;
+			traffic->ip4.pkts[idx] = m;
+		} else {
+			idx = traffic->ip6.num++;
+			traffic->ip6.pkts[idx] = m;
+		}
 	}
 }
 
@@ -450,47 +518,72 @@ static inline void
 process_pkts_inbound_nosp(struct ipsec_ctx *ipsec_ctx,
 		struct ipsec_traffic *traffic)
 {
-	uint16_t nb_pkts_in, i;
+	struct rte_mbuf *m;
+	uint32_t nb_pkts_in, i, idx;
 
 	/* Drop any IPv4 traffic from unprotected ports */
-	for (i = 0; i < traffic->ipv4.num; i++)
-		rte_pktmbuf_free(traffic->ipv4.pkts[i]);
+	for (i = 0; i < traffic->ip4.num; i++)
+		rte_pktmbuf_free(traffic->ip4.pkts[i]);
 
-	traffic->ipv4.num = 0;
+	traffic->ip4.num = 0;
 
-	nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts,
-			traffic->ipsec4.num, MAX_PKT_BURST);
+	/* Drop any IPv6 traffic from unprotected ports */
+	for (i = 0; i < traffic->ip6.num; i++)
+		rte_pktmbuf_free(traffic->ip6.pkts[i]);
 
-	for (i = 0; i < nb_pkts_in; i++)
-		traffic->ipv4.pkts[i] = traffic->ipsec4.pkts[i];
+	traffic->ip6.num = 0;
 
-	traffic->ipv4.num = nb_pkts_in;
+	nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec.pkts,
+			traffic->ipsec.num, MAX_PKT_BURST);
+
+	for (i = 0; i < nb_pkts_in; i++) {
+		m = traffic->ipsec.pkts[i];
+		struct ip *ip = rte_pktmbuf_mtod(m, struct ip *);
+		if (ip->ip_v == IPVERSION) {
+			idx = traffic->ip4.num++;
+			traffic->ip4.pkts[idx] = m;
+		} else {
+			idx = traffic->ip6.num++;
+			traffic->ip6.pkts[idx] = m;
+		}
+	}
 }
 
 static inline void
 process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx,
 		struct ipsec_traffic *traffic)
 {
-	uint16_t nb_pkts_out, i;
+	struct rte_mbuf *m;
+	uint32_t nb_pkts_out, i;
+	struct ip *ip;
 
 	/* Drop any IPsec traffic from protected ports */
-	for (i = 0; i < traffic->ipsec4.num; i++)
-		rte_pktmbuf_free(traffic->ipsec4.pkts[i]);
+	for (i = 0; i < traffic->ipsec.num; i++)
+		rte_pktmbuf_free(traffic->ipsec.pkts[i]);
 
-	traffic->ipsec4.num = 0;
+	traffic->ipsec.num = 0;
 
-	for (i = 0; i < traffic->ipv4.num; i++)
-		traffic->ipv4.res[i] = single_sa_idx;
+	for (i = 0; i < traffic->ip4.num; i++)
+		traffic->ip4.res[i] = single_sa_idx;
 
-	nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipv4.pkts,
-			traffic->ipv4.res, traffic->ipv4.num,
+	for (i = 0; i < traffic->ip6.num; i++)
+		traffic->ip6.res[i] = single_sa_idx;
+
+	nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ip4.pkts,
+			traffic->ip4.res, traffic->ip4.num,
 			MAX_PKT_BURST);
 
-	traffic->ipv4.num = nb_pkts_out;
+	/* They all sue the same SA (ip4 or ip6 tunnel) */
+	m = traffic->ipsec.pkts[i];
+	ip = rte_pktmbuf_mtod(m, struct ip *);
+	if (ip->ip_v == IPVERSION)
+		traffic->ip4.num = nb_pkts_out;
+	else
+		traffic->ip6.num = nb_pkts_out;
 }
 
 static inline void
-route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
+route4_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
 {
 	uint32_t hop[MAX_PKT_BURST * 2];
 	uint32_t dst_ip[MAX_PKT_BURST * 2];
@@ -518,6 +611,35 @@ route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
 }
 
 static inline void
+route6_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
+{
+	int16_t hop[MAX_PKT_BURST * 2];
+	uint8_t dst_ip[MAX_PKT_BURST * 2][16];
+	uint8_t *ip6_dst;
+	uint16_t i, offset;
+
+	if (nb_pkts == 0)
+		return;
+
+	for (i = 0; i < nb_pkts; i++) {
+		offset = offsetof(struct ip6_hdr, ip6_dst);
+		ip6_dst = rte_pktmbuf_mtod_offset(pkts[i], uint8_t *, offset);
+		memcpy(&dst_ip[i][0], ip6_dst, 16);
+	}
+
+	rte_lpm6_lookup_bulk_func((struct rte_lpm6 *)rt_ctx, dst_ip,
+			hop, nb_pkts);
+
+	for (i = 0; i < nb_pkts; i++) {
+		if (hop[i] == -1) {
+			rte_pktmbuf_free(pkts[i]);
+			continue;
+		}
+		send_single_packet(pkts[i], hop[i] & 0xff);
+	}
+}
+
+static inline void
 process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts,
 		uint8_t nb_pkts, uint8_t portid)
 {
@@ -525,7 +647,7 @@ process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts,
 
 	prepare_traffic(pkts, &traffic, nb_pkts);
 
-	if (single_sa) {
+	if (unlikely(single_sa)) {
 		if (UNPROTECTED_PORT(portid))
 			process_pkts_inbound_nosp(&qconf->inbound, &traffic);
 		else
@@ -537,7 +659,8 @@ process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts,
 			process_pkts_outbound(&qconf->outbound, &traffic);
 	}
 
-	route_pkts(qconf->rt_ctx, traffic.ipv4.pkts, traffic.ipv4.num);
+	route4_pkts(qconf->rt4_ctx, traffic.ip4.pkts, traffic.ip4.num);
+	route6_pkts(qconf->rt6_ctx, traffic.ip6.pkts, traffic.ip6.num);
 }
 
 static inline void
@@ -576,12 +699,15 @@ main_loop(__attribute__((unused)) void *dummy)
 	rxql = qconf->rx_queue_list;
 	socket_id = rte_lcore_to_socket_id(lcore_id);
 
-	qconf->rt_ctx = socket_ctx[socket_id].rt_ipv4;
-	qconf->inbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_in;
-	qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_in;
+	qconf->rt4_ctx = socket_ctx[socket_id].rt_ip4;
+	qconf->rt6_ctx = socket_ctx[socket_id].rt_ip6;
+	qconf->inbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_in;
+	qconf->inbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_in;
+	qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_in;
 	qconf->inbound.cdev_map = cdev_map_in;
-	qconf->outbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_out;
-	qconf->outbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_out;
+	qconf->outbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_out;
+	qconf->outbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_out;
+	qconf->outbound.sa_ctx = socket_ctx[socket_id].sa_out;
 	qconf->outbound.cdev_map = cdev_map_out;
 
 	if (qconf->nb_rx_queue == 0) {
@@ -762,7 +888,7 @@ parse_config(const char *q_arg)
 		FLD_LCORE,
 		_NUM_FLD
 	};
-	int long int_fld[_NUM_FLD];
+	unsigned long int_fld[_NUM_FLD];
 	char *str_fld[_NUM_FLD];
 	int32_t i;
 	uint32_t size;
@@ -1313,7 +1439,9 @@ main(int32_t argc, char **argv)
 
 		sa_init(&socket_ctx[socket_id], socket_id, ep);
 
-		sp_init(&socket_ctx[socket_id], socket_id, ep);
+		sp4_init(&socket_ctx[socket_id], socket_id, ep);
+
+		sp6_init(&socket_ctx[socket_id], socket_id, ep);
 
 		rt_init(&socket_ctx[socket_id], socket_id, ep);
 
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index ccc840f..1e87d0d 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -66,7 +66,8 @@ create_session(struct ipsec_ctx *ipsec_ctx __rte_unused, struct ipsec_sa *sa)
 	}
 
 	RTE_LOG(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev "
-			"%u qp %u\n", sa->spi, ipsec_ctx->tbl[cdev_id_qp].id,
+			"%u qp %u\n", sa->spi,
+			ipsec_ctx->tbl[cdev_id_qp].id,
 			ipsec_ctx->tbl[cdev_id_qp].qp);
 
 	sa->crypto_session = rte_cryptodev_sym_session_create(
@@ -80,7 +81,7 @@ create_session(struct ipsec_ctx *ipsec_ctx __rte_unused, struct ipsec_sa *sa)
 static inline void
 enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop)
 {
-	int ret, i;
+	int32_t ret, i;
 
 	cqp->buf[cqp->len++] = cop;
 
@@ -105,7 +106,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
 		struct rte_mbuf *pkts[], struct ipsec_sa *sas[],
 		uint16_t nb_pkts)
 {
-	int ret = 0, i;
+	int32_t ret = 0, i;
 	struct ipsec_mbuf_metadata *priv;
 	struct ipsec_sa *sa;
 
@@ -151,7 +152,7 @@ static inline int
 ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
 		struct rte_mbuf *pkts[], uint16_t max_pkts)
 {
-	int nb_pkts = 0, ret = 0, i, j, nb_cops;
+	int32_t nb_pkts = 0, ret = 0, i, j, nb_cops;
 	struct ipsec_mbuf_metadata *priv;
 	struct rte_crypto_op *cops[max_pkts];
 	struct ipsec_sa *sa;
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 74ef6fc..83d7b1c 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -37,7 +37,6 @@
 #include <stdint.h>
 
 #include <rte_byteorder.h>
-#include <rte_ip.h>
 #include <rte_crypto.h>
 
 #define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
@@ -50,15 +49,15 @@
 #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
 
 #define uint32_t_to_char(ip, a, b, c, d) do {\
-		*a = (unsigned char)(ip >> 24 & 0xff);\
-		*b = (unsigned char)(ip >> 16 & 0xff);\
-		*c = (unsigned char)(ip >> 8 & 0xff);\
-		*d = (unsigned char)(ip & 0xff);\
+		*a = (uint8_t)(ip >> 24 & 0xff);\
+		*b = (uint8_t)(ip >> 16 & 0xff);\
+		*c = (uint8_t)(ip >> 8 & 0xff);\
+		*d = (uint8_t)(ip & 0xff);\
 	} while (0)
 
 #define DEFAULT_MAX_CATEGORIES	1
 
-#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */
+#define IPSEC_SA_MAX_ENTRIES (128) /* must be power of 2, max 2 power 30 */
 #define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
 #define INVALID_SPI (0)
 
@@ -69,6 +68,8 @@
 
 #define IPSEC_XFORM_MAX 2
 
+#define IP6_VERSION (6)
+
 struct rte_crypto_xform;
 struct ipsec_xform;
 struct rte_cryptodev_session;
@@ -76,23 +77,35 @@ struct rte_mbuf;
 
 struct ipsec_sa;
 
-typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
+typedef int32_t (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
 		struct rte_crypto_op *cop);
 
+struct ip_addr {
+	union {
+		uint32_t ip4;
+		union {
+			uint64_t ip6[2];
+			uint8_t ip6_b[16];
+		};
+	};
+};
+
 struct ipsec_sa {
 	uint32_t spi;
 	uint32_t cdev_id_qp;
-	uint32_t src;
-	uint32_t dst;
 	struct rte_cryptodev_sym_session *crypto_session;
-	struct rte_crypto_sym_xform *xforms;
+	uint32_t seq;
 	enum rte_crypto_cipher_algorithm cipher_algo;
 	enum rte_crypto_auth_algorithm auth_algo;
 	uint16_t digest_len;
 	uint16_t iv_len;
 	uint16_t block_size;
 	uint16_t flags;
-	uint32_t seq;
+#define IP4_TUNNEL (1 << 0)
+#define IP6_TUNNEL (1 << 1)
+	struct ip_addr src;
+	struct ip_addr dst;
+	struct rte_crypto_sym_xform *xforms;
 } __rte_cache_aligned;
 
 struct ipsec_mbuf_metadata {
@@ -111,7 +124,8 @@ struct cdev_qp {
 
 struct ipsec_ctx {
 	struct rte_hash *cdev_map;
-	struct sp_ctx *sp_ctx;
+	struct sp_ctx *sp4_ctx;
+	struct sp_ctx *sp6_ctx;
 	struct sa_ctx *sa_ctx;
 	uint16_t nb_qps;
 	uint16_t last_qp;
@@ -125,11 +139,14 @@ struct cdev_key {
 };
 
 struct socket_ctx {
-	struct sa_ctx *sa_ipv4_in;
-	struct sa_ctx *sa_ipv4_out;
-	struct sp_ctx *sp_ipv4_in;
-	struct sp_ctx *sp_ipv4_out;
-	struct rt_ctx *rt_ipv4;
+	struct sa_ctx *sa_in;
+	struct sa_ctx *sa_out;
+	struct sp_ctx *sp_ip4_in;
+	struct sp_ctx *sp_ip4_out;
+	struct sp_ctx *sp_ip6_in;
+	struct sp_ctx *sp_ip6_out;
+	struct rt_ctx *rt_ip4;
+	struct rt_ctx *rt_ip6;
 	struct rte_mempool *mbuf_pool;
 };
 
@@ -165,12 +182,15 @@ outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
 		struct ipsec_sa *sa[], uint16_t nb_pkts);
 
 void
-sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+sp4_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t ep);
+
+void
+sp6_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t ep);
 
 void
-sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+sa_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t ep);
 
 void
-rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+rt_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t ep);
 
 #endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c
index a6d0866..d46df49 100644
--- a/examples/ipsec-secgw/rt.c
+++ b/examples/ipsec-secgw/rt.c
@@ -36,110 +36,205 @@
  */
 #include <sys/types.h>
 #include <rte_lpm.h>
+#include <rte_lpm6.h>
 #include <rte_errno.h>
+#include <rte_ip.h>
 
 #include "ipsec.h"
 
-#define RT_IPV4_MAX_RULES         64
+#define RT_IPV4_MAX_RULES	1024
+#define RT_IPV6_MAX_RULES	1024
 
-struct ipv4_route {
+struct ip4_route {
 	uint32_t ip;
-	uint8_t  depth;
-	uint8_t  if_out;
+	uint8_t depth;
+	uint8_t if_out;
 };
 
-/* In the default routing table we have:
- * ep0 protected ports 0 and 1, and unprotected ports 2 and 3.
- */
-static struct ipv4_route rt_ipv4_ep0[] = {
+struct ip6_route {
+	uint8_t ip[16];
+	uint8_t depth;
+	uint8_t if_out;
+};
+
+static struct ip4_route rt_ip4_ep0[] = {
+	/* Outbound */
+	/* Tunnels */
 	{ IPv4(172, 16, 2, 5), 32, 0 },
-	{ IPv4(172, 16, 2, 6), 32, 0 },
-	{ IPv4(172, 16, 2, 7), 32, 1 },
-	{ IPv4(172, 16, 2, 8), 32, 1 },
+	{ IPv4(172, 16, 2, 6), 32, 1 },
+	/* Bypass */
+	{ IPv4(192, 168, 240, 0), 24, 0 },
+	{ IPv4(192, 168, 241, 0), 24, 1 },
 
+	/* Inbound */
+	/* Tunnels */
 	{ IPv4(192, 168, 115, 0), 24, 2 },
-	{ IPv4(192, 168, 116, 0), 24, 2 },
-	{ IPv4(192, 168, 117, 0), 24, 3 },
-	{ IPv4(192, 168, 118, 0), 24, 3 },
-
+	{ IPv4(192, 168, 116, 0), 24, 3 },
+	{ IPv4(192, 168, 65, 0), 24, 2 },
+	{ IPv4(192, 168, 66, 0), 24, 3 },
+	/* NULL */
 	{ IPv4(192, 168, 210, 0), 24, 2 },
-
-	{ IPv4(192, 168, 240, 0), 24, 2 },
-	{ IPv4(192, 168, 250, 0), 24, 0 }
+	{ IPv4(192, 168, 211, 0), 24, 3 },
+	/* Bypass */
+	{ IPv4(192, 168, 245, 0), 24, 2 },
+	{ IPv4(192, 168, 246, 0), 24, 3 },
 };
 
-/* In the default routing table we have:
- * ep1 protected ports 0 and 1, and unprotected ports 2 and 3.
- */
-static struct ipv4_route rt_ipv4_ep1[] = {
-	{ IPv4(172, 16, 1, 5), 32, 2 },
-	{ IPv4(172, 16, 1, 6), 32, 2 },
-	{ IPv4(172, 16, 1, 7), 32, 3 },
-	{ IPv4(172, 16, 1, 8), 32, 3 },
-
-	{ IPv4(192, 168, 105, 0), 24, 0 },
-	{ IPv4(192, 168, 106, 0), 24, 0 },
-	{ IPv4(192, 168, 107, 0), 24, 1 },
-	{ IPv4(192, 168, 108, 0), 24, 1 },
-
-	{ IPv4(192, 168, 200, 0), 24, 0 },
+static struct ip6_route rt_ip6_ep0[] = {
+	/* Outbound */
+	/* Tunnels */
+	{ { 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+		  0x22, 0x22, 0x22, 0x22, 0x22, 0x55, 0x55 }, 116, 0 },
+	{ { 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+		  0x22, 0x22, 0x22, 0x22, 0x22, 0x66, 0x66 }, 116, 1 },
+	/* Inbound */
+	/* Tunnels */
+	{ { 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xaa,
+		  0xaa, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00 }, 116, 2 },
+	{ { 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbb,
+		  0xbb, 0xbb, 0xbb, 0x00, 0x00, 0x00, 0x00 }, 116, 3 },
+	{ { 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55,
+		  0x55, 0x55, 0x55, 0x00, 0x00, 0x00, 0x00 }, 116, 2 },
+	{ { 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66,
+		  0x66, 0x66, 0x66, 0x00, 0x00, 0x00, 0x00 }, 116, 3 },
+};
 
+static struct ip4_route rt_ip4_ep1[] = {
+	/* Outbound */
+	/* Tunnels */
+	{ IPv4(172, 16, 1, 5), 32, 0 },
+	{ IPv4(172, 16, 1, 6), 32, 1 },
+	/* Bypass */
+	{ IPv4(192, 168, 245, 0), 24, 0 },
+	{ IPv4(192, 168, 246, 0), 24, 1 },
+
+	/* Inbound */
+	/* Tunnels */
+	{ IPv4(192, 168, 105, 0), 24, 2 },
+	{ IPv4(192, 168, 106, 0), 24, 3 },
+	{ IPv4(192, 168, 55, 0), 24, 2 },
+	{ IPv4(192, 168, 56, 0), 24, 3 },
+	/* NULL */
+	{ IPv4(192, 168, 200, 0), 24, 2 },
+	{ IPv4(192, 168, 201, 0), 24, 3 },
+	/* Bypass */
 	{ IPv4(192, 168, 240, 0), 24, 2 },
-	{ IPv4(192, 168, 250, 0), 24, 0 }
+	{ IPv4(192, 168, 241, 0), 24, 3 },
+};
+
+static struct ip6_route rt_ip6_ep1[] = {
+	/* Outbound */
+	/* Tunnels */
+	{ { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		  0x11, 0x11, 0x11, 0x11, 0x11, 0x55, 0x55 }, 116, 0 },
+	{ { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		  0x11, 0x11, 0x11, 0x11, 0x11, 0x66, 0x66 }, 116, 1 },
+
+	/* Inbound */
+	/* Tunnels */
+	{ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xaa,
+		  0xaa, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00 }, 116, 2 },
+	{ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbb,
+		  0xbb, 0xbb, 0xbb, 0x00, 0x00, 0x00, 0x00 }, 116, 3 },
+	{ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55,
+		  0x55, 0x55, 0x55, 0x00, 0x00, 0x00, 0x00 }, 116, 2 },
+	{ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66,
+		  0x66, 0x66, 0x66, 0x00, 0x00, 0x00, 0x00 }, 116, 3 },
 };
 
 void
-rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+rt_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t ep)
 {
 	char name[PATH_MAX];
-	unsigned i;
-	int ret;
+	uint32_t i;
+	int32_t ret;
 	struct rte_lpm *lpm;
-	struct ipv4_route *rt;
+	struct rte_lpm6 *lpm6;
+	struct ip4_route *rt;
+	struct ip6_route *rt6;
 	char a, b, c, d;
-	unsigned nb_routes;
+	uint32_t nb_routes, nb_routes6;
 	struct rte_lpm_config conf = { 0 };
+	struct rte_lpm6_config conf6 = { 0 };
 
 	if (ctx == NULL)
 		rte_exit(EXIT_FAILURE, "NULL context.\n");
 
-	if (ctx->rt_ipv4 != NULL)
-		rte_exit(EXIT_FAILURE, "Routing Table for socket %u already "
-			"initialized\n", socket_id);
+	if (ctx->rt_ip4 != NULL)
+		rte_exit(EXIT_FAILURE, "IPv4 Routing Table for socket %u "
+			"already initialized\n", socket_id);
 
-	printf("Creating Routing Table (RT) context with %u max routes\n",
+	if (ctx->rt_ip6 != NULL)
+		rte_exit(EXIT_FAILURE, "IPv6 Routing Table for socket %u "
+			"already initialized\n", socket_id);
+
+	printf("Creating IPv4 Routing Table (RT) context with %u max routes\n",
 			RT_IPV4_MAX_RULES);
 
 	if (ep == 0) {
-		rt = rt_ipv4_ep0;
-		nb_routes = RTE_DIM(rt_ipv4_ep0);
+		rt = rt_ip4_ep0;
+		nb_routes = RTE_DIM(rt_ip4_ep0);
+		rt6 = rt_ip6_ep0;
+		nb_routes6 = RTE_DIM(rt_ip6_ep0);
 	} else if (ep == 1) {
-		rt = rt_ipv4_ep1;
-		nb_routes = RTE_DIM(rt_ipv4_ep1);
+		rt = rt_ip4_ep1;
+		nb_routes = RTE_DIM(rt_ip4_ep1);
+		rt6 = rt_ip6_ep1;
+		nb_routes6 = RTE_DIM(rt_ip6_ep1);
 	} else
 		rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 "
 			"supported.\n", ep);
 
 	/* create the LPM table */
-	snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id);
+	snprintf(name, sizeof(name), "%s_%u", "rt_ip4", socket_id);
 	conf.max_rules = RT_IPV4_MAX_RULES;
 	conf.number_tbl8s = RTE_LPM_TBL8_NUM_ENTRIES;
 	lpm = rte_lpm_create(name, socket_id, &conf);
 	if (lpm == NULL)
-		rte_exit(EXIT_FAILURE, "Unable to create LPM table "
-			"on socket %d\n", socket_id);
+		rte_exit(EXIT_FAILURE, "Unable to create %s LPM table "
+			"on socket %d\n", name, socket_id);
 
 	/* populate the LPM table */
 	for (i = 0; i < nb_routes; i++) {
 		ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out);
 		if (ret < 0)
-			rte_exit(EXIT_FAILURE, "Unable to add entry num %u to "
-				"LPM table on socket %d\n", i, socket_id);
+			rte_exit(EXIT_FAILURE, "Fail to add entry num %u to %s "
+				"LPM table on socket %d\n", i, name, socket_id);
 
 		uint32_t_to_char(rt[i].ip, &a, &b, &c, &d);
 		printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n",
 				a, b, c, d, rt[i].depth, rt[i].if_out);
 	}
 
-	ctx->rt_ipv4 = (struct rt_ctx *)lpm;
+	snprintf(name, sizeof(name), "%s_%u", "rt_ip6", socket_id);
+	conf6.max_rules = RT_IPV6_MAX_RULES;
+	conf6.number_tbl8s = RTE_LPM_TBL8_NUM_ENTRIES;
+	lpm6 = rte_lpm6_create(name, socket_id, &conf6);
+	if (lpm6 == NULL)
+		rte_exit(EXIT_FAILURE, "Unable to create %s LPM table "
+			"on socket %d\n", name, socket_id);
+
+	/* populate the LPM table */
+	for (i = 0; i < nb_routes6; i++) {
+		ret = rte_lpm6_add(lpm6, rt6[i].ip, rt6[i].depth,
+				rt6[i].if_out);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "Fail to add entry num %u to %s "
+				"LPM table on socket %d\n", i, name, socket_id);
+
+		printf("LPM6: Adding route "
+			" %hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx/%hhx (%hhx)\n",
+			(uint16_t)((rt6[i].ip[0] << 8) | rt6[i].ip[1]),
+			(uint16_t)((rt6[i].ip[2] << 8) | rt6[i].ip[3]),
+			(uint16_t)((rt6[i].ip[4] << 8) | rt6[i].ip[5]),
+			(uint16_t)((rt6[i].ip[6] << 8) | rt6[i].ip[7]),
+			(uint16_t)((rt6[i].ip[8] << 8) | rt6[i].ip[9]),
+			(uint16_t)((rt6[i].ip[10] << 8) | rt6[i].ip[11]),
+			(uint16_t)((rt6[i].ip[12] << 8) | rt6[i].ip[13]),
+			(uint16_t)((rt6[i].ip[14] << 8) | rt6[i].ip[15]),
+			rt6[i].depth, rt6[i].if_out);
+	}
+
+	ctx->rt_ip4 = (struct rt_ctx *)lpm;
+	ctx->rt_ip6 = (struct rt_ctx *)lpm6;
 }
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index a193bdf..8b54beb 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -37,12 +37,14 @@
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
+#include <netinet/ip6.h>
 
 #include <rte_memzone.h>
 #include <rte_crypto.h>
 #include <rte_cryptodev.h>
 #include <rte_byteorder.h>
 #include <rte_errno.h>
+#include <rte_ip.h>
 
 #include "ipsec.h"
 #include "esp.h"
@@ -51,108 +53,148 @@
 const struct ipsec_sa sa_out[] = {
 	{
 	.spi = 5,
-	.src = IPv4(172, 16, 1, 5),
-	.dst = IPv4(172, 16, 2, 5),
+	.src.ip4 = IPv4(172, 16, 1, 5),
+	.dst.ip4 = IPv4(172, 16, 2, 5),
 	.cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC,
 	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
 	.digest_len = 12,
 	.iv_len = 16,
 	.block_size = 16,
+	.flags = IP4_TUNNEL
 	},
 	{
 	.spi = 6,
-	.src = IPv4(172, 16, 1, 6),
-	.dst = IPv4(172, 16, 2, 6),
+	.src.ip4 = IPv4(172, 16, 1, 6),
+	.dst.ip4 = IPv4(172, 16, 2, 6),
 	.cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC,
 	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
 	.digest_len = 12,
 	.iv_len = 16,
 	.block_size = 16,
+	.flags = IP4_TUNNEL
 	},
 	{
-	.spi = 7,
-	.src = IPv4(172, 16, 1, 7),
-	.dst = IPv4(172, 16, 2, 7),
+	.spi = 15,
+	.src.ip4 = IPv4(172, 16, 1, 5),
+	.dst.ip4 = IPv4(172, 16, 2, 5),
+	.cipher_algo = RTE_CRYPTO_CIPHER_NULL,
+	.auth_algo = RTE_CRYPTO_AUTH_NULL,
+	.digest_len = 0,
+	.iv_len = 0,
+	.block_size = 4,
+	.flags = IP4_TUNNEL
+	},
+	{
+	.spi = 16,
+	.src.ip4 = IPv4(172, 16, 1, 6),
+	.dst.ip4 = IPv4(172, 16, 2, 6),
+	.cipher_algo = RTE_CRYPTO_CIPHER_NULL,
+	.auth_algo = RTE_CRYPTO_AUTH_NULL,
+	.digest_len = 0,
+	.iv_len = 0,
+	.block_size = 4,
+	.flags = IP4_TUNNEL
+	},
+	{
+	.spi = 25,
+	.src.ip6_b = { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x55, 0x55 },
+	.dst.ip6_b = { 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+		0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x55, 0x55 },
 	.cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC,
 	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
 	.digest_len = 12,
 	.iv_len = 16,
 	.block_size = 16,
+	.flags = IP6_TUNNEL
 	},
 	{
-	.spi = 8,
-	.src = IPv4(172, 16, 1, 8),
-	.dst = IPv4(172, 16, 2, 8),
+	.spi = 26,
+	.src.ip6_b = { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x66, 0x66 },
+	.dst.ip6_b = { 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+		0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x66, 0x66 },
 	.cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC,
 	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
 	.digest_len = 12,
 	.iv_len = 16,
 	.block_size = 16,
+	.flags = IP6_TUNNEL
 	},
-	{
-	.spi = 9,
-	.src = IPv4(172, 16, 1, 9),
-	.dst = IPv4(172, 16, 2, 9),
-	.cipher_algo = RTE_CRYPTO_CIPHER_NULL,
-	.auth_algo = RTE_CRYPTO_AUTH_NULL,
-	.digest_len = 0,
-	.iv_len = 0,
-	.block_size = 4,
-	}
 };
 
 /* SAs Inbound */
 const struct ipsec_sa sa_in[] = {
 	{
-	.spi = 55,
-	.src = IPv4(172, 16, 2, 5),
-	.dst = IPv4(172, 16, 1, 5),
+	.spi = 105,
+	.src.ip4 = IPv4(172, 16, 2, 5),
+	.dst.ip4 = IPv4(172, 16, 1, 5),
 	.cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC,
 	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
 	.digest_len = 12,
 	.iv_len = 16,
 	.block_size = 16,
+	.flags = IP4_TUNNEL
 	},
 	{
-	.spi = 56,
-	.src = IPv4(172, 16, 2, 6),
-	.dst = IPv4(172, 16, 1, 6),
+	.spi = 106,
+	.src.ip4 = IPv4(172, 16, 2, 6),
+	.dst.ip4 = IPv4(172, 16, 1, 6),
 	.cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC,
 	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
 	.digest_len = 12,
 	.iv_len = 16,
 	.block_size = 16,
+	.flags = IP4_TUNNEL
+	},
+	{
+	.spi = 115,
+	.src.ip4 = IPv4(172, 16, 2, 5),
+	.dst.ip4 = IPv4(172, 16, 1, 5),
+	.cipher_algo = RTE_CRYPTO_CIPHER_NULL,
+	.auth_algo = RTE_CRYPTO_AUTH_NULL,
+	.digest_len = 0,
+	.iv_len = 0,
+	.block_size = 4,
+	.flags = IP4_TUNNEL
 	},
 	{
-	.spi = 57,
-	.src = IPv4(172, 16, 2, 7),
-	.dst = IPv4(172, 16, 1, 7),
+	.spi = 116,
+	.src.ip4 = IPv4(172, 16, 2, 6),
+	.dst.ip4 = IPv4(172, 16, 1, 6),
+	.cipher_algo = RTE_CRYPTO_CIPHER_NULL,
+	.auth_algo = RTE_CRYPTO_AUTH_NULL,
+	.digest_len = 0,
+	.iv_len = 0,
+	.block_size = 4,
+	.flags = IP4_TUNNEL
+	},
+	{
+	.spi = 125,
+	.src.ip6_b = { 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+		0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x55, 0x55 },
+	.dst.ip6_b = { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x55, 0x55 },
 	.cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC,
 	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
 	.digest_len = 12,
 	.iv_len = 16,
 	.block_size = 16,
+	.flags = IP6_TUNNEL
 	},
 	{
-	.spi = 58,
-	.src = IPv4(172, 16, 2, 8),
-	.dst = IPv4(172, 16, 1, 8),
+	.spi = 126,
+	.src.ip6_b = { 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+		0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x66, 0x66 },
+	.dst.ip6_b = { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x66, 0x66 },
 	.cipher_algo = RTE_CRYPTO_CIPHER_AES_CBC,
 	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
 	.digest_len = 12,
 	.iv_len = 16,
 	.block_size = 16,
+	.flags = IP6_TUNNEL
 	},
-	{
-	.spi = 59,
-	.src = IPv4(172, 16, 2, 9),
-	.dst = IPv4(172, 16, 1, 9),
-	.cipher_algo = RTE_CRYPTO_CIPHER_NULL,
-	.auth_algo = RTE_CRYPTO_AUTH_NULL,
-	.digest_len = 0,
-	.iv_len = 0,
-	.block_size = 4,
-	}
 };
 
 static uint8_t cipher_key[256] = "sixteenbytes key";
@@ -217,11 +259,11 @@ struct sa_ctx {
 };
 
 static struct sa_ctx *
-sa_ipv4_create(const char *name, int socket_id)
+sa_create(const char *name, int32_t socket_id)
 {
 	char s[PATH_MAX];
 	struct sa_ctx *sa_ctx;
-	unsigned mz_size;
+	uint32_t mz_size;
 	const struct rte_memzone *mz;
 
 	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
@@ -246,10 +288,10 @@ sa_ipv4_create(const char *name, int socket_id)
 
 static int
 sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
-		unsigned nb_entries, unsigned inbound)
+		uint32_t nb_entries, uint32_t inbound)
 {
 	struct ipsec_sa *sa;
-	unsigned i, idx;
+	uint32_t i, idx;
 
 	for (i = 0; i < nb_entries; i++) {
 		idx = SPI2IDX(entries[i].spi);
@@ -260,8 +302,14 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 			return -EINVAL;
 		}
 		*sa = entries[i];
-		sa->src = rte_cpu_to_be_32(sa->src);
-		sa->dst = rte_cpu_to_be_32(sa->dst);
+		sa->seq = 0;
+
+		switch (sa->flags) {
+		case IP4_TUNNEL:
+			sa->src.ip4 = rte_cpu_to_be_32(sa->src.ip4);
+			sa->dst.ip4 = rte_cpu_to_be_32(sa->dst.ip4);
+		}
+
 		if (inbound) {
 			if (sa->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
 				sa_ctx->xf[idx].a = null_auth_xf;
@@ -289,33 +337,33 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 
 static inline int
 sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
-		unsigned nb_entries)
+		uint32_t nb_entries)
 {
 	return sa_add_rules(sa_ctx, entries, nb_entries, 0);
 }
 
 static inline int
 sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
-		unsigned nb_entries)
+		uint32_t nb_entries)
 {
 	return sa_add_rules(sa_ctx, entries, nb_entries, 1);
 }
 
 void
-sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+sa_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t ep)
 {
 	const struct ipsec_sa *sa_out_entries, *sa_in_entries;
-	unsigned nb_out_entries, nb_in_entries;
+	uint32_t nb_out_entries, nb_in_entries;
 	const char *name;
 
 	if (ctx == NULL)
 		rte_exit(EXIT_FAILURE, "NULL context.\n");
 
-	if (ctx->sa_ipv4_in != NULL)
+	if (ctx->sa_in != NULL)
 		rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already "
 				"initialized\n", socket_id);
 
-	if (ctx->sa_ipv4_out != NULL)
+	if (ctx->sa_out != NULL)
 		rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already "
 				"initialized\n", socket_id);
 
@@ -333,21 +381,21 @@ sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
 		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
 				"Only 0 or 1 supported.\n", ep);
 
-	name = "sa_ipv4_in";
-	ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id);
-	if (ctx->sa_ipv4_in == NULL)
+	name = "sa_in";
+	ctx->sa_in = sa_create(name, socket_id);
+	if (ctx->sa_in == NULL)
 		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
 				"in socket %d\n", rte_errno, name, socket_id);
 
-	name = "sa_ipv4_out";
-	ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id);
-	if (ctx->sa_ipv4_out == NULL)
+	name = "sa_out";
+	ctx->sa_out = sa_create(name, socket_id);
+	if (ctx->sa_out == NULL)
 		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
 				"in socket %d\n", rte_errno, name, socket_id);
 
-	sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, nb_in_entries);
+	sa_in_add_rules(ctx->sa_in, sa_in_entries, nb_in_entries);
 
-	sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, nb_out_entries);
+	sa_out_add_rules(ctx->sa_out, sa_out_entries, nb_out_entries);
 }
 
 int
@@ -360,38 +408,63 @@ inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx)
 	return (sa_ctx->sa[sa_idx].spi == priv->sa->spi);
 }
 
+static inline void
+single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt,
+		struct ipsec_sa **sa_ret)
+{
+	struct esp_hdr *esp;
+	struct ip *ip;
+	uint32_t *src4_addr;
+	uint8_t *src6_addr;
+	struct ipsec_sa *sa;
+
+	*sa_ret = NULL;
+
+	ip = rte_pktmbuf_mtod(pkt, struct ip *);
+	if (ip->ip_v == IPVERSION)
+		esp = (struct esp_hdr *)(ip + 1);
+	else
+		esp = (struct esp_hdr *)(((struct ip6_hdr *)ip) + 1);
+
+	if (esp->spi == INVALID_SPI)
+		return;
+
+	sa = &sadb[SPI2IDX(rte_be_to_cpu_32(esp->spi))];
+	if (rte_be_to_cpu_32(esp->spi) != sa->spi)
+		return;
+
+	switch (sa->flags) {
+	case IP4_TUNNEL:
+		src4_addr = RTE_PTR_ADD(ip, offsetof(struct ip, ip_src));
+		if ((ip->ip_v == IPVERSION) &&
+				(sa->src.ip4 == *src4_addr) &&
+				(sa->dst.ip4 == *(src4_addr + 1)))
+			*sa_ret = sa;
+		break;
+	case IP6_TUNNEL:
+		src6_addr = RTE_PTR_ADD(ip, offsetof(struct ip6_hdr, ip6_src));
+		if ((ip->ip_v == IP6_VERSION) &&
+				!memcmp(&sa->src.ip6, src6_addr, 16) &&
+				!memcmp(&sa->dst.ip6, src6_addr + 16, 16))
+			*sa_ret = sa;
+	}
+}
+
 void
 inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
 		struct ipsec_sa *sa[], uint16_t nb_pkts)
 {
-	unsigned i;
-	uint32_t *src, spi;
-
-	for (i = 0; i < nb_pkts; i++) {
-		spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *,
-				sizeof(struct ip))->spi;
+	uint32_t i;
 
-		if (spi == INVALID_SPI)
-			continue;
-
-		sa[i] = &sa_ctx->sa[SPI2IDX(spi)];
-		if (spi != sa[i]->spi) {
-			sa[i] = NULL;
-			continue;
-		}
-
-		src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *,
-				offsetof(struct ip, ip_src));
-		if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1)))
-			sa[i] = NULL;
-	}
+	for (i = 0; i < nb_pkts; i++)
+		single_inbound_lookup(sa_ctx->sa, pkts[i], &sa[i]);
 }
 
 void
 outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
 		struct ipsec_sa *sa[], uint16_t nb_pkts)
 {
-	unsigned i;
+	uint32_t i;
 
 	for (i = 0; i < nb_pkts; i++)
 		sa[i] = &sa_ctx->sa[sa_idx[i]];
diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c
deleted file mode 100644
index 6aa377d..0000000
--- a/examples/ipsec-secgw/sp.c
+++ /dev/null
@@ -1,366 +0,0 @@
-/*-
- *   BSD LICENSE
- *
- *   Copyright(c) 2016 Intel Corporation. All rights reserved.
- *   All rights reserved.
- *
- *   Redistribution and use in source and binary forms, with or without
- *   modification, are permitted provided that the following conditions
- *   are met:
- *
- *     * Redistributions of source code must retain the above copyright
- *       notice, this list of conditions and the following disclaimer.
- *     * Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in
- *       the documentation and/or other materials provided with the
- *       distribution.
- *     * Neither the name of Intel Corporation nor the names of its
- *       contributors may be used to endorse or promote products derived
- *       from this software without specific prior written permission.
- *
- *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Security Policies
- */
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-
-#include <rte_acl.h>
-
-#include "ipsec.h"
-
-#define MAX_ACL_RULE_NUM	1000
-
-/*
- * Rule and trace formats definitions.
- */
-enum {
-	PROTO_FIELD_IPV4,
-	SRC_FIELD_IPV4,
-	DST_FIELD_IPV4,
-	SRCP_FIELD_IPV4,
-	DSTP_FIELD_IPV4,
-	NUM_FIELDS_IPV4
-};
-
-/*
- * That effectively defines order of IPV4 classifications:
- *  - PROTO
- *  - SRC IP ADDRESS
- *  - DST IP ADDRESS
- *  - PORTS (SRC and DST)
- */
-enum {
-	RTE_ACL_IPV4_PROTO,
-	RTE_ACL_IPV4_SRC,
-	RTE_ACL_IPV4_DST,
-	RTE_ACL_IPV4_PORTS,
-	RTE_ACL_IPV4_NUM
-};
-
-struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
-	{
-	.type = RTE_ACL_FIELD_TYPE_BITMASK,
-	.size = sizeof(uint8_t),
-	.field_index = PROTO_FIELD_IPV4,
-	.input_index = RTE_ACL_IPV4_PROTO,
-	.offset = 0,
-	},
-	{
-	.type = RTE_ACL_FIELD_TYPE_MASK,
-	.size = sizeof(uint32_t),
-	.field_index = SRC_FIELD_IPV4,
-	.input_index = RTE_ACL_IPV4_SRC,
-	.offset = offsetof(struct ip, ip_src) -	offsetof(struct ip, ip_p)
-	},
-	{
-	.type = RTE_ACL_FIELD_TYPE_MASK,
-	.size = sizeof(uint32_t),
-	.field_index = DST_FIELD_IPV4,
-	.input_index = RTE_ACL_IPV4_DST,
-	.offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
-	},
-	{
-	.type = RTE_ACL_FIELD_TYPE_RANGE,
-	.size = sizeof(uint16_t),
-	.field_index = SRCP_FIELD_IPV4,
-	.input_index = RTE_ACL_IPV4_PORTS,
-	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
-	},
-	{
-	.type = RTE_ACL_FIELD_TYPE_RANGE,
-	.size = sizeof(uint16_t),
-	.field_index = DSTP_FIELD_IPV4,
-	.input_index = RTE_ACL_IPV4_PORTS,
-	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
-		sizeof(uint16_t)
-	},
-};
-
-RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs));
-
-const struct acl4_rules acl4_rules_out[] = {
-	{
-	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 105, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 106, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 107, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 108, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 200, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 6},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 250, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	}
-};
-
-const struct acl4_rules acl4_rules_in[] = {
-	{
-	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 115, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 116, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 117, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 118, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 210, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	},
-	{
-	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 6},
-	/* destination IPv4 */
-	.field[2] = {.value.u32 = IPv4(192, 168, 240, 0),
-				.mask_range.u32 = 24,},
-	/* source port */
-	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
-	/* destination port */
-	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
-	}
-};
-
-static void
-print_one_ipv4_rule(const struct acl4_rules *rule, int extra)
-{
-	unsigned char a, b, c, d;
-
-	uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
-			&a, &b, &c, &d);
-	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
-			rule->field[SRC_FIELD_IPV4].mask_range.u32);
-	uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
-			&a, &b, &c, &d);
-	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
-			rule->field[DST_FIELD_IPV4].mask_range.u32);
-	printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
-		rule->field[SRCP_FIELD_IPV4].value.u16,
-		rule->field[SRCP_FIELD_IPV4].mask_range.u16,
-		rule->field[DSTP_FIELD_IPV4].value.u16,
-		rule->field[DSTP_FIELD_IPV4].mask_range.u16,
-		rule->field[PROTO_FIELD_IPV4].value.u8,
-		rule->field[PROTO_FIELD_IPV4].mask_range.u8);
-	if (extra)
-		printf("0x%x-0x%x-0x%x ",
-			rule->data.category_mask,
-			rule->data.priority,
-			rule->data.userdata);
-}
-
-static inline void
-dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra)
-{
-	int i;
-
-	for (i = 0; i < num; i++, rule++) {
-		printf("\t%d:", i + 1);
-		print_one_ipv4_rule(rule, extra);
-		printf("\n");
-	}
-}
-
-static struct rte_acl_ctx *
-acl4_init(const char *name, int socketid, const struct acl4_rules *rules,
-		unsigned rules_nb)
-{
-	char s[PATH_MAX];
-	struct rte_acl_param acl_param;
-	struct rte_acl_config acl_build_param;
-	struct rte_acl_ctx *ctx;
-
-	printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
-
-	memset(&acl_param, 0, sizeof(acl_param));
-
-	/* Create ACL contexts */
-	snprintf(s, sizeof(s), "%s_%d", name, socketid);
-
-	printf("IPv4 %s entries [%u]:\n", s, rules_nb);
-	dump_ipv4_rules(rules, rules_nb, 1);
-
-	acl_param.name = s;
-	acl_param.socket_id = socketid;
-	acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs));
-	acl_param.max_rule_num = MAX_ACL_RULE_NUM;
-
-	ctx = rte_acl_create(&acl_param);
-	if (ctx == NULL)
-		rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
-
-	if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
-				rules_nb) < 0)
-		rte_exit(EXIT_FAILURE, "add rules failed\n");
-
-	/* Perform builds */
-	memset(&acl_build_param, 0, sizeof(acl_build_param));
-
-	acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
-	acl_build_param.num_fields = RTE_DIM(ipv4_defs);
-	memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs));
-
-	if (rte_acl_build(ctx, &acl_build_param) != 0)
-		rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
-
-	rte_acl_dump(ctx);
-
-	return ctx;
-}
-
-void
-sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
-{
-	const char *name;
-	const struct acl4_rules *rules_out, *rules_in;
-	unsigned nb_out_rules, nb_in_rules;
-
-	if (ctx == NULL)
-		rte_exit(EXIT_FAILURE, "NULL context.\n");
-
-	if (ctx->sp_ipv4_in != NULL)
-		rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
-				"initialized\n", socket_id);
-
-	if (ctx->sp_ipv4_out != NULL)
-		rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
-				"initialized\n", socket_id);
-
-	if (ep == 0) {
-		rules_out = acl4_rules_out;
-		nb_out_rules = RTE_DIM(acl4_rules_out);
-		rules_in = acl4_rules_in;
-		nb_in_rules = RTE_DIM(acl4_rules_in);
-	} else if (ep == 1) {
-		rules_out = acl4_rules_in;
-		nb_out_rules = RTE_DIM(acl4_rules_in);
-		rules_in = acl4_rules_out;
-		nb_in_rules = RTE_DIM(acl4_rules_out);
-	} else
-		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
-				"Only 0 or 1 supported.\n", ep);
-
-	name = "sp_ipv4_in";
-	ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id,
-			rules_in, nb_in_rules);
-
-	name = "sp_ipv4_out";
-	ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id,
-			rules_out, nb_out_rules);
-}
diff --git a/examples/ipsec-secgw/sp4.c b/examples/ipsec-secgw/sp4.c
new file mode 100644
index 0000000..61720c8
--- /dev/null
+++ b/examples/ipsec-secgw/sp4.c
@@ -0,0 +1,407 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Policies
+ */
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_acl.h>
+#include <rte_ip.h>
+
+#include "ipsec.h"
+
+#define MAX_ACL_RULE_NUM	1000
+
+/*
+ * Rule and trace formats definitions.
+ */
+enum {
+	PROTO_FIELD_IPV4,
+	SRC_FIELD_IPV4,
+	DST_FIELD_IPV4,
+	SRCP_FIELD_IPV4,
+	DSTP_FIELD_IPV4,
+	NUM_FIELDS_IPV4
+};
+
+/*
+ * That effectively defines order of IPV4 classifications:
+ *  - PROTO
+ *  - SRC IP ADDRESS
+ *  - DST IP ADDRESS
+ *  - PORTS (SRC and DST)
+ */
+enum {
+	RTE_ACL_IPV4_PROTO,
+	RTE_ACL_IPV4_SRC,
+	RTE_ACL_IPV4_DST,
+	RTE_ACL_IPV4_PORTS,
+	RTE_ACL_IPV4_NUM
+};
+
+struct rte_acl_field_def ip4_defs[NUM_FIELDS_IPV4] = {
+	{
+	.type = RTE_ACL_FIELD_TYPE_BITMASK,
+	.size = sizeof(uint8_t),
+	.field_index = PROTO_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PROTO,
+	.offset = 0,
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = sizeof(uint32_t),
+	.field_index = SRC_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_SRC,
+	.offset = offsetof(struct ip, ip_src) -	offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = sizeof(uint32_t),
+	.field_index = DST_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_DST,
+	.offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = SRCP_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PORTS,
+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = DSTP_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PORTS,
+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
+		sizeof(uint16_t)
+	},
+};
+
+RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ip4_defs));
+
+const struct acl4_rules acl4_rules_out[] = {
+	{
+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 105, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 106, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(15), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 200, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(16), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 201, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(25), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 55, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(26), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 56, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 240, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 241, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+const struct acl4_rules acl4_rules_in[] = {
+	{
+	.data = {.userdata = PROTECT(105), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 115, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(106), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 116, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(115), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 210, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(116), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 211, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(125), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 65, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(126), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 66, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 245, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 246, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+static void
+print_one_ip4_rule(const struct acl4_rules *rule, int32_t extra)
+{
+	uint8_t a, b, c, d;
+
+	uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
+			&a, &b, &c, &d);
+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+			rule->field[SRC_FIELD_IPV4].mask_range.u32);
+	uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
+			&a, &b, &c, &d);
+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+			rule->field[DST_FIELD_IPV4].mask_range.u32);
+	printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
+		rule->field[SRCP_FIELD_IPV4].value.u16,
+		rule->field[SRCP_FIELD_IPV4].mask_range.u16,
+		rule->field[DSTP_FIELD_IPV4].value.u16,
+		rule->field[DSTP_FIELD_IPV4].mask_range.u16,
+		rule->field[PROTO_FIELD_IPV4].value.u8,
+		rule->field[PROTO_FIELD_IPV4].mask_range.u8);
+	if (extra)
+		printf("0x%x-0x%x-0x%x ",
+			rule->data.category_mask,
+			rule->data.priority,
+			rule->data.userdata);
+}
+
+static inline void
+dump_ip4_rules(const struct acl4_rules *rule, int32_t num, int32_t extra)
+{
+	int32_t i;
+
+	for (i = 0; i < num; i++, rule++) {
+		printf("\t%d:", i + 1);
+		print_one_ip4_rule(rule, extra);
+		printf("\n");
+	}
+}
+
+static struct rte_acl_ctx *
+acl4_init(const char *name, int32_t socketid, const struct acl4_rules *rules,
+		uint32_t rules_nb)
+{
+	char s[PATH_MAX];
+	struct rte_acl_param acl_param;
+	struct rte_acl_config acl_build_param;
+	struct rte_acl_ctx *ctx;
+
+	printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
+
+	memset(&acl_param, 0, sizeof(acl_param));
+
+	/* Create ACL contexts */
+	snprintf(s, sizeof(s), "%s_%d", name, socketid);
+
+	printf("IPv4 %s entries [%u]:\n", s, rules_nb);
+	dump_ip4_rules(rules, rules_nb, 1);
+
+	acl_param.name = s;
+	acl_param.socket_id = socketid;
+	acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ip4_defs));
+	acl_param.max_rule_num = MAX_ACL_RULE_NUM;
+
+	ctx = rte_acl_create(&acl_param);
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
+
+	if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
+				rules_nb) < 0)
+		rte_exit(EXIT_FAILURE, "add rules failed\n");
+
+	/* Perform builds */
+	memset(&acl_build_param, 0, sizeof(acl_build_param));
+
+	acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
+	acl_build_param.num_fields = RTE_DIM(ip4_defs);
+	memcpy(&acl_build_param.defs, ip4_defs, sizeof(ip4_defs));
+
+	if (rte_acl_build(ctx, &acl_build_param) != 0)
+		rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
+
+	rte_acl_dump(ctx);
+
+	return ctx;
+}
+
+void
+sp4_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t ep)
+{
+	const char *name;
+	const struct acl4_rules *rules_out, *rules_in;
+	uint32_t nb_out_rules, nb_in_rules;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->sp_ip4_in != NULL)
+		rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ctx->sp_ip4_out != NULL)
+		rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ep == 0) {
+		rules_out = acl4_rules_out;
+		nb_out_rules = RTE_DIM(acl4_rules_out);
+		rules_in = acl4_rules_in;
+		nb_in_rules = RTE_DIM(acl4_rules_in);
+	} else if (ep == 1) {
+		rules_out = acl4_rules_in;
+		nb_out_rules = RTE_DIM(acl4_rules_in);
+		rules_in = acl4_rules_out;
+		nb_in_rules = RTE_DIM(acl4_rules_out);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+				"Only 0 or 1 supported.\n", ep);
+
+	name = "sp_ip4_in";
+	ctx->sp_ip4_in = (struct sp_ctx *)acl4_init(name, socket_id,
+			rules_in, nb_in_rules);
+
+	name = "sp_ip4_out";
+	ctx->sp_ip4_out = (struct sp_ctx *)acl4_init(name, socket_id,
+			rules_out, nb_out_rules);
+}
diff --git a/examples/ipsec-secgw/sp6.c b/examples/ipsec-secgw/sp6.c
new file mode 100644
index 0000000..c6fb851
--- /dev/null
+++ b/examples/ipsec-secgw/sp6.c
@@ -0,0 +1,400 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Policies
+ */
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netinet/ip6.h>
+
+#include <rte_acl.h>
+#include <rte_ip.h>
+
+#include "ipsec.h"
+
+#define MAX_ACL_RULE_NUM	1000
+
+enum {
+	IP6_PROTO,
+	IP6_SRC0,
+	IP6_SRC1,
+	IP6_SRC2,
+	IP6_SRC3,
+	IP6_DST0,
+	IP6_DST1,
+	IP6_DST2,
+	IP6_DST3,
+	IP6_SRCP,
+	IP6_DSTP,
+	IP6_NUM
+};
+
+#define IP6_ADDR_SIZE 16
+
+struct rte_acl_field_def ip6_defs[IP6_NUM] = {
+	{
+	.type = RTE_ACL_FIELD_TYPE_BITMASK,
+	.size = sizeof(uint8_t),
+	.field_index = IP6_PROTO,
+	.input_index = IP6_PROTO,
+	.offset = 0,
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = 4,
+	.field_index = IP6_SRC0,
+	.input_index = IP6_SRC0,
+	.offset = 2
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = 4,
+	.field_index = IP6_SRC1,
+	.input_index = IP6_SRC1,
+	.offset = 6
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = 4,
+	.field_index = IP6_SRC2,
+	.input_index = IP6_SRC2,
+	.offset = 10
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = 4,
+	.field_index = IP6_SRC3,
+	.input_index = IP6_SRC3,
+	.offset = 14
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = 4,
+	.field_index = IP6_DST0,
+	.input_index = IP6_DST0,
+	.offset = 18
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = 4,
+	.field_index = IP6_DST1,
+	.input_index = IP6_DST1,
+	.offset = 22
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = 4,
+	.field_index = IP6_DST2,
+	.input_index = IP6_DST2,
+	.offset = 26
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = 4,
+	.field_index = IP6_DST3,
+	.input_index = IP6_DST3,
+	.offset = 30
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = IP6_SRCP,
+	.input_index = IP6_SRCP,
+	.offset = 34
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = IP6_DSTP,
+	.input_index = IP6_SRCP,
+	.offset = 36
+	}
+};
+
+RTE_ACL_RULE_DEF(acl6_rules, RTE_DIM(ip6_defs));
+
+const struct acl6_rules acl6_rules_out[] = {
+	{
+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+	/* destination IPv6 */
+	.field[5] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[6] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[7] = {.value.u32 = 0x55555555, .mask_range.u32 = 32,},
+	.field[8] = {.value.u32 = 0x0, .mask_range.u32 = 0,},
+	/* source port */
+	.field[9] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[10] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 1},
+	/* destination IPv6 */
+	.field[5] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[6] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[7] = {.value.u32 = 0x66666666, .mask_range.u32 = 32,},
+	.field[8] = {.value.u32 = 0x0, .mask_range.u32 = 0,},
+	/* source port */
+	.field[9] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[10] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(25), .category_mask = 1, .priority = 1},
+	/* destination IPv6 */
+	.field[5] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[6] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[7] = {.value.u32 = 0xaaaaaaaa, .mask_range.u32 = 32,},
+	.field[8] = {.value.u32 = 0x0, .mask_range.u32 = 0,},
+	/* source port */
+	.field[9] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[10] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(26), .category_mask = 1, .priority = 1},
+	/* destination IPv6 */
+	.field[5] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[6] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[7] = {.value.u32 = 0xbbbbbbbb, .mask_range.u32 = 32,},
+	.field[8] = {.value.u32 = 0x0, .mask_range.u32 = 0,},
+	/* source port */
+	.field[9] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[10] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+const struct acl6_rules acl6_rules_in[] = {
+	{
+	.data = {.userdata = PROTECT(15), .category_mask = 1, .priority = 1},
+	/* destination IPv6 */
+	.field[5] = {.value.u32 = 0xffff0000, .mask_range.u32 = 32,},
+	.field[6] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[7] = {.value.u32 = 0x55555555, .mask_range.u32 = 32,},
+	.field[8] = {.value.u32 = 0x0, .mask_range.u32 = 0,},
+	/* source port */
+	.field[9] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[10] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(16), .category_mask = 1, .priority = 1},
+	/* destination IPv6 */
+	.field[5] = {.value.u32 = 0xffff0000, .mask_range.u32 = 32,},
+	.field[6] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[7] = {.value.u32 = 0x66666666, .mask_range.u32 = 32,},
+	.field[8] = {.value.u32 = 0x0, .mask_range.u32 = 0,},
+	/* source port */
+	.field[9] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[10] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(125), .category_mask = 1, .priority = 1},
+	/* destination IPv6 */
+	.field[5] = {.value.u32 = 0xffff0000, .mask_range.u32 = 32,},
+	.field[6] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[7] = {.value.u32 = 0xaaaaaaaa, .mask_range.u32 = 32,},
+	.field[8] = {.value.u32 = 0x0, .mask_range.u32 = 0,},
+	/* source port */
+	.field[9] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[10] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(126), .category_mask = 1, .priority = 1},
+	/* destination IPv6 */
+	.field[5] = {.value.u32 = 0xffff0000, .mask_range.u32 = 32,},
+	.field[6] = {.value.u32 = 0x0, .mask_range.u32 = 32,},
+	.field[7] = {.value.u32 = 0xbbbbbbbb, .mask_range.u32 = 32,},
+	.field[8] = {.value.u32 = 0x0, .mask_range.u32 = 0,},
+	/* source port */
+	.field[9] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[10] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+static inline void
+print_one_ip6_rule(const struct acl6_rules *rule, int32_t extra)
+{
+	uint8_t a, b, c, d;
+
+	uint32_t_to_char(rule->field[IP6_SRC0].value.u32,
+		&a, &b, &c, &d);
+	printf("%.2x%.2x:%.2x%.2x", a, b, c, d);
+	uint32_t_to_char(rule->field[IP6_SRC1].value.u32,
+		&a, &b, &c, &d);
+	printf(":%.2x%.2x:%.2x%.2x", a, b, c, d);
+	uint32_t_to_char(rule->field[IP6_SRC2].value.u32,
+		&a, &b, &c, &d);
+	printf(":%.2x%.2x:%.2x%.2x", a, b, c, d);
+	uint32_t_to_char(rule->field[IP6_SRC3].value.u32,
+		&a, &b, &c, &d);
+	printf(":%.2x%.2x:%.2x%.2x/%u ", a, b, c, d,
+			rule->field[IP6_SRC0].mask_range.u32
+			+ rule->field[IP6_SRC1].mask_range.u32
+			+ rule->field[IP6_SRC2].mask_range.u32
+			+ rule->field[IP6_SRC3].mask_range.u32);
+
+	uint32_t_to_char(rule->field[IP6_DST0].value.u32,
+		&a, &b, &c, &d);
+	printf("%.2x%.2x:%.2x%.2x", a, b, c, d);
+	uint32_t_to_char(rule->field[IP6_DST1].value.u32,
+		&a, &b, &c, &d);
+	printf(":%.2x%.2x:%.2x%.2x", a, b, c, d);
+	uint32_t_to_char(rule->field[IP6_DST2].value.u32,
+		&a, &b, &c, &d);
+	printf(":%.2x%.2x:%.2x%.2x", a, b, c, d);
+	uint32_t_to_char(rule->field[IP6_DST3].value.u32,
+		&a, &b, &c, &d);
+	printf(":%.2x%.2x:%.2x%.2x/%u ", a, b, c, d,
+			rule->field[IP6_DST0].mask_range.u32
+			+ rule->field[IP6_DST1].mask_range.u32
+			+ rule->field[IP6_DST2].mask_range.u32
+			+ rule->field[IP6_DST3].mask_range.u32);
+
+	printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
+		rule->field[IP6_SRCP].value.u16,
+		rule->field[IP6_SRCP].mask_range.u16,
+		rule->field[IP6_DSTP].value.u16,
+		rule->field[IP6_DSTP].mask_range.u16,
+		rule->field[IP6_PROTO].value.u8,
+		rule->field[IP6_PROTO].mask_range.u8);
+	if (extra)
+		printf("0x%x-0x%x-0x%x ",
+			rule->data.category_mask,
+			rule->data.priority,
+			rule->data.userdata);
+}
+
+static inline void
+dump_ip6_rules(const struct acl6_rules *rule, int32_t num, int32_t extra)
+{
+	int32_t i;
+
+	for (i = 0; i < num; i++, rule++) {
+		printf("\t%d:", i + 1);
+		print_one_ip6_rule(rule, extra);
+		printf("\n");
+	}
+}
+
+static struct rte_acl_ctx *
+acl6_init(const char *name, int32_t socketid, const struct acl6_rules *rules,
+		uint32_t rules_nb)
+{
+	char s[PATH_MAX];
+	struct rte_acl_param acl_param;
+	struct rte_acl_config acl_build_param;
+	struct rte_acl_ctx *ctx;
+
+	printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
+
+	memset(&acl_param, 0, sizeof(acl_param));
+
+	/* Create ACL contexts */
+	snprintf(s, sizeof(s), "%s_%d", name, socketid);
+
+	printf("IPv4 %s entries [%u]:\n", s, rules_nb);
+	dump_ip6_rules(rules, rules_nb, 1);
+
+	acl_param.name = s;
+	acl_param.socket_id = socketid;
+	acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ip6_defs));
+	acl_param.max_rule_num = MAX_ACL_RULE_NUM;
+
+	ctx = rte_acl_create(&acl_param);
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
+
+	if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
+				rules_nb) < 0)
+		rte_exit(EXIT_FAILURE, "add rules failed\n");
+
+	/* Perform builds */
+	memset(&acl_build_param, 0, sizeof(acl_build_param));
+
+	acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
+	acl_build_param.num_fields = RTE_DIM(ip6_defs);
+	memcpy(&acl_build_param.defs, ip6_defs, sizeof(ip6_defs));
+
+	if (rte_acl_build(ctx, &acl_build_param) != 0)
+		rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
+
+	rte_acl_dump(ctx);
+
+	return ctx;
+}
+
+void
+sp6_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t ep)
+{
+	const char *name;
+	const struct acl6_rules *rules_out, *rules_in;
+	uint32_t nb_out_rules, nb_in_rules;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->sp_ip6_in != NULL)
+		rte_exit(EXIT_FAILURE, "Inbound IPv6 SP DB for socket %u "
+				"already initialized\n", socket_id);
+
+	if (ctx->sp_ip6_out != NULL)
+		rte_exit(EXIT_FAILURE, "Outbound IPv6 SP DB for socket %u "
+				"already initialized\n", socket_id);
+
+	if (ep == 0) {
+		rules_out = acl6_rules_out;
+		nb_out_rules = RTE_DIM(acl6_rules_out);
+		rules_in = acl6_rules_in;
+		nb_in_rules = RTE_DIM(acl6_rules_in);
+	} else if (ep == 1) {
+		rules_out = acl6_rules_in;
+		nb_out_rules = RTE_DIM(acl6_rules_in);
+		rules_in = acl6_rules_out;
+		nb_in_rules = RTE_DIM(acl6_rules_out);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+				"Only 0 or 1 supported.\n", ep);
+
+	name = "sp_ip6_in";
+	ctx->sp_ip6_in = (struct sp_ctx *)acl6_init(name, socket_id,
+			rules_in, nb_in_rules);
+
+	name = "sp_ip6_out";
+	ctx->sp_ip6_out = (struct sp_ctx *)acl6_init(name, socket_id,
+			rules_out, nb_out_rules);
+}
-- 
2.5.5

  parent reply	other threads:[~2016-05-18 12:42 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-06 16:31 [dpdk-dev] [PATCH 0/9] IPSec example enhancements Sergio Gonzalez Monroy
2016-05-06 16:31 ` [dpdk-dev] [PATCH 1/9] examples/ipsec-secgw: fix esp padding check Sergio Gonzalez Monroy
2016-05-06 16:31 ` [dpdk-dev] [PATCH 2/9] examples/ipsec-secgw: fix stack smashing error Sergio Gonzalez Monroy
2016-05-06 16:31 ` [dpdk-dev] [PATCH 3/9] examples/ipsec-secgw: add build option and cleanup Sergio Gonzalez Monroy
2016-05-06 16:31 ` [dpdk-dev] [PATCH 4/9] examples/ipsec-secgw: rework ipsec execution loop Sergio Gonzalez Monroy
2016-05-06 16:31 ` [dpdk-dev] [PATCH 5/9] examples/ipsec-secgw: fix no sa found case Sergio Gonzalez Monroy
2016-05-06 16:31 ` [dpdk-dev] [PATCH 6/9] examples/ipsec-secgw: consistent config variable names Sergio Gonzalez Monroy
2016-05-06 16:31 ` [dpdk-dev] [PATCH 7/9] examples/ipsec-secgw: ipv6 support Sergio Gonzalez Monroy
2016-05-06 16:31 ` [dpdk-dev] [PATCH 8/9] examples/ipsec-secgw: transport mode support Sergio Gonzalez Monroy
2016-05-06 16:31 ` [dpdk-dev] [PATCH 9/9] doc: update ipsec sample guide Sergio Gonzalez Monroy
2016-05-10  9:21   ` Mcnamara, John
2016-05-18 12:42 ` [dpdk-dev] [PATCH v2 0/9] IPSec enhancements Sergio Gonzalez Monroy
2016-05-18 12:42   ` [dpdk-dev] [PATCH v2 1/9] examples/ipsec-secgw: fix esp padding check Sergio Gonzalez Monroy
2016-05-18 12:42   ` [dpdk-dev] [PATCH v2 2/9] examples/ipsec-secgw: fix stack smashing error Sergio Gonzalez Monroy
2016-05-18 12:42   ` [dpdk-dev] [PATCH v2 3/9] examples/ipsec-secgw: add build option and cleanup Sergio Gonzalez Monroy
2016-05-18 12:42   ` [dpdk-dev] [PATCH v2 4/9] examples/ipsec-secgw: rework ipsec execution loop Sergio Gonzalez Monroy
2016-06-07 12:50     ` De Lara Guarch, Pablo
2016-05-18 12:42   ` [dpdk-dev] [PATCH v2 5/9] examples/ipsec-secgw: fix no sa found case Sergio Gonzalez Monroy
2016-06-07 13:17     ` De Lara Guarch, Pablo
2016-05-18 12:42   ` [dpdk-dev] [PATCH v2 6/9] examples/ipsec-secgw: consistent config variable names Sergio Gonzalez Monroy
2016-05-18 12:42   ` Sergio Gonzalez Monroy [this message]
2016-06-07 16:10     ` [dpdk-dev] [PATCH v2 7/9] examples/ipsec-secgw: ipv6 support De Lara Guarch, Pablo
2016-05-18 12:42   ` [dpdk-dev] [PATCH v2 8/9] examples/ipsec-secgw: transport mode support Sergio Gonzalez Monroy
2016-05-18 12:42   ` [dpdk-dev] [PATCH v2 9/9] doc: update ipsec sample guide Sergio Gonzalez Monroy
2016-05-18 13:43     ` Mcnamara, John
2016-06-09  8:42   ` [dpdk-dev] [PATCH v3 0/9] IPSec Enhancements Sergio Gonzalez Monroy
2016-06-09  8:42     ` [dpdk-dev] [PATCH v3 1/9] examples/ipsec-secgw: fix esp padding check Sergio Gonzalez Monroy
2016-06-09  8:42     ` [dpdk-dev] [PATCH v3 2/9] examples/ipsec-secgw: fix stack smashing error Sergio Gonzalez Monroy
2016-06-09  8:42     ` [dpdk-dev] [PATCH v3 3/9] examples/ipsec-secgw: add build option and cleanup Sergio Gonzalez Monroy
2016-06-09  8:42     ` [dpdk-dev] [PATCH v3 4/9] examples/ipsec-secgw: rework ipsec execution loop Sergio Gonzalez Monroy
2016-06-09  8:42     ` [dpdk-dev] [PATCH v3 5/9] examples/ipsec-secgw: fix no sa found case Sergio Gonzalez Monroy
2016-06-09  8:42     ` [dpdk-dev] [PATCH v3 6/9] examples/ipsec-secgw: consistent config variable names Sergio Gonzalez Monroy
2016-06-09  8:42     ` [dpdk-dev] [PATCH v3 7/9] examples/ipsec-secgw: ipv6 support Sergio Gonzalez Monroy
2016-06-09  8:42     ` [dpdk-dev] [PATCH v3 8/9] examples/ipsec-secgw: transport mode support Sergio Gonzalez Monroy
2016-06-09  8:42     ` [dpdk-dev] [PATCH v3 9/9] doc: update ipsec sample guide Sergio Gonzalez Monroy
2016-06-09 11:11       ` Mcnamara, John
2016-06-09 11:58     ` [dpdk-dev] [PATCH v3 0/9] IPSec Enhancements De Lara Guarch, Pablo
2016-06-21 10:14       ` Thomas Monjalon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1463575330-8467-8-git-send-email-sergio.gonzalez.monroy@intel.com \
    --to=sergio.gonzalez.monroy@intel.com \
    --cc=dev@dpdk.org \
    --cc=john.mcnamara@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).