From: Anoob Joseph
To: Akhil Goyal, Declan Doherty, Radu Nicolau, Sergio Gonzalez Monroy
Cc: Jerin Jacob, Narayana Prasad, dev@dpdk.org
Date: Thu, 23 Nov 2017 11:19:28 +0000
Message-Id: <1511435969-5887-3-git-send-email-anoob.joseph@caviumnetworks.com>
In-Reply-To: <1511435969-5887-1-git-send-email-anoob.joseph@caviumnetworks.com>
References: <1511333716-11955-1-git-send-email-anoob.joseph@caviumnetworks.com> <1511435969-5887-1-git-send-email-anoob.joseph@caviumnetworks.com>
Subject: [dpdk-dev] [PATCH v3 2/2] examples/ipsec-secgw: add support for inline protocol

Adding support for inline protocol processing

In ingress side, application will receive regular IP packets, without
any IPsec related info. Application will do a selector check (SP-SA
check) by making use of the metadata from the packet. In egress side,
the plain packet would be submitted to the driver.
The packet will have optional metadata, which could be used to identify the security session associated with the packet. Signed-off-by: Anoob Joseph --- v3: * Using (void *)userdata instead of 64 bit metadata in conf * Changes parallel to the change in API v2: * Using get_pkt_metadata API instead of get_session & get_cookie APIs examples/ipsec-secgw/esp.c | 6 +- examples/ipsec-secgw/ipsec-secgw.c | 40 +++++++++++- examples/ipsec-secgw/ipsec.c | 121 +++++++++++++++++++++++++++++++------ 3 files changed, 145 insertions(+), 22 deletions(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index c3efe52..561f873 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -178,7 +178,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, RTE_ASSERT(sa != NULL); RTE_ASSERT(cop != NULL); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || + (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { if (m->ol_flags & PKT_RX_SEC_OFFLOAD) { if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) cop->status = RTE_CRYPTO_OP_STATUS_ERROR; @@ -474,7 +475,8 @@ esp_outbound_post(struct rte_mbuf *m, RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || + (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { m->ol_flags |= PKT_TX_SEC_OFFLOAD; } else { RTE_ASSERT(cop != NULL); diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index c98454a..c79e1c2 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c 
@@ -265,6 +265,38 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) RTE_LOG(ERR, IPSEC, "Unsupported packet type\n"); rte_pktmbuf_free(pkt); } + + /* Check if the packet has been processed inline. For inline protocol + * processed packets, metadata from the packet need to be obtained. + * This metadata will be the application registered "userdata" of the + * security session which processed the packet. + */ + + if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD) { + struct ipsec_sa *sa; + struct ipsec_mbuf_metadata *priv; + struct rte_security_ctx *ctx = (struct rte_security_ctx *) + rte_eth_dev_get_sec_ctx( + pkt->port); + + /* Get metadata from the packet. This will return application + * registered userdata of the security session which processed + * the packet. Here, the userdata registered is the SA pointer. + */ + sa = (struct ipsec_sa *)rte_security_get_pkt_metadata(ctx, pkt); + + if (sa == NULL) { + /* userdata could not be retrieved */ + return; + } + + /* Save SA as priv member in mbuf. This will be used in the + * IPsec selector(SP-SA) check. + */ + + priv = get_priv(pkt); + priv->sa = sa; + } } static inline void @@ -401,11 +433,17 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, ip->pkts[j++] = m; continue; } - if (res & DISCARD || i < lim) { + if (res & DISCARD) { rte_pktmbuf_free(m); continue; } + /* Only check SPI match for processed IPSec packets */ + if (i < lim && ((m->ol_flags & PKT_RX_SEC_OFFLOAD) == 0)) { + rte_pktmbuf_free(m); + continue; + } + sa_idx = ip->res[i] & PROTECT_MASK; if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) { rte_pktmbuf_free(m); diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 70ed227..3ad3692 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c 
@@ -46,6 +46,27 @@ #include "ipsec.h" #include "esp.h" +static inline void +set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) +{ + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + struct rte_security_ipsec_tunnel_param *tunnel = + &ipsec->tunnel; + if (sa->flags == IP4_TUNNEL) { + tunnel->type = + RTE_SECURITY_IPSEC_TUNNEL_IPV4; + tunnel->ipv4.ttl = IPDEFTTL; + + memcpy((uint8_t *)&tunnel->ipv4.src_ip, + (uint8_t *)&sa->src.ip.ip4, 4); + + memcpy((uint8_t *)&tunnel->ipv4.dst_ip, + (uint8_t *)&sa->dst.ip.ip4, 4); + } + /* TODO support for Transport and IPV6 tunnel */ + } +} + static inline int create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) { @@ -95,7 +116,8 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) RTE_SECURITY_IPSEC_SA_MODE_TUNNEL : RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, } }, - .crypto_xform = sa->xforms + .crypto_xform = sa->xforms, + .userdata = NULL, }; @@ -104,23 +126,8 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) rte_cryptodev_get_sec_ctx( ipsec_ctx->tbl[cdev_id_qp].id); - if (sess_conf.ipsec.mode == - RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { - struct rte_security_ipsec_tunnel_param *tunnel = - &sess_conf.ipsec.tunnel; - if (sa->flags == IP4_TUNNEL) { - tunnel->type = - RTE_SECURITY_IPSEC_TUNNEL_IPV4; - tunnel->ipv4.ttl = IPDEFTTL; - - memcpy((uint8_t *)&tunnel->ipv4.src_ip, - (uint8_t *)&sa->src.ip.ip4, 4); - - memcpy((uint8_t *)&tunnel->ipv4.dst_ip, - (uint8_t *)&sa->dst.ip.ip4, 4); - } - /* TODO support for Transport and IPV6 tunnel */ - } + /* Set IPsec parameters in conf */ + set_ipsec_conf(sa, &(sess_conf.ipsec)); sa->sec_session = rte_security_session_create(ctx, &sess_conf, ipsec_ctx->session_pool); 
@@ -206,6 +213,70 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) err.message); return -1; } + } else if (sa->type == + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { + struct rte_security_ctx *ctx = + (struct rte_security_ctx *) + rte_eth_dev_get_sec_ctx(sa->portid); + const struct rte_security_capability *sec_cap; + + if (ctx == NULL) { + RTE_LOG(ERR, IPSEC, + "Ethernet device doesn't have security features registered\n"); + return -1; + } + + /* Set IPsec parameters in conf */ + set_ipsec_conf(sa, &(sess_conf.ipsec)); + + /* Save SA as userdata for the security session. When + * the packet is received, this userdata will be + * retrieved as the metadata from the packet. + * + * This is required only for inbound SAs. + */ + + if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + sess_conf.userdata = (void *) sa; + + sa->sec_session = rte_security_session_create(ctx, + &sess_conf, ipsec_ctx->session_pool); + if (sa->sec_session == NULL) { + RTE_LOG(ERR, IPSEC, + "SEC Session init failed: err: %d\n", ret); + return -1; + } + + sec_cap = rte_security_capabilities_get(ctx); + + if (sec_cap == NULL) { + RTE_LOG(ERR, IPSEC, + "No capabilities registered\n"); + return -1; + } + + /* iterate until ESP tunnel*/ + while (sec_cap->action != + RTE_SECURITY_ACTION_TYPE_NONE) { + + if (sec_cap->action == sa->type && + sec_cap->protocol == + RTE_SECURITY_PROTOCOL_IPSEC && + sec_cap->ipsec.mode == + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && + sec_cap->ipsec.direction == sa->direction) + break; + sec_cap++; + } + + if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) { + RTE_LOG(ERR, IPSEC, + "No suitable security capability found\n"); + return -1; + } + + sa->ol_flags = sec_cap->ol_flags; + sa->security_ctx = ctx; } } else { sa->crypto_session = rte_cryptodev_sym_session_create( 
@@ -323,7 +394,19 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, } break; case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: - break; + if ((unlikely(sa->sec_session == NULL)) && + create_session(ipsec_ctx, sa)) { + rte_pktmbuf_free(pkts[i]); + continue; + } + + cqp = &ipsec_ctx->tbl[sa->cdev_id_qp]; + cqp->ol_pkts[cqp->ol_pkts_cnt++] = pkts[i]; + if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) + rte_security_set_pkt_metadata( + sa->security_ctx, + sa->sec_session, pkts[i], NULL); + continue; case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; -- 2.7.4
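Review bot: In the first ipsec-secgw.c hunk (prepare_one_packet), the new `pkt->ol_flags & PKT_RX_SEC_OFFLOAD` test sits after the branch that logs "Unsupported packet type" and calls rte_pktmbuf_free(pkt), so on that path it reads an mbuf that has already been freed. Add a return after the free, or move the offload check ahead of the packet-type dispatch. The ctx returned by rte_eth_dev_get_sec_ctx(pkt->port) is also passed to rte_security_get_pkt_metadata() without the NULL check that create_session() applies to the same call, and the bare return on sa == NULL leaves priv->sa unset with no log line; the comment should say how later stages treat such a packet.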
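Review bot: In the inbound_sp_sa hunk, the new condition `i < lim && ((m->ol_flags & PKT_RX_SEC_OFFLOAD) == 0)` looks only at PKT_RX_SEC_OFFLOAD, so a packet that also carries PKT_RX_SEC_OFFLOAD_FAILED (the flag the esp.c hunk maps to RTE_CRYPTO_OP_STATUS_ERROR) passes this test and goes on to inbound_sa_check(). Either drop failed-offload packets here or note where they are dropped on the inline protocol path. The comment "Only check SPI match for processed IPSec packets" does not say what `i < lim` selects, which makes the change from the old `res & DISCARD || i < lim` hard to audit.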
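Review bot: In the new set_ipsec_conf() at the top of ipsec.c, a tunnel-mode SA that is not IP4_TUNNEL falls through to the TODO and returns with the tunnel parameters unset, and because the function is void the caller cannot tell. The inline protocol branch now calls it right before rte_security_session_create(), so consider returning an error for the unsupported cases and having create_session() refuse the SA instead of creating a session from a partly filled conf.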
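Review bot: In the INLINE_PROTOCOL branch added to create_session(), the capability lookup runs after rte_security_session_create(), and both failure exits ("No capabilities registered", "No suitable security capability found") return -1 with sa->sec_session still set. ipsec_enqueue() calls create_session() only when sa->sec_session == NULL, so the next packet on this SA skips it and is queued with sa->ol_flags and sa->security_ctx never filled in. Do the capability match before creating the session, or destroy the session and reset sa->sec_session on those paths. The "SEC Session init failed: err: %d" log also prints ret, which nothing in this branch assigns.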
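Review bot: In the ipsec_enqueue hunk, the INLINE_PROTOCOL case stores pkts[i] in cqp->ol_pkts before calling rte_security_set_pkt_metadata() and discards that call's return value, so when the device reports RTE_SECURITY_TX_OLOAD_NEED_MDATA and the call fails, the packet stays queued without the session association the device asked for. Set the metadata first and free the packet on error, the way the create_session() failure just above it does. `cqp->ol_pkts_cnt++` is also unchecked in these lines; a bound check, or a comment on where the array is drained, would help.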