* [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
@ 2016-01-29 20:29 Sergio Gonzalez Monroy
2016-01-31 14:39 ` Jerin Jacob
` (2 more replies)
0 siblings, 3 replies; 15+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-01-29 20:29 UTC (permalink / raw)
To: dev
Sample app implementing an IPsec Security Geteway.
The main goal of this app is to show the use of cryptodev framework
in a real world application.
Currently only supported static IPv4 IPsec tunnels using AES-CBC
and HMAC-SHA1.
Also, currently not supported:
- SA auto negotiation (No IKE support)
- chained mbufs
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
---
MAINTAINERS | 4 +
doc/guides/sample_app_ug/index.rst | 1 +
doc/guides/sample_app_ug/ipsec_secgw.rst | 440 +++++++++++
examples/Makefile | 2 +
examples/ipsec-secgw/Makefile | 58 ++
examples/ipsec-secgw/esp.c | 256 +++++++
examples/ipsec-secgw/esp.h | 66 ++
examples/ipsec-secgw/ipip.h | 100 +++
examples/ipsec-secgw/ipsec-secgw.c | 1218 ++++++++++++++++++++++++++++++
examples/ipsec-secgw/ipsec.c | 138 ++++
examples/ipsec-secgw/ipsec.h | 184 +++++
examples/ipsec-secgw/rt.c | 131 ++++
examples/ipsec-secgw/sa.c | 391 ++++++++++
examples/ipsec-secgw/sp.c | 324 ++++++++
14 files changed, 3313 insertions(+)
create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst
create mode 100644 examples/ipsec-secgw/Makefile
create mode 100644 examples/ipsec-secgw/esp.c
create mode 100644 examples/ipsec-secgw/esp.h
create mode 100644 examples/ipsec-secgw/ipip.h
create mode 100644 examples/ipsec-secgw/ipsec-secgw.c
create mode 100644 examples/ipsec-secgw/ipsec.c
create mode 100644 examples/ipsec-secgw/ipsec.h
create mode 100644 examples/ipsec-secgw/rt.c
create mode 100644 examples/ipsec-secgw/sa.c
create mode 100644 examples/ipsec-secgw/sp.c
diff --git a/MAINTAINERS b/MAINTAINERS
index b90aeea..996eda6 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst
M: Pablo de Lara <pablo.de.lara.guarch@intel.com>
M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
F: examples/ptpclient/
+
+M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
+F: doc/guides/sample_app_ug/ipsec-secgw.rst
+F: examples/ipsec-secgw/
diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst
index 8a646dd..88375d2 100644
--- a/doc/guides/sample_app_ug/index.rst
+++ b/doc/guides/sample_app_ug/index.rst
@@ -73,6 +73,7 @@ Sample Applications User Guide
proc_info
ptpclient
performance_thread
+ ipsec_secgw
**Figures**
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
new file mode 100644
index 0000000..7be3f7e
--- /dev/null
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -0,0 +1,440 @@
+.. BSD LICENSE
+ Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ * Neither the name of Intel Corporation nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+IPsec Security Gateway Sample Application
+=========================================
+
+The IPsec Security Gateway application is a minimal example of real work
+application using DPDK cryptodev framework.
+
+Overview
+--------
+
+The application demonstrates the implementation of a minimal Security Gateway
+(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and
+RFC2404.
+
+Note that IKE is not supported (therefore not IPsec compliant), so only manual
+setting of Security Policies and Associations is allowed.
+
+The Security Policies (SP) are implemented as ACL rules, the Security
+Associations (SA) are stored in a table and the Routing is implemented
+using LPM.
+
+The application splits the ports between Protected and Unprotected.
+Based on the port the trafic is coming from, the traffic would be consider
+IPsec Inbound or Outbound.
+Traffic from Unprotected ports is consider IPsec Inbound, and traffic from
+Protected ports is consider IPsec Outbound.
+
+Path for IPsec Inbound traffic:
+* Read packets from the port
+* Classify packets between IPv4 and ESP.
+* Inbound SA lookup for ESP packets based on their SPI
+* Verification/Decryption
+* Removal of ESP and outter IP header
+* Inbound SP check using ACL of decrypted packets and any other IPv4 packet
+we read.
+* Routing
+* Write packet to port
+
+Path for IPsec Outbound traffic:
+* Read packets from the port
+* Outbound SP check using ACL of all IPv4 traffic
+* Outbound SA lookup for packets that need IPsec protection
+* Add ESP and outter IP header
+* Encryption/Digest
+* Routing
+* Write packet to port
+
+Constraints
+-----------
+* IPv4 traffic
+* ESP tunnel mode
+* EAS-CBC and HMAC-SHA1
+* Each SA must be handle by a unique lcore (1 RX queue per port)
+* No chained mbufs
+
+Compiling the Application
+-------------------------
+
+To compile the application:
+
+#. Go to the sample application directory:
+
+ .. code-block:: console
+
+ export RTE_SDK=/path/to/rte_sdk
+ cd ${RTE_SDK}/examples/ipsec-secgw
+
+#. Set the target (a default target is used if not specified). For example:
+
+ .. code-block:: console
+
+ export RTE_TARGET=x86_64-native-linuxapp-gcc
+
+ See the *DPDK Getting Started Guide* for possible RTE_TARGET values.
+
+#. Build the application:
+
+ .. code-block:: console
+
+ make
+
+Running the Application
+-----------------------
+
+The application has a number of command line options:
+
+.. code-block:: console
+
+ ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config
+ (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT
+
+where,
+
+* -p PORTMASK: Hexadecimal bitmask of ports to configure
+
+* -P: optional, sets all ports to promiscuous mode so that packets are
+ accepted regardless of the packet's Ethernet MAC destination address.
+ Without this option, only packets with the Ethernet MAC destination address
+ set to the Ethernet address of the port are accepted (default is enabled).
+
+* -u PORTMASK: hexadecimal bitmask of unprotected ports
+
+* --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues
+ from which ports are mapped to which cores
+
+* --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto
+
+* --EP0: configure the app as Endpoint 0.
+
+* --EP1: configure the app as Endpoint 1.
+
+Either --EP0 or --EP1 must be specified.
+
+The mapping of lcores to port/queues is similar to other l3fwd applications.
+
+For example, given the following command line:
+.. code-block:: console
+
+ ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3
+ --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0
+
+where each options means:
+
+* The -l option enables cores 20 and 21
+
+* The -n option sets memory 4 channels
+
+* The --socket-mem to use 2GB on socket 1
+
+* The -p option enables ports (detected) 0, 1, 2 and 3
+
+* The -P option enables promiscous mode
+
+* The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected
+
+* The --config option enables one queue per port with the following mapping:
+
++----------+-----------+-----------+---------------------------------------+
+| **Port** | **Queue** | **lcore** | **Description** |
+| | | | |
++----------+-----------+-----------+---------------------------------------+
+| 0 | 0 | 20 | Map queue 0 from port 0 to lcore 20. |
+| | | | |
++----------+-----------+-----------+---------------------------------------+
+| 1 | 0 | 20 | Map queue 0 from port 1 to lcore 20. |
+| | | | |
++----------+-----------+-----------+---------------------------------------+
+| 2 | 0 | 21 | Map queue 0 from port 2 to lcore 21. |
+| | | | |
++----------+-----------+-----------+---------------------------------------+
+| 3 | 0 | 21 | Map queue 0 from port 3 to lcore 21. |
+| | | | |
++----------+-----------+-----------+---------------------------------------+
+
+Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options.
+
+Configurations
+--------------
+
+The following sections provide some details on the default values used to
+initialize the SP, SA and Routing tables.
+Currently all the configuration is hardcoded into the application.
+
+Security Policy Initialization
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As mention in the overview, the Security Policies are ACL rules.
+There are two ACLs, Inbound and Outboud.
+The application would also replicate the set of two ACLs per socket in use.
+
+Following are the default rules:
+
+Endpoint 0 Outbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst** | **proto** | **SA idx** |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.105.0/24 | Any | 5 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.106.0/24 | Any | 6 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.107.0/24 | Any | 7 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.108.0/24 | Any | 8 |
+| | | | |
++---------+------------------+-----------+------------+
+
+Endpoint 0 Inbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst** | **proto** | **SA idx** |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.115.0/24 | Any | 5 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.116.0/24 | Any | 6 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.117.0/24 | Any | 7 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.118.0/24 | Any | 8 |
+| | | | |
++---------+------------------+-----------+------------+
+
+Endpoint 1 Outbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst** | **proto** | **SA idx** |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.115.0/24 | Any | 5 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.116.0/24 | Any | 6 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.117.0/24 | Any | 7 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.118.0/24 | Any | 8 |
+| | | | |
++---------+------------------+-----------+------------+
+
+Endpoint 1 Inbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst** | **proto** | **SA idx** |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.105.0/24 | Any | 5 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.106.0/24 | Any | 6 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.107.0/24 | Any | 7 |
+| | | | |
++---------+------------------+-----------+------------+
+| Any | 192.168.108.0/24 | Any | 8 |
+| | | | |
++---------+------------------+-----------+------------+
+
+
+Security Association Initialization
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The SAs are kept in a array table.
+
+For Inbound, the SPI is used as index module the table size.
+This means that on a table for 100 SA, SPI 5 and 105 would use the same index
+and that is not currently supported.
+
+Notice that it is not an issue for Outbound traffic as we store the index and
+not the SPI in the Security Policy.
+
+All SAs are configured with the same cipher algo, block size and key (AES-CBC
+16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B
+digest).
+
+Following are the default values:
+
+Endpoint 0 Outbound Security Associations:
+
++---------+----------------+------------------+
+| **SPI** | **Tunnel src** | **Tunnel dst** |
+| | | |
++---------+----------------+------------------+
+| 5 | 172.16.1.5 | 172.16.2.5 |
+| | | |
++---------+----------------+------------------+
+| 6 | 172.16.1.6 | 172.16.2.6 |
+| | | |
++---------+----------------+------------------+
+| 7 | 172.16.1.7 | 172.16.2.7 |
+| | | |
++---------+----------------+------------------+
+| 8 | 172.16.1.8 | 172.16.2.8 |
+| | | |
++---------+----------------+------------------+
+
+Endpoint 0 Inbound Security Associations:
+
++---------+----------------+------------------+
+| **SPI** | **Tunnel src** | **Tunnel dst** |
+| | | |
++---------+----------------+------------------+
+| 5 | 172.16.2.5 | 172.16.1.5 |
+| | | |
++---------+----------------+------------------+
+| 6 | 172.16.2.6 | 172.16.1.6 |
+| | | |
++---------+----------------+------------------+
+| 7 | 172.16.2.7 | 172.16.1.7 |
+| | | |
++---------+----------------+------------------+
+| 8 | 172.16.2.8 | 172.16.1.8 |
+| | | |
++---------+----------------+------------------+
+
+Endpoint 1 Outbound Security Associations:
+
++---------+----------------+------------------+
+| **SPI** | **Tunnel src** | **Tunnel dst** |
+| | | |
++---------+----------------+------------------+
+| 5 | 172.16.2.5 | 172.16.1.5 |
+| | | |
++---------+----------------+------------------+
+| 6 | 172.16.2.6 | 172.16.1.6 |
+| | | |
++---------+----------------+------------------+
+| 7 | 172.16.2.7 | 172.16.1.7 |
+| | | |
++---------+----------------+------------------+
+| 8 | 172.16.2.8 | 172.16.1.8 |
+| | | |
++---------+----------------+------------------+
+
+Endpoint 1 Inbound Security Associations:
+
++---------+----------------+------------------+
+| **SPI** | **Tunnel src** | **Tunnel dst** |
+| | | |
++---------+----------------+------------------+
+| 5 | 172.16.1.5 | 172.16.2.5 |
+| | | |
++---------+----------------+------------------+
+| 6 | 172.16.1.6 | 172.16.2.6 |
+| | | |
++---------+----------------+------------------+
+| 7 | 172.16.1.7 | 172.16.2.7 |
+| | | |
++---------+----------------+------------------+
+| 8 | 172.16.1.8 | 172.16.2.8 |
+| | | |
++---------+----------------+------------------+
+
+Routing Initialization
+~~~~~~~~~~~~~~~~~~~~~~
+
+The Routing is implemented using LPM table.
+
+Following default values:
+
+Endpoint 0 Routing Table:
+
++------------------+----------+
+| **Dst addr** | **Port** |
+| | |
++------------------+----------+
+| 172.16.2.5/32 | 0 |
+| | |
++------------------+----------+
+| 172.16.2.6/32 | 0 |
+| | |
++------------------+----------+
+| 172.16.2.7/32 | 1 |
+| | |
++------------------+----------+
+| 172.16.2.8/32 | 1 |
+| | |
++------------------+----------+
+| 192.168.115.0/24 | 2 |
+| | |
++------------------+----------+
+| 192.168.116.0/24 | 2 |
+| | |
++------------------+----------+
+| 192.168.117.0/24 | 3 |
+| | |
++------------------+----------+
+| 192.168.118.0/24 | 3 |
+| | |
++------------------+----------+
+
+Endpoint 1 Routing Table:
+
++------------------+----------+
+| **Dst addr** | **Port** |
+| | |
++------------------+----------+
+| 172.16.1.5/32 | 2 |
+| | |
++------------------+----------+
+| 172.16.1.6/32 | 2 |
+| | |
++------------------+----------+
+| 172.16.1.7/32 | 3 |
+| | |
++------------------+----------+
+| 172.16.1.8/32 | 3 |
+| | |
++------------------+----------+
+| 192.168.105.0/24 | 0 |
+| | |
++------------------+----------+
+| 192.168.106.0/24 | 0 |
+| | |
++------------------+----------+
+| 192.168.107.0/24 | 1 |
+| | |
++------------------+----------+
+| 192.168.108.0/24 | 1 |
+| | |
++------------------+----------+
diff --git a/examples/Makefile b/examples/Makefile
index 1cb4785..65ce6ce 100644
--- a/examples/Makefile
+++ b/examples/Makefile
@@ -1,6 +1,7 @@
# BSD LICENSE
#
# Copyright(c) 2014 6WIND S.A.
+# Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
@@ -78,5 +79,6 @@ DIRS-y += vmdq
DIRS-y += vmdq_dcb
DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager
DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto
+DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw
include $(RTE_SDK)/mk/rte.extsubdir.mk
diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
new file mode 100644
index 0000000..5f893b8
--- /dev/null
+++ b/examples/ipsec-secgw/Makefile
@@ -0,0 +1,58 @@
+# BSD LICENSE
+#
+# Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+# * Neither the name of Intel Corporation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ifeq ($(RTE_SDK),)
+ $(error "Please define RTE_SDK environment variable")
+endif
+
+# Default target, can be overridden by command line or environment
+RTE_TARGET ?= x86_64-native-linuxapp-gcc
+
+include $(RTE_SDK)/mk/rte.vars.mk
+
+APP = ipsec-secgw
+
+CFLAGS += -O3 -gdwarf-2
+CFLAGS += $(WERROR_FLAGS)
+
+VPATH += $(SRCDIR)/librte_ipsec
+
+#
+# all source are stored in SRCS-y
+#
+SRCS-y += ipsec.c
+SRCS-y += esp.c
+SRCS-y += sp.c
+SRCS-y += sa.c
+SRCS-y += rt.c
+SRCS-y += ipsec-secgw.c
+
+include $(RTE_SDK)/mk/rte.extapp.mk
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
new file mode 100644
index 0000000..1be0621
--- /dev/null
+++ b/examples/ipsec-secgw/esp.c
@@ -0,0 +1,256 @@
+/*-
+ * BSD LICENSE
+ *
+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <netinet/ip.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <rte_memcpy.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_random.h>
+
+#include "ipsec.h"
+#include "esp.h"
+#include "ipip.h"
+
+static inline void
+random_iv_u64(uint64_t *buf, uint16_t n)
+{
+ unsigned left = n & 0x7;
+ unsigned i;
+
+ IPSEC_ASSERT((n & 0x3) == 0);
+
+ for (i = 0; i < (n >> 3); i++)
+ buf[i] = rte_rand();
+
+ if (left)
+ *((uint32_t *)&buf[i]) = (uint32_t)lrand48();
+}
+
+/* IPv4 Tunnel */
+int
+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+ struct rte_crypto_op *cop)
+{
+ uint16_t digest_len, esp_len, iphdr_len;
+ int32_t payload_len;
+
+ IPSEC_ASSERT(m != NULL);
+
+ iphdr_len = sizeof(struct ip);
+ esp_len = sizeof(struct esp_hdr) + sa->iv_len;
+ digest_len = sa->digest_len;
+ payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len;
+
+ if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
+ IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n",
+ payload_len, sa->block_size);
+ return -EINVAL;
+ }
+
+ cop->data.to_cipher.offset = iphdr_len + esp_len;
+ cop->data.to_cipher.length = payload_len;
+
+ cop->data.to_hash.offset = iphdr_len;
+ if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM)
+ cop->data.to_hash.length = esp_len - sa->iv_len;
+ else
+ cop->data.to_hash.length = esp_len + payload_len;
+
+ cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
+ iphdr_len + esp_len - sa->iv_len);
+ cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
+ iphdr_len + esp_len - sa->iv_len);
+
+ cop->iv.length = sa->iv_len;
+
+ cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
+ iphdr_len + esp_len + payload_len);
+ cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
+ iphdr_len + esp_len + payload_len);
+ cop->digest.length = digest_len;
+
+ return 0;
+}
+
+int
+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+ struct rte_crypto_op *cop)
+{
+ uint16_t digest_len, esp_len, iphdr_len;
+ uint8_t *nexthdr, *pad_len;
+ uint8_t *padding;
+ uint16_t i;
+
+ IPSEC_ASSERT(m != NULL);
+
+ iphdr_len = sizeof(struct ip);
+ esp_len = sizeof(struct esp_hdr) + sa->iv_len;
+ digest_len = sa->digest_len;
+
+ if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+ IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
+ return -1;
+ }
+
+ nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
+ rte_pktmbuf_pkt_len(m) - digest_len - 1);
+ pad_len = nexthdr - 1;
+
+ padding = pad_len - *pad_len;
+ for (i = 0; i < *pad_len; i++) {
+ if (padding[i] != i) {
+ IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n");
+ return -EINVAL;
+ }
+ }
+
+ if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) {
+ IPSEC_LOG(ERR, IPSEC_ESP,
+ "failed to remove pad_len + digest\n");
+ return -EINVAL;
+ }
+
+ return ip4ip_inbound(m, iphdr_len + esp_len);
+}
+
+int
+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+ struct rte_crypto_op *cop)
+{
+ uint16_t digest_len, esp_len, payload_len, block_sz, pad_len;
+ int32_t pad_payload_len;
+ struct ip *ip;
+ struct esp_hdr *esp;
+ int i;
+ char *padding;
+
+ rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE);
+ rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *));
+
+ IPSEC_ASSERT(m != NULL);
+ IPSEC_ASSERT(sa != NULL);
+
+ /* Payload length */
+ payload_len = rte_pktmbuf_pkt_len(m);
+
+ block_sz = sa->block_size;
+
+ /* Per RFC4303:
+ * padded payload needs to be multiple of 4 bytes.
+ * All application supported block sizes must be power of 2
+ */
+ pad_len = (payload_len + 2) & (block_sz - 1);
+ pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2;
+
+ /* Padded payload length */
+ pad_payload_len = payload_len + pad_len;
+ /* ESP header length */
+ esp_len = sizeof(struct esp_hdr) + sa->iv_len;
+ /* Digest length */
+ digest_len = sa->digest_len;
+
+ IPSEC_LOG(DEBUG, IPSEC_ESP,
+ "pktlen %u, esp_len %u, digest_len %u, payload_len %u,"
+ " pad_payload_len %u, block_sz %u, pad_len %u\n",
+ rte_pktmbuf_pkt_len(m), esp_len, digest_len,
+ payload_len, pad_payload_len, block_sz, pad_len);
+
+ /* Check maximum packet size */
+ if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) {
+ IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n");
+ return -EINVAL;
+ }
+
+ padding = rte_pktmbuf_append(m, pad_len + digest_len);
+
+ IPSEC_ASSERT(padding != NULL);
+
+ ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst);
+
+ esp = (struct esp_hdr *)(ip + 1);
+ esp->spi = sa->spi;
+
+ esp->seq = htonl(sa->seq++);
+
+ IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m));
+
+ /* Fill pad_len using default sequential scheme */
+ for (i = 0; i < pad_len - 2; i++)
+ padding[i] = i + 1;
+
+ padding[pad_len - 2] = pad_len - 2;
+ padding[pad_len - 1] = IPPROTO_IPIP;
+ ip->ip_p = IPPROTO_ESP;
+
+ cop->data.to_cipher.offset = sizeof(struct ip) + esp_len;
+ cop->data.to_cipher.length = pad_payload_len;
+
+ cop->data.to_hash.offset = sizeof(struct ip);
+ cop->data.to_hash.length = esp_len + pad_payload_len;
+
+ cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
+ sizeof(struct ip) + esp_len - sa->iv_len);
+ cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
+ sizeof(struct ip) + esp_len - sa->iv_len);
+ cop->iv.length = sa->iv_len;
+
+ cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
+ sizeof(struct ip) + esp_len + pad_payload_len);
+ cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
+ sizeof(struct ip) + esp_len + pad_payload_len);
+ cop->digest.length = digest_len;
+
+ random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length);
+
+ return 0;
+}
+
+int
+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused,
+ struct ipsec_sa *sa __rte_unused,
+ struct rte_crypto_op *cop)
+{
+ if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+ IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
+ return -1;
+ }
+
+ return 0;
+}
diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h
new file mode 100644
index 0000000..d7c8ba6
--- /dev/null
+++ b/examples/ipsec-secgw/esp.h
@@ -0,0 +1,66 @@
+/*-
+ * BSD LICENSE
+ *
+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef __RTE_IPSEC_XFORM_ESP_H__
+#define __RTE_IPSEC_XFORM_ESP_H__
+
+struct mbuf;
+
+/* RFC4303 */
+struct esp_hdr {
+ uint32_t spi;
+ uint32_t seq;
+ /* Payload */
+ /* Padding */
+ /* Pad Length */
+ /* Next Header */
+ /* Integrity Check Value - ICV */
+};
+
+/* IPv4 Tunnel */
+int
+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+ struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+ struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+ struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+ struct rte_crypto_op *cop);
+
+#endif /* __RTE_IPSEC_XFORM_ESP_H__ */
diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h
new file mode 100644
index 0000000..16c5dfb
--- /dev/null
+++ b/examples/ipsec-secgw/ipip.h
@@ -0,0 +1,100 @@
+/*-
+ * BSD LICENSE
+ *
+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __IPIP_H__
+#define __IPIP_H__
+
+#include <stdint.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_mbuf.h>
+
+static inline struct ip *
+ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst)
+{
+ struct ip *inip, *outip;
+
+ inip = rte_pktmbuf_mtod(m, struct ip*);
+
+ IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+
+ offset += sizeof(struct ip);
+
+ outip = (struct ip *)rte_pktmbuf_prepend(m, offset);
+
+ IPSEC_ASSERT(outip != NULL);
+
+ /* Per RFC4301 5.1.2.1 */
+ outip->ip_len = htons(rte_pktmbuf_data_len(m));
+ outip->ip_v = IPVERSION;
+ outip->ip_hl = 5;
+ outip->ip_tos = inip->ip_tos;
+
+ outip->ip_id = 0;
+ outip->ip_off = 0;
+
+ outip->ip_ttl = IPDEFTTL;
+
+ outip->ip_dst.s_addr = dst;
+ outip->ip_src.s_addr = src;
+
+ return outip;
+}
+
+static inline int
+ip4ip_inbound(struct rte_mbuf *m, uint32_t offset)
+{
+ struct ip *inip;
+ struct ip *outip;
+
+ outip = rte_pktmbuf_mtod(m, struct ip*);
+
+ IPSEC_ASSERT(outip->ip_v == IPVERSION);
+
+ offset += sizeof(struct ip);
+ inip = (struct ip *)rte_pktmbuf_adj(m, offset);
+ IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+
+ /* Check packet is still bigger than IP header (inner) */
+ IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip));
+
+ /* RFC4301 5.1.2.1 Note 6 */
+ if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) &&
+ ((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE))
+ inip->ip_tos |= htons(IPTOS_ECN_CE);
+
+ return 0;
+}
+
+#endif /* __IPIP_H__ */
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
new file mode 100644
index 0000000..d2e8972
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -0,0 +1,1218 @@
+/*-
+ * BSD LICENSE
+ *
+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <inttypes.h>
+#include <sys/types.h>
+#include <string.h>
+#include <sys/queue.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <getopt.h>
+
+#include <rte_common.h>
+#include <rte_byteorder.h>
+#include <rte_log.h>
+#include <rte_eal.h>
+#include <rte_launch.h>
+#include <rte_atomic.h>
+#include <rte_cycles.h>
+#include <rte_prefetch.h>
+#include <rte_lcore.h>
+#include <rte_per_lcore.h>
+#include <rte_branch_prediction.h>
+#include <rte_interrupts.h>
+#include <rte_pci.h>
+#include <rte_random.h>
+#include <rte_debug.h>
+#include <rte_ether.h>
+#include <rte_ethdev.h>
+#include <rte_mempool.h>
+#include <rte_mbuf.h>
+#include <rte_acl.h>
+#include <rte_lpm.h>
+#include <rte_cryptodev.h>
+#include <rte_cryptodev.h>
+
+#include "ipsec.h"
+
+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
+
+#define MAX_JUMBO_PKT_LEN 9600
+
+#define MEMPOOL_CACHE_SIZE 256
+
+#define NB_MBUF (32000)
+
+#define CDEV_MP_NB_OBJS 2048
+#define CDEV_MP_CACHE_SZ 64
+#define MAX_QUEUE_PAIRS 1
+
+#define OPTION_CONFIG "config"
+#define OPTION_EP0 "ep0"
+#define OPTION_EP1 "ep1"
+#define OPTION_CDEV_TYPE "cdev"
+
+#define MAX_PKT_BURST 32
+#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */
+
+#define NB_SOCKETS 4
+
+/* Configure how many packets ahead to prefetch, when reading packets */
+#define PREFETCH_OFFSET 3
+
+#define MAX_RX_QUEUE_PER_LCORE 16
+
+#define MAX_LCORE_PARAMS 1024
+
+#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid))
+
+/*
+ * Configurable number of RX/TX ring descriptors
+ */
+#define IPSEC_SECGW_RX_DESC_DEFAULT 128
+#define IPSEC_SECGW_TX_DESC_DEFAULT 512
+static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
+static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
+
+#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+ (((uint64_t)((a) & 0xff) << 56) | \
+ ((uint64_t)((b) & 0xff) << 48) | \
+ ((uint64_t)((c) & 0xff) << 40) | \
+ ((uint64_t)((d) & 0xff) << 32) | \
+ ((uint64_t)((e) & 0xff) << 24) | \
+ ((uint64_t)((f) & 0xff) << 16) | \
+ ((uint64_t)((g) & 0xff) << 8) | \
+ ((uint64_t)(h) & 0xff))
+#else
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+ (((uint64_t)((h) & 0xff) << 56) | \
+ ((uint64_t)((g) & 0xff) << 48) | \
+ ((uint64_t)((f) & 0xff) << 40) | \
+ ((uint64_t)((e) & 0xff) << 32) | \
+ ((uint64_t)((d) & 0xff) << 24) | \
+ ((uint64_t)((c) & 0xff) << 16) | \
+ ((uint64_t)((b) & 0xff) << 8) | \
+ ((uint64_t)(a) & 0xff))
+#endif
+#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
+
+#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
+ addr.addr_bytes[0], addr.addr_bytes[1], \
+ addr.addr_bytes[2], addr.addr_bytes[3], \
+ addr.addr_bytes[4], addr.addr_bytes[5], \
+ 0, 0)
+
+/* port/source ethernet addr and destination ethernet addr */
+struct ethaddr_info {
+ uint64_t src, dst;
+};
+
+struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
+};
+
+/* mask of enabled ports */
+static uint32_t enabled_port_mask;
+static uint32_t unprotected_port_mask;
+static int promiscuous_on = 1;
+static int numa_on = 1; /**< NUMA is enabled by default. */
+static int ep = -1; /**< Endpoint configuration (0 or 1) */
+static unsigned cdev_type = -1;
+static unsigned nb_lcores;
+
+struct buffer {
+ uint16_t len;
+ struct rte_mbuf *m_table[MAX_PKT_BURST];
+};
+
+struct lcore_rx_queue {
+ uint8_t port_id;
+ uint8_t queue_id;
+} __rte_cache_aligned;
+
+struct lcore_params {
+ uint8_t port_id;
+ uint8_t queue_id;
+ uint8_t lcore_id;
+} __rte_cache_aligned;
+
+static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
+
+static struct lcore_params *lcore_params;
+static uint16_t nb_lcore_params;
+
+struct lcore_conf {
+ uint16_t nb_rx_queue;
+ struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE];
+ uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
+ struct buffer tx_mbufs[RTE_MAX_ETHPORTS];
+ uint16_t cdev;
+ uint16_t cdev_q;
+} __rte_cache_aligned;
+
+static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
+
+static struct rte_eth_conf port_conf = {
+ .rxmode = {
+ .mq_mode = ETH_MQ_RX_RSS,
+ .max_rx_pkt_len = ETHER_MAX_LEN,
+ .split_hdr_size = 0,
+ .header_split = 0, /**< Header Split disabled */
+ .hw_ip_checksum = 1, /**< IP checksum offload enabled */
+ .hw_vlan_filter = 0, /**< VLAN filtering disabled */
+ .jumbo_frame = 0, /**< Jumbo Frame Support disabled */
+ .hw_strip_crc = 0, /**< CRC stripped by hardware */
+ },
+ .rx_adv_conf = {
+ .rss_conf = {
+ .rss_key = NULL,
+ .rss_hf = ETH_RSS_IP | ETH_RSS_UDP |
+ ETH_RSS_TCP | ETH_RSS_SCTP,
+ },
+ },
+ .txmode = {
+ .mq_mode = ETH_MQ_TX_NONE,
+ },
+};
+
+static struct socket_ctx socket_ctx[NB_SOCKETS];
+
+struct traffic_type {
+ const uint8_t *data[MAX_PKT_BURST * 2];
+ struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
+ uint32_t res[MAX_PKT_BURST * 2];
+ uint32_t num;
+};
+
+struct ipsec_traffic {
+ struct traffic_type ipsec4;
+ struct traffic_type ipv4;
+};
+
+static inline void
+prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
+{
+ uint8_t *nlp;
+
+ if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) {
+ rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
+ nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *,
+ offsetof(struct ip, ip_p));
+ if (*nlp == IPPROTO_ESP)
+ t->ipsec4.pkts[(t->ipsec4.num)++] = pkt;
+ else {
+ t->ipv4.data[t->ipv4.num] = nlp;
+ t->ipv4.pkts[(t->ipv4.num)++] = pkt;
+ }
+ } else {
+ /* Unknown/Unsupported type, drop the packet */
+ rte_pktmbuf_free(pkt);
+ }
+}
+
+static inline void
+prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
+ uint16_t nb_pkts)
+{
+ int i;
+
+ t->ipsec4.num = 0;
+ t->ipv4.num = 0;
+
+ for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
+ rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
+ void *));
+ prepare_one_packet(pkts[i], t);
+ }
+ /* Process left packets */
+ for (; i < nb_pkts; i++)
+ prepare_one_packet(pkts[i], t);
+}
+
+static inline void
+prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
+{
+ pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
+ pkt->l3_len = sizeof(struct ip);
+ pkt->l2_len = ETHER_HDR_LEN;
+
+ uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+ ethhdr[0] = ethaddr_tbl[port].dst |
+ ((ethaddr_tbl[port].src & 0xffff) << 48);
+ ethhdr[1] = ethaddr_tbl[port].src >> 16 |
+ ((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) |
+ (ethhdr[1] & (0xffffUL << 48));
+#else
+ ethhdr[0] = ethaddr_tbl[port].dst |
+ (ethaddr_tbl[port].src >> 48 & 0xffff);
+ ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) |
+ (ethhdr[1] & 0xffffUL);
+#endif
+}
+
+static inline void
+prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port)
+{
+ int i;
+ const int prefetch_offset = 2;
+
+ for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
+ rte_prefetch0(pkts[i + prefetch_offset]->cacheline1);
+ prepare_tx_pkt(pkts[i], port);
+ }
+ /* Process left packets */
+ for (; i < nb_pkts; i++)
+ prepare_tx_pkt(pkts[i], port);
+}
+
+/* Send burst of packets on an output interface */
+static inline int
+send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port)
+{
+ struct rte_mbuf **m_table;
+ int ret;
+ uint16_t queueid;
+
+ queueid = qconf->tx_queue_id[port];
+ m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
+
+ prepare_tx_burst(m_table, n, port);
+
+ ret = rte_eth_tx_burst(port, queueid, m_table, n);
+ if (unlikely(ret < n)) {
+ do {
+ rte_pktmbuf_free(m_table[ret]);
+ } while (++ret < n);
+ }
+
+ return 0;
+}
+
+/* Enqueue a single packet, and send burst if queue is filled */
+static inline int
+send_single_packet(struct rte_mbuf *m, uint8_t port)
+{
+ uint32_t lcore_id;
+ uint16_t len;
+ struct lcore_conf *qconf;
+
+ lcore_id = rte_lcore_id();
+
+ qconf = &lcore_conf[lcore_id];
+ len = qconf->tx_mbufs[port].len;
+ qconf->tx_mbufs[port].m_table[len] = m;
+ len++;
+
+ /* enough pkts to be sent */
+ if (unlikely(len == MAX_PKT_BURST)) {
+ send_burst(qconf, MAX_PKT_BURST, port);
+ len = 0;
+ }
+
+ qconf->tx_mbufs[port].len = len;
+ return 0;
+}
+
+static inline void
+process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
+{
+ struct sa_ctx *sa_ctx = ctx->sa_ipv4_in;
+ struct sp_ctx *sp_ctx = ctx->sp_ipv4_in;
+ struct rte_mbuf *m;
+ uint16_t idx, nb_pkts_in, i, j;
+ uint32_t sa_idx, res;
+ struct ipsec_ctx ipsec_ctx;
+ struct lcore_conf *qconf;
+
+ qconf = &lcore_conf[rte_lcore_id()];
+ ipsec_ctx.cdev = qconf->cdev;
+ ipsec_ctx.queue = qconf->cdev_q;
+ ipsec_ctx.sa_ctx = sa_ctx;
+
+ nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts,
+ traffic->ipsec4.num, MAX_PKT_BURST);
+
+ /* SP/ACL Inbound check ipsec and ipv4 */
+ for (i = 0; i < nb_pkts_in; i++) {
+ idx = traffic->ipv4.num++;
+ m = traffic->ipsec4.pkts[i];
+ traffic->ipv4.pkts[idx] = m;
+ traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m,
+ uint8_t *, offsetof(struct ip, ip_p));
+ }
+
+ rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
+ traffic->ipv4.res, traffic->ipv4.num,
+ DEFAULT_MAX_CATEGORIES);
+
+ j = 0;
+ for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) {
+ m = traffic->ipv4.pkts[i];
+ res = traffic->ipv4.res[i];
+ if (res & ~BYPASS) {
+ rte_pktmbuf_free(m);
+ continue;
+ }
+ traffic->ipv4.pkts[j++] = m;
+ }
+ /* Check return SA SPI matches pkt SPI */
+ for ( ; i < traffic->ipv4.num; i++) {
+ m = traffic->ipv4.pkts[i];
+ sa_idx = traffic->ipv4.res[i] & PROTECT_MASK;
+ if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) {
+ rte_pktmbuf_free(m);
+ continue;
+ }
+ traffic->ipv4.pkts[j++] = m;
+ }
+ traffic->ipv4.num = j;
+}
+
+static inline void
+process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
+{
+ struct sa_ctx *sa_ctx = ctx->sa_ipv4_out;
+ struct sp_ctx *sp_ctx = ctx->sp_ipv4_out;
+ struct rte_mbuf *m;
+ uint16_t idx, nb_pkts_out, i, j;
+ uint32_t sa_idx, res;
+ struct ipsec_ctx ipsec_ctx;
+ struct lcore_conf *qconf;
+
+ qconf = &lcore_conf[rte_lcore_id()];
+ ipsec_ctx.cdev = qconf->cdev;
+ ipsec_ctx.queue = qconf->cdev_q;
+ ipsec_ctx.sa_ctx = sa_ctx;
+
+ rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
+ traffic->ipv4.res, traffic->ipv4.num,
+ DEFAULT_MAX_CATEGORIES);
+ j = 0;
+ for (i = 0; i < traffic->ipv4.num; i++) {
+ m = traffic->ipv4.pkts[i];
+ res = traffic->ipv4.res[i];
+ sa_idx = res & PROTECT_MASK;
+ if (res & DISCARD) {
+ rte_pktmbuf_free(m);
+ } else if (sa_idx != 0) {
+ traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx;
+ traffic->ipsec4.pkts[traffic->ipsec4.num++] = m;
+ } else /* BYPASS */
+ traffic->ipv4.pkts[j++] = m;
+ }
+ traffic->ipv4.num = j;
+
+ nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts,
+ traffic->ipsec4.res, traffic->ipsec4.num,
+ MAX_PKT_BURST);
+
+ for (i = 0; i < nb_pkts_out; i++) {
+ idx = traffic->ipv4.num++;
+ m = traffic->ipsec4.pkts[i];
+ traffic->ipv4.pkts[idx] = m;
+ }
+}
+
+static inline void
+route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
+{
+ uint16_t hop[MAX_PKT_BURST * 2];
+ uint32_t dst_ip[MAX_PKT_BURST * 2];
+ uint16_t i, offset;
+
+ if (nb_pkts == 0)
+ return;
+
+ for (i = 0; i < nb_pkts; i++) {
+ offset = offsetof(struct ip, ip_dst);
+ dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i],
+ uint32_t *, offset);
+ dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]);
+ }
+
+ rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts);
+
+ for (i = 0; i < nb_pkts; i++) {
+ if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) {
+ rte_pktmbuf_free(pkts[i]);
+ continue;
+ }
+ send_single_packet(pkts[i], hop[i] & 0xff);
+ }
+}
+
+static inline void
+process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts,
+ uint8_t nb_pkts, uint8_t portid)
+{
+ struct ipsec_traffic traffic;
+
+ prepare_traffic(pkts, &traffic, nb_pkts);
+
+ if (UNPROTECTED_PORT(portid))
+ process_pkts_inbound(ctx, &traffic);
+ else
+ process_pkts_outbound(ctx, &traffic);
+
+ route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num);
+}
+
+static inline void
+drain_buffers(struct lcore_conf *qconf)
+{
+ struct buffer *buf;
+ unsigned portid;
+
+ for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) {
+ buf = &qconf->tx_mbufs[portid];
+ if (buf->len == 0)
+ continue;
+ send_burst(qconf, buf->len, portid);
+ buf->len = 0;
+ }
+}
+
+/* main processing loop */
+static int
+main_loop(__attribute__((unused)) void *dummy)
+{
+ struct rte_mbuf *pkts[MAX_PKT_BURST];
+ unsigned lcore_id;
+ uint64_t prev_tsc, diff_tsc, cur_tsc;
+ int i, nb_rx;
+ uint8_t portid, queueid;
+ struct lcore_conf *qconf;
+ int socket_id;
+ const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1)
+ / US_PER_S * BURST_TX_DRAIN_US;
+ struct socket_ctx *ctx;
+ struct lcore_rx_queue *rxql;
+
+ prev_tsc = 0;
+ lcore_id = rte_lcore_id();
+ qconf = &lcore_conf[lcore_id];
+ rxql = qconf->rx_queue_list;
+ socket_id = rte_lcore_to_socket_id(lcore_id);
+
+ ctx = &socket_ctx[socket_id];
+
+ if (qconf->nb_rx_queue == 0) {
+ RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id);
+ return 0;
+ }
+
+ RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id);
+
+ for (i = 0; i < qconf->nb_rx_queue; i++) {
+ portid = rxql[i].port_id;
+ queueid = rxql[i].queue_id;
+ RTE_LOG(INFO, IPSEC,
+ " -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n",
+ lcore_id, portid, queueid);
+ }
+
+ while (1) {
+ cur_tsc = rte_rdtsc();
+
+ /* TX queue buffer drain */
+ diff_tsc = cur_tsc - prev_tsc;
+
+ if (unlikely(diff_tsc > drain_tsc)) {
+ drain_buffers(qconf);
+ prev_tsc = cur_tsc;
+ }
+
+ /* Read packet from RX queues */
+ for (i = 0; i < qconf->nb_rx_queue; ++i) {
+ portid = rxql[i].port_id;
+ queueid = rxql[i].queue_id;
+ nb_rx = rte_eth_rx_burst(portid, queueid,
+ pkts, MAX_PKT_BURST);
+
+ if (nb_rx > 0)
+ process_pkts(ctx, pkts, nb_rx, portid);
+ }
+ }
+}
+
+static int
+check_params(void)
+{
+ uint8_t lcore, portid, nb_ports;
+ uint16_t i;
+ int socket_id;
+
+ if (lcore_params == NULL) {
+ printf("Error: No port/queue/core mappings\n");
+ return -1;
+ }
+
+ nb_ports = rte_eth_dev_count();
+ if (nb_ports > RTE_MAX_ETHPORTS)
+ nb_ports = RTE_MAX_ETHPORTS;
+
+ for (i = 0; i < nb_lcore_params; ++i) {
+ lcore = lcore_params[i].lcore_id;
+ if (!rte_lcore_is_enabled(lcore)) {
+ printf("error: lcore %hhu is not enabled in "
+ "lcore mask\n", lcore);
+ return -1;
+ }
+ socket_id = rte_lcore_to_socket_id(lcore);
+ if (socket_id != 0 && numa_on == 0) {
+ printf("warning: lcore %hhu is on socket %d "
+ "with numa off\n",
+ lcore, socket_id);
+ }
+ portid = lcore_params[i].port_id;
+ if ((enabled_port_mask & (1 << portid)) == 0) {
+ printf("port %u is not enabled in port mask\n", portid);
+ return -1;
+ }
+ if (portid >= nb_ports) {
+ printf("port %u is not present on the board\n", portid);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+static uint8_t
+get_port_nb_rx_queues(const uint8_t port)
+{
+ int queue = -1;
+ uint16_t i;
+
+ for (i = 0; i < nb_lcore_params; ++i) {
+ if (lcore_params[i].port_id == port &&
+ lcore_params[i].queue_id > queue)
+ queue = lcore_params[i].queue_id;
+ }
+ return (uint8_t)(++queue);
+}
+
+static int
+init_lcore_rx_queues(void)
+{
+ uint16_t i, nb_rx_queue;
+ uint8_t lcore;
+
+ for (i = 0; i < nb_lcore_params; ++i) {
+ lcore = lcore_params[i].lcore_id;
+ nb_rx_queue = lcore_conf[lcore].nb_rx_queue;
+ if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) {
+ printf("error: too many queues (%u) for lcore: %u\n",
+ nb_rx_queue + 1, lcore);
+ return -1;
+ }
+ lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id =
+ lcore_params[i].port_id;
+ lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id =
+ lcore_params[i].queue_id;
+ lcore_conf[lcore].nb_rx_queue++;
+ }
+ return 0;
+}
+
+/* display usage */
+static void
+print_usage(const char *prgname)
+{
+ printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK"
+ " --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]"
+ " --EP0|--EP1 --cdev AESNI|QAT\n"
+ " -p PORTMASK: hexadecimal bitmask of ports to configure\n"
+ " -P : enable promiscuous mode\n"
+ " -u PORTMASK: hexadecimal bitmask of unprotected ports\n"
+ " --"OPTION_CONFIG": (port,queue,lcore): "
+ "rx queues configuration\n"
+ " --cdev AESNI | QAT\n"
+ " --EP0: Configure as Endpoint 0\n"
+ " --EP1: Configure as Endpoint 1\n", prgname);
+}
+
+static int
+parse_portmask(const char *portmask)
+{
+ char *end = NULL;
+ unsigned long pm;
+
+ /* parse hexadecimal string */
+ pm = strtoul(portmask, &end, 16);
+ if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0'))
+ return -1;
+
+ if (pm == 0)
+ return -1;
+
+ return pm;
+}
+
+static int
+parse_config(const char *q_arg)
+{
+ char s[256];
+ const char *p, *p0 = q_arg;
+ char *end;
+ enum fieldnames {
+ FLD_PORT = 0,
+ FLD_QUEUE,
+ FLD_LCORE,
+ _NUM_FLD
+ };
+ unsigned long int_fld[_NUM_FLD];
+ char *str_fld[_NUM_FLD];
+ int i;
+ unsigned size;
+
+ nb_lcore_params = 0;
+
+ while ((p = strchr(p0, '(')) != NULL) {
+ ++p;
+ p0 = strchr(p, ')');
+ if (p0 == NULL)
+ return -1;
+
+ size = p0 - p;
+ if (size >= sizeof(s))
+ return -1;
+
+ snprintf(s, sizeof(s), "%.*s", size, p);
+ if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') !=
+ _NUM_FLD)
+ return -1;
+ for (i = 0; i < _NUM_FLD; i++) {
+ errno = 0;
+ int_fld[i] = strtoul(str_fld[i], &end, 0);
+ if (errno != 0 || end == str_fld[i] || int_fld[i] > 255)
+ return -1;
+ }
+ if (nb_lcore_params >= MAX_LCORE_PARAMS) {
+ printf("exceeded max number of lcore params: %hu\n",
+ nb_lcore_params);
+ return -1;
+ }
+ lcore_params_array[nb_lcore_params].port_id =
+ (uint8_t)int_fld[FLD_PORT];
+ lcore_params_array[nb_lcore_params].queue_id =
+ (uint8_t)int_fld[FLD_QUEUE];
+ lcore_params_array[nb_lcore_params].lcore_id =
+ (uint8_t)int_fld[FLD_LCORE];
+ ++nb_lcore_params;
+ }
+ lcore_params = lcore_params_array;
+ return 0;
+}
+
+#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt)))
+static int
+parse_args_long_options(struct option *lgopts, int option_index)
+{
+ int ret = -1;
+ const char *optname = lgopts[option_index].name;
+
+ if (__STRNCMP(optname, OPTION_CONFIG)) {
+ ret = parse_config(optarg);
+ if (ret)
+ printf("invalid config\n");
+ }
+
+ if (__STRNCMP(optname, OPTION_EP0)) {
+ printf("endpoint 0\n");
+ ep = 0;
+ ret = 0;
+ }
+
+ if (__STRNCMP(optname, OPTION_EP1)) {
+ printf("endpoint 1\n");
+ ep = 1;
+ ret = 0;
+ }
+
+ if (__STRNCMP(optname, OPTION_CDEV_TYPE)) {
+ if (__STRNCMP(optarg, "AESNI")) {
+ cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD;
+ ret = 0;
+ } else if (__STRNCMP(optarg, "QAT")) {
+ cdev_type = RTE_CRYPTODEV_QAT_PMD;
+ ret = 0;
+ }
+ }
+
+ return ret;
+}
+#undef __STRNCMP
+
+static int
+parse_args(int argc, char **argv)
+{
+ int opt, ret;
+ char **argvopt;
+ int option_index;
+ char *prgname = argv[0];
+ static struct option lgopts[] = {
+ {OPTION_CONFIG, 1, 0, 0},
+ {OPTION_EP0, 0, 0, 0},
+ {OPTION_EP1, 0, 0, 0},
+ {OPTION_CDEV_TYPE, 1, 0, 0},
+ {NULL, 0, 0, 0}
+ };
+
+ argvopt = argv;
+
+ while ((opt = getopt_long(argc, argvopt, "p:Pu:",
+ lgopts, &option_index)) != EOF) {
+
+ switch (opt) {
+ case 'p':
+ enabled_port_mask = parse_portmask(optarg);
+ if (enabled_port_mask == 0) {
+ printf("invalid portmask\n");
+ print_usage(prgname);
+ return -1;
+ }
+ break;
+ case 'P':
+ printf("Promiscuous mode selected\n");
+ promiscuous_on = 1;
+ break;
+ case 'u':
+ unprotected_port_mask = parse_portmask(optarg);
+ if (unprotected_port_mask == 0) {
+ printf("invalid unprotected portmask\n");
+ print_usage(prgname);
+ return -1;
+ }
+ break;
+ case 0:
+ if (parse_args_long_options(lgopts, option_index)) {
+ print_usage(prgname);
+ return -1;
+ }
+ break;
+ default:
+ print_usage(prgname);
+ return -1;
+ }
+ }
+
+ if (optind >= 0)
+ argv[optind-1] = prgname;
+
+ ret = optind-1;
+ optind = 0; /* reset getopt lib */
+ return ret;
+}
+
+static void
+print_ethaddr(const char *name, const struct ether_addr *eth_addr)
+{
+ char buf[ETHER_ADDR_FMT_SIZE];
+ ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
+ printf("%s%s", name, buf);
+}
+
+/* Check the link status of all ports in up to 9s, and print them finally */
+static void
+check_all_ports_link_status(uint8_t port_num, uint32_t port_mask)
+{
+#define CHECK_INTERVAL 100 /* 100ms */
+#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */
+ uint8_t portid, count, all_ports_up, print_flag = 0;
+ struct rte_eth_link link;
+
+ printf("\nChecking link status");
+ fflush(stdout);
+ for (count = 0; count <= MAX_CHECK_TIME; count++) {
+ all_ports_up = 1;
+ for (portid = 0; portid < port_num; portid++) {
+ if ((port_mask & (1 << portid)) == 0)
+ continue;
+ memset(&link, 0, sizeof(link));
+ rte_eth_link_get_nowait(portid, &link);
+ /* print link status if flag set */
+ if (print_flag == 1) {
+ if (link.link_status)
+ printf("Port %d Link Up - speed %u "
+ "Mbps - %s\n", (uint8_t)portid,
+ (unsigned)link.link_speed,
+ (link.link_duplex == ETH_LINK_FULL_DUPLEX) ?
+ ("full-duplex") : ("half-duplex\n"));
+ else
+ printf("Port %d Link Down\n",
+ (uint8_t)portid);
+ continue;
+ }
+ /* clear all_ports_up flag if any link down */
+ if (link.link_status == 0) {
+ all_ports_up = 0;
+ break;
+ }
+ }
+ /* after finally printing all link status, get out */
+ if (print_flag == 1)
+ break;
+
+ if (all_ports_up == 0) {
+ printf(".");
+ fflush(stdout);
+ rte_delay_ms(CHECK_INTERVAL);
+ }
+
+ /* set the print_flag if all ports up or timeout */
+ if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) {
+ print_flag = 1;
+ printf("done\n");
+ }
+ }
+}
+
+static uint16_t
+find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id)
+{
+ uint16_t cdev_id, cnt;
+ struct rte_cryptodev_info info;
+
+ cnt = rte_cryptodev_count();
+ for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) {
+ rte_cryptodev_info_get(cdev_id, &info);
+ if (info.dev_type == cdev_type)
+ return cdev_id;
+ }
+
+ return -1;
+}
+
+static uint16_t
+find_cdev_socket(int socket_id, unsigned cdev_type)
+{
+ uint16_t cdev_id, cnt;
+ struct rte_cryptodev_info info;
+ int cdev_socket;
+
+ cnt = rte_cryptodev_count();
+ for (cdev_id = 0; cdev_id < cnt; cdev_id++) {
+ rte_cryptodev_info_get(cdev_id, &info);
+ cdev_socket = rte_cryptodev_socket_id(cdev_id);
+ if ((info.dev_type == cdev_type) && (cdev_socket == socket_id))
+ return cdev_id;
+ }
+
+ return -1;
+}
+
+static int
+cryptodevs_init(void)
+{
+ struct rte_cryptodev_config dev_conf;
+ struct rte_cryptodev_qp_conf qp_conf;
+ struct lcore_conf *qconf;
+ uint16_t cnt, lcore_id, cdev_id;
+ int ret, i, socket_id;
+
+ if (cdev_type == RTE_CRYPTODEV_QAT_PMD) {
+ cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD);
+ printf("Found %u QAT devices\n", cnt);
+ if (cnt < nb_lcores)
+ rte_panic("Not enough QAT devices detected, "
+ "need %u (1 per core), found %d\n",
+ nb_lcores, cnt);
+ } else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
+ printf("Initializing %u AESNI vdevs\n", rte_lcore_count());
+ for (i = 0; i < (int)rte_lcore_count(); i++) {
+ ret = rte_eal_vdev_init(
+ CRYPTODEV_NAME_AESNI_MB_PMD,
+ NULL);
+ if (ret < 0)
+ rte_panic("Failed to create AESNI-MB vdev\n");
+ }
+ } else
+ rte_panic("Need to set cryptodev type option --cdev\n");
+
+ cdev_id = 0;
+ for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+ if (rte_lcore_is_enabled(lcore_id) == 0)
+ continue;
+
+ socket_id = rte_lcore_to_socket_id(lcore_id);
+ cdev_id = find_next_cdev(cdev_type, cdev_id);
+ qconf = &lcore_conf[lcore_id];
+ qconf->cdev = cdev_id;
+ qconf->cdev_q = 0;
+ if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
+ dev_conf.socket_id = socket_id;
+ printf("Initializing AESNI-MB device %u socket %u\n",
+ cdev_id, socket_id);
+ } else {
+ dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
+ printf("Initialising QAT device %u\n", cdev_id);
+ }
+
+ dev_conf.nb_queue_pairs = 1;
+ dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS;
+ dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ;
+
+ if (rte_cryptodev_configure(cdev_id, &dev_conf))
+ rte_panic("Failed to initialize crypodev %u\n",
+ cdev_id);
+
+ qp_conf.nb_descriptors = CDEV_MP_NB_OBJS;
+ if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf,
+ dev_conf.socket_id))
+ rte_panic("Failed to setup queue %u for cdev_id %u\n",
+ 0, cdev_id);
+ cdev_id++;
+ }
+
+ return 0;
+}
+
+static void
+port_init(uint8_t portid)
+{
+ struct rte_eth_dev_info dev_info;
+ struct rte_eth_txconf *txconf;
+ uint16_t nb_tx_queue, nb_rx_queue;
+ uint16_t tx_queueid, rx_queueid, queue, lcore_id;
+ int ret, socket_id;
+ struct lcore_conf *qconf;
+ struct ether_addr ethaddr;
+
+ rte_eth_dev_info_get(portid, &dev_info);
+
+ printf("Configuring device port %u:\n", portid);
+
+ rte_eth_macaddr_get(portid, ðaddr);
+ ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
+ print_ethaddr("Address: ", ðaddr);
+ printf("\n");
+
+ nb_rx_queue = get_port_nb_rx_queues(portid);
+ nb_tx_queue = nb_lcores;
+
+ if (nb_rx_queue > dev_info.max_rx_queues)
+ rte_exit(EXIT_FAILURE, "Error: queue %u not available "
+ "(max rx queue is %u)\n",
+ nb_rx_queue, dev_info.max_rx_queues);
+
+ if (nb_tx_queue > dev_info.max_tx_queues)
+ rte_exit(EXIT_FAILURE, "Error: queue %u not available "
+ "(max tx queue is %u)\n",
+ nb_tx_queue, dev_info.max_tx_queues);
+
+ printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n",
+ nb_rx_queue, nb_tx_queue);
+
+ ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue,
+ &port_conf);
+ if (ret < 0)
+ rte_exit(EXIT_FAILURE, "Cannot configure device: "
+ "err=%d, port=%d\n", ret, portid);
+
+ /* init one TX queue per lcore */
+ tx_queueid = 0;
+ for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+ if (rte_lcore_is_enabled(lcore_id) == 0)
+ continue;
+
+ if (numa_on)
+ socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
+ else
+ socket_id = 0;
+
+ /* init TX queue */
+ printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id);
+
+ txconf = &dev_info.default_txconf;
+ txconf->txq_flags = 0;
+
+ ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd,
+ socket_id, txconf);
+ if (ret < 0)
+ rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: "
+ "err=%d, port=%d\n", ret, portid);
+
+ qconf = &lcore_conf[lcore_id];
+ qconf->tx_queue_id[portid] = tx_queueid;
+ tx_queueid++;
+
+ /* init RX queues */
+ for (queue = 0; queue < qconf->nb_rx_queue; ++queue) {
+ if (portid != qconf->rx_queue_list[queue].port_id)
+ continue;
+
+ rx_queueid = qconf->rx_queue_list[queue].queue_id;
+
+ printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid,
+ socket_id);
+
+ ret = rte_eth_rx_queue_setup(portid, rx_queueid,
+ nb_rxd, socket_id, NULL,
+ socket_ctx[socket_id].mbuf_pool);
+ if (ret < 0)
+ rte_exit(EXIT_FAILURE,
+ "rte_eth_rx_queue_setup: err=%d, "
+ "port=%d\n", ret, portid);
+ }
+ }
+ printf("\n");
+}
+
+static void
+pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf)
+{
+ char s[64];
+
+ snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id);
+ ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf,
+ MEMPOOL_CACHE_SIZE, ipsec_metadata_size(),
+ RTE_MBUF_DEFAULT_BUF_SIZE,
+ socket_id);
+ if (ctx->mbuf_pool == NULL)
+ rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n",
+ socket_id);
+ else
+ printf("Allocated mbuf pool on socket %d\n", socket_id);
+}
+
+int
+main(int argc, char **argv)
+{
+ int ret;
+ unsigned lcore_id, nb_ports;
+ uint8_t portid, socket_id;
+
+ /* init EAL */
+ ret = rte_eal_init(argc, argv);
+ if (ret < 0)
+ rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n");
+ argc -= ret;
+ argv += ret;
+
+ /* parse application arguments (after the EAL ones) */
+ ret = parse_args(argc, argv);
+ if (ret < 0)
+ rte_exit(EXIT_FAILURE, "Invalid parameters\n");
+
+ if (ep < 0)
+ rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n");
+
+ if ((unprotected_port_mask & enabled_port_mask) !=
+ unprotected_port_mask)
+ rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n",
+ unprotected_port_mask);
+
+ nb_ports = rte_eth_dev_count();
+ if (nb_ports > RTE_MAX_ETHPORTS)
+ nb_ports = RTE_MAX_ETHPORTS;
+
+ if (check_params() < 0)
+ rte_exit(EXIT_FAILURE, "check_params failed\n");
+
+ ret = init_lcore_rx_queues();
+ if (ret < 0)
+ rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n");
+
+ nb_lcores = rte_lcore_count();
+
+ cryptodevs_init();
+
+ /* Replicate each contex per socket */
+ for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+ if (rte_lcore_is_enabled(lcore_id) == 0)
+ continue;
+
+ if (numa_on)
+ socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
+ else
+ socket_id = 0;
+
+ if (socket_ctx[socket_id].mbuf_pool)
+ continue;
+
+ sa_init(&socket_ctx[socket_id], socket_id, ep,
+ find_cdev_socket(socket_id, cdev_type));
+
+ sp_init(&socket_ctx[socket_id], socket_id, ep);
+
+ rt_init(&socket_ctx[socket_id], socket_id, ep);
+
+ pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
+ }
+
+ for (portid = 0; portid < nb_ports; portid++) {
+ if ((enabled_port_mask & (1 << portid)) == 0)
+ continue;
+
+ port_init(portid);
+ }
+
+ /* start ports */
+ for (portid = 0; portid < nb_ports; portid++) {
+ if ((enabled_port_mask & (1 << portid)) == 0)
+ continue;
+
+ /* Start device */
+ ret = rte_eth_dev_start(portid);
+ if (ret < 0)
+ rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
+ "err=%d, port=%d\n", ret, portid);
+ /*
+ * If enabled, put device in promiscuous mode.
+ * This allows IO forwarding mode to forward packets
+ * to itself through 2 cross-connected ports of the
+ * target machine.
+ */
+ if (promiscuous_on)
+ rte_eth_promiscuous_enable(portid);
+ }
+
+ check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask);
+
+ /* launch per-lcore init on every lcore */
+ rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER);
+ RTE_LCORE_FOREACH_SLAVE(lcore_id) {
+ if (rte_eal_wait_lcore(lcore_id) < 0)
+ return -1;
+ }
+
+ return 0;
+}
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
new file mode 100644
index 0000000..83e3326
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec.c
@@ -0,0 +1,138 @@
+/*-
+ * BSD LICENSE
+ *
+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_branch_prediction.h>
+#include <rte_log.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_mbuf.h>
+
+#include "ipsec.h"
+
+static inline uint16_t
+ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[],
+ struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts)
+{
+ int ret, i, j;
+ struct ipsec_mbuf_metadata *priv;
+ struct rte_mbuf_offload *ol;
+ struct ipsec_sa *sa;
+
+ j = 0;
+ for (i = 0; i < nb_pkts; i++) {
+ rte_prefetch0(sas[i]);
+ rte_prefetch0(pkts[i]);
+
+ priv = get_priv(pkts[i]);
+ ol = &priv->ol;
+ sa = sas[i];
+ priv->sa = sa;
+
+ IPSEC_ASSERT(sa != NULL);
+
+ __rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO);
+
+ rte_crypto_op_attach_session(&ol->op.crypto,
+ sa->crypto_session);
+
+ pkts[i]->offload_ops = ol;
+
+ ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto);
+ if (unlikely(ret))
+ rte_pktmbuf_free(pkts[i]);
+ else
+ pkts[j++] = pkts[i];
+ }
+ nb_pkts = j;
+
+ ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts);
+ if (ret < nb_pkts) {
+ IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
+ " enqueued %u packets (out of %u)\n",
+ cdev_id, qp_id, ret, nb_pkts);
+ for (i = ret; i < nb_pkts; i++)
+ rte_pktmbuf_free(pkts[i]);
+ }
+
+ nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts);
+ if ((nb_pkts != 0) && (nb_pkts < max_pkts))
+ IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
+ " dequeued %u packets (out of %u)\n",
+ cdev_id, qp_id, nb_pkts, max_pkts);
+
+ j = 0;
+ for (i = 0; i < nb_pkts; i++) {
+ rte_prefetch0(pkts[i]);
+
+ priv = get_priv(pkts[i]);
+ ol = &priv->ol;
+ sa = priv->sa;
+ rte_prefetch0(sa);
+
+ IPSEC_ASSERT(sa != NULL);
+
+ ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto);
+ if (unlikely(ret))
+ rte_pktmbuf_free(pkts[i]);
+ else
+ pkts[j++] = pkts[i];
+ }
+
+ /* return packets */
+ return j;
+}
+
+uint16_t
+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+ uint16_t nb_pkts, uint16_t len)
+{
+ struct ipsec_sa *sas[nb_pkts];
+
+ inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts);
+
+ return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
+}
+
+uint16_t
+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+ uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len)
+{
+ struct ipsec_sa *sas[nb_pkts];
+
+ outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts);
+
+ return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
+}
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
new file mode 100644
index 0000000..abf9d5f
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec.h
@@ -0,0 +1,184 @@
+/*-
+ * BSD LICENSE
+ *
+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __IPSEC_H__
+#define __IPSEC_H__
+
+#include <stdint.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_mbuf_offload.h>
+#include <rte_byteorder.h>
+#include <rte_ip.h>
+
+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
+#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2
+#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3
+
+#ifdef IPSEC_DEBUG
+#define IPSEC_ASSERT(exp) \
+if (!(exp)) { \
+ rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \
+}
+
+#define IPSEC_LOG RTE_LOG
+#else
+#define IPSEC_ASSERT(exp) do {} while (0)
+#define IPSEC_LOG(...) do {} while (0)
+#endif /* IPSEC_DEBUG */
+
+#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
+
+#define uint32_t_to_char(ip, a, b, c, d) do {\
+ *a = (unsigned char)(ip >> 24 & 0xff);\
+ *b = (unsigned char)(ip >> 16 & 0xff);\
+ *c = (unsigned char)(ip >> 8 & 0xff);\
+ *d = (unsigned char)(ip & 0xff);\
+ } while (0)
+
+#define DEFAULT_MAX_CATEGORIES 1
+
+#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */
+#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
+#define INVALID_SPI (0)
+
+#define DISCARD (0x80000000)
+#define BYPASS (0x40000000)
+#define PROTECT_MASK (0x3fffffff)
+#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */
+
+#define IPSEC_XFORM_MAX 2
+
+struct rte_crypto_xform;
+struct ipsec_xform;
+struct rte_cryptodev_session;
+struct rte_mbuf;
+
+struct replay {
+ uint32_t seq_h;
+};
+
+struct lifetime {
+ uint64_t bytes;
+ uint64_t seconds;
+};
+
+struct ipsec_sa;
+
+typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
+ struct rte_crypto_op *cop);
+
+struct ipsec_sa {
+ uint32_t spi;
+ uint32_t seq;
+ uint32_t src;
+ uint32_t dst;
+ struct rte_cryptodev_session *crypto_session;
+ struct rte_crypto_xform *xforms;
+ enum rte_crypto_cipher_algorithm cipher_algo;
+ enum rte_crypto_auth_algorithm auth_algo;
+ uint16_t digest_len;
+ uint16_t iv_len;
+ uint16_t block_size;
+ ipsec_xform_fn pre_crypto;
+ ipsec_xform_fn post_crypto;
+ uint32_t flags;
+ /* does not apply if no automated SA management (IKE) support */
+ struct lifetime current;
+ struct lifetime soft;
+ struct lifetime hard;
+ struct replay replay;
+} __rte_cache_aligned;
+
+struct ipsec_mbuf_metadata {
+ struct ipsec_sa *sa;
+ struct rte_mbuf_offload ol;
+};
+
+struct ipsec_ctx {
+ uint16_t cdev;
+ uint16_t queue;
+ struct sa_ctx *sa_ctx;
+};
+
+struct socket_ctx {
+ struct sa_ctx *sa_ipv4_in;
+ struct sa_ctx *sa_ipv4_out;
+ struct sp_ctx *sp_ipv4_in;
+ struct sp_ctx *sp_ipv4_out;
+ struct rt_ctx *rt_ipv4;
+ struct rte_mempool *mbuf_pool;
+};
+
+uint16_t
+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+ uint16_t nb_pkts, uint16_t len);
+
+uint16_t
+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+ uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
+
+static inline uint16_t
+ipsec_metadata_size(void)
+{
+ return sizeof(struct ipsec_mbuf_metadata);
+}
+
+static inline struct ipsec_mbuf_metadata *
+get_priv(struct rte_mbuf *m)
+{
+ return RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
+}
+
+int
+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
+
+void
+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
+ struct ipsec_sa *sa[], uint16_t nb_pkts);
+
+void
+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
+ struct ipsec_sa *sa[], uint16_t nb_pkts);
+
+void
+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+void
+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id);
+
+void
+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+#endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c
new file mode 100644
index 0000000..82064b2
--- /dev/null
+++ b/examples/ipsec-secgw/rt.c
@@ -0,0 +1,131 @@
+/*-
+ * BSD LICENSE
+ *
+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Routing Table (RT)
+ */
+#include <rte_lpm.h>
+#include <rte_errno.h>
+
+#include "ipsec.h"
+
+#define RT_IPV4_MAX_RULES 64
+
+struct ipv4_route {
+ uint32_t ip;
+ uint8_t depth;
+ uint8_t if_out;
+};
+
+/* In the default routing table we have:
+ * ep0 protected ports 0 and 1, and unprotected ports 2 and 3.
+ */
+static struct ipv4_route rt_ipv4_ep0[] = {
+ { IPv4(172, 16, 2, 5), 32, 0 },
+ { IPv4(172, 16, 2, 6), 32, 0 },
+ { IPv4(172, 16, 2, 7), 32, 1 },
+ { IPv4(172, 16, 2, 8), 32, 1 },
+
+ { IPv4(192, 168, 115, 0), 24, 2 },
+ { IPv4(192, 168, 116, 0), 24, 2 },
+ { IPv4(192, 168, 117, 0), 24, 3 },
+ { IPv4(192, 168, 118, 0), 24, 3 }
+};
+
+/* In the default routing table we have:
+ * ep1 protected ports 0 and 1, and unprotected ports 2 and 3.
+ */
+static struct ipv4_route rt_ipv4_ep1[] = {
+ { IPv4(172, 16, 1, 5), 32, 2 },
+ { IPv4(172, 16, 1, 6), 32, 2 },
+ { IPv4(172, 16, 1, 7), 32, 3 },
+ { IPv4(172, 16, 1, 8), 32, 3 },
+
+ { IPv4(192, 168, 105, 0), 24, 0 },
+ { IPv4(192, 168, 106, 0), 24, 0 },
+ { IPv4(192, 168, 107, 0), 24, 1 },
+ { IPv4(192, 168, 108, 0), 24, 1 }
+};
+
+void
+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+ char name[PATH_MAX];
+ unsigned i;
+ int ret;
+ struct rte_lpm *lpm;
+ struct ipv4_route *rt;
+ char a, b, c, d;
+ unsigned nb_routes;
+
+ if (ctx == NULL)
+ rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+ if (ctx->rt_ipv4 != NULL)
+ rte_exit(EXIT_FAILURE, "Routing Table for socket %u already "
+ "initialized\n", socket_id);
+
+ printf("Creating Routing Table (RT) context with %u max routes\n",
+ RT_IPV4_MAX_RULES);
+
+ if (ep == 0) {
+ rt = rt_ipv4_ep0;
+ nb_routes = RTE_DIM(rt_ipv4_ep0);
+ } else if (ep == 1) {
+ rt = rt_ipv4_ep1;
+ nb_routes = RTE_DIM(rt_ipv4_ep1);
+ } else
+ rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 "
+ "supported.\n", ep);
+
+ /* create the LPM table */
+ snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id);
+ lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0);
+ if (lpm == NULL)
+ rte_exit(EXIT_FAILURE, "Unable to create LPM table "
+ "on socket %d\n", socket_id);
+
+ /* populate the LPM table */
+ for (i = 0; i < nb_routes; i++) {
+ ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out);
+ if (ret < 0)
+ rte_exit(EXIT_FAILURE, "Unable to add entry num %u to "
+ "LPM table on socket %d\n", i, socket_id);
+
+ uint32_t_to_char(rt[i].ip, &a, &b, &c, &d);
+ printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n",
+ a, b, c, d, rt[i].depth, rt[i].if_out);
+ }
+
+ ctx->rt_ipv4 = (struct rt_ctx *)lpm;
+}
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
new file mode 100644
index 0000000..5ea7592
--- /dev/null
+++ b/examples/ipsec-secgw/sa.c
@@ -0,0 +1,391 @@
+/*-
+ * BSD LICENSE
+ *
+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Associations
+ */
+#include <netinet/ip.h>
+
+#include <rte_memzone.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_byteorder.h>
+#include <rte_errno.h>
+
+#include "ipsec.h"
+#include "esp.h"
+
+/* SAs EP0 Outbound */
+const struct ipsec_sa sa_ep0_out[] = {
+ { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_outbound_pre_crypto,
+ esp4_tunnel_outbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_outbound_pre_crypto,
+ esp4_tunnel_outbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_outbound_pre_crypto,
+ esp4_tunnel_outbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_outbound_pre_crypto,
+ esp4_tunnel_outbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
+};
+
+/* SAs EP0 Inbound */
+const struct ipsec_sa sa_ep0_in[] = {
+ { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_inbound_pre_crypto,
+ esp4_tunnel_inbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_inbound_pre_crypto,
+ esp4_tunnel_inbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_inbound_pre_crypto,
+ esp4_tunnel_inbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_inbound_pre_crypto,
+ esp4_tunnel_inbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
+};
+
+/* SAs EP1 Outbound */
+const struct ipsec_sa sa_ep1_out[] = {
+ { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_outbound_pre_crypto,
+ esp4_tunnel_outbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_outbound_pre_crypto,
+ esp4_tunnel_outbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_outbound_pre_crypto,
+ esp4_tunnel_outbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_outbound_pre_crypto,
+ esp4_tunnel_outbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
+};
+
+/* SAs EP1 Inbound */
+const struct ipsec_sa sa_ep1_in[] = {
+ { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_inbound_pre_crypto,
+ esp4_tunnel_inbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_inbound_pre_crypto,
+ esp4_tunnel_inbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_inbound_pre_crypto,
+ esp4_tunnel_inbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+ { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
+ NULL, NULL,
+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ 12, 16, 16,
+ esp4_tunnel_inbound_pre_crypto,
+ esp4_tunnel_inbound_post_crypto,
+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
+};
+
+static uint8_t cipher_key[256] = "sixteenbytes key";
+
+/* AES CBC xform */
+const struct rte_crypto_xform aescbc_enc_xf = {
+ NULL,
+ RTE_CRYPTO_XFORM_CIPHER,
+ .cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
+ .key = { cipher_key, 0, 16 } }
+};
+
+const struct rte_crypto_xform aescbc_dec_xf = {
+ NULL,
+ RTE_CRYPTO_XFORM_CIPHER,
+ .cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
+ .key = { cipher_key, 0, 16 } }
+};
+
+static uint8_t auth_key[256] = "twentybytes hash key";
+
+/* SHA1 HMAC xform */
+const struct rte_crypto_xform sha1hmac_gen_xf = {
+ NULL,
+ RTE_CRYPTO_XFORM_AUTH,
+ .auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ .key = { auth_key, 0, 20 }, 12, 0 }
+};
+
+const struct rte_crypto_xform sha1hmac_verify_xf = {
+ NULL,
+ RTE_CRYPTO_XFORM_AUTH,
+ .auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC,
+ .key = { auth_key, 0, 20 }, 12, 0 }
+};
+
+struct sa_ctx {
+ struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES];
+ struct {
+ struct rte_crypto_xform a;
+ struct rte_crypto_xform b;
+ } xf[IPSEC_SA_MAX_ENTRIES];
+};
+
+static struct sa_ctx *
+sa_ipv4_create(const char *name, int socket_id)
+{
+ char s[PATH_MAX];
+ struct sa_ctx *sa_ctx;
+ unsigned mz_size;
+ const struct rte_memzone *mz;
+
+ snprintf(s, sizeof(s), "%s_%u", name, socket_id);
+
+ /* Create SA array table */
+ printf("Creating SA context with %u maximum entries\n",
+ IPSEC_SA_MAX_ENTRIES);
+
+ mz_size = sizeof(struct sa_ctx);
+ mz = rte_memzone_reserve(s, mz_size, socket_id,
+ RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
+ if (mz == NULL) {
+ printf("Failed to allocate SA DB memory\n");
+ rte_errno = -ENOMEM;
+ return NULL;
+ }
+
+ sa_ctx = (struct sa_ctx *)mz->addr;
+
+ return sa_ctx;
+}
+
+static int
+sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+ unsigned nb_entries, uint16_t cdev_id, unsigned inbound)
+{
+ struct ipsec_sa *sa;
+ unsigned i, idx;
+
+ for (i = 0; i < nb_entries; i++) {
+ idx = SPI2IDX(entries[i].spi);
+ sa = &sa_ctx->sa[idx];
+ if (sa->spi != 0) {
+ printf("Index %u already in use by SPI %u\n",
+ idx, sa->spi);
+ return -EINVAL;
+ }
+ *sa = entries[i];
+ sa->src = rte_cpu_to_be_32(sa->src);
+ sa->dst = rte_cpu_to_be_32(sa->dst);
+ if (inbound) {
+ sa_ctx->xf[idx].a = sha1hmac_verify_xf;
+ sa_ctx->xf[idx].b = aescbc_dec_xf;
+ } else { /* outbound */
+ sa_ctx->xf[idx].a = aescbc_enc_xf;
+ sa_ctx->xf[idx].b = sha1hmac_gen_xf;
+ }
+ sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+ sa_ctx->xf[idx].b.next = NULL;
+ sa->xforms = &sa_ctx->xf[idx].a;
+
+ sa->crypto_session = rte_cryptodev_session_create(cdev_id,
+ sa->xforms);
+ }
+
+ return 0;
+}
+
+static inline int
+sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+ unsigned nb_entries, uint16_t cdev_id)
+{
+ return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0);
+}
+
+static inline int
+sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+ unsigned nb_entries, uint16_t cdev_id)
+{
+ return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1);
+}
+
+void
+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id)
+{
+ const struct ipsec_sa *sa_out_entries, *sa_in_entries;
+ unsigned nb_out_entries, nb_in_entries;
+ const char *name;
+
+ if (ctx == NULL)
+ rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+ if (ctx->sa_ipv4_in != NULL)
+ rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already "
+ "initialized\n", socket_id);
+
+ if (ctx->sa_ipv4_out != NULL)
+ rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already "
+ "initialized\n", socket_id);
+
+ if (ep == 0) {
+ sa_out_entries = sa_ep0_out;
+ nb_out_entries = RTE_DIM(sa_ep0_out);
+ sa_in_entries = sa_ep0_in;
+ nb_in_entries = RTE_DIM(sa_ep0_in);
+ } else if (ep == 1) {
+ sa_out_entries = sa_ep1_out;
+ nb_out_entries = RTE_DIM(sa_ep1_out);
+ sa_in_entries = sa_ep1_in;
+ nb_in_entries = RTE_DIM(sa_ep1_in);
+ } else
+ rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+ "Only 0 or 1 supported.\n", ep);
+
+ name = "sa_ipv4_in";
+ ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id);
+ if (ctx->sa_ipv4_in == NULL)
+ rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
+ "in socket %d\n", rte_errno, name, socket_id);
+
+ name = "sa_ipv4_out";
+ ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id);
+ if (ctx->sa_ipv4_out == NULL)
+ rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
+ "in socket %d\n", rte_errno, name, socket_id);
+
+ sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries,
+ nb_in_entries, cdev_id);
+
+ sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries,
+ nb_out_entries, cdev_id);
+}
+
+int
+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx)
+{
+ struct ipsec_mbuf_metadata *priv;
+
+ priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
+
+ return (sa_ctx->sa[sa_idx].spi == priv->sa->spi);
+}
+
+void
+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
+ struct ipsec_sa *sa[], uint16_t nb_pkts)
+{
+ unsigned i;
+ uint32_t *src, spi;
+
+ for (i = 0; i < nb_pkts; i++) {
+ spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *,
+ sizeof(struct ip))->spi;
+ if (spi == INVALID_SPI)
+ continue;
+
+ sa[i] = &sa_ctx->sa[SPI2IDX(spi)];
+ if (spi != sa[i]->spi) {
+ sa[i] = NULL;
+ continue;
+ }
+
+ src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *,
+ offsetof(struct ip, ip_src));
+ if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1)))
+ sa[i] = NULL;
+ }
+}
+
+void
+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
+ struct ipsec_sa *sa[], uint16_t nb_pkts)
+{
+ unsigned i;
+
+ for (i = 0; i < nb_pkts; i++)
+ sa[i] = &sa_ctx->sa[sa_idx[i]];
+}
diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c
new file mode 100644
index 0000000..219e478
--- /dev/null
+++ b/examples/ipsec-secgw/sp.c
@@ -0,0 +1,324 @@
+/*-
+ * BSD LICENSE
+ *
+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Policies
+ */
+#include <netinet/ip.h>
+
+#include <rte_acl.h>
+
+#include "ipsec.h"
+
+#define MAX_ACL_RULE_NUM 1000
+
+/*
+ * Rule and trace formats definitions.
+ */
+enum {
+ PROTO_FIELD_IPV4,
+ SRC_FIELD_IPV4,
+ DST_FIELD_IPV4,
+ SRCP_FIELD_IPV4,
+ DSTP_FIELD_IPV4,
+ NUM_FIELDS_IPV4
+};
+
+/*
+ * That effectively defines order of IPV4 classifications:
+ * - PROTO
+ * - SRC IP ADDRESS
+ * - DST IP ADDRESS
+ * - PORTS (SRC and DST)
+ */
+enum {
+ RTE_ACL_IPV4_PROTO,
+ RTE_ACL_IPV4_SRC,
+ RTE_ACL_IPV4_DST,
+ RTE_ACL_IPV4_PORTS,
+ RTE_ACL_IPV4_NUM
+};
+
+struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
+ {
+ .type = RTE_ACL_FIELD_TYPE_BITMASK,
+ .size = sizeof(uint8_t),
+ .field_index = PROTO_FIELD_IPV4,
+ .input_index = RTE_ACL_IPV4_PROTO,
+ .offset = 0,
+ },
+ {
+ .type = RTE_ACL_FIELD_TYPE_MASK,
+ .size = sizeof(uint32_t),
+ .field_index = SRC_FIELD_IPV4,
+ .input_index = RTE_ACL_IPV4_SRC,
+ .offset = offsetof(struct ip, ip_src) - offsetof(struct ip, ip_p)
+ },
+ {
+ .type = RTE_ACL_FIELD_TYPE_MASK,
+ .size = sizeof(uint32_t),
+ .field_index = DST_FIELD_IPV4,
+ .input_index = RTE_ACL_IPV4_DST,
+ .offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
+ },
+ {
+ .type = RTE_ACL_FIELD_TYPE_RANGE,
+ .size = sizeof(uint16_t),
+ .field_index = SRCP_FIELD_IPV4,
+ .input_index = RTE_ACL_IPV4_PORTS,
+ .offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
+ },
+ {
+ .type = RTE_ACL_FIELD_TYPE_RANGE,
+ .size = sizeof(uint16_t),
+ .field_index = DSTP_FIELD_IPV4,
+ .input_index = RTE_ACL_IPV4_PORTS,
+ .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
+ sizeof(uint16_t)
+ },
+};
+
+RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs));
+
+const struct acl4_rules acl4_rules_in[] = {
+ {
+ .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+ /* destination IPv4 */
+ .field[2] = {.value.u32 = IPv4(192, 168, 105, 0),
+ .mask_range.u32 = 24,},
+ /* source port */
+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+ /* destination port */
+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+ },
+ {
+ .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
+ /* destination IPv4 */
+ .field[2] = {.value.u32 = IPv4(192, 168, 106, 0),
+ .mask_range.u32 = 24,},
+ /* source port */
+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+ /* destination port */
+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+ },
+ {
+ .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
+ /* destination IPv4 */
+ .field[2] = {.value.u32 = IPv4(192, 168, 107, 0),
+ .mask_range.u32 = 24,},
+ /* source port */
+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+ /* destination port */
+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+ },
+ {
+ .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
+ /* destination IPv4 */
+ .field[2] = {.value.u32 = IPv4(192, 168, 108, 0),
+ .mask_range.u32 = 24,},
+ /* source port */
+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+ /* destination port */
+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+ }
+};
+
+const struct acl4_rules acl4_rules_out[] = {
+ {
+ .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+ /* destination IPv4 */
+ .field[2] = {.value.u32 = IPv4(192, 168, 115, 0),
+ .mask_range.u32 = 24,},
+ /* source port */
+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+ /* destination port */
+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+ },
+ {
+ .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
+ /* destination IPv4 */
+ .field[2] = {.value.u32 = IPv4(192, 168, 116, 0),
+ .mask_range.u32 = 24,},
+ /* source port */
+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+ /* destination port */
+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+ },
+ {
+ .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
+ /* destination IPv4 */
+ .field[2] = {.value.u32 = IPv4(192, 168, 117, 0),
+ .mask_range.u32 = 24,},
+ /* source port */
+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+ /* destination port */
+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+ },
+ {
+ .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
+ /* destination IPv4 */
+ .field[2] = {.value.u32 = IPv4(192, 168, 118, 0),
+ .mask_range.u32 = 24,},
+ /* source port */
+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+ /* destination port */
+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+ }
+};
+
+static void
+print_one_ipv4_rule(const struct acl4_rules *rule, int extra)
+{
+ unsigned char a, b, c, d;
+
+ uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
+ &a, &b, &c, &d);
+ printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+ rule->field[SRC_FIELD_IPV4].mask_range.u32);
+ uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
+ &a, &b, &c, &d);
+ printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+ rule->field[DST_FIELD_IPV4].mask_range.u32);
+ printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
+ rule->field[SRCP_FIELD_IPV4].value.u16,
+ rule->field[SRCP_FIELD_IPV4].mask_range.u16,
+ rule->field[DSTP_FIELD_IPV4].value.u16,
+ rule->field[DSTP_FIELD_IPV4].mask_range.u16,
+ rule->field[PROTO_FIELD_IPV4].value.u8,
+ rule->field[PROTO_FIELD_IPV4].mask_range.u8);
+ if (extra)
+ printf("0x%x-0x%x-0x%x ",
+ rule->data.category_mask,
+ rule->data.priority,
+ rule->data.userdata);
+}
+
+static inline void
+dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra)
+{
+ int i;
+
+ for (i = 0; i < num; i++, rule++) {
+ printf("\t%d:", i + 1);
+ print_one_ipv4_rule(rule, extra);
+ printf("\n");
+ }
+}
+
+static struct rte_acl_ctx *
+acl4_init(const char *name, int socketid, const struct acl4_rules *rules,
+ unsigned rules_nb)
+{
+ char s[PATH_MAX];
+ struct rte_acl_param acl_param;
+ struct rte_acl_config acl_build_param;
+ struct rte_acl_ctx *ctx;
+
+ printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
+
+ memset(&acl_param, 0, sizeof(acl_param));
+
+ /* Create ACL contexts */
+ snprintf(s, sizeof(s), "%s_%d", name, socketid);
+
+ printf("IPv4 %s entries [%u]:\n", s, rules_nb);
+ dump_ipv4_rules(rules, rules_nb, 1);
+
+ acl_param.name = s;
+ acl_param.socket_id = socketid;
+ acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs));
+ acl_param.max_rule_num = MAX_ACL_RULE_NUM;
+
+ ctx = rte_acl_create(&acl_param);
+ if (ctx == NULL)
+ rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
+
+ if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
+ rules_nb) < 0)
+ rte_exit(EXIT_FAILURE, "add rules failed\n");
+
+ /* Perform builds */
+ memset(&acl_build_param, 0, sizeof(acl_build_param));
+
+ acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
+ acl_build_param.num_fields = rules_nb;
+ memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs));
+
+ if (rte_acl_build(ctx, &acl_build_param) != 0)
+ rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
+
+ rte_acl_dump(ctx);
+
+ return ctx;
+}
+
+void
+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+ const char *name;
+ const struct acl4_rules *rules_out, *rules_in;
+ unsigned nb_out_rules, nb_in_rules;
+
+ if (ctx == NULL)
+ rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+ if (ctx->sp_ipv4_in != NULL)
+ rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
+ "initialized\n", socket_id);
+
+ if (ctx->sp_ipv4_out != NULL)
+ rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
+ "initialized\n", socket_id);
+
+ if (ep == 0) {
+ rules_out = acl4_rules_in;
+ nb_out_rules = RTE_DIM(acl4_rules_in);
+ rules_in = acl4_rules_out;
+ nb_in_rules = RTE_DIM(acl4_rules_out);
+ } else if (ep == 1) {
+ rules_out = acl4_rules_out;
+ nb_out_rules = RTE_DIM(acl4_rules_out);
+ rules_in = acl4_rules_in;
+ nb_in_rules = RTE_DIM(acl4_rules_in);
+ } else
+ rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+ "Only 0 or 1 supported.\n", ep);
+
+ name = "sp_ipv4_in";
+ ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id,
+ rules_in, nb_in_rules);
+
+ name = "sp_ipv4_out";
+ ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id,
+ rules_out, nb_out_rules);
+}
--
2.4.3
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway 2016-01-29 20:29 [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway Sergio Gonzalez Monroy @ 2016-01-31 14:39 ` Jerin Jacob 2016-02-01 11:09 ` Sergio Gonzalez Monroy 2016-02-24 13:32 ` Thomas Monjalon 2016-03-11 1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy 2 siblings, 1 reply; 15+ messages in thread From: Jerin Jacob @ 2016-01-31 14:39 UTC (permalink / raw) To: Sergio Gonzalez Monroy; +Cc: dev On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote: > Sample app implementing an IPsec Security Geteway. > The main goal of this app is to show the use of cryptodev framework > in a real world application. > > Currently only supported static IPv4 IPsec tunnels using AES-CBC > and HMAC-SHA1. > > Also, currently not supported: > - SA auto negotiation (No IKE support) > - chained mbufs > > Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Hi Sergio, Great effort, one of the best highly integrated sample DPDK application (ethernet, acl, crypto and lpm) > --- > MAINTAINERS | 4 + > doc/guides/sample_app_ug/index.rst | 1 + > doc/guides/sample_app_ug/ipsec_secgw.rst | 440 +++++++++++ > examples/Makefile | 2 + > examples/ipsec-secgw/Makefile | 58 ++ > examples/ipsec-secgw/esp.c | 256 +++++++ > examples/ipsec-secgw/esp.h | 66 ++ > examples/ipsec-secgw/ipip.h | 100 +++ > examples/ipsec-secgw/ipsec-secgw.c | 1218 ++++++++++++++++++++++++++++++ > examples/ipsec-secgw/ipsec.c | 138 ++++ > examples/ipsec-secgw/ipsec.h | 184 +++++ > examples/ipsec-secgw/rt.c | 131 ++++ > examples/ipsec-secgw/sa.c | 391 ++++++++++ > examples/ipsec-secgw/sp.c | 324 ++++++++ > 14 files changed, 3313 insertions(+) > create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst > create mode 100644 examples/ipsec-secgw/Makefile > create mode 100644 examples/ipsec-secgw/esp.c > create mode 100644 examples/ipsec-secgw/esp.h > create mode 100644 examples/ipsec-secgw/ipip.h > create mode 100644 examples/ipsec-secgw/ipsec-secgw.c > create mode 100644 examples/ipsec-secgw/ipsec.c > create mode 100644 examples/ipsec-secgw/ipsec.h > create mode 100644 examples/ipsec-secgw/rt.c > create mode 100644 examples/ipsec-secgw/sa.c > create mode 100644 examples/ipsec-secgw/sp.c > > diff --git a/MAINTAINERS b/MAINTAINERS > index b90aeea..996eda6 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst > M: Pablo de Lara <pablo.de.lara.guarch@intel.com> > M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com> > F: examples/ptpclient/ > + > +M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> > +F: doc/guides/sample_app_ug/ipsec-secgw.rst > +F: examples/ipsec-secgw/ > diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst > index 8a646dd..88375d2 100644 > --- a/doc/guides/sample_app_ug/index.rst > +++ b/doc/guides/sample_app_ug/index.rst > @@ -73,6 +73,7 @@ Sample Applications User Guide > proc_info > ptpclient > performance_thread > + ipsec_secgw > > **Figures** > > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst > new file mode 100644 > index 0000000..7be3f7e > --- /dev/null > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst > @@ -0,0 +1,440 @@ > +.. BSD LICENSE > + Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + All rights reserved. > + > + Redistribution and use in source and binary forms, with or without > + modification, are permitted provided that the following conditions > + are met: > + > + * Redistributions of source code must retain the above copyright > + notice, this list of conditions and the following disclaimer. > + * Redistributions in binary form must reproduce the above copyright > + notice, this list of conditions and the following disclaimer in > + the documentation and/or other materials provided with the > + distribution. > + * Neither the name of Intel Corporation nor the names of its > + contributors may be used to endorse or promote products derived > + from this software without specific prior written permission. > + > + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + > +IPsec Security Gateway Sample Application > +========================================= > + > +The IPsec Security Gateway application is a minimal example of real work > +application using DPDK cryptodev framework. > + > +Overview > +-------- > + > +The application demonstrates the implementation of a minimal Security Gateway > +(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and > +RFC2404. > + > +Note that IKE is not supported (therefore not IPsec compliant), so only manual > +setting of Security Policies and Associations is allowed. > + > +The Security Policies (SP) are implemented as ACL rules, the Security > +Associations (SA) are stored in a table and the Routing is implemented > +using LPM. > + > +The application splits the ports between Protected and Unprotected. > +Based on the port the trafic is coming from, the traffic would be consider > +IPsec Inbound or Outbound. > +Traffic from Unprotected ports is consider IPsec Inbound, and traffic from > +Protected ports is consider IPsec Outbound. > + > +Path for IPsec Inbound traffic: > +* Read packets from the port > +* Classify packets between IPv4 and ESP. > +* Inbound SA lookup for ESP packets based on their SPI > +* Verification/Decryption > +* Removal of ESP and outter IP header > +* Inbound SP check using ACL of decrypted packets and any other IPv4 packet > +we read. > +* Routing > +* Write packet to port > + > +Path for IPsec Outbound traffic: > +* Read packets from the port > +* Outbound SP check using ACL of all IPv4 traffic > +* Outbound SA lookup for packets that need IPsec protection > +* Add ESP and outter IP header > +* Encryption/Digest > +* Routing > +* Write packet to port > + > +Constraints > +----------- > +* IPv4 traffic > +* ESP tunnel mode > +* EAS-CBC and HMAC-SHA1 > +* Each SA must be handle by a unique lcore (1 RX queue per port) > +* No chained mbufs > + > +Compiling the Application > +------------------------- > + > +To compile the application: > + > +#. Go to the sample application directory: > + > + .. code-block:: console > + > + export RTE_SDK=/path/to/rte_sdk > + cd ${RTE_SDK}/examples/ipsec-secgw > + > +#. Set the target (a default target is used if not specified). For example: > + > + .. code-block:: console > + > + export RTE_TARGET=x86_64-native-linuxapp-gcc > + > + See the *DPDK Getting Started Guide* for possible RTE_TARGET values. > + > +#. Build the application: > + > + .. code-block:: console > + > + make > + > +Running the Application > +----------------------- > + > +The application has a number of command line options: > + > +.. code-block:: console > + > + ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config > + (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT > + > +where, > + > +* -p PORTMASK: Hexadecimal bitmask of ports to configure > + > +* -P: optional, sets all ports to promiscuous mode so that packets are > + accepted regardless of the packet's Ethernet MAC destination address. > + Without this option, only packets with the Ethernet MAC destination address > + set to the Ethernet address of the port are accepted (default is enabled). > + > +* -u PORTMASK: hexadecimal bitmask of unprotected ports > + > +* --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues > + from which ports are mapped to which cores > + > +* --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto > + > +* --EP0: configure the app as Endpoint 0. > + > +* --EP1: configure the app as Endpoint 1. > + > +Either --EP0 or --EP1 must be specified. > + > +The mapping of lcores to port/queues is similar to other l3fwd applications. > + > +For example, given the following command line: > +.. code-block:: console > + > + ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3 > + --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0 > + > +where each options means: > + > +* The -l option enables cores 20 and 21 > + > +* The -n option sets memory 4 channels > + > +* The --socket-mem to use 2GB on socket 1 > + > +* The -p option enables ports (detected) 0, 1, 2 and 3 > + > +* The -P option enables promiscous mode > + > +* The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected > + > +* The --config option enables one queue per port with the following mapping: > + > ++----------+-----------+-----------+---------------------------------------+ > +| **Port** | **Queue** | **lcore** | **Description** | > +| | | | | > ++----------+-----------+-----------+---------------------------------------+ > +| 0 | 0 | 20 | Map queue 0 from port 0 to lcore 20. | > +| | | | | > ++----------+-----------+-----------+---------------------------------------+ > +| 1 | 0 | 20 | Map queue 0 from port 1 to lcore 20. | > +| | | | | > ++----------+-----------+-----------+---------------------------------------+ > +| 2 | 0 | 21 | Map queue 0 from port 2 to lcore 21. | > +| | | | | > ++----------+-----------+-----------+---------------------------------------+ > +| 3 | 0 | 21 | Map queue 0 from port 3 to lcore 21. | > +| | | | | > ++----------+-----------+-----------+---------------------------------------+ > + > +Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options. > + > +Configurations > +-------------- > + > +The following sections provide some details on the default values used to > +initialize the SP, SA and Routing tables. > +Currently all the configuration is hardcoded into the application. > + > +Security Policy Initialization > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +As mention in the overview, the Security Policies are ACL rules. > +There are two ACLs, Inbound and Outboud. > +The application would also replicate the set of two ACLs per socket in use. > + > +Following are the default rules: > + > +Endpoint 0 Outbound Security Policies: > + > ++---------+------------------+-----------+------------+ > +| **Src** | **Dst** | **proto** | **SA idx** | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.105.0/24 | Any | 5 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.106.0/24 | Any | 6 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.107.0/24 | Any | 7 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.108.0/24 | Any | 8 | > +| | | | | > ++---------+------------------+-----------+------------+ > + > +Endpoint 0 Inbound Security Policies: > + > ++---------+------------------+-----------+------------+ > +| **Src** | **Dst** | **proto** | **SA idx** | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.115.0/24 | Any | 5 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.116.0/24 | Any | 6 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.117.0/24 | Any | 7 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.118.0/24 | Any | 8 | > +| | | | | > ++---------+------------------+-----------+------------+ > + > +Endpoint 1 Outbound Security Policies: > + > ++---------+------------------+-----------+------------+ > +| **Src** | **Dst** | **proto** | **SA idx** | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.115.0/24 | Any | 5 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.116.0/24 | Any | 6 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.117.0/24 | Any | 7 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.118.0/24 | Any | 8 | > +| | | | | > ++---------+------------------+-----------+------------+ > + > +Endpoint 1 Inbound Security Policies: > + > ++---------+------------------+-----------+------------+ > +| **Src** | **Dst** | **proto** | **SA idx** | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.105.0/24 | Any | 5 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.106.0/24 | Any | 6 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.107.0/24 | Any | 7 | > +| | | | | > ++---------+------------------+-----------+------------+ > +| Any | 192.168.108.0/24 | Any | 8 | > +| | | | | > ++---------+------------------+-----------+------------+ > + > + > +Security Association Initialization > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +The SAs are kept in a array table. > + > +For Inbound, the SPI is used as index module the table size. > +This means that on a table for 100 SA, SPI 5 and 105 would use the same index > +and that is not currently supported. > + > +Notice that it is not an issue for Outbound traffic as we store the index and > +not the SPI in the Security Policy. > + > +All SAs are configured with the same cipher algo, block size and key (AES-CBC > +16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B > +digest). > + > +Following are the default values: > + > +Endpoint 0 Outbound Security Associations: > + > ++---------+----------------+------------------+ > +| **SPI** | **Tunnel src** | **Tunnel dst** | > +| | | | > ++---------+----------------+------------------+ > +| 5 | 172.16.1.5 | 172.16.2.5 | > +| | | | > ++---------+----------------+------------------+ > +| 6 | 172.16.1.6 | 172.16.2.6 | > +| | | | > ++---------+----------------+------------------+ > +| 7 | 172.16.1.7 | 172.16.2.7 | > +| | | | > ++---------+----------------+------------------+ > +| 8 | 172.16.1.8 | 172.16.2.8 | > +| | | | > ++---------+----------------+------------------+ > + > +Endpoint 0 Inbound Security Associations: > + > ++---------+----------------+------------------+ > +| **SPI** | **Tunnel src** | **Tunnel dst** | > +| | | | > ++---------+----------------+------------------+ > +| 5 | 172.16.2.5 | 172.16.1.5 | > +| | | | > ++---------+----------------+------------------+ > +| 6 | 172.16.2.6 | 172.16.1.6 | > +| | | | > ++---------+----------------+------------------+ > +| 7 | 172.16.2.7 | 172.16.1.7 | > +| | | | > ++---------+----------------+------------------+ > +| 8 | 172.16.2.8 | 172.16.1.8 | > +| | | | > ++---------+----------------+------------------+ > + > +Endpoint 1 Outbound Security Associations: > + > ++---------+----------------+------------------+ > +| **SPI** | **Tunnel src** | **Tunnel dst** | > +| | | | > ++---------+----------------+------------------+ > +| 5 | 172.16.2.5 | 172.16.1.5 | > +| | | | > ++---------+----------------+------------------+ > +| 6 | 172.16.2.6 | 172.16.1.6 | > +| | | | > ++---------+----------------+------------------+ > +| 7 | 172.16.2.7 | 172.16.1.7 | > +| | | | > ++---------+----------------+------------------+ > +| 8 | 172.16.2.8 | 172.16.1.8 | > +| | | | > ++---------+----------------+------------------+ > + > +Endpoint 1 Inbound Security Associations: > + > ++---------+----------------+------------------+ > +| **SPI** | **Tunnel src** | **Tunnel dst** | > +| | | | > ++---------+----------------+------------------+ > +| 5 | 172.16.1.5 | 172.16.2.5 | > +| | | | > ++---------+----------------+------------------+ > +| 6 | 172.16.1.6 | 172.16.2.6 | > +| | | | > ++---------+----------------+------------------+ > +| 7 | 172.16.1.7 | 172.16.2.7 | > +| | | | > ++---------+----------------+------------------+ > +| 8 | 172.16.1.8 | 172.16.2.8 | > +| | | | > ++---------+----------------+------------------+ > + > +Routing Initialization > +~~~~~~~~~~~~~~~~~~~~~~ > + > +The Routing is implemented using LPM table. > + > +Following default values: > + > +Endpoint 0 Routing Table: > + > ++------------------+----------+ > +| **Dst addr** | **Port** | > +| | | > ++------------------+----------+ > +| 172.16.2.5/32 | 0 | > +| | | > ++------------------+----------+ > +| 172.16.2.6/32 | 0 | > +| | | > ++------------------+----------+ > +| 172.16.2.7/32 | 1 | > +| | | > ++------------------+----------+ > +| 172.16.2.8/32 | 1 | > +| | | > ++------------------+----------+ > +| 192.168.115.0/24 | 2 | > +| | | > ++------------------+----------+ > +| 192.168.116.0/24 | 2 | > +| | | > ++------------------+----------+ > +| 192.168.117.0/24 | 3 | > +| | | > ++------------------+----------+ > +| 192.168.118.0/24 | 3 | > +| | | > ++------------------+----------+ > + > +Endpoint 1 Routing Table: > + > ++------------------+----------+ > +| **Dst addr** | **Port** | > +| | | > ++------------------+----------+ > +| 172.16.1.5/32 | 2 | > +| | | > ++------------------+----------+ > +| 172.16.1.6/32 | 2 | > +| | | > ++------------------+----------+ > +| 172.16.1.7/32 | 3 | > +| | | > ++------------------+----------+ > +| 172.16.1.8/32 | 3 | > +| | | > ++------------------+----------+ > +| 192.168.105.0/24 | 0 | > +| | | > ++------------------+----------+ > +| 192.168.106.0/24 | 0 | > +| | | > ++------------------+----------+ > +| 192.168.107.0/24 | 1 | > +| | | > ++------------------+----------+ > +| 192.168.108.0/24 | 1 | > +| | | > ++------------------+----------+ > diff --git a/examples/Makefile b/examples/Makefile > index 1cb4785..65ce6ce 100644 > --- a/examples/Makefile > +++ b/examples/Makefile > @@ -1,6 +1,7 @@ > # BSD LICENSE > # > # Copyright(c) 2014 6WIND S.A. > +# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > # > # Redistribution and use in source and binary forms, with or without > # modification, are permitted provided that the following conditions > @@ -78,5 +79,6 @@ DIRS-y += vmdq > DIRS-y += vmdq_dcb > DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager > DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto > +DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw > > include $(RTE_SDK)/mk/rte.extsubdir.mk > diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile > new file mode 100644 > index 0000000..5f893b8 > --- /dev/null > +++ b/examples/ipsec-secgw/Makefile > @@ -0,0 +1,58 @@ > +# BSD LICENSE > +# > +# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > +# All rights reserved. > +# > +# Redistribution and use in source and binary forms, with or without > +# modification, are permitted provided that the following conditions > +# are met: > +# > +# * Redistributions of source code must retain the above copyright > +# notice, this list of conditions and the following disclaimer. > +# * Redistributions in binary form must reproduce the above copyright > +# notice, this list of conditions and the following disclaimer in > +# the documentation and/or other materials provided with the > +# distribution. > +# * Neither the name of Intel Corporation nor the names of its > +# contributors may be used to endorse or promote products derived > +# from this software without specific prior written permission. > +# > +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + > +ifeq ($(RTE_SDK),) > + $(error "Please define RTE_SDK environment variable") > +endif > + > +# Default target, can be overridden by command line or environment > +RTE_TARGET ?= x86_64-native-linuxapp-gcc > + > +include $(RTE_SDK)/mk/rte.vars.mk > + > +APP = ipsec-secgw > + > +CFLAGS += -O3 -gdwarf-2 > +CFLAGS += $(WERROR_FLAGS) > + > +VPATH += $(SRCDIR)/librte_ipsec > + > +# > +# all source are stored in SRCS-y > +# > +SRCS-y += ipsec.c > +SRCS-y += esp.c > +SRCS-y += sp.c > +SRCS-y += sa.c > +SRCS-y += rt.c > +SRCS-y += ipsec-secgw.c > + > +include $(RTE_SDK)/mk/rte.extapp.mk > diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c > new file mode 100644 > index 0000000..1be0621 > --- /dev/null > +++ b/examples/ipsec-secgw/esp.c > @@ -0,0 +1,256 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +#include <stdint.h> > +#include <stdlib.h> > +#include <netinet/ip.h> > +#include <sys/types.h> > +#include <sys/stat.h> > +#include <fcntl.h> > +#include <unistd.h> > + > +#include <rte_memcpy.h> > +#include <rte_crypto.h> > +#include <rte_cryptodev.h> > +#include <rte_random.h> > + > +#include "ipsec.h" > +#include "esp.h" > +#include "ipip.h" > + > +static inline void > +random_iv_u64(uint64_t *buf, uint16_t n) > +{ > + unsigned left = n & 0x7; > + unsigned i; > + > + IPSEC_ASSERT((n & 0x3) == 0); > + > + for (i = 0; i < (n >> 3); i++) > + buf[i] = rte_rand(); > + > + if (left) > + *((uint32_t *)&buf[i]) = (uint32_t)lrand48(); > +} > + > +/* IPv4 Tunnel */ > +int > +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > + struct rte_crypto_op *cop) > +{ > + uint16_t digest_len, esp_len, iphdr_len; > + int32_t payload_len; > + > + IPSEC_ASSERT(m != NULL); > + > + iphdr_len = sizeof(struct ip); > + esp_len = sizeof(struct esp_hdr) + sa->iv_len; > + digest_len = sa->digest_len; > + payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len; > + > + if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) { > + IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n", > + payload_len, sa->block_size); > + return -EINVAL; > + } > + > + cop->data.to_cipher.offset = iphdr_len + esp_len; > + cop->data.to_cipher.length = payload_len; > + > + cop->data.to_hash.offset = iphdr_len; > + if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM) > + cop->data.to_hash.length = esp_len - sa->iv_len; > + else > + cop->data.to_hash.length = esp_len + payload_len; > + > + cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, > + iphdr_len + esp_len - sa->iv_len); > + cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, > + iphdr_len + esp_len - sa->iv_len); > + > + cop->iv.length = sa->iv_len; > + > + cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, > + iphdr_len + esp_len + payload_len); > + cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, > + iphdr_len + esp_len + payload_len); > + cop->digest.length = digest_len; > + > + return 0; > +} > + > +int > +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > + struct rte_crypto_op *cop) > +{ > + uint16_t digest_len, esp_len, iphdr_len; > + uint8_t *nexthdr, *pad_len; > + uint8_t *padding; > + uint16_t i; > + > + IPSEC_ASSERT(m != NULL); > + > + iphdr_len = sizeof(struct ip); > + esp_len = sizeof(struct esp_hdr) + sa->iv_len; > + digest_len = sa->digest_len; > + > + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { > + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); > + return -1; > + } > + > + nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*, > + rte_pktmbuf_pkt_len(m) - digest_len - 1); > + pad_len = nexthdr - 1; > + > + padding = pad_len - *pad_len; > + for (i = 0; i < *pad_len; i++) { > + if (padding[i] != i) { > + IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n"); > + return -EINVAL; > + } > + } > + > + if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) { > + IPSEC_LOG(ERR, IPSEC_ESP, > + "failed to remove pad_len + digest\n"); > + return -EINVAL; > + } > + > + return ip4ip_inbound(m, iphdr_len + esp_len); > +} > + > +int > +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > + struct rte_crypto_op *cop) > +{ > + uint16_t digest_len, esp_len, payload_len, block_sz, pad_len; > + int32_t pad_payload_len; > + struct ip *ip; > + struct esp_hdr *esp; > + int i; > + char *padding; > + > + rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE); > + rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *)); > + > + IPSEC_ASSERT(m != NULL); > + IPSEC_ASSERT(sa != NULL); > + > + /* Payload length */ > + payload_len = rte_pktmbuf_pkt_len(m); > + > + block_sz = sa->block_size; > + > + /* Per RFC4303: > + * padded payload needs to be multiple of 4 bytes. > + * All application supported block sizes must be power of 2 > + */ > + pad_len = (payload_len + 2) & (block_sz - 1); > + pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2; > + > + /* Padded payload length */ > + pad_payload_len = payload_len + pad_len; > + /* ESP header length */ > + esp_len = sizeof(struct esp_hdr) + sa->iv_len; > + /* Digest length */ > + digest_len = sa->digest_len; > + > + IPSEC_LOG(DEBUG, IPSEC_ESP, > + "pktlen %u, esp_len %u, digest_len %u, payload_len %u," > + " pad_payload_len %u, block_sz %u, pad_len %u\n", > + rte_pktmbuf_pkt_len(m), esp_len, digest_len, > + payload_len, pad_payload_len, block_sz, pad_len); > + > + /* Check maximum packet size */ > + if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) { > + IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n"); > + return -EINVAL; > + } > + > + padding = rte_pktmbuf_append(m, pad_len + digest_len); > + > + IPSEC_ASSERT(padding != NULL); > + > + ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst); > + > + esp = (struct esp_hdr *)(ip + 1); > + esp->spi = sa->spi; > + > + esp->seq = htonl(sa->seq++); > + > + IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m)); > + > + /* Fill pad_len using default sequential scheme */ > + for (i = 0; i < pad_len - 2; i++) > + padding[i] = i + 1; > + > + padding[pad_len - 2] = pad_len - 2; > + padding[pad_len - 1] = IPPROTO_IPIP; > + ip->ip_p = IPPROTO_ESP; > + > + cop->data.to_cipher.offset = sizeof(struct ip) + esp_len; > + cop->data.to_cipher.length = pad_payload_len; > + > + cop->data.to_hash.offset = sizeof(struct ip); > + cop->data.to_hash.length = esp_len + pad_payload_len; > + > + cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, > + sizeof(struct ip) + esp_len - sa->iv_len); > + cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, > + sizeof(struct ip) + esp_len - sa->iv_len); > + cop->iv.length = sa->iv_len; > + > + cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, > + sizeof(struct ip) + esp_len + pad_payload_len); > + cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, > + sizeof(struct ip) + esp_len + pad_payload_len); > + cop->digest.length = digest_len; > + > + random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length); > + > + return 0; > +} > + > +int > +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused, > + struct ipsec_sa *sa __rte_unused, > + struct rte_crypto_op *cop) > +{ > + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { > + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); > + return -1; > + } > + > + return 0; > +} > diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h > new file mode 100644 > index 0000000..d7c8ba6 > --- /dev/null > +++ b/examples/ipsec-secgw/esp.h > @@ -0,0 +1,66 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > +#ifndef __RTE_IPSEC_XFORM_ESP_H__ > +#define __RTE_IPSEC_XFORM_ESP_H__ > + > +struct mbuf; > + > +/* RFC4303 */ > +struct esp_hdr { > + uint32_t spi; > + uint32_t seq; > + /* Payload */ > + /* Padding */ > + /* Pad Length */ > + /* Next Header */ > + /* Integrity Check Value - ICV */ > +}; > + > +/* IPv4 Tunnel */ > +int > +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > + struct rte_crypto_op *cop); > + > +int > +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > + struct rte_crypto_op *cop); > + > +int > +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > + struct rte_crypto_op *cop); > + > +int > +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > + struct rte_crypto_op *cop); > + > +#endif /* __RTE_IPSEC_XFORM_ESP_H__ */ > diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h > new file mode 100644 > index 0000000..16c5dfb > --- /dev/null > +++ b/examples/ipsec-secgw/ipip.h > @@ -0,0 +1,100 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +#ifndef __IPIP_H__ > +#define __IPIP_H__ > + > +#include <stdint.h> > +#include <netinet/in.h> > +#include <netinet/ip.h> > + > +#include <rte_mbuf.h> > + > +static inline struct ip * > +ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst) > +{ > + struct ip *inip, *outip; > + > + inip = rte_pktmbuf_mtod(m, struct ip*); > + > + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); > + > + offset += sizeof(struct ip); > + > + outip = (struct ip *)rte_pktmbuf_prepend(m, offset); > + > + IPSEC_ASSERT(outip != NULL); > + > + /* Per RFC4301 5.1.2.1 */ > + outip->ip_len = htons(rte_pktmbuf_data_len(m)); > + outip->ip_v = IPVERSION; > + outip->ip_hl = 5; > + outip->ip_tos = inip->ip_tos; > + > + outip->ip_id = 0; > + outip->ip_off = 0; > + > + outip->ip_ttl = IPDEFTTL; > + > + outip->ip_dst.s_addr = dst; > + outip->ip_src.s_addr = src; > + > + return outip; > +} > + > +static inline int > +ip4ip_inbound(struct rte_mbuf *m, uint32_t offset) > +{ > + struct ip *inip; > + struct ip *outip; > + > + outip = rte_pktmbuf_mtod(m, struct ip*); > + > + IPSEC_ASSERT(outip->ip_v == IPVERSION); > + > + offset += sizeof(struct ip); > + inip = (struct ip *)rte_pktmbuf_adj(m, offset); > + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); > + > + /* Check packet is still bigger than IP header (inner) */ > + IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip)); > + > + /* RFC4301 5.1.2.1 Note 6 */ > + if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) && > + ((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE)) > + inip->ip_tos |= htons(IPTOS_ECN_CE); > + > + return 0; > +} > + > +#endif /* __IPIP_H__ */ > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c > new file mode 100644 > index 0000000..d2e8972 > --- /dev/null > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -0,0 +1,1218 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +#include <stdio.h> > +#include <stdlib.h> > +#include <stdint.h> > +#include <inttypes.h> > +#include <sys/types.h> > +#include <string.h> > +#include <sys/queue.h> > +#include <stdarg.h> > +#include <errno.h> > +#include <getopt.h> > + > +#include <rte_common.h> > +#include <rte_byteorder.h> > +#include <rte_log.h> > +#include <rte_eal.h> > +#include <rte_launch.h> > +#include <rte_atomic.h> > +#include <rte_cycles.h> > +#include <rte_prefetch.h> > +#include <rte_lcore.h> > +#include <rte_per_lcore.h> > +#include <rte_branch_prediction.h> > +#include <rte_interrupts.h> > +#include <rte_pci.h> > +#include <rte_random.h> > +#include <rte_debug.h> > +#include <rte_ether.h> > +#include <rte_ethdev.h> > +#include <rte_mempool.h> > +#include <rte_mbuf.h> > +#include <rte_acl.h> > +#include <rte_lpm.h> > +#include <rte_cryptodev.h> > +#include <rte_cryptodev.h> > + > +#include "ipsec.h" > + > +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 > + > +#define MAX_JUMBO_PKT_LEN 9600 > + > +#define MEMPOOL_CACHE_SIZE 256 > + > +#define NB_MBUF (32000) > + > +#define CDEV_MP_NB_OBJS 2048 > +#define CDEV_MP_CACHE_SZ 64 > +#define MAX_QUEUE_PAIRS 1 > + > +#define OPTION_CONFIG "config" > +#define OPTION_EP0 "ep0" > +#define OPTION_EP1 "ep1" > +#define OPTION_CDEV_TYPE "cdev" > + > +#define MAX_PKT_BURST 32 > +#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */ > + > +#define NB_SOCKETS 4 > + > +/* Configure how many packets ahead to prefetch, when reading packets */ > +#define PREFETCH_OFFSET 3 > + > +#define MAX_RX_QUEUE_PER_LCORE 16 > + > +#define MAX_LCORE_PARAMS 1024 > + > +#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid)) > + > +/* > + * Configurable number of RX/TX ring descriptors > + */ > +#define IPSEC_SECGW_RX_DESC_DEFAULT 128 > +#define IPSEC_SECGW_TX_DESC_DEFAULT 512 > +static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT; > +static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT; > + > +#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN > +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ > + (((uint64_t)((a) & 0xff) << 56) | \ > + ((uint64_t)((b) & 0xff) << 48) | \ > + ((uint64_t)((c) & 0xff) << 40) | \ > + ((uint64_t)((d) & 0xff) << 32) | \ > + ((uint64_t)((e) & 0xff) << 24) | \ > + ((uint64_t)((f) & 0xff) << 16) | \ > + ((uint64_t)((g) & 0xff) << 8) | \ > + ((uint64_t)(h) & 0xff)) > +#else > +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ > + (((uint64_t)((h) & 0xff) << 56) | \ > + ((uint64_t)((g) & 0xff) << 48) | \ > + ((uint64_t)((f) & 0xff) << 40) | \ > + ((uint64_t)((e) & 0xff) << 32) | \ > + ((uint64_t)((d) & 0xff) << 24) | \ > + ((uint64_t)((c) & 0xff) << 16) | \ > + ((uint64_t)((b) & 0xff) << 8) | \ > + ((uint64_t)(a) & 0xff)) > +#endif > +#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) > + > +#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \ > + addr.addr_bytes[0], addr.addr_bytes[1], \ > + addr.addr_bytes[2], addr.addr_bytes[3], \ > + addr.addr_bytes[4], addr.addr_bytes[5], \ > + 0, 0) > + > +/* port/source ethernet addr and destination ethernet addr */ > +struct ethaddr_info { > + uint64_t src, dst; > +}; > + > +struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = { > + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) }, > + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) }, > + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) }, > + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) } > +}; > + > +/* mask of enabled ports */ > +static uint32_t enabled_port_mask; > +static uint32_t unprotected_port_mask; > +static int promiscuous_on = 1; > +static int numa_on = 1; /**< NUMA is enabled by default. */ > +static int ep = -1; /**< Endpoint configuration (0 or 1) */ > +static unsigned cdev_type = -1; > +static unsigned nb_lcores; > + > +struct buffer { > + uint16_t len; > + struct rte_mbuf *m_table[MAX_PKT_BURST]; > +}; > + > +struct lcore_rx_queue { > + uint8_t port_id; > + uint8_t queue_id; > +} __rte_cache_aligned; > + > +struct lcore_params { > + uint8_t port_id; > + uint8_t queue_id; > + uint8_t lcore_id; > +} __rte_cache_aligned; > + > +static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; > + > +static struct lcore_params *lcore_params; > +static uint16_t nb_lcore_params; > + > +struct lcore_conf { > + uint16_t nb_rx_queue; > + struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE]; > + uint16_t tx_queue_id[RTE_MAX_ETHPORTS]; > + struct buffer tx_mbufs[RTE_MAX_ETHPORTS]; > + uint16_t cdev; > + uint16_t cdev_q; > +} __rte_cache_aligned; > + > +static struct lcore_conf lcore_conf[RTE_MAX_LCORE]; > + > +static struct rte_eth_conf port_conf = { > + .rxmode = { > + .mq_mode = ETH_MQ_RX_RSS, > + .max_rx_pkt_len = ETHER_MAX_LEN, > + .split_hdr_size = 0, > + .header_split = 0, /**< Header Split disabled */ > + .hw_ip_checksum = 1, /**< IP checksum offload enabled */ > + .hw_vlan_filter = 0, /**< VLAN filtering disabled */ > + .jumbo_frame = 0, /**< Jumbo Frame Support disabled */ > + .hw_strip_crc = 0, /**< CRC stripped by hardware */ > + }, > + .rx_adv_conf = { > + .rss_conf = { > + .rss_key = NULL, > + .rss_hf = ETH_RSS_IP | ETH_RSS_UDP | > + ETH_RSS_TCP | ETH_RSS_SCTP, > + }, > + }, > + .txmode = { > + .mq_mode = ETH_MQ_TX_NONE, > + }, > +}; > + > +static struct socket_ctx socket_ctx[NB_SOCKETS]; > + > +struct traffic_type { > + const uint8_t *data[MAX_PKT_BURST * 2]; > + struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; > + uint32_t res[MAX_PKT_BURST * 2]; > + uint32_t num; > +}; > + > +struct ipsec_traffic { > + struct traffic_type ipsec4; > + struct traffic_type ipv4; > +}; > + > +static inline void > +prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) > +{ > + uint8_t *nlp; > + > + if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) { > + rte_pktmbuf_adj(pkt, ETHER_HDR_LEN); > + nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *, > + offsetof(struct ip, ip_p)); > + if (*nlp == IPPROTO_ESP) > + t->ipsec4.pkts[(t->ipsec4.num)++] = pkt; > + else { > + t->ipv4.data[t->ipv4.num] = nlp; > + t->ipv4.pkts[(t->ipv4.num)++] = pkt; > + } > + } else { > + /* Unknown/Unsupported type, drop the packet */ > + rte_pktmbuf_free(pkt); > + } > +} > + > +static inline void > +prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t, > + uint16_t nb_pkts) > +{ > + int i; > + > + t->ipsec4.num = 0; > + t->ipv4.num = 0; > + > + for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) { > + rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET], > + void *)); > + prepare_one_packet(pkts[i], t); > + } > + /* Process left packets */ > + for (; i < nb_pkts; i++) > + prepare_one_packet(pkts[i], t); > +} > + > +static inline void > +prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port) > +{ > + pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4; > + pkt->l3_len = sizeof(struct ip); > + pkt->l2_len = ETHER_HDR_LEN; > + > + uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN); > +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN > + ethhdr[0] = ethaddr_tbl[port].dst | > + ((ethaddr_tbl[port].src & 0xffff) << 48); > + ethhdr[1] = ethaddr_tbl[port].src >> 16 | > + ((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) | > + (ethhdr[1] & (0xffffUL << 48)); > +#else > + ethhdr[0] = ethaddr_tbl[port].dst | > + (ethaddr_tbl[port].src >> 48 & 0xffff); > + ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) | > + (ethhdr[1] & 0xffffUL); > +#endif > +} > + > +static inline void > +prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port) > +{ > + int i; > + const int prefetch_offset = 2; > + > + for (i = 0; i < (nb_pkts - prefetch_offset); i++) { > + rte_prefetch0(pkts[i + prefetch_offset]->cacheline1); > + prepare_tx_pkt(pkts[i], port); > + } > + /* Process left packets */ > + for (; i < nb_pkts; i++) > + prepare_tx_pkt(pkts[i], port); > +} > + > +/* Send burst of packets on an output interface */ > +static inline int > +send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port) > +{ > + struct rte_mbuf **m_table; > + int ret; > + uint16_t queueid; > + > + queueid = qconf->tx_queue_id[port]; > + m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table; > + > + prepare_tx_burst(m_table, n, port); > + > + ret = rte_eth_tx_burst(port, queueid, m_table, n); > + if (unlikely(ret < n)) { > + do { > + rte_pktmbuf_free(m_table[ret]); > + } while (++ret < n); > + } > + > + return 0; > +} > + > +/* Enqueue a single packet, and send burst if queue is filled */ > +static inline int > +send_single_packet(struct rte_mbuf *m, uint8_t port) > +{ > + uint32_t lcore_id; > + uint16_t len; > + struct lcore_conf *qconf; > + > + lcore_id = rte_lcore_id(); > + > + qconf = &lcore_conf[lcore_id]; > + len = qconf->tx_mbufs[port].len; > + qconf->tx_mbufs[port].m_table[len] = m; > + len++; > + > + /* enough pkts to be sent */ > + if (unlikely(len == MAX_PKT_BURST)) { > + send_burst(qconf, MAX_PKT_BURST, port); > + len = 0; > + } > + > + qconf->tx_mbufs[port].len = len; > + return 0; > +} > + > +static inline void > +process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) > +{ > + struct sa_ctx *sa_ctx = ctx->sa_ipv4_in; > + struct sp_ctx *sp_ctx = ctx->sp_ipv4_in; > + struct rte_mbuf *m; > + uint16_t idx, nb_pkts_in, i, j; > + uint32_t sa_idx, res; > + struct ipsec_ctx ipsec_ctx; > + struct lcore_conf *qconf; > + > + qconf = &lcore_conf[rte_lcore_id()]; > + ipsec_ctx.cdev = qconf->cdev; > + ipsec_ctx.queue = qconf->cdev_q; > + ipsec_ctx.sa_ctx = sa_ctx; > + > + nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts, > + traffic->ipsec4.num, MAX_PKT_BURST); > + > + /* SP/ACL Inbound check ipsec and ipv4 */ > + for (i = 0; i < nb_pkts_in; i++) { > + idx = traffic->ipv4.num++; > + m = traffic->ipsec4.pkts[i]; > + traffic->ipv4.pkts[idx] = m; > + traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m, > + uint8_t *, offsetof(struct ip, ip_p)); > + } > + > + rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, > + traffic->ipv4.res, traffic->ipv4.num, > + DEFAULT_MAX_CATEGORIES); > + > + j = 0; > + for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) { > + m = traffic->ipv4.pkts[i]; > + res = traffic->ipv4.res[i]; > + if (res & ~BYPASS) { > + rte_pktmbuf_free(m); > + continue; > + } > + traffic->ipv4.pkts[j++] = m; > + } > + /* Check return SA SPI matches pkt SPI */ > + for ( ; i < traffic->ipv4.num; i++) { > + m = traffic->ipv4.pkts[i]; > + sa_idx = traffic->ipv4.res[i] & PROTECT_MASK; > + if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) { > + rte_pktmbuf_free(m); > + continue; > + } > + traffic->ipv4.pkts[j++] = m; > + } > + traffic->ipv4.num = j; > +} > + > +static inline void > +process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) > +{ > + struct sa_ctx *sa_ctx = ctx->sa_ipv4_out; > + struct sp_ctx *sp_ctx = ctx->sp_ipv4_out; > + struct rte_mbuf *m; > + uint16_t idx, nb_pkts_out, i, j; > + uint32_t sa_idx, res; > + struct ipsec_ctx ipsec_ctx; > + struct lcore_conf *qconf; > + > + qconf = &lcore_conf[rte_lcore_id()]; > + ipsec_ctx.cdev = qconf->cdev; > + ipsec_ctx.queue = qconf->cdev_q; > + ipsec_ctx.sa_ctx = sa_ctx; > + > + rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, > + traffic->ipv4.res, traffic->ipv4.num, > + DEFAULT_MAX_CATEGORIES); IMO, an option for single SA based outbound processing would be useful measuring performance bottlenecks with SA lookup. > + j = 0; > + for (i = 0; i < traffic->ipv4.num; i++) { > + m = traffic->ipv4.pkts[i]; > + res = traffic->ipv4.res[i]; > + sa_idx = res & PROTECT_MASK; > + if (res & DISCARD) { > + rte_pktmbuf_free(m); > + } else if (sa_idx != 0) { > + traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx; > + traffic->ipsec4.pkts[traffic->ipsec4.num++] = m; > + } else /* BYPASS */ > + traffic->ipv4.pkts[j++] = m; > + } > + traffic->ipv4.num = j; > + > + nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts, > + traffic->ipsec4.res, traffic->ipsec4.num, > + MAX_PKT_BURST); > + > + for (i = 0; i < nb_pkts_out; i++) { > + idx = traffic->ipv4.num++; > + m = traffic->ipsec4.pkts[i]; > + traffic->ipv4.pkts[idx] = m; > + } > +} > + > +static inline void > +route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) > +{ > + uint16_t hop[MAX_PKT_BURST * 2]; > + uint32_t dst_ip[MAX_PKT_BURST * 2]; > + uint16_t i, offset; > + > + if (nb_pkts == 0) > + return; > + > + for (i = 0; i < nb_pkts; i++) { > + offset = offsetof(struct ip, ip_dst); > + dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i], > + uint32_t *, offset); > + dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]); > + } > + > + rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts); > + > + for (i = 0; i < nb_pkts; i++) { > + if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) { > + rte_pktmbuf_free(pkts[i]); > + continue; > + } > + send_single_packet(pkts[i], hop[i] & 0xff); > + } > +} > + > +static inline void > +process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts, > + uint8_t nb_pkts, uint8_t portid) > +{ > + struct ipsec_traffic traffic; > + > + prepare_traffic(pkts, &traffic, nb_pkts); > + > + if (UNPROTECTED_PORT(portid)) > + process_pkts_inbound(ctx, &traffic); > + else > + process_pkts_outbound(ctx, &traffic); > + > + route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num); > +} > + > +static inline void > +drain_buffers(struct lcore_conf *qconf) > +{ > + struct buffer *buf; > + unsigned portid; > + > + for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) { > + buf = &qconf->tx_mbufs[portid]; > + if (buf->len == 0) > + continue; > + send_burst(qconf, buf->len, portid); > + buf->len = 0; > + } > +} > + > +/* main processing loop */ > +static int > +main_loop(__attribute__((unused)) void *dummy) > +{ > + struct rte_mbuf *pkts[MAX_PKT_BURST]; > + unsigned lcore_id; > + uint64_t prev_tsc, diff_tsc, cur_tsc; > + int i, nb_rx; > + uint8_t portid, queueid; > + struct lcore_conf *qconf; > + int socket_id; > + const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1) > + / US_PER_S * BURST_TX_DRAIN_US; > + struct socket_ctx *ctx; > + struct lcore_rx_queue *rxql; > + > + prev_tsc = 0; > + lcore_id = rte_lcore_id(); > + qconf = &lcore_conf[lcore_id]; > + rxql = qconf->rx_queue_list; > + socket_id = rte_lcore_to_socket_id(lcore_id); > + > + ctx = &socket_ctx[socket_id]; > + > + if (qconf->nb_rx_queue == 0) { > + RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id); > + return 0; > + } > + > + RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id); > + > + for (i = 0; i < qconf->nb_rx_queue; i++) { > + portid = rxql[i].port_id; > + queueid = rxql[i].queue_id; > + RTE_LOG(INFO, IPSEC, > + " -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n", > + lcore_id, portid, queueid); > + } > + > + while (1) { > + cur_tsc = rte_rdtsc(); > + > + /* TX queue buffer drain */ > + diff_tsc = cur_tsc - prev_tsc; > + > + if (unlikely(diff_tsc > drain_tsc)) { > + drain_buffers(qconf); > + prev_tsc = cur_tsc; > + } > + > + /* Read packet from RX queues */ > + for (i = 0; i < qconf->nb_rx_queue; ++i) { > + portid = rxql[i].port_id; > + queueid = rxql[i].queue_id; > + nb_rx = rte_eth_rx_burst(portid, queueid, > + pkts, MAX_PKT_BURST); > + > + if (nb_rx > 0) > + process_pkts(ctx, pkts, nb_rx, portid); > + } > + } > +} > + > +static int > +check_params(void) > +{ > + uint8_t lcore, portid, nb_ports; > + uint16_t i; > + int socket_id; > + > + if (lcore_params == NULL) { > + printf("Error: No port/queue/core mappings\n"); > + return -1; > + } > + > + nb_ports = rte_eth_dev_count(); > + if (nb_ports > RTE_MAX_ETHPORTS) > + nb_ports = RTE_MAX_ETHPORTS; > + > + for (i = 0; i < nb_lcore_params; ++i) { > + lcore = lcore_params[i].lcore_id; > + if (!rte_lcore_is_enabled(lcore)) { > + printf("error: lcore %hhu is not enabled in " > + "lcore mask\n", lcore); > + return -1; > + } > + socket_id = rte_lcore_to_socket_id(lcore); > + if (socket_id != 0 && numa_on == 0) { > + printf("warning: lcore %hhu is on socket %d " > + "with numa off\n", > + lcore, socket_id); > + } > + portid = lcore_params[i].port_id; > + if ((enabled_port_mask & (1 << portid)) == 0) { > + printf("port %u is not enabled in port mask\n", portid); > + return -1; > + } > + if (portid >= nb_ports) { > + printf("port %u is not present on the board\n", portid); > + return -1; > + } > + } > + return 0; > +} > + > +static uint8_t > +get_port_nb_rx_queues(const uint8_t port) > +{ > + int queue = -1; > + uint16_t i; > + > + for (i = 0; i < nb_lcore_params; ++i) { > + if (lcore_params[i].port_id == port && > + lcore_params[i].queue_id > queue) > + queue = lcore_params[i].queue_id; > + } > + return (uint8_t)(++queue); > +} > + > +static int > +init_lcore_rx_queues(void) > +{ > + uint16_t i, nb_rx_queue; > + uint8_t lcore; > + > + for (i = 0; i < nb_lcore_params; ++i) { > + lcore = lcore_params[i].lcore_id; > + nb_rx_queue = lcore_conf[lcore].nb_rx_queue; > + if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) { > + printf("error: too many queues (%u) for lcore: %u\n", > + nb_rx_queue + 1, lcore); > + return -1; > + } > + lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id = > + lcore_params[i].port_id; > + lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id = > + lcore_params[i].queue_id; > + lcore_conf[lcore].nb_rx_queue++; > + } > + return 0; > +} > + > +/* display usage */ > +static void > +print_usage(const char *prgname) > +{ > + printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK" > + " --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]" > + " --EP0|--EP1 --cdev AESNI|QAT\n" > + " -p PORTMASK: hexadecimal bitmask of ports to configure\n" > + " -P : enable promiscuous mode\n" > + " -u PORTMASK: hexadecimal bitmask of unprotected ports\n" > + " --"OPTION_CONFIG": (port,queue,lcore): " > + "rx queues configuration\n" > + " --cdev AESNI | QAT\n" > + " --EP0: Configure as Endpoint 0\n" > + " --EP1: Configure as Endpoint 1\n", prgname); > +} > + > +static int > +parse_portmask(const char *portmask) > +{ > + char *end = NULL; > + unsigned long pm; > + > + /* parse hexadecimal string */ > + pm = strtoul(portmask, &end, 16); > + if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0')) > + return -1; > + > + if (pm == 0) > + return -1; > + > + return pm; > +} > + > +static int > +parse_config(const char *q_arg) > +{ > + char s[256]; > + const char *p, *p0 = q_arg; > + char *end; > + enum fieldnames { > + FLD_PORT = 0, > + FLD_QUEUE, > + FLD_LCORE, > + _NUM_FLD > + }; > + unsigned long int_fld[_NUM_FLD]; > + char *str_fld[_NUM_FLD]; > + int i; > + unsigned size; > + > + nb_lcore_params = 0; > + > + while ((p = strchr(p0, '(')) != NULL) { > + ++p; > + p0 = strchr(p, ')'); > + if (p0 == NULL) > + return -1; > + > + size = p0 - p; > + if (size >= sizeof(s)) > + return -1; > + > + snprintf(s, sizeof(s), "%.*s", size, p); > + if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') != > + _NUM_FLD) > + return -1; > + for (i = 0; i < _NUM_FLD; i++) { > + errno = 0; > + int_fld[i] = strtoul(str_fld[i], &end, 0); > + if (errno != 0 || end == str_fld[i] || int_fld[i] > 255) > + return -1; > + } > + if (nb_lcore_params >= MAX_LCORE_PARAMS) { > + printf("exceeded max number of lcore params: %hu\n", > + nb_lcore_params); > + return -1; > + } > + lcore_params_array[nb_lcore_params].port_id = > + (uint8_t)int_fld[FLD_PORT]; > + lcore_params_array[nb_lcore_params].queue_id = > + (uint8_t)int_fld[FLD_QUEUE]; > + lcore_params_array[nb_lcore_params].lcore_id = > + (uint8_t)int_fld[FLD_LCORE]; > + ++nb_lcore_params; > + } > + lcore_params = lcore_params_array; > + return 0; > +} > + > +#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt))) > +static int > +parse_args_long_options(struct option *lgopts, int option_index) > +{ > + int ret = -1; > + const char *optname = lgopts[option_index].name; > + > + if (__STRNCMP(optname, OPTION_CONFIG)) { > + ret = parse_config(optarg); > + if (ret) > + printf("invalid config\n"); > + } > + > + if (__STRNCMP(optname, OPTION_EP0)) { > + printf("endpoint 0\n"); > + ep = 0; > + ret = 0; > + } > + > + if (__STRNCMP(optname, OPTION_EP1)) { > + printf("endpoint 1\n"); > + ep = 1; > + ret = 0; > + } > + > + if (__STRNCMP(optname, OPTION_CDEV_TYPE)) { > + if (__STRNCMP(optarg, "AESNI")) { > + cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD; > + ret = 0; > + } else if (__STRNCMP(optarg, "QAT")) { > + cdev_type = RTE_CRYPTODEV_QAT_PMD; > + ret = 0; > + } > + } > + > + return ret; > +} > +#undef __STRNCMP > + > +static int > +parse_args(int argc, char **argv) > +{ > + int opt, ret; > + char **argvopt; > + int option_index; > + char *prgname = argv[0]; > + static struct option lgopts[] = { > + {OPTION_CONFIG, 1, 0, 0}, > + {OPTION_EP0, 0, 0, 0}, > + {OPTION_EP1, 0, 0, 0}, > + {OPTION_CDEV_TYPE, 1, 0, 0}, > + {NULL, 0, 0, 0} > + }; > + > + argvopt = argv; > + > + while ((opt = getopt_long(argc, argvopt, "p:Pu:", > + lgopts, &option_index)) != EOF) { > + > + switch (opt) { > + case 'p': > + enabled_port_mask = parse_portmask(optarg); > + if (enabled_port_mask == 0) { > + printf("invalid portmask\n"); > + print_usage(prgname); > + return -1; > + } > + break; > + case 'P': > + printf("Promiscuous mode selected\n"); > + promiscuous_on = 1; > + break; > + case 'u': > + unprotected_port_mask = parse_portmask(optarg); > + if (unprotected_port_mask == 0) { > + printf("invalid unprotected portmask\n"); > + print_usage(prgname); > + return -1; > + } > + break; > + case 0: > + if (parse_args_long_options(lgopts, option_index)) { > + print_usage(prgname); > + return -1; > + } > + break; > + default: > + print_usage(prgname); > + return -1; > + } > + } > + > + if (optind >= 0) > + argv[optind-1] = prgname; > + > + ret = optind-1; > + optind = 0; /* reset getopt lib */ > + return ret; > +} > + > +static void > +print_ethaddr(const char *name, const struct ether_addr *eth_addr) > +{ > + char buf[ETHER_ADDR_FMT_SIZE]; > + ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr); > + printf("%s%s", name, buf); > +} > + > +/* Check the link status of all ports in up to 9s, and print them finally */ > +static void > +check_all_ports_link_status(uint8_t port_num, uint32_t port_mask) > +{ > +#define CHECK_INTERVAL 100 /* 100ms */ > +#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */ > + uint8_t portid, count, all_ports_up, print_flag = 0; > + struct rte_eth_link link; > + > + printf("\nChecking link status"); > + fflush(stdout); > + for (count = 0; count <= MAX_CHECK_TIME; count++) { > + all_ports_up = 1; > + for (portid = 0; portid < port_num; portid++) { > + if ((port_mask & (1 << portid)) == 0) > + continue; > + memset(&link, 0, sizeof(link)); > + rte_eth_link_get_nowait(portid, &link); > + /* print link status if flag set */ > + if (print_flag == 1) { > + if (link.link_status) > + printf("Port %d Link Up - speed %u " > + "Mbps - %s\n", (uint8_t)portid, > + (unsigned)link.link_speed, > + (link.link_duplex == ETH_LINK_FULL_DUPLEX) ? > + ("full-duplex") : ("half-duplex\n")); > + else > + printf("Port %d Link Down\n", > + (uint8_t)portid); > + continue; > + } > + /* clear all_ports_up flag if any link down */ > + if (link.link_status == 0) { > + all_ports_up = 0; > + break; > + } > + } > + /* after finally printing all link status, get out */ > + if (print_flag == 1) > + break; > + > + if (all_ports_up == 0) { > + printf("."); > + fflush(stdout); > + rte_delay_ms(CHECK_INTERVAL); > + } > + > + /* set the print_flag if all ports up or timeout */ > + if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) { > + print_flag = 1; > + printf("done\n"); > + } > + } > +} > + > +static uint16_t > +find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id) > +{ > + uint16_t cdev_id, cnt; > + struct rte_cryptodev_info info; > + > + cnt = rte_cryptodev_count(); > + for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) { > + rte_cryptodev_info_get(cdev_id, &info); > + if (info.dev_type == cdev_type) > + return cdev_id; > + } > + > + return -1; > +} > + > +static uint16_t > +find_cdev_socket(int socket_id, unsigned cdev_type) > +{ > + uint16_t cdev_id, cnt; > + struct rte_cryptodev_info info; > + int cdev_socket; > + > + cnt = rte_cryptodev_count(); > + for (cdev_id = 0; cdev_id < cnt; cdev_id++) { > + rte_cryptodev_info_get(cdev_id, &info); > + cdev_socket = rte_cryptodev_socket_id(cdev_id); > + if ((info.dev_type == cdev_type) && (cdev_socket == socket_id)) > + return cdev_id; > + } > + > + return -1; > +} > + > +static int > +cryptodevs_init(void) > +{ > + struct rte_cryptodev_config dev_conf; > + struct rte_cryptodev_qp_conf qp_conf; > + struct lcore_conf *qconf; > + uint16_t cnt, lcore_id, cdev_id; > + int ret, i, socket_id; > + > + if (cdev_type == RTE_CRYPTODEV_QAT_PMD) { > + cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD); > + printf("Found %u QAT devices\n", cnt); > + if (cnt < nb_lcores) > + rte_panic("Not enough QAT devices detected, " > + "need %u (1 per core), found %d\n", > + nb_lcores, cnt); > + } else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { > + printf("Initializing %u AESNI vdevs\n", rte_lcore_count()); Is it possible to remove PMD specific Initialization code from the application and move driver layer so that new crypto pmd inclusion will not have any change in this place. > + for (i = 0; i < (int)rte_lcore_count(); i++) { > + ret = rte_eal_vdev_init( > + CRYPTODEV_NAME_AESNI_MB_PMD, > + NULL); > + if (ret < 0) > + rte_panic("Failed to create AESNI-MB vdev\n"); > + } > + } else > + rte_panic("Need to set cryptodev type option --cdev\n"); > + > + cdev_id = 0; > + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > + if (rte_lcore_is_enabled(lcore_id) == 0) > + continue; > + > + socket_id = rte_lcore_to_socket_id(lcore_id); > + cdev_id = find_next_cdev(cdev_type, cdev_id); > + qconf = &lcore_conf[lcore_id]; > + qconf->cdev = cdev_id; > + qconf->cdev_q = 0; > + if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { > + dev_conf.socket_id = socket_id; > + printf("Initializing AESNI-MB device %u socket %u\n", > + cdev_id, socket_id); > + } else { > + dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id); > + printf("Initialising QAT device %u\n", cdev_id); > + } > + > + dev_conf.nb_queue_pairs = 1; > + dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS; > + dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ; > + > + if (rte_cryptodev_configure(cdev_id, &dev_conf)) > + rte_panic("Failed to initialize crypodev %u\n", > + cdev_id); > + > + qp_conf.nb_descriptors = CDEV_MP_NB_OBJS; > + if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf, > + dev_conf.socket_id)) > + rte_panic("Failed to setup queue %u for cdev_id %u\n", > + 0, cdev_id); > + cdev_id++; > + } > + > + return 0; > +} > + > +static void > +port_init(uint8_t portid) > +{ > + struct rte_eth_dev_info dev_info; > + struct rte_eth_txconf *txconf; > + uint16_t nb_tx_queue, nb_rx_queue; > + uint16_t tx_queueid, rx_queueid, queue, lcore_id; > + int ret, socket_id; > + struct lcore_conf *qconf; > + struct ether_addr ethaddr; > + > + rte_eth_dev_info_get(portid, &dev_info); > + > + printf("Configuring device port %u:\n", portid); > + > + rte_eth_macaddr_get(portid, ðaddr); > + ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr); > + print_ethaddr("Address: ", ðaddr); > + printf("\n"); > + > + nb_rx_queue = get_port_nb_rx_queues(portid); > + nb_tx_queue = nb_lcores; > + > + if (nb_rx_queue > dev_info.max_rx_queues) > + rte_exit(EXIT_FAILURE, "Error: queue %u not available " > + "(max rx queue is %u)\n", > + nb_rx_queue, dev_info.max_rx_queues); > + > + if (nb_tx_queue > dev_info.max_tx_queues) > + rte_exit(EXIT_FAILURE, "Error: queue %u not available " > + "(max tx queue is %u)\n", > + nb_tx_queue, dev_info.max_tx_queues); > + > + printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n", > + nb_rx_queue, nb_tx_queue); > + > + ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue, > + &port_conf); > + if (ret < 0) > + rte_exit(EXIT_FAILURE, "Cannot configure device: " > + "err=%d, port=%d\n", ret, portid); > + > + /* init one TX queue per lcore */ > + tx_queueid = 0; > + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > + if (rte_lcore_is_enabled(lcore_id) == 0) > + continue; > + > + if (numa_on) > + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); > + else > + socket_id = 0; > + > + /* init TX queue */ > + printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id); > + > + txconf = &dev_info.default_txconf; > + txconf->txq_flags = 0; > + > + ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd, > + socket_id, txconf); > + if (ret < 0) > + rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: " > + "err=%d, port=%d\n", ret, portid); > + > + qconf = &lcore_conf[lcore_id]; > + qconf->tx_queue_id[portid] = tx_queueid; > + tx_queueid++; > + > + /* init RX queues */ > + for (queue = 0; queue < qconf->nb_rx_queue; ++queue) { > + if (portid != qconf->rx_queue_list[queue].port_id) > + continue; > + > + rx_queueid = qconf->rx_queue_list[queue].queue_id; > + > + printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid, > + socket_id); > + > + ret = rte_eth_rx_queue_setup(portid, rx_queueid, > + nb_rxd, socket_id, NULL, > + socket_ctx[socket_id].mbuf_pool); > + if (ret < 0) > + rte_exit(EXIT_FAILURE, > + "rte_eth_rx_queue_setup: err=%d, " > + "port=%d\n", ret, portid); > + } > + } > + printf("\n"); > +} > + > +static void > +pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf) > +{ > + char s[64]; > + > + snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id); > + ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf, > + MEMPOOL_CACHE_SIZE, ipsec_metadata_size(), > + RTE_MBUF_DEFAULT_BUF_SIZE, > + socket_id); > + if (ctx->mbuf_pool == NULL) > + rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n", > + socket_id); > + else > + printf("Allocated mbuf pool on socket %d\n", socket_id); > +} > + > +int > +main(int argc, char **argv) > +{ > + int ret; > + unsigned lcore_id, nb_ports; > + uint8_t portid, socket_id; > + > + /* init EAL */ > + ret = rte_eal_init(argc, argv); > + if (ret < 0) > + rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n"); > + argc -= ret; > + argv += ret; > + > + /* parse application arguments (after the EAL ones) */ > + ret = parse_args(argc, argv); > + if (ret < 0) > + rte_exit(EXIT_FAILURE, "Invalid parameters\n"); > + > + if (ep < 0) > + rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n"); > + > + if ((unprotected_port_mask & enabled_port_mask) != > + unprotected_port_mask) > + rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n", > + unprotected_port_mask); > + > + nb_ports = rte_eth_dev_count(); > + if (nb_ports > RTE_MAX_ETHPORTS) > + nb_ports = RTE_MAX_ETHPORTS; > + > + if (check_params() < 0) > + rte_exit(EXIT_FAILURE, "check_params failed\n"); > + > + ret = init_lcore_rx_queues(); > + if (ret < 0) > + rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n"); > + > + nb_lcores = rte_lcore_count(); > + > + cryptodevs_init(); > + > + /* Replicate each contex per socket */ > + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > + if (rte_lcore_is_enabled(lcore_id) == 0) > + continue; > + > + if (numa_on) > + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); > + else > + socket_id = 0; > + > + if (socket_ctx[socket_id].mbuf_pool) > + continue; > + > + sa_init(&socket_ctx[socket_id], socket_id, ep, > + find_cdev_socket(socket_id, cdev_type)); > + > + sp_init(&socket_ctx[socket_id], socket_id, ep); > + > + rt_init(&socket_ctx[socket_id], socket_id, ep); > + > + pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); > + } > + > + for (portid = 0; portid < nb_ports; portid++) { > + if ((enabled_port_mask & (1 << portid)) == 0) > + continue; > + > + port_init(portid); > + } > + > + /* start ports */ > + for (portid = 0; portid < nb_ports; portid++) { > + if ((enabled_port_mask & (1 << portid)) == 0) > + continue; > + > + /* Start device */ > + ret = rte_eth_dev_start(portid); > + if (ret < 0) > + rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " > + "err=%d, port=%d\n", ret, portid); > + /* > + * If enabled, put device in promiscuous mode. > + * This allows IO forwarding mode to forward packets > + * to itself through 2 cross-connected ports of the > + * target machine. > + */ > + if (promiscuous_on) > + rte_eth_promiscuous_enable(portid); > + } > + > + check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask); > + > + /* launch per-lcore init on every lcore */ > + rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER); > + RTE_LCORE_FOREACH_SLAVE(lcore_id) { > + if (rte_eal_wait_lcore(lcore_id) < 0) > + return -1; > + } > + > + return 0; > +} > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > new file mode 100644 > index 0000000..83e3326 > --- /dev/null > +++ b/examples/ipsec-secgw/ipsec.c > @@ -0,0 +1,138 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +#include <netinet/in.h> > +#include <netinet/ip.h> > + > +#include <rte_branch_prediction.h> > +#include <rte_log.h> > +#include <rte_crypto.h> > +#include <rte_cryptodev.h> > +#include <rte_mbuf.h> > + > +#include "ipsec.h" > + > +static inline uint16_t > +ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[], > + struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts) > +{ > + int ret, i, j; > + struct ipsec_mbuf_metadata *priv; > + struct rte_mbuf_offload *ol; > + struct ipsec_sa *sa; > + > + j = 0; > + for (i = 0; i < nb_pkts; i++) { > + rte_prefetch0(sas[i]); > + rte_prefetch0(pkts[i]); > + > + priv = get_priv(pkts[i]); > + ol = &priv->ol; > + sa = sas[i]; > + priv->sa = sa; > + > + IPSEC_ASSERT(sa != NULL); > + > + __rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO); > + > + rte_crypto_op_attach_session(&ol->op.crypto, > + sa->crypto_session); > + > + pkts[i]->offload_ops = ol; > + > + ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto); > + if (unlikely(ret)) > + rte_pktmbuf_free(pkts[i]); > + else > + pkts[j++] = pkts[i]; > + } > + nb_pkts = j; > + > + ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts); > + if (ret < nb_pkts) { > + IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" > + " enqueued %u packets (out of %u)\n", > + cdev_id, qp_id, ret, nb_pkts); > + for (i = ret; i < nb_pkts; i++) > + rte_pktmbuf_free(pkts[i]); > + } > + > + nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts); > + if ((nb_pkts != 0) && (nb_pkts < max_pkts)) > + IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" > + " dequeued %u packets (out of %u)\n", > + cdev_id, qp_id, nb_pkts, max_pkts); > + > + j = 0; > + for (i = 0; i < nb_pkts; i++) { > + rte_prefetch0(pkts[i]); > + > + priv = get_priv(pkts[i]); > + ol = &priv->ol; > + sa = priv->sa; > + rte_prefetch0(sa); > + > + IPSEC_ASSERT(sa != NULL); > + > + ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto); > + if (unlikely(ret)) > + rte_pktmbuf_free(pkts[i]); > + else > + pkts[j++] = pkts[i]; > + } > + > + /* return packets */ > + return j; > +} > + > +uint16_t > +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > + uint16_t nb_pkts, uint16_t len) > +{ > + struct ipsec_sa *sas[nb_pkts]; > + > + inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts); > + > + return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); > +} > + > +uint16_t > +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len) > +{ > + struct ipsec_sa *sas[nb_pkts]; > + > + outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts); > + > + return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); > +} > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > new file mode 100644 > index 0000000..abf9d5f > --- /dev/null > +++ b/examples/ipsec-secgw/ipsec.h > @@ -0,0 +1,184 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +#ifndef __IPSEC_H__ > +#define __IPSEC_H__ > + > +#include <stdint.h> > +#include <netinet/in.h> > +#include <netinet/ip.h> > + > +#include <rte_mbuf_offload.h> > +#include <rte_byteorder.h> > +#include <rte_ip.h> > + > +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 > +#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 > +#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3 > + > +#ifdef IPSEC_DEBUG > +#define IPSEC_ASSERT(exp) \ > +if (!(exp)) { \ > + rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \ > +} > + > +#define IPSEC_LOG RTE_LOG > +#else > +#define IPSEC_ASSERT(exp) do {} while (0) > +#define IPSEC_LOG(...) do {} while (0) > +#endif /* IPSEC_DEBUG */ > + > +#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ > + > +#define uint32_t_to_char(ip, a, b, c, d) do {\ > + *a = (unsigned char)(ip >> 24 & 0xff);\ > + *b = (unsigned char)(ip >> 16 & 0xff);\ > + *c = (unsigned char)(ip >> 8 & 0xff);\ > + *d = (unsigned char)(ip & 0xff);\ > + } while (0) > + > +#define DEFAULT_MAX_CATEGORIES 1 > + > +#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */ > +#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) > +#define INVALID_SPI (0) > + > +#define DISCARD (0x80000000) > +#define BYPASS (0x40000000) > +#define PROTECT_MASK (0x3fffffff) > +#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ > + > +#define IPSEC_XFORM_MAX 2 > + > +struct rte_crypto_xform; > +struct ipsec_xform; > +struct rte_cryptodev_session; > +struct rte_mbuf; > + > +struct replay { > + uint32_t seq_h; > +}; > + > +struct lifetime { > + uint64_t bytes; > + uint64_t seconds; > +}; > + > +struct ipsec_sa; > + > +typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa, > + struct rte_crypto_op *cop); > + > +struct ipsec_sa { > + uint32_t spi; > + uint32_t seq; > + uint32_t src; > + uint32_t dst; > + struct rte_cryptodev_session *crypto_session; > + struct rte_crypto_xform *xforms; > + enum rte_crypto_cipher_algorithm cipher_algo; > + enum rte_crypto_auth_algorithm auth_algo; > + uint16_t digest_len; > + uint16_t iv_len; > + uint16_t block_size; > + ipsec_xform_fn pre_crypto; > + ipsec_xform_fn post_crypto; > + uint32_t flags; > + /* does not apply if no automated SA management (IKE) support */ > + struct lifetime current; > + struct lifetime soft; > + struct lifetime hard; > + struct replay replay; > +} __rte_cache_aligned; > + > +struct ipsec_mbuf_metadata { > + struct ipsec_sa *sa; > + struct rte_mbuf_offload ol; > +}; > + > +struct ipsec_ctx { > + uint16_t cdev; > + uint16_t queue; > + struct sa_ctx *sa_ctx; > +}; > + > +struct socket_ctx { > + struct sa_ctx *sa_ipv4_in; > + struct sa_ctx *sa_ipv4_out; > + struct sp_ctx *sp_ipv4_in; > + struct sp_ctx *sp_ipv4_out; > + struct rt_ctx *rt_ipv4; > + struct rte_mempool *mbuf_pool; > +}; > + > +uint16_t > +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > + uint16_t nb_pkts, uint16_t len); > + > +uint16_t > +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len); > + > +static inline uint16_t > +ipsec_metadata_size(void) > +{ > + return sizeof(struct ipsec_mbuf_metadata); > +} > + > +static inline struct ipsec_mbuf_metadata * > +get_priv(struct rte_mbuf *m) > +{ > + return RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); > +} > + > +int > +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); > + > +void > +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], > + struct ipsec_sa *sa[], uint16_t nb_pkts); > + > +void > +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], > + struct ipsec_sa *sa[], uint16_t nb_pkts); > + > +void > +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep); > + > +void > +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id); > + > +void > +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep); > + > +#endif /* __IPSEC_H__ */ > diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c > new file mode 100644 > index 0000000..82064b2 > --- /dev/null > +++ b/examples/ipsec-secgw/rt.c > @@ -0,0 +1,131 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +/* > + * Routing Table (RT) > + */ > +#include <rte_lpm.h> > +#include <rte_errno.h> > + > +#include "ipsec.h" > + > +#define RT_IPV4_MAX_RULES 64 > + > +struct ipv4_route { > + uint32_t ip; > + uint8_t depth; > + uint8_t if_out; > +}; > + > +/* In the default routing table we have: > + * ep0 protected ports 0 and 1, and unprotected ports 2 and 3. > + */ > +static struct ipv4_route rt_ipv4_ep0[] = { > + { IPv4(172, 16, 2, 5), 32, 0 }, > + { IPv4(172, 16, 2, 6), 32, 0 }, > + { IPv4(172, 16, 2, 7), 32, 1 }, > + { IPv4(172, 16, 2, 8), 32, 1 }, > + > + { IPv4(192, 168, 115, 0), 24, 2 }, > + { IPv4(192, 168, 116, 0), 24, 2 }, > + { IPv4(192, 168, 117, 0), 24, 3 }, > + { IPv4(192, 168, 118, 0), 24, 3 } > +}; > + > +/* In the default routing table we have: > + * ep1 protected ports 0 and 1, and unprotected ports 2 and 3. > + */ > +static struct ipv4_route rt_ipv4_ep1[] = { > + { IPv4(172, 16, 1, 5), 32, 2 }, > + { IPv4(172, 16, 1, 6), 32, 2 }, > + { IPv4(172, 16, 1, 7), 32, 3 }, > + { IPv4(172, 16, 1, 8), 32, 3 }, > + > + { IPv4(192, 168, 105, 0), 24, 0 }, > + { IPv4(192, 168, 106, 0), 24, 0 }, > + { IPv4(192, 168, 107, 0), 24, 1 }, > + { IPv4(192, 168, 108, 0), 24, 1 } > +}; > + > +void > +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep) > +{ > + char name[PATH_MAX]; > + unsigned i; > + int ret; > + struct rte_lpm *lpm; > + struct ipv4_route *rt; > + char a, b, c, d; > + unsigned nb_routes; > + > + if (ctx == NULL) > + rte_exit(EXIT_FAILURE, "NULL context.\n"); > + > + if (ctx->rt_ipv4 != NULL) > + rte_exit(EXIT_FAILURE, "Routing Table for socket %u already " > + "initialized\n", socket_id); > + > + printf("Creating Routing Table (RT) context with %u max routes\n", > + RT_IPV4_MAX_RULES); > + > + if (ep == 0) { > + rt = rt_ipv4_ep0; > + nb_routes = RTE_DIM(rt_ipv4_ep0); > + } else if (ep == 1) { > + rt = rt_ipv4_ep1; > + nb_routes = RTE_DIM(rt_ipv4_ep1); > + } else > + rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 " > + "supported.\n", ep); > + > + /* create the LPM table */ > + snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id); > + lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0); > + if (lpm == NULL) > + rte_exit(EXIT_FAILURE, "Unable to create LPM table " > + "on socket %d\n", socket_id); > + > + /* populate the LPM table */ > + for (i = 0; i < nb_routes; i++) { > + ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out); > + if (ret < 0) > + rte_exit(EXIT_FAILURE, "Unable to add entry num %u to " > + "LPM table on socket %d\n", i, socket_id); > + > + uint32_t_to_char(rt[i].ip, &a, &b, &c, &d); > + printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n", > + a, b, c, d, rt[i].depth, rt[i].if_out); > + } > + > + ctx->rt_ipv4 = (struct rt_ctx *)lpm; > +} > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > new file mode 100644 > index 0000000..5ea7592 > --- /dev/null > +++ b/examples/ipsec-secgw/sa.c > @@ -0,0 +1,391 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +/* > + * Security Associations > + */ > +#include <netinet/ip.h> > + > +#include <rte_memzone.h> > +#include <rte_crypto.h> > +#include <rte_cryptodev.h> > +#include <rte_byteorder.h> > +#include <rte_errno.h> > + > +#include "ipsec.h" > +#include "esp.h" > + > +/* SAs EP0 Outbound */ > +const struct ipsec_sa sa_ep0_out[] = { > + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_outbound_pre_crypto, > + esp4_tunnel_outbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_outbound_pre_crypto, > + esp4_tunnel_outbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_outbound_pre_crypto, > + esp4_tunnel_outbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, IMO, a SA with NULL crypto (rfc2410) operation will be useful for ESP packet processing debugging and measuring the performance impact with the crypto block in fast path. > + 12, 16, 16, > + esp4_tunnel_outbound_pre_crypto, > + esp4_tunnel_outbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > +}; > + > +/* SAs EP0 Inbound */ > +const struct ipsec_sa sa_ep0_in[] = { > + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_inbound_pre_crypto, > + esp4_tunnel_inbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_inbound_pre_crypto, > + esp4_tunnel_inbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_inbound_pre_crypto, > + esp4_tunnel_inbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_inbound_pre_crypto, > + esp4_tunnel_inbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > +}; > + > +/* SAs EP1 Outbound */ > +const struct ipsec_sa sa_ep1_out[] = { > + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_outbound_pre_crypto, > + esp4_tunnel_outbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_outbound_pre_crypto, > + esp4_tunnel_outbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_outbound_pre_crypto, > + esp4_tunnel_outbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_outbound_pre_crypto, > + esp4_tunnel_outbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > +}; > + > +/* SAs EP1 Inbound */ > +const struct ipsec_sa sa_ep1_in[] = { > + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_inbound_pre_crypto, > + esp4_tunnel_inbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_inbound_pre_crypto, > + esp4_tunnel_inbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_inbound_pre_crypto, > + esp4_tunnel_inbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), > + NULL, NULL, > + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > + 12, 16, 16, > + esp4_tunnel_inbound_pre_crypto, > + esp4_tunnel_inbound_post_crypto, > + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > +}; > + > +static uint8_t cipher_key[256] = "sixteenbytes key"; > + > +/* AES CBC xform */ > +const struct rte_crypto_xform aescbc_enc_xf = { > + NULL, > + RTE_CRYPTO_XFORM_CIPHER, > + .cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC, > + .key = { cipher_key, 0, 16 } } > +}; > + > +const struct rte_crypto_xform aescbc_dec_xf = { > + NULL, > + RTE_CRYPTO_XFORM_CIPHER, > + .cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC, > + .key = { cipher_key, 0, 16 } } > +}; > + > +static uint8_t auth_key[256] = "twentybytes hash key"; > + > +/* SHA1 HMAC xform */ > +const struct rte_crypto_xform sha1hmac_gen_xf = { > + NULL, > + RTE_CRYPTO_XFORM_AUTH, > + .auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC, > + .key = { auth_key, 0, 20 }, 12, 0 } > +}; > + > +const struct rte_crypto_xform sha1hmac_verify_xf = { > + NULL, > + RTE_CRYPTO_XFORM_AUTH, > + .auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC, > + .key = { auth_key, 0, 20 }, 12, 0 } > +}; > + > +struct sa_ctx { > + struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES]; > + struct { > + struct rte_crypto_xform a; > + struct rte_crypto_xform b; > + } xf[IPSEC_SA_MAX_ENTRIES]; > +}; > + > +static struct sa_ctx * > +sa_ipv4_create(const char *name, int socket_id) > +{ > + char s[PATH_MAX]; > + struct sa_ctx *sa_ctx; > + unsigned mz_size; > + const struct rte_memzone *mz; > + > + snprintf(s, sizeof(s), "%s_%u", name, socket_id); > + > + /* Create SA array table */ > + printf("Creating SA context with %u maximum entries\n", > + IPSEC_SA_MAX_ENTRIES); > + > + mz_size = sizeof(struct sa_ctx); > + mz = rte_memzone_reserve(s, mz_size, socket_id, > + RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY); > + if (mz == NULL) { > + printf("Failed to allocate SA DB memory\n"); > + rte_errno = -ENOMEM; > + return NULL; > + } > + > + sa_ctx = (struct sa_ctx *)mz->addr; > + > + return sa_ctx; > +} > + > +static int > +sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > + unsigned nb_entries, uint16_t cdev_id, unsigned inbound) > +{ > + struct ipsec_sa *sa; > + unsigned i, idx; > + > + for (i = 0; i < nb_entries; i++) { > + idx = SPI2IDX(entries[i].spi); > + sa = &sa_ctx->sa[idx]; > + if (sa->spi != 0) { > + printf("Index %u already in use by SPI %u\n", > + idx, sa->spi); > + return -EINVAL; > + } > + *sa = entries[i]; > + sa->src = rte_cpu_to_be_32(sa->src); > + sa->dst = rte_cpu_to_be_32(sa->dst); > + if (inbound) { > + sa_ctx->xf[idx].a = sha1hmac_verify_xf; > + sa_ctx->xf[idx].b = aescbc_dec_xf; > + } else { /* outbound */ > + sa_ctx->xf[idx].a = aescbc_enc_xf; > + sa_ctx->xf[idx].b = sha1hmac_gen_xf; > + } > + sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b; > + sa_ctx->xf[idx].b.next = NULL; > + sa->xforms = &sa_ctx->xf[idx].a; > + > + sa->crypto_session = rte_cryptodev_session_create(cdev_id, > + sa->xforms); > + } > + > + return 0; > +} > + > +static inline int > +sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > + unsigned nb_entries, uint16_t cdev_id) > +{ > + return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0); > +} > + > +static inline int > +sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > + unsigned nb_entries, uint16_t cdev_id) > +{ > + return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1); > +} > + > +void > +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id) > +{ > + const struct ipsec_sa *sa_out_entries, *sa_in_entries; > + unsigned nb_out_entries, nb_in_entries; > + const char *name; > + > + if (ctx == NULL) > + rte_exit(EXIT_FAILURE, "NULL context.\n"); > + > + if (ctx->sa_ipv4_in != NULL) > + rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already " > + "initialized\n", socket_id); > + > + if (ctx->sa_ipv4_out != NULL) > + rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already " > + "initialized\n", socket_id); > + > + if (ep == 0) { > + sa_out_entries = sa_ep0_out; > + nb_out_entries = RTE_DIM(sa_ep0_out); > + sa_in_entries = sa_ep0_in; > + nb_in_entries = RTE_DIM(sa_ep0_in); > + } else if (ep == 1) { > + sa_out_entries = sa_ep1_out; > + nb_out_entries = RTE_DIM(sa_ep1_out); > + sa_in_entries = sa_ep1_in; > + nb_in_entries = RTE_DIM(sa_ep1_in); > + } else > + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " > + "Only 0 or 1 supported.\n", ep); > + > + name = "sa_ipv4_in"; > + ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id); > + if (ctx->sa_ipv4_in == NULL) > + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " > + "in socket %d\n", rte_errno, name, socket_id); > + > + name = "sa_ipv4_out"; > + ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id); > + if (ctx->sa_ipv4_out == NULL) > + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " > + "in socket %d\n", rte_errno, name, socket_id); > + > + sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, > + nb_in_entries, cdev_id); > + > + sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, > + nb_out_entries, cdev_id); > +} > + > +int > +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx) > +{ > + struct ipsec_mbuf_metadata *priv; > + > + priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); > + > + return (sa_ctx->sa[sa_idx].spi == priv->sa->spi); > +} > + > +void > +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], > + struct ipsec_sa *sa[], uint16_t nb_pkts) > +{ > + unsigned i; > + uint32_t *src, spi; > + > + for (i = 0; i < nb_pkts; i++) { > + spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *, > + sizeof(struct ip))->spi; > + if (spi == INVALID_SPI) > + continue; > + > + sa[i] = &sa_ctx->sa[SPI2IDX(spi)]; > + if (spi != sa[i]->spi) { > + sa[i] = NULL; > + continue; > + } > + > + src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *, > + offsetof(struct ip, ip_src)); > + if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1))) > + sa[i] = NULL; > + } > +} > + > +void > +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], > + struct ipsec_sa *sa[], uint16_t nb_pkts) > +{ > + unsigned i; > + > + for (i = 0; i < nb_pkts; i++) > + sa[i] = &sa_ctx->sa[sa_idx[i]]; > +} > diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c > new file mode 100644 > index 0000000..219e478 > --- /dev/null > +++ b/examples/ipsec-secgw/sp.c > @@ -0,0 +1,324 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +/* > + * Security Policies > + */ > +#include <netinet/ip.h> > + > +#include <rte_acl.h> > + > +#include "ipsec.h" > + > +#define MAX_ACL_RULE_NUM 1000 > + > +/* > + * Rule and trace formats definitions. > + */ > +enum { > + PROTO_FIELD_IPV4, > + SRC_FIELD_IPV4, > + DST_FIELD_IPV4, > + SRCP_FIELD_IPV4, > + DSTP_FIELD_IPV4, > + NUM_FIELDS_IPV4 > +}; > + > +/* > + * That effectively defines order of IPV4 classifications: > + * - PROTO > + * - SRC IP ADDRESS > + * - DST IP ADDRESS > + * - PORTS (SRC and DST) > + */ > +enum { > + RTE_ACL_IPV4_PROTO, > + RTE_ACL_IPV4_SRC, > + RTE_ACL_IPV4_DST, > + RTE_ACL_IPV4_PORTS, > + RTE_ACL_IPV4_NUM > +}; > + > +struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = { > + { > + .type = RTE_ACL_FIELD_TYPE_BITMASK, > + .size = sizeof(uint8_t), > + .field_index = PROTO_FIELD_IPV4, > + .input_index = RTE_ACL_IPV4_PROTO, > + .offset = 0, > + }, > + { > + .type = RTE_ACL_FIELD_TYPE_MASK, > + .size = sizeof(uint32_t), > + .field_index = SRC_FIELD_IPV4, > + .input_index = RTE_ACL_IPV4_SRC, > + .offset = offsetof(struct ip, ip_src) - offsetof(struct ip, ip_p) > + }, > + { > + .type = RTE_ACL_FIELD_TYPE_MASK, > + .size = sizeof(uint32_t), > + .field_index = DST_FIELD_IPV4, > + .input_index = RTE_ACL_IPV4_DST, > + .offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p) > + }, > + { > + .type = RTE_ACL_FIELD_TYPE_RANGE, > + .size = sizeof(uint16_t), > + .field_index = SRCP_FIELD_IPV4, > + .input_index = RTE_ACL_IPV4_PORTS, > + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) > + }, > + { > + .type = RTE_ACL_FIELD_TYPE_RANGE, > + .size = sizeof(uint16_t), > + .field_index = DSTP_FIELD_IPV4, > + .input_index = RTE_ACL_IPV4_PORTS, > + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) + > + sizeof(uint16_t) > + }, > +}; > + > +RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs)); > + > +const struct acl4_rules acl4_rules_in[] = { > + { > + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, > + /* destination IPv4 */ > + .field[2] = {.value.u32 = IPv4(192, 168, 105, 0), > + .mask_range.u32 = 24,}, > + /* source port */ > + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > + /* destination port */ > + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > + }, > + { > + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, > + /* destination IPv4 */ > + .field[2] = {.value.u32 = IPv4(192, 168, 106, 0), > + .mask_range.u32 = 24,}, > + /* source port */ > + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > + /* destination port */ > + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > + }, > + { > + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, > + /* destination IPv4 */ > + .field[2] = {.value.u32 = IPv4(192, 168, 107, 0), > + .mask_range.u32 = 24,}, > + /* source port */ > + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > + /* destination port */ > + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > + }, > + { > + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, > + /* destination IPv4 */ > + .field[2] = {.value.u32 = IPv4(192, 168, 108, 0), > + .mask_range.u32 = 24,}, > + /* source port */ > + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > + /* destination port */ > + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > + } > +}; > + > +const struct acl4_rules acl4_rules_out[] = { > + { > + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, > + /* destination IPv4 */ > + .field[2] = {.value.u32 = IPv4(192, 168, 115, 0), > + .mask_range.u32 = 24,}, > + /* source port */ > + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > + /* destination port */ > + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > + }, > + { > + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, > + /* destination IPv4 */ > + .field[2] = {.value.u32 = IPv4(192, 168, 116, 0), > + .mask_range.u32 = 24,}, > + /* source port */ > + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > + /* destination port */ > + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > + }, > + { > + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, > + /* destination IPv4 */ > + .field[2] = {.value.u32 = IPv4(192, 168, 117, 0), > + .mask_range.u32 = 24,}, > + /* source port */ > + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > + /* destination port */ > + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > + }, > + { > + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, > + /* destination IPv4 */ > + .field[2] = {.value.u32 = IPv4(192, 168, 118, 0), > + .mask_range.u32 = 24,}, > + /* source port */ > + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > + /* destination port */ > + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > + } > +}; > + > +static void > +print_one_ipv4_rule(const struct acl4_rules *rule, int extra) > +{ > + unsigned char a, b, c, d; > + > + uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32, > + &a, &b, &c, &d); > + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, > + rule->field[SRC_FIELD_IPV4].mask_range.u32); > + uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32, > + &a, &b, &c, &d); > + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, > + rule->field[DST_FIELD_IPV4].mask_range.u32); > + printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ", > + rule->field[SRCP_FIELD_IPV4].value.u16, > + rule->field[SRCP_FIELD_IPV4].mask_range.u16, > + rule->field[DSTP_FIELD_IPV4].value.u16, > + rule->field[DSTP_FIELD_IPV4].mask_range.u16, > + rule->field[PROTO_FIELD_IPV4].value.u8, > + rule->field[PROTO_FIELD_IPV4].mask_range.u8); > + if (extra) > + printf("0x%x-0x%x-0x%x ", > + rule->data.category_mask, > + rule->data.priority, > + rule->data.userdata); > +} > + > +static inline void > +dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra) > +{ > + int i; > + > + for (i = 0; i < num; i++, rule++) { > + printf("\t%d:", i + 1); > + print_one_ipv4_rule(rule, extra); > + printf("\n"); > + } > +} > + > +static struct rte_acl_ctx * > +acl4_init(const char *name, int socketid, const struct acl4_rules *rules, > + unsigned rules_nb) > +{ > + char s[PATH_MAX]; > + struct rte_acl_param acl_param; > + struct rte_acl_config acl_build_param; > + struct rte_acl_ctx *ctx; > + > + printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM); > + > + memset(&acl_param, 0, sizeof(acl_param)); > + > + /* Create ACL contexts */ > + snprintf(s, sizeof(s), "%s_%d", name, socketid); > + > + printf("IPv4 %s entries [%u]:\n", s, rules_nb); > + dump_ipv4_rules(rules, rules_nb, 1); > + > + acl_param.name = s; > + acl_param.socket_id = socketid; > + acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs)); > + acl_param.max_rule_num = MAX_ACL_RULE_NUM; > + > + ctx = rte_acl_create(&acl_param); > + if (ctx == NULL) > + rte_exit(EXIT_FAILURE, "Failed to create ACL context\n"); > + > + if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules, > + rules_nb) < 0) > + rte_exit(EXIT_FAILURE, "add rules failed\n"); > + > + /* Perform builds */ > + memset(&acl_build_param, 0, sizeof(acl_build_param)); > + > + acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES; > + acl_build_param.num_fields = rules_nb; > + memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs)); > + > + if (rte_acl_build(ctx, &acl_build_param) != 0) > + rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n"); > + > + rte_acl_dump(ctx); > + > + return ctx; > +} > + > +void > +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep) > +{ > + const char *name; > + const struct acl4_rules *rules_out, *rules_in; > + unsigned nb_out_rules, nb_in_rules; > + > + if (ctx == NULL) > + rte_exit(EXIT_FAILURE, "NULL context.\n"); > + > + if (ctx->sp_ipv4_in != NULL) > + rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already " > + "initialized\n", socket_id); > + > + if (ctx->sp_ipv4_out != NULL) > + rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already " > + "initialized\n", socket_id); > + > + if (ep == 0) { > + rules_out = acl4_rules_in; > + nb_out_rules = RTE_DIM(acl4_rules_in); > + rules_in = acl4_rules_out; > + nb_in_rules = RTE_DIM(acl4_rules_out); > + } else if (ep == 1) { > + rules_out = acl4_rules_out; > + nb_out_rules = RTE_DIM(acl4_rules_out); > + rules_in = acl4_rules_in; > + nb_in_rules = RTE_DIM(acl4_rules_in); > + } else > + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " > + "Only 0 or 1 supported.\n", ep); > + > + name = "sp_ipv4_in"; > + ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id, > + rules_in, nb_in_rules); > + > + name = "sp_ipv4_out"; > + ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id, > + rules_out, nb_out_rules); > +} > -- > 2.4.3 > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway 2016-01-31 14:39 ` Jerin Jacob @ 2016-02-01 11:09 ` Sergio Gonzalez Monroy 2016-02-01 11:26 ` Jerin Jacob 0 siblings, 1 reply; 15+ messages in thread From: Sergio Gonzalez Monroy @ 2016-02-01 11:09 UTC (permalink / raw) To: Jerin Jacob; +Cc: dev On 31/01/2016 14:39, Jerin Jacob wrote: > On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote: >> Sample app implementing an IPsec Security Geteway. >> The main goal of this app is to show the use of cryptodev framework >> in a real world application. >> >> Currently only supported static IPv4 IPsec tunnels using AES-CBC >> and HMAC-SHA1. >> >> Also, currently not supported: >> - SA auto negotiation (No IKE support) >> - chained mbufs >> >> Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> > Hi Sergio, > > Great effort, one of the best highly integrated sample DPDK application > (ethernet, acl, crypto and lpm) > >> --- >> MAINTAINERS | 4 + >> doc/guides/sample_app_ug/index.rst | 1 + >> doc/guides/sample_app_ug/ipsec_secgw.rst | 440 +++++++++++ >> examples/Makefile | 2 + >> examples/ipsec-secgw/Makefile | 58 ++ >> examples/ipsec-secgw/esp.c | 256 +++++++ >> examples/ipsec-secgw/esp.h | 66 ++ >> examples/ipsec-secgw/ipip.h | 100 +++ >> examples/ipsec-secgw/ipsec-secgw.c | 1218 ++++++++++++++++++++++++++++++ >> examples/ipsec-secgw/ipsec.c | 138 ++++ >> examples/ipsec-secgw/ipsec.h | 184 +++++ >> examples/ipsec-secgw/rt.c | 131 ++++ >> examples/ipsec-secgw/sa.c | 391 ++++++++++ >> examples/ipsec-secgw/sp.c | 324 ++++++++ >> 14 files changed, 3313 insertions(+) >> create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst >> create mode 100644 examples/ipsec-secgw/Makefile >> create mode 100644 examples/ipsec-secgw/esp.c >> create mode 100644 examples/ipsec-secgw/esp.h >> create mode 100644 examples/ipsec-secgw/ipip.h >> create mode 100644 examples/ipsec-secgw/ipsec-secgw.c >> create mode 100644 examples/ipsec-secgw/ipsec.c >> create mode 100644 examples/ipsec-secgw/ipsec.h >> create mode 100644 examples/ipsec-secgw/rt.c >> create mode 100644 examples/ipsec-secgw/sa.c >> create mode 100644 examples/ipsec-secgw/sp.c >> >> diff --git a/MAINTAINERS b/MAINTAINERS >> index b90aeea..996eda6 100644 >> --- a/MAINTAINERS >> +++ b/MAINTAINERS >> @@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst >> M: Pablo de Lara <pablo.de.lara.guarch@intel.com> >> M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com> >> F: examples/ptpclient/ >> + >> +M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> >> +F: doc/guides/sample_app_ug/ipsec-secgw.rst >> +F: examples/ipsec-secgw/ >> diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst >> index 8a646dd..88375d2 100644 >> --- a/doc/guides/sample_app_ug/index.rst >> +++ b/doc/guides/sample_app_ug/index.rst >> @@ -73,6 +73,7 @@ Sample Applications User Guide >> proc_info >> ptpclient >> performance_thread >> + ipsec_secgw >> >> **Figures** >> >> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst >> new file mode 100644 >> index 0000000..7be3f7e >> --- /dev/null >> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst >> @@ -0,0 +1,440 @@ >> +.. BSD LICENSE >> + Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + All rights reserved. >> + >> + Redistribution and use in source and binary forms, with or without >> + modification, are permitted provided that the following conditions >> + are met: >> + >> + * Redistributions of source code must retain the above copyright >> + notice, this list of conditions and the following disclaimer. >> + * Redistributions in binary form must reproduce the above copyright >> + notice, this list of conditions and the following disclaimer in >> + the documentation and/or other materials provided with the >> + distribution. >> + * Neither the name of Intel Corporation nor the names of its >> + contributors may be used to endorse or promote products derived >> + from this software without specific prior written permission. >> + >> + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + >> +IPsec Security Gateway Sample Application >> +========================================= >> + >> +The IPsec Security Gateway application is a minimal example of real work >> +application using DPDK cryptodev framework. >> + >> +Overview >> +-------- >> + >> +The application demonstrates the implementation of a minimal Security Gateway >> +(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and >> +RFC2404. >> + >> +Note that IKE is not supported (therefore not IPsec compliant), so only manual >> +setting of Security Policies and Associations is allowed. >> + >> +The Security Policies (SP) are implemented as ACL rules, the Security >> +Associations (SA) are stored in a table and the Routing is implemented >> +using LPM. >> + >> +The application splits the ports between Protected and Unprotected. >> +Based on the port the trafic is coming from, the traffic would be consider >> +IPsec Inbound or Outbound. >> +Traffic from Unprotected ports is consider IPsec Inbound, and traffic from >> +Protected ports is consider IPsec Outbound. >> + >> +Path for IPsec Inbound traffic: >> +* Read packets from the port >> +* Classify packets between IPv4 and ESP. >> +* Inbound SA lookup for ESP packets based on their SPI >> +* Verification/Decryption >> +* Removal of ESP and outter IP header >> +* Inbound SP check using ACL of decrypted packets and any other IPv4 packet >> +we read. >> +* Routing >> +* Write packet to port >> + >> +Path for IPsec Outbound traffic: >> +* Read packets from the port >> +* Outbound SP check using ACL of all IPv4 traffic >> +* Outbound SA lookup for packets that need IPsec protection >> +* Add ESP and outter IP header >> +* Encryption/Digest >> +* Routing >> +* Write packet to port >> + >> +Constraints >> +----------- >> +* IPv4 traffic >> +* ESP tunnel mode >> +* EAS-CBC and HMAC-SHA1 >> +* Each SA must be handle by a unique lcore (1 RX queue per port) >> +* No chained mbufs >> + >> +Compiling the Application >> +------------------------- >> + >> +To compile the application: >> + >> +#. Go to the sample application directory: >> + >> + .. code-block:: console >> + >> + export RTE_SDK=/path/to/rte_sdk >> + cd ${RTE_SDK}/examples/ipsec-secgw >> + >> +#. Set the target (a default target is used if not specified). For example: >> + >> + .. code-block:: console >> + >> + export RTE_TARGET=x86_64-native-linuxapp-gcc >> + >> + See the *DPDK Getting Started Guide* for possible RTE_TARGET values. >> + >> +#. Build the application: >> + >> + .. code-block:: console >> + >> + make >> + >> +Running the Application >> +----------------------- >> + >> +The application has a number of command line options: >> + >> +.. code-block:: console >> + >> + ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config >> + (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT >> + >> +where, >> + >> +* -p PORTMASK: Hexadecimal bitmask of ports to configure >> + >> +* -P: optional, sets all ports to promiscuous mode so that packets are >> + accepted regardless of the packet's Ethernet MAC destination address. >> + Without this option, only packets with the Ethernet MAC destination address >> + set to the Ethernet address of the port are accepted (default is enabled). >> + >> +* -u PORTMASK: hexadecimal bitmask of unprotected ports >> + >> +* --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues >> + from which ports are mapped to which cores >> + >> +* --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto >> + >> +* --EP0: configure the app as Endpoint 0. >> + >> +* --EP1: configure the app as Endpoint 1. >> + >> +Either --EP0 or --EP1 must be specified. >> + >> +The mapping of lcores to port/queues is similar to other l3fwd applications. >> + >> +For example, given the following command line: >> +.. code-block:: console >> + >> + ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3 >> + --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0 >> + >> +where each options means: >> + >> +* The -l option enables cores 20 and 21 >> + >> +* The -n option sets memory 4 channels >> + >> +* The --socket-mem to use 2GB on socket 1 >> + >> +* The -p option enables ports (detected) 0, 1, 2 and 3 >> + >> +* The -P option enables promiscous mode >> + >> +* The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected >> + >> +* The --config option enables one queue per port with the following mapping: >> + >> ++----------+-----------+-----------+---------------------------------------+ >> +| **Port** | **Queue** | **lcore** | **Description** | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> +| 0 | 0 | 20 | Map queue 0 from port 0 to lcore 20. | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> +| 1 | 0 | 20 | Map queue 0 from port 1 to lcore 20. | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> +| 2 | 0 | 21 | Map queue 0 from port 2 to lcore 21. | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> +| 3 | 0 | 21 | Map queue 0 from port 3 to lcore 21. | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> + >> +Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options. >> + >> +Configurations >> +-------------- >> + >> +The following sections provide some details on the default values used to >> +initialize the SP, SA and Routing tables. >> +Currently all the configuration is hardcoded into the application. >> + >> +Security Policy Initialization >> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> + >> +As mention in the overview, the Security Policies are ACL rules. >> +There are two ACLs, Inbound and Outboud. >> +The application would also replicate the set of two ACLs per socket in use. >> + >> +Following are the default rules: >> + >> +Endpoint 0 Outbound Security Policies: >> + >> ++---------+------------------+-----------+------------+ >> +| **Src** | **Dst** | **proto** | **SA idx** | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.105.0/24 | Any | 5 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.106.0/24 | Any | 6 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.107.0/24 | Any | 7 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.108.0/24 | Any | 8 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> + >> +Endpoint 0 Inbound Security Policies: >> + >> ++---------+------------------+-----------+------------+ >> +| **Src** | **Dst** | **proto** | **SA idx** | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.115.0/24 | Any | 5 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.116.0/24 | Any | 6 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.117.0/24 | Any | 7 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.118.0/24 | Any | 8 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> + >> +Endpoint 1 Outbound Security Policies: >> + >> ++---------+------------------+-----------+------------+ >> +| **Src** | **Dst** | **proto** | **SA idx** | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.115.0/24 | Any | 5 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.116.0/24 | Any | 6 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.117.0/24 | Any | 7 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.118.0/24 | Any | 8 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> + >> +Endpoint 1 Inbound Security Policies: >> + >> ++---------+------------------+-----------+------------+ >> +| **Src** | **Dst** | **proto** | **SA idx** | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.105.0/24 | Any | 5 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.106.0/24 | Any | 6 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.107.0/24 | Any | 7 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.108.0/24 | Any | 8 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> + >> + >> +Security Association Initialization >> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> + >> +The SAs are kept in a array table. >> + >> +For Inbound, the SPI is used as index module the table size. >> +This means that on a table for 100 SA, SPI 5 and 105 would use the same index >> +and that is not currently supported. >> + >> +Notice that it is not an issue for Outbound traffic as we store the index and >> +not the SPI in the Security Policy. >> + >> +All SAs are configured with the same cipher algo, block size and key (AES-CBC >> +16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B >> +digest). >> + >> +Following are the default values: >> + >> +Endpoint 0 Outbound Security Associations: >> + >> ++---------+----------------+------------------+ >> +| **SPI** | **Tunnel src** | **Tunnel dst** | >> +| | | | >> ++---------+----------------+------------------+ >> +| 5 | 172.16.1.5 | 172.16.2.5 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 6 | 172.16.1.6 | 172.16.2.6 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 7 | 172.16.1.7 | 172.16.2.7 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 8 | 172.16.1.8 | 172.16.2.8 | >> +| | | | >> ++---------+----------------+------------------+ >> + >> +Endpoint 0 Inbound Security Associations: >> + >> ++---------+----------------+------------------+ >> +| **SPI** | **Tunnel src** | **Tunnel dst** | >> +| | | | >> ++---------+----------------+------------------+ >> +| 5 | 172.16.2.5 | 172.16.1.5 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 6 | 172.16.2.6 | 172.16.1.6 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 7 | 172.16.2.7 | 172.16.1.7 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 8 | 172.16.2.8 | 172.16.1.8 | >> +| | | | >> ++---------+----------------+------------------+ >> + >> +Endpoint 1 Outbound Security Associations: >> + >> ++---------+----------------+------------------+ >> +| **SPI** | **Tunnel src** | **Tunnel dst** | >> +| | | | >> ++---------+----------------+------------------+ >> +| 5 | 172.16.2.5 | 172.16.1.5 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 6 | 172.16.2.6 | 172.16.1.6 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 7 | 172.16.2.7 | 172.16.1.7 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 8 | 172.16.2.8 | 172.16.1.8 | >> +| | | | >> ++---------+----------------+------------------+ >> + >> +Endpoint 1 Inbound Security Associations: >> + >> ++---------+----------------+------------------+ >> +| **SPI** | **Tunnel src** | **Tunnel dst** | >> +| | | | >> ++---------+----------------+------------------+ >> +| 5 | 172.16.1.5 | 172.16.2.5 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 6 | 172.16.1.6 | 172.16.2.6 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 7 | 172.16.1.7 | 172.16.2.7 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 8 | 172.16.1.8 | 172.16.2.8 | >> +| | | | >> ++---------+----------------+------------------+ >> + >> +Routing Initialization >> +~~~~~~~~~~~~~~~~~~~~~~ >> + >> +The Routing is implemented using LPM table. >> + >> +Following default values: >> + >> +Endpoint 0 Routing Table: >> + >> ++------------------+----------+ >> +| **Dst addr** | **Port** | >> +| | | >> ++------------------+----------+ >> +| 172.16.2.5/32 | 0 | >> +| | | >> ++------------------+----------+ >> +| 172.16.2.6/32 | 0 | >> +| | | >> ++------------------+----------+ >> +| 172.16.2.7/32 | 1 | >> +| | | >> ++------------------+----------+ >> +| 172.16.2.8/32 | 1 | >> +| | | >> ++------------------+----------+ >> +| 192.168.115.0/24 | 2 | >> +| | | >> ++------------------+----------+ >> +| 192.168.116.0/24 | 2 | >> +| | | >> ++------------------+----------+ >> +| 192.168.117.0/24 | 3 | >> +| | | >> ++------------------+----------+ >> +| 192.168.118.0/24 | 3 | >> +| | | >> ++------------------+----------+ >> + >> +Endpoint 1 Routing Table: >> + >> ++------------------+----------+ >> +| **Dst addr** | **Port** | >> +| | | >> ++------------------+----------+ >> +| 172.16.1.5/32 | 2 | >> +| | | >> ++------------------+----------+ >> +| 172.16.1.6/32 | 2 | >> +| | | >> ++------------------+----------+ >> +| 172.16.1.7/32 | 3 | >> +| | | >> ++------------------+----------+ >> +| 172.16.1.8/32 | 3 | >> +| | | >> ++------------------+----------+ >> +| 192.168.105.0/24 | 0 | >> +| | | >> ++------------------+----------+ >> +| 192.168.106.0/24 | 0 | >> +| | | >> ++------------------+----------+ >> +| 192.168.107.0/24 | 1 | >> +| | | >> ++------------------+----------+ >> +| 192.168.108.0/24 | 1 | >> +| | | >> ++------------------+----------+ >> diff --git a/examples/Makefile b/examples/Makefile >> index 1cb4785..65ce6ce 100644 >> --- a/examples/Makefile >> +++ b/examples/Makefile >> @@ -1,6 +1,7 @@ >> # BSD LICENSE >> # >> # Copyright(c) 2014 6WIND S.A. >> +# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> # >> # Redistribution and use in source and binary forms, with or without >> # modification, are permitted provided that the following conditions >> @@ -78,5 +79,6 @@ DIRS-y += vmdq >> DIRS-y += vmdq_dcb >> DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager >> DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto >> +DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw >> >> include $(RTE_SDK)/mk/rte.extsubdir.mk >> diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile >> new file mode 100644 >> index 0000000..5f893b8 >> --- /dev/null >> +++ b/examples/ipsec-secgw/Makefile >> @@ -0,0 +1,58 @@ >> +# BSD LICENSE >> +# >> +# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> +# All rights reserved. >> +# >> +# Redistribution and use in source and binary forms, with or without >> +# modification, are permitted provided that the following conditions >> +# are met: >> +# >> +# * Redistributions of source code must retain the above copyright >> +# notice, this list of conditions and the following disclaimer. >> +# * Redistributions in binary form must reproduce the above copyright >> +# notice, this list of conditions and the following disclaimer in >> +# the documentation and/or other materials provided with the >> +# distribution. >> +# * Neither the name of Intel Corporation nor the names of its >> +# contributors may be used to endorse or promote products derived >> +# from this software without specific prior written permission. >> +# >> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + >> +ifeq ($(RTE_SDK),) >> + $(error "Please define RTE_SDK environment variable") >> +endif >> + >> +# Default target, can be overridden by command line or environment >> +RTE_TARGET ?= x86_64-native-linuxapp-gcc >> + >> +include $(RTE_SDK)/mk/rte.vars.mk >> + >> +APP = ipsec-secgw >> + >> +CFLAGS += -O3 -gdwarf-2 >> +CFLAGS += $(WERROR_FLAGS) >> + >> +VPATH += $(SRCDIR)/librte_ipsec >> + >> +# >> +# all source are stored in SRCS-y >> +# >> +SRCS-y += ipsec.c >> +SRCS-y += esp.c >> +SRCS-y += sp.c >> +SRCS-y += sa.c >> +SRCS-y += rt.c >> +SRCS-y += ipsec-secgw.c >> + >> +include $(RTE_SDK)/mk/rte.extapp.mk >> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c >> new file mode 100644 >> index 0000000..1be0621 >> --- /dev/null >> +++ b/examples/ipsec-secgw/esp.c >> @@ -0,0 +1,256 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#include <stdint.h> >> +#include <stdlib.h> >> +#include <netinet/ip.h> >> +#include <sys/types.h> >> +#include <sys/stat.h> >> +#include <fcntl.h> >> +#include <unistd.h> >> + >> +#include <rte_memcpy.h> >> +#include <rte_crypto.h> >> +#include <rte_cryptodev.h> >> +#include <rte_random.h> >> + >> +#include "ipsec.h" >> +#include "esp.h" >> +#include "ipip.h" >> + >> +static inline void >> +random_iv_u64(uint64_t *buf, uint16_t n) >> +{ >> + unsigned left = n & 0x7; >> + unsigned i; >> + >> + IPSEC_ASSERT((n & 0x3) == 0); >> + >> + for (i = 0; i < (n >> 3); i++) >> + buf[i] = rte_rand(); >> + >> + if (left) >> + *((uint32_t *)&buf[i]) = (uint32_t)lrand48(); >> +} >> + >> +/* IPv4 Tunnel */ >> +int >> +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop) >> +{ >> + uint16_t digest_len, esp_len, iphdr_len; >> + int32_t payload_len; >> + >> + IPSEC_ASSERT(m != NULL); >> + >> + iphdr_len = sizeof(struct ip); >> + esp_len = sizeof(struct esp_hdr) + sa->iv_len; >> + digest_len = sa->digest_len; >> + payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len; >> + >> + if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) { >> + IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n", >> + payload_len, sa->block_size); >> + return -EINVAL; >> + } >> + >> + cop->data.to_cipher.offset = iphdr_len + esp_len; >> + cop->data.to_cipher.length = payload_len; >> + >> + cop->data.to_hash.offset = iphdr_len; >> + if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM) >> + cop->data.to_hash.length = esp_len - sa->iv_len; >> + else >> + cop->data.to_hash.length = esp_len + payload_len; >> + >> + cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, >> + iphdr_len + esp_len - sa->iv_len); >> + cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, >> + iphdr_len + esp_len - sa->iv_len); >> + >> + cop->iv.length = sa->iv_len; >> + >> + cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, >> + iphdr_len + esp_len + payload_len); >> + cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, >> + iphdr_len + esp_len + payload_len); >> + cop->digest.length = digest_len; >> + >> + return 0; >> +} >> + >> +int >> +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop) >> +{ >> + uint16_t digest_len, esp_len, iphdr_len; >> + uint8_t *nexthdr, *pad_len; >> + uint8_t *padding; >> + uint16_t i; >> + >> + IPSEC_ASSERT(m != NULL); >> + >> + iphdr_len = sizeof(struct ip); >> + esp_len = sizeof(struct esp_hdr) + sa->iv_len; >> + digest_len = sa->digest_len; >> + >> + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { >> + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); >> + return -1; >> + } >> + >> + nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*, >> + rte_pktmbuf_pkt_len(m) - digest_len - 1); >> + pad_len = nexthdr - 1; >> + >> + padding = pad_len - *pad_len; >> + for (i = 0; i < *pad_len; i++) { >> + if (padding[i] != i) { >> + IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n"); >> + return -EINVAL; >> + } >> + } >> + >> + if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) { >> + IPSEC_LOG(ERR, IPSEC_ESP, >> + "failed to remove pad_len + digest\n"); >> + return -EINVAL; >> + } >> + >> + return ip4ip_inbound(m, iphdr_len + esp_len); >> +} >> + >> +int >> +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop) >> +{ >> + uint16_t digest_len, esp_len, payload_len, block_sz, pad_len; >> + int32_t pad_payload_len; >> + struct ip *ip; >> + struct esp_hdr *esp; >> + int i; >> + char *padding; >> + >> + rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE); >> + rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *)); >> + >> + IPSEC_ASSERT(m != NULL); >> + IPSEC_ASSERT(sa != NULL); >> + >> + /* Payload length */ >> + payload_len = rte_pktmbuf_pkt_len(m); >> + >> + block_sz = sa->block_size; >> + >> + /* Per RFC4303: >> + * padded payload needs to be multiple of 4 bytes. >> + * All application supported block sizes must be power of 2 >> + */ >> + pad_len = (payload_len + 2) & (block_sz - 1); >> + pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2; >> + >> + /* Padded payload length */ >> + pad_payload_len = payload_len + pad_len; >> + /* ESP header length */ >> + esp_len = sizeof(struct esp_hdr) + sa->iv_len; >> + /* Digest length */ >> + digest_len = sa->digest_len; >> + >> + IPSEC_LOG(DEBUG, IPSEC_ESP, >> + "pktlen %u, esp_len %u, digest_len %u, payload_len %u," >> + " pad_payload_len %u, block_sz %u, pad_len %u\n", >> + rte_pktmbuf_pkt_len(m), esp_len, digest_len, >> + payload_len, pad_payload_len, block_sz, pad_len); >> + >> + /* Check maximum packet size */ >> + if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) { >> + IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n"); >> + return -EINVAL; >> + } >> + >> + padding = rte_pktmbuf_append(m, pad_len + digest_len); >> + >> + IPSEC_ASSERT(padding != NULL); >> + >> + ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst); >> + >> + esp = (struct esp_hdr *)(ip + 1); >> + esp->spi = sa->spi; >> + >> + esp->seq = htonl(sa->seq++); >> + >> + IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m)); >> + >> + /* Fill pad_len using default sequential scheme */ >> + for (i = 0; i < pad_len - 2; i++) >> + padding[i] = i + 1; >> + >> + padding[pad_len - 2] = pad_len - 2; >> + padding[pad_len - 1] = IPPROTO_IPIP; >> + ip->ip_p = IPPROTO_ESP; >> + >> + cop->data.to_cipher.offset = sizeof(struct ip) + esp_len; >> + cop->data.to_cipher.length = pad_payload_len; >> + >> + cop->data.to_hash.offset = sizeof(struct ip); >> + cop->data.to_hash.length = esp_len + pad_payload_len; >> + >> + cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, >> + sizeof(struct ip) + esp_len - sa->iv_len); >> + cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, >> + sizeof(struct ip) + esp_len - sa->iv_len); >> + cop->iv.length = sa->iv_len; >> + >> + cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, >> + sizeof(struct ip) + esp_len + pad_payload_len); >> + cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, >> + sizeof(struct ip) + esp_len + pad_payload_len); >> + cop->digest.length = digest_len; >> + >> + random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length); >> + >> + return 0; >> +} >> + >> +int >> +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused, >> + struct ipsec_sa *sa __rte_unused, >> + struct rte_crypto_op *cop) >> +{ >> + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { >> + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); >> + return -1; >> + } >> + >> + return 0; >> +} >> diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h >> new file mode 100644 >> index 0000000..d7c8ba6 >> --- /dev/null >> +++ b/examples/ipsec-secgw/esp.h >> @@ -0,0 +1,66 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> +#ifndef __RTE_IPSEC_XFORM_ESP_H__ >> +#define __RTE_IPSEC_XFORM_ESP_H__ >> + >> +struct mbuf; >> + >> +/* RFC4303 */ >> +struct esp_hdr { >> + uint32_t spi; >> + uint32_t seq; >> + /* Payload */ >> + /* Padding */ >> + /* Pad Length */ >> + /* Next Header */ >> + /* Integrity Check Value - ICV */ >> +}; >> + >> +/* IPv4 Tunnel */ >> +int >> +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +int >> +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +int >> +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +int >> +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +#endif /* __RTE_IPSEC_XFORM_ESP_H__ */ >> diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h >> new file mode 100644 >> index 0000000..16c5dfb >> --- /dev/null >> +++ b/examples/ipsec-secgw/ipip.h >> @@ -0,0 +1,100 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#ifndef __IPIP_H__ >> +#define __IPIP_H__ >> + >> +#include <stdint.h> >> +#include <netinet/in.h> >> +#include <netinet/ip.h> >> + >> +#include <rte_mbuf.h> >> + >> +static inline struct ip * >> +ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst) >> +{ >> + struct ip *inip, *outip; >> + >> + inip = rte_pktmbuf_mtod(m, struct ip*); >> + >> + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); >> + >> + offset += sizeof(struct ip); >> + >> + outip = (struct ip *)rte_pktmbuf_prepend(m, offset); >> + >> + IPSEC_ASSERT(outip != NULL); >> + >> + /* Per RFC4301 5.1.2.1 */ >> + outip->ip_len = htons(rte_pktmbuf_data_len(m)); >> + outip->ip_v = IPVERSION; >> + outip->ip_hl = 5; >> + outip->ip_tos = inip->ip_tos; >> + >> + outip->ip_id = 0; >> + outip->ip_off = 0; >> + >> + outip->ip_ttl = IPDEFTTL; >> + >> + outip->ip_dst.s_addr = dst; >> + outip->ip_src.s_addr = src; >> + >> + return outip; >> +} >> + >> +static inline int >> +ip4ip_inbound(struct rte_mbuf *m, uint32_t offset) >> +{ >> + struct ip *inip; >> + struct ip *outip; >> + >> + outip = rte_pktmbuf_mtod(m, struct ip*); >> + >> + IPSEC_ASSERT(outip->ip_v == IPVERSION); >> + >> + offset += sizeof(struct ip); >> + inip = (struct ip *)rte_pktmbuf_adj(m, offset); >> + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); >> + >> + /* Check packet is still bigger than IP header (inner) */ >> + IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip)); >> + >> + /* RFC4301 5.1.2.1 Note 6 */ >> + if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) && >> + ((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE)) >> + inip->ip_tos |= htons(IPTOS_ECN_CE); >> + >> + return 0; >> +} >> + >> +#endif /* __IPIP_H__ */ >> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c >> new file mode 100644 >> index 0000000..d2e8972 >> --- /dev/null >> +++ b/examples/ipsec-secgw/ipsec-secgw.c >> @@ -0,0 +1,1218 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#include <stdio.h> >> +#include <stdlib.h> >> +#include <stdint.h> >> +#include <inttypes.h> >> +#include <sys/types.h> >> +#include <string.h> >> +#include <sys/queue.h> >> +#include <stdarg.h> >> +#include <errno.h> >> +#include <getopt.h> >> + >> +#include <rte_common.h> >> +#include <rte_byteorder.h> >> +#include <rte_log.h> >> +#include <rte_eal.h> >> +#include <rte_launch.h> >> +#include <rte_atomic.h> >> +#include <rte_cycles.h> >> +#include <rte_prefetch.h> >> +#include <rte_lcore.h> >> +#include <rte_per_lcore.h> >> +#include <rte_branch_prediction.h> >> +#include <rte_interrupts.h> >> +#include <rte_pci.h> >> +#include <rte_random.h> >> +#include <rte_debug.h> >> +#include <rte_ether.h> >> +#include <rte_ethdev.h> >> +#include <rte_mempool.h> >> +#include <rte_mbuf.h> >> +#include <rte_acl.h> >> +#include <rte_lpm.h> >> +#include <rte_cryptodev.h> >> +#include <rte_cryptodev.h> >> + >> +#include "ipsec.h" >> + >> +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 >> + >> +#define MAX_JUMBO_PKT_LEN 9600 >> + >> +#define MEMPOOL_CACHE_SIZE 256 >> + >> +#define NB_MBUF (32000) >> + >> +#define CDEV_MP_NB_OBJS 2048 >> +#define CDEV_MP_CACHE_SZ 64 >> +#define MAX_QUEUE_PAIRS 1 >> + >> +#define OPTION_CONFIG "config" >> +#define OPTION_EP0 "ep0" >> +#define OPTION_EP1 "ep1" >> +#define OPTION_CDEV_TYPE "cdev" >> + >> +#define MAX_PKT_BURST 32 >> +#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */ >> + >> +#define NB_SOCKETS 4 >> + >> +/* Configure how many packets ahead to prefetch, when reading packets */ >> +#define PREFETCH_OFFSET 3 >> + >> +#define MAX_RX_QUEUE_PER_LCORE 16 >> + >> +#define MAX_LCORE_PARAMS 1024 >> + >> +#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid)) >> + >> +/* >> + * Configurable number of RX/TX ring descriptors >> + */ >> +#define IPSEC_SECGW_RX_DESC_DEFAULT 128 >> +#define IPSEC_SECGW_TX_DESC_DEFAULT 512 >> +static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT; >> +static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT; >> + >> +#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN >> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ >> + (((uint64_t)((a) & 0xff) << 56) | \ >> + ((uint64_t)((b) & 0xff) << 48) | \ >> + ((uint64_t)((c) & 0xff) << 40) | \ >> + ((uint64_t)((d) & 0xff) << 32) | \ >> + ((uint64_t)((e) & 0xff) << 24) | \ >> + ((uint64_t)((f) & 0xff) << 16) | \ >> + ((uint64_t)((g) & 0xff) << 8) | \ >> + ((uint64_t)(h) & 0xff)) >> +#else >> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ >> + (((uint64_t)((h) & 0xff) << 56) | \ >> + ((uint64_t)((g) & 0xff) << 48) | \ >> + ((uint64_t)((f) & 0xff) << 40) | \ >> + ((uint64_t)((e) & 0xff) << 32) | \ >> + ((uint64_t)((d) & 0xff) << 24) | \ >> + ((uint64_t)((c) & 0xff) << 16) | \ >> + ((uint64_t)((b) & 0xff) << 8) | \ >> + ((uint64_t)(a) & 0xff)) >> +#endif >> +#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) >> + >> +#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \ >> + addr.addr_bytes[0], addr.addr_bytes[1], \ >> + addr.addr_bytes[2], addr.addr_bytes[3], \ >> + addr.addr_bytes[4], addr.addr_bytes[5], \ >> + 0, 0) >> + >> +/* port/source ethernet addr and destination ethernet addr */ >> +struct ethaddr_info { >> + uint64_t src, dst; >> +}; >> + >> +struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = { >> + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) }, >> + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) }, >> + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) }, >> + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) } >> +}; >> + >> +/* mask of enabled ports */ >> +static uint32_t enabled_port_mask; >> +static uint32_t unprotected_port_mask; >> +static int promiscuous_on = 1; >> +static int numa_on = 1; /**< NUMA is enabled by default. */ >> +static int ep = -1; /**< Endpoint configuration (0 or 1) */ >> +static unsigned cdev_type = -1; >> +static unsigned nb_lcores; >> + >> +struct buffer { >> + uint16_t len; >> + struct rte_mbuf *m_table[MAX_PKT_BURST]; >> +}; >> + >> +struct lcore_rx_queue { >> + uint8_t port_id; >> + uint8_t queue_id; >> +} __rte_cache_aligned; >> + >> +struct lcore_params { >> + uint8_t port_id; >> + uint8_t queue_id; >> + uint8_t lcore_id; >> +} __rte_cache_aligned; >> + >> +static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; >> + >> +static struct lcore_params *lcore_params; >> +static uint16_t nb_lcore_params; >> + >> +struct lcore_conf { >> + uint16_t nb_rx_queue; >> + struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE]; >> + uint16_t tx_queue_id[RTE_MAX_ETHPORTS]; >> + struct buffer tx_mbufs[RTE_MAX_ETHPORTS]; >> + uint16_t cdev; >> + uint16_t cdev_q; >> +} __rte_cache_aligned; >> + >> +static struct lcore_conf lcore_conf[RTE_MAX_LCORE]; >> + >> +static struct rte_eth_conf port_conf = { >> + .rxmode = { >> + .mq_mode = ETH_MQ_RX_RSS, >> + .max_rx_pkt_len = ETHER_MAX_LEN, >> + .split_hdr_size = 0, >> + .header_split = 0, /**< Header Split disabled */ >> + .hw_ip_checksum = 1, /**< IP checksum offload enabled */ >> + .hw_vlan_filter = 0, /**< VLAN filtering disabled */ >> + .jumbo_frame = 0, /**< Jumbo Frame Support disabled */ >> + .hw_strip_crc = 0, /**< CRC stripped by hardware */ >> + }, >> + .rx_adv_conf = { >> + .rss_conf = { >> + .rss_key = NULL, >> + .rss_hf = ETH_RSS_IP | ETH_RSS_UDP | >> + ETH_RSS_TCP | ETH_RSS_SCTP, >> + }, >> + }, >> + .txmode = { >> + .mq_mode = ETH_MQ_TX_NONE, >> + }, >> +}; >> + >> +static struct socket_ctx socket_ctx[NB_SOCKETS]; >> + >> +struct traffic_type { >> + const uint8_t *data[MAX_PKT_BURST * 2]; >> + struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; >> + uint32_t res[MAX_PKT_BURST * 2]; >> + uint32_t num; >> +}; >> + >> +struct ipsec_traffic { >> + struct traffic_type ipsec4; >> + struct traffic_type ipv4; >> +}; >> + >> +static inline void >> +prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) >> +{ >> + uint8_t *nlp; >> + >> + if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) { >> + rte_pktmbuf_adj(pkt, ETHER_HDR_LEN); >> + nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *, >> + offsetof(struct ip, ip_p)); >> + if (*nlp == IPPROTO_ESP) >> + t->ipsec4.pkts[(t->ipsec4.num)++] = pkt; >> + else { >> + t->ipv4.data[t->ipv4.num] = nlp; >> + t->ipv4.pkts[(t->ipv4.num)++] = pkt; >> + } >> + } else { >> + /* Unknown/Unsupported type, drop the packet */ >> + rte_pktmbuf_free(pkt); >> + } >> +} >> + >> +static inline void >> +prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t, >> + uint16_t nb_pkts) >> +{ >> + int i; >> + >> + t->ipsec4.num = 0; >> + t->ipv4.num = 0; >> + >> + for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) { >> + rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET], >> + void *)); >> + prepare_one_packet(pkts[i], t); >> + } >> + /* Process left packets */ >> + for (; i < nb_pkts; i++) >> + prepare_one_packet(pkts[i], t); >> +} >> + >> +static inline void >> +prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port) >> +{ >> + pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4; >> + pkt->l3_len = sizeof(struct ip); >> + pkt->l2_len = ETHER_HDR_LEN; >> + >> + uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN); >> +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN >> + ethhdr[0] = ethaddr_tbl[port].dst | >> + ((ethaddr_tbl[port].src & 0xffff) << 48); >> + ethhdr[1] = ethaddr_tbl[port].src >> 16 | >> + ((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) | >> + (ethhdr[1] & (0xffffUL << 48)); >> +#else >> + ethhdr[0] = ethaddr_tbl[port].dst | >> + (ethaddr_tbl[port].src >> 48 & 0xffff); >> + ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) | >> + (ethhdr[1] & 0xffffUL); >> +#endif >> +} >> + >> +static inline void >> +prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port) >> +{ >> + int i; >> + const int prefetch_offset = 2; >> + >> + for (i = 0; i < (nb_pkts - prefetch_offset); i++) { >> + rte_prefetch0(pkts[i + prefetch_offset]->cacheline1); >> + prepare_tx_pkt(pkts[i], port); >> + } >> + /* Process left packets */ >> + for (; i < nb_pkts; i++) >> + prepare_tx_pkt(pkts[i], port); >> +} >> + >> +/* Send burst of packets on an output interface */ >> +static inline int >> +send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port) >> +{ >> + struct rte_mbuf **m_table; >> + int ret; >> + uint16_t queueid; >> + >> + queueid = qconf->tx_queue_id[port]; >> + m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table; >> + >> + prepare_tx_burst(m_table, n, port); >> + >> + ret = rte_eth_tx_burst(port, queueid, m_table, n); >> + if (unlikely(ret < n)) { >> + do { >> + rte_pktmbuf_free(m_table[ret]); >> + } while (++ret < n); >> + } >> + >> + return 0; >> +} >> + >> +/* Enqueue a single packet, and send burst if queue is filled */ >> +static inline int >> +send_single_packet(struct rte_mbuf *m, uint8_t port) >> +{ >> + uint32_t lcore_id; >> + uint16_t len; >> + struct lcore_conf *qconf; >> + >> + lcore_id = rte_lcore_id(); >> + >> + qconf = &lcore_conf[lcore_id]; >> + len = qconf->tx_mbufs[port].len; >> + qconf->tx_mbufs[port].m_table[len] = m; >> + len++; >> + >> + /* enough pkts to be sent */ >> + if (unlikely(len == MAX_PKT_BURST)) { >> + send_burst(qconf, MAX_PKT_BURST, port); >> + len = 0; >> + } >> + >> + qconf->tx_mbufs[port].len = len; >> + return 0; >> +} >> + >> +static inline void >> +process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) >> +{ >> + struct sa_ctx *sa_ctx = ctx->sa_ipv4_in; >> + struct sp_ctx *sp_ctx = ctx->sp_ipv4_in; >> + struct rte_mbuf *m; >> + uint16_t idx, nb_pkts_in, i, j; >> + uint32_t sa_idx, res; >> + struct ipsec_ctx ipsec_ctx; >> + struct lcore_conf *qconf; >> + >> + qconf = &lcore_conf[rte_lcore_id()]; >> + ipsec_ctx.cdev = qconf->cdev; >> + ipsec_ctx.queue = qconf->cdev_q; >> + ipsec_ctx.sa_ctx = sa_ctx; >> + >> + nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts, >> + traffic->ipsec4.num, MAX_PKT_BURST); >> + >> + /* SP/ACL Inbound check ipsec and ipv4 */ >> + for (i = 0; i < nb_pkts_in; i++) { >> + idx = traffic->ipv4.num++; >> + m = traffic->ipsec4.pkts[i]; >> + traffic->ipv4.pkts[idx] = m; >> + traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m, >> + uint8_t *, offsetof(struct ip, ip_p)); >> + } >> + >> + rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, >> + traffic->ipv4.res, traffic->ipv4.num, >> + DEFAULT_MAX_CATEGORIES); >> + >> + j = 0; >> + for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) { >> + m = traffic->ipv4.pkts[i]; >> + res = traffic->ipv4.res[i]; >> + if (res & ~BYPASS) { >> + rte_pktmbuf_free(m); >> + continue; >> + } >> + traffic->ipv4.pkts[j++] = m; >> + } >> + /* Check return SA SPI matches pkt SPI */ >> + for ( ; i < traffic->ipv4.num; i++) { >> + m = traffic->ipv4.pkts[i]; >> + sa_idx = traffic->ipv4.res[i] & PROTECT_MASK; >> + if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) { >> + rte_pktmbuf_free(m); >> + continue; >> + } >> + traffic->ipv4.pkts[j++] = m; >> + } >> + traffic->ipv4.num = j; >> +} >> + >> +static inline void >> +process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) >> +{ >> + struct sa_ctx *sa_ctx = ctx->sa_ipv4_out; >> + struct sp_ctx *sp_ctx = ctx->sp_ipv4_out; >> + struct rte_mbuf *m; >> + uint16_t idx, nb_pkts_out, i, j; >> + uint32_t sa_idx, res; >> + struct ipsec_ctx ipsec_ctx; >> + struct lcore_conf *qconf; >> + >> + qconf = &lcore_conf[rte_lcore_id()]; >> + ipsec_ctx.cdev = qconf->cdev; >> + ipsec_ctx.queue = qconf->cdev_q; >> + ipsec_ctx.sa_ctx = sa_ctx; >> + >> + rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, >> + traffic->ipv4.res, traffic->ipv4.num, >> + DEFAULT_MAX_CATEGORIES); > IMO, an option for single SA based outbound processing would be useful > measuring performance bottlenecks with SA lookup. > Hi Jerin, Are you suggesting to have an option so we basically encrypt all traffic using a single SA bypassing the SP/ACL ? Currently the ACL entry contains the SA index in the SA table, so there is no SA lookup on outbound. That might have to change a bit if we were to add IKE support. >> + j = 0; >> + for (i = 0; i < traffic->ipv4.num; i++) { >> + m = traffic->ipv4.pkts[i]; >> + res = traffic->ipv4.res[i]; >> + sa_idx = res & PROTECT_MASK; >> + if (res & DISCARD) { >> + rte_pktmbuf_free(m); >> + } else if (sa_idx != 0) { >> + traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx; >> + traffic->ipsec4.pkts[traffic->ipsec4.num++] = m; >> + } else /* BYPASS */ >> + traffic->ipv4.pkts[j++] = m; >> + } >> + traffic->ipv4.num = j; >> + >> + nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts, >> + traffic->ipsec4.res, traffic->ipsec4.num, >> + MAX_PKT_BURST); >> + >> + for (i = 0; i < nb_pkts_out; i++) { >> + idx = traffic->ipv4.num++; >> + m = traffic->ipsec4.pkts[i]; >> + traffic->ipv4.pkts[idx] = m; >> + } >> +} >> + >> +static inline void >> +route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) >> +{ >> + uint16_t hop[MAX_PKT_BURST * 2]; >> + uint32_t dst_ip[MAX_PKT_BURST * 2]; >> + uint16_t i, offset; >> + >> + if (nb_pkts == 0) >> + return; >> + >> + for (i = 0; i < nb_pkts; i++) { >> + offset = offsetof(struct ip, ip_dst); >> + dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i], >> + uint32_t *, offset); >> + dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]); >> + } >> + >> + rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts); >> + >> + for (i = 0; i < nb_pkts; i++) { >> + if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) { >> + rte_pktmbuf_free(pkts[i]); >> + continue; >> + } >> + send_single_packet(pkts[i], hop[i] & 0xff); >> + } >> +} >> + >> +static inline void >> +process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts, >> + uint8_t nb_pkts, uint8_t portid) >> +{ >> + struct ipsec_traffic traffic; >> + >> + prepare_traffic(pkts, &traffic, nb_pkts); >> + >> + if (UNPROTECTED_PORT(portid)) >> + process_pkts_inbound(ctx, &traffic); >> + else >> + process_pkts_outbound(ctx, &traffic); >> + >> + route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num); >> +} >> + >> +static inline void >> +drain_buffers(struct lcore_conf *qconf) >> +{ >> + struct buffer *buf; >> + unsigned portid; >> + >> + for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) { >> + buf = &qconf->tx_mbufs[portid]; >> + if (buf->len == 0) >> + continue; >> + send_burst(qconf, buf->len, portid); >> + buf->len = 0; >> + } >> +} >> + >> +/* main processing loop */ >> +static int >> +main_loop(__attribute__((unused)) void *dummy) >> +{ >> + struct rte_mbuf *pkts[MAX_PKT_BURST]; >> + unsigned lcore_id; >> + uint64_t prev_tsc, diff_tsc, cur_tsc; >> + int i, nb_rx; >> + uint8_t portid, queueid; >> + struct lcore_conf *qconf; >> + int socket_id; >> + const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1) >> + / US_PER_S * BURST_TX_DRAIN_US; >> + struct socket_ctx *ctx; >> + struct lcore_rx_queue *rxql; >> + >> + prev_tsc = 0; >> + lcore_id = rte_lcore_id(); >> + qconf = &lcore_conf[lcore_id]; >> + rxql = qconf->rx_queue_list; >> + socket_id = rte_lcore_to_socket_id(lcore_id); >> + >> + ctx = &socket_ctx[socket_id]; >> + >> + if (qconf->nb_rx_queue == 0) { >> + RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id); >> + return 0; >> + } >> + >> + RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id); >> + >> + for (i = 0; i < qconf->nb_rx_queue; i++) { >> + portid = rxql[i].port_id; >> + queueid = rxql[i].queue_id; >> + RTE_LOG(INFO, IPSEC, >> + " -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n", >> + lcore_id, portid, queueid); >> + } >> + >> + while (1) { >> + cur_tsc = rte_rdtsc(); >> + >> + /* TX queue buffer drain */ >> + diff_tsc = cur_tsc - prev_tsc; >> + >> + if (unlikely(diff_tsc > drain_tsc)) { >> + drain_buffers(qconf); >> + prev_tsc = cur_tsc; >> + } >> + >> + /* Read packet from RX queues */ >> + for (i = 0; i < qconf->nb_rx_queue; ++i) { >> + portid = rxql[i].port_id; >> + queueid = rxql[i].queue_id; >> + nb_rx = rte_eth_rx_burst(portid, queueid, >> + pkts, MAX_PKT_BURST); >> + >> + if (nb_rx > 0) >> + process_pkts(ctx, pkts, nb_rx, portid); >> + } >> + } >> +} >> + >> +static int >> +check_params(void) >> +{ >> + uint8_t lcore, portid, nb_ports; >> + uint16_t i; >> + int socket_id; >> + >> + if (lcore_params == NULL) { >> + printf("Error: No port/queue/core mappings\n"); >> + return -1; >> + } >> + >> + nb_ports = rte_eth_dev_count(); >> + if (nb_ports > RTE_MAX_ETHPORTS) >> + nb_ports = RTE_MAX_ETHPORTS; >> + >> + for (i = 0; i < nb_lcore_params; ++i) { >> + lcore = lcore_params[i].lcore_id; >> + if (!rte_lcore_is_enabled(lcore)) { >> + printf("error: lcore %hhu is not enabled in " >> + "lcore mask\n", lcore); >> + return -1; >> + } >> + socket_id = rte_lcore_to_socket_id(lcore); >> + if (socket_id != 0 && numa_on == 0) { >> + printf("warning: lcore %hhu is on socket %d " >> + "with numa off\n", >> + lcore, socket_id); >> + } >> + portid = lcore_params[i].port_id; >> + if ((enabled_port_mask & (1 << portid)) == 0) { >> + printf("port %u is not enabled in port mask\n", portid); >> + return -1; >> + } >> + if (portid >= nb_ports) { >> + printf("port %u is not present on the board\n", portid); >> + return -1; >> + } >> + } >> + return 0; >> +} >> + >> +static uint8_t >> +get_port_nb_rx_queues(const uint8_t port) >> +{ >> + int queue = -1; >> + uint16_t i; >> + >> + for (i = 0; i < nb_lcore_params; ++i) { >> + if (lcore_params[i].port_id == port && >> + lcore_params[i].queue_id > queue) >> + queue = lcore_params[i].queue_id; >> + } >> + return (uint8_t)(++queue); >> +} >> + >> +static int >> +init_lcore_rx_queues(void) >> +{ >> + uint16_t i, nb_rx_queue; >> + uint8_t lcore; >> + >> + for (i = 0; i < nb_lcore_params; ++i) { >> + lcore = lcore_params[i].lcore_id; >> + nb_rx_queue = lcore_conf[lcore].nb_rx_queue; >> + if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) { >> + printf("error: too many queues (%u) for lcore: %u\n", >> + nb_rx_queue + 1, lcore); >> + return -1; >> + } >> + lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id = >> + lcore_params[i].port_id; >> + lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id = >> + lcore_params[i].queue_id; >> + lcore_conf[lcore].nb_rx_queue++; >> + } >> + return 0; >> +} >> + >> +/* display usage */ >> +static void >> +print_usage(const char *prgname) >> +{ >> + printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK" >> + " --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]" >> + " --EP0|--EP1 --cdev AESNI|QAT\n" >> + " -p PORTMASK: hexadecimal bitmask of ports to configure\n" >> + " -P : enable promiscuous mode\n" >> + " -u PORTMASK: hexadecimal bitmask of unprotected ports\n" >> + " --"OPTION_CONFIG": (port,queue,lcore): " >> + "rx queues configuration\n" >> + " --cdev AESNI | QAT\n" >> + " --EP0: Configure as Endpoint 0\n" >> + " --EP1: Configure as Endpoint 1\n", prgname); >> +} >> + >> +static int >> +parse_portmask(const char *portmask) >> +{ >> + char *end = NULL; >> + unsigned long pm; >> + >> + /* parse hexadecimal string */ >> + pm = strtoul(portmask, &end, 16); >> + if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0')) >> + return -1; >> + >> + if (pm == 0) >> + return -1; >> + >> + return pm; >> +} >> + >> +static int >> +parse_config(const char *q_arg) >> +{ >> + char s[256]; >> + const char *p, *p0 = q_arg; >> + char *end; >> + enum fieldnames { >> + FLD_PORT = 0, >> + FLD_QUEUE, >> + FLD_LCORE, >> + _NUM_FLD >> + }; >> + unsigned long int_fld[_NUM_FLD]; >> + char *str_fld[_NUM_FLD]; >> + int i; >> + unsigned size; >> + >> + nb_lcore_params = 0; >> + >> + while ((p = strchr(p0, '(')) != NULL) { >> + ++p; >> + p0 = strchr(p, ')'); >> + if (p0 == NULL) >> + return -1; >> + >> + size = p0 - p; >> + if (size >= sizeof(s)) >> + return -1; >> + >> + snprintf(s, sizeof(s), "%.*s", size, p); >> + if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') != >> + _NUM_FLD) >> + return -1; >> + for (i = 0; i < _NUM_FLD; i++) { >> + errno = 0; >> + int_fld[i] = strtoul(str_fld[i], &end, 0); >> + if (errno != 0 || end == str_fld[i] || int_fld[i] > 255) >> + return -1; >> + } >> + if (nb_lcore_params >= MAX_LCORE_PARAMS) { >> + printf("exceeded max number of lcore params: %hu\n", >> + nb_lcore_params); >> + return -1; >> + } >> + lcore_params_array[nb_lcore_params].port_id = >> + (uint8_t)int_fld[FLD_PORT]; >> + lcore_params_array[nb_lcore_params].queue_id = >> + (uint8_t)int_fld[FLD_QUEUE]; >> + lcore_params_array[nb_lcore_params].lcore_id = >> + (uint8_t)int_fld[FLD_LCORE]; >> + ++nb_lcore_params; >> + } >> + lcore_params = lcore_params_array; >> + return 0; >> +} >> + >> +#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt))) >> +static int >> +parse_args_long_options(struct option *lgopts, int option_index) >> +{ >> + int ret = -1; >> + const char *optname = lgopts[option_index].name; >> + >> + if (__STRNCMP(optname, OPTION_CONFIG)) { >> + ret = parse_config(optarg); >> + if (ret) >> + printf("invalid config\n"); >> + } >> + >> + if (__STRNCMP(optname, OPTION_EP0)) { >> + printf("endpoint 0\n"); >> + ep = 0; >> + ret = 0; >> + } >> + >> + if (__STRNCMP(optname, OPTION_EP1)) { >> + printf("endpoint 1\n"); >> + ep = 1; >> + ret = 0; >> + } >> + >> + if (__STRNCMP(optname, OPTION_CDEV_TYPE)) { >> + if (__STRNCMP(optarg, "AESNI")) { >> + cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD; >> + ret = 0; >> + } else if (__STRNCMP(optarg, "QAT")) { >> + cdev_type = RTE_CRYPTODEV_QAT_PMD; >> + ret = 0; >> + } >> + } >> + >> + return ret; >> +} >> +#undef __STRNCMP >> + >> +static int >> +parse_args(int argc, char **argv) >> +{ >> + int opt, ret; >> + char **argvopt; >> + int option_index; >> + char *prgname = argv[0]; >> + static struct option lgopts[] = { >> + {OPTION_CONFIG, 1, 0, 0}, >> + {OPTION_EP0, 0, 0, 0}, >> + {OPTION_EP1, 0, 0, 0}, >> + {OPTION_CDEV_TYPE, 1, 0, 0}, >> + {NULL, 0, 0, 0} >> + }; >> + >> + argvopt = argv; >> + >> + while ((opt = getopt_long(argc, argvopt, "p:Pu:", >> + lgopts, &option_index)) != EOF) { >> + >> + switch (opt) { >> + case 'p': >> + enabled_port_mask = parse_portmask(optarg); >> + if (enabled_port_mask == 0) { >> + printf("invalid portmask\n"); >> + print_usage(prgname); >> + return -1; >> + } >> + break; >> + case 'P': >> + printf("Promiscuous mode selected\n"); >> + promiscuous_on = 1; >> + break; >> + case 'u': >> + unprotected_port_mask = parse_portmask(optarg); >> + if (unprotected_port_mask == 0) { >> + printf("invalid unprotected portmask\n"); >> + print_usage(prgname); >> + return -1; >> + } >> + break; >> + case 0: >> + if (parse_args_long_options(lgopts, option_index)) { >> + print_usage(prgname); >> + return -1; >> + } >> + break; >> + default: >> + print_usage(prgname); >> + return -1; >> + } >> + } >> + >> + if (optind >= 0) >> + argv[optind-1] = prgname; >> + >> + ret = optind-1; >> + optind = 0; /* reset getopt lib */ >> + return ret; >> +} >> + >> +static void >> +print_ethaddr(const char *name, const struct ether_addr *eth_addr) >> +{ >> + char buf[ETHER_ADDR_FMT_SIZE]; >> + ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr); >> + printf("%s%s", name, buf); >> +} >> + >> +/* Check the link status of all ports in up to 9s, and print them finally */ >> +static void >> +check_all_ports_link_status(uint8_t port_num, uint32_t port_mask) >> +{ >> +#define CHECK_INTERVAL 100 /* 100ms */ >> +#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */ >> + uint8_t portid, count, all_ports_up, print_flag = 0; >> + struct rte_eth_link link; >> + >> + printf("\nChecking link status"); >> + fflush(stdout); >> + for (count = 0; count <= MAX_CHECK_TIME; count++) { >> + all_ports_up = 1; >> + for (portid = 0; portid < port_num; portid++) { >> + if ((port_mask & (1 << portid)) == 0) >> + continue; >> + memset(&link, 0, sizeof(link)); >> + rte_eth_link_get_nowait(portid, &link); >> + /* print link status if flag set */ >> + if (print_flag == 1) { >> + if (link.link_status) >> + printf("Port %d Link Up - speed %u " >> + "Mbps - %s\n", (uint8_t)portid, >> + (unsigned)link.link_speed, >> + (link.link_duplex == ETH_LINK_FULL_DUPLEX) ? >> + ("full-duplex") : ("half-duplex\n")); >> + else >> + printf("Port %d Link Down\n", >> + (uint8_t)portid); >> + continue; >> + } >> + /* clear all_ports_up flag if any link down */ >> + if (link.link_status == 0) { >> + all_ports_up = 0; >> + break; >> + } >> + } >> + /* after finally printing all link status, get out */ >> + if (print_flag == 1) >> + break; >> + >> + if (all_ports_up == 0) { >> + printf("."); >> + fflush(stdout); >> + rte_delay_ms(CHECK_INTERVAL); >> + } >> + >> + /* set the print_flag if all ports up or timeout */ >> + if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) { >> + print_flag = 1; >> + printf("done\n"); >> + } >> + } >> +} >> + >> +static uint16_t >> +find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id) >> +{ >> + uint16_t cdev_id, cnt; >> + struct rte_cryptodev_info info; >> + >> + cnt = rte_cryptodev_count(); >> + for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) { >> + rte_cryptodev_info_get(cdev_id, &info); >> + if (info.dev_type == cdev_type) >> + return cdev_id; >> + } >> + >> + return -1; >> +} >> + >> +static uint16_t >> +find_cdev_socket(int socket_id, unsigned cdev_type) >> +{ >> + uint16_t cdev_id, cnt; >> + struct rte_cryptodev_info info; >> + int cdev_socket; >> + >> + cnt = rte_cryptodev_count(); >> + for (cdev_id = 0; cdev_id < cnt; cdev_id++) { >> + rte_cryptodev_info_get(cdev_id, &info); >> + cdev_socket = rte_cryptodev_socket_id(cdev_id); >> + if ((info.dev_type == cdev_type) && (cdev_socket == socket_id)) >> + return cdev_id; >> + } >> + >> + return -1; >> +} >> + >> +static int >> +cryptodevs_init(void) >> +{ >> + struct rte_cryptodev_config dev_conf; >> + struct rte_cryptodev_qp_conf qp_conf; >> + struct lcore_conf *qconf; >> + uint16_t cnt, lcore_id, cdev_id; >> + int ret, i, socket_id; >> + >> + if (cdev_type == RTE_CRYPTODEV_QAT_PMD) { >> + cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD); >> + printf("Found %u QAT devices\n", cnt); >> + if (cnt < nb_lcores) >> + rte_panic("Not enough QAT devices detected, " >> + "need %u (1 per core), found %d\n", >> + nb_lcores, cnt); >> + } else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { >> + printf("Initializing %u AESNI vdevs\n", rte_lcore_count()); > Is it possible to remove PMD specific Initialization code from the > application and move driver layer so that new crypto pmd inclusion will > not have any change in this place. Yes, it should be possible now that we have: http://dpdk.org/ml/archives/dev/2016-January/032448.html I also plan to rework the code a bit to use the new cryptodev API: http://dpdk.org/ml/archives/dev/2016-January/032445.html >> + for (i = 0; i < (int)rte_lcore_count(); i++) { >> + ret = rte_eal_vdev_init( >> + CRYPTODEV_NAME_AESNI_MB_PMD, >> + NULL); >> + if (ret < 0) >> + rte_panic("Failed to create AESNI-MB vdev\n"); >> + } >> + } else >> + rte_panic("Need to set cryptodev type option --cdev\n"); >> + >> + cdev_id = 0; >> + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { >> + if (rte_lcore_is_enabled(lcore_id) == 0) >> + continue; >> + >> + socket_id = rte_lcore_to_socket_id(lcore_id); >> + cdev_id = find_next_cdev(cdev_type, cdev_id); >> + qconf = &lcore_conf[lcore_id]; >> + qconf->cdev = cdev_id; >> + qconf->cdev_q = 0; >> + if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { >> + dev_conf.socket_id = socket_id; >> + printf("Initializing AESNI-MB device %u socket %u\n", >> + cdev_id, socket_id); >> + } else { >> + dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id); >> + printf("Initialising QAT device %u\n", cdev_id); >> + } >> + >> + dev_conf.nb_queue_pairs = 1; >> + dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS; >> + dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ; >> + >> + if (rte_cryptodev_configure(cdev_id, &dev_conf)) >> + rte_panic("Failed to initialize crypodev %u\n", >> + cdev_id); >> + >> + qp_conf.nb_descriptors = CDEV_MP_NB_OBJS; >> + if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf, >> + dev_conf.socket_id)) >> + rte_panic("Failed to setup queue %u for cdev_id %u\n", >> + 0, cdev_id); >> + cdev_id++; >> + } >> + >> + return 0; >> +} >> + >> +static void >> +port_init(uint8_t portid) >> +{ >> + struct rte_eth_dev_info dev_info; >> + struct rte_eth_txconf *txconf; >> + uint16_t nb_tx_queue, nb_rx_queue; >> + uint16_t tx_queueid, rx_queueid, queue, lcore_id; >> + int ret, socket_id; >> + struct lcore_conf *qconf; >> + struct ether_addr ethaddr; >> + >> + rte_eth_dev_info_get(portid, &dev_info); >> + >> + printf("Configuring device port %u:\n", portid); >> + >> + rte_eth_macaddr_get(portid, ðaddr); >> + ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr); >> + print_ethaddr("Address: ", ðaddr); >> + printf("\n"); >> + >> + nb_rx_queue = get_port_nb_rx_queues(portid); >> + nb_tx_queue = nb_lcores; >> + >> + if (nb_rx_queue > dev_info.max_rx_queues) >> + rte_exit(EXIT_FAILURE, "Error: queue %u not available " >> + "(max rx queue is %u)\n", >> + nb_rx_queue, dev_info.max_rx_queues); >> + >> + if (nb_tx_queue > dev_info.max_tx_queues) >> + rte_exit(EXIT_FAILURE, "Error: queue %u not available " >> + "(max tx queue is %u)\n", >> + nb_tx_queue, dev_info.max_tx_queues); >> + >> + printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n", >> + nb_rx_queue, nb_tx_queue); >> + >> + ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue, >> + &port_conf); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "Cannot configure device: " >> + "err=%d, port=%d\n", ret, portid); >> + >> + /* init one TX queue per lcore */ >> + tx_queueid = 0; >> + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { >> + if (rte_lcore_is_enabled(lcore_id) == 0) >> + continue; >> + >> + if (numa_on) >> + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); >> + else >> + socket_id = 0; >> + >> + /* init TX queue */ >> + printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id); >> + >> + txconf = &dev_info.default_txconf; >> + txconf->txq_flags = 0; >> + >> + ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd, >> + socket_id, txconf); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: " >> + "err=%d, port=%d\n", ret, portid); >> + >> + qconf = &lcore_conf[lcore_id]; >> + qconf->tx_queue_id[portid] = tx_queueid; >> + tx_queueid++; >> + >> + /* init RX queues */ >> + for (queue = 0; queue < qconf->nb_rx_queue; ++queue) { >> + if (portid != qconf->rx_queue_list[queue].port_id) >> + continue; >> + >> + rx_queueid = qconf->rx_queue_list[queue].queue_id; >> + >> + printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid, >> + socket_id); >> + >> + ret = rte_eth_rx_queue_setup(portid, rx_queueid, >> + nb_rxd, socket_id, NULL, >> + socket_ctx[socket_id].mbuf_pool); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, >> + "rte_eth_rx_queue_setup: err=%d, " >> + "port=%d\n", ret, portid); >> + } >> + } >> + printf("\n"); >> +} >> + >> +static void >> +pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf) >> +{ >> + char s[64]; >> + >> + snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id); >> + ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf, >> + MEMPOOL_CACHE_SIZE, ipsec_metadata_size(), >> + RTE_MBUF_DEFAULT_BUF_SIZE, >> + socket_id); >> + if (ctx->mbuf_pool == NULL) >> + rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n", >> + socket_id); >> + else >> + printf("Allocated mbuf pool on socket %d\n", socket_id); >> +} >> + >> +int >> +main(int argc, char **argv) >> +{ >> + int ret; >> + unsigned lcore_id, nb_ports; >> + uint8_t portid, socket_id; >> + >> + /* init EAL */ >> + ret = rte_eal_init(argc, argv); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n"); >> + argc -= ret; >> + argv += ret; >> + >> + /* parse application arguments (after the EAL ones) */ >> + ret = parse_args(argc, argv); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "Invalid parameters\n"); >> + >> + if (ep < 0) >> + rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n"); >> + >> + if ((unprotected_port_mask & enabled_port_mask) != >> + unprotected_port_mask) >> + rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n", >> + unprotected_port_mask); >> + >> + nb_ports = rte_eth_dev_count(); >> + if (nb_ports > RTE_MAX_ETHPORTS) >> + nb_ports = RTE_MAX_ETHPORTS; >> + >> + if (check_params() < 0) >> + rte_exit(EXIT_FAILURE, "check_params failed\n"); >> + >> + ret = init_lcore_rx_queues(); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n"); >> + >> + nb_lcores = rte_lcore_count(); >> + >> + cryptodevs_init(); >> + >> + /* Replicate each contex per socket */ >> + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { >> + if (rte_lcore_is_enabled(lcore_id) == 0) >> + continue; >> + >> + if (numa_on) >> + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); >> + else >> + socket_id = 0; >> + >> + if (socket_ctx[socket_id].mbuf_pool) >> + continue; >> + >> + sa_init(&socket_ctx[socket_id], socket_id, ep, >> + find_cdev_socket(socket_id, cdev_type)); >> + >> + sp_init(&socket_ctx[socket_id], socket_id, ep); >> + >> + rt_init(&socket_ctx[socket_id], socket_id, ep); >> + >> + pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); >> + } >> + >> + for (portid = 0; portid < nb_ports; portid++) { >> + if ((enabled_port_mask & (1 << portid)) == 0) >> + continue; >> + >> + port_init(portid); >> + } >> + >> + /* start ports */ >> + for (portid = 0; portid < nb_ports; portid++) { >> + if ((enabled_port_mask & (1 << portid)) == 0) >> + continue; >> + >> + /* Start device */ >> + ret = rte_eth_dev_start(portid); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " >> + "err=%d, port=%d\n", ret, portid); >> + /* >> + * If enabled, put device in promiscuous mode. >> + * This allows IO forwarding mode to forward packets >> + * to itself through 2 cross-connected ports of the >> + * target machine. >> + */ >> + if (promiscuous_on) >> + rte_eth_promiscuous_enable(portid); >> + } >> + >> + check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask); >> + >> + /* launch per-lcore init on every lcore */ >> + rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER); >> + RTE_LCORE_FOREACH_SLAVE(lcore_id) { >> + if (rte_eal_wait_lcore(lcore_id) < 0) >> + return -1; >> + } >> + >> + return 0; >> +} >> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c >> new file mode 100644 >> index 0000000..83e3326 >> --- /dev/null >> +++ b/examples/ipsec-secgw/ipsec.c >> @@ -0,0 +1,138 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#include <netinet/in.h> >> +#include <netinet/ip.h> >> + >> +#include <rte_branch_prediction.h> >> +#include <rte_log.h> >> +#include <rte_crypto.h> >> +#include <rte_cryptodev.h> >> +#include <rte_mbuf.h> >> + >> +#include "ipsec.h" >> + >> +static inline uint16_t >> +ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[], >> + struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts) >> +{ >> + int ret, i, j; >> + struct ipsec_mbuf_metadata *priv; >> + struct rte_mbuf_offload *ol; >> + struct ipsec_sa *sa; >> + >> + j = 0; >> + for (i = 0; i < nb_pkts; i++) { >> + rte_prefetch0(sas[i]); >> + rte_prefetch0(pkts[i]); >> + >> + priv = get_priv(pkts[i]); >> + ol = &priv->ol; >> + sa = sas[i]; >> + priv->sa = sa; >> + >> + IPSEC_ASSERT(sa != NULL); >> + >> + __rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO); >> + >> + rte_crypto_op_attach_session(&ol->op.crypto, >> + sa->crypto_session); >> + >> + pkts[i]->offload_ops = ol; >> + >> + ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto); >> + if (unlikely(ret)) >> + rte_pktmbuf_free(pkts[i]); >> + else >> + pkts[j++] = pkts[i]; >> + } >> + nb_pkts = j; >> + >> + ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts); >> + if (ret < nb_pkts) { >> + IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" >> + " enqueued %u packets (out of %u)\n", >> + cdev_id, qp_id, ret, nb_pkts); >> + for (i = ret; i < nb_pkts; i++) >> + rte_pktmbuf_free(pkts[i]); >> + } >> + >> + nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts); >> + if ((nb_pkts != 0) && (nb_pkts < max_pkts)) >> + IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" >> + " dequeued %u packets (out of %u)\n", >> + cdev_id, qp_id, nb_pkts, max_pkts); >> + >> + j = 0; >> + for (i = 0; i < nb_pkts; i++) { >> + rte_prefetch0(pkts[i]); >> + >> + priv = get_priv(pkts[i]); >> + ol = &priv->ol; >> + sa = priv->sa; >> + rte_prefetch0(sa); >> + >> + IPSEC_ASSERT(sa != NULL); >> + >> + ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto); >> + if (unlikely(ret)) >> + rte_pktmbuf_free(pkts[i]); >> + else >> + pkts[j++] = pkts[i]; >> + } >> + >> + /* return packets */ >> + return j; >> +} >> + >> +uint16_t >> +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], >> + uint16_t nb_pkts, uint16_t len) >> +{ >> + struct ipsec_sa *sas[nb_pkts]; >> + >> + inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts); >> + >> + return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); >> +} >> + >> +uint16_t >> +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], >> + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len) >> +{ >> + struct ipsec_sa *sas[nb_pkts]; >> + >> + outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts); >> + >> + return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); >> +} >> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h >> new file mode 100644 >> index 0000000..abf9d5f >> --- /dev/null >> +++ b/examples/ipsec-secgw/ipsec.h >> @@ -0,0 +1,184 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#ifndef __IPSEC_H__ >> +#define __IPSEC_H__ >> + >> +#include <stdint.h> >> +#include <netinet/in.h> >> +#include <netinet/ip.h> >> + >> +#include <rte_mbuf_offload.h> >> +#include <rte_byteorder.h> >> +#include <rte_ip.h> >> + >> +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 >> +#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 >> +#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3 >> + >> +#ifdef IPSEC_DEBUG >> +#define IPSEC_ASSERT(exp) \ >> +if (!(exp)) { \ >> + rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \ >> +} >> + >> +#define IPSEC_LOG RTE_LOG >> +#else >> +#define IPSEC_ASSERT(exp) do {} while (0) >> +#define IPSEC_LOG(...) do {} while (0) >> +#endif /* IPSEC_DEBUG */ >> + >> +#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ >> + >> +#define uint32_t_to_char(ip, a, b, c, d) do {\ >> + *a = (unsigned char)(ip >> 24 & 0xff);\ >> + *b = (unsigned char)(ip >> 16 & 0xff);\ >> + *c = (unsigned char)(ip >> 8 & 0xff);\ >> + *d = (unsigned char)(ip & 0xff);\ >> + } while (0) >> + >> +#define DEFAULT_MAX_CATEGORIES 1 >> + >> +#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */ >> +#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) >> +#define INVALID_SPI (0) >> + >> +#define DISCARD (0x80000000) >> +#define BYPASS (0x40000000) >> +#define PROTECT_MASK (0x3fffffff) >> +#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ >> + >> +#define IPSEC_XFORM_MAX 2 >> + >> +struct rte_crypto_xform; >> +struct ipsec_xform; >> +struct rte_cryptodev_session; >> +struct rte_mbuf; >> + >> +struct replay { >> + uint32_t seq_h; >> +}; >> + >> +struct lifetime { >> + uint64_t bytes; >> + uint64_t seconds; >> +}; >> + >> +struct ipsec_sa; >> + >> +typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +struct ipsec_sa { >> + uint32_t spi; >> + uint32_t seq; >> + uint32_t src; >> + uint32_t dst; >> + struct rte_cryptodev_session *crypto_session; >> + struct rte_crypto_xform *xforms; >> + enum rte_crypto_cipher_algorithm cipher_algo; >> + enum rte_crypto_auth_algorithm auth_algo; >> + uint16_t digest_len; >> + uint16_t iv_len; >> + uint16_t block_size; >> + ipsec_xform_fn pre_crypto; >> + ipsec_xform_fn post_crypto; >> + uint32_t flags; >> + /* does not apply if no automated SA management (IKE) support */ >> + struct lifetime current; >> + struct lifetime soft; >> + struct lifetime hard; >> + struct replay replay; >> +} __rte_cache_aligned; >> + >> +struct ipsec_mbuf_metadata { >> + struct ipsec_sa *sa; >> + struct rte_mbuf_offload ol; >> +}; >> + >> +struct ipsec_ctx { >> + uint16_t cdev; >> + uint16_t queue; >> + struct sa_ctx *sa_ctx; >> +}; >> + >> +struct socket_ctx { >> + struct sa_ctx *sa_ipv4_in; >> + struct sa_ctx *sa_ipv4_out; >> + struct sp_ctx *sp_ipv4_in; >> + struct sp_ctx *sp_ipv4_out; >> + struct rt_ctx *rt_ipv4; >> + struct rte_mempool *mbuf_pool; >> +}; >> + >> +uint16_t >> +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], >> + uint16_t nb_pkts, uint16_t len); >> + >> +uint16_t >> +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], >> + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len); >> + >> +static inline uint16_t >> +ipsec_metadata_size(void) >> +{ >> + return sizeof(struct ipsec_mbuf_metadata); >> +} >> + >> +static inline struct ipsec_mbuf_metadata * >> +get_priv(struct rte_mbuf *m) >> +{ >> + return RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); >> +} >> + >> +int >> +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); >> + >> +void >> +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], >> + struct ipsec_sa *sa[], uint16_t nb_pkts); >> + >> +void >> +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], >> + struct ipsec_sa *sa[], uint16_t nb_pkts); >> + >> +void >> +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep); >> + >> +void >> +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id); >> + >> +void >> +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep); >> + >> +#endif /* __IPSEC_H__ */ >> diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c >> new file mode 100644 >> index 0000000..82064b2 >> --- /dev/null >> +++ b/examples/ipsec-secgw/rt.c >> @@ -0,0 +1,131 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +/* >> + * Routing Table (RT) >> + */ >> +#include <rte_lpm.h> >> +#include <rte_errno.h> >> + >> +#include "ipsec.h" >> + >> +#define RT_IPV4_MAX_RULES 64 >> + >> +struct ipv4_route { >> + uint32_t ip; >> + uint8_t depth; >> + uint8_t if_out; >> +}; >> + >> +/* In the default routing table we have: >> + * ep0 protected ports 0 and 1, and unprotected ports 2 and 3. >> + */ >> +static struct ipv4_route rt_ipv4_ep0[] = { >> + { IPv4(172, 16, 2, 5), 32, 0 }, >> + { IPv4(172, 16, 2, 6), 32, 0 }, >> + { IPv4(172, 16, 2, 7), 32, 1 }, >> + { IPv4(172, 16, 2, 8), 32, 1 }, >> + >> + { IPv4(192, 168, 115, 0), 24, 2 }, >> + { IPv4(192, 168, 116, 0), 24, 2 }, >> + { IPv4(192, 168, 117, 0), 24, 3 }, >> + { IPv4(192, 168, 118, 0), 24, 3 } >> +}; >> + >> +/* In the default routing table we have: >> + * ep1 protected ports 0 and 1, and unprotected ports 2 and 3. >> + */ >> +static struct ipv4_route rt_ipv4_ep1[] = { >> + { IPv4(172, 16, 1, 5), 32, 2 }, >> + { IPv4(172, 16, 1, 6), 32, 2 }, >> + { IPv4(172, 16, 1, 7), 32, 3 }, >> + { IPv4(172, 16, 1, 8), 32, 3 }, >> + >> + { IPv4(192, 168, 105, 0), 24, 0 }, >> + { IPv4(192, 168, 106, 0), 24, 0 }, >> + { IPv4(192, 168, 107, 0), 24, 1 }, >> + { IPv4(192, 168, 108, 0), 24, 1 } >> +}; >> + >> +void >> +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep) >> +{ >> + char name[PATH_MAX]; >> + unsigned i; >> + int ret; >> + struct rte_lpm *lpm; >> + struct ipv4_route *rt; >> + char a, b, c, d; >> + unsigned nb_routes; >> + >> + if (ctx == NULL) >> + rte_exit(EXIT_FAILURE, "NULL context.\n"); >> + >> + if (ctx->rt_ipv4 != NULL) >> + rte_exit(EXIT_FAILURE, "Routing Table for socket %u already " >> + "initialized\n", socket_id); >> + >> + printf("Creating Routing Table (RT) context with %u max routes\n", >> + RT_IPV4_MAX_RULES); >> + >> + if (ep == 0) { >> + rt = rt_ipv4_ep0; >> + nb_routes = RTE_DIM(rt_ipv4_ep0); >> + } else if (ep == 1) { >> + rt = rt_ipv4_ep1; >> + nb_routes = RTE_DIM(rt_ipv4_ep1); >> + } else >> + rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 " >> + "supported.\n", ep); >> + >> + /* create the LPM table */ >> + snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id); >> + lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0); >> + if (lpm == NULL) >> + rte_exit(EXIT_FAILURE, "Unable to create LPM table " >> + "on socket %d\n", socket_id); >> + >> + /* populate the LPM table */ >> + for (i = 0; i < nb_routes; i++) { >> + ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "Unable to add entry num %u to " >> + "LPM table on socket %d\n", i, socket_id); >> + >> + uint32_t_to_char(rt[i].ip, &a, &b, &c, &d); >> + printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n", >> + a, b, c, d, rt[i].depth, rt[i].if_out); >> + } >> + >> + ctx->rt_ipv4 = (struct rt_ctx *)lpm; >> +} >> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c >> new file mode 100644 >> index 0000000..5ea7592 >> --- /dev/null >> +++ b/examples/ipsec-secgw/sa.c >> @@ -0,0 +1,391 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +/* >> + * Security Associations >> + */ >> +#include <netinet/ip.h> >> + >> +#include <rte_memzone.h> >> +#include <rte_crypto.h> >> +#include <rte_cryptodev.h> >> +#include <rte_byteorder.h> >> +#include <rte_errno.h> >> + >> +#include "ipsec.h" >> +#include "esp.h" >> + >> +/* SAs EP0 Outbound */ >> +const struct ipsec_sa sa_ep0_out[] = { >> + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > IMO, a SA with NULL crypto (rfc2410) operation will be useful for ESP > packet processing debugging and measuring the performance impact with > the crypto block in fast path. > I couldn't agree more. I'll add support for NULL crypto in the app with dependency on previously mentioned cryptodev capabilities patch set and: http://dpdk.org/ml/archives/dev/2016-January/032458.html Sergio >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } >> +}; >> + >> +/* SAs EP0 Inbound */ >> +const struct ipsec_sa sa_ep0_in[] = { >> + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } >> +}; >> + >> +/* SAs EP1 Outbound */ >> +const struct ipsec_sa sa_ep1_out[] = { >> + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } >> +}; >> + >> +/* SAs EP1 Inbound */ >> +const struct ipsec_sa sa_ep1_in[] = { >> + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } >> +}; >> + >> +static uint8_t cipher_key[256] = "sixteenbytes key"; >> + >> +/* AES CBC xform */ >> +const struct rte_crypto_xform aescbc_enc_xf = { >> + NULL, >> + RTE_CRYPTO_XFORM_CIPHER, >> + .cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC, >> + .key = { cipher_key, 0, 16 } } >> +}; >> + >> +const struct rte_crypto_xform aescbc_dec_xf = { >> + NULL, >> + RTE_CRYPTO_XFORM_CIPHER, >> + .cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC, >> + .key = { cipher_key, 0, 16 } } >> +}; >> + >> +static uint8_t auth_key[256] = "twentybytes hash key"; >> + >> +/* SHA1 HMAC xform */ >> +const struct rte_crypto_xform sha1hmac_gen_xf = { >> + NULL, >> + RTE_CRYPTO_XFORM_AUTH, >> + .auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + .key = { auth_key, 0, 20 }, 12, 0 } >> +}; >> + >> +const struct rte_crypto_xform sha1hmac_verify_xf = { >> + NULL, >> + RTE_CRYPTO_XFORM_AUTH, >> + .auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + .key = { auth_key, 0, 20 }, 12, 0 } >> +}; >> + >> +struct sa_ctx { >> + struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES]; >> + struct { >> + struct rte_crypto_xform a; >> + struct rte_crypto_xform b; >> + } xf[IPSEC_SA_MAX_ENTRIES]; >> +}; >> + >> +static struct sa_ctx * >> +sa_ipv4_create(const char *name, int socket_id) >> +{ >> + char s[PATH_MAX]; >> + struct sa_ctx *sa_ctx; >> + unsigned mz_size; >> + const struct rte_memzone *mz; >> + >> + snprintf(s, sizeof(s), "%s_%u", name, socket_id); >> + >> + /* Create SA array table */ >> + printf("Creating SA context with %u maximum entries\n", >> + IPSEC_SA_MAX_ENTRIES); >> + >> + mz_size = sizeof(struct sa_ctx); >> + mz = rte_memzone_reserve(s, mz_size, socket_id, >> + RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY); >> + if (mz == NULL) { >> + printf("Failed to allocate SA DB memory\n"); >> + rte_errno = -ENOMEM; >> + return NULL; >> + } >> + >> + sa_ctx = (struct sa_ctx *)mz->addr; >> + >> + return sa_ctx; >> +} >> + >> +static int >> +sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], >> + unsigned nb_entries, uint16_t cdev_id, unsigned inbound) >> +{ >> + struct ipsec_sa *sa; >> + unsigned i, idx; >> + >> + for (i = 0; i < nb_entries; i++) { >> + idx = SPI2IDX(entries[i].spi); >> + sa = &sa_ctx->sa[idx]; >> + if (sa->spi != 0) { >> + printf("Index %u already in use by SPI %u\n", >> + idx, sa->spi); >> + return -EINVAL; >> + } >> + *sa = entries[i]; >> + sa->src = rte_cpu_to_be_32(sa->src); >> + sa->dst = rte_cpu_to_be_32(sa->dst); >> + if (inbound) { >> + sa_ctx->xf[idx].a = sha1hmac_verify_xf; >> + sa_ctx->xf[idx].b = aescbc_dec_xf; >> + } else { /* outbound */ >> + sa_ctx->xf[idx].a = aescbc_enc_xf; >> + sa_ctx->xf[idx].b = sha1hmac_gen_xf; >> + } >> + sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b; >> + sa_ctx->xf[idx].b.next = NULL; >> + sa->xforms = &sa_ctx->xf[idx].a; >> + >> + sa->crypto_session = rte_cryptodev_session_create(cdev_id, >> + sa->xforms); >> + } >> + >> + return 0; >> +} >> + >> +static inline int >> +sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], >> + unsigned nb_entries, uint16_t cdev_id) >> +{ >> + return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0); >> +} >> + >> +static inline int >> +sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], >> + unsigned nb_entries, uint16_t cdev_id) >> +{ >> + return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1); >> +} >> + >> +void >> +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id) >> +{ >> + const struct ipsec_sa *sa_out_entries, *sa_in_entries; >> + unsigned nb_out_entries, nb_in_entries; >> + const char *name; >> + >> + if (ctx == NULL) >> + rte_exit(EXIT_FAILURE, "NULL context.\n"); >> + >> + if (ctx->sa_ipv4_in != NULL) >> + rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already " >> + "initialized\n", socket_id); >> + >> + if (ctx->sa_ipv4_out != NULL) >> + rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already " >> + "initialized\n", socket_id); >> + >> + if (ep == 0) { >> + sa_out_entries = sa_ep0_out; >> + nb_out_entries = RTE_DIM(sa_ep0_out); >> + sa_in_entries = sa_ep0_in; >> + nb_in_entries = RTE_DIM(sa_ep0_in); >> + } else if (ep == 1) { >> + sa_out_entries = sa_ep1_out; >> + nb_out_entries = RTE_DIM(sa_ep1_out); >> + sa_in_entries = sa_ep1_in; >> + nb_in_entries = RTE_DIM(sa_ep1_in); >> + } else >> + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " >> + "Only 0 or 1 supported.\n", ep); >> + >> + name = "sa_ipv4_in"; >> + ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id); >> + if (ctx->sa_ipv4_in == NULL) >> + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " >> + "in socket %d\n", rte_errno, name, socket_id); >> + >> + name = "sa_ipv4_out"; >> + ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id); >> + if (ctx->sa_ipv4_out == NULL) >> + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " >> + "in socket %d\n", rte_errno, name, socket_id); >> + >> + sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, >> + nb_in_entries, cdev_id); >> + >> + sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, >> + nb_out_entries, cdev_id); >> +} >> + >> +int >> +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx) >> +{ >> + struct ipsec_mbuf_metadata *priv; >> + >> + priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); >> + >> + return (sa_ctx->sa[sa_idx].spi == priv->sa->spi); >> +} >> + >> +void >> +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], >> + struct ipsec_sa *sa[], uint16_t nb_pkts) >> +{ >> + unsigned i; >> + uint32_t *src, spi; >> + >> + for (i = 0; i < nb_pkts; i++) { >> + spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *, >> + sizeof(struct ip))->spi; >> + if (spi == INVALID_SPI) >> + continue; >> + >> + sa[i] = &sa_ctx->sa[SPI2IDX(spi)]; >> + if (spi != sa[i]->spi) { >> + sa[i] = NULL; >> + continue; >> + } >> + >> + src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *, >> + offsetof(struct ip, ip_src)); >> + if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1))) >> + sa[i] = NULL; >> + } >> +} >> + >> +void >> +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], >> + struct ipsec_sa *sa[], uint16_t nb_pkts) >> +{ >> + unsigned i; >> + >> + for (i = 0; i < nb_pkts; i++) >> + sa[i] = &sa_ctx->sa[sa_idx[i]]; >> +} >> diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c >> new file mode 100644 >> index 0000000..219e478 >> --- /dev/null >> +++ b/examples/ipsec-secgw/sp.c >> @@ -0,0 +1,324 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +/* >> + * Security Policies >> + */ >> +#include <netinet/ip.h> >> + >> +#include <rte_acl.h> >> + >> +#include "ipsec.h" >> + >> +#define MAX_ACL_RULE_NUM 1000 >> + >> +/* >> + * Rule and trace formats definitions. >> + */ >> +enum { >> + PROTO_FIELD_IPV4, >> + SRC_FIELD_IPV4, >> + DST_FIELD_IPV4, >> + SRCP_FIELD_IPV4, >> + DSTP_FIELD_IPV4, >> + NUM_FIELDS_IPV4 >> +}; >> + >> +/* >> + * That effectively defines order of IPV4 classifications: >> + * - PROTO >> + * - SRC IP ADDRESS >> + * - DST IP ADDRESS >> + * - PORTS (SRC and DST) >> + */ >> +enum { >> + RTE_ACL_IPV4_PROTO, >> + RTE_ACL_IPV4_SRC, >> + RTE_ACL_IPV4_DST, >> + RTE_ACL_IPV4_PORTS, >> + RTE_ACL_IPV4_NUM >> +}; >> + >> +struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = { >> + { >> + .type = RTE_ACL_FIELD_TYPE_BITMASK, >> + .size = sizeof(uint8_t), >> + .field_index = PROTO_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_PROTO, >> + .offset = 0, >> + }, >> + { >> + .type = RTE_ACL_FIELD_TYPE_MASK, >> + .size = sizeof(uint32_t), >> + .field_index = SRC_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_SRC, >> + .offset = offsetof(struct ip, ip_src) - offsetof(struct ip, ip_p) >> + }, >> + { >> + .type = RTE_ACL_FIELD_TYPE_MASK, >> + .size = sizeof(uint32_t), >> + .field_index = DST_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_DST, >> + .offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p) >> + }, >> + { >> + .type = RTE_ACL_FIELD_TYPE_RANGE, >> + .size = sizeof(uint16_t), >> + .field_index = SRCP_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_PORTS, >> + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) >> + }, >> + { >> + .type = RTE_ACL_FIELD_TYPE_RANGE, >> + .size = sizeof(uint16_t), >> + .field_index = DSTP_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_PORTS, >> + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) + >> + sizeof(uint16_t) >> + }, >> +}; >> + >> +RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs)); >> + >> +const struct acl4_rules acl4_rules_in[] = { >> + { >> + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 105, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 106, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 107, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 108, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + } >> +}; >> + >> +const struct acl4_rules acl4_rules_out[] = { >> + { >> + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 115, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 116, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 117, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 118, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + } >> +}; >> + >> +static void >> +print_one_ipv4_rule(const struct acl4_rules *rule, int extra) >> +{ >> + unsigned char a, b, c, d; >> + >> + uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32, >> + &a, &b, &c, &d); >> + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, >> + rule->field[SRC_FIELD_IPV4].mask_range.u32); >> + uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32, >> + &a, &b, &c, &d); >> + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, >> + rule->field[DST_FIELD_IPV4].mask_range.u32); >> + printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ", >> + rule->field[SRCP_FIELD_IPV4].value.u16, >> + rule->field[SRCP_FIELD_IPV4].mask_range.u16, >> + rule->field[DSTP_FIELD_IPV4].value.u16, >> + rule->field[DSTP_FIELD_IPV4].mask_range.u16, >> + rule->field[PROTO_FIELD_IPV4].value.u8, >> + rule->field[PROTO_FIELD_IPV4].mask_range.u8); >> + if (extra) >> + printf("0x%x-0x%x-0x%x ", >> + rule->data.category_mask, >> + rule->data.priority, >> + rule->data.userdata); >> +} >> + >> +static inline void >> +dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra) >> +{ >> + int i; >> + >> + for (i = 0; i < num; i++, rule++) { >> + printf("\t%d:", i + 1); >> + print_one_ipv4_rule(rule, extra); >> + printf("\n"); >> + } >> +} >> + >> +static struct rte_acl_ctx * >> +acl4_init(const char *name, int socketid, const struct acl4_rules *rules, >> + unsigned rules_nb) >> +{ >> + char s[PATH_MAX]; >> + struct rte_acl_param acl_param; >> + struct rte_acl_config acl_build_param; >> + struct rte_acl_ctx *ctx; >> + >> + printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM); >> + >> + memset(&acl_param, 0, sizeof(acl_param)); >> + >> + /* Create ACL contexts */ >> + snprintf(s, sizeof(s), "%s_%d", name, socketid); >> + >> + printf("IPv4 %s entries [%u]:\n", s, rules_nb); >> + dump_ipv4_rules(rules, rules_nb, 1); >> + >> + acl_param.name = s; >> + acl_param.socket_id = socketid; >> + acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs)); >> + acl_param.max_rule_num = MAX_ACL_RULE_NUM; >> + >> + ctx = rte_acl_create(&acl_param); >> + if (ctx == NULL) >> + rte_exit(EXIT_FAILURE, "Failed to create ACL context\n"); >> + >> + if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules, >> + rules_nb) < 0) >> + rte_exit(EXIT_FAILURE, "add rules failed\n"); >> + >> + /* Perform builds */ >> + memset(&acl_build_param, 0, sizeof(acl_build_param)); >> + >> + acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES; >> + acl_build_param.num_fields = rules_nb; >> + memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs)); >> + >> + if (rte_acl_build(ctx, &acl_build_param) != 0) >> + rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n"); >> + >> + rte_acl_dump(ctx); >> + >> + return ctx; >> +} >> + >> +void >> +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep) >> +{ >> + const char *name; >> + const struct acl4_rules *rules_out, *rules_in; >> + unsigned nb_out_rules, nb_in_rules; >> + >> + if (ctx == NULL) >> + rte_exit(EXIT_FAILURE, "NULL context.\n"); >> + >> + if (ctx->sp_ipv4_in != NULL) >> + rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already " >> + "initialized\n", socket_id); >> + >> + if (ctx->sp_ipv4_out != NULL) >> + rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already " >> + "initialized\n", socket_id); >> + >> + if (ep == 0) { >> + rules_out = acl4_rules_in; >> + nb_out_rules = RTE_DIM(acl4_rules_in); >> + rules_in = acl4_rules_out; >> + nb_in_rules = RTE_DIM(acl4_rules_out); >> + } else if (ep == 1) { >> + rules_out = acl4_rules_out; >> + nb_out_rules = RTE_DIM(acl4_rules_out); >> + rules_in = acl4_rules_in; >> + nb_in_rules = RTE_DIM(acl4_rules_in); >> + } else >> + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " >> + "Only 0 or 1 supported.\n", ep); >> + >> + name = "sp_ipv4_in"; >> + ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id, >> + rules_in, nb_in_rules); >> + >> + name = "sp_ipv4_out"; >> + ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id, >> + rules_out, nb_out_rules); >> +} >> -- >> 2.4.3 >> ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway 2016-02-01 11:09 ` Sergio Gonzalez Monroy @ 2016-02-01 11:26 ` Jerin Jacob 2016-02-01 14:09 ` Thomas Monjalon 2016-03-09 23:54 ` Sergio Gonzalez Monroy 0 siblings, 2 replies; 15+ messages in thread From: Jerin Jacob @ 2016-02-01 11:26 UTC (permalink / raw) To: Sergio Gonzalez Monroy; +Cc: dev On Mon, Feb 01, 2016 at 11:09:16AM +0000, Sergio Gonzalez Monroy wrote: > On 31/01/2016 14:39, Jerin Jacob wrote: > >On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote: > >>Sample app implementing an IPsec Security Geteway. > >>The main goal of this app is to show the use of cryptodev framework > >>in a real world application. > >> > >>Currently only supported static IPv4 IPsec tunnels using AES-CBC > >>and HMAC-SHA1. > >> > >>Also, currently not supported: > >>- SA auto negotiation (No IKE support) > >>- chained mbufs > >> > >>Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> > >Hi Sergio, > > > >Great effort, one of the best highly integrated sample DPDK application > >(ethernet, acl, crypto and lpm) > > > >>--- > >> MAINTAINERS | 4 + > >> doc/guides/sample_app_ug/index.rst | 1 + > >> doc/guides/sample_app_ug/ipsec_secgw.rst | 440 +++++++++++ > >> examples/Makefile | 2 + > >> examples/ipsec-secgw/Makefile | 58 ++ > >> examples/ipsec-secgw/esp.c | 256 +++++++ > >> examples/ipsec-secgw/esp.h | 66 ++ > >> examples/ipsec-secgw/ipip.h | 100 +++ > >> examples/ipsec-secgw/ipsec-secgw.c | 1218 ++++++++++++++++++++++++++++++ > >> examples/ipsec-secgw/ipsec.c | 138 ++++ > >> examples/ipsec-secgw/ipsec.h | 184 +++++ > >> examples/ipsec-secgw/rt.c | 131 ++++ > >> examples/ipsec-secgw/sa.c | 391 ++++++++++ > >> examples/ipsec-secgw/sp.c | 324 ++++++++ > >> 14 files changed, 3313 insertions(+) > >> create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst > >> create mode 100644 examples/ipsec-secgw/Makefile > >> create mode 100644 examples/ipsec-secgw/esp.c > >> create mode 100644 examples/ipsec-secgw/esp.h > >> create mode 100644 examples/ipsec-secgw/ipip.h > >> create mode 100644 examples/ipsec-secgw/ipsec-secgw.c > >> create mode 100644 examples/ipsec-secgw/ipsec.c > >> create mode 100644 examples/ipsec-secgw/ipsec.h > >> create mode 100644 examples/ipsec-secgw/rt.c > >> create mode 100644 examples/ipsec-secgw/sa.c > >> create mode 100644 examples/ipsec-secgw/sp.c > >> > >>diff --git a/MAINTAINERS b/MAINTAINERS > >>index b90aeea..996eda6 100644 > >>--- a/MAINTAINERS > >>+++ b/MAINTAINERS > >>@@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst > >> M: Pablo de Lara <pablo.de.lara.guarch@intel.com> > >> M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com> > >> F: examples/ptpclient/ > >>+ > >>+M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> > >>+F: doc/guides/sample_app_ug/ipsec-secgw.rst > >>+F: examples/ipsec-secgw/ > >>diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst > >>index 8a646dd..88375d2 100644 > >>--- a/doc/guides/sample_app_ug/index.rst > >>+++ b/doc/guides/sample_app_ug/index.rst > >>@@ -73,6 +73,7 @@ Sample Applications User Guide > >> proc_info > >> ptpclient > >> performance_thread > >>+ ipsec_secgw > >> **Figures** > >>diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst > >>new file mode 100644 > >>index 0000000..7be3f7e > >>--- /dev/null > >>+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst > >>@@ -0,0 +1,440 @@ > >>+.. BSD LICENSE > >>+ Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ All rights reserved. > >>+ > >>+ Redistribution and use in source and binary forms, with or without > >>+ modification, are permitted provided that the following conditions > >>+ are met: > >>+ > >>+ * Redistributions of source code must retain the above copyright > >>+ notice, this list of conditions and the following disclaimer. > >>+ * Redistributions in binary form must reproduce the above copyright > >>+ notice, this list of conditions and the following disclaimer in > >>+ the documentation and/or other materials provided with the > >>+ distribution. > >>+ * Neither the name of Intel Corporation nor the names of its > >>+ contributors may be used to endorse or promote products derived > >>+ from this software without specific prior written permission. > >>+ > >>+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ > >>+IPsec Security Gateway Sample Application > >>+========================================= > >>+ > >>+The IPsec Security Gateway application is a minimal example of real work > >>+application using DPDK cryptodev framework. > >>+ > >>+Overview > >>+-------- > >>+ > >>+The application demonstrates the implementation of a minimal Security Gateway > >>+(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and > >>+RFC2404. > >>+ > >>+Note that IKE is not supported (therefore not IPsec compliant), so only manual > >>+setting of Security Policies and Associations is allowed. > >>+ > >>+The Security Policies (SP) are implemented as ACL rules, the Security > >>+Associations (SA) are stored in a table and the Routing is implemented > >>+using LPM. > >>+ > >>+The application splits the ports between Protected and Unprotected. > >>+Based on the port the trafic is coming from, the traffic would be consider > >>+IPsec Inbound or Outbound. > >>+Traffic from Unprotected ports is consider IPsec Inbound, and traffic from > >>+Protected ports is consider IPsec Outbound. > >>+ > >>+Path for IPsec Inbound traffic: > >>+* Read packets from the port > >>+* Classify packets between IPv4 and ESP. > >>+* Inbound SA lookup for ESP packets based on their SPI > >>+* Verification/Decryption > >>+* Removal of ESP and outter IP header > >>+* Inbound SP check using ACL of decrypted packets and any other IPv4 packet > >>+we read. > >>+* Routing > >>+* Write packet to port > >>+ > >>+Path for IPsec Outbound traffic: > >>+* Read packets from the port > >>+* Outbound SP check using ACL of all IPv4 traffic > >>+* Outbound SA lookup for packets that need IPsec protection > >>+* Add ESP and outter IP header > >>+* Encryption/Digest > >>+* Routing > >>+* Write packet to port > >>+ > >>+Constraints > >>+----------- > >>+* IPv4 traffic > >>+* ESP tunnel mode > >>+* EAS-CBC and HMAC-SHA1 > >>+* Each SA must be handle by a unique lcore (1 RX queue per port) > >>+* No chained mbufs > >>+ > >>+Compiling the Application > >>+------------------------- > >>+ > >>+To compile the application: > >>+ > >>+#. Go to the sample application directory: > >>+ > >>+ .. code-block:: console > >>+ > >>+ export RTE_SDK=/path/to/rte_sdk > >>+ cd ${RTE_SDK}/examples/ipsec-secgw > >>+ > >>+#. Set the target (a default target is used if not specified). For example: > >>+ > >>+ .. code-block:: console > >>+ > >>+ export RTE_TARGET=x86_64-native-linuxapp-gcc > >>+ > >>+ See the *DPDK Getting Started Guide* for possible RTE_TARGET values. > >>+ > >>+#. Build the application: > >>+ > >>+ .. code-block:: console > >>+ > >>+ make > >>+ > >>+Running the Application > >>+----------------------- > >>+ > >>+The application has a number of command line options: > >>+ > >>+.. code-block:: console > >>+ > >>+ ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config > >>+ (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT > >>+ > >>+where, > >>+ > >>+* -p PORTMASK: Hexadecimal bitmask of ports to configure > >>+ > >>+* -P: optional, sets all ports to promiscuous mode so that packets are > >>+ accepted regardless of the packet's Ethernet MAC destination address. > >>+ Without this option, only packets with the Ethernet MAC destination address > >>+ set to the Ethernet address of the port are accepted (default is enabled). > >>+ > >>+* -u PORTMASK: hexadecimal bitmask of unprotected ports > >>+ > >>+* --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues > >>+ from which ports are mapped to which cores > >>+ > >>+* --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto > >>+ > >>+* --EP0: configure the app as Endpoint 0. > >>+ > >>+* --EP1: configure the app as Endpoint 1. > >>+ > >>+Either --EP0 or --EP1 must be specified. > >>+ > >>+The mapping of lcores to port/queues is similar to other l3fwd applications. > >>+ > >>+For example, given the following command line: > >>+.. code-block:: console > >>+ > >>+ ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3 > >>+ --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0 > >>+ > >>+where each options means: > >>+ > >>+* The -l option enables cores 20 and 21 > >>+ > >>+* The -n option sets memory 4 channels > >>+ > >>+* The --socket-mem to use 2GB on socket 1 > >>+ > >>+* The -p option enables ports (detected) 0, 1, 2 and 3 > >>+ > >>+* The -P option enables promiscous mode > >>+ > >>+* The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected > >>+ > >>+* The --config option enables one queue per port with the following mapping: > >>+ > >>++----------+-----------+-----------+---------------------------------------+ > >>+| **Port** | **Queue** | **lcore** | **Description** | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+| 0 | 0 | 20 | Map queue 0 from port 0 to lcore 20. | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+| 1 | 0 | 20 | Map queue 0 from port 1 to lcore 20. | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+| 2 | 0 | 21 | Map queue 0 from port 2 to lcore 21. | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+| 3 | 0 | 21 | Map queue 0 from port 3 to lcore 21. | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+ > >>+Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options. > >>+ > >>+Configurations > >>+-------------- > >>+ > >>+The following sections provide some details on the default values used to > >>+initialize the SP, SA and Routing tables. > >>+Currently all the configuration is hardcoded into the application. > >>+ > >>+Security Policy Initialization > >>+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >>+ > >>+As mention in the overview, the Security Policies are ACL rules. > >>+There are two ACLs, Inbound and Outboud. > >>+The application would also replicate the set of two ACLs per socket in use. > >>+ > >>+Following are the default rules: > >>+ > >>+Endpoint 0 Outbound Security Policies: > >>+ > >>++---------+------------------+-----------+------------+ > >>+| **Src** | **Dst** | **proto** | **SA idx** | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.105.0/24 | Any | 5 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.106.0/24 | Any | 6 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.107.0/24 | Any | 7 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.108.0/24 | Any | 8 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+ > >>+Endpoint 0 Inbound Security Policies: > >>+ > >>++---------+------------------+-----------+------------+ > >>+| **Src** | **Dst** | **proto** | **SA idx** | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.115.0/24 | Any | 5 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.116.0/24 | Any | 6 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.117.0/24 | Any | 7 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.118.0/24 | Any | 8 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+ > >>+Endpoint 1 Outbound Security Policies: > >>+ > >>++---------+------------------+-----------+------------+ > >>+| **Src** | **Dst** | **proto** | **SA idx** | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.115.0/24 | Any | 5 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.116.0/24 | Any | 6 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.117.0/24 | Any | 7 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.118.0/24 | Any | 8 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+ > >>+Endpoint 1 Inbound Security Policies: > >>+ > >>++---------+------------------+-----------+------------+ > >>+| **Src** | **Dst** | **proto** | **SA idx** | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.105.0/24 | Any | 5 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.106.0/24 | Any | 6 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.107.0/24 | Any | 7 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.108.0/24 | Any | 8 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+ > >>+ > >>+Security Association Initialization > >>+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >>+ > >>+The SAs are kept in a array table. > >>+ > >>+For Inbound, the SPI is used as index module the table size. > >>+This means that on a table for 100 SA, SPI 5 and 105 would use the same index > >>+and that is not currently supported. > >>+ > >>+Notice that it is not an issue for Outbound traffic as we store the index and > >>+not the SPI in the Security Policy. > >>+ > >>+All SAs are configured with the same cipher algo, block size and key (AES-CBC > >>+16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B > >>+digest). > >>+ > >>+Following are the default values: > >>+ > >>+Endpoint 0 Outbound Security Associations: > >>+ > >>++---------+----------------+------------------+ > >>+| **SPI** | **Tunnel src** | **Tunnel dst** | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 5 | 172.16.1.5 | 172.16.2.5 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 6 | 172.16.1.6 | 172.16.2.6 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 7 | 172.16.1.7 | 172.16.2.7 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 8 | 172.16.1.8 | 172.16.2.8 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+ > >>+Endpoint 0 Inbound Security Associations: > >>+ > >>++---------+----------------+------------------+ > >>+| **SPI** | **Tunnel src** | **Tunnel dst** | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 5 | 172.16.2.5 | 172.16.1.5 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 6 | 172.16.2.6 | 172.16.1.6 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 7 | 172.16.2.7 | 172.16.1.7 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 8 | 172.16.2.8 | 172.16.1.8 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+ > >>+Endpoint 1 Outbound Security Associations: > >>+ > >>++---------+----------------+------------------+ > >>+| **SPI** | **Tunnel src** | **Tunnel dst** | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 5 | 172.16.2.5 | 172.16.1.5 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 6 | 172.16.2.6 | 172.16.1.6 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 7 | 172.16.2.7 | 172.16.1.7 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 8 | 172.16.2.8 | 172.16.1.8 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+ > >>+Endpoint 1 Inbound Security Associations: > >>+ > >>++---------+----------------+------------------+ > >>+| **SPI** | **Tunnel src** | **Tunnel dst** | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 5 | 172.16.1.5 | 172.16.2.5 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 6 | 172.16.1.6 | 172.16.2.6 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 7 | 172.16.1.7 | 172.16.2.7 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 8 | 172.16.1.8 | 172.16.2.8 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+ > >>+Routing Initialization > >>+~~~~~~~~~~~~~~~~~~~~~~ > >>+ > >>+The Routing is implemented using LPM table. > >>+ > >>+Following default values: > >>+ > >>+Endpoint 0 Routing Table: > >>+ > >>++------------------+----------+ > >>+| **Dst addr** | **Port** | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.2.5/32 | 0 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.2.6/32 | 0 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.2.7/32 | 1 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.2.8/32 | 1 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.115.0/24 | 2 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.116.0/24 | 2 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.117.0/24 | 3 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.118.0/24 | 3 | > >>+| | | > >>++------------------+----------+ > >>+ > >>+Endpoint 1 Routing Table: > >>+ > >>++------------------+----------+ > >>+| **Dst addr** | **Port** | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.1.5/32 | 2 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.1.6/32 | 2 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.1.7/32 | 3 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.1.8/32 | 3 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.105.0/24 | 0 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.106.0/24 | 0 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.107.0/24 | 1 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.108.0/24 | 1 | > >>+| | | > >>++------------------+----------+ > >>diff --git a/examples/Makefile b/examples/Makefile > >>index 1cb4785..65ce6ce 100644 > >>--- a/examples/Makefile > >>+++ b/examples/Makefile > >>@@ -1,6 +1,7 @@ > >> # BSD LICENSE > >> # > >> # Copyright(c) 2014 6WIND S.A. > >>+# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >> # > >> # Redistribution and use in source and binary forms, with or without > >> # modification, are permitted provided that the following conditions > >>@@ -78,5 +79,6 @@ DIRS-y += vmdq > >> DIRS-y += vmdq_dcb > >> DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager > >> DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto > >>+DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw > >> include $(RTE_SDK)/mk/rte.extsubdir.mk > >>diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile > >>new file mode 100644 > >>index 0000000..5f893b8 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/Makefile > >>@@ -0,0 +1,58 @@ > >>+# BSD LICENSE > >>+# > >>+# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+# All rights reserved. > >>+# > >>+# Redistribution and use in source and binary forms, with or without > >>+# modification, are permitted provided that the following conditions > >>+# are met: > >>+# > >>+# * Redistributions of source code must retain the above copyright > >>+# notice, this list of conditions and the following disclaimer. > >>+# * Redistributions in binary form must reproduce the above copyright > >>+# notice, this list of conditions and the following disclaimer in > >>+# the documentation and/or other materials provided with the > >>+# distribution. > >>+# * Neither the name of Intel Corporation nor the names of its > >>+# contributors may be used to endorse or promote products derived > >>+# from this software without specific prior written permission. > >>+# > >>+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ > >>+ifeq ($(RTE_SDK),) > >>+ $(error "Please define RTE_SDK environment variable") > >>+endif > >>+ > >>+# Default target, can be overridden by command line or environment > >>+RTE_TARGET ?= x86_64-native-linuxapp-gcc > >>+ > >>+include $(RTE_SDK)/mk/rte.vars.mk > >>+ > >>+APP = ipsec-secgw > >>+ > >>+CFLAGS += -O3 -gdwarf-2 > >>+CFLAGS += $(WERROR_FLAGS) > >>+ > >>+VPATH += $(SRCDIR)/librte_ipsec > >>+ > >>+# > >>+# all source are stored in SRCS-y > >>+# > >>+SRCS-y += ipsec.c > >>+SRCS-y += esp.c > >>+SRCS-y += sp.c > >>+SRCS-y += sa.c > >>+SRCS-y += rt.c > >>+SRCS-y += ipsec-secgw.c > >>+ > >>+include $(RTE_SDK)/mk/rte.extapp.mk > >>diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c > >>new file mode 100644 > >>index 0000000..1be0621 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/esp.c > >>@@ -0,0 +1,256 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#include <stdint.h> > >>+#include <stdlib.h> > >>+#include <netinet/ip.h> > >>+#include <sys/types.h> > >>+#include <sys/stat.h> > >>+#include <fcntl.h> > >>+#include <unistd.h> > >>+ > >>+#include <rte_memcpy.h> > >>+#include <rte_crypto.h> > >>+#include <rte_cryptodev.h> > >>+#include <rte_random.h> > >>+ > >>+#include "ipsec.h" > >>+#include "esp.h" > >>+#include "ipip.h" > >>+ > >>+static inline void > >>+random_iv_u64(uint64_t *buf, uint16_t n) > >>+{ > >>+ unsigned left = n & 0x7; > >>+ unsigned i; > >>+ > >>+ IPSEC_ASSERT((n & 0x3) == 0); > >>+ > >>+ for (i = 0; i < (n >> 3); i++) > >>+ buf[i] = rte_rand(); > >>+ > >>+ if (left) > >>+ *((uint32_t *)&buf[i]) = (uint32_t)lrand48(); > >>+} > >>+ > >>+/* IPv4 Tunnel */ > >>+int > >>+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop) > >>+{ > >>+ uint16_t digest_len, esp_len, iphdr_len; > >>+ int32_t payload_len; > >>+ > >>+ IPSEC_ASSERT(m != NULL); > >>+ > >>+ iphdr_len = sizeof(struct ip); > >>+ esp_len = sizeof(struct esp_hdr) + sa->iv_len; > >>+ digest_len = sa->digest_len; > >>+ payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len; > >>+ > >>+ if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) { > >>+ IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n", > >>+ payload_len, sa->block_size); > >>+ return -EINVAL; > >>+ } > >>+ > >>+ cop->data.to_cipher.offset = iphdr_len + esp_len; > >>+ cop->data.to_cipher.length = payload_len; > >>+ > >>+ cop->data.to_hash.offset = iphdr_len; > >>+ if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM) > >>+ cop->data.to_hash.length = esp_len - sa->iv_len; > >>+ else > >>+ cop->data.to_hash.length = esp_len + payload_len; > >>+ > >>+ cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, > >>+ iphdr_len + esp_len - sa->iv_len); > >>+ cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, > >>+ iphdr_len + esp_len - sa->iv_len); > >>+ > >>+ cop->iv.length = sa->iv_len; > >>+ > >>+ cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, > >>+ iphdr_len + esp_len + payload_len); > >>+ cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, > >>+ iphdr_len + esp_len + payload_len); > >>+ cop->digest.length = digest_len; > >>+ > >>+ return 0; > >>+} > >>+ > >>+int > >>+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop) > >>+{ > >>+ uint16_t digest_len, esp_len, iphdr_len; > >>+ uint8_t *nexthdr, *pad_len; > >>+ uint8_t *padding; > >>+ uint16_t i; > >>+ > >>+ IPSEC_ASSERT(m != NULL); > >>+ > >>+ iphdr_len = sizeof(struct ip); > >>+ esp_len = sizeof(struct esp_hdr) + sa->iv_len; > >>+ digest_len = sa->digest_len; > >>+ > >>+ if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { > >>+ IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); > >>+ return -1; > >>+ } > >>+ > >>+ nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*, > >>+ rte_pktmbuf_pkt_len(m) - digest_len - 1); > >>+ pad_len = nexthdr - 1; > >>+ > >>+ padding = pad_len - *pad_len; > >>+ for (i = 0; i < *pad_len; i++) { > >>+ if (padding[i] != i) { > >>+ IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n"); > >>+ return -EINVAL; > >>+ } > >>+ } > >>+ > >>+ if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) { > >>+ IPSEC_LOG(ERR, IPSEC_ESP, > >>+ "failed to remove pad_len + digest\n"); > >>+ return -EINVAL; > >>+ } > >>+ > >>+ return ip4ip_inbound(m, iphdr_len + esp_len); > >>+} > >>+ > >>+int > >>+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop) > >>+{ > >>+ uint16_t digest_len, esp_len, payload_len, block_sz, pad_len; > >>+ int32_t pad_payload_len; > >>+ struct ip *ip; > >>+ struct esp_hdr *esp; > >>+ int i; > >>+ char *padding; > >>+ > >>+ rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE); > >>+ rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *)); > >>+ > >>+ IPSEC_ASSERT(m != NULL); > >>+ IPSEC_ASSERT(sa != NULL); > >>+ > >>+ /* Payload length */ > >>+ payload_len = rte_pktmbuf_pkt_len(m); > >>+ > >>+ block_sz = sa->block_size; > >>+ > >>+ /* Per RFC4303: > >>+ * padded payload needs to be multiple of 4 bytes. > >>+ * All application supported block sizes must be power of 2 > >>+ */ > >>+ pad_len = (payload_len + 2) & (block_sz - 1); > >>+ pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2; > >>+ > >>+ /* Padded payload length */ > >>+ pad_payload_len = payload_len + pad_len; > >>+ /* ESP header length */ > >>+ esp_len = sizeof(struct esp_hdr) + sa->iv_len; > >>+ /* Digest length */ > >>+ digest_len = sa->digest_len; > >>+ > >>+ IPSEC_LOG(DEBUG, IPSEC_ESP, > >>+ "pktlen %u, esp_len %u, digest_len %u, payload_len %u," > >>+ " pad_payload_len %u, block_sz %u, pad_len %u\n", > >>+ rte_pktmbuf_pkt_len(m), esp_len, digest_len, > >>+ payload_len, pad_payload_len, block_sz, pad_len); > >>+ > >>+ /* Check maximum packet size */ > >>+ if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) { > >>+ IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n"); > >>+ return -EINVAL; > >>+ } > >>+ > >>+ padding = rte_pktmbuf_append(m, pad_len + digest_len); > >>+ > >>+ IPSEC_ASSERT(padding != NULL); > >>+ > >>+ ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst); > >>+ > >>+ esp = (struct esp_hdr *)(ip + 1); > >>+ esp->spi = sa->spi; > >>+ > >>+ esp->seq = htonl(sa->seq++); > >>+ > >>+ IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m)); > >>+ > >>+ /* Fill pad_len using default sequential scheme */ > >>+ for (i = 0; i < pad_len - 2; i++) > >>+ padding[i] = i + 1; > >>+ > >>+ padding[pad_len - 2] = pad_len - 2; > >>+ padding[pad_len - 1] = IPPROTO_IPIP; > >>+ ip->ip_p = IPPROTO_ESP; > >>+ > >>+ cop->data.to_cipher.offset = sizeof(struct ip) + esp_len; > >>+ cop->data.to_cipher.length = pad_payload_len; > >>+ > >>+ cop->data.to_hash.offset = sizeof(struct ip); > >>+ cop->data.to_hash.length = esp_len + pad_payload_len; > >>+ > >>+ cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, > >>+ sizeof(struct ip) + esp_len - sa->iv_len); > >>+ cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, > >>+ sizeof(struct ip) + esp_len - sa->iv_len); > >>+ cop->iv.length = sa->iv_len; > >>+ > >>+ cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, > >>+ sizeof(struct ip) + esp_len + pad_payload_len); > >>+ cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, > >>+ sizeof(struct ip) + esp_len + pad_payload_len); > >>+ cop->digest.length = digest_len; > >>+ > >>+ random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length); > >>+ > >>+ return 0; > >>+} > >>+ > >>+int > >>+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused, > >>+ struct ipsec_sa *sa __rte_unused, > >>+ struct rte_crypto_op *cop) > >>+{ > >>+ if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { > >>+ IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); > >>+ return -1; > >>+ } > >>+ > >>+ return 0; > >>+} > >>diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h > >>new file mode 100644 > >>index 0000000..d7c8ba6 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/esp.h > >>@@ -0,0 +1,66 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+#ifndef __RTE_IPSEC_XFORM_ESP_H__ > >>+#define __RTE_IPSEC_XFORM_ESP_H__ > >>+ > >>+struct mbuf; > >>+ > >>+/* RFC4303 */ > >>+struct esp_hdr { > >>+ uint32_t spi; > >>+ uint32_t seq; > >>+ /* Payload */ > >>+ /* Padding */ > >>+ /* Pad Length */ > >>+ /* Next Header */ > >>+ /* Integrity Check Value - ICV */ > >>+}; > >>+ > >>+/* IPv4 Tunnel */ > >>+int > >>+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+int > >>+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+int > >>+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+int > >>+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+#endif /* __RTE_IPSEC_XFORM_ESP_H__ */ > >>diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h > >>new file mode 100644 > >>index 0000000..16c5dfb > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/ipip.h > >>@@ -0,0 +1,100 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#ifndef __IPIP_H__ > >>+#define __IPIP_H__ > >>+ > >>+#include <stdint.h> > >>+#include <netinet/in.h> > >>+#include <netinet/ip.h> > >>+ > >>+#include <rte_mbuf.h> > >>+ > >>+static inline struct ip * > >>+ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst) > >>+{ > >>+ struct ip *inip, *outip; > >>+ > >>+ inip = rte_pktmbuf_mtod(m, struct ip*); > >>+ > >>+ IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); > >>+ > >>+ offset += sizeof(struct ip); > >>+ > >>+ outip = (struct ip *)rte_pktmbuf_prepend(m, offset); > >>+ > >>+ IPSEC_ASSERT(outip != NULL); > >>+ > >>+ /* Per RFC4301 5.1.2.1 */ > >>+ outip->ip_len = htons(rte_pktmbuf_data_len(m)); > >>+ outip->ip_v = IPVERSION; > >>+ outip->ip_hl = 5; > >>+ outip->ip_tos = inip->ip_tos; > >>+ > >>+ outip->ip_id = 0; > >>+ outip->ip_off = 0; > >>+ > >>+ outip->ip_ttl = IPDEFTTL; > >>+ > >>+ outip->ip_dst.s_addr = dst; > >>+ outip->ip_src.s_addr = src; > >>+ > >>+ return outip; > >>+} > >>+ > >>+static inline int > >>+ip4ip_inbound(struct rte_mbuf *m, uint32_t offset) > >>+{ > >>+ struct ip *inip; > >>+ struct ip *outip; > >>+ > >>+ outip = rte_pktmbuf_mtod(m, struct ip*); > >>+ > >>+ IPSEC_ASSERT(outip->ip_v == IPVERSION); > >>+ > >>+ offset += sizeof(struct ip); > >>+ inip = (struct ip *)rte_pktmbuf_adj(m, offset); > >>+ IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); > >>+ > >>+ /* Check packet is still bigger than IP header (inner) */ > >>+ IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip)); > >>+ > >>+ /* RFC4301 5.1.2.1 Note 6 */ > >>+ if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) && > >>+ ((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE)) > >>+ inip->ip_tos |= htons(IPTOS_ECN_CE); > >>+ > >>+ return 0; > >>+} > >>+ > >>+#endif /* __IPIP_H__ */ > >>diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c > >>new file mode 100644 > >>index 0000000..d2e8972 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/ipsec-secgw.c > >>@@ -0,0 +1,1218 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#include <stdio.h> > >>+#include <stdlib.h> > >>+#include <stdint.h> > >>+#include <inttypes.h> > >>+#include <sys/types.h> > >>+#include <string.h> > >>+#include <sys/queue.h> > >>+#include <stdarg.h> > >>+#include <errno.h> > >>+#include <getopt.h> > >>+ > >>+#include <rte_common.h> > >>+#include <rte_byteorder.h> > >>+#include <rte_log.h> > >>+#include <rte_eal.h> > >>+#include <rte_launch.h> > >>+#include <rte_atomic.h> > >>+#include <rte_cycles.h> > >>+#include <rte_prefetch.h> > >>+#include <rte_lcore.h> > >>+#include <rte_per_lcore.h> > >>+#include <rte_branch_prediction.h> > >>+#include <rte_interrupts.h> > >>+#include <rte_pci.h> > >>+#include <rte_random.h> > >>+#include <rte_debug.h> > >>+#include <rte_ether.h> > >>+#include <rte_ethdev.h> > >>+#include <rte_mempool.h> > >>+#include <rte_mbuf.h> > >>+#include <rte_acl.h> > >>+#include <rte_lpm.h> > >>+#include <rte_cryptodev.h> > >>+#include <rte_cryptodev.h> > >>+ > >>+#include "ipsec.h" > >>+ > >>+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 > >>+ > >>+#define MAX_JUMBO_PKT_LEN 9600 > >>+ > >>+#define MEMPOOL_CACHE_SIZE 256 > >>+ > >>+#define NB_MBUF (32000) > >>+ > >>+#define CDEV_MP_NB_OBJS 2048 > >>+#define CDEV_MP_CACHE_SZ 64 > >>+#define MAX_QUEUE_PAIRS 1 > >>+ > >>+#define OPTION_CONFIG "config" > >>+#define OPTION_EP0 "ep0" > >>+#define OPTION_EP1 "ep1" > >>+#define OPTION_CDEV_TYPE "cdev" > >>+ > >>+#define MAX_PKT_BURST 32 > >>+#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */ > >>+ > >>+#define NB_SOCKETS 4 > >>+ > >>+/* Configure how many packets ahead to prefetch, when reading packets */ > >>+#define PREFETCH_OFFSET 3 > >>+ > >>+#define MAX_RX_QUEUE_PER_LCORE 16 > >>+ > >>+#define MAX_LCORE_PARAMS 1024 > >>+ > >>+#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid)) > >>+ > >>+/* > >>+ * Configurable number of RX/TX ring descriptors > >>+ */ > >>+#define IPSEC_SECGW_RX_DESC_DEFAULT 128 > >>+#define IPSEC_SECGW_TX_DESC_DEFAULT 512 > >>+static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT; > >>+static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT; > >>+ > >>+#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN > >>+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ > >>+ (((uint64_t)((a) & 0xff) << 56) | \ > >>+ ((uint64_t)((b) & 0xff) << 48) | \ > >>+ ((uint64_t)((c) & 0xff) << 40) | \ > >>+ ((uint64_t)((d) & 0xff) << 32) | \ > >>+ ((uint64_t)((e) & 0xff) << 24) | \ > >>+ ((uint64_t)((f) & 0xff) << 16) | \ > >>+ ((uint64_t)((g) & 0xff) << 8) | \ > >>+ ((uint64_t)(h) & 0xff)) > >>+#else > >>+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ > >>+ (((uint64_t)((h) & 0xff) << 56) | \ > >>+ ((uint64_t)((g) & 0xff) << 48) | \ > >>+ ((uint64_t)((f) & 0xff) << 40) | \ > >>+ ((uint64_t)((e) & 0xff) << 32) | \ > >>+ ((uint64_t)((d) & 0xff) << 24) | \ > >>+ ((uint64_t)((c) & 0xff) << 16) | \ > >>+ ((uint64_t)((b) & 0xff) << 8) | \ > >>+ ((uint64_t)(a) & 0xff)) > >>+#endif > >>+#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) > >>+ > >>+#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \ > >>+ addr.addr_bytes[0], addr.addr_bytes[1], \ > >>+ addr.addr_bytes[2], addr.addr_bytes[3], \ > >>+ addr.addr_bytes[4], addr.addr_bytes[5], \ > >>+ 0, 0) > >>+ > >>+/* port/source ethernet addr and destination ethernet addr */ > >>+struct ethaddr_info { > >>+ uint64_t src, dst; > >>+}; > >>+ > >>+struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = { > >>+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) }, > >>+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) }, > >>+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) }, > >>+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) } > >>+}; > >>+ > >>+/* mask of enabled ports */ > >>+static uint32_t enabled_port_mask; > >>+static uint32_t unprotected_port_mask; > >>+static int promiscuous_on = 1; > >>+static int numa_on = 1; /**< NUMA is enabled by default. */ > >>+static int ep = -1; /**< Endpoint configuration (0 or 1) */ > >>+static unsigned cdev_type = -1; > >>+static unsigned nb_lcores; > >>+ > >>+struct buffer { > >>+ uint16_t len; > >>+ struct rte_mbuf *m_table[MAX_PKT_BURST]; > >>+}; > >>+ > >>+struct lcore_rx_queue { > >>+ uint8_t port_id; > >>+ uint8_t queue_id; > >>+} __rte_cache_aligned; > >>+ > >>+struct lcore_params { > >>+ uint8_t port_id; > >>+ uint8_t queue_id; > >>+ uint8_t lcore_id; > >>+} __rte_cache_aligned; > >>+ > >>+static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; > >>+ > >>+static struct lcore_params *lcore_params; > >>+static uint16_t nb_lcore_params; > >>+ > >>+struct lcore_conf { > >>+ uint16_t nb_rx_queue; > >>+ struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE]; > >>+ uint16_t tx_queue_id[RTE_MAX_ETHPORTS]; > >>+ struct buffer tx_mbufs[RTE_MAX_ETHPORTS]; > >>+ uint16_t cdev; > >>+ uint16_t cdev_q; > >>+} __rte_cache_aligned; > >>+ > >>+static struct lcore_conf lcore_conf[RTE_MAX_LCORE]; > >>+ > >>+static struct rte_eth_conf port_conf = { > >>+ .rxmode = { > >>+ .mq_mode = ETH_MQ_RX_RSS, > >>+ .max_rx_pkt_len = ETHER_MAX_LEN, > >>+ .split_hdr_size = 0, > >>+ .header_split = 0, /**< Header Split disabled */ > >>+ .hw_ip_checksum = 1, /**< IP checksum offload enabled */ > >>+ .hw_vlan_filter = 0, /**< VLAN filtering disabled */ > >>+ .jumbo_frame = 0, /**< Jumbo Frame Support disabled */ > >>+ .hw_strip_crc = 0, /**< CRC stripped by hardware */ > >>+ }, > >>+ .rx_adv_conf = { > >>+ .rss_conf = { > >>+ .rss_key = NULL, > >>+ .rss_hf = ETH_RSS_IP | ETH_RSS_UDP | > >>+ ETH_RSS_TCP | ETH_RSS_SCTP, > >>+ }, > >>+ }, > >>+ .txmode = { > >>+ .mq_mode = ETH_MQ_TX_NONE, > >>+ }, > >>+}; > >>+ > >>+static struct socket_ctx socket_ctx[NB_SOCKETS]; > >>+ > >>+struct traffic_type { > >>+ const uint8_t *data[MAX_PKT_BURST * 2]; > >>+ struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; > >>+ uint32_t res[MAX_PKT_BURST * 2]; > >>+ uint32_t num; > >>+}; > >>+ > >>+struct ipsec_traffic { > >>+ struct traffic_type ipsec4; > >>+ struct traffic_type ipv4; > >>+}; > >>+ > >>+static inline void > >>+prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) > >>+{ > >>+ uint8_t *nlp; > >>+ > >>+ if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) { > >>+ rte_pktmbuf_adj(pkt, ETHER_HDR_LEN); > >>+ nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *, > >>+ offsetof(struct ip, ip_p)); > >>+ if (*nlp == IPPROTO_ESP) > >>+ t->ipsec4.pkts[(t->ipsec4.num)++] = pkt; > >>+ else { > >>+ t->ipv4.data[t->ipv4.num] = nlp; > >>+ t->ipv4.pkts[(t->ipv4.num)++] = pkt; > >>+ } > >>+ } else { > >>+ /* Unknown/Unsupported type, drop the packet */ > >>+ rte_pktmbuf_free(pkt); > >>+ } > >>+} > >>+ > >>+static inline void > >>+prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t, > >>+ uint16_t nb_pkts) > >>+{ > >>+ int i; > >>+ > >>+ t->ipsec4.num = 0; > >>+ t->ipv4.num = 0; > >>+ > >>+ for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) { > >>+ rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET], > >>+ void *)); > >>+ prepare_one_packet(pkts[i], t); > >>+ } > >>+ /* Process left packets */ > >>+ for (; i < nb_pkts; i++) > >>+ prepare_one_packet(pkts[i], t); > >>+} > >>+ > >>+static inline void > >>+prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port) > >>+{ > >>+ pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4; > >>+ pkt->l3_len = sizeof(struct ip); > >>+ pkt->l2_len = ETHER_HDR_LEN; > >>+ > >>+ uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN); > >>+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN > >>+ ethhdr[0] = ethaddr_tbl[port].dst | > >>+ ((ethaddr_tbl[port].src & 0xffff) << 48); > >>+ ethhdr[1] = ethaddr_tbl[port].src >> 16 | > >>+ ((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) | > >>+ (ethhdr[1] & (0xffffUL << 48)); > >>+#else > >>+ ethhdr[0] = ethaddr_tbl[port].dst | > >>+ (ethaddr_tbl[port].src >> 48 & 0xffff); > >>+ ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) | > >>+ (ethhdr[1] & 0xffffUL); > >>+#endif > >>+} > >>+ > >>+static inline void > >>+prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port) > >>+{ > >>+ int i; > >>+ const int prefetch_offset = 2; > >>+ > >>+ for (i = 0; i < (nb_pkts - prefetch_offset); i++) { > >>+ rte_prefetch0(pkts[i + prefetch_offset]->cacheline1); > >>+ prepare_tx_pkt(pkts[i], port); > >>+ } > >>+ /* Process left packets */ > >>+ for (; i < nb_pkts; i++) > >>+ prepare_tx_pkt(pkts[i], port); > >>+} > >>+ > >>+/* Send burst of packets on an output interface */ > >>+static inline int > >>+send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port) > >>+{ > >>+ struct rte_mbuf **m_table; > >>+ int ret; > >>+ uint16_t queueid; > >>+ > >>+ queueid = qconf->tx_queue_id[port]; > >>+ m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table; > >>+ > >>+ prepare_tx_burst(m_table, n, port); > >>+ > >>+ ret = rte_eth_tx_burst(port, queueid, m_table, n); > >>+ if (unlikely(ret < n)) { > >>+ do { > >>+ rte_pktmbuf_free(m_table[ret]); > >>+ } while (++ret < n); > >>+ } > >>+ > >>+ return 0; > >>+} > >>+ > >>+/* Enqueue a single packet, and send burst if queue is filled */ > >>+static inline int > >>+send_single_packet(struct rte_mbuf *m, uint8_t port) > >>+{ > >>+ uint32_t lcore_id; > >>+ uint16_t len; > >>+ struct lcore_conf *qconf; > >>+ > >>+ lcore_id = rte_lcore_id(); > >>+ > >>+ qconf = &lcore_conf[lcore_id]; > >>+ len = qconf->tx_mbufs[port].len; > >>+ qconf->tx_mbufs[port].m_table[len] = m; > >>+ len++; > >>+ > >>+ /* enough pkts to be sent */ > >>+ if (unlikely(len == MAX_PKT_BURST)) { > >>+ send_burst(qconf, MAX_PKT_BURST, port); > >>+ len = 0; > >>+ } > >>+ > >>+ qconf->tx_mbufs[port].len = len; > >>+ return 0; > >>+} > >>+ > >>+static inline void > >>+process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) > >>+{ > >>+ struct sa_ctx *sa_ctx = ctx->sa_ipv4_in; > >>+ struct sp_ctx *sp_ctx = ctx->sp_ipv4_in; > >>+ struct rte_mbuf *m; > >>+ uint16_t idx, nb_pkts_in, i, j; > >>+ uint32_t sa_idx, res; > >>+ struct ipsec_ctx ipsec_ctx; > >>+ struct lcore_conf *qconf; > >>+ > >>+ qconf = &lcore_conf[rte_lcore_id()]; > >>+ ipsec_ctx.cdev = qconf->cdev; > >>+ ipsec_ctx.queue = qconf->cdev_q; > >>+ ipsec_ctx.sa_ctx = sa_ctx; > >>+ > >>+ nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts, > >>+ traffic->ipsec4.num, MAX_PKT_BURST); > >>+ > >>+ /* SP/ACL Inbound check ipsec and ipv4 */ > >>+ for (i = 0; i < nb_pkts_in; i++) { > >>+ idx = traffic->ipv4.num++; > >>+ m = traffic->ipsec4.pkts[i]; > >>+ traffic->ipv4.pkts[idx] = m; > >>+ traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m, > >>+ uint8_t *, offsetof(struct ip, ip_p)); > >>+ } > >>+ > >>+ rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, > >>+ traffic->ipv4.res, traffic->ipv4.num, > >>+ DEFAULT_MAX_CATEGORIES); > >>+ > >>+ j = 0; > >>+ for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) { > >>+ m = traffic->ipv4.pkts[i]; > >>+ res = traffic->ipv4.res[i]; > >>+ if (res & ~BYPASS) { > >>+ rte_pktmbuf_free(m); > >>+ continue; > >>+ } > >>+ traffic->ipv4.pkts[j++] = m; > >>+ } > >>+ /* Check return SA SPI matches pkt SPI */ > >>+ for ( ; i < traffic->ipv4.num; i++) { > >>+ m = traffic->ipv4.pkts[i]; > >>+ sa_idx = traffic->ipv4.res[i] & PROTECT_MASK; > >>+ if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) { > >>+ rte_pktmbuf_free(m); > >>+ continue; > >>+ } > >>+ traffic->ipv4.pkts[j++] = m; > >>+ } > >>+ traffic->ipv4.num = j; > >>+} > >>+ > >>+static inline void > >>+process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) > >>+{ > >>+ struct sa_ctx *sa_ctx = ctx->sa_ipv4_out; > >>+ struct sp_ctx *sp_ctx = ctx->sp_ipv4_out; > >>+ struct rte_mbuf *m; > >>+ uint16_t idx, nb_pkts_out, i, j; > >>+ uint32_t sa_idx, res; > >>+ struct ipsec_ctx ipsec_ctx; > >>+ struct lcore_conf *qconf; > >>+ > >>+ qconf = &lcore_conf[rte_lcore_id()]; > >>+ ipsec_ctx.cdev = qconf->cdev; > >>+ ipsec_ctx.queue = qconf->cdev_q; > >>+ ipsec_ctx.sa_ctx = sa_ctx; > >>+ > >>+ rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, > >>+ traffic->ipv4.res, traffic->ipv4.num, > >>+ DEFAULT_MAX_CATEGORIES); > >IMO, an option for single SA based outbound processing would be useful > >measuring performance bottlenecks with SA lookup. > > > > Hi Jerin, > > Are you suggesting to have an option so we basically encrypt all traffic > using > a single SA bypassing the SP/ACL ? Yes. Basicaly an option to bypass "rte_acl_classify" if its for single SA use case. > > Currently the ACL entry contains the SA index in the SA table, so there is > no SA > lookup on outbound. > That might have to change a bit if we were to add IKE support. > > >>+ j = 0; > >>+ for (i = 0; i < traffic->ipv4.num; i++) { > >>+ m = traffic->ipv4.pkts[i]; > >>+ res = traffic->ipv4.res[i]; > >>+ sa_idx = res & PROTECT_MASK; > >>+ if (res & DISCARD) { > >>+ rte_pktmbuf_free(m); > >>+ } else if (sa_idx != 0) { > >>+ traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx; > >>+ traffic->ipsec4.pkts[traffic->ipsec4.num++] = m; > >>+ } else /* BYPASS */ > >>+ traffic->ipv4.pkts[j++] = m; > >>+ } > >>+ traffic->ipv4.num = j; > >>+ > >>+ nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts, > >>+ traffic->ipsec4.res, traffic->ipsec4.num, > >>+ MAX_PKT_BURST); > >>+ > >>+ for (i = 0; i < nb_pkts_out; i++) { > >>+ idx = traffic->ipv4.num++; > >>+ m = traffic->ipsec4.pkts[i]; > >>+ traffic->ipv4.pkts[idx] = m; > >>+ } > >>+} > >>+ > >>+static inline void > >>+route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) > >>+{ > >>+ uint16_t hop[MAX_PKT_BURST * 2]; > >>+ uint32_t dst_ip[MAX_PKT_BURST * 2]; > >>+ uint16_t i, offset; > >>+ > >>+ if (nb_pkts == 0) > >>+ return; > >>+ > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ offset = offsetof(struct ip, ip_dst); > >>+ dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i], > >>+ uint32_t *, offset); > >>+ dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]); > >>+ } > >>+ > >>+ rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts); > >>+ > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) { > >>+ rte_pktmbuf_free(pkts[i]); > >>+ continue; > >>+ } > >>+ send_single_packet(pkts[i], hop[i] & 0xff); > >>+ } > >>+} > >>+ > >>+static inline void > >>+process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts, > >>+ uint8_t nb_pkts, uint8_t portid) > >>+{ > >>+ struct ipsec_traffic traffic; > >>+ > >>+ prepare_traffic(pkts, &traffic, nb_pkts); > >>+ > >>+ if (UNPROTECTED_PORT(portid)) > >>+ process_pkts_inbound(ctx, &traffic); > >>+ else > >>+ process_pkts_outbound(ctx, &traffic); > >>+ > >>+ route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num); > >>+} > >>+ > >>+static inline void > >>+drain_buffers(struct lcore_conf *qconf) > >>+{ > >>+ struct buffer *buf; > >>+ unsigned portid; > >>+ > >>+ for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) { > >>+ buf = &qconf->tx_mbufs[portid]; > >>+ if (buf->len == 0) > >>+ continue; > >>+ send_burst(qconf, buf->len, portid); > >>+ buf->len = 0; > >>+ } > >>+} > >>+ > >>+/* main processing loop */ > >>+static int > >>+main_loop(__attribute__((unused)) void *dummy) > >>+{ > >>+ struct rte_mbuf *pkts[MAX_PKT_BURST]; > >>+ unsigned lcore_id; > >>+ uint64_t prev_tsc, diff_tsc, cur_tsc; > >>+ int i, nb_rx; > >>+ uint8_t portid, queueid; > >>+ struct lcore_conf *qconf; > >>+ int socket_id; > >>+ const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1) > >>+ / US_PER_S * BURST_TX_DRAIN_US; > >>+ struct socket_ctx *ctx; > >>+ struct lcore_rx_queue *rxql; > >>+ > >>+ prev_tsc = 0; > >>+ lcore_id = rte_lcore_id(); > >>+ qconf = &lcore_conf[lcore_id]; > >>+ rxql = qconf->rx_queue_list; > >>+ socket_id = rte_lcore_to_socket_id(lcore_id); > >>+ > >>+ ctx = &socket_ctx[socket_id]; > >>+ > >>+ if (qconf->nb_rx_queue == 0) { > >>+ RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id); > >>+ return 0; > >>+ } > >>+ > >>+ RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id); > >>+ > >>+ for (i = 0; i < qconf->nb_rx_queue; i++) { > >>+ portid = rxql[i].port_id; > >>+ queueid = rxql[i].queue_id; > >>+ RTE_LOG(INFO, IPSEC, > >>+ " -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n", > >>+ lcore_id, portid, queueid); > >>+ } > >>+ > >>+ while (1) { > >>+ cur_tsc = rte_rdtsc(); > >>+ > >>+ /* TX queue buffer drain */ > >>+ diff_tsc = cur_tsc - prev_tsc; > >>+ > >>+ if (unlikely(diff_tsc > drain_tsc)) { > >>+ drain_buffers(qconf); > >>+ prev_tsc = cur_tsc; > >>+ } > >>+ > >>+ /* Read packet from RX queues */ > >>+ for (i = 0; i < qconf->nb_rx_queue; ++i) { > >>+ portid = rxql[i].port_id; > >>+ queueid = rxql[i].queue_id; > >>+ nb_rx = rte_eth_rx_burst(portid, queueid, > >>+ pkts, MAX_PKT_BURST); > >>+ > >>+ if (nb_rx > 0) > >>+ process_pkts(ctx, pkts, nb_rx, portid); > >>+ } > >>+ } > >>+} > >>+ > >>+static int > >>+check_params(void) > >>+{ > >>+ uint8_t lcore, portid, nb_ports; > >>+ uint16_t i; > >>+ int socket_id; > >>+ > >>+ if (lcore_params == NULL) { > >>+ printf("Error: No port/queue/core mappings\n"); > >>+ return -1; > >>+ } > >>+ > >>+ nb_ports = rte_eth_dev_count(); > >>+ if (nb_ports > RTE_MAX_ETHPORTS) > >>+ nb_ports = RTE_MAX_ETHPORTS; > >>+ > >>+ for (i = 0; i < nb_lcore_params; ++i) { > >>+ lcore = lcore_params[i].lcore_id; > >>+ if (!rte_lcore_is_enabled(lcore)) { > >>+ printf("error: lcore %hhu is not enabled in " > >>+ "lcore mask\n", lcore); > >>+ return -1; > >>+ } > >>+ socket_id = rte_lcore_to_socket_id(lcore); > >>+ if (socket_id != 0 && numa_on == 0) { > >>+ printf("warning: lcore %hhu is on socket %d " > >>+ "with numa off\n", > >>+ lcore, socket_id); > >>+ } > >>+ portid = lcore_params[i].port_id; > >>+ if ((enabled_port_mask & (1 << portid)) == 0) { > >>+ printf("port %u is not enabled in port mask\n", portid); > >>+ return -1; > >>+ } > >>+ if (portid >= nb_ports) { > >>+ printf("port %u is not present on the board\n", portid); > >>+ return -1; > >>+ } > >>+ } > >>+ return 0; > >>+} > >>+ > >>+static uint8_t > >>+get_port_nb_rx_queues(const uint8_t port) > >>+{ > >>+ int queue = -1; > >>+ uint16_t i; > >>+ > >>+ for (i = 0; i < nb_lcore_params; ++i) { > >>+ if (lcore_params[i].port_id == port && > >>+ lcore_params[i].queue_id > queue) > >>+ queue = lcore_params[i].queue_id; > >>+ } > >>+ return (uint8_t)(++queue); > >>+} > >>+ > >>+static int > >>+init_lcore_rx_queues(void) > >>+{ > >>+ uint16_t i, nb_rx_queue; > >>+ uint8_t lcore; > >>+ > >>+ for (i = 0; i < nb_lcore_params; ++i) { > >>+ lcore = lcore_params[i].lcore_id; > >>+ nb_rx_queue = lcore_conf[lcore].nb_rx_queue; > >>+ if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) { > >>+ printf("error: too many queues (%u) for lcore: %u\n", > >>+ nb_rx_queue + 1, lcore); > >>+ return -1; > >>+ } > >>+ lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id = > >>+ lcore_params[i].port_id; > >>+ lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id = > >>+ lcore_params[i].queue_id; > >>+ lcore_conf[lcore].nb_rx_queue++; > >>+ } > >>+ return 0; > >>+} > >>+ > >>+/* display usage */ > >>+static void > >>+print_usage(const char *prgname) > >>+{ > >>+ printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK" > >>+ " --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]" > >>+ " --EP0|--EP1 --cdev AESNI|QAT\n" > >>+ " -p PORTMASK: hexadecimal bitmask of ports to configure\n" > >>+ " -P : enable promiscuous mode\n" > >>+ " -u PORTMASK: hexadecimal bitmask of unprotected ports\n" > >>+ " --"OPTION_CONFIG": (port,queue,lcore): " > >>+ "rx queues configuration\n" > >>+ " --cdev AESNI | QAT\n" > >>+ " --EP0: Configure as Endpoint 0\n" > >>+ " --EP1: Configure as Endpoint 1\n", prgname); > >>+} > >>+ > >>+static int > >>+parse_portmask(const char *portmask) > >>+{ > >>+ char *end = NULL; > >>+ unsigned long pm; > >>+ > >>+ /* parse hexadecimal string */ > >>+ pm = strtoul(portmask, &end, 16); > >>+ if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0')) > >>+ return -1; > >>+ > >>+ if (pm == 0) > >>+ return -1; > >>+ > >>+ return pm; > >>+} > >>+ > >>+static int > >>+parse_config(const char *q_arg) > >>+{ > >>+ char s[256]; > >>+ const char *p, *p0 = q_arg; > >>+ char *end; > >>+ enum fieldnames { > >>+ FLD_PORT = 0, > >>+ FLD_QUEUE, > >>+ FLD_LCORE, > >>+ _NUM_FLD > >>+ }; > >>+ unsigned long int_fld[_NUM_FLD]; > >>+ char *str_fld[_NUM_FLD]; > >>+ int i; > >>+ unsigned size; > >>+ > >>+ nb_lcore_params = 0; > >>+ > >>+ while ((p = strchr(p0, '(')) != NULL) { > >>+ ++p; > >>+ p0 = strchr(p, ')'); > >>+ if (p0 == NULL) > >>+ return -1; > >>+ > >>+ size = p0 - p; > >>+ if (size >= sizeof(s)) > >>+ return -1; > >>+ > >>+ snprintf(s, sizeof(s), "%.*s", size, p); > >>+ if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') != > >>+ _NUM_FLD) > >>+ return -1; > >>+ for (i = 0; i < _NUM_FLD; i++) { > >>+ errno = 0; > >>+ int_fld[i] = strtoul(str_fld[i], &end, 0); > >>+ if (errno != 0 || end == str_fld[i] || int_fld[i] > 255) > >>+ return -1; > >>+ } > >>+ if (nb_lcore_params >= MAX_LCORE_PARAMS) { > >>+ printf("exceeded max number of lcore params: %hu\n", > >>+ nb_lcore_params); > >>+ return -1; > >>+ } > >>+ lcore_params_array[nb_lcore_params].port_id = > >>+ (uint8_t)int_fld[FLD_PORT]; > >>+ lcore_params_array[nb_lcore_params].queue_id = > >>+ (uint8_t)int_fld[FLD_QUEUE]; > >>+ lcore_params_array[nb_lcore_params].lcore_id = > >>+ (uint8_t)int_fld[FLD_LCORE]; > >>+ ++nb_lcore_params; > >>+ } > >>+ lcore_params = lcore_params_array; > >>+ return 0; > >>+} > >>+ > >>+#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt))) > >>+static int > >>+parse_args_long_options(struct option *lgopts, int option_index) > >>+{ > >>+ int ret = -1; > >>+ const char *optname = lgopts[option_index].name; > >>+ > >>+ if (__STRNCMP(optname, OPTION_CONFIG)) { > >>+ ret = parse_config(optarg); > >>+ if (ret) > >>+ printf("invalid config\n"); > >>+ } > >>+ > >>+ if (__STRNCMP(optname, OPTION_EP0)) { > >>+ printf("endpoint 0\n"); > >>+ ep = 0; > >>+ ret = 0; > >>+ } > >>+ > >>+ if (__STRNCMP(optname, OPTION_EP1)) { > >>+ printf("endpoint 1\n"); > >>+ ep = 1; > >>+ ret = 0; > >>+ } > >>+ > >>+ if (__STRNCMP(optname, OPTION_CDEV_TYPE)) { > >>+ if (__STRNCMP(optarg, "AESNI")) { > >>+ cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD; > >>+ ret = 0; > >>+ } else if (__STRNCMP(optarg, "QAT")) { > >>+ cdev_type = RTE_CRYPTODEV_QAT_PMD; > >>+ ret = 0; > >>+ } > >>+ } > >>+ > >>+ return ret; > >>+} > >>+#undef __STRNCMP > >>+ > >>+static int > >>+parse_args(int argc, char **argv) > >>+{ > >>+ int opt, ret; > >>+ char **argvopt; > >>+ int option_index; > >>+ char *prgname = argv[0]; > >>+ static struct option lgopts[] = { > >>+ {OPTION_CONFIG, 1, 0, 0}, > >>+ {OPTION_EP0, 0, 0, 0}, > >>+ {OPTION_EP1, 0, 0, 0}, > >>+ {OPTION_CDEV_TYPE, 1, 0, 0}, > >>+ {NULL, 0, 0, 0} > >>+ }; > >>+ > >>+ argvopt = argv; > >>+ > >>+ while ((opt = getopt_long(argc, argvopt, "p:Pu:", > >>+ lgopts, &option_index)) != EOF) { > >>+ > >>+ switch (opt) { > >>+ case 'p': > >>+ enabled_port_mask = parse_portmask(optarg); > >>+ if (enabled_port_mask == 0) { > >>+ printf("invalid portmask\n"); > >>+ print_usage(prgname); > >>+ return -1; > >>+ } > >>+ break; > >>+ case 'P': > >>+ printf("Promiscuous mode selected\n"); > >>+ promiscuous_on = 1; > >>+ break; > >>+ case 'u': > >>+ unprotected_port_mask = parse_portmask(optarg); > >>+ if (unprotected_port_mask == 0) { > >>+ printf("invalid unprotected portmask\n"); > >>+ print_usage(prgname); > >>+ return -1; > >>+ } > >>+ break; > >>+ case 0: > >>+ if (parse_args_long_options(lgopts, option_index)) { > >>+ print_usage(prgname); > >>+ return -1; > >>+ } > >>+ break; > >>+ default: > >>+ print_usage(prgname); > >>+ return -1; > >>+ } > >>+ } > >>+ > >>+ if (optind >= 0) > >>+ argv[optind-1] = prgname; > >>+ > >>+ ret = optind-1; > >>+ optind = 0; /* reset getopt lib */ > >>+ return ret; > >>+} > >>+ > >>+static void > >>+print_ethaddr(const char *name, const struct ether_addr *eth_addr) > >>+{ > >>+ char buf[ETHER_ADDR_FMT_SIZE]; > >>+ ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr); > >>+ printf("%s%s", name, buf); > >>+} > >>+ > >>+/* Check the link status of all ports in up to 9s, and print them finally */ > >>+static void > >>+check_all_ports_link_status(uint8_t port_num, uint32_t port_mask) > >>+{ > >>+#define CHECK_INTERVAL 100 /* 100ms */ > >>+#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */ > >>+ uint8_t portid, count, all_ports_up, print_flag = 0; > >>+ struct rte_eth_link link; > >>+ > >>+ printf("\nChecking link status"); > >>+ fflush(stdout); > >>+ for (count = 0; count <= MAX_CHECK_TIME; count++) { > >>+ all_ports_up = 1; > >>+ for (portid = 0; portid < port_num; portid++) { > >>+ if ((port_mask & (1 << portid)) == 0) > >>+ continue; > >>+ memset(&link, 0, sizeof(link)); > >>+ rte_eth_link_get_nowait(portid, &link); > >>+ /* print link status if flag set */ > >>+ if (print_flag == 1) { > >>+ if (link.link_status) > >>+ printf("Port %d Link Up - speed %u " > >>+ "Mbps - %s\n", (uint8_t)portid, > >>+ (unsigned)link.link_speed, > >>+ (link.link_duplex == ETH_LINK_FULL_DUPLEX) ? > >>+ ("full-duplex") : ("half-duplex\n")); > >>+ else > >>+ printf("Port %d Link Down\n", > >>+ (uint8_t)portid); > >>+ continue; > >>+ } > >>+ /* clear all_ports_up flag if any link down */ > >>+ if (link.link_status == 0) { > >>+ all_ports_up = 0; > >>+ break; > >>+ } > >>+ } > >>+ /* after finally printing all link status, get out */ > >>+ if (print_flag == 1) > >>+ break; > >>+ > >>+ if (all_ports_up == 0) { > >>+ printf("."); > >>+ fflush(stdout); > >>+ rte_delay_ms(CHECK_INTERVAL); > >>+ } > >>+ > >>+ /* set the print_flag if all ports up or timeout */ > >>+ if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) { > >>+ print_flag = 1; > >>+ printf("done\n"); > >>+ } > >>+ } > >>+} > >>+ > >>+static uint16_t > >>+find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id) > >>+{ > >>+ uint16_t cdev_id, cnt; > >>+ struct rte_cryptodev_info info; > >>+ > >>+ cnt = rte_cryptodev_count(); > >>+ for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) { > >>+ rte_cryptodev_info_get(cdev_id, &info); > >>+ if (info.dev_type == cdev_type) > >>+ return cdev_id; > >>+ } > >>+ > >>+ return -1; > >>+} > >>+ > >>+static uint16_t > >>+find_cdev_socket(int socket_id, unsigned cdev_type) > >>+{ > >>+ uint16_t cdev_id, cnt; > >>+ struct rte_cryptodev_info info; > >>+ int cdev_socket; > >>+ > >>+ cnt = rte_cryptodev_count(); > >>+ for (cdev_id = 0; cdev_id < cnt; cdev_id++) { > >>+ rte_cryptodev_info_get(cdev_id, &info); > >>+ cdev_socket = rte_cryptodev_socket_id(cdev_id); > >>+ if ((info.dev_type == cdev_type) && (cdev_socket == socket_id)) > >>+ return cdev_id; > >>+ } > >>+ > >>+ return -1; > >>+} > >>+ > >>+static int > >>+cryptodevs_init(void) > >>+{ > >>+ struct rte_cryptodev_config dev_conf; > >>+ struct rte_cryptodev_qp_conf qp_conf; > >>+ struct lcore_conf *qconf; > >>+ uint16_t cnt, lcore_id, cdev_id; > >>+ int ret, i, socket_id; > >>+ > >>+ if (cdev_type == RTE_CRYPTODEV_QAT_PMD) { > >>+ cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD); > >>+ printf("Found %u QAT devices\n", cnt); > >>+ if (cnt < nb_lcores) > >>+ rte_panic("Not enough QAT devices detected, " > >>+ "need %u (1 per core), found %d\n", > >>+ nb_lcores, cnt); > >>+ } else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { > >>+ printf("Initializing %u AESNI vdevs\n", rte_lcore_count()); > >Is it possible to remove PMD specific Initialization code from the > >application and move driver layer so that new crypto pmd inclusion will > >not have any change in this place. > > Yes, it should be possible now that we have: > http://dpdk.org/ml/archives/dev/2016-January/032448.html > > I also plan to rework the code a bit to use the new cryptodev API: > http://dpdk.org/ml/archives/dev/2016-January/032445.html > > >>+ for (i = 0; i < (int)rte_lcore_count(); i++) { > >>+ ret = rte_eal_vdev_init( > >>+ CRYPTODEV_NAME_AESNI_MB_PMD, > >>+ NULL); > >>+ if (ret < 0) > >>+ rte_panic("Failed to create AESNI-MB vdev\n"); > >>+ } > >>+ } else > >>+ rte_panic("Need to set cryptodev type option --cdev\n"); > >>+ > >>+ cdev_id = 0; > >>+ for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > >>+ if (rte_lcore_is_enabled(lcore_id) == 0) > >>+ continue; > >>+ > >>+ socket_id = rte_lcore_to_socket_id(lcore_id); > >>+ cdev_id = find_next_cdev(cdev_type, cdev_id); > >>+ qconf = &lcore_conf[lcore_id]; > >>+ qconf->cdev = cdev_id; > >>+ qconf->cdev_q = 0; > >>+ if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { > >>+ dev_conf.socket_id = socket_id; > >>+ printf("Initializing AESNI-MB device %u socket %u\n", > >>+ cdev_id, socket_id); > >>+ } else { > >>+ dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id); > >>+ printf("Initialising QAT device %u\n", cdev_id); > >>+ } > >>+ > >>+ dev_conf.nb_queue_pairs = 1; > >>+ dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS; > >>+ dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ; > >>+ > >>+ if (rte_cryptodev_configure(cdev_id, &dev_conf)) > >>+ rte_panic("Failed to initialize crypodev %u\n", > >>+ cdev_id); > >>+ > >>+ qp_conf.nb_descriptors = CDEV_MP_NB_OBJS; > >>+ if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf, > >>+ dev_conf.socket_id)) > >>+ rte_panic("Failed to setup queue %u for cdev_id %u\n", > >>+ 0, cdev_id); > >>+ cdev_id++; > >>+ } > >>+ > >>+ return 0; > >>+} > >>+ > >>+static void > >>+port_init(uint8_t portid) > >>+{ > >>+ struct rte_eth_dev_info dev_info; > >>+ struct rte_eth_txconf *txconf; > >>+ uint16_t nb_tx_queue, nb_rx_queue; > >>+ uint16_t tx_queueid, rx_queueid, queue, lcore_id; > >>+ int ret, socket_id; > >>+ struct lcore_conf *qconf; > >>+ struct ether_addr ethaddr; > >>+ > >>+ rte_eth_dev_info_get(portid, &dev_info); > >>+ > >>+ printf("Configuring device port %u:\n", portid); > >>+ > >>+ rte_eth_macaddr_get(portid, ðaddr); > >>+ ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr); > >>+ print_ethaddr("Address: ", ðaddr); > >>+ printf("\n"); > >>+ > >>+ nb_rx_queue = get_port_nb_rx_queues(portid); > >>+ nb_tx_queue = nb_lcores; > >>+ > >>+ if (nb_rx_queue > dev_info.max_rx_queues) > >>+ rte_exit(EXIT_FAILURE, "Error: queue %u not available " > >>+ "(max rx queue is %u)\n", > >>+ nb_rx_queue, dev_info.max_rx_queues); > >>+ > >>+ if (nb_tx_queue > dev_info.max_tx_queues) > >>+ rte_exit(EXIT_FAILURE, "Error: queue %u not available " > >>+ "(max tx queue is %u)\n", > >>+ nb_tx_queue, dev_info.max_tx_queues); > >>+ > >>+ printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n", > >>+ nb_rx_queue, nb_tx_queue); > >>+ > >>+ ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue, > >>+ &port_conf); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "Cannot configure device: " > >>+ "err=%d, port=%d\n", ret, portid); > >>+ > >>+ /* init one TX queue per lcore */ > >>+ tx_queueid = 0; > >>+ for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > >>+ if (rte_lcore_is_enabled(lcore_id) == 0) > >>+ continue; > >>+ > >>+ if (numa_on) > >>+ socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); > >>+ else > >>+ socket_id = 0; > >>+ > >>+ /* init TX queue */ > >>+ printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id); > >>+ > >>+ txconf = &dev_info.default_txconf; > >>+ txconf->txq_flags = 0; > >>+ > >>+ ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd, > >>+ socket_id, txconf); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: " > >>+ "err=%d, port=%d\n", ret, portid); > >>+ > >>+ qconf = &lcore_conf[lcore_id]; > >>+ qconf->tx_queue_id[portid] = tx_queueid; > >>+ tx_queueid++; > >>+ > >>+ /* init RX queues */ > >>+ for (queue = 0; queue < qconf->nb_rx_queue; ++queue) { > >>+ if (portid != qconf->rx_queue_list[queue].port_id) > >>+ continue; > >>+ > >>+ rx_queueid = qconf->rx_queue_list[queue].queue_id; > >>+ > >>+ printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid, > >>+ socket_id); > >>+ > >>+ ret = rte_eth_rx_queue_setup(portid, rx_queueid, > >>+ nb_rxd, socket_id, NULL, > >>+ socket_ctx[socket_id].mbuf_pool); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, > >>+ "rte_eth_rx_queue_setup: err=%d, " > >>+ "port=%d\n", ret, portid); > >>+ } > >>+ } > >>+ printf("\n"); > >>+} > >>+ > >>+static void > >>+pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf) > >>+{ > >>+ char s[64]; > >>+ > >>+ snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id); > >>+ ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf, > >>+ MEMPOOL_CACHE_SIZE, ipsec_metadata_size(), > >>+ RTE_MBUF_DEFAULT_BUF_SIZE, > >>+ socket_id); > >>+ if (ctx->mbuf_pool == NULL) > >>+ rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n", > >>+ socket_id); > >>+ else > >>+ printf("Allocated mbuf pool on socket %d\n", socket_id); > >>+} > >>+ > >>+int > >>+main(int argc, char **argv) > >>+{ > >>+ int ret; > >>+ unsigned lcore_id, nb_ports; > >>+ uint8_t portid, socket_id; > >>+ > >>+ /* init EAL */ > >>+ ret = rte_eal_init(argc, argv); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n"); > >>+ argc -= ret; > >>+ argv += ret; > >>+ > >>+ /* parse application arguments (after the EAL ones) */ > >>+ ret = parse_args(argc, argv); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "Invalid parameters\n"); > >>+ > >>+ if (ep < 0) > >>+ rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n"); > >>+ > >>+ if ((unprotected_port_mask & enabled_port_mask) != > >>+ unprotected_port_mask) > >>+ rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n", > >>+ unprotected_port_mask); > >>+ > >>+ nb_ports = rte_eth_dev_count(); > >>+ if (nb_ports > RTE_MAX_ETHPORTS) > >>+ nb_ports = RTE_MAX_ETHPORTS; > >>+ > >>+ if (check_params() < 0) > >>+ rte_exit(EXIT_FAILURE, "check_params failed\n"); > >>+ > >>+ ret = init_lcore_rx_queues(); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n"); > >>+ > >>+ nb_lcores = rte_lcore_count(); > >>+ > >>+ cryptodevs_init(); > >>+ > >>+ /* Replicate each contex per socket */ > >>+ for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > >>+ if (rte_lcore_is_enabled(lcore_id) == 0) > >>+ continue; > >>+ > >>+ if (numa_on) > >>+ socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); > >>+ else > >>+ socket_id = 0; > >>+ > >>+ if (socket_ctx[socket_id].mbuf_pool) > >>+ continue; > >>+ > >>+ sa_init(&socket_ctx[socket_id], socket_id, ep, > >>+ find_cdev_socket(socket_id, cdev_type)); > >>+ > >>+ sp_init(&socket_ctx[socket_id], socket_id, ep); > >>+ > >>+ rt_init(&socket_ctx[socket_id], socket_id, ep); > >>+ > >>+ pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); > >>+ } > >>+ > >>+ for (portid = 0; portid < nb_ports; portid++) { > >>+ if ((enabled_port_mask & (1 << portid)) == 0) > >>+ continue; > >>+ > >>+ port_init(portid); > >>+ } > >>+ > >>+ /* start ports */ > >>+ for (portid = 0; portid < nb_ports; portid++) { > >>+ if ((enabled_port_mask & (1 << portid)) == 0) > >>+ continue; > >>+ > >>+ /* Start device */ > >>+ ret = rte_eth_dev_start(portid); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " > >>+ "err=%d, port=%d\n", ret, portid); > >>+ /* > >>+ * If enabled, put device in promiscuous mode. > >>+ * This allows IO forwarding mode to forward packets > >>+ * to itself through 2 cross-connected ports of the > >>+ * target machine. > >>+ */ > >>+ if (promiscuous_on) > >>+ rte_eth_promiscuous_enable(portid); > >>+ } > >>+ > >>+ check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask); > >>+ > >>+ /* launch per-lcore init on every lcore */ > >>+ rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER); > >>+ RTE_LCORE_FOREACH_SLAVE(lcore_id) { > >>+ if (rte_eal_wait_lcore(lcore_id) < 0) > >>+ return -1; > >>+ } > >>+ > >>+ return 0; > >>+} > >>diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > >>new file mode 100644 > >>index 0000000..83e3326 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/ipsec.c > >>@@ -0,0 +1,138 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#include <netinet/in.h> > >>+#include <netinet/ip.h> > >>+ > >>+#include <rte_branch_prediction.h> > >>+#include <rte_log.h> > >>+#include <rte_crypto.h> > >>+#include <rte_cryptodev.h> > >>+#include <rte_mbuf.h> > >>+ > >>+#include "ipsec.h" > >>+ > >>+static inline uint16_t > >>+ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[], > >>+ struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts) > >>+{ > >>+ int ret, i, j; > >>+ struct ipsec_mbuf_metadata *priv; > >>+ struct rte_mbuf_offload *ol; > >>+ struct ipsec_sa *sa; > >>+ > >>+ j = 0; > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ rte_prefetch0(sas[i]); > >>+ rte_prefetch0(pkts[i]); > >>+ > >>+ priv = get_priv(pkts[i]); > >>+ ol = &priv->ol; > >>+ sa = sas[i]; > >>+ priv->sa = sa; > >>+ > >>+ IPSEC_ASSERT(sa != NULL); > >>+ > >>+ __rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO); > >>+ > >>+ rte_crypto_op_attach_session(&ol->op.crypto, > >>+ sa->crypto_session); > >>+ > >>+ pkts[i]->offload_ops = ol; > >>+ > >>+ ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto); > >>+ if (unlikely(ret)) > >>+ rte_pktmbuf_free(pkts[i]); > >>+ else > >>+ pkts[j++] = pkts[i]; > >>+ } > >>+ nb_pkts = j; > >>+ > >>+ ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts); > >>+ if (ret < nb_pkts) { > >>+ IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" > >>+ " enqueued %u packets (out of %u)\n", > >>+ cdev_id, qp_id, ret, nb_pkts); > >>+ for (i = ret; i < nb_pkts; i++) > >>+ rte_pktmbuf_free(pkts[i]); > >>+ } > >>+ > >>+ nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts); > >>+ if ((nb_pkts != 0) && (nb_pkts < max_pkts)) > >>+ IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" > >>+ " dequeued %u packets (out of %u)\n", > >>+ cdev_id, qp_id, nb_pkts, max_pkts); > >>+ > >>+ j = 0; > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ rte_prefetch0(pkts[i]); > >>+ > >>+ priv = get_priv(pkts[i]); > >>+ ol = &priv->ol; > >>+ sa = priv->sa; > >>+ rte_prefetch0(sa); > >>+ > >>+ IPSEC_ASSERT(sa != NULL); > >>+ > >>+ ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto); > >>+ if (unlikely(ret)) > >>+ rte_pktmbuf_free(pkts[i]); > >>+ else > >>+ pkts[j++] = pkts[i]; > >>+ } > >>+ > >>+ /* return packets */ > >>+ return j; > >>+} > >>+ > >>+uint16_t > >>+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > >>+ uint16_t nb_pkts, uint16_t len) > >>+{ > >>+ struct ipsec_sa *sas[nb_pkts]; > >>+ > >>+ inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts); > >>+ > >>+ return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); > >>+} > >>+ > >>+uint16_t > >>+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > >>+ uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len) > >>+{ > >>+ struct ipsec_sa *sas[nb_pkts]; > >>+ > >>+ outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts); > >>+ > >>+ return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); > >>+} > >>diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > >>new file mode 100644 > >>index 0000000..abf9d5f > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/ipsec.h > >>@@ -0,0 +1,184 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#ifndef __IPSEC_H__ > >>+#define __IPSEC_H__ > >>+ > >>+#include <stdint.h> > >>+#include <netinet/in.h> > >>+#include <netinet/ip.h> > >>+ > >>+#include <rte_mbuf_offload.h> > >>+#include <rte_byteorder.h> > >>+#include <rte_ip.h> > >>+ > >>+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 > >>+#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 > >>+#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3 > >>+ > >>+#ifdef IPSEC_DEBUG > >>+#define IPSEC_ASSERT(exp) \ > >>+if (!(exp)) { \ > >>+ rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \ > >>+} > >>+ > >>+#define IPSEC_LOG RTE_LOG > >>+#else > >>+#define IPSEC_ASSERT(exp) do {} while (0) > >>+#define IPSEC_LOG(...) do {} while (0) > >>+#endif /* IPSEC_DEBUG */ > >>+ > >>+#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ > >>+ > >>+#define uint32_t_to_char(ip, a, b, c, d) do {\ > >>+ *a = (unsigned char)(ip >> 24 & 0xff);\ > >>+ *b = (unsigned char)(ip >> 16 & 0xff);\ > >>+ *c = (unsigned char)(ip >> 8 & 0xff);\ > >>+ *d = (unsigned char)(ip & 0xff);\ > >>+ } while (0) > >>+ > >>+#define DEFAULT_MAX_CATEGORIES 1 > >>+ > >>+#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */ > >>+#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) > >>+#define INVALID_SPI (0) > >>+ > >>+#define DISCARD (0x80000000) > >>+#define BYPASS (0x40000000) > >>+#define PROTECT_MASK (0x3fffffff) > >>+#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ > >>+ > >>+#define IPSEC_XFORM_MAX 2 > >>+ > >>+struct rte_crypto_xform; > >>+struct ipsec_xform; > >>+struct rte_cryptodev_session; > >>+struct rte_mbuf; > >>+ > >>+struct replay { > >>+ uint32_t seq_h; > >>+}; > >>+ > >>+struct lifetime { > >>+ uint64_t bytes; > >>+ uint64_t seconds; > >>+}; > >>+ > >>+struct ipsec_sa; > >>+ > >>+typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+struct ipsec_sa { > >>+ uint32_t spi; > >>+ uint32_t seq; > >>+ uint32_t src; > >>+ uint32_t dst; > >>+ struct rte_cryptodev_session *crypto_session; > >>+ struct rte_crypto_xform *xforms; > >>+ enum rte_crypto_cipher_algorithm cipher_algo; > >>+ enum rte_crypto_auth_algorithm auth_algo; > >>+ uint16_t digest_len; > >>+ uint16_t iv_len; > >>+ uint16_t block_size; > >>+ ipsec_xform_fn pre_crypto; > >>+ ipsec_xform_fn post_crypto; > >>+ uint32_t flags; > >>+ /* does not apply if no automated SA management (IKE) support */ > >>+ struct lifetime current; > >>+ struct lifetime soft; > >>+ struct lifetime hard; > >>+ struct replay replay; > >>+} __rte_cache_aligned; > >>+ > >>+struct ipsec_mbuf_metadata { > >>+ struct ipsec_sa *sa; > >>+ struct rte_mbuf_offload ol; > >>+}; > >>+ > >>+struct ipsec_ctx { > >>+ uint16_t cdev; > >>+ uint16_t queue; > >>+ struct sa_ctx *sa_ctx; > >>+}; > >>+ > >>+struct socket_ctx { > >>+ struct sa_ctx *sa_ipv4_in; > >>+ struct sa_ctx *sa_ipv4_out; > >>+ struct sp_ctx *sp_ipv4_in; > >>+ struct sp_ctx *sp_ipv4_out; > >>+ struct rt_ctx *rt_ipv4; > >>+ struct rte_mempool *mbuf_pool; > >>+}; > >>+ > >>+uint16_t > >>+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > >>+ uint16_t nb_pkts, uint16_t len); > >>+ > >>+uint16_t > >>+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > >>+ uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len); > >>+ > >>+static inline uint16_t > >>+ipsec_metadata_size(void) > >>+{ > >>+ return sizeof(struct ipsec_mbuf_metadata); > >>+} > >>+ > >>+static inline struct ipsec_mbuf_metadata * > >>+get_priv(struct rte_mbuf *m) > >>+{ > >>+ return RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); > >>+} > >>+ > >>+int > >>+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); > >>+ > >>+void > >>+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], > >>+ struct ipsec_sa *sa[], uint16_t nb_pkts); > >>+ > >>+void > >>+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], > >>+ struct ipsec_sa *sa[], uint16_t nb_pkts); > >>+ > >>+void > >>+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep); > >>+ > >>+void > >>+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id); > >>+ > >>+void > >>+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep); > >>+ > >>+#endif /* __IPSEC_H__ */ > >>diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c > >>new file mode 100644 > >>index 0000000..82064b2 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/rt.c > >>@@ -0,0 +1,131 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+/* > >>+ * Routing Table (RT) > >>+ */ > >>+#include <rte_lpm.h> > >>+#include <rte_errno.h> > >>+ > >>+#include "ipsec.h" > >>+ > >>+#define RT_IPV4_MAX_RULES 64 > >>+ > >>+struct ipv4_route { > >>+ uint32_t ip; > >>+ uint8_t depth; > >>+ uint8_t if_out; > >>+}; > >>+ > >>+/* In the default routing table we have: > >>+ * ep0 protected ports 0 and 1, and unprotected ports 2 and 3. > >>+ */ > >>+static struct ipv4_route rt_ipv4_ep0[] = { > >>+ { IPv4(172, 16, 2, 5), 32, 0 }, > >>+ { IPv4(172, 16, 2, 6), 32, 0 }, > >>+ { IPv4(172, 16, 2, 7), 32, 1 }, > >>+ { IPv4(172, 16, 2, 8), 32, 1 }, > >>+ > >>+ { IPv4(192, 168, 115, 0), 24, 2 }, > >>+ { IPv4(192, 168, 116, 0), 24, 2 }, > >>+ { IPv4(192, 168, 117, 0), 24, 3 }, > >>+ { IPv4(192, 168, 118, 0), 24, 3 } > >>+}; > >>+ > >>+/* In the default routing table we have: > >>+ * ep1 protected ports 0 and 1, and unprotected ports 2 and 3. > >>+ */ > >>+static struct ipv4_route rt_ipv4_ep1[] = { > >>+ { IPv4(172, 16, 1, 5), 32, 2 }, > >>+ { IPv4(172, 16, 1, 6), 32, 2 }, > >>+ { IPv4(172, 16, 1, 7), 32, 3 }, > >>+ { IPv4(172, 16, 1, 8), 32, 3 }, > >>+ > >>+ { IPv4(192, 168, 105, 0), 24, 0 }, > >>+ { IPv4(192, 168, 106, 0), 24, 0 }, > >>+ { IPv4(192, 168, 107, 0), 24, 1 }, > >>+ { IPv4(192, 168, 108, 0), 24, 1 } > >>+}; > >>+ > >>+void > >>+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep) > >>+{ > >>+ char name[PATH_MAX]; > >>+ unsigned i; > >>+ int ret; > >>+ struct rte_lpm *lpm; > >>+ struct ipv4_route *rt; > >>+ char a, b, c, d; > >>+ unsigned nb_routes; > >>+ > >>+ if (ctx == NULL) > >>+ rte_exit(EXIT_FAILURE, "NULL context.\n"); > >>+ > >>+ if (ctx->rt_ipv4 != NULL) > >>+ rte_exit(EXIT_FAILURE, "Routing Table for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ printf("Creating Routing Table (RT) context with %u max routes\n", > >>+ RT_IPV4_MAX_RULES); > >>+ > >>+ if (ep == 0) { > >>+ rt = rt_ipv4_ep0; > >>+ nb_routes = RTE_DIM(rt_ipv4_ep0); > >>+ } else if (ep == 1) { > >>+ rt = rt_ipv4_ep1; > >>+ nb_routes = RTE_DIM(rt_ipv4_ep1); > >>+ } else > >>+ rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 " > >>+ "supported.\n", ep); > >>+ > >>+ /* create the LPM table */ > >>+ snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id); > >>+ lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0); > >>+ if (lpm == NULL) > >>+ rte_exit(EXIT_FAILURE, "Unable to create LPM table " > >>+ "on socket %d\n", socket_id); > >>+ > >>+ /* populate the LPM table */ > >>+ for (i = 0; i < nb_routes; i++) { > >>+ ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "Unable to add entry num %u to " > >>+ "LPM table on socket %d\n", i, socket_id); > >>+ > >>+ uint32_t_to_char(rt[i].ip, &a, &b, &c, &d); > >>+ printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n", > >>+ a, b, c, d, rt[i].depth, rt[i].if_out); > >>+ } > >>+ > >>+ ctx->rt_ipv4 = (struct rt_ctx *)lpm; > >>+} > >>diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > >>new file mode 100644 > >>index 0000000..5ea7592 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/sa.c > >>@@ -0,0 +1,391 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+/* > >>+ * Security Associations > >>+ */ > >>+#include <netinet/ip.h> > >>+ > >>+#include <rte_memzone.h> > >>+#include <rte_crypto.h> > >>+#include <rte_cryptodev.h> > >>+#include <rte_byteorder.h> > >>+#include <rte_errno.h> > >>+ > >>+#include "ipsec.h" > >>+#include "esp.h" > >>+ > >>+/* SAs EP0 Outbound */ > >>+const struct ipsec_sa sa_ep0_out[] = { > >>+ { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >IMO, a SA with NULL crypto (rfc2410) operation will be useful for ESP > >packet processing debugging and measuring the performance impact with > >the crypto block in fast path. > > > > I couldn't agree more. > > I'll add support for NULL crypto in the app with dependency on previously > mentioned cryptodev capabilities patch set and: > http://dpdk.org/ml/archives/dev/2016-January/032458.html > > Sergio > > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > >>+}; > >>+ > >>+/* SAs EP0 Inbound */ > >>+const struct ipsec_sa sa_ep0_in[] = { > >>+ { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > >>+}; > >>+ > >>+/* SAs EP1 Outbound */ > >>+const struct ipsec_sa sa_ep1_out[] = { > >>+ { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > >>+}; > >>+ > >>+/* SAs EP1 Inbound */ > >>+const struct ipsec_sa sa_ep1_in[] = { > >>+ { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > >>+}; > >>+ > >>+static uint8_t cipher_key[256] = "sixteenbytes key"; > >>+ > >>+/* AES CBC xform */ > >>+const struct rte_crypto_xform aescbc_enc_xf = { > >>+ NULL, > >>+ RTE_CRYPTO_XFORM_CIPHER, > >>+ .cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC, > >>+ .key = { cipher_key, 0, 16 } } > >>+}; > >>+ > >>+const struct rte_crypto_xform aescbc_dec_xf = { > >>+ NULL, > >>+ RTE_CRYPTO_XFORM_CIPHER, > >>+ .cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC, > >>+ .key = { cipher_key, 0, 16 } } > >>+}; > >>+ > >>+static uint8_t auth_key[256] = "twentybytes hash key"; > >>+ > >>+/* SHA1 HMAC xform */ > >>+const struct rte_crypto_xform sha1hmac_gen_xf = { > >>+ NULL, > >>+ RTE_CRYPTO_XFORM_AUTH, > >>+ .auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ .key = { auth_key, 0, 20 }, 12, 0 } > >>+}; > >>+ > >>+const struct rte_crypto_xform sha1hmac_verify_xf = { > >>+ NULL, > >>+ RTE_CRYPTO_XFORM_AUTH, > >>+ .auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ .key = { auth_key, 0, 20 }, 12, 0 } > >>+}; > >>+ > >>+struct sa_ctx { > >>+ struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES]; > >>+ struct { > >>+ struct rte_crypto_xform a; > >>+ struct rte_crypto_xform b; > >>+ } xf[IPSEC_SA_MAX_ENTRIES]; > >>+}; > >>+ > >>+static struct sa_ctx * > >>+sa_ipv4_create(const char *name, int socket_id) > >>+{ > >>+ char s[PATH_MAX]; > >>+ struct sa_ctx *sa_ctx; > >>+ unsigned mz_size; > >>+ const struct rte_memzone *mz; > >>+ > >>+ snprintf(s, sizeof(s), "%s_%u", name, socket_id); > >>+ > >>+ /* Create SA array table */ > >>+ printf("Creating SA context with %u maximum entries\n", > >>+ IPSEC_SA_MAX_ENTRIES); > >>+ > >>+ mz_size = sizeof(struct sa_ctx); > >>+ mz = rte_memzone_reserve(s, mz_size, socket_id, > >>+ RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY); > >>+ if (mz == NULL) { > >>+ printf("Failed to allocate SA DB memory\n"); > >>+ rte_errno = -ENOMEM; > >>+ return NULL; > >>+ } > >>+ > >>+ sa_ctx = (struct sa_ctx *)mz->addr; > >>+ > >>+ return sa_ctx; > >>+} > >>+ > >>+static int > >>+sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > >>+ unsigned nb_entries, uint16_t cdev_id, unsigned inbound) > >>+{ > >>+ struct ipsec_sa *sa; > >>+ unsigned i, idx; > >>+ > >>+ for (i = 0; i < nb_entries; i++) { > >>+ idx = SPI2IDX(entries[i].spi); > >>+ sa = &sa_ctx->sa[idx]; > >>+ if (sa->spi != 0) { > >>+ printf("Index %u already in use by SPI %u\n", > >>+ idx, sa->spi); > >>+ return -EINVAL; > >>+ } > >>+ *sa = entries[i]; > >>+ sa->src = rte_cpu_to_be_32(sa->src); > >>+ sa->dst = rte_cpu_to_be_32(sa->dst); > >>+ if (inbound) { > >>+ sa_ctx->xf[idx].a = sha1hmac_verify_xf; > >>+ sa_ctx->xf[idx].b = aescbc_dec_xf; > >>+ } else { /* outbound */ > >>+ sa_ctx->xf[idx].a = aescbc_enc_xf; > >>+ sa_ctx->xf[idx].b = sha1hmac_gen_xf; > >>+ } > >>+ sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b; > >>+ sa_ctx->xf[idx].b.next = NULL; > >>+ sa->xforms = &sa_ctx->xf[idx].a; > >>+ > >>+ sa->crypto_session = rte_cryptodev_session_create(cdev_id, > >>+ sa->xforms); > >>+ } > >>+ > >>+ return 0; > >>+} > >>+ > >>+static inline int > >>+sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > >>+ unsigned nb_entries, uint16_t cdev_id) > >>+{ > >>+ return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0); > >>+} > >>+ > >>+static inline int > >>+sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > >>+ unsigned nb_entries, uint16_t cdev_id) > >>+{ > >>+ return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1); > >>+} > >>+ > >>+void > >>+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id) > >>+{ > >>+ const struct ipsec_sa *sa_out_entries, *sa_in_entries; > >>+ unsigned nb_out_entries, nb_in_entries; > >>+ const char *name; > >>+ > >>+ if (ctx == NULL) > >>+ rte_exit(EXIT_FAILURE, "NULL context.\n"); > >>+ > >>+ if (ctx->sa_ipv4_in != NULL) > >>+ rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ if (ctx->sa_ipv4_out != NULL) > >>+ rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ if (ep == 0) { > >>+ sa_out_entries = sa_ep0_out; > >>+ nb_out_entries = RTE_DIM(sa_ep0_out); > >>+ sa_in_entries = sa_ep0_in; > >>+ nb_in_entries = RTE_DIM(sa_ep0_in); > >>+ } else if (ep == 1) { > >>+ sa_out_entries = sa_ep1_out; > >>+ nb_out_entries = RTE_DIM(sa_ep1_out); > >>+ sa_in_entries = sa_ep1_in; > >>+ nb_in_entries = RTE_DIM(sa_ep1_in); > >>+ } else > >>+ rte_exit(EXIT_FAILURE, "Invalid EP value %u. " > >>+ "Only 0 or 1 supported.\n", ep); > >>+ > >>+ name = "sa_ipv4_in"; > >>+ ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id); > >>+ if (ctx->sa_ipv4_in == NULL) > >>+ rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " > >>+ "in socket %d\n", rte_errno, name, socket_id); > >>+ > >>+ name = "sa_ipv4_out"; > >>+ ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id); > >>+ if (ctx->sa_ipv4_out == NULL) > >>+ rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " > >>+ "in socket %d\n", rte_errno, name, socket_id); > >>+ > >>+ sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, > >>+ nb_in_entries, cdev_id); > >>+ > >>+ sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, > >>+ nb_out_entries, cdev_id); > >>+} > >>+ > >>+int > >>+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx) > >>+{ > >>+ struct ipsec_mbuf_metadata *priv; > >>+ > >>+ priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); > >>+ > >>+ return (sa_ctx->sa[sa_idx].spi == priv->sa->spi); > >>+} > >>+ > >>+void > >>+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], > >>+ struct ipsec_sa *sa[], uint16_t nb_pkts) > >>+{ > >>+ unsigned i; > >>+ uint32_t *src, spi; > >>+ > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *, > >>+ sizeof(struct ip))->spi; > >>+ if (spi == INVALID_SPI) > >>+ continue; > >>+ > >>+ sa[i] = &sa_ctx->sa[SPI2IDX(spi)]; > >>+ if (spi != sa[i]->spi) { > >>+ sa[i] = NULL; > >>+ continue; > >>+ } > >>+ > >>+ src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *, > >>+ offsetof(struct ip, ip_src)); > >>+ if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1))) > >>+ sa[i] = NULL; > >>+ } > >>+} > >>+ > >>+void > >>+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], > >>+ struct ipsec_sa *sa[], uint16_t nb_pkts) > >>+{ > >>+ unsigned i; > >>+ > >>+ for (i = 0; i < nb_pkts; i++) > >>+ sa[i] = &sa_ctx->sa[sa_idx[i]]; > >>+} > >>diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c > >>new file mode 100644 > >>index 0000000..219e478 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/sp.c > >>@@ -0,0 +1,324 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+/* > >>+ * Security Policies > >>+ */ > >>+#include <netinet/ip.h> > >>+ > >>+#include <rte_acl.h> > >>+ > >>+#include "ipsec.h" > >>+ > >>+#define MAX_ACL_RULE_NUM 1000 > >>+ > >>+/* > >>+ * Rule and trace formats definitions. > >>+ */ > >>+enum { > >>+ PROTO_FIELD_IPV4, > >>+ SRC_FIELD_IPV4, > >>+ DST_FIELD_IPV4, > >>+ SRCP_FIELD_IPV4, > >>+ DSTP_FIELD_IPV4, > >>+ NUM_FIELDS_IPV4 > >>+}; > >>+ > >>+/* > >>+ * That effectively defines order of IPV4 classifications: > >>+ * - PROTO > >>+ * - SRC IP ADDRESS > >>+ * - DST IP ADDRESS > >>+ * - PORTS (SRC and DST) > >>+ */ > >>+enum { > >>+ RTE_ACL_IPV4_PROTO, > >>+ RTE_ACL_IPV4_SRC, > >>+ RTE_ACL_IPV4_DST, > >>+ RTE_ACL_IPV4_PORTS, > >>+ RTE_ACL_IPV4_NUM > >>+}; > >>+ > >>+struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = { > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_BITMASK, > >>+ .size = sizeof(uint8_t), > >>+ .field_index = PROTO_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_PROTO, > >>+ .offset = 0, > >>+ }, > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_MASK, > >>+ .size = sizeof(uint32_t), > >>+ .field_index = SRC_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_SRC, > >>+ .offset = offsetof(struct ip, ip_src) - offsetof(struct ip, ip_p) > >>+ }, > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_MASK, > >>+ .size = sizeof(uint32_t), > >>+ .field_index = DST_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_DST, > >>+ .offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p) > >>+ }, > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_RANGE, > >>+ .size = sizeof(uint16_t), > >>+ .field_index = SRCP_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_PORTS, > >>+ .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) > >>+ }, > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_RANGE, > >>+ .size = sizeof(uint16_t), > >>+ .field_index = DSTP_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_PORTS, > >>+ .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) + > >>+ sizeof(uint16_t) > >>+ }, > >>+}; > >>+ > >>+RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs)); > >>+ > >>+const struct acl4_rules acl4_rules_in[] = { > >>+ { > >>+ .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 105, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 106, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 107, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 108, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ } > >>+}; > >>+ > >>+const struct acl4_rules acl4_rules_out[] = { > >>+ { > >>+ .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 115, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 116, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 117, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 118, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ } > >>+}; > >>+ > >>+static void > >>+print_one_ipv4_rule(const struct acl4_rules *rule, int extra) > >>+{ > >>+ unsigned char a, b, c, d; > >>+ > >>+ uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32, > >>+ &a, &b, &c, &d); > >>+ printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, > >>+ rule->field[SRC_FIELD_IPV4].mask_range.u32); > >>+ uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32, > >>+ &a, &b, &c, &d); > >>+ printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, > >>+ rule->field[DST_FIELD_IPV4].mask_range.u32); > >>+ printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ", > >>+ rule->field[SRCP_FIELD_IPV4].value.u16, > >>+ rule->field[SRCP_FIELD_IPV4].mask_range.u16, > >>+ rule->field[DSTP_FIELD_IPV4].value.u16, > >>+ rule->field[DSTP_FIELD_IPV4].mask_range.u16, > >>+ rule->field[PROTO_FIELD_IPV4].value.u8, > >>+ rule->field[PROTO_FIELD_IPV4].mask_range.u8); > >>+ if (extra) > >>+ printf("0x%x-0x%x-0x%x ", > >>+ rule->data.category_mask, > >>+ rule->data.priority, > >>+ rule->data.userdata); > >>+} > >>+ > >>+static inline void > >>+dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra) > >>+{ > >>+ int i; > >>+ > >>+ for (i = 0; i < num; i++, rule++) { > >>+ printf("\t%d:", i + 1); > >>+ print_one_ipv4_rule(rule, extra); > >>+ printf("\n"); > >>+ } > >>+} > >>+ > >>+static struct rte_acl_ctx * > >>+acl4_init(const char *name, int socketid, const struct acl4_rules *rules, > >>+ unsigned rules_nb) > >>+{ > >>+ char s[PATH_MAX]; > >>+ struct rte_acl_param acl_param; > >>+ struct rte_acl_config acl_build_param; > >>+ struct rte_acl_ctx *ctx; > >>+ > >>+ printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM); > >>+ > >>+ memset(&acl_param, 0, sizeof(acl_param)); > >>+ > >>+ /* Create ACL contexts */ > >>+ snprintf(s, sizeof(s), "%s_%d", name, socketid); > >>+ > >>+ printf("IPv4 %s entries [%u]:\n", s, rules_nb); > >>+ dump_ipv4_rules(rules, rules_nb, 1); > >>+ > >>+ acl_param.name = s; > >>+ acl_param.socket_id = socketid; > >>+ acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs)); > >>+ acl_param.max_rule_num = MAX_ACL_RULE_NUM; > >>+ > >>+ ctx = rte_acl_create(&acl_param); > >>+ if (ctx == NULL) > >>+ rte_exit(EXIT_FAILURE, "Failed to create ACL context\n"); > >>+ > >>+ if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules, > >>+ rules_nb) < 0) > >>+ rte_exit(EXIT_FAILURE, "add rules failed\n"); > >>+ > >>+ /* Perform builds */ > >>+ memset(&acl_build_param, 0, sizeof(acl_build_param)); > >>+ > >>+ acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES; > >>+ acl_build_param.num_fields = rules_nb; > >>+ memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs)); > >>+ > >>+ if (rte_acl_build(ctx, &acl_build_param) != 0) > >>+ rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n"); > >>+ > >>+ rte_acl_dump(ctx); > >>+ > >>+ return ctx; > >>+} > >>+ > >>+void > >>+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep) > >>+{ > >>+ const char *name; > >>+ const struct acl4_rules *rules_out, *rules_in; > >>+ unsigned nb_out_rules, nb_in_rules; > >>+ > >>+ if (ctx == NULL) > >>+ rte_exit(EXIT_FAILURE, "NULL context.\n"); > >>+ > >>+ if (ctx->sp_ipv4_in != NULL) > >>+ rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ if (ctx->sp_ipv4_out != NULL) > >>+ rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ if (ep == 0) { > >>+ rules_out = acl4_rules_in; > >>+ nb_out_rules = RTE_DIM(acl4_rules_in); > >>+ rules_in = acl4_rules_out; > >>+ nb_in_rules = RTE_DIM(acl4_rules_out); > >>+ } else if (ep == 1) { > >>+ rules_out = acl4_rules_out; > >>+ nb_out_rules = RTE_DIM(acl4_rules_out); > >>+ rules_in = acl4_rules_in; > >>+ nb_in_rules = RTE_DIM(acl4_rules_in); > >>+ } else > >>+ rte_exit(EXIT_FAILURE, "Invalid EP value %u. " > >>+ "Only 0 or 1 supported.\n", ep); > >>+ > >>+ name = "sp_ipv4_in"; > >>+ ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id, > >>+ rules_in, nb_in_rules); > >>+ > >>+ name = "sp_ipv4_out"; > >>+ ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id, > >>+ rules_out, nb_out_rules); > >>+} > >>-- > >>2.4.3 > >> > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway 2016-02-01 11:26 ` Jerin Jacob @ 2016-02-01 14:09 ` Thomas Monjalon 2016-03-09 23:54 ` Sergio Gonzalez Monroy 1 sibling, 0 replies; 15+ messages in thread From: Thomas Monjalon @ 2016-02-01 14:09 UTC (permalink / raw) To: Jerin Jacob, Sergio Gonzalez Monroy; +Cc: dev 2016-02-01 16:56, Jerin Jacob: > On Mon, Feb 01, 2016 at 11:09:16AM +0000, Sergio Gonzalez Monroy wrote: > > On 31/01/2016 14:39, Jerin Jacob wrote: [...] Please guys, strip the unneeded content. Thanks ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway 2016-02-01 11:26 ` Jerin Jacob 2016-02-01 14:09 ` Thomas Monjalon @ 2016-03-09 23:54 ` Sergio Gonzalez Monroy 2016-03-10 3:41 ` Jerin Jacob 1 sibling, 1 reply; 15+ messages in thread From: Sergio Gonzalez Monroy @ 2016-03-09 23:54 UTC (permalink / raw) To: Jerin Jacob; +Cc: dev On 01/02/2016 11:26, Jerin Jacob wrote: > On Mon, Feb 01, 2016 at 11:09:16AM +0000, Sergio Gonzalez Monroy wrote: >> On 31/01/2016 14:39, Jerin Jacob wrote: >>> On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote: >>> >>> IMO, an option for single SA based outbound processing would be useful >>> measuring performance bottlenecks with SA lookup. >>> >> Hi Jerin, >> >> Are you suggesting to have an option so we basically encrypt all traffic >> using >> a single SA bypassing the SP/ACL ? > Yes. Basicaly an option to bypass "rte_acl_classify" if its for single > SA use case. > > Hi Jerin, After re-reading your comment regarding the single SA I just want to double check that I understood correctly what you were suggesting. Basically an option that we can provide a single SA to use for outbound, skipping rte_acl_classify in outbound path. That same option would also skip rte_acl_classify in inbound path without checking that we accept specific traffic for an SA. Is that correct? Sergio ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway 2016-03-09 23:54 ` Sergio Gonzalez Monroy @ 2016-03-10 3:41 ` Jerin Jacob 0 siblings, 0 replies; 15+ messages in thread From: Jerin Jacob @ 2016-03-10 3:41 UTC (permalink / raw) To: Sergio Gonzalez Monroy; +Cc: dev On Wed, Mar 09, 2016 at 11:54:50PM +0000, Sergio Gonzalez Monroy wrote: > On 01/02/2016 11:26, Jerin Jacob wrote: > >On Mon, Feb 01, 2016 at 11:09:16AM +0000, Sergio Gonzalez Monroy wrote: > >>On 31/01/2016 14:39, Jerin Jacob wrote: > >>>On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote: > >>> > > >>>IMO, an option for single SA based outbound processing would be useful > >>>measuring performance bottlenecks with SA lookup. > >>> > >>Hi Jerin, > >> > >>Are you suggesting to have an option so we basically encrypt all traffic > >>using > >>a single SA bypassing the SP/ACL ? > >Yes. Basicaly an option to bypass "rte_acl_classify" if its for single > >SA use case. > > > > > > Hi Jerin, > > After re-reading your comment regarding the single SA I just want to double > check > that I understood correctly what you were suggesting. > > Basically an option that we can provide a single SA to use for outbound, > skipping rte_acl_classify in outbound path. > That same option would also skip rte_acl_classify in inbound path without > checking > that we accept specific traffic for an SA. > > Is that correct? Yes > > Sergio ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway 2016-01-29 20:29 [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway Sergio Gonzalez Monroy 2016-01-31 14:39 ` Jerin Jacob @ 2016-02-24 13:32 ` Thomas Monjalon 2016-02-24 14:49 ` Sergio Gonzalez Monroy 2016-03-11 1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy 2 siblings, 1 reply; 15+ messages in thread From: Thomas Monjalon @ 2016-02-24 13:32 UTC (permalink / raw) To: Sergio Gonzalez Monroy; +Cc: dev Hi, 2016-01-29 20:29, Sergio Gonzalez Monroy: > Sample app implementing an IPsec Security Geteway. > The main goal of this app is to show the use of cryptodev framework > in a real world application. > > Currently only supported static IPv4 IPsec tunnels using AES-CBC > and HMAC-SHA1. > > Also, currently not supported: > - SA auto negotiation (No IKE support) > - chained mbufs Is 32-bit arch supported? I see this error: error: left shift count >= width of type [-Werror=shift-count-overflow] (ethhdr[1] & (0xffffUL << 48)); ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway 2016-02-24 13:32 ` Thomas Monjalon @ 2016-02-24 14:49 ` Sergio Gonzalez Monroy 0 siblings, 0 replies; 15+ messages in thread From: Sergio Gonzalez Monroy @ 2016-02-24 14:49 UTC (permalink / raw) To: Thomas Monjalon; +Cc: dev On 24/02/2016 13:32, Thomas Monjalon wrote: > Hi, > > 2016-01-29 20:29, Sergio Gonzalez Monroy: >> Sample app implementing an IPsec Security Geteway. >> The main goal of this app is to show the use of cryptodev framework >> in a real world application. >> >> Currently only supported static IPv4 IPsec tunnels using AES-CBC >> and HMAC-SHA1. >> >> Also, currently not supported: >> - SA auto negotiation (No IKE support) >> - chained mbufs > Is 32-bit arch supported? It's meant to. I'll fix it in next version. Sergio > I see this error: > error: left shift count >= width of type [-Werror=shift-count-overflow] > (ethhdr[1] & (0xffffUL << 48)); > > ^ permalink raw reply [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v2] example/ipsec-secgw: ipsec security gateway 2016-01-29 20:29 [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway Sergio Gonzalez Monroy 2016-01-31 14:39 ` Jerin Jacob 2016-02-24 13:32 ` Thomas Monjalon @ 2016-03-11 1:38 ` Sergio Gonzalez Monroy 2016-03-11 2:12 ` De Lara Guarch, Pablo 2016-03-11 2:12 ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy 2 siblings, 2 replies; 15+ messages in thread From: Sergio Gonzalez Monroy @ 2016-03-11 1:38 UTC (permalink / raw) To: dev Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> --- v2: - Update to use new cryptodev API - NULL PMD support * dependency on "null_crypto_pmd: PMD to support null crypto operations" http://dpdk.org/dev/patchwork/patch/11428/ - Added --single-sa option to bypass SP/ACL - Removed option for QAT/AESNI and instead expects vdev to be created through EAL with command line options. * dependency on "cryptodev: add capabilities discovery mechanism" http://dpdk.org/dev/patchwork/patch/11434/ - fixed inbound traffic bug - fixed bug with single core bi-directional traffic (inbound and outbound) MAINTAINERS | 4 + doc/guides/rel_notes/release_16_04.rst | 3 + doc/guides/sample_app_ug/index.rst | 1 + doc/guides/sample_app_ug/ipsec_secgw.rst | 524 ++++++++++++ examples/Makefile | 2 + examples/ipsec-secgw/Makefile | 58 ++ examples/ipsec-secgw/esp.c | 250 ++++++ examples/ipsec-secgw/esp.h | 66 ++ examples/ipsec-secgw/ipip.h | 103 +++ examples/ipsec-secgw/ipsec-secgw.c | 1360 ++++++++++++++++++++++++++++++ examples/ipsec-secgw/ipsec.c | 203 +++++ examples/ipsec-secgw/ipsec.h | 192 +++++ examples/ipsec-secgw/rt.c | 144 ++++ examples/ipsec-secgw/sa.c | 438 ++++++++++ examples/ipsec-secgw/sp.c | 364 ++++++++ 15 files changed, 3712 insertions(+) create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst create mode 100644 examples/ipsec-secgw/Makefile create mode 100644 examples/ipsec-secgw/esp.c create mode 100644 examples/ipsec-secgw/esp.h create mode 100644 examples/ipsec-secgw/ipip.h create mode 100644 examples/ipsec-secgw/ipsec-secgw.c create mode 100644 examples/ipsec-secgw/ipsec.c create mode 100644 examples/ipsec-secgw/ipsec.h create mode 100644 examples/ipsec-secgw/rt.c create mode 100644 examples/ipsec-secgw/sa.c create mode 100644 examples/ipsec-secgw/sp.c diff --git a/MAINTAINERS b/MAINTAINERS index 2ad628e..8564403 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -616,3 +616,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst M: Pablo de Lara <pablo.de.lara.guarch@intel.com> M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com> F: examples/ptpclient/ + +M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> +F: doc/guides/sample_app_ug/ipsec-secgw.rst +F: examples/ipsec-secgw/ diff --git a/doc/guides/rel_notes/release_16_04.rst b/doc/guides/rel_notes/release_16_04.rst index f69feac..c3fb18a 100644 --- a/doc/guides/rel_notes/release_16_04.rst +++ b/doc/guides/rel_notes/release_16_04.rst @@ -148,6 +148,9 @@ Examples vhost-switch often fails to allocate mbuf when dequeue from vring because it wrongly calculates the number of mbufs needed. +* **examples/ipsec-secgw: ipsec security gateway** + + New application implementing an IPsec Security Gateway. Other ~~~~~ diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst index 8a646dd..88375d2 100644 --- a/doc/guides/sample_app_ug/index.rst +++ b/doc/guides/sample_app_ug/index.rst @@ -73,6 +73,7 @@ Sample Applications User Guide proc_info ptpclient performance_thread + ipsec_secgw **Figures** diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst new file mode 100644 index 0000000..bc41ea8 --- /dev/null +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -0,0 +1,524 @@ +.. BSD LICENSE + Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + * Neither the name of Intel Corporation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +IPsec Security Gateway Sample Application +========================================= + +The IPsec Security Gateway application is an example of a "real world" +application using DPDK cryptodev framework. + +Overview +-------- + +The application demonstrates the implementation of a Security Gateway +(not IPsec compliant, see Constraints bellow) using DPDK based on RFC4301, +RFC4303, RFC3602 and RFC2404. + +Internet Key Exchange (IKE) is not implemented, so only manual setting of +Security Policies and Security Associations is supported. + +The Security Policies (SP) are implemented as ACL rules, the Security +Associations (SA) are stored in a table and the Routing is implemented +using LPM. + +The application classify the ports between Protected and Unprotected. +Thus, traffic received in an Unprotected or Protected port is consider +Inbound or Outbound respectively. + +Path for IPsec Inbound traffic: + +* Read packets from the port +* Classify packets between IPv4 and ESP. +* Inbound SA lookup for ESP packets based on their SPI +* Verification/Decryption +* Removal of ESP and outer IP header +* Inbound SP check using ACL of decrypted packets and any other IPv4 packet + we read. +* Routing +* Write packet to port + +Path for IPsec Outbound traffic: + +* Read packets from the port +* Outbound SP check using ACL of all IPv4 traffic +* Outbound SA lookup for packets that need IPsec protection +* Add ESP and outter IP header +* Encryption/Digest +* Routing +* Write packet to port + +Constraints +----------- +* IPv4 traffic +* ESP tunnel mode +* EAS-CBC, HMAC-SHA1 and NULL +* Each SA must be handle by a unique lcore (1 RX queue per port) +* No chained mbufs + +Compiling the Application +------------------------- + +To compile the application: + +#. Go to the sample application directory: + + .. code-block:: console + + export RTE_SDK=/path/to/rte_sdk + cd ${RTE_SDK}/examples/ipsec-secgw + +#. Set the target (a default target is used if not specified). For example: + + .. code-block:: console + + export RTE_TARGET=x86_64-native-linuxapp-gcc + + See the *DPDK Getting Started Guide* for possible RTE_TARGET values. + +#. Build the application: + + .. code-block:: console + + make + +Running the Application +----------------------- + +The application has a number of command line options: + +.. code-block:: console + + ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config + (port,queue,lcore)[,(port,queue,lcore] --single-sa SAIDX --ep0|--ep1 + +where, + +* -p PORTMASK: Hexadecimal bitmask of ports to configure + +* -P: optional, sets all ports to promiscuous mode so that packets are + accepted regardless of the packet's Ethernet MAC destination address. + Without this option, only packets with the Ethernet MAC destination address + set to the Ethernet address of the port are accepted (default is enabled). + +* -u PORTMASK: hexadecimal bitmask of unprotected ports + +* --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues + from which ports are mapped to which cores + +* --single-sa SAIDX: use a single SA for outbound traffic, bypassing the SP + on both Inbound and Outbound. This option is meant for debugging/performance + purposes. + +* --ep0: configure the app as Endpoint 0. + +* --ep1: configure the app as Endpoint 1. + +Either one of --ep0 or --ep1 *must* be specified. +The main purpose of these options is two easily configure two systems +back-to-back that would forward traffic through an IPsec tunnel. + +The mapping of lcores to port/queues is similar to other l3fwd applications. + +For example, given the following command line: + +.. code-block:: console + + ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 + --vdev "cryptodev_null_pmd" -- -p 0xf -P -u 0x3 + --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --ep0 + +where each options means: + +* The -l option enables cores 20 and 21 + +* The -n option sets memory 4 channels + +* The --socket-mem to use 2GB on socket 1 + +* The --vdev "cryptodev_null_pmd" option creates virtual NULL cryptodev PMD + +* The -p option enables ports (detected) 0, 1, 2 and 3 + +* The -P option enables promiscuous mode + +* The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected + +* The --config option enables one queue per port with the following mapping: + ++----------+-----------+-----------+---------------------------------------+ +| **Port** | **Queue** | **lcore** | **Description** | +| | | | | ++----------+-----------+-----------+---------------------------------------+ +| 0 | 0 | 20 | Map queue 0 from port 0 to lcore 20. | +| | | | | ++----------+-----------+-----------+---------------------------------------+ +| 1 | 0 | 20 | Map queue 0 from port 1 to lcore 20. | +| | | | | ++----------+-----------+-----------+---------------------------------------+ +| 2 | 0 | 21 | Map queue 0 from port 2 to lcore 21. | +| | | | | ++----------+-----------+-----------+---------------------------------------+ +| 3 | 0 | 21 | Map queue 0 from port 3 to lcore 21. | +| | | | | ++----------+-----------+-----------+---------------------------------------+ + +* The --ep0 options configures the app with a given set of SP, SA and Routing + entries as explained below in more detail. + +Refer to the *DPDK Getting Started Guide* for general information on running +applications and the Environment Abstraction Layer (EAL) options. + +The application would do a best effort to "map" crypto devices to cores, with +hardware devices having priority. +This means that if the application is using a single core and both hardware +and software crypto devices are detected, hardware devices will be used. + +A way to achive the case where you want to force the use of virtual crypto +devices is to whitelist the ethernet devices needed and therefore implicitely +blacklisting all hardware crypto devices. + +For example, something like the following command line: + +.. code-block:: console + + ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 + -w 81:00.0 -w 81:00.1 -w 81:00.2 -w 81:00.3 + --vdev "cryptodev_aesni_mb_pmd" --vdev "cryptodev_null_pmd" -- + -p 0xf -P -u 0x3 --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" + --ep0 + +Configurations +-------------- + +The following sections provide some details on the default values used to +initialize the SP, SA and Routing tables. +Currently all the configuration is hard coded into the application. + +Security Policy Initialization +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As mention in the overview, the Security Policies are ACL rules. +The application defines two ACLs, one each of Inbound and Outbound, and +it replicates them per socket in use. + +Following are the default rules: + +Endpoint 0 Outbound Security Policies: + ++---------+------------------+-----------+------------+ +| **Src** | **Dst** | **proto** | **SA idx** | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.105.0/24 | Any | 5 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.106.0/24 | Any | 6 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.107.0/24 | Any | 7 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.108.0/24 | Any | 8 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.200.0/24 | Any | 9 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.250.0/24 | Any | BYPASS | +| | | | | ++---------+------------------+-----------+------------+ + +Endpoint 0 Inbound Security Policies: + ++---------+------------------+-----------+------------+ +| **Src** | **Dst** | **proto** | **SA idx** | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.115.0/24 | Any | 5 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.116.0/24 | Any | 6 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.117.0/24 | Any | 7 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.118.0/24 | Any | 8 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.210.0/24 | Any | 9 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.240.0/24 | Any | BYPASS | +| | | | | ++---------+------------------+-----------+------------+ + +Endpoint 1 Outbound Security Policies: + ++---------+------------------+-----------+------------+ +| **Src** | **Dst** | **proto** | **SA idx** | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.115.0/24 | Any | 5 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.116.0/24 | Any | 6 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.117.0/24 | Any | 7 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.118.0/24 | Any | 8 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.210.0/24 | Any | 9 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.240.0/24 | Any | BYPASS | +| | | | | ++---------+------------------+-----------+------------+ + +Endpoint 1 Inbound Security Policies: + ++---------+------------------+-----------+------------+ +| **Src** | **Dst** | **proto** | **SA idx** | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.105.0/24 | Any | 5 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.106.0/24 | Any | 6 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.107.0/24 | Any | 7 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.108.0/24 | Any | 8 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.200.0/24 | Any | 9 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.250.0/24 | Any | BYPASS | +| | | | | ++---------+------------------+-----------+------------+ + + +Security Association Initialization +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The SAs are kept in a array table. + +For Inbound, the SPI is used as index module the table size. +This means that on a table for 100 SA, SPI 5 and 105 would use the same index +and that is not currently supported. + +Notice that it is not an issue for Outbound traffic as we store the index and +not the SPI in the Security Policy. + +All SAs configured with AES-CBC and HMAC-SHA1 share the same values for cipher +block size and key, and authentication digest size and key. + +Following are the default values: + +Endpoint 0 Outbound Security Associations: + ++---------+------------+-----------+----------------+------------------+ +| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ + +Endpoint 0 Inbound Security Associations: + ++---------+------------+-----------+----------------+------------------+ +| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ + +Endpoint 1 Outbound Security Associations: + ++---------+------------+-----------+----------------+------------------+ +| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ + +Endpoint 1 Inbound Security Associations: + ++---------+------------+-----------+----------------+------------------+ +| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ + +Routing Initialization +~~~~~~~~~~~~~~~~~~~~~~ + +The Routing is implemented using LPM table. + +Following default values: + +Endpoint 0 Routing Table: + ++------------------+----------+ +| **Dst addr** | **Port** | +| | | ++------------------+----------+ +| 172.16.2.5/32 | 0 | +| | | ++------------------+----------+ +| 172.16.2.6/32 | 0 | +| | | ++------------------+----------+ +| 172.16.2.7/32 | 1 | +| | | ++------------------+----------+ +| 172.16.2.8/32 | 1 | +| | | ++------------------+----------+ +| 192.168.115.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.116.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.117.0/24 | 3 | +| | | ++------------------+----------+ +| 192.168.118.0/24 | 3 | +| | | ++------------------+----------+ +| 192.168.210.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.240.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.250.0/24 | 0 | +| | | ++------------------+----------+ + +Endpoint 1 Routing Table: + ++------------------+----------+ +| **Dst addr** | **Port** | +| | | ++------------------+----------+ +| 172.16.1.5/32 | 2 | +| | | ++------------------+----------+ +| 172.16.1.6/32 | 2 | +| | | ++------------------+----------+ +| 172.16.1.7/32 | 3 | +| | | ++------------------+----------+ +| 172.16.1.8/32 | 3 | +| | | ++------------------+----------+ +| 192.168.105.0/24 | 0 | +| | | ++------------------+----------+ +| 192.168.106.0/24 | 0 | +| | | ++------------------+----------+ +| 192.168.107.0/24 | 1 | +| | | ++------------------+----------+ +| 192.168.108.0/24 | 1 | +| | | ++------------------+----------+ +| 192.168.200.0/24 | 0 | +| | | ++------------------+----------+ +| 192.168.240.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.250.0/24 | 0 | +| | | ++------------------+----------+ diff --git a/examples/Makefile b/examples/Makefile index 1665df1..c9d2452 100644 --- a/examples/Makefile +++ b/examples/Makefile @@ -1,6 +1,7 @@ # BSD LICENSE # # Copyright(c) 2014 6WIND S.A. +# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions @@ -82,5 +83,6 @@ DIRS-y += vmdq DIRS-y += vmdq_dcb DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto +DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw include $(RTE_SDK)/mk/rte.extsubdir.mk diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile new file mode 100644 index 0000000..5f893b8 --- /dev/null +++ b/examples/ipsec-secgw/Makefile @@ -0,0 +1,58 @@ +# BSD LICENSE +# +# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +ifeq ($(RTE_SDK),) + $(error "Please define RTE_SDK environment variable") +endif + +# Default target, can be overridden by command line or environment +RTE_TARGET ?= x86_64-native-linuxapp-gcc + +include $(RTE_SDK)/mk/rte.vars.mk + +APP = ipsec-secgw + +CFLAGS += -O3 -gdwarf-2 +CFLAGS += $(WERROR_FLAGS) + +VPATH += $(SRCDIR)/librte_ipsec + +# +# all source are stored in SRCS-y +# +SRCS-y += ipsec.c +SRCS-y += esp.c +SRCS-y += sp.c +SRCS-y += sa.c +SRCS-y += rt.c +SRCS-y += ipsec-secgw.c + +include $(RTE_SDK)/mk/rte.extapp.mk diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c new file mode 100644 index 0000000..1da2c08 --- /dev/null +++ b/examples/ipsec-secgw/esp.c @@ -0,0 +1,250 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <stdint.h> +#include <stdlib.h> +#include <netinet/ip.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <unistd.h> + +#include <rte_common.h> +#include <rte_memcpy.h> +#include <rte_crypto.h> +#include <rte_cryptodev.h> +#include <rte_random.h> + +#include "ipsec.h" +#include "esp.h" +#include "ipip.h" + +#define IP_ESP_HDR_SZ (sizeof(struct ip) + sizeof(struct esp_hdr)) + +static inline void +random_iv_u64(uint64_t *buf, uint16_t n) +{ + unsigned left = n & 0x7; + unsigned i; + + IPSEC_ASSERT((n & 0x3) == 0); + + for (i = 0; i < (n >> 3); i++) + buf[i] = rte_rand(); + + if (left) + *((uint32_t *)&buf[i]) = (uint32_t)lrand48(); +} + +/* IPv4 Tunnel */ +int +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop) +{ + int32_t payload_len; + struct rte_crypto_sym_op *sym_cop; + + IPSEC_ASSERT(m != NULL); + IPSEC_ASSERT(sa != NULL); + IPSEC_ASSERT(cop != NULL); + + payload_len = rte_pktmbuf_pkt_len(m) - IP_ESP_HDR_SZ - sa->iv_len - + sa->digest_len; + + if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) { + IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not multiple of %u\n", + payload_len, sa->block_size); + return -EINVAL; + } + + sym_cop = (struct rte_crypto_sym_op *)(cop + 1); + + sym_cop->m_src = m; + sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len; + sym_cop->cipher.data.length = payload_len; + + sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, void*, + IP_ESP_HDR_SZ); + sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m, + IP_ESP_HDR_SZ); + sym_cop->cipher.iv.length = sa->iv_len; + + sym_cop->auth.data.offset = sizeof(struct ip); + if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM) + sym_cop->auth.data.length = sizeof(struct esp_hdr); + else + sym_cop->auth.data.length = sizeof(struct esp_hdr) + + sa->iv_len + payload_len; + + sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*, + rte_pktmbuf_pkt_len(m) - sa->digest_len); + sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m, + rte_pktmbuf_pkt_len(m) - sa->digest_len); + sym_cop->auth.digest.length = sa->digest_len; + + return 0; +} + +int +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop) +{ + uint8_t *nexthdr, *pad_len; + uint8_t *padding; + uint16_t i; + + IPSEC_ASSERT(m != NULL); + IPSEC_ASSERT(sa != NULL); + IPSEC_ASSERT(cop != NULL); + + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); + return -1; + } + + nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*, + rte_pktmbuf_pkt_len(m) - sa->digest_len - 1); + pad_len = nexthdr - 1; + + padding = pad_len - *pad_len; + for (i = 0; i < *pad_len; i++) { + if (padding[i] != i) { + IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n"); + return -EINVAL; + } + } + + if (rte_pktmbuf_trim(m, *pad_len + 2 + sa->digest_len)) { + IPSEC_LOG(ERR, IPSEC_ESP, + "failed to remove pad_len + digest\n"); + return -EINVAL; + } + + return ip4ip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len); +} + +int +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop) +{ + uint16_t pad_payload_len, pad_len; + struct ip *ip; + struct esp_hdr *esp; + int i; + char *padding; + struct rte_crypto_sym_op *sym_cop; + + IPSEC_ASSERT(m != NULL); + IPSEC_ASSERT(sa != NULL); + IPSEC_ASSERT(cop != NULL); + + /* Payload length */ + pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) + 2, + sa->block_size); + pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m); + + rte_prefetch0(rte_pktmbuf_mtod_offset(m, void *, + rte_pktmbuf_pkt_len(m))); + + /* Check maximum packet size */ + if (unlikely(IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len + + sa->digest_len > IP_MAXPACKET)) { + IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n"); + return -EINVAL; + } + + padding = rte_pktmbuf_append(m, pad_len + sa->digest_len); + + IPSEC_ASSERT(padding != NULL); + + ip = ip4ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len, + sa->src, sa->dst); + + esp = (struct esp_hdr *)(ip + 1); + esp->spi = sa->spi; + esp->seq = htonl(sa->seq++); + + IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m)); + + /* Fill pad_len using default sequential scheme */ + for (i = 0; i < pad_len - 2; i++) + padding[i] = i + 1; + + padding[pad_len - 2] = pad_len - 2; + padding[pad_len - 1] = IPPROTO_IPIP; + + sym_cop = (struct rte_crypto_sym_op *)(cop + 1); + + sym_cop->m_src = m; + sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len; + sym_cop->cipher.data.length = pad_payload_len; + + sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, uint8_t *, + IP_ESP_HDR_SZ); + sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m, + IP_ESP_HDR_SZ); + sym_cop->cipher.iv.length = sa->iv_len; + + sym_cop->auth.data.offset = sizeof(struct ip); + sym_cop->auth.data.length = sizeof(struct esp_hdr) + sa->iv_len + + pad_payload_len; + + sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *, + IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len); + sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m, + IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len); + sym_cop->auth.digest.length = sa->digest_len; + + if (sa->cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC) + random_iv_u64((uint64_t *)sym_cop->cipher.iv.data, + sym_cop->cipher.iv.length); + + return 0; +} + +int +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused, + struct ipsec_sa *sa __rte_unused, + struct rte_crypto_op *cop) +{ + IPSEC_ASSERT(m != NULL); + IPSEC_ASSERT(sa != NULL); + IPSEC_ASSERT(cop != NULL); + + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); + return -1; + } + + return 0; +} diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h new file mode 100644 index 0000000..d7c8ba6 --- /dev/null +++ b/examples/ipsec-secgw/esp.h @@ -0,0 +1,66 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#ifndef __RTE_IPSEC_XFORM_ESP_H__ +#define __RTE_IPSEC_XFORM_ESP_H__ + +struct mbuf; + +/* RFC4303 */ +struct esp_hdr { + uint32_t spi; + uint32_t seq; + /* Payload */ + /* Padding */ + /* Pad Length */ + /* Next Header */ + /* Integrity Check Value - ICV */ +}; + +/* IPv4 Tunnel */ +int +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +int +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +int +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +int +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +#endif /* __RTE_IPSEC_XFORM_ESP_H__ */ diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h new file mode 100644 index 0000000..4eb96da --- /dev/null +++ b/examples/ipsec-secgw/ipip.h @@ -0,0 +1,103 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __IPIP_H__ +#define __IPIP_H__ + +#include <stdint.h> +#include <netinet/in.h> +#include <netinet/ip.h> + +#include <rte_mbuf.h> + +#define IPV6_VERSION (6) + +static inline struct ip * +ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst) +{ + struct ip *inip, *outip; + + inip = rte_pktmbuf_mtod(m, struct ip*); + + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); + + offset += sizeof(struct ip); + + outip = (struct ip *)rte_pktmbuf_prepend(m, offset); + + IPSEC_ASSERT(outip != NULL); + + /* Per RFC4301 5.1.2.1 */ + outip->ip_v = IPVERSION; + outip->ip_hl = 5; + outip->ip_tos = inip->ip_tos; + outip->ip_len = htons(rte_pktmbuf_data_len(m)); + + outip->ip_id = 0; + outip->ip_off = 0; + + outip->ip_ttl = IPDEFTTL; + outip->ip_p = IPPROTO_ESP; + + outip->ip_src.s_addr = src; + outip->ip_dst.s_addr = dst; + + return outip; +} + +static inline int +ip4ip_inbound(struct rte_mbuf *m, uint32_t offset) +{ + struct ip *inip; + struct ip *outip; + + outip = rte_pktmbuf_mtod(m, struct ip*); + + IPSEC_ASSERT(outip->ip_v == IPVERSION); + + offset += sizeof(struct ip); + inip = (struct ip *)rte_pktmbuf_adj(m, offset); + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); + + /* Check packet is still bigger than IP header (inner) */ + IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip)); + + /* RFC4301 5.1.2.1 Note 6 */ + if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) && + ((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE)) + inip->ip_tos |= htons(IPTOS_ECN_CE); + + return 0; +} + +#endif /* __IPIP_H__ */ diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c new file mode 100644 index 0000000..cc6deee --- /dev/null +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -0,0 +1,1360 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <inttypes.h> +#include <sys/types.h> +#include <string.h> +#include <sys/queue.h> +#include <stdarg.h> +#include <errno.h> +#include <getopt.h> + +#include <rte_common.h> +#include <rte_byteorder.h> +#include <rte_log.h> +#include <rte_eal.h> +#include <rte_launch.h> +#include <rte_atomic.h> +#include <rte_cycles.h> +#include <rte_prefetch.h> +#include <rte_lcore.h> +#include <rte_per_lcore.h> +#include <rte_branch_prediction.h> +#include <rte_interrupts.h> +#include <rte_pci.h> +#include <rte_random.h> +#include <rte_debug.h> +#include <rte_ether.h> +#include <rte_ethdev.h> +#include <rte_mempool.h> +#include <rte_mbuf.h> +#include <rte_acl.h> +#include <rte_lpm.h> +#include <rte_hash.h> +#include <rte_jhash.h> +#include <rte_cryptodev.h> + +#include "ipsec.h" + +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 + +#define MAX_JUMBO_PKT_LEN 9600 + +#define MEMPOOL_CACHE_SIZE 256 + +#define NB_MBUF (32000) + +#define CDEV_MAP_ENTRIES 1024 +#define CDEV_MP_NB_OBJS 2048 +#define CDEV_MP_CACHE_SZ 64 +#define MAX_QUEUE_PAIRS 1 + +#define OPTION_CONFIG "config" +#define OPTION_SINGLE_SA "single-sa" +#define OPTION_EP0 "ep0" +#define OPTION_EP1 "ep1" + +#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */ + +#define NB_SOCKETS 4 + +/* Configure how many packets ahead to prefetch, when reading packets */ +#define PREFETCH_OFFSET 3 + +#define MAX_RX_QUEUE_PER_LCORE 16 + +#define MAX_LCORE_PARAMS 1024 + +#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid)) + +/* + * Configurable number of RX/TX ring descriptors + */ +#define IPSEC_SECGW_RX_DESC_DEFAULT 128 +#define IPSEC_SECGW_TX_DESC_DEFAULT 512 +static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT; +static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT; + +#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ + (((uint64_t)((a) & 0xff) << 56) | \ + ((uint64_t)((b) & 0xff) << 48) | \ + ((uint64_t)((c) & 0xff) << 40) | \ + ((uint64_t)((d) & 0xff) << 32) | \ + ((uint64_t)((e) & 0xff) << 24) | \ + ((uint64_t)((f) & 0xff) << 16) | \ + ((uint64_t)((g) & 0xff) << 8) | \ + ((uint64_t)(h) & 0xff)) +#else +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ + (((uint64_t)((h) & 0xff) << 56) | \ + ((uint64_t)((g) & 0xff) << 48) | \ + ((uint64_t)((f) & 0xff) << 40) | \ + ((uint64_t)((e) & 0xff) << 32) | \ + ((uint64_t)((d) & 0xff) << 24) | \ + ((uint64_t)((c) & 0xff) << 16) | \ + ((uint64_t)((b) & 0xff) << 8) | \ + ((uint64_t)(a) & 0xff)) +#endif +#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) + +#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \ + addr.addr_bytes[0], addr.addr_bytes[1], \ + addr.addr_bytes[2], addr.addr_bytes[3], \ + addr.addr_bytes[4], addr.addr_bytes[5], \ + 0, 0) + +/* port/source ethernet addr and destination ethernet addr */ +struct ethaddr_info { + uint64_t src, dst; +}; + +struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = { + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) }, + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) }, + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) }, + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) } +}; + +/* mask of enabled ports */ +static uint32_t enabled_port_mask; +static uint32_t unprotected_port_mask; +static int32_t promiscuous_on = 1; +static int32_t numa_on = 1; /**< NUMA is enabled by default. */ +static int32_t ep = -1; /**< Endpoint configuration (0 or 1) */ +static uint32_t nb_lcores; +static uint32_t single_sa; +static uint32_t single_sa_idx; + +struct lcore_rx_queue { + uint8_t port_id; + uint8_t queue_id; +} __rte_cache_aligned; + +struct lcore_params { + uint8_t port_id; + uint8_t queue_id; + uint8_t lcore_id; +} __rte_cache_aligned; + +static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; + +static struct lcore_params *lcore_params; +static uint16_t nb_lcore_params; + +static struct rte_hash *cdev_map_in; +static struct rte_hash *cdev_map_out; + +struct buffer { + uint16_t len; + struct rte_mbuf *m_table[MAX_PKT_BURST] __rte_aligned(sizeof(void *)); +}; + +struct lcore_conf { + uint16_t nb_rx_queue; + struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE]; + uint16_t tx_queue_id[RTE_MAX_ETHPORTS]; + struct buffer tx_mbufs[RTE_MAX_ETHPORTS]; + struct ipsec_ctx inbound; + struct ipsec_ctx outbound; + struct rt_ctx *rt_ctx; +} __rte_cache_aligned; + +static struct lcore_conf lcore_conf[RTE_MAX_LCORE]; + +static struct rte_eth_conf port_conf = { + .rxmode = { + .mq_mode = ETH_MQ_RX_RSS, + .max_rx_pkt_len = ETHER_MAX_LEN, + .split_hdr_size = 0, + .header_split = 0, /**< Header Split disabled */ + .hw_ip_checksum = 1, /**< IP checksum offload enabled */ + .hw_vlan_filter = 0, /**< VLAN filtering disabled */ + .jumbo_frame = 0, /**< Jumbo Frame Support disabled */ + .hw_strip_crc = 0, /**< CRC stripped by hardware */ + }, + .rx_adv_conf = { + .rss_conf = { + .rss_key = NULL, + .rss_hf = ETH_RSS_IP | ETH_RSS_UDP | + ETH_RSS_TCP | ETH_RSS_SCTP, + }, + }, + .txmode = { + .mq_mode = ETH_MQ_TX_NONE, + }, +}; + +static struct socket_ctx socket_ctx[NB_SOCKETS]; + +struct traffic_type { + const uint8_t *data[MAX_PKT_BURST * 2]; + struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; + uint32_t res[MAX_PKT_BURST * 2]; + uint32_t num; +}; + +struct ipsec_traffic { + struct traffic_type ipsec4; + struct traffic_type ipv4; +}; + +static inline void +prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) +{ + uint8_t *nlp; + + if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) { + rte_pktmbuf_adj(pkt, ETHER_HDR_LEN); + nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *, + offsetof(struct ip, ip_p)); + if (*nlp == IPPROTO_ESP) + t->ipsec4.pkts[(t->ipsec4.num)++] = pkt; + else { + t->ipv4.data[t->ipv4.num] = nlp; + t->ipv4.pkts[(t->ipv4.num)++] = pkt; + } + } else { + /* Unknown/Unsupported type, drop the packet */ + rte_pktmbuf_free(pkt); + } +} + +static inline void +prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t, + uint16_t nb_pkts) +{ + int32_t i; + + t->ipsec4.num = 0; + t->ipv4.num = 0; + + for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) { + rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET], + void *)); + prepare_one_packet(pkts[i], t); + } + /* Process left packets */ + for (; i < nb_pkts; i++) + prepare_one_packet(pkts[i], t); +} + +static inline void +prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port) +{ + pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4; + pkt->l3_len = sizeof(struct ip); + pkt->l2_len = ETHER_HDR_LEN; + + struct ether_hdr *ethhdr = (struct ether_hdr *)rte_pktmbuf_prepend(pkt, + ETHER_HDR_LEN); + + ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4); + memcpy(ðhdr->s_addr, ðaddr_tbl[port].src, + sizeof(struct ether_addr)); + memcpy(ðhdr->d_addr, ðaddr_tbl[port].dst, + sizeof(struct ether_addr)); +} + +static inline void +prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port) +{ + int32_t i; + const int32_t prefetch_offset = 2; + + for (i = 0; i < (nb_pkts - prefetch_offset); i++) { + rte_prefetch0(pkts[i + prefetch_offset]->cacheline1); + prepare_tx_pkt(pkts[i], port); + } + /* Process left packets */ + for (; i < nb_pkts; i++) + prepare_tx_pkt(pkts[i], port); +} + +/* Send burst of packets on an output interface */ +static inline int32_t +send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port) +{ + struct rte_mbuf **m_table; + int32_t ret; + uint16_t queueid; + + queueid = qconf->tx_queue_id[port]; + m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table; + + prepare_tx_burst(m_table, n, port); + + ret = rte_eth_tx_burst(port, queueid, m_table, n); + if (unlikely(ret < n)) { + do { + rte_pktmbuf_free(m_table[ret]); + } while (++ret < n); + } + + return 0; +} + +/* Enqueue a single packet, and send burst if queue is filled */ +static inline int32_t +send_single_packet(struct rte_mbuf *m, uint8_t port) +{ + uint32_t lcore_id; + uint16_t len; + struct lcore_conf *qconf; + + lcore_id = rte_lcore_id(); + + qconf = &lcore_conf[lcore_id]; + len = qconf->tx_mbufs[port].len; + qconf->tx_mbufs[port].m_table[len] = m; + len++; + + /* enough pkts to be sent */ + if (unlikely(len == MAX_PKT_BURST)) { + send_burst(qconf, MAX_PKT_BURST, port); + len = 0; + } + + qconf->tx_mbufs[port].len = len; + return 0; +} + +static inline void +process_pkts_inbound(struct ipsec_ctx *ipsec_ctx, + struct ipsec_traffic *traffic) +{ + struct rte_mbuf *m; + uint16_t idx, nb_pkts_in, i, j; + uint32_t sa_idx, res; + + nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts, + traffic->ipsec4.num, MAX_PKT_BURST); + + /* SP/ACL Inbound check ipsec and ipv4 */ + for (i = 0; i < nb_pkts_in; i++) { + idx = traffic->ipv4.num++; + m = traffic->ipsec4.pkts[i]; + traffic->ipv4.pkts[idx] = m; + traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m, + uint8_t *, offsetof(struct ip, ip_p)); + } + + rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx, + traffic->ipv4.data, traffic->ipv4.res, + traffic->ipv4.num, DEFAULT_MAX_CATEGORIES); + + j = 0; + for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) { + m = traffic->ipv4.pkts[i]; + res = traffic->ipv4.res[i]; + if (res & ~BYPASS) { + rte_pktmbuf_free(m); + continue; + } + traffic->ipv4.pkts[j++] = m; + } + /* Check return SA SPI matches pkt SPI */ + for ( ; i < traffic->ipv4.num; i++) { + m = traffic->ipv4.pkts[i]; + sa_idx = traffic->ipv4.res[i] & PROTECT_MASK; + if (sa_idx == 0 || !inbound_sa_check(ipsec_ctx->sa_ctx, + m, sa_idx)) { + rte_pktmbuf_free(m); + continue; + } + traffic->ipv4.pkts[j++] = m; + } + traffic->ipv4.num = j; +} + +static inline void +process_pkts_outbound(struct ipsec_ctx *ipsec_ctx, + struct ipsec_traffic *traffic) +{ + struct rte_mbuf *m; + uint16_t idx, nb_pkts_out, i, j; + uint32_t sa_idx, res; + + rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx, + traffic->ipv4.data, traffic->ipv4.res, + traffic->ipv4.num, DEFAULT_MAX_CATEGORIES); + + /* Drop any IPsec traffic from protected ports */ + for (i = 0; i < traffic->ipsec4.num; i++) + rte_pktmbuf_free(traffic->ipsec4.pkts[i]); + + traffic->ipsec4.num = 0; + + j = 0; + for (i = 0; i < traffic->ipv4.num; i++) { + m = traffic->ipv4.pkts[i]; + res = traffic->ipv4.res[i]; + sa_idx = res & PROTECT_MASK; + if ((res == 0) || (res & DISCARD)) + rte_pktmbuf_free(m); + else if (sa_idx != 0) { + traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx; + traffic->ipsec4.pkts[traffic->ipsec4.num++] = m; + } else /* BYPASS */ + traffic->ipv4.pkts[j++] = m; + } + traffic->ipv4.num = j; + + nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec4.pkts, + traffic->ipsec4.res, traffic->ipsec4.num, + MAX_PKT_BURST); + + for (i = 0; i < nb_pkts_out; i++) { + idx = traffic->ipv4.num++; + m = traffic->ipsec4.pkts[i]; + traffic->ipv4.pkts[idx] = m; + } +} + +static inline void +process_pkts_inbound_nosp(struct ipsec_ctx *ipsec_ctx, + struct ipsec_traffic *traffic) +{ + uint16_t nb_pkts_in, i; + + /* Drop any IPv4 traffic from unprotected ports */ + for (i = 0; i < traffic->ipv4.num; i++) + rte_pktmbuf_free(traffic->ipv4.pkts[i]); + + traffic->ipv4.num = 0; + + nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts, + traffic->ipsec4.num, MAX_PKT_BURST); + + for (i = 0; i < nb_pkts_in; i++) + traffic->ipv4.pkts[i] = traffic->ipsec4.pkts[i]; + + traffic->ipv4.num = nb_pkts_in; +} + +static inline void +process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx, + struct ipsec_traffic *traffic) +{ + uint16_t nb_pkts_out, i; + + /* Drop any IPsec traffic from protected ports */ + for (i = 0; i < traffic->ipsec4.num; i++) + rte_pktmbuf_free(traffic->ipsec4.pkts[i]); + + traffic->ipsec4.num = 0; + + for (i = 0; i < traffic->ipv4.num; i++) + traffic->ipv4.res[i] = single_sa_idx; + + nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipv4.pkts, + traffic->ipv4.res, traffic->ipv4.num, + MAX_PKT_BURST); + + traffic->ipv4.num = nb_pkts_out; +} + +static inline void +route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) +{ + uint32_t hop[MAX_PKT_BURST * 2]; + uint32_t dst_ip[MAX_PKT_BURST * 2]; + uint16_t i, offset; + + if (nb_pkts == 0) + return; + + for (i = 0; i < nb_pkts; i++) { + offset = offsetof(struct ip, ip_dst); + dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i], + uint32_t *, offset); + dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]); + } + + rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts); + + for (i = 0; i < nb_pkts; i++) { + if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) { + rte_pktmbuf_free(pkts[i]); + continue; + } + send_single_packet(pkts[i], hop[i] & 0xff); + } +} + +static inline void +process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts, + uint8_t nb_pkts, uint8_t portid) +{ + struct ipsec_traffic traffic = { 0 }; + + prepare_traffic(pkts, &traffic, nb_pkts); + + if (single_sa) { + if (UNPROTECTED_PORT(portid)) + process_pkts_inbound_nosp(&qconf->inbound, &traffic); + else + process_pkts_outbound_nosp(&qconf->outbound, &traffic); + } else { + if (UNPROTECTED_PORT(portid)) + process_pkts_inbound(&qconf->inbound, &traffic); + else + process_pkts_outbound(&qconf->outbound, &traffic); + } + + route_pkts(qconf->rt_ctx, traffic.ipv4.pkts, traffic.ipv4.num); +} + +static inline void +drain_buffers(struct lcore_conf *qconf) +{ + struct buffer *buf; + uint32_t portid; + + for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) { + buf = &qconf->tx_mbufs[portid]; + if (buf->len == 0) + continue; + send_burst(qconf, buf->len, portid); + buf->len = 0; + } +} + +/* main processing loop */ +static int32_t +main_loop(__attribute__((unused)) void *dummy) +{ + struct rte_mbuf *pkts[MAX_PKT_BURST]; + uint32_t lcore_id; + uint64_t prev_tsc, diff_tsc, cur_tsc; + int32_t i, nb_rx; + uint8_t portid, queueid; + struct lcore_conf *qconf; + int32_t socket_id; + const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1) + / US_PER_S * BURST_TX_DRAIN_US; + struct lcore_rx_queue *rxql; + + prev_tsc = 0; + lcore_id = rte_lcore_id(); + qconf = &lcore_conf[lcore_id]; + rxql = qconf->rx_queue_list; + socket_id = rte_lcore_to_socket_id(lcore_id); + + qconf->rt_ctx = socket_ctx[socket_id].rt_ipv4; + qconf->inbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_in; + qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_in; + qconf->inbound.cdev_map = cdev_map_in; + qconf->outbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_out; + qconf->outbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_out; + qconf->outbound.cdev_map = cdev_map_out; + + if (qconf->nb_rx_queue == 0) { + RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id); + return 0; + } + + RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id); + + for (i = 0; i < qconf->nb_rx_queue; i++) { + portid = rxql[i].port_id; + queueid = rxql[i].queue_id; + RTE_LOG(INFO, IPSEC, + " -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n", + lcore_id, portid, queueid); + } + + while (1) { + cur_tsc = rte_rdtsc(); + + /* TX queue buffer drain */ + diff_tsc = cur_tsc - prev_tsc; + + if (unlikely(diff_tsc > drain_tsc)) { + drain_buffers(qconf); + prev_tsc = cur_tsc; + } + + /* Read packet from RX queues */ + for (i = 0; i < qconf->nb_rx_queue; ++i) { + portid = rxql[i].port_id; + queueid = rxql[i].queue_id; + nb_rx = rte_eth_rx_burst(portid, queueid, + pkts, MAX_PKT_BURST); + + if (nb_rx > 0) + process_pkts(qconf, pkts, nb_rx, portid); + } + } +} + +static int32_t +check_params(void) +{ + uint8_t lcore, portid, nb_ports; + uint16_t i; + int32_t socket_id; + + if (lcore_params == NULL) { + printf("Error: No port/queue/core mappings\n"); + return -1; + } + + nb_ports = rte_eth_dev_count(); + if (nb_ports > RTE_MAX_ETHPORTS) + nb_ports = RTE_MAX_ETHPORTS; + + for (i = 0; i < nb_lcore_params; ++i) { + lcore = lcore_params[i].lcore_id; + if (!rte_lcore_is_enabled(lcore)) { + printf("error: lcore %hhu is not enabled in " + "lcore mask\n", lcore); + return -1; + } + socket_id = rte_lcore_to_socket_id(lcore); + if (socket_id != 0 && numa_on == 0) { + printf("warning: lcore %hhu is on socket %d " + "with numa off\n", + lcore, socket_id); + } + portid = lcore_params[i].port_id; + if ((enabled_port_mask & (1 << portid)) == 0) { + printf("port %u is not enabled in port mask\n", portid); + return -1; + } + if (portid >= nb_ports) { + printf("port %u is not present on the board\n", portid); + return -1; + } + } + return 0; +} + +static uint8_t +get_port_nb_rx_queues(const uint8_t port) +{ + int32_t queue = -1; + uint16_t i; + + for (i = 0; i < nb_lcore_params; ++i) { + if (lcore_params[i].port_id == port && + lcore_params[i].queue_id > queue) + queue = lcore_params[i].queue_id; + } + return (uint8_t)(++queue); +} + +static int32_t +init_lcore_rx_queues(void) +{ + uint16_t i, nb_rx_queue; + uint8_t lcore; + + for (i = 0; i < nb_lcore_params; ++i) { + lcore = lcore_params[i].lcore_id; + nb_rx_queue = lcore_conf[lcore].nb_rx_queue; + if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) { + printf("error: too many queues (%u) for lcore: %u\n", + nb_rx_queue + 1, lcore); + return -1; + } + lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id = + lcore_params[i].port_id; + lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id = + lcore_params[i].queue_id; + lcore_conf[lcore].nb_rx_queue++; + } + return 0; +} + +/* display usage */ +static void +print_usage(const char *prgname) +{ + printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK" + " --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]" + " --single-sa SAIDX --ep0|--ep1\n" + " -p PORTMASK: hexadecimal bitmask of ports to configure\n" + " -P : enable promiscuous mode\n" + " -u PORTMASK: hexadecimal bitmask of unprotected ports\n" + " --"OPTION_CONFIG": (port,queue,lcore): " + "rx queues configuration\n" + " --single-sa SAIDX: use single SA index for outbound, " + "bypassing the SP\n" + " --ep0: Configure as Endpoint 0\n" + " --ep1: Configure as Endpoint 1\n", prgname); +} + +static int32_t +parse_portmask(const char *portmask) +{ + char *end = NULL; + unsigned long pm; + + /* parse hexadecimal string */ + pm = strtoul(portmask, &end, 16); + if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0')) + return -1; + + if ((pm == 0) && errno) + return -1; + + return pm; +} + +static int32_t +parse_decimal(const char *str) +{ + char *end = NULL; + unsigned long num; + + num = strtoul(str, &end, 10); + if ((str[0] == '\0') || (end == NULL) || (*end != '\0')) + return -1; + + return num; +} + +static int32_t +parse_config(const char *q_arg) +{ + char s[256]; + const char *p, *p0 = q_arg; + char *end; + enum fieldnames { + FLD_PORT = 0, + FLD_QUEUE, + FLD_LCORE, + _NUM_FLD + }; + int long int_fld[_NUM_FLD]; + char *str_fld[_NUM_FLD]; + int32_t i; + uint32_t size; + + nb_lcore_params = 0; + + while ((p = strchr(p0, '(')) != NULL) { + ++p; + p0 = strchr(p, ')'); + if (p0 == NULL) + return -1; + + size = p0 - p; + if (size >= sizeof(s)) + return -1; + + snprintf(s, sizeof(s), "%.*s", size, p); + if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') != + _NUM_FLD) + return -1; + for (i = 0; i < _NUM_FLD; i++) { + errno = 0; + int_fld[i] = strtoul(str_fld[i], &end, 0); + if (errno != 0 || end == str_fld[i] || int_fld[i] > 255) + return -1; + } + if (nb_lcore_params >= MAX_LCORE_PARAMS) { + printf("exceeded max number of lcore params: %hu\n", + nb_lcore_params); + return -1; + } + lcore_params_array[nb_lcore_params].port_id = + (uint8_t)int_fld[FLD_PORT]; + lcore_params_array[nb_lcore_params].queue_id = + (uint8_t)int_fld[FLD_QUEUE]; + lcore_params_array[nb_lcore_params].lcore_id = + (uint8_t)int_fld[FLD_LCORE]; + ++nb_lcore_params; + } + lcore_params = lcore_params_array; + return 0; +} + +#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt))) +static int32_t +parse_args_long_options(struct option *lgopts, int32_t option_index) +{ + int32_t ret = -1; + const char *optname = lgopts[option_index].name; + + if (__STRNCMP(optname, OPTION_CONFIG)) { + ret = parse_config(optarg); + if (ret) + printf("invalid config\n"); + } + + if (__STRNCMP(optname, OPTION_SINGLE_SA)) { + ret = parse_decimal(optarg); + if (ret != -1) { + single_sa = 1; + single_sa_idx = ret; + printf("Configured with single SA index %u\n", + single_sa_idx); + ret = 0; + } + } + + if (__STRNCMP(optname, OPTION_EP0)) { + printf("endpoint 0\n"); + ep = 0; + ret = 0; + } + + if (__STRNCMP(optname, OPTION_EP1)) { + printf("endpoint 1\n"); + ep = 1; + ret = 0; + } + + return ret; +} +#undef __STRNCMP + +static int32_t +parse_args(int32_t argc, char **argv) +{ + int32_t opt, ret; + char **argvopt; + int32_t option_index; + char *prgname = argv[0]; + static struct option lgopts[] = { + {OPTION_CONFIG, 1, 0, 0}, + {OPTION_SINGLE_SA, 1, 0, 0}, + {OPTION_EP0, 0, 0, 0}, + {OPTION_EP1, 0, 0, 0}, + {NULL, 0, 0, 0} + }; + + argvopt = argv; + + while ((opt = getopt_long(argc, argvopt, "p:Pu:", + lgopts, &option_index)) != EOF) { + + switch (opt) { + case 'p': + enabled_port_mask = parse_portmask(optarg); + if (enabled_port_mask == 0) { + printf("invalid portmask\n"); + print_usage(prgname); + return -1; + } + break; + case 'P': + printf("Promiscuous mode selected\n"); + promiscuous_on = 1; + break; + case 'u': + unprotected_port_mask = parse_portmask(optarg); + if (unprotected_port_mask == 0) { + printf("invalid unprotected portmask\n"); + print_usage(prgname); + return -1; + } + break; + case 0: + if (parse_args_long_options(lgopts, option_index)) { + print_usage(prgname); + return -1; + } + break; + default: + print_usage(prgname); + return -1; + } + } + + if (optind >= 0) + argv[optind-1] = prgname; + + ret = optind-1; + optind = 0; /* reset getopt lib */ + return ret; +} + +static void +print_ethaddr(const char *name, const struct ether_addr *eth_addr) +{ + char buf[ETHER_ADDR_FMT_SIZE]; + ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr); + printf("%s%s", name, buf); +} + +/* Check the link status of all ports in up to 9s, and print them finally */ +static void +check_all_ports_link_status(uint8_t port_num, uint32_t port_mask) +{ +#define CHECK_INTERVAL 100 /* 100ms */ +#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */ + uint8_t portid, count, all_ports_up, print_flag = 0; + struct rte_eth_link link; + + printf("\nChecking link status"); + fflush(stdout); + for (count = 0; count <= MAX_CHECK_TIME; count++) { + all_ports_up = 1; + for (portid = 0; portid < port_num; portid++) { + if ((port_mask & (1 << portid)) == 0) + continue; + memset(&link, 0, sizeof(link)); + rte_eth_link_get_nowait(portid, &link); + /* print link status if flag set */ + if (print_flag == 1) { + if (link.link_status) + printf("Port %d Link Up - speed %u " + "Mbps - %s\n", (uint8_t)portid, + (uint32_t)link.link_speed, + (link.link_duplex == ETH_LINK_FULL_DUPLEX) ? + ("full-duplex") : ("half-duplex\n")); + else + printf("Port %d Link Down\n", + (uint8_t)portid); + continue; + } + /* clear all_ports_up flag if any link down */ + if (link.link_status == 0) { + all_ports_up = 0; + break; + } + } + /* after finally printing all link status, get out */ + if (print_flag == 1) + break; + + if (all_ports_up == 0) { + printf("."); + fflush(stdout); + rte_delay_ms(CHECK_INTERVAL); + } + + /* set the print_flag if all ports up or timeout */ + if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) { + print_flag = 1; + printf("done\n"); + } + } +} + +static int32_t +add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id, + uint16_t qp, struct lcore_params *params, + struct ipsec_ctx *ipsec_ctx, + const struct rte_cryptodev_capabilities *cipher, + const struct rte_cryptodev_capabilities *auth) +{ + int32_t ret = 0; + unsigned long i; + struct cdev_key key = { 0 }; + + key.lcore_id = params->lcore_id; + if (cipher) + key.cipher_algo = cipher->sym.cipher.algo; + if (auth) + key.auth_algo = auth->sym.auth.algo; + + ret = rte_hash_lookup(map, &key); + if (ret != -ENOENT) + return 0; + + for (i = 0; i < ipsec_ctx->nb_qps; i++) + if (ipsec_ctx->tbl[i].id == cdev_id) + break; + + if (i == ipsec_ctx->nb_qps) { + if (ipsec_ctx->nb_qps == MAX_QP_PER_LCORE) { + printf("Maximum number of crypto devices assigned to " + "a core, increase MAX_QP_PER_LCORE value\n"); + return 0; + } + ipsec_ctx->tbl[i].id = cdev_id; + ipsec_ctx->tbl[i].qp = qp; + ipsec_ctx->nb_qps++; + printf("%s cdev mapping: lcore %u using cdev %u qp %u " + "(cdev_id_qp %lu)\n", str, key.lcore_id, + cdev_id, qp, i); + } + + ret = rte_hash_add_key_data(map, &key, (void *)i); + if (ret < 0) { + printf("Faled to insert cdev mapping for (lcore %u, " + "cdev %u, qp %u), errno %d\n", + key.lcore_id, ipsec_ctx->tbl[i].id, + ipsec_ctx->tbl[i].qp, ret); + return 0; + } + + return 1; +} + +static int32_t +add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id, + uint16_t qp, struct lcore_params *params) +{ + int32_t ret = 0; + const struct rte_cryptodev_capabilities *i, *j; + struct rte_hash *map; + struct lcore_conf *qconf; + struct ipsec_ctx *ipsec_ctx; + const char *str; + + qconf = &lcore_conf[params->lcore_id]; + + if ((unprotected_port_mask & (1 << params->port_id)) == 0) { + map = cdev_map_out; + ipsec_ctx = &qconf->outbound; + str = "Outbound"; + } else { + map = cdev_map_in; + ipsec_ctx = &qconf->inbound; + str = "Inbound"; + } + + /* Required cryptodevs with operation chainning */ + if (!(dev_info->feature_flags & + RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING)) + return ret; + + for (i = dev_info->capabilities; + i->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; i++) { + if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC) + continue; + + if (i->sym.xform_type != RTE_CRYPTO_SYM_XFORM_CIPHER) + continue; + + for (j = dev_info->capabilities; + j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) { + if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC) + continue; + + if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH) + continue; + + ret |= add_mapping(map, str, cdev_id, qp, params, + ipsec_ctx, i, j); + } + } + + return ret; +} + +static int32_t +cryptodevs_init(void) +{ + struct rte_cryptodev_config dev_conf; + struct rte_cryptodev_qp_conf qp_conf; + uint16_t idx, max_nb_qps, qp, i; + int16_t cdev_id; + struct rte_hash_parameters params = { 0 }; + + params.entries = CDEV_MAP_ENTRIES; + params.key_len = sizeof(struct cdev_key); + params.hash_func = rte_jhash; + params.hash_func_init_val = 0; + params.socket_id = rte_socket_id(); + + params.name = "cdev_map_in"; + cdev_map_in = rte_hash_create(¶ms); + if (cdev_map_in == NULL) + rte_panic("Failed to create cdev_map hash table, errno = %d\n", + rte_errno); + + params.name = "cdev_map_out"; + cdev_map_out = rte_hash_create(¶ms); + if (cdev_map_out == NULL) + rte_panic("Failed to create cdev_map hash table, errno = %d\n", + rte_errno); + + printf("lcore/cryptodev/qp mappings:\n"); + + idx = 0; + /* Start from last cdev id to give HW priority */ + for (cdev_id = rte_cryptodev_count() - 1; cdev_id >= 0; cdev_id--) { + struct rte_cryptodev_info cdev_info; + + rte_cryptodev_info_get(cdev_id, &cdev_info); + + if (nb_lcore_params > cdev_info.max_nb_queue_pairs) + max_nb_qps = cdev_info.max_nb_queue_pairs; + else + max_nb_qps = nb_lcore_params; + + qp = 0; + i = 0; + while (qp < max_nb_qps && i < nb_lcore_params) { + if (add_cdev_mapping(&cdev_info, cdev_id, qp, + &lcore_params[idx])) + qp++; + idx++; + idx = idx % nb_lcore_params; + i++; + } + + if (qp == 0) + continue; + + dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id); + dev_conf.nb_queue_pairs = qp; + dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS; + dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ; + + if (rte_cryptodev_configure(cdev_id, &dev_conf)) + rte_panic("Failed to initialize crypodev %u\n", + cdev_id); + + qp_conf.nb_descriptors = CDEV_MP_NB_OBJS; + for (qp = 0; qp < dev_conf.nb_queue_pairs; qp++) + if (rte_cryptodev_queue_pair_setup(cdev_id, qp, + &qp_conf, dev_conf.socket_id)) + rte_panic("Failed to setup queue %u for " + "cdev_id %u\n", 0, cdev_id); + } + + printf("\n"); + + return 0; +} + +static void +port_init(uint8_t portid) +{ + struct rte_eth_dev_info dev_info; + struct rte_eth_txconf *txconf; + uint16_t nb_tx_queue, nb_rx_queue; + uint16_t tx_queueid, rx_queueid, queue, lcore_id; + int32_t ret, socket_id; + struct lcore_conf *qconf; + struct ether_addr ethaddr; + + rte_eth_dev_info_get(portid, &dev_info); + + printf("Configuring device port %u:\n", portid); + + rte_eth_macaddr_get(portid, ðaddr); + ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr); + print_ethaddr("Address: ", ðaddr); + printf("\n"); + + nb_rx_queue = get_port_nb_rx_queues(portid); + nb_tx_queue = nb_lcores; + + if (nb_rx_queue > dev_info.max_rx_queues) + rte_exit(EXIT_FAILURE, "Error: queue %u not available " + "(max rx queue is %u)\n", + nb_rx_queue, dev_info.max_rx_queues); + + if (nb_tx_queue > dev_info.max_tx_queues) + rte_exit(EXIT_FAILURE, "Error: queue %u not available " + "(max tx queue is %u)\n", + nb_tx_queue, dev_info.max_tx_queues); + + printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n", + nb_rx_queue, nb_tx_queue); + + ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue, + &port_conf); + if (ret < 0) + rte_exit(EXIT_FAILURE, "Cannot configure device: " + "err=%d, port=%d\n", ret, portid); + + /* init one TX queue per lcore */ + tx_queueid = 0; + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { + if (rte_lcore_is_enabled(lcore_id) == 0) + continue; + + if (numa_on) + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); + else + socket_id = 0; + + /* init TX queue */ + printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id); + + txconf = &dev_info.default_txconf; + txconf->txq_flags = 0; + + ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd, + socket_id, txconf); + if (ret < 0) + rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: " + "err=%d, port=%d\n", ret, portid); + + qconf = &lcore_conf[lcore_id]; + qconf->tx_queue_id[portid] = tx_queueid; + tx_queueid++; + + /* init RX queues */ + for (queue = 0; queue < qconf->nb_rx_queue; ++queue) { + if (portid != qconf->rx_queue_list[queue].port_id) + continue; + + rx_queueid = qconf->rx_queue_list[queue].queue_id; + + printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid, + socket_id); + + ret = rte_eth_rx_queue_setup(portid, rx_queueid, + nb_rxd, socket_id, NULL, + socket_ctx[socket_id].mbuf_pool); + if (ret < 0) + rte_exit(EXIT_FAILURE, + "rte_eth_rx_queue_setup: err=%d, " + "port=%d\n", ret, portid); + } + } + printf("\n"); +} + +static void +pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf) +{ + char s[64]; + + snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id); + ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf, + MEMPOOL_CACHE_SIZE, ipsec_metadata_size(), + RTE_MBUF_DEFAULT_BUF_SIZE, + socket_id); + if (ctx->mbuf_pool == NULL) + rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n", + socket_id); + else + printf("Allocated mbuf pool on socket %d\n", socket_id); +} + +int32_t +main(int32_t argc, char **argv) +{ + int32_t ret; + uint32_t lcore_id, nb_ports; + uint8_t portid, socket_id; + + /* init EAL */ + ret = rte_eal_init(argc, argv); + if (ret < 0) + rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n"); + argc -= ret; + argv += ret; + + /* parse application arguments (after the EAL ones) */ + ret = parse_args(argc, argv); + if (ret < 0) + rte_exit(EXIT_FAILURE, "Invalid parameters\n"); + + if (ep < 0) + rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n"); + + if ((unprotected_port_mask & enabled_port_mask) != + unprotected_port_mask) + rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n", + unprotected_port_mask); + + nb_ports = rte_eth_dev_count(); + if (nb_ports > RTE_MAX_ETHPORTS) + nb_ports = RTE_MAX_ETHPORTS; + + if (check_params() < 0) + rte_exit(EXIT_FAILURE, "check_params failed\n"); + + ret = init_lcore_rx_queues(); + if (ret < 0) + rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n"); + + nb_lcores = rte_lcore_count(); + + /* Replicate each contex per socket */ + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { + if (rte_lcore_is_enabled(lcore_id) == 0) + continue; + + if (numa_on) + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); + else + socket_id = 0; + + if (socket_ctx[socket_id].mbuf_pool) + continue; + + sa_init(&socket_ctx[socket_id], socket_id, ep); + + sp_init(&socket_ctx[socket_id], socket_id, ep); + + rt_init(&socket_ctx[socket_id], socket_id, ep); + + pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); + } + + for (portid = 0; portid < nb_ports; portid++) { + if ((enabled_port_mask & (1 << portid)) == 0) + continue; + + port_init(portid); + } + + cryptodevs_init(); + + /* start ports */ + for (portid = 0; portid < nb_ports; portid++) { + if ((enabled_port_mask & (1 << portid)) == 0) + continue; + + /* Start device */ + ret = rte_eth_dev_start(portid); + if (ret < 0) + rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " + "err=%d, port=%d\n", ret, portid); + /* + * If enabled, put device in promiscuous mode. + * This allows IO forwarding mode to forward packets + * to itself through 2 cross-connected ports of the + * target machine. + */ + if (promiscuous_on) + rte_eth_promiscuous_enable(portid); + } + + check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask); + + /* launch per-lcore init on every lcore */ + rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER); + RTE_LCORE_FOREACH_SLAVE(lcore_id) { + if (rte_eal_wait_lcore(lcore_id) < 0) + return -1; + } + + return 0; +} diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c new file mode 100644 index 0000000..192dddd --- /dev/null +++ b/examples/ipsec-secgw/ipsec.c @@ -0,0 +1,203 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <netinet/in.h> +#include <netinet/ip.h> + +#include <rte_branch_prediction.h> +#include <rte_log.h> +#include <rte_crypto.h> +#include <rte_cryptodev.h> +#include <rte_mbuf.h> +#include <rte_hash.h> + +#include "ipsec.h" + +static inline int +create_session(struct ipsec_ctx *ipsec_ctx __rte_unused, struct ipsec_sa *sa) +{ + uint32_t cdev_id_qp = 0; + int32_t ret; + struct cdev_key key = { 0 }; + + key.lcore_id = (uint8_t)rte_lcore_id(); + + key.cipher_algo = (uint8_t)sa->cipher_algo; + key.auth_algo = (uint8_t)sa->auth_algo; + + ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, + (void **)&cdev_id_qp); + if (ret < 0) { + IPSEC_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, " + "auth_algo %u\n", key.lcore_id, key.cipher_algo, + key.auth_algo); + return -1; + } + + IPSEC_LOG(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev " + "%u qp %u\n", sa->spi, ipsec_ctx->tbl[cdev_id_qp].id, + ipsec_ctx->tbl[cdev_id_qp].qp); + + sa->crypto_session = rte_cryptodev_sym_session_create( + ipsec_ctx->tbl[cdev_id_qp].id, sa->xforms); + + sa->cdev_id_qp = cdev_id_qp; + + return 0; +} + +static inline void +enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop) +{ + int ret, i; + + cqp->buf[cqp->len++] = cop; + + if (cqp->len == MAX_PKT_BURST) { + ret = rte_cryptodev_enqueue_burst(cqp->id, cqp->qp, + cqp->buf, cqp->len); + if (ret < cqp->len) { + IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" + " enqueued %u crypto ops out of %u\n", + cqp->id, cqp->qp, + ret, cqp->len); + for (i = ret; i < cqp->len; i++) + rte_pktmbuf_free(cqp->buf[i]->sym->m_src); + } + cqp->in_flight += ret; + cqp->len = 0; + } +} + +static inline uint16_t +ipsec_processing(struct ipsec_ctx *ipsec_ctx, struct rte_mbuf *pkts[], + struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts) +{ + int ret = 0, i, j, nb_cops; + struct ipsec_mbuf_metadata *priv; + struct rte_crypto_op *cops[max_pkts]; + struct ipsec_sa *sa; + struct rte_mbuf *pkt; + + for (i = 0; i < nb_pkts; i++) { + rte_prefetch0(sas[i]); + rte_prefetch0(pkts[i]); + + priv = get_priv(pkts[i]); + sa = sas[i]; + priv->sa = sa; + + IPSEC_ASSERT(sa != NULL); + + priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; + + rte_prefetch0(&priv->sym_cop); + priv->cop.sym = &priv->sym_cop; + + if ((unlikely(sa->crypto_session == NULL)) && + create_session(ipsec_ctx, sa)) { + rte_pktmbuf_free(pkts[i]); + continue; + } + + rte_crypto_op_attach_sym_session(&priv->cop, + sa->crypto_session); + + ret = sa->pre_crypto(pkts[i], sa, &priv->cop); + if (unlikely(ret)) { + rte_pktmbuf_free(pkts[i]); + continue; + } + + IPSEC_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps); + enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop); + } + + nb_pkts = 0; + for (i = 0; i < ipsec_ctx->nb_qps && nb_pkts < max_pkts; i++) { + struct cdev_qp *cqp; + + cqp = &ipsec_ctx->tbl[ipsec_ctx->last_qp++]; + if (ipsec_ctx->last_qp == ipsec_ctx->nb_qps) + ipsec_ctx->last_qp %= ipsec_ctx->nb_qps; + + if (cqp->in_flight == 0) + continue; + + nb_cops = rte_cryptodev_dequeue_burst(cqp->id, cqp->qp, + cops, max_pkts - nb_pkts); + + cqp->in_flight -= nb_cops; + + for (j = 0; j < nb_cops; j++) { + pkt = cops[j]->sym->m_src; + rte_prefetch0(pkt); + + priv = get_priv(pkt); + sa = priv->sa; + + IPSEC_ASSERT(sa != NULL); + + ret = sa->post_crypto(pkt, sa, cops[j]); + if (unlikely(ret)) + rte_pktmbuf_free(pkt); + else + pkts[nb_pkts++] = pkt; + } + } + + /* return packets */ + return nb_pkts; +} + +uint16_t +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], + uint16_t nb_pkts, uint16_t len) +{ + struct ipsec_sa *sas[nb_pkts]; + + inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts); + + return ipsec_processing(ctx, pkts, sas, nb_pkts, len); +} + +uint16_t +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len) +{ + struct ipsec_sa *sas[nb_pkts]; + + outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts); + + return ipsec_processing(ctx, pkts, sas, nb_pkts, len); +} diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h new file mode 100644 index 0000000..2ab01fc --- /dev/null +++ b/examples/ipsec-secgw/ipsec.h @@ -0,0 +1,192 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __IPSEC_H__ +#define __IPSEC_H__ + +#include <stdint.h> +#include <netinet/in.h> +#include <netinet/ip.h> + +#include <rte_byteorder.h> +#include <rte_ip.h> +#include <rte_crypto.h> + +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 +#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 +#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3 + +#define MAX_PKT_BURST 32 +#define MAX_QP_PER_LCORE 256 + +#ifdef IPSEC_DEBUG +#define IPSEC_ASSERT(exp) \ +if (!(exp)) { \ + rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \ +} + +#define IPSEC_LOG RTE_LOG +#else +#define IPSEC_ASSERT(exp) do {} while (0) +#define IPSEC_LOG(...) do {} while (0) +#endif /* IPSEC_DEBUG */ + +#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ + +#define uint32_t_to_char(ip, a, b, c, d) do {\ + *a = (unsigned char)(ip >> 24 & 0xff);\ + *b = (unsigned char)(ip >> 16 & 0xff);\ + *c = (unsigned char)(ip >> 8 & 0xff);\ + *d = (unsigned char)(ip & 0xff);\ + } while (0) + +#define DEFAULT_MAX_CATEGORIES 1 + +#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */ +#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) +#define INVALID_SPI (0) + +#define DISCARD (0x80000000) +#define BYPASS (0x40000000) +#define PROTECT_MASK (0x3fffffff) +#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ + +#define IPSEC_XFORM_MAX 2 + +struct rte_crypto_xform; +struct ipsec_xform; +struct rte_cryptodev_session; +struct rte_mbuf; + +struct ipsec_sa; + +typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +struct ipsec_sa { + uint32_t spi; + uint32_t cdev_id_qp; + uint32_t src; + uint32_t dst; + struct rte_cryptodev_sym_session *crypto_session; + struct rte_crypto_sym_xform *xforms; + ipsec_xform_fn pre_crypto; + ipsec_xform_fn post_crypto; + enum rte_crypto_cipher_algorithm cipher_algo; + enum rte_crypto_auth_algorithm auth_algo; + uint16_t digest_len; + uint16_t iv_len; + uint16_t block_size; + uint16_t flags; + uint32_t seq; +} __rte_cache_aligned; + +struct ipsec_mbuf_metadata { + struct ipsec_sa *sa; + struct rte_crypto_op cop; + struct rte_crypto_sym_op sym_cop; +}; + +struct cdev_qp { + uint16_t id; + uint16_t qp; + uint16_t in_flight; + uint16_t len; + struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *)); +}; + +struct ipsec_ctx { + struct rte_hash *cdev_map; + struct sp_ctx *sp_ctx; + struct sa_ctx *sa_ctx; + uint16_t nb_qps; + uint16_t last_qp; + struct cdev_qp tbl[MAX_QP_PER_LCORE]; +}; + +struct cdev_key { + uint16_t lcore_id; + uint8_t cipher_algo; + uint8_t auth_algo; +}; + +struct socket_ctx { + struct sa_ctx *sa_ipv4_in; + struct sa_ctx *sa_ipv4_out; + struct sp_ctx *sp_ipv4_in; + struct sp_ctx *sp_ipv4_out; + struct rt_ctx *rt_ipv4; + struct rte_mempool *mbuf_pool; +}; + +uint16_t +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], + uint16_t nb_pkts, uint16_t len); + +uint16_t +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len); + +static inline uint16_t +ipsec_metadata_size(void) +{ + return sizeof(struct ipsec_mbuf_metadata); +} + +static inline struct ipsec_mbuf_metadata * +get_priv(struct rte_mbuf *m) +{ + return RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); +} + +int +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); + +void +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], + struct ipsec_sa *sa[], uint16_t nb_pkts); + +void +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], + struct ipsec_sa *sa[], uint16_t nb_pkts); + +void +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep); + +void +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep); + +void +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep); + +#endif /* __IPSEC_H__ */ diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c new file mode 100644 index 0000000..224f200 --- /dev/null +++ b/examples/ipsec-secgw/rt.c @@ -0,0 +1,144 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Routing Table (RT) + */ +#include <rte_lpm.h> +#include <rte_errno.h> + +#include "ipsec.h" + +#define RT_IPV4_MAX_RULES 64 + +struct ipv4_route { + uint32_t ip; + uint8_t depth; + uint8_t if_out; +}; + +/* In the default routing table we have: + * ep0 protected ports 0 and 1, and unprotected ports 2 and 3. + */ +static struct ipv4_route rt_ipv4_ep0[] = { + { IPv4(172, 16, 2, 5), 32, 0 }, + { IPv4(172, 16, 2, 6), 32, 0 }, + { IPv4(172, 16, 2, 7), 32, 1 }, + { IPv4(172, 16, 2, 8), 32, 1 }, + + { IPv4(192, 168, 115, 0), 24, 2 }, + { IPv4(192, 168, 116, 0), 24, 2 }, + { IPv4(192, 168, 117, 0), 24, 3 }, + { IPv4(192, 168, 118, 0), 24, 3 }, + + { IPv4(192, 168, 210, 0), 24, 2 }, + + { IPv4(192, 168, 240, 0), 24, 2 }, + { IPv4(192, 168, 250, 0), 24, 0 } +}; + +/* In the default routing table we have: + * ep1 protected ports 0 and 1, and unprotected ports 2 and 3. + */ +static struct ipv4_route rt_ipv4_ep1[] = { + { IPv4(172, 16, 1, 5), 32, 2 }, + { IPv4(172, 16, 1, 6), 32, 2 }, + { IPv4(172, 16, 1, 7), 32, 3 }, + { IPv4(172, 16, 1, 8), 32, 3 }, + + { IPv4(192, 168, 105, 0), 24, 0 }, + { IPv4(192, 168, 106, 0), 24, 0 }, + { IPv4(192, 168, 107, 0), 24, 1 }, + { IPv4(192, 168, 108, 0), 24, 1 }, + + { IPv4(192, 168, 200, 0), 24, 0 }, + + { IPv4(192, 168, 240, 0), 24, 2 }, + { IPv4(192, 168, 250, 0), 24, 0 } +}; + +void +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep) +{ + char name[PATH_MAX]; + unsigned i; + int ret; + struct rte_lpm *lpm; + struct ipv4_route *rt; + char a, b, c, d; + unsigned nb_routes; + struct rte_lpm_config conf = { 0 }; + + if (ctx == NULL) + rte_exit(EXIT_FAILURE, "NULL context.\n"); + + if (ctx->rt_ipv4 != NULL) + rte_exit(EXIT_FAILURE, "Routing Table for socket %u already " + "initialized\n", socket_id); + + printf("Creating Routing Table (RT) context with %u max routes\n", + RT_IPV4_MAX_RULES); + + if (ep == 0) { + rt = rt_ipv4_ep0; + nb_routes = RTE_DIM(rt_ipv4_ep0); + } else if (ep == 1) { + rt = rt_ipv4_ep1; + nb_routes = RTE_DIM(rt_ipv4_ep1); + } else + rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 " + "supported.\n", ep); + + /* create the LPM table */ + snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id); + conf.max_rules = RT_IPV4_MAX_RULES; + conf.number_tbl8s = RTE_LPM_TBL8_NUM_ENTRIES; + lpm = rte_lpm_create(name, socket_id, &conf); + if (lpm == NULL) + rte_exit(EXIT_FAILURE, "Unable to create LPM table " + "on socket %d\n", socket_id); + + /* populate the LPM table */ + for (i = 0; i < nb_routes; i++) { + ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out); + if (ret < 0) + rte_exit(EXIT_FAILURE, "Unable to add entry num %u to " + "LPM table on socket %d\n", i, socket_id); + + uint32_t_to_char(rt[i].ip, &a, &b, &c, &d); + printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n", + a, b, c, d, rt[i].depth, rt[i].if_out); + } + + ctx->rt_ipv4 = (struct rt_ctx *)lpm; +} diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c new file mode 100644 index 0000000..5483064 --- /dev/null +++ b/examples/ipsec-secgw/sa.c @@ -0,0 +1,438 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Security Associations + */ +#include <netinet/ip.h> + +#include <rte_memzone.h> +#include <rte_crypto.h> +#include <rte_cryptodev.h> +#include <rte_byteorder.h> +#include <rte_errno.h> + +#include "ipsec.h" +#include "esp.h" + +/* SAs EP0 Outbound */ +const struct ipsec_sa sa_ep0_out[] = { + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, + 0, 0, 4, + 0, 0 }, +}; + +/* SAs EP0 Inbound */ +const struct ipsec_sa sa_ep0_in[] = { + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, + 0, 0, 4, + 0, 0 }, +}; + +/* SAs EP1 Outbound */ +const struct ipsec_sa sa_ep1_out[] = { + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, + 0, 0, 4, + 0, 0 }, +}; + +/* SAs EP1 Inbound */ +const struct ipsec_sa sa_ep1_in[] = { + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, + 0, 0, 4, + 0, 0 }, +}; + +static uint8_t cipher_key[256] = "sixteenbytes key"; + +/* AES CBC xform */ +const struct rte_crypto_sym_xform aescbc_enc_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC, + .key = { cipher_key, 16 } } +}; + +const struct rte_crypto_sym_xform aescbc_dec_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC, + .key = { cipher_key, 16 } } +}; + +static uint8_t auth_key[256] = "twentybytes hash key"; + +/* SHA1 HMAC xform */ +const struct rte_crypto_sym_xform sha1hmac_gen_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC, + .key = { auth_key, 20 }, 12, 0 } +}; + +const struct rte_crypto_sym_xform sha1hmac_verify_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC, + .key = { auth_key, 20 }, 12, 0 } +}; + +/* AES CBC xform */ +const struct rte_crypto_sym_xform null_cipher_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { .algo = RTE_CRYPTO_CIPHER_NULL } +}; + +const struct rte_crypto_sym_xform null_auth_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { .algo = RTE_CRYPTO_AUTH_NULL } +}; + +struct sa_ctx { + struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES]; + struct { + struct rte_crypto_sym_xform a; + struct rte_crypto_sym_xform b; + } xf[IPSEC_SA_MAX_ENTRIES]; +}; + +static struct sa_ctx * +sa_ipv4_create(const char *name, int socket_id) +{ + char s[PATH_MAX]; + struct sa_ctx *sa_ctx; + unsigned mz_size; + const struct rte_memzone *mz; + + snprintf(s, sizeof(s), "%s_%u", name, socket_id); + + /* Create SA array table */ + printf("Creating SA context with %u maximum entries\n", + IPSEC_SA_MAX_ENTRIES); + + mz_size = sizeof(struct sa_ctx); + mz = rte_memzone_reserve(s, mz_size, socket_id, + RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY); + if (mz == NULL) { + printf("Failed to allocate SA DB memory\n"); + rte_errno = -ENOMEM; + return NULL; + } + + sa_ctx = (struct sa_ctx *)mz->addr; + + return sa_ctx; +} + +static int +sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], + unsigned nb_entries, unsigned inbound) +{ + struct ipsec_sa *sa; + unsigned i, idx; + + for (i = 0; i < nb_entries; i++) { + idx = SPI2IDX(entries[i].spi); + sa = &sa_ctx->sa[idx]; + if (sa->spi != 0) { + printf("Index %u already in use by SPI %u\n", + idx, sa->spi); + return -EINVAL; + } + *sa = entries[i]; + sa->src = rte_cpu_to_be_32(sa->src); + sa->dst = rte_cpu_to_be_32(sa->dst); + if (inbound) { + if (sa->cipher_algo == RTE_CRYPTO_CIPHER_NULL) { + sa_ctx->xf[idx].a = null_auth_xf; + sa_ctx->xf[idx].b = null_cipher_xf; + } else { + sa_ctx->xf[idx].a = sha1hmac_verify_xf; + sa_ctx->xf[idx].b = aescbc_dec_xf; + } + } else { /* outbound */ + if (sa->cipher_algo == RTE_CRYPTO_CIPHER_NULL) { + sa_ctx->xf[idx].a = null_cipher_xf; + sa_ctx->xf[idx].b = null_auth_xf; + } else { + sa_ctx->xf[idx].a = aescbc_enc_xf; + sa_ctx->xf[idx].b = sha1hmac_gen_xf; + } + } + sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b; + sa_ctx->xf[idx].b.next = NULL; + sa->xforms = &sa_ctx->xf[idx].a; + } + + return 0; +} + +static inline int +sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], + unsigned nb_entries) +{ + return sa_add_rules(sa_ctx, entries, nb_entries, 0); +} + +static inline int +sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], + unsigned nb_entries) +{ + return sa_add_rules(sa_ctx, entries, nb_entries, 1); +} + +void +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep) +{ + const struct ipsec_sa *sa_out_entries, *sa_in_entries; + unsigned nb_out_entries, nb_in_entries; + const char *name; + + if (ctx == NULL) + rte_exit(EXIT_FAILURE, "NULL context.\n"); + + if (ctx->sa_ipv4_in != NULL) + rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already " + "initialized\n", socket_id); + + if (ctx->sa_ipv4_out != NULL) + rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already " + "initialized\n", socket_id); + + if (ep == 0) { + sa_out_entries = sa_ep0_out; + nb_out_entries = RTE_DIM(sa_ep0_out); + sa_in_entries = sa_ep0_in; + nb_in_entries = RTE_DIM(sa_ep0_in); + } else if (ep == 1) { + sa_out_entries = sa_ep1_out; + nb_out_entries = RTE_DIM(sa_ep1_out); + sa_in_entries = sa_ep1_in; + nb_in_entries = RTE_DIM(sa_ep1_in); + } else + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " + "Only 0 or 1 supported.\n", ep); + + name = "sa_ipv4_in"; + ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id); + if (ctx->sa_ipv4_in == NULL) + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " + "in socket %d\n", rte_errno, name, socket_id); + + name = "sa_ipv4_out"; + ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id); + if (ctx->sa_ipv4_out == NULL) + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " + "in socket %d\n", rte_errno, name, socket_id); + + sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, nb_in_entries); + + sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, nb_out_entries); +} + +int +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx) +{ + struct ipsec_mbuf_metadata *priv; + + priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); + + return (sa_ctx->sa[sa_idx].spi == priv->sa->spi); +} + +void +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], + struct ipsec_sa *sa[], uint16_t nb_pkts) +{ + unsigned i; + uint32_t *src, spi; + + for (i = 0; i < nb_pkts; i++) { + spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *, + sizeof(struct ip))->spi; + + if (spi == INVALID_SPI) + continue; + + sa[i] = &sa_ctx->sa[SPI2IDX(spi)]; + if (spi != sa[i]->spi) { + sa[i] = NULL; + continue; + } + + src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *, + offsetof(struct ip, ip_src)); + if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1))) + sa[i] = NULL; + } +} + +void +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], + struct ipsec_sa *sa[], uint16_t nb_pkts) +{ + unsigned i; + + for (i = 0; i < nb_pkts; i++) + sa[i] = &sa_ctx->sa[sa_idx[i]]; +} diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c new file mode 100644 index 0000000..69c9027 --- /dev/null +++ b/examples/ipsec-secgw/sp.c @@ -0,0 +1,364 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Security Policies + */ +#include <netinet/ip.h> + +#include <rte_acl.h> + +#include "ipsec.h" + +#define MAX_ACL_RULE_NUM 1000 + +/* + * Rule and trace formats definitions. + */ +enum { + PROTO_FIELD_IPV4, + SRC_FIELD_IPV4, + DST_FIELD_IPV4, + SRCP_FIELD_IPV4, + DSTP_FIELD_IPV4, + NUM_FIELDS_IPV4 +}; + +/* + * That effectively defines order of IPV4 classifications: + * - PROTO + * - SRC IP ADDRESS + * - DST IP ADDRESS + * - PORTS (SRC and DST) + */ +enum { + RTE_ACL_IPV4_PROTO, + RTE_ACL_IPV4_SRC, + RTE_ACL_IPV4_DST, + RTE_ACL_IPV4_PORTS, + RTE_ACL_IPV4_NUM +}; + +struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = { + { + .type = RTE_ACL_FIELD_TYPE_BITMASK, + .size = sizeof(uint8_t), + .field_index = PROTO_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_PROTO, + .offset = 0, + }, + { + .type = RTE_ACL_FIELD_TYPE_MASK, + .size = sizeof(uint32_t), + .field_index = SRC_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_SRC, + .offset = offsetof(struct ip, ip_src) - offsetof(struct ip, ip_p) + }, + { + .type = RTE_ACL_FIELD_TYPE_MASK, + .size = sizeof(uint32_t), + .field_index = DST_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_DST, + .offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p) + }, + { + .type = RTE_ACL_FIELD_TYPE_RANGE, + .size = sizeof(uint16_t), + .field_index = SRCP_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_PORTS, + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) + }, + { + .type = RTE_ACL_FIELD_TYPE_RANGE, + .size = sizeof(uint16_t), + .field_index = DSTP_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_PORTS, + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) + + sizeof(uint16_t) + }, +}; + +RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs)); + +const struct acl4_rules acl4_rules_in[] = { + { + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 105, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 106, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 107, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 108, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 200, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = BYPASS, .category_mask = 1, .priority = 6}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 250, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + } +}; + +const struct acl4_rules acl4_rules_out[] = { + { + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 115, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 116, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 117, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 118, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 210, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = BYPASS, .category_mask = 1, .priority = 6}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 240, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + } +}; + +static void +print_one_ipv4_rule(const struct acl4_rules *rule, int extra) +{ + unsigned char a, b, c, d; + + uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32, + &a, &b, &c, &d); + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, + rule->field[SRC_FIELD_IPV4].mask_range.u32); + uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32, + &a, &b, &c, &d); + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, + rule->field[DST_FIELD_IPV4].mask_range.u32); + printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ", + rule->field[SRCP_FIELD_IPV4].value.u16, + rule->field[SRCP_FIELD_IPV4].mask_range.u16, + rule->field[DSTP_FIELD_IPV4].value.u16, + rule->field[DSTP_FIELD_IPV4].mask_range.u16, + rule->field[PROTO_FIELD_IPV4].value.u8, + rule->field[PROTO_FIELD_IPV4].mask_range.u8); + if (extra) + printf("0x%x-0x%x-0x%x ", + rule->data.category_mask, + rule->data.priority, + rule->data.userdata); +} + +static inline void +dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra) +{ + int i; + + for (i = 0; i < num; i++, rule++) { + printf("\t%d:", i + 1); + print_one_ipv4_rule(rule, extra); + printf("\n"); + } +} + +static struct rte_acl_ctx * +acl4_init(const char *name, int socketid, const struct acl4_rules *rules, + unsigned rules_nb) +{ + char s[PATH_MAX]; + struct rte_acl_param acl_param; + struct rte_acl_config acl_build_param; + struct rte_acl_ctx *ctx; + + printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM); + + memset(&acl_param, 0, sizeof(acl_param)); + + /* Create ACL contexts */ + snprintf(s, sizeof(s), "%s_%d", name, socketid); + + printf("IPv4 %s entries [%u]:\n", s, rules_nb); + dump_ipv4_rules(rules, rules_nb, 1); + + acl_param.name = s; + acl_param.socket_id = socketid; + acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs)); + acl_param.max_rule_num = MAX_ACL_RULE_NUM; + + ctx = rte_acl_create(&acl_param); + if (ctx == NULL) + rte_exit(EXIT_FAILURE, "Failed to create ACL context\n"); + + if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules, + rules_nb) < 0) + rte_exit(EXIT_FAILURE, "add rules failed\n"); + + /* Perform builds */ + memset(&acl_build_param, 0, sizeof(acl_build_param)); + + acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES; + acl_build_param.num_fields = RTE_DIM(ipv4_defs); + memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs)); + + if (rte_acl_build(ctx, &acl_build_param) != 0) + rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n"); + + rte_acl_dump(ctx); + + return ctx; +} + +void +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep) +{ + const char *name; + const struct acl4_rules *rules_out, *rules_in; + unsigned nb_out_rules, nb_in_rules; + + if (ctx == NULL) + rte_exit(EXIT_FAILURE, "NULL context.\n"); + + if (ctx->sp_ipv4_in != NULL) + rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already " + "initialized\n", socket_id); + + if (ctx->sp_ipv4_out != NULL) + rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already " + "initialized\n", socket_id); + + if (ep == 0) { + rules_out = acl4_rules_in; + nb_out_rules = RTE_DIM(acl4_rules_in); + rules_in = acl4_rules_out; + nb_in_rules = RTE_DIM(acl4_rules_out); + } else if (ep == 1) { + rules_out = acl4_rules_out; + nb_out_rules = RTE_DIM(acl4_rules_out); + rules_in = acl4_rules_in; + nb_in_rules = RTE_DIM(acl4_rules_in); + } else + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " + "Only 0 or 1 supported.\n", ep); + + name = "sp_ipv4_in"; + ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id, + rules_in, nb_in_rules); + + name = "sp_ipv4_out"; + ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id, + rules_out, nb_out_rules); +} -- 2.4.3 ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v2] example/ipsec-secgw: ipsec security gateway 2016-03-11 1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy @ 2016-03-11 2:12 ` De Lara Guarch, Pablo 2016-03-11 2:12 ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy 1 sibling, 0 replies; 15+ messages in thread From: De Lara Guarch, Pablo @ 2016-03-11 2:12 UTC (permalink / raw) To: Gonzalez Monroy, Sergio, dev Hi, > -----Original Message----- > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Sergio Gonzalez > Monroy > Sent: Friday, March 11, 2016 1:39 AM > To: dev@dpdk.org > Subject: [dpdk-dev] [PATCH v2] example/ipsec-secgw: ipsec security gateway > > Sample app implementing an IPsec Security Geteway. > The main goal of this app is to show the use of cryptodev framework > in a "real world" application. > > Currently only supported static IPv4 ESP IPsec tunnels for the following > algorithms: > - Cipher: AES-CBC, NULL > - Authentication: HMAC-SHA1, NULL > > Not supported: > - SA auto negotiation (No IKE implementation) > - chained mbufs > > Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> > --- > > v2: > - Update to use new cryptodev API > - NULL PMD support > * dependency on "null_crypto_pmd: PMD to support null crypto > operations" > http://dpdk.org/dev/patchwork/patch/11428/ > - Added --single-sa option to bypass SP/ACL > - Removed option for QAT/AESNI and instead expects vdev to be created > through EAL with command line options. > * dependency on "cryptodev: add capabilities discovery mechanism" > http://dpdk.org/dev/patchwork/patch/11434/ > - fixed inbound traffic bug > - fixed bug with single core bi-directional traffic (inbound and outbound) > > MAINTAINERS | 4 + > doc/guides/rel_notes/release_16_04.rst | 3 + > doc/guides/sample_app_ug/index.rst | 1 + > doc/guides/sample_app_ug/ipsec_secgw.rst | 524 ++++++++++++ > examples/Makefile | 2 + > examples/ipsec-secgw/Makefile | 58 ++ > examples/ipsec-secgw/esp.c | 250 ++++++ > examples/ipsec-secgw/esp.h | 66 ++ > examples/ipsec-secgw/ipip.h | 103 +++ > examples/ipsec-secgw/ipsec-secgw.c | 1360 > ++++++++++++++++++++++++++++++ > examples/ipsec-secgw/ipsec.c | 203 +++++ > examples/ipsec-secgw/ipsec.h | 192 +++++ > examples/ipsec-secgw/rt.c | 144 ++++ > examples/ipsec-secgw/sa.c | 438 ++++++++++ > examples/ipsec-secgw/sp.c | 364 ++++++++ > 15 files changed, 3712 insertions(+) > create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst > create mode 100644 examples/ipsec-secgw/Makefile > create mode 100644 examples/ipsec-secgw/esp.c > create mode 100644 examples/ipsec-secgw/esp.h > create mode 100644 examples/ipsec-secgw/ipip.h > create mode 100644 examples/ipsec-secgw/ipsec-secgw.c > create mode 100644 examples/ipsec-secgw/ipsec.c > create mode 100644 examples/ipsec-secgw/ipsec.h > create mode 100644 examples/ipsec-secgw/rt.c > create mode 100644 examples/ipsec-secgw/sa.c > create mode 100644 examples/ipsec-secgw/sp.c > > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst > b/doc/guides/sample_app_ug/ipsec_secgw.rst > new file mode 100644 > index 0000000..bc41ea8 > --- /dev/null > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst > @@ -0,0 +1,524 @@ > +.. BSD LICENSE > + Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > + All rights reserved. Copyright dates should be 2016, not from 2010. > + > + Redistribution and use in source and binary forms, with or without > + modification, are permitted provided that the following conditions > + are met: > + > + * Redistributions of source code must retain the above copyright > + notice, this list of conditions and the following disclaimer. > + * Redistributions in binary form must reproduce the above copyright > + notice, this list of conditions and the following disclaimer in > + the documentation and/or other materials provided with the > + distribution. [...] > +static inline void > +process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts, > + uint8_t nb_pkts, uint8_t portid) > +{ > + struct ipsec_traffic traffic = { 0 }; Clang complains here. > + > + prepare_traffic(pkts, &traffic, nb_pkts); > + > + if (single_sa) { > + if (UNPROTECTED_PORT(portid)) > + process_pkts_inbound_nosp(&qconf->inbound, > &traffic); > + else > + process_pkts_outbound_nosp(&qconf->outbound, > &traffic); > + } else { > + if (UNPROTECTED_PORT(portid)) > + process_pkts_inbound(&qconf->inbound, &traffic); > + else > + process_pkts_outbound(&qconf->outbound, > &traffic); > + } > + > + route_pkts(qconf->rt_ctx, traffic.ipv4.pkts, traffic.ipv4.num); > +} > + ^ permalink raw reply [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway 2016-03-11 1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy 2016-03-11 2:12 ` De Lara Guarch, Pablo @ 2016-03-11 2:12 ` Sergio Gonzalez Monroy 2016-03-11 10:01 ` De Lara Guarch, Pablo 2016-03-11 10:02 ` Thomas Monjalon 1 sibling, 2 replies; 15+ messages in thread From: Sergio Gonzalez Monroy @ 2016-03-11 2:12 UTC (permalink / raw) To: dev Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> --- v3: - Fix Copyright - Fix clang v2: - Update to use new cryptodev API - NULL PMD support * dependency on "null_crypto_pmd: PMD to support null crypto operations" http://dpdk.org/dev/patchwork/patch/11428/ - Added --single-sa option to bypass SP/ACL - Removed option for QAT/AESNI and instead expects vdev to be created through EAL with command line options. * dependency on "cryptodev: add capabilities discovery mechanism" http://dpdk.org/dev/patchwork/patch/11434/ - fixed inbound traffic bug - fixed bug with single core bi-directional traffic (inbound and outbound) MAINTAINERS | 4 + doc/guides/rel_notes/release_16_04.rst | 3 + doc/guides/sample_app_ug/index.rst | 1 + doc/guides/sample_app_ug/ipsec_secgw.rst | 524 ++++++++++++ examples/Makefile | 1 + examples/ipsec-secgw/Makefile | 58 ++ examples/ipsec-secgw/esp.c | 250 ++++++ examples/ipsec-secgw/esp.h | 66 ++ examples/ipsec-secgw/ipip.h | 103 +++ examples/ipsec-secgw/ipsec-secgw.c | 1360 ++++++++++++++++++++++++++++++ examples/ipsec-secgw/ipsec.c | 203 +++++ examples/ipsec-secgw/ipsec.h | 192 +++++ examples/ipsec-secgw/rt.c | 144 ++++ examples/ipsec-secgw/sa.c | 438 ++++++++++ examples/ipsec-secgw/sp.c | 364 ++++++++ 15 files changed, 3711 insertions(+) create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst create mode 100644 examples/ipsec-secgw/Makefile create mode 100644 examples/ipsec-secgw/esp.c create mode 100644 examples/ipsec-secgw/esp.h create mode 100644 examples/ipsec-secgw/ipip.h create mode 100644 examples/ipsec-secgw/ipsec-secgw.c create mode 100644 examples/ipsec-secgw/ipsec.c create mode 100644 examples/ipsec-secgw/ipsec.h create mode 100644 examples/ipsec-secgw/rt.c create mode 100644 examples/ipsec-secgw/sa.c create mode 100644 examples/ipsec-secgw/sp.c diff --git a/MAINTAINERS b/MAINTAINERS index 59e981f..67938bc 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -617,3 +617,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst M: Pablo de Lara <pablo.de.lara.guarch@intel.com> M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com> F: examples/ptpclient/ + +M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> +F: doc/guides/sample_app_ug/ipsec-secgw.rst +F: examples/ipsec-secgw/ diff --git a/doc/guides/rel_notes/release_16_04.rst b/doc/guides/rel_notes/release_16_04.rst index f69feac..c3fb18a 100644 --- a/doc/guides/rel_notes/release_16_04.rst +++ b/doc/guides/rel_notes/release_16_04.rst @@ -148,6 +148,9 @@ Examples vhost-switch often fails to allocate mbuf when dequeue from vring because it wrongly calculates the number of mbufs needed. +* **examples/ipsec-secgw: ipsec security gateway** + + New application implementing an IPsec Security Gateway. Other ~~~~~ diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst index 8a646dd..88375d2 100644 --- a/doc/guides/sample_app_ug/index.rst +++ b/doc/guides/sample_app_ug/index.rst @@ -73,6 +73,7 @@ Sample Applications User Guide proc_info ptpclient performance_thread + ipsec_secgw **Figures** diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst new file mode 100644 index 0000000..9bb5bed --- /dev/null +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -0,0 +1,524 @@ +.. BSD LICENSE + Copyright(c) 2016 Intel Corporation. All rights reserved. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + * Neither the name of Intel Corporation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +IPsec Security Gateway Sample Application +========================================= + +The IPsec Security Gateway application is an example of a "real world" +application using DPDK cryptodev framework. + +Overview +-------- + +The application demonstrates the implementation of a Security Gateway +(not IPsec compliant, see Constraints bellow) using DPDK based on RFC4301, +RFC4303, RFC3602 and RFC2404. + +Internet Key Exchange (IKE) is not implemented, so only manual setting of +Security Policies and Security Associations is supported. + +The Security Policies (SP) are implemented as ACL rules, the Security +Associations (SA) are stored in a table and the Routing is implemented +using LPM. + +The application classify the ports between Protected and Unprotected. +Thus, traffic received in an Unprotected or Protected port is consider +Inbound or Outbound respectively. + +Path for IPsec Inbound traffic: + +* Read packets from the port +* Classify packets between IPv4 and ESP. +* Inbound SA lookup for ESP packets based on their SPI +* Verification/Decryption +* Removal of ESP and outer IP header +* Inbound SP check using ACL of decrypted packets and any other IPv4 packet + we read. +* Routing +* Write packet to port + +Path for IPsec Outbound traffic: + +* Read packets from the port +* Outbound SP check using ACL of all IPv4 traffic +* Outbound SA lookup for packets that need IPsec protection +* Add ESP and outter IP header +* Encryption/Digest +* Routing +* Write packet to port + +Constraints +----------- +* IPv4 traffic +* ESP tunnel mode +* EAS-CBC, HMAC-SHA1 and NULL +* Each SA must be handle by a unique lcore (1 RX queue per port) +* No chained mbufs + +Compiling the Application +------------------------- + +To compile the application: + +#. Go to the sample application directory: + + .. code-block:: console + + export RTE_SDK=/path/to/rte_sdk + cd ${RTE_SDK}/examples/ipsec-secgw + +#. Set the target (a default target is used if not specified). For example: + + .. code-block:: console + + export RTE_TARGET=x86_64-native-linuxapp-gcc + + See the *DPDK Getting Started Guide* for possible RTE_TARGET values. + +#. Build the application: + + .. code-block:: console + + make + +Running the Application +----------------------- + +The application has a number of command line options: + +.. code-block:: console + + ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config + (port,queue,lcore)[,(port,queue,lcore] --single-sa SAIDX --ep0|--ep1 + +where, + +* -p PORTMASK: Hexadecimal bitmask of ports to configure + +* -P: optional, sets all ports to promiscuous mode so that packets are + accepted regardless of the packet's Ethernet MAC destination address. + Without this option, only packets with the Ethernet MAC destination address + set to the Ethernet address of the port are accepted (default is enabled). + +* -u PORTMASK: hexadecimal bitmask of unprotected ports + +* --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues + from which ports are mapped to which cores + +* --single-sa SAIDX: use a single SA for outbound traffic, bypassing the SP + on both Inbound and Outbound. This option is meant for debugging/performance + purposes. + +* --ep0: configure the app as Endpoint 0. + +* --ep1: configure the app as Endpoint 1. + +Either one of --ep0 or --ep1 *must* be specified. +The main purpose of these options is two easily configure two systems +back-to-back that would forward traffic through an IPsec tunnel. + +The mapping of lcores to port/queues is similar to other l3fwd applications. + +For example, given the following command line: + +.. code-block:: console + + ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 + --vdev "cryptodev_null_pmd" -- -p 0xf -P -u 0x3 + --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --ep0 + +where each options means: + +* The -l option enables cores 20 and 21 + +* The -n option sets memory 4 channels + +* The --socket-mem to use 2GB on socket 1 + +* The --vdev "cryptodev_null_pmd" option creates virtual NULL cryptodev PMD + +* The -p option enables ports (detected) 0, 1, 2 and 3 + +* The -P option enables promiscuous mode + +* The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected + +* The --config option enables one queue per port with the following mapping: + ++----------+-----------+-----------+---------------------------------------+ +| **Port** | **Queue** | **lcore** | **Description** | +| | | | | ++----------+-----------+-----------+---------------------------------------+ +| 0 | 0 | 20 | Map queue 0 from port 0 to lcore 20. | +| | | | | ++----------+-----------+-----------+---------------------------------------+ +| 1 | 0 | 20 | Map queue 0 from port 1 to lcore 20. | +| | | | | ++----------+-----------+-----------+---------------------------------------+ +| 2 | 0 | 21 | Map queue 0 from port 2 to lcore 21. | +| | | | | ++----------+-----------+-----------+---------------------------------------+ +| 3 | 0 | 21 | Map queue 0 from port 3 to lcore 21. | +| | | | | ++----------+-----------+-----------+---------------------------------------+ + +* The --ep0 options configures the app with a given set of SP, SA and Routing + entries as explained below in more detail. + +Refer to the *DPDK Getting Started Guide* for general information on running +applications and the Environment Abstraction Layer (EAL) options. + +The application would do a best effort to "map" crypto devices to cores, with +hardware devices having priority. +This means that if the application is using a single core and both hardware +and software crypto devices are detected, hardware devices will be used. + +A way to achive the case where you want to force the use of virtual crypto +devices is to whitelist the ethernet devices needed and therefore implicitely +blacklisting all hardware crypto devices. + +For example, something like the following command line: + +.. code-block:: console + + ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 + -w 81:00.0 -w 81:00.1 -w 81:00.2 -w 81:00.3 + --vdev "cryptodev_aesni_mb_pmd" --vdev "cryptodev_null_pmd" -- + -p 0xf -P -u 0x3 --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" + --ep0 + +Configurations +-------------- + +The following sections provide some details on the default values used to +initialize the SP, SA and Routing tables. +Currently all the configuration is hard coded into the application. + +Security Policy Initialization +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As mention in the overview, the Security Policies are ACL rules. +The application defines two ACLs, one each of Inbound and Outbound, and +it replicates them per socket in use. + +Following are the default rules: + +Endpoint 0 Outbound Security Policies: + ++---------+------------------+-----------+------------+ +| **Src** | **Dst** | **proto** | **SA idx** | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.105.0/24 | Any | 5 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.106.0/24 | Any | 6 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.107.0/24 | Any | 7 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.108.0/24 | Any | 8 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.200.0/24 | Any | 9 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.250.0/24 | Any | BYPASS | +| | | | | ++---------+------------------+-----------+------------+ + +Endpoint 0 Inbound Security Policies: + ++---------+------------------+-----------+------------+ +| **Src** | **Dst** | **proto** | **SA idx** | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.115.0/24 | Any | 5 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.116.0/24 | Any | 6 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.117.0/24 | Any | 7 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.118.0/24 | Any | 8 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.210.0/24 | Any | 9 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.240.0/24 | Any | BYPASS | +| | | | | ++---------+------------------+-----------+------------+ + +Endpoint 1 Outbound Security Policies: + ++---------+------------------+-----------+------------+ +| **Src** | **Dst** | **proto** | **SA idx** | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.115.0/24 | Any | 5 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.116.0/24 | Any | 6 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.117.0/24 | Any | 7 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.118.0/24 | Any | 8 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.210.0/24 | Any | 9 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.240.0/24 | Any | BYPASS | +| | | | | ++---------+------------------+-----------+------------+ + +Endpoint 1 Inbound Security Policies: + ++---------+------------------+-----------+------------+ +| **Src** | **Dst** | **proto** | **SA idx** | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.105.0/24 | Any | 5 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.106.0/24 | Any | 6 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.107.0/24 | Any | 7 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.108.0/24 | Any | 8 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.200.0/24 | Any | 9 | +| | | | | ++---------+------------------+-----------+------------+ +| Any | 192.168.250.0/24 | Any | BYPASS | +| | | | | ++---------+------------------+-----------+------------+ + + +Security Association Initialization +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The SAs are kept in a array table. + +For Inbound, the SPI is used as index module the table size. +This means that on a table for 100 SA, SPI 5 and 105 would use the same index +and that is not currently supported. + +Notice that it is not an issue for Outbound traffic as we store the index and +not the SPI in the Security Policy. + +All SAs configured with AES-CBC and HMAC-SHA1 share the same values for cipher +block size and key, and authentication digest size and key. + +Following are the default values: + +Endpoint 0 Outbound Security Associations: + ++---------+------------+-----------+----------------+------------------+ +| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ + +Endpoint 0 Inbound Security Associations: + ++---------+------------+-----------+----------------+------------------+ +| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ + +Endpoint 1 Outbound Security Associations: + ++---------+------------+-----------+----------------+------------------+ +| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ + +Endpoint 1 Inbound Security Associations: + ++---------+------------+-----------+----------------+------------------+ +| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ +| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 | +| | | | | | ++---------+------------+-----------+----------------+------------------+ + +Routing Initialization +~~~~~~~~~~~~~~~~~~~~~~ + +The Routing is implemented using LPM table. + +Following default values: + +Endpoint 0 Routing Table: + ++------------------+----------+ +| **Dst addr** | **Port** | +| | | ++------------------+----------+ +| 172.16.2.5/32 | 0 | +| | | ++------------------+----------+ +| 172.16.2.6/32 | 0 | +| | | ++------------------+----------+ +| 172.16.2.7/32 | 1 | +| | | ++------------------+----------+ +| 172.16.2.8/32 | 1 | +| | | ++------------------+----------+ +| 192.168.115.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.116.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.117.0/24 | 3 | +| | | ++------------------+----------+ +| 192.168.118.0/24 | 3 | +| | | ++------------------+----------+ +| 192.168.210.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.240.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.250.0/24 | 0 | +| | | ++------------------+----------+ + +Endpoint 1 Routing Table: + ++------------------+----------+ +| **Dst addr** | **Port** | +| | | ++------------------+----------+ +| 172.16.1.5/32 | 2 | +| | | ++------------------+----------+ +| 172.16.1.6/32 | 2 | +| | | ++------------------+----------+ +| 172.16.1.7/32 | 3 | +| | | ++------------------+----------+ +| 172.16.1.8/32 | 3 | +| | | ++------------------+----------+ +| 192.168.105.0/24 | 0 | +| | | ++------------------+----------+ +| 192.168.106.0/24 | 0 | +| | | ++------------------+----------+ +| 192.168.107.0/24 | 1 | +| | | ++------------------+----------+ +| 192.168.108.0/24 | 1 | +| | | ++------------------+----------+ +| 192.168.200.0/24 | 0 | +| | | ++------------------+----------+ +| 192.168.240.0/24 | 2 | +| | | ++------------------+----------+ +| 192.168.250.0/24 | 0 | +| | | ++------------------+----------+ diff --git a/examples/Makefile b/examples/Makefile index 1665df1..acd93b8 100644 --- a/examples/Makefile +++ b/examples/Makefile @@ -82,5 +82,6 @@ DIRS-y += vmdq DIRS-y += vmdq_dcb DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto +DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw include $(RTE_SDK)/mk/rte.extsubdir.mk diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile new file mode 100644 index 0000000..da39e49 --- /dev/null +++ b/examples/ipsec-secgw/Makefile @@ -0,0 +1,58 @@ +# BSD LICENSE +# +# Copyright(c) 2016 Intel Corporation. All rights reserved. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +ifeq ($(RTE_SDK),) + $(error "Please define RTE_SDK environment variable") +endif + +# Default target, can be overridden by command line or environment +RTE_TARGET ?= x86_64-native-linuxapp-gcc + +include $(RTE_SDK)/mk/rte.vars.mk + +APP = ipsec-secgw + +CFLAGS += -O3 -gdwarf-2 +CFLAGS += $(WERROR_FLAGS) + +VPATH += $(SRCDIR)/librte_ipsec + +# +# all source are stored in SRCS-y +# +SRCS-y += ipsec.c +SRCS-y += esp.c +SRCS-y += sp.c +SRCS-y += sa.c +SRCS-y += rt.c +SRCS-y += ipsec-secgw.c + +include $(RTE_SDK)/mk/rte.extapp.mk diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c new file mode 100644 index 0000000..ca0fc56 --- /dev/null +++ b/examples/ipsec-secgw/esp.c @@ -0,0 +1,250 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <stdint.h> +#include <stdlib.h> +#include <netinet/ip.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <unistd.h> + +#include <rte_common.h> +#include <rte_memcpy.h> +#include <rte_crypto.h> +#include <rte_cryptodev.h> +#include <rte_random.h> + +#include "ipsec.h" +#include "esp.h" +#include "ipip.h" + +#define IP_ESP_HDR_SZ (sizeof(struct ip) + sizeof(struct esp_hdr)) + +static inline void +random_iv_u64(uint64_t *buf, uint16_t n) +{ + unsigned left = n & 0x7; + unsigned i; + + IPSEC_ASSERT((n & 0x3) == 0); + + for (i = 0; i < (n >> 3); i++) + buf[i] = rte_rand(); + + if (left) + *((uint32_t *)&buf[i]) = (uint32_t)lrand48(); +} + +/* IPv4 Tunnel */ +int +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop) +{ + int32_t payload_len; + struct rte_crypto_sym_op *sym_cop; + + IPSEC_ASSERT(m != NULL); + IPSEC_ASSERT(sa != NULL); + IPSEC_ASSERT(cop != NULL); + + payload_len = rte_pktmbuf_pkt_len(m) - IP_ESP_HDR_SZ - sa->iv_len - + sa->digest_len; + + if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) { + IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not multiple of %u\n", + payload_len, sa->block_size); + return -EINVAL; + } + + sym_cop = (struct rte_crypto_sym_op *)(cop + 1); + + sym_cop->m_src = m; + sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len; + sym_cop->cipher.data.length = payload_len; + + sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, void*, + IP_ESP_HDR_SZ); + sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m, + IP_ESP_HDR_SZ); + sym_cop->cipher.iv.length = sa->iv_len; + + sym_cop->auth.data.offset = sizeof(struct ip); + if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM) + sym_cop->auth.data.length = sizeof(struct esp_hdr); + else + sym_cop->auth.data.length = sizeof(struct esp_hdr) + + sa->iv_len + payload_len; + + sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*, + rte_pktmbuf_pkt_len(m) - sa->digest_len); + sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m, + rte_pktmbuf_pkt_len(m) - sa->digest_len); + sym_cop->auth.digest.length = sa->digest_len; + + return 0; +} + +int +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop) +{ + uint8_t *nexthdr, *pad_len; + uint8_t *padding; + uint16_t i; + + IPSEC_ASSERT(m != NULL); + IPSEC_ASSERT(sa != NULL); + IPSEC_ASSERT(cop != NULL); + + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); + return -1; + } + + nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*, + rte_pktmbuf_pkt_len(m) - sa->digest_len - 1); + pad_len = nexthdr - 1; + + padding = pad_len - *pad_len; + for (i = 0; i < *pad_len; i++) { + if (padding[i] != i) { + IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n"); + return -EINVAL; + } + } + + if (rte_pktmbuf_trim(m, *pad_len + 2 + sa->digest_len)) { + IPSEC_LOG(ERR, IPSEC_ESP, + "failed to remove pad_len + digest\n"); + return -EINVAL; + } + + return ip4ip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len); +} + +int +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop) +{ + uint16_t pad_payload_len, pad_len; + struct ip *ip; + struct esp_hdr *esp; + int i; + char *padding; + struct rte_crypto_sym_op *sym_cop; + + IPSEC_ASSERT(m != NULL); + IPSEC_ASSERT(sa != NULL); + IPSEC_ASSERT(cop != NULL); + + /* Payload length */ + pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) + 2, + sa->block_size); + pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m); + + rte_prefetch0(rte_pktmbuf_mtod_offset(m, void *, + rte_pktmbuf_pkt_len(m))); + + /* Check maximum packet size */ + if (unlikely(IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len + + sa->digest_len > IP_MAXPACKET)) { + IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n"); + return -EINVAL; + } + + padding = rte_pktmbuf_append(m, pad_len + sa->digest_len); + + IPSEC_ASSERT(padding != NULL); + + ip = ip4ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len, + sa->src, sa->dst); + + esp = (struct esp_hdr *)(ip + 1); + esp->spi = sa->spi; + esp->seq = htonl(sa->seq++); + + IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m)); + + /* Fill pad_len using default sequential scheme */ + for (i = 0; i < pad_len - 2; i++) + padding[i] = i + 1; + + padding[pad_len - 2] = pad_len - 2; + padding[pad_len - 1] = IPPROTO_IPIP; + + sym_cop = (struct rte_crypto_sym_op *)(cop + 1); + + sym_cop->m_src = m; + sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len; + sym_cop->cipher.data.length = pad_payload_len; + + sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, uint8_t *, + IP_ESP_HDR_SZ); + sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m, + IP_ESP_HDR_SZ); + sym_cop->cipher.iv.length = sa->iv_len; + + sym_cop->auth.data.offset = sizeof(struct ip); + sym_cop->auth.data.length = sizeof(struct esp_hdr) + sa->iv_len + + pad_payload_len; + + sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *, + IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len); + sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m, + IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len); + sym_cop->auth.digest.length = sa->digest_len; + + if (sa->cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC) + random_iv_u64((uint64_t *)sym_cop->cipher.iv.data, + sym_cop->cipher.iv.length); + + return 0; +} + +int +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused, + struct ipsec_sa *sa __rte_unused, + struct rte_crypto_op *cop) +{ + IPSEC_ASSERT(m != NULL); + IPSEC_ASSERT(sa != NULL); + IPSEC_ASSERT(cop != NULL); + + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); + return -1; + } + + return 0; +} diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h new file mode 100644 index 0000000..3101882 --- /dev/null +++ b/examples/ipsec-secgw/esp.h @@ -0,0 +1,66 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#ifndef __RTE_IPSEC_XFORM_ESP_H__ +#define __RTE_IPSEC_XFORM_ESP_H__ + +struct mbuf; + +/* RFC4303 */ +struct esp_hdr { + uint32_t spi; + uint32_t seq; + /* Payload */ + /* Padding */ + /* Pad Length */ + /* Next Header */ + /* Integrity Check Value - ICV */ +}; + +/* IPv4 Tunnel */ +int +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +int +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +int +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +int +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +#endif /* __RTE_IPSEC_XFORM_ESP_H__ */ diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h new file mode 100644 index 0000000..322076c --- /dev/null +++ b/examples/ipsec-secgw/ipip.h @@ -0,0 +1,103 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __IPIP_H__ +#define __IPIP_H__ + +#include <stdint.h> +#include <netinet/in.h> +#include <netinet/ip.h> + +#include <rte_mbuf.h> + +#define IPV6_VERSION (6) + +static inline struct ip * +ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst) +{ + struct ip *inip, *outip; + + inip = rte_pktmbuf_mtod(m, struct ip*); + + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); + + offset += sizeof(struct ip); + + outip = (struct ip *)rte_pktmbuf_prepend(m, offset); + + IPSEC_ASSERT(outip != NULL); + + /* Per RFC4301 5.1.2.1 */ + outip->ip_v = IPVERSION; + outip->ip_hl = 5; + outip->ip_tos = inip->ip_tos; + outip->ip_len = htons(rte_pktmbuf_data_len(m)); + + outip->ip_id = 0; + outip->ip_off = 0; + + outip->ip_ttl = IPDEFTTL; + outip->ip_p = IPPROTO_ESP; + + outip->ip_src.s_addr = src; + outip->ip_dst.s_addr = dst; + + return outip; +} + +static inline int +ip4ip_inbound(struct rte_mbuf *m, uint32_t offset) +{ + struct ip *inip; + struct ip *outip; + + outip = rte_pktmbuf_mtod(m, struct ip*); + + IPSEC_ASSERT(outip->ip_v == IPVERSION); + + offset += sizeof(struct ip); + inip = (struct ip *)rte_pktmbuf_adj(m, offset); + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); + + /* Check packet is still bigger than IP header (inner) */ + IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip)); + + /* RFC4301 5.1.2.1 Note 6 */ + if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) && + ((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE)) + inip->ip_tos |= htons(IPTOS_ECN_CE); + + return 0; +} + +#endif /* __IPIP_H__ */ diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c new file mode 100644 index 0000000..d6c9a5d --- /dev/null +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -0,0 +1,1360 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <inttypes.h> +#include <sys/types.h> +#include <string.h> +#include <sys/queue.h> +#include <stdarg.h> +#include <errno.h> +#include <getopt.h> + +#include <rte_common.h> +#include <rte_byteorder.h> +#include <rte_log.h> +#include <rte_eal.h> +#include <rte_launch.h> +#include <rte_atomic.h> +#include <rte_cycles.h> +#include <rte_prefetch.h> +#include <rte_lcore.h> +#include <rte_per_lcore.h> +#include <rte_branch_prediction.h> +#include <rte_interrupts.h> +#include <rte_pci.h> +#include <rte_random.h> +#include <rte_debug.h> +#include <rte_ether.h> +#include <rte_ethdev.h> +#include <rte_mempool.h> +#include <rte_mbuf.h> +#include <rte_acl.h> +#include <rte_lpm.h> +#include <rte_hash.h> +#include <rte_jhash.h> +#include <rte_cryptodev.h> + +#include "ipsec.h" + +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 + +#define MAX_JUMBO_PKT_LEN 9600 + +#define MEMPOOL_CACHE_SIZE 256 + +#define NB_MBUF (32000) + +#define CDEV_MAP_ENTRIES 1024 +#define CDEV_MP_NB_OBJS 2048 +#define CDEV_MP_CACHE_SZ 64 +#define MAX_QUEUE_PAIRS 1 + +#define OPTION_CONFIG "config" +#define OPTION_SINGLE_SA "single-sa" +#define OPTION_EP0 "ep0" +#define OPTION_EP1 "ep1" + +#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */ + +#define NB_SOCKETS 4 + +/* Configure how many packets ahead to prefetch, when reading packets */ +#define PREFETCH_OFFSET 3 + +#define MAX_RX_QUEUE_PER_LCORE 16 + +#define MAX_LCORE_PARAMS 1024 + +#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid)) + +/* + * Configurable number of RX/TX ring descriptors + */ +#define IPSEC_SECGW_RX_DESC_DEFAULT 128 +#define IPSEC_SECGW_TX_DESC_DEFAULT 512 +static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT; +static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT; + +#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ + (((uint64_t)((a) & 0xff) << 56) | \ + ((uint64_t)((b) & 0xff) << 48) | \ + ((uint64_t)((c) & 0xff) << 40) | \ + ((uint64_t)((d) & 0xff) << 32) | \ + ((uint64_t)((e) & 0xff) << 24) | \ + ((uint64_t)((f) & 0xff) << 16) | \ + ((uint64_t)((g) & 0xff) << 8) | \ + ((uint64_t)(h) & 0xff)) +#else +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ + (((uint64_t)((h) & 0xff) << 56) | \ + ((uint64_t)((g) & 0xff) << 48) | \ + ((uint64_t)((f) & 0xff) << 40) | \ + ((uint64_t)((e) & 0xff) << 32) | \ + ((uint64_t)((d) & 0xff) << 24) | \ + ((uint64_t)((c) & 0xff) << 16) | \ + ((uint64_t)((b) & 0xff) << 8) | \ + ((uint64_t)(a) & 0xff)) +#endif +#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) + +#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \ + addr.addr_bytes[0], addr.addr_bytes[1], \ + addr.addr_bytes[2], addr.addr_bytes[3], \ + addr.addr_bytes[4], addr.addr_bytes[5], \ + 0, 0) + +/* port/source ethernet addr and destination ethernet addr */ +struct ethaddr_info { + uint64_t src, dst; +}; + +struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = { + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) }, + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) }, + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) }, + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) } +}; + +/* mask of enabled ports */ +static uint32_t enabled_port_mask; +static uint32_t unprotected_port_mask; +static int32_t promiscuous_on = 1; +static int32_t numa_on = 1; /**< NUMA is enabled by default. */ +static int32_t ep = -1; /**< Endpoint configuration (0 or 1) */ +static uint32_t nb_lcores; +static uint32_t single_sa; +static uint32_t single_sa_idx; + +struct lcore_rx_queue { + uint8_t port_id; + uint8_t queue_id; +} __rte_cache_aligned; + +struct lcore_params { + uint8_t port_id; + uint8_t queue_id; + uint8_t lcore_id; +} __rte_cache_aligned; + +static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; + +static struct lcore_params *lcore_params; +static uint16_t nb_lcore_params; + +static struct rte_hash *cdev_map_in; +static struct rte_hash *cdev_map_out; + +struct buffer { + uint16_t len; + struct rte_mbuf *m_table[MAX_PKT_BURST] __rte_aligned(sizeof(void *)); +}; + +struct lcore_conf { + uint16_t nb_rx_queue; + struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE]; + uint16_t tx_queue_id[RTE_MAX_ETHPORTS]; + struct buffer tx_mbufs[RTE_MAX_ETHPORTS]; + struct ipsec_ctx inbound; + struct ipsec_ctx outbound; + struct rt_ctx *rt_ctx; +} __rte_cache_aligned; + +static struct lcore_conf lcore_conf[RTE_MAX_LCORE]; + +static struct rte_eth_conf port_conf = { + .rxmode = { + .mq_mode = ETH_MQ_RX_RSS, + .max_rx_pkt_len = ETHER_MAX_LEN, + .split_hdr_size = 0, + .header_split = 0, /**< Header Split disabled */ + .hw_ip_checksum = 1, /**< IP checksum offload enabled */ + .hw_vlan_filter = 0, /**< VLAN filtering disabled */ + .jumbo_frame = 0, /**< Jumbo Frame Support disabled */ + .hw_strip_crc = 0, /**< CRC stripped by hardware */ + }, + .rx_adv_conf = { + .rss_conf = { + .rss_key = NULL, + .rss_hf = ETH_RSS_IP | ETH_RSS_UDP | + ETH_RSS_TCP | ETH_RSS_SCTP, + }, + }, + .txmode = { + .mq_mode = ETH_MQ_TX_NONE, + }, +}; + +static struct socket_ctx socket_ctx[NB_SOCKETS]; + +struct traffic_type { + const uint8_t *data[MAX_PKT_BURST * 2]; + struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; + uint32_t res[MAX_PKT_BURST * 2]; + uint32_t num; +}; + +struct ipsec_traffic { + struct traffic_type ipsec4; + struct traffic_type ipv4; +}; + +static inline void +prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) +{ + uint8_t *nlp; + + if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) { + rte_pktmbuf_adj(pkt, ETHER_HDR_LEN); + nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *, + offsetof(struct ip, ip_p)); + if (*nlp == IPPROTO_ESP) + t->ipsec4.pkts[(t->ipsec4.num)++] = pkt; + else { + t->ipv4.data[t->ipv4.num] = nlp; + t->ipv4.pkts[(t->ipv4.num)++] = pkt; + } + } else { + /* Unknown/Unsupported type, drop the packet */ + rte_pktmbuf_free(pkt); + } +} + +static inline void +prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t, + uint16_t nb_pkts) +{ + int32_t i; + + t->ipsec4.num = 0; + t->ipv4.num = 0; + + for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) { + rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET], + void *)); + prepare_one_packet(pkts[i], t); + } + /* Process left packets */ + for (; i < nb_pkts; i++) + prepare_one_packet(pkts[i], t); +} + +static inline void +prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port) +{ + pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4; + pkt->l3_len = sizeof(struct ip); + pkt->l2_len = ETHER_HDR_LEN; + + struct ether_hdr *ethhdr = (struct ether_hdr *)rte_pktmbuf_prepend(pkt, + ETHER_HDR_LEN); + + ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4); + memcpy(ðhdr->s_addr, ðaddr_tbl[port].src, + sizeof(struct ether_addr)); + memcpy(ðhdr->d_addr, ðaddr_tbl[port].dst, + sizeof(struct ether_addr)); +} + +static inline void +prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port) +{ + int32_t i; + const int32_t prefetch_offset = 2; + + for (i = 0; i < (nb_pkts - prefetch_offset); i++) { + rte_prefetch0(pkts[i + prefetch_offset]->cacheline1); + prepare_tx_pkt(pkts[i], port); + } + /* Process left packets */ + for (; i < nb_pkts; i++) + prepare_tx_pkt(pkts[i], port); +} + +/* Send burst of packets on an output interface */ +static inline int32_t +send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port) +{ + struct rte_mbuf **m_table; + int32_t ret; + uint16_t queueid; + + queueid = qconf->tx_queue_id[port]; + m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table; + + prepare_tx_burst(m_table, n, port); + + ret = rte_eth_tx_burst(port, queueid, m_table, n); + if (unlikely(ret < n)) { + do { + rte_pktmbuf_free(m_table[ret]); + } while (++ret < n); + } + + return 0; +} + +/* Enqueue a single packet, and send burst if queue is filled */ +static inline int32_t +send_single_packet(struct rte_mbuf *m, uint8_t port) +{ + uint32_t lcore_id; + uint16_t len; + struct lcore_conf *qconf; + + lcore_id = rte_lcore_id(); + + qconf = &lcore_conf[lcore_id]; + len = qconf->tx_mbufs[port].len; + qconf->tx_mbufs[port].m_table[len] = m; + len++; + + /* enough pkts to be sent */ + if (unlikely(len == MAX_PKT_BURST)) { + send_burst(qconf, MAX_PKT_BURST, port); + len = 0; + } + + qconf->tx_mbufs[port].len = len; + return 0; +} + +static inline void +process_pkts_inbound(struct ipsec_ctx *ipsec_ctx, + struct ipsec_traffic *traffic) +{ + struct rte_mbuf *m; + uint16_t idx, nb_pkts_in, i, j; + uint32_t sa_idx, res; + + nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts, + traffic->ipsec4.num, MAX_PKT_BURST); + + /* SP/ACL Inbound check ipsec and ipv4 */ + for (i = 0; i < nb_pkts_in; i++) { + idx = traffic->ipv4.num++; + m = traffic->ipsec4.pkts[i]; + traffic->ipv4.pkts[idx] = m; + traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m, + uint8_t *, offsetof(struct ip, ip_p)); + } + + rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx, + traffic->ipv4.data, traffic->ipv4.res, + traffic->ipv4.num, DEFAULT_MAX_CATEGORIES); + + j = 0; + for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) { + m = traffic->ipv4.pkts[i]; + res = traffic->ipv4.res[i]; + if (res & ~BYPASS) { + rte_pktmbuf_free(m); + continue; + } + traffic->ipv4.pkts[j++] = m; + } + /* Check return SA SPI matches pkt SPI */ + for ( ; i < traffic->ipv4.num; i++) { + m = traffic->ipv4.pkts[i]; + sa_idx = traffic->ipv4.res[i] & PROTECT_MASK; + if (sa_idx == 0 || !inbound_sa_check(ipsec_ctx->sa_ctx, + m, sa_idx)) { + rte_pktmbuf_free(m); + continue; + } + traffic->ipv4.pkts[j++] = m; + } + traffic->ipv4.num = j; +} + +static inline void +process_pkts_outbound(struct ipsec_ctx *ipsec_ctx, + struct ipsec_traffic *traffic) +{ + struct rte_mbuf *m; + uint16_t idx, nb_pkts_out, i, j; + uint32_t sa_idx, res; + + rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx, + traffic->ipv4.data, traffic->ipv4.res, + traffic->ipv4.num, DEFAULT_MAX_CATEGORIES); + + /* Drop any IPsec traffic from protected ports */ + for (i = 0; i < traffic->ipsec4.num; i++) + rte_pktmbuf_free(traffic->ipsec4.pkts[i]); + + traffic->ipsec4.num = 0; + + j = 0; + for (i = 0; i < traffic->ipv4.num; i++) { + m = traffic->ipv4.pkts[i]; + res = traffic->ipv4.res[i]; + sa_idx = res & PROTECT_MASK; + if ((res == 0) || (res & DISCARD)) + rte_pktmbuf_free(m); + else if (sa_idx != 0) { + traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx; + traffic->ipsec4.pkts[traffic->ipsec4.num++] = m; + } else /* BYPASS */ + traffic->ipv4.pkts[j++] = m; + } + traffic->ipv4.num = j; + + nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec4.pkts, + traffic->ipsec4.res, traffic->ipsec4.num, + MAX_PKT_BURST); + + for (i = 0; i < nb_pkts_out; i++) { + idx = traffic->ipv4.num++; + m = traffic->ipsec4.pkts[i]; + traffic->ipv4.pkts[idx] = m; + } +} + +static inline void +process_pkts_inbound_nosp(struct ipsec_ctx *ipsec_ctx, + struct ipsec_traffic *traffic) +{ + uint16_t nb_pkts_in, i; + + /* Drop any IPv4 traffic from unprotected ports */ + for (i = 0; i < traffic->ipv4.num; i++) + rte_pktmbuf_free(traffic->ipv4.pkts[i]); + + traffic->ipv4.num = 0; + + nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts, + traffic->ipsec4.num, MAX_PKT_BURST); + + for (i = 0; i < nb_pkts_in; i++) + traffic->ipv4.pkts[i] = traffic->ipsec4.pkts[i]; + + traffic->ipv4.num = nb_pkts_in; +} + +static inline void +process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx, + struct ipsec_traffic *traffic) +{ + uint16_t nb_pkts_out, i; + + /* Drop any IPsec traffic from protected ports */ + for (i = 0; i < traffic->ipsec4.num; i++) + rte_pktmbuf_free(traffic->ipsec4.pkts[i]); + + traffic->ipsec4.num = 0; + + for (i = 0; i < traffic->ipv4.num; i++) + traffic->ipv4.res[i] = single_sa_idx; + + nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipv4.pkts, + traffic->ipv4.res, traffic->ipv4.num, + MAX_PKT_BURST); + + traffic->ipv4.num = nb_pkts_out; +} + +static inline void +route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) +{ + uint32_t hop[MAX_PKT_BURST * 2]; + uint32_t dst_ip[MAX_PKT_BURST * 2]; + uint16_t i, offset; + + if (nb_pkts == 0) + return; + + for (i = 0; i < nb_pkts; i++) { + offset = offsetof(struct ip, ip_dst); + dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i], + uint32_t *, offset); + dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]); + } + + rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts); + + for (i = 0; i < nb_pkts; i++) { + if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) { + rte_pktmbuf_free(pkts[i]); + continue; + } + send_single_packet(pkts[i], hop[i] & 0xff); + } +} + +static inline void +process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts, + uint8_t nb_pkts, uint8_t portid) +{ + struct ipsec_traffic traffic; + + prepare_traffic(pkts, &traffic, nb_pkts); + + if (single_sa) { + if (UNPROTECTED_PORT(portid)) + process_pkts_inbound_nosp(&qconf->inbound, &traffic); + else + process_pkts_outbound_nosp(&qconf->outbound, &traffic); + } else { + if (UNPROTECTED_PORT(portid)) + process_pkts_inbound(&qconf->inbound, &traffic); + else + process_pkts_outbound(&qconf->outbound, &traffic); + } + + route_pkts(qconf->rt_ctx, traffic.ipv4.pkts, traffic.ipv4.num); +} + +static inline void +drain_buffers(struct lcore_conf *qconf) +{ + struct buffer *buf; + uint32_t portid; + + for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) { + buf = &qconf->tx_mbufs[portid]; + if (buf->len == 0) + continue; + send_burst(qconf, buf->len, portid); + buf->len = 0; + } +} + +/* main processing loop */ +static int32_t +main_loop(__attribute__((unused)) void *dummy) +{ + struct rte_mbuf *pkts[MAX_PKT_BURST]; + uint32_t lcore_id; + uint64_t prev_tsc, diff_tsc, cur_tsc; + int32_t i, nb_rx; + uint8_t portid, queueid; + struct lcore_conf *qconf; + int32_t socket_id; + const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1) + / US_PER_S * BURST_TX_DRAIN_US; + struct lcore_rx_queue *rxql; + + prev_tsc = 0; + lcore_id = rte_lcore_id(); + qconf = &lcore_conf[lcore_id]; + rxql = qconf->rx_queue_list; + socket_id = rte_lcore_to_socket_id(lcore_id); + + qconf->rt_ctx = socket_ctx[socket_id].rt_ipv4; + qconf->inbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_in; + qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_in; + qconf->inbound.cdev_map = cdev_map_in; + qconf->outbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_out; + qconf->outbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_out; + qconf->outbound.cdev_map = cdev_map_out; + + if (qconf->nb_rx_queue == 0) { + RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id); + return 0; + } + + RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id); + + for (i = 0; i < qconf->nb_rx_queue; i++) { + portid = rxql[i].port_id; + queueid = rxql[i].queue_id; + RTE_LOG(INFO, IPSEC, + " -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n", + lcore_id, portid, queueid); + } + + while (1) { + cur_tsc = rte_rdtsc(); + + /* TX queue buffer drain */ + diff_tsc = cur_tsc - prev_tsc; + + if (unlikely(diff_tsc > drain_tsc)) { + drain_buffers(qconf); + prev_tsc = cur_tsc; + } + + /* Read packet from RX queues */ + for (i = 0; i < qconf->nb_rx_queue; ++i) { + portid = rxql[i].port_id; + queueid = rxql[i].queue_id; + nb_rx = rte_eth_rx_burst(portid, queueid, + pkts, MAX_PKT_BURST); + + if (nb_rx > 0) + process_pkts(qconf, pkts, nb_rx, portid); + } + } +} + +static int32_t +check_params(void) +{ + uint8_t lcore, portid, nb_ports; + uint16_t i; + int32_t socket_id; + + if (lcore_params == NULL) { + printf("Error: No port/queue/core mappings\n"); + return -1; + } + + nb_ports = rte_eth_dev_count(); + if (nb_ports > RTE_MAX_ETHPORTS) + nb_ports = RTE_MAX_ETHPORTS; + + for (i = 0; i < nb_lcore_params; ++i) { + lcore = lcore_params[i].lcore_id; + if (!rte_lcore_is_enabled(lcore)) { + printf("error: lcore %hhu is not enabled in " + "lcore mask\n", lcore); + return -1; + } + socket_id = rte_lcore_to_socket_id(lcore); + if (socket_id != 0 && numa_on == 0) { + printf("warning: lcore %hhu is on socket %d " + "with numa off\n", + lcore, socket_id); + } + portid = lcore_params[i].port_id; + if ((enabled_port_mask & (1 << portid)) == 0) { + printf("port %u is not enabled in port mask\n", portid); + return -1; + } + if (portid >= nb_ports) { + printf("port %u is not present on the board\n", portid); + return -1; + } + } + return 0; +} + +static uint8_t +get_port_nb_rx_queues(const uint8_t port) +{ + int32_t queue = -1; + uint16_t i; + + for (i = 0; i < nb_lcore_params; ++i) { + if (lcore_params[i].port_id == port && + lcore_params[i].queue_id > queue) + queue = lcore_params[i].queue_id; + } + return (uint8_t)(++queue); +} + +static int32_t +init_lcore_rx_queues(void) +{ + uint16_t i, nb_rx_queue; + uint8_t lcore; + + for (i = 0; i < nb_lcore_params; ++i) { + lcore = lcore_params[i].lcore_id; + nb_rx_queue = lcore_conf[lcore].nb_rx_queue; + if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) { + printf("error: too many queues (%u) for lcore: %u\n", + nb_rx_queue + 1, lcore); + return -1; + } + lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id = + lcore_params[i].port_id; + lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id = + lcore_params[i].queue_id; + lcore_conf[lcore].nb_rx_queue++; + } + return 0; +} + +/* display usage */ +static void +print_usage(const char *prgname) +{ + printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK" + " --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]" + " --single-sa SAIDX --ep0|--ep1\n" + " -p PORTMASK: hexadecimal bitmask of ports to configure\n" + " -P : enable promiscuous mode\n" + " -u PORTMASK: hexadecimal bitmask of unprotected ports\n" + " --"OPTION_CONFIG": (port,queue,lcore): " + "rx queues configuration\n" + " --single-sa SAIDX: use single SA index for outbound, " + "bypassing the SP\n" + " --ep0: Configure as Endpoint 0\n" + " --ep1: Configure as Endpoint 1\n", prgname); +} + +static int32_t +parse_portmask(const char *portmask) +{ + char *end = NULL; + unsigned long pm; + + /* parse hexadecimal string */ + pm = strtoul(portmask, &end, 16); + if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0')) + return -1; + + if ((pm == 0) && errno) + return -1; + + return pm; +} + +static int32_t +parse_decimal(const char *str) +{ + char *end = NULL; + unsigned long num; + + num = strtoul(str, &end, 10); + if ((str[0] == '\0') || (end == NULL) || (*end != '\0')) + return -1; + + return num; +} + +static int32_t +parse_config(const char *q_arg) +{ + char s[256]; + const char *p, *p0 = q_arg; + char *end; + enum fieldnames { + FLD_PORT = 0, + FLD_QUEUE, + FLD_LCORE, + _NUM_FLD + }; + int long int_fld[_NUM_FLD]; + char *str_fld[_NUM_FLD]; + int32_t i; + uint32_t size; + + nb_lcore_params = 0; + + while ((p = strchr(p0, '(')) != NULL) { + ++p; + p0 = strchr(p, ')'); + if (p0 == NULL) + return -1; + + size = p0 - p; + if (size >= sizeof(s)) + return -1; + + snprintf(s, sizeof(s), "%.*s", size, p); + if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') != + _NUM_FLD) + return -1; + for (i = 0; i < _NUM_FLD; i++) { + errno = 0; + int_fld[i] = strtoul(str_fld[i], &end, 0); + if (errno != 0 || end == str_fld[i] || int_fld[i] > 255) + return -1; + } + if (nb_lcore_params >= MAX_LCORE_PARAMS) { + printf("exceeded max number of lcore params: %hu\n", + nb_lcore_params); + return -1; + } + lcore_params_array[nb_lcore_params].port_id = + (uint8_t)int_fld[FLD_PORT]; + lcore_params_array[nb_lcore_params].queue_id = + (uint8_t)int_fld[FLD_QUEUE]; + lcore_params_array[nb_lcore_params].lcore_id = + (uint8_t)int_fld[FLD_LCORE]; + ++nb_lcore_params; + } + lcore_params = lcore_params_array; + return 0; +} + +#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt))) +static int32_t +parse_args_long_options(struct option *lgopts, int32_t option_index) +{ + int32_t ret = -1; + const char *optname = lgopts[option_index].name; + + if (__STRNCMP(optname, OPTION_CONFIG)) { + ret = parse_config(optarg); + if (ret) + printf("invalid config\n"); + } + + if (__STRNCMP(optname, OPTION_SINGLE_SA)) { + ret = parse_decimal(optarg); + if (ret != -1) { + single_sa = 1; + single_sa_idx = ret; + printf("Configured with single SA index %u\n", + single_sa_idx); + ret = 0; + } + } + + if (__STRNCMP(optname, OPTION_EP0)) { + printf("endpoint 0\n"); + ep = 0; + ret = 0; + } + + if (__STRNCMP(optname, OPTION_EP1)) { + printf("endpoint 1\n"); + ep = 1; + ret = 0; + } + + return ret; +} +#undef __STRNCMP + +static int32_t +parse_args(int32_t argc, char **argv) +{ + int32_t opt, ret; + char **argvopt; + int32_t option_index; + char *prgname = argv[0]; + static struct option lgopts[] = { + {OPTION_CONFIG, 1, 0, 0}, + {OPTION_SINGLE_SA, 1, 0, 0}, + {OPTION_EP0, 0, 0, 0}, + {OPTION_EP1, 0, 0, 0}, + {NULL, 0, 0, 0} + }; + + argvopt = argv; + + while ((opt = getopt_long(argc, argvopt, "p:Pu:", + lgopts, &option_index)) != EOF) { + + switch (opt) { + case 'p': + enabled_port_mask = parse_portmask(optarg); + if (enabled_port_mask == 0) { + printf("invalid portmask\n"); + print_usage(prgname); + return -1; + } + break; + case 'P': + printf("Promiscuous mode selected\n"); + promiscuous_on = 1; + break; + case 'u': + unprotected_port_mask = parse_portmask(optarg); + if (unprotected_port_mask == 0) { + printf("invalid unprotected portmask\n"); + print_usage(prgname); + return -1; + } + break; + case 0: + if (parse_args_long_options(lgopts, option_index)) { + print_usage(prgname); + return -1; + } + break; + default: + print_usage(prgname); + return -1; + } + } + + if (optind >= 0) + argv[optind-1] = prgname; + + ret = optind-1; + optind = 0; /* reset getopt lib */ + return ret; +} + +static void +print_ethaddr(const char *name, const struct ether_addr *eth_addr) +{ + char buf[ETHER_ADDR_FMT_SIZE]; + ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr); + printf("%s%s", name, buf); +} + +/* Check the link status of all ports in up to 9s, and print them finally */ +static void +check_all_ports_link_status(uint8_t port_num, uint32_t port_mask) +{ +#define CHECK_INTERVAL 100 /* 100ms */ +#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */ + uint8_t portid, count, all_ports_up, print_flag = 0; + struct rte_eth_link link; + + printf("\nChecking link status"); + fflush(stdout); + for (count = 0; count <= MAX_CHECK_TIME; count++) { + all_ports_up = 1; + for (portid = 0; portid < port_num; portid++) { + if ((port_mask & (1 << portid)) == 0) + continue; + memset(&link, 0, sizeof(link)); + rte_eth_link_get_nowait(portid, &link); + /* print link status if flag set */ + if (print_flag == 1) { + if (link.link_status) + printf("Port %d Link Up - speed %u " + "Mbps - %s\n", (uint8_t)portid, + (uint32_t)link.link_speed, + (link.link_duplex == ETH_LINK_FULL_DUPLEX) ? + ("full-duplex") : ("half-duplex\n")); + else + printf("Port %d Link Down\n", + (uint8_t)portid); + continue; + } + /* clear all_ports_up flag if any link down */ + if (link.link_status == 0) { + all_ports_up = 0; + break; + } + } + /* after finally printing all link status, get out */ + if (print_flag == 1) + break; + + if (all_ports_up == 0) { + printf("."); + fflush(stdout); + rte_delay_ms(CHECK_INTERVAL); + } + + /* set the print_flag if all ports up or timeout */ + if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) { + print_flag = 1; + printf("done\n"); + } + } +} + +static int32_t +add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id, + uint16_t qp, struct lcore_params *params, + struct ipsec_ctx *ipsec_ctx, + const struct rte_cryptodev_capabilities *cipher, + const struct rte_cryptodev_capabilities *auth) +{ + int32_t ret = 0; + unsigned long i; + struct cdev_key key = { 0 }; + + key.lcore_id = params->lcore_id; + if (cipher) + key.cipher_algo = cipher->sym.cipher.algo; + if (auth) + key.auth_algo = auth->sym.auth.algo; + + ret = rte_hash_lookup(map, &key); + if (ret != -ENOENT) + return 0; + + for (i = 0; i < ipsec_ctx->nb_qps; i++) + if (ipsec_ctx->tbl[i].id == cdev_id) + break; + + if (i == ipsec_ctx->nb_qps) { + if (ipsec_ctx->nb_qps == MAX_QP_PER_LCORE) { + printf("Maximum number of crypto devices assigned to " + "a core, increase MAX_QP_PER_LCORE value\n"); + return 0; + } + ipsec_ctx->tbl[i].id = cdev_id; + ipsec_ctx->tbl[i].qp = qp; + ipsec_ctx->nb_qps++; + printf("%s cdev mapping: lcore %u using cdev %u qp %u " + "(cdev_id_qp %lu)\n", str, key.lcore_id, + cdev_id, qp, i); + } + + ret = rte_hash_add_key_data(map, &key, (void *)i); + if (ret < 0) { + printf("Faled to insert cdev mapping for (lcore %u, " + "cdev %u, qp %u), errno %d\n", + key.lcore_id, ipsec_ctx->tbl[i].id, + ipsec_ctx->tbl[i].qp, ret); + return 0; + } + + return 1; +} + +static int32_t +add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id, + uint16_t qp, struct lcore_params *params) +{ + int32_t ret = 0; + const struct rte_cryptodev_capabilities *i, *j; + struct rte_hash *map; + struct lcore_conf *qconf; + struct ipsec_ctx *ipsec_ctx; + const char *str; + + qconf = &lcore_conf[params->lcore_id]; + + if ((unprotected_port_mask & (1 << params->port_id)) == 0) { + map = cdev_map_out; + ipsec_ctx = &qconf->outbound; + str = "Outbound"; + } else { + map = cdev_map_in; + ipsec_ctx = &qconf->inbound; + str = "Inbound"; + } + + /* Required cryptodevs with operation chainning */ + if (!(dev_info->feature_flags & + RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING)) + return ret; + + for (i = dev_info->capabilities; + i->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; i++) { + if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC) + continue; + + if (i->sym.xform_type != RTE_CRYPTO_SYM_XFORM_CIPHER) + continue; + + for (j = dev_info->capabilities; + j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) { + if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC) + continue; + + if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH) + continue; + + ret |= add_mapping(map, str, cdev_id, qp, params, + ipsec_ctx, i, j); + } + } + + return ret; +} + +static int32_t +cryptodevs_init(void) +{ + struct rte_cryptodev_config dev_conf; + struct rte_cryptodev_qp_conf qp_conf; + uint16_t idx, max_nb_qps, qp, i; + int16_t cdev_id; + struct rte_hash_parameters params = { 0 }; + + params.entries = CDEV_MAP_ENTRIES; + params.key_len = sizeof(struct cdev_key); + params.hash_func = rte_jhash; + params.hash_func_init_val = 0; + params.socket_id = rte_socket_id(); + + params.name = "cdev_map_in"; + cdev_map_in = rte_hash_create(¶ms); + if (cdev_map_in == NULL) + rte_panic("Failed to create cdev_map hash table, errno = %d\n", + rte_errno); + + params.name = "cdev_map_out"; + cdev_map_out = rte_hash_create(¶ms); + if (cdev_map_out == NULL) + rte_panic("Failed to create cdev_map hash table, errno = %d\n", + rte_errno); + + printf("lcore/cryptodev/qp mappings:\n"); + + idx = 0; + /* Start from last cdev id to give HW priority */ + for (cdev_id = rte_cryptodev_count() - 1; cdev_id >= 0; cdev_id--) { + struct rte_cryptodev_info cdev_info; + + rte_cryptodev_info_get(cdev_id, &cdev_info); + + if (nb_lcore_params > cdev_info.max_nb_queue_pairs) + max_nb_qps = cdev_info.max_nb_queue_pairs; + else + max_nb_qps = nb_lcore_params; + + qp = 0; + i = 0; + while (qp < max_nb_qps && i < nb_lcore_params) { + if (add_cdev_mapping(&cdev_info, cdev_id, qp, + &lcore_params[idx])) + qp++; + idx++; + idx = idx % nb_lcore_params; + i++; + } + + if (qp == 0) + continue; + + dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id); + dev_conf.nb_queue_pairs = qp; + dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS; + dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ; + + if (rte_cryptodev_configure(cdev_id, &dev_conf)) + rte_panic("Failed to initialize crypodev %u\n", + cdev_id); + + qp_conf.nb_descriptors = CDEV_MP_NB_OBJS; + for (qp = 0; qp < dev_conf.nb_queue_pairs; qp++) + if (rte_cryptodev_queue_pair_setup(cdev_id, qp, + &qp_conf, dev_conf.socket_id)) + rte_panic("Failed to setup queue %u for " + "cdev_id %u\n", 0, cdev_id); + } + + printf("\n"); + + return 0; +} + +static void +port_init(uint8_t portid) +{ + struct rte_eth_dev_info dev_info; + struct rte_eth_txconf *txconf; + uint16_t nb_tx_queue, nb_rx_queue; + uint16_t tx_queueid, rx_queueid, queue, lcore_id; + int32_t ret, socket_id; + struct lcore_conf *qconf; + struct ether_addr ethaddr; + + rte_eth_dev_info_get(portid, &dev_info); + + printf("Configuring device port %u:\n", portid); + + rte_eth_macaddr_get(portid, ðaddr); + ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr); + print_ethaddr("Address: ", ðaddr); + printf("\n"); + + nb_rx_queue = get_port_nb_rx_queues(portid); + nb_tx_queue = nb_lcores; + + if (nb_rx_queue > dev_info.max_rx_queues) + rte_exit(EXIT_FAILURE, "Error: queue %u not available " + "(max rx queue is %u)\n", + nb_rx_queue, dev_info.max_rx_queues); + + if (nb_tx_queue > dev_info.max_tx_queues) + rte_exit(EXIT_FAILURE, "Error: queue %u not available " + "(max tx queue is %u)\n", + nb_tx_queue, dev_info.max_tx_queues); + + printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n", + nb_rx_queue, nb_tx_queue); + + ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue, + &port_conf); + if (ret < 0) + rte_exit(EXIT_FAILURE, "Cannot configure device: " + "err=%d, port=%d\n", ret, portid); + + /* init one TX queue per lcore */ + tx_queueid = 0; + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { + if (rte_lcore_is_enabled(lcore_id) == 0) + continue; + + if (numa_on) + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); + else + socket_id = 0; + + /* init TX queue */ + printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id); + + txconf = &dev_info.default_txconf; + txconf->txq_flags = 0; + + ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd, + socket_id, txconf); + if (ret < 0) + rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: " + "err=%d, port=%d\n", ret, portid); + + qconf = &lcore_conf[lcore_id]; + qconf->tx_queue_id[portid] = tx_queueid; + tx_queueid++; + + /* init RX queues */ + for (queue = 0; queue < qconf->nb_rx_queue; ++queue) { + if (portid != qconf->rx_queue_list[queue].port_id) + continue; + + rx_queueid = qconf->rx_queue_list[queue].queue_id; + + printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid, + socket_id); + + ret = rte_eth_rx_queue_setup(portid, rx_queueid, + nb_rxd, socket_id, NULL, + socket_ctx[socket_id].mbuf_pool); + if (ret < 0) + rte_exit(EXIT_FAILURE, + "rte_eth_rx_queue_setup: err=%d, " + "port=%d\n", ret, portid); + } + } + printf("\n"); +} + +static void +pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf) +{ + char s[64]; + + snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id); + ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf, + MEMPOOL_CACHE_SIZE, ipsec_metadata_size(), + RTE_MBUF_DEFAULT_BUF_SIZE, + socket_id); + if (ctx->mbuf_pool == NULL) + rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n", + socket_id); + else + printf("Allocated mbuf pool on socket %d\n", socket_id); +} + +int32_t +main(int32_t argc, char **argv) +{ + int32_t ret; + uint32_t lcore_id, nb_ports; + uint8_t portid, socket_id; + + /* init EAL */ + ret = rte_eal_init(argc, argv); + if (ret < 0) + rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n"); + argc -= ret; + argv += ret; + + /* parse application arguments (after the EAL ones) */ + ret = parse_args(argc, argv); + if (ret < 0) + rte_exit(EXIT_FAILURE, "Invalid parameters\n"); + + if (ep < 0) + rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n"); + + if ((unprotected_port_mask & enabled_port_mask) != + unprotected_port_mask) + rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n", + unprotected_port_mask); + + nb_ports = rte_eth_dev_count(); + if (nb_ports > RTE_MAX_ETHPORTS) + nb_ports = RTE_MAX_ETHPORTS; + + if (check_params() < 0) + rte_exit(EXIT_FAILURE, "check_params failed\n"); + + ret = init_lcore_rx_queues(); + if (ret < 0) + rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n"); + + nb_lcores = rte_lcore_count(); + + /* Replicate each contex per socket */ + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { + if (rte_lcore_is_enabled(lcore_id) == 0) + continue; + + if (numa_on) + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); + else + socket_id = 0; + + if (socket_ctx[socket_id].mbuf_pool) + continue; + + sa_init(&socket_ctx[socket_id], socket_id, ep); + + sp_init(&socket_ctx[socket_id], socket_id, ep); + + rt_init(&socket_ctx[socket_id], socket_id, ep); + + pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); + } + + for (portid = 0; portid < nb_ports; portid++) { + if ((enabled_port_mask & (1 << portid)) == 0) + continue; + + port_init(portid); + } + + cryptodevs_init(); + + /* start ports */ + for (portid = 0; portid < nb_ports; portid++) { + if ((enabled_port_mask & (1 << portid)) == 0) + continue; + + /* Start device */ + ret = rte_eth_dev_start(portid); + if (ret < 0) + rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " + "err=%d, port=%d\n", ret, portid); + /* + * If enabled, put device in promiscuous mode. + * This allows IO forwarding mode to forward packets + * to itself through 2 cross-connected ports of the + * target machine. + */ + if (promiscuous_on) + rte_eth_promiscuous_enable(portid); + } + + check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask); + + /* launch per-lcore init on every lcore */ + rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER); + RTE_LCORE_FOREACH_SLAVE(lcore_id) { + if (rte_eal_wait_lcore(lcore_id) < 0) + return -1; + } + + return 0; +} diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c new file mode 100644 index 0000000..d385100 --- /dev/null +++ b/examples/ipsec-secgw/ipsec.c @@ -0,0 +1,203 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <netinet/in.h> +#include <netinet/ip.h> + +#include <rte_branch_prediction.h> +#include <rte_log.h> +#include <rte_crypto.h> +#include <rte_cryptodev.h> +#include <rte_mbuf.h> +#include <rte_hash.h> + +#include "ipsec.h" + +static inline int +create_session(struct ipsec_ctx *ipsec_ctx __rte_unused, struct ipsec_sa *sa) +{ + uint32_t cdev_id_qp = 0; + int32_t ret; + struct cdev_key key = { 0 }; + + key.lcore_id = (uint8_t)rte_lcore_id(); + + key.cipher_algo = (uint8_t)sa->cipher_algo; + key.auth_algo = (uint8_t)sa->auth_algo; + + ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, + (void **)&cdev_id_qp); + if (ret < 0) { + IPSEC_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, " + "auth_algo %u\n", key.lcore_id, key.cipher_algo, + key.auth_algo); + return -1; + } + + IPSEC_LOG(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev " + "%u qp %u\n", sa->spi, ipsec_ctx->tbl[cdev_id_qp].id, + ipsec_ctx->tbl[cdev_id_qp].qp); + + sa->crypto_session = rte_cryptodev_sym_session_create( + ipsec_ctx->tbl[cdev_id_qp].id, sa->xforms); + + sa->cdev_id_qp = cdev_id_qp; + + return 0; +} + +static inline void +enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop) +{ + int ret, i; + + cqp->buf[cqp->len++] = cop; + + if (cqp->len == MAX_PKT_BURST) { + ret = rte_cryptodev_enqueue_burst(cqp->id, cqp->qp, + cqp->buf, cqp->len); + if (ret < cqp->len) { + IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" + " enqueued %u crypto ops out of %u\n", + cqp->id, cqp->qp, + ret, cqp->len); + for (i = ret; i < cqp->len; i++) + rte_pktmbuf_free(cqp->buf[i]->sym->m_src); + } + cqp->in_flight += ret; + cqp->len = 0; + } +} + +static inline uint16_t +ipsec_processing(struct ipsec_ctx *ipsec_ctx, struct rte_mbuf *pkts[], + struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts) +{ + int ret = 0, i, j, nb_cops; + struct ipsec_mbuf_metadata *priv; + struct rte_crypto_op *cops[max_pkts]; + struct ipsec_sa *sa; + struct rte_mbuf *pkt; + + for (i = 0; i < nb_pkts; i++) { + rte_prefetch0(sas[i]); + rte_prefetch0(pkts[i]); + + priv = get_priv(pkts[i]); + sa = sas[i]; + priv->sa = sa; + + IPSEC_ASSERT(sa != NULL); + + priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; + + rte_prefetch0(&priv->sym_cop); + priv->cop.sym = &priv->sym_cop; + + if ((unlikely(sa->crypto_session == NULL)) && + create_session(ipsec_ctx, sa)) { + rte_pktmbuf_free(pkts[i]); + continue; + } + + rte_crypto_op_attach_sym_session(&priv->cop, + sa->crypto_session); + + ret = sa->pre_crypto(pkts[i], sa, &priv->cop); + if (unlikely(ret)) { + rte_pktmbuf_free(pkts[i]); + continue; + } + + IPSEC_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps); + enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop); + } + + nb_pkts = 0; + for (i = 0; i < ipsec_ctx->nb_qps && nb_pkts < max_pkts; i++) { + struct cdev_qp *cqp; + + cqp = &ipsec_ctx->tbl[ipsec_ctx->last_qp++]; + if (ipsec_ctx->last_qp == ipsec_ctx->nb_qps) + ipsec_ctx->last_qp %= ipsec_ctx->nb_qps; + + if (cqp->in_flight == 0) + continue; + + nb_cops = rte_cryptodev_dequeue_burst(cqp->id, cqp->qp, + cops, max_pkts - nb_pkts); + + cqp->in_flight -= nb_cops; + + for (j = 0; j < nb_cops; j++) { + pkt = cops[j]->sym->m_src; + rte_prefetch0(pkt); + + priv = get_priv(pkt); + sa = priv->sa; + + IPSEC_ASSERT(sa != NULL); + + ret = sa->post_crypto(pkt, sa, cops[j]); + if (unlikely(ret)) + rte_pktmbuf_free(pkt); + else + pkts[nb_pkts++] = pkt; + } + } + + /* return packets */ + return nb_pkts; +} + +uint16_t +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], + uint16_t nb_pkts, uint16_t len) +{ + struct ipsec_sa *sas[nb_pkts]; + + inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts); + + return ipsec_processing(ctx, pkts, sas, nb_pkts, len); +} + +uint16_t +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len) +{ + struct ipsec_sa *sas[nb_pkts]; + + outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts); + + return ipsec_processing(ctx, pkts, sas, nb_pkts, len); +} diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h new file mode 100644 index 0000000..8eb4e76 --- /dev/null +++ b/examples/ipsec-secgw/ipsec.h @@ -0,0 +1,192 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __IPSEC_H__ +#define __IPSEC_H__ + +#include <stdint.h> +#include <netinet/in.h> +#include <netinet/ip.h> + +#include <rte_byteorder.h> +#include <rte_ip.h> +#include <rte_crypto.h> + +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 +#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 +#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3 + +#define MAX_PKT_BURST 32 +#define MAX_QP_PER_LCORE 256 + +#ifdef IPSEC_DEBUG +#define IPSEC_ASSERT(exp) \ +if (!(exp)) { \ + rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \ +} + +#define IPSEC_LOG RTE_LOG +#else +#define IPSEC_ASSERT(exp) do {} while (0) +#define IPSEC_LOG(...) do {} while (0) +#endif /* IPSEC_DEBUG */ + +#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ + +#define uint32_t_to_char(ip, a, b, c, d) do {\ + *a = (unsigned char)(ip >> 24 & 0xff);\ + *b = (unsigned char)(ip >> 16 & 0xff);\ + *c = (unsigned char)(ip >> 8 & 0xff);\ + *d = (unsigned char)(ip & 0xff);\ + } while (0) + +#define DEFAULT_MAX_CATEGORIES 1 + +#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */ +#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) +#define INVALID_SPI (0) + +#define DISCARD (0x80000000) +#define BYPASS (0x40000000) +#define PROTECT_MASK (0x3fffffff) +#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ + +#define IPSEC_XFORM_MAX 2 + +struct rte_crypto_xform; +struct ipsec_xform; +struct rte_cryptodev_session; +struct rte_mbuf; + +struct ipsec_sa; + +typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa, + struct rte_crypto_op *cop); + +struct ipsec_sa { + uint32_t spi; + uint32_t cdev_id_qp; + uint32_t src; + uint32_t dst; + struct rte_cryptodev_sym_session *crypto_session; + struct rte_crypto_sym_xform *xforms; + ipsec_xform_fn pre_crypto; + ipsec_xform_fn post_crypto; + enum rte_crypto_cipher_algorithm cipher_algo; + enum rte_crypto_auth_algorithm auth_algo; + uint16_t digest_len; + uint16_t iv_len; + uint16_t block_size; + uint16_t flags; + uint32_t seq; +} __rte_cache_aligned; + +struct ipsec_mbuf_metadata { + struct ipsec_sa *sa; + struct rte_crypto_op cop; + struct rte_crypto_sym_op sym_cop; +}; + +struct cdev_qp { + uint16_t id; + uint16_t qp; + uint16_t in_flight; + uint16_t len; + struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *)); +}; + +struct ipsec_ctx { + struct rte_hash *cdev_map; + struct sp_ctx *sp_ctx; + struct sa_ctx *sa_ctx; + uint16_t nb_qps; + uint16_t last_qp; + struct cdev_qp tbl[MAX_QP_PER_LCORE]; +}; + +struct cdev_key { + uint16_t lcore_id; + uint8_t cipher_algo; + uint8_t auth_algo; +}; + +struct socket_ctx { + struct sa_ctx *sa_ipv4_in; + struct sa_ctx *sa_ipv4_out; + struct sp_ctx *sp_ipv4_in; + struct sp_ctx *sp_ipv4_out; + struct rt_ctx *rt_ipv4; + struct rte_mempool *mbuf_pool; +}; + +uint16_t +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], + uint16_t nb_pkts, uint16_t len); + +uint16_t +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len); + +static inline uint16_t +ipsec_metadata_size(void) +{ + return sizeof(struct ipsec_mbuf_metadata); +} + +static inline struct ipsec_mbuf_metadata * +get_priv(struct rte_mbuf *m) +{ + return RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); +} + +int +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); + +void +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], + struct ipsec_sa *sa[], uint16_t nb_pkts); + +void +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], + struct ipsec_sa *sa[], uint16_t nb_pkts); + +void +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep); + +void +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep); + +void +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep); + +#endif /* __IPSEC_H__ */ diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c new file mode 100644 index 0000000..c3bb4de --- /dev/null +++ b/examples/ipsec-secgw/rt.c @@ -0,0 +1,144 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Routing Table (RT) + */ +#include <rte_lpm.h> +#include <rte_errno.h> + +#include "ipsec.h" + +#define RT_IPV4_MAX_RULES 64 + +struct ipv4_route { + uint32_t ip; + uint8_t depth; + uint8_t if_out; +}; + +/* In the default routing table we have: + * ep0 protected ports 0 and 1, and unprotected ports 2 and 3. + */ +static struct ipv4_route rt_ipv4_ep0[] = { + { IPv4(172, 16, 2, 5), 32, 0 }, + { IPv4(172, 16, 2, 6), 32, 0 }, + { IPv4(172, 16, 2, 7), 32, 1 }, + { IPv4(172, 16, 2, 8), 32, 1 }, + + { IPv4(192, 168, 115, 0), 24, 2 }, + { IPv4(192, 168, 116, 0), 24, 2 }, + { IPv4(192, 168, 117, 0), 24, 3 }, + { IPv4(192, 168, 118, 0), 24, 3 }, + + { IPv4(192, 168, 210, 0), 24, 2 }, + + { IPv4(192, 168, 240, 0), 24, 2 }, + { IPv4(192, 168, 250, 0), 24, 0 } +}; + +/* In the default routing table we have: + * ep1 protected ports 0 and 1, and unprotected ports 2 and 3. + */ +static struct ipv4_route rt_ipv4_ep1[] = { + { IPv4(172, 16, 1, 5), 32, 2 }, + { IPv4(172, 16, 1, 6), 32, 2 }, + { IPv4(172, 16, 1, 7), 32, 3 }, + { IPv4(172, 16, 1, 8), 32, 3 }, + + { IPv4(192, 168, 105, 0), 24, 0 }, + { IPv4(192, 168, 106, 0), 24, 0 }, + { IPv4(192, 168, 107, 0), 24, 1 }, + { IPv4(192, 168, 108, 0), 24, 1 }, + + { IPv4(192, 168, 200, 0), 24, 0 }, + + { IPv4(192, 168, 240, 0), 24, 2 }, + { IPv4(192, 168, 250, 0), 24, 0 } +}; + +void +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep) +{ + char name[PATH_MAX]; + unsigned i; + int ret; + struct rte_lpm *lpm; + struct ipv4_route *rt; + char a, b, c, d; + unsigned nb_routes; + struct rte_lpm_config conf = { 0 }; + + if (ctx == NULL) + rte_exit(EXIT_FAILURE, "NULL context.\n"); + + if (ctx->rt_ipv4 != NULL) + rte_exit(EXIT_FAILURE, "Routing Table for socket %u already " + "initialized\n", socket_id); + + printf("Creating Routing Table (RT) context with %u max routes\n", + RT_IPV4_MAX_RULES); + + if (ep == 0) { + rt = rt_ipv4_ep0; + nb_routes = RTE_DIM(rt_ipv4_ep0); + } else if (ep == 1) { + rt = rt_ipv4_ep1; + nb_routes = RTE_DIM(rt_ipv4_ep1); + } else + rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 " + "supported.\n", ep); + + /* create the LPM table */ + snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id); + conf.max_rules = RT_IPV4_MAX_RULES; + conf.number_tbl8s = RTE_LPM_TBL8_NUM_ENTRIES; + lpm = rte_lpm_create(name, socket_id, &conf); + if (lpm == NULL) + rte_exit(EXIT_FAILURE, "Unable to create LPM table " + "on socket %d\n", socket_id); + + /* populate the LPM table */ + for (i = 0; i < nb_routes; i++) { + ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out); + if (ret < 0) + rte_exit(EXIT_FAILURE, "Unable to add entry num %u to " + "LPM table on socket %d\n", i, socket_id); + + uint32_t_to_char(rt[i].ip, &a, &b, &c, &d); + printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n", + a, b, c, d, rt[i].depth, rt[i].if_out); + } + + ctx->rt_ipv4 = (struct rt_ctx *)lpm; +} diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c new file mode 100644 index 0000000..91a5f6e --- /dev/null +++ b/examples/ipsec-secgw/sa.c @@ -0,0 +1,438 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Security Associations + */ +#include <netinet/ip.h> + +#include <rte_memzone.h> +#include <rte_crypto.h> +#include <rte_cryptodev.h> +#include <rte_byteorder.h> +#include <rte_errno.h> + +#include "ipsec.h" +#include "esp.h" + +/* SAs EP0 Outbound */ +const struct ipsec_sa sa_ep0_out[] = { + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, + 0, 0, 4, + 0, 0 }, +}; + +/* SAs EP0 Inbound */ +const struct ipsec_sa sa_ep0_in[] = { + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, + 0, 0, 4, + 0, 0 }, +}; + +/* SAs EP1 Outbound */ +const struct ipsec_sa sa_ep1_out[] = { + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), + NULL, NULL, + esp4_tunnel_outbound_pre_crypto, + esp4_tunnel_outbound_post_crypto, + RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, + 0, 0, 4, + 0, 0 }, +}; + +/* SAs EP1 Inbound */ +const struct ipsec_sa sa_ep1_in[] = { + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, + 12, 16, 16, + 0, 0 }, + { 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), + NULL, NULL, + esp4_tunnel_inbound_pre_crypto, + esp4_tunnel_inbound_post_crypto, + RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL, + 0, 0, 4, + 0, 0 }, +}; + +static uint8_t cipher_key[256] = "sixteenbytes key"; + +/* AES CBC xform */ +const struct rte_crypto_sym_xform aescbc_enc_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC, + .key = { cipher_key, 16 } } +}; + +const struct rte_crypto_sym_xform aescbc_dec_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC, + .key = { cipher_key, 16 } } +}; + +static uint8_t auth_key[256] = "twentybytes hash key"; + +/* SHA1 HMAC xform */ +const struct rte_crypto_sym_xform sha1hmac_gen_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC, + .key = { auth_key, 20 }, 12, 0 } +}; + +const struct rte_crypto_sym_xform sha1hmac_verify_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC, + .key = { auth_key, 20 }, 12, 0 } +}; + +/* AES CBC xform */ +const struct rte_crypto_sym_xform null_cipher_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { .algo = RTE_CRYPTO_CIPHER_NULL } +}; + +const struct rte_crypto_sym_xform null_auth_xf = { + NULL, + RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { .algo = RTE_CRYPTO_AUTH_NULL } +}; + +struct sa_ctx { + struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES]; + struct { + struct rte_crypto_sym_xform a; + struct rte_crypto_sym_xform b; + } xf[IPSEC_SA_MAX_ENTRIES]; +}; + +static struct sa_ctx * +sa_ipv4_create(const char *name, int socket_id) +{ + char s[PATH_MAX]; + struct sa_ctx *sa_ctx; + unsigned mz_size; + const struct rte_memzone *mz; + + snprintf(s, sizeof(s), "%s_%u", name, socket_id); + + /* Create SA array table */ + printf("Creating SA context with %u maximum entries\n", + IPSEC_SA_MAX_ENTRIES); + + mz_size = sizeof(struct sa_ctx); + mz = rte_memzone_reserve(s, mz_size, socket_id, + RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY); + if (mz == NULL) { + printf("Failed to allocate SA DB memory\n"); + rte_errno = -ENOMEM; + return NULL; + } + + sa_ctx = (struct sa_ctx *)mz->addr; + + return sa_ctx; +} + +static int +sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], + unsigned nb_entries, unsigned inbound) +{ + struct ipsec_sa *sa; + unsigned i, idx; + + for (i = 0; i < nb_entries; i++) { + idx = SPI2IDX(entries[i].spi); + sa = &sa_ctx->sa[idx]; + if (sa->spi != 0) { + printf("Index %u already in use by SPI %u\n", + idx, sa->spi); + return -EINVAL; + } + *sa = entries[i]; + sa->src = rte_cpu_to_be_32(sa->src); + sa->dst = rte_cpu_to_be_32(sa->dst); + if (inbound) { + if (sa->cipher_algo == RTE_CRYPTO_CIPHER_NULL) { + sa_ctx->xf[idx].a = null_auth_xf; + sa_ctx->xf[idx].b = null_cipher_xf; + } else { + sa_ctx->xf[idx].a = sha1hmac_verify_xf; + sa_ctx->xf[idx].b = aescbc_dec_xf; + } + } else { /* outbound */ + if (sa->cipher_algo == RTE_CRYPTO_CIPHER_NULL) { + sa_ctx->xf[idx].a = null_cipher_xf; + sa_ctx->xf[idx].b = null_auth_xf; + } else { + sa_ctx->xf[idx].a = aescbc_enc_xf; + sa_ctx->xf[idx].b = sha1hmac_gen_xf; + } + } + sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b; + sa_ctx->xf[idx].b.next = NULL; + sa->xforms = &sa_ctx->xf[idx].a; + } + + return 0; +} + +static inline int +sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], + unsigned nb_entries) +{ + return sa_add_rules(sa_ctx, entries, nb_entries, 0); +} + +static inline int +sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], + unsigned nb_entries) +{ + return sa_add_rules(sa_ctx, entries, nb_entries, 1); +} + +void +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep) +{ + const struct ipsec_sa *sa_out_entries, *sa_in_entries; + unsigned nb_out_entries, nb_in_entries; + const char *name; + + if (ctx == NULL) + rte_exit(EXIT_FAILURE, "NULL context.\n"); + + if (ctx->sa_ipv4_in != NULL) + rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already " + "initialized\n", socket_id); + + if (ctx->sa_ipv4_out != NULL) + rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already " + "initialized\n", socket_id); + + if (ep == 0) { + sa_out_entries = sa_ep0_out; + nb_out_entries = RTE_DIM(sa_ep0_out); + sa_in_entries = sa_ep0_in; + nb_in_entries = RTE_DIM(sa_ep0_in); + } else if (ep == 1) { + sa_out_entries = sa_ep1_out; + nb_out_entries = RTE_DIM(sa_ep1_out); + sa_in_entries = sa_ep1_in; + nb_in_entries = RTE_DIM(sa_ep1_in); + } else + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " + "Only 0 or 1 supported.\n", ep); + + name = "sa_ipv4_in"; + ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id); + if (ctx->sa_ipv4_in == NULL) + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " + "in socket %d\n", rte_errno, name, socket_id); + + name = "sa_ipv4_out"; + ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id); + if (ctx->sa_ipv4_out == NULL) + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " + "in socket %d\n", rte_errno, name, socket_id); + + sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, nb_in_entries); + + sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, nb_out_entries); +} + +int +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx) +{ + struct ipsec_mbuf_metadata *priv; + + priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); + + return (sa_ctx->sa[sa_idx].spi == priv->sa->spi); +} + +void +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], + struct ipsec_sa *sa[], uint16_t nb_pkts) +{ + unsigned i; + uint32_t *src, spi; + + for (i = 0; i < nb_pkts; i++) { + spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *, + sizeof(struct ip))->spi; + + if (spi == INVALID_SPI) + continue; + + sa[i] = &sa_ctx->sa[SPI2IDX(spi)]; + if (spi != sa[i]->spi) { + sa[i] = NULL; + continue; + } + + src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *, + offsetof(struct ip, ip_src)); + if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1))) + sa[i] = NULL; + } +} + +void +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], + struct ipsec_sa *sa[], uint16_t nb_pkts) +{ + unsigned i; + + for (i = 0; i < nb_pkts; i++) + sa[i] = &sa_ctx->sa[sa_idx[i]]; +} diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c new file mode 100644 index 0000000..7972f40 --- /dev/null +++ b/examples/ipsec-secgw/sp.c @@ -0,0 +1,364 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Security Policies + */ +#include <netinet/ip.h> + +#include <rte_acl.h> + +#include "ipsec.h" + +#define MAX_ACL_RULE_NUM 1000 + +/* + * Rule and trace formats definitions. + */ +enum { + PROTO_FIELD_IPV4, + SRC_FIELD_IPV4, + DST_FIELD_IPV4, + SRCP_FIELD_IPV4, + DSTP_FIELD_IPV4, + NUM_FIELDS_IPV4 +}; + +/* + * That effectively defines order of IPV4 classifications: + * - PROTO + * - SRC IP ADDRESS + * - DST IP ADDRESS + * - PORTS (SRC and DST) + */ +enum { + RTE_ACL_IPV4_PROTO, + RTE_ACL_IPV4_SRC, + RTE_ACL_IPV4_DST, + RTE_ACL_IPV4_PORTS, + RTE_ACL_IPV4_NUM +}; + +struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = { + { + .type = RTE_ACL_FIELD_TYPE_BITMASK, + .size = sizeof(uint8_t), + .field_index = PROTO_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_PROTO, + .offset = 0, + }, + { + .type = RTE_ACL_FIELD_TYPE_MASK, + .size = sizeof(uint32_t), + .field_index = SRC_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_SRC, + .offset = offsetof(struct ip, ip_src) - offsetof(struct ip, ip_p) + }, + { + .type = RTE_ACL_FIELD_TYPE_MASK, + .size = sizeof(uint32_t), + .field_index = DST_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_DST, + .offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p) + }, + { + .type = RTE_ACL_FIELD_TYPE_RANGE, + .size = sizeof(uint16_t), + .field_index = SRCP_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_PORTS, + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) + }, + { + .type = RTE_ACL_FIELD_TYPE_RANGE, + .size = sizeof(uint16_t), + .field_index = DSTP_FIELD_IPV4, + .input_index = RTE_ACL_IPV4_PORTS, + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) + + sizeof(uint16_t) + }, +}; + +RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs)); + +const struct acl4_rules acl4_rules_in[] = { + { + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 105, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 106, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 107, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 108, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 200, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = BYPASS, .category_mask = 1, .priority = 6}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 250, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + } +}; + +const struct acl4_rules acl4_rules_out[] = { + { + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 115, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 116, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 117, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 118, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 210, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + }, + { + .data = {.userdata = BYPASS, .category_mask = 1, .priority = 6}, + /* destination IPv4 */ + .field[2] = {.value.u32 = IPv4(192, 168, 240, 0), + .mask_range.u32 = 24,}, + /* source port */ + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, + /* destination port */ + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} + } +}; + +static void +print_one_ipv4_rule(const struct acl4_rules *rule, int extra) +{ + unsigned char a, b, c, d; + + uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32, + &a, &b, &c, &d); + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, + rule->field[SRC_FIELD_IPV4].mask_range.u32); + uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32, + &a, &b, &c, &d); + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, + rule->field[DST_FIELD_IPV4].mask_range.u32); + printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ", + rule->field[SRCP_FIELD_IPV4].value.u16, + rule->field[SRCP_FIELD_IPV4].mask_range.u16, + rule->field[DSTP_FIELD_IPV4].value.u16, + rule->field[DSTP_FIELD_IPV4].mask_range.u16, + rule->field[PROTO_FIELD_IPV4].value.u8, + rule->field[PROTO_FIELD_IPV4].mask_range.u8); + if (extra) + printf("0x%x-0x%x-0x%x ", + rule->data.category_mask, + rule->data.priority, + rule->data.userdata); +} + +static inline void +dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra) +{ + int i; + + for (i = 0; i < num; i++, rule++) { + printf("\t%d:", i + 1); + print_one_ipv4_rule(rule, extra); + printf("\n"); + } +} + +static struct rte_acl_ctx * +acl4_init(const char *name, int socketid, const struct acl4_rules *rules, + unsigned rules_nb) +{ + char s[PATH_MAX]; + struct rte_acl_param acl_param; + struct rte_acl_config acl_build_param; + struct rte_acl_ctx *ctx; + + printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM); + + memset(&acl_param, 0, sizeof(acl_param)); + + /* Create ACL contexts */ + snprintf(s, sizeof(s), "%s_%d", name, socketid); + + printf("IPv4 %s entries [%u]:\n", s, rules_nb); + dump_ipv4_rules(rules, rules_nb, 1); + + acl_param.name = s; + acl_param.socket_id = socketid; + acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs)); + acl_param.max_rule_num = MAX_ACL_RULE_NUM; + + ctx = rte_acl_create(&acl_param); + if (ctx == NULL) + rte_exit(EXIT_FAILURE, "Failed to create ACL context\n"); + + if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules, + rules_nb) < 0) + rte_exit(EXIT_FAILURE, "add rules failed\n"); + + /* Perform builds */ + memset(&acl_build_param, 0, sizeof(acl_build_param)); + + acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES; + acl_build_param.num_fields = RTE_DIM(ipv4_defs); + memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs)); + + if (rte_acl_build(ctx, &acl_build_param) != 0) + rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n"); + + rte_acl_dump(ctx); + + return ctx; +} + +void +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep) +{ + const char *name; + const struct acl4_rules *rules_out, *rules_in; + unsigned nb_out_rules, nb_in_rules; + + if (ctx == NULL) + rte_exit(EXIT_FAILURE, "NULL context.\n"); + + if (ctx->sp_ipv4_in != NULL) + rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already " + "initialized\n", socket_id); + + if (ctx->sp_ipv4_out != NULL) + rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already " + "initialized\n", socket_id); + + if (ep == 0) { + rules_out = acl4_rules_in; + nb_out_rules = RTE_DIM(acl4_rules_in); + rules_in = acl4_rules_out; + nb_in_rules = RTE_DIM(acl4_rules_out); + } else if (ep == 1) { + rules_out = acl4_rules_out; + nb_out_rules = RTE_DIM(acl4_rules_out); + rules_in = acl4_rules_in; + nb_in_rules = RTE_DIM(acl4_rules_in); + } else + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " + "Only 0 or 1 supported.\n", ep); + + name = "sp_ipv4_in"; + ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id, + rules_in, nb_in_rules); + + name = "sp_ipv4_out"; + ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id, + rules_out, nb_out_rules); +} -- 2.4.3 ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway 2016-03-11 2:12 ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy @ 2016-03-11 10:01 ` De Lara Guarch, Pablo 2016-03-11 10:07 ` Thomas Monjalon 2016-03-11 10:02 ` Thomas Monjalon 1 sibling, 1 reply; 15+ messages in thread From: De Lara Guarch, Pablo @ 2016-03-11 10:01 UTC (permalink / raw) To: Gonzalez Monroy, Sergio, dev > -----Original Message----- > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Sergio Gonzalez > Monroy > Sent: Friday, March 11, 2016 2:13 AM > To: dev@dpdk.org > Subject: [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway > > Sample app implementing an IPsec Security Geteway. > The main goal of this app is to show the use of cryptodev framework > in a "real world" application. > > Currently only supported static IPv4 ESP IPsec tunnels for the following > algorithms: > - Cipher: AES-CBC, NULL > - Authentication: HMAC-SHA1, NULL > > Not supported: > - SA auto negotiation (No IKE implementation) > - chained mbufs > > Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com> ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway 2016-03-11 10:01 ` De Lara Guarch, Pablo @ 2016-03-11 10:07 ` Thomas Monjalon 0 siblings, 0 replies; 15+ messages in thread From: Thomas Monjalon @ 2016-03-11 10:07 UTC (permalink / raw) To: Gonzalez Monroy, Sergio; +Cc: dev > > Sample app implementing an IPsec Security Geteway. > > The main goal of this app is to show the use of cryptodev framework > > in a "real world" application. > > > > Currently only supported static IPv4 ESP IPsec tunnels for the following > > algorithms: > > - Cipher: AES-CBC, NULL > > - Authentication: HMAC-SHA1, NULL > > > > Not supported: > > - SA auto negotiation (No IKE implementation) > > - chained mbufs > > > > Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> > > Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com> Applied, thanks ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway 2016-03-11 2:12 ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy 2016-03-11 10:01 ` De Lara Guarch, Pablo @ 2016-03-11 10:02 ` Thomas Monjalon 1 sibling, 0 replies; 15+ messages in thread From: Thomas Monjalon @ 2016-03-11 10:02 UTC (permalink / raw) To: Sergio Gonzalez Monroy; +Cc: dev 2016-03-11 02:12, Sergio Gonzalez Monroy: > +M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> > +F: doc/guides/sample_app_ug/ipsec-secgw.rst Typo in filename (will fix) ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2016-03-11 10:09 UTC | newest] Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-01-29 20:29 [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway Sergio Gonzalez Monroy 2016-01-31 14:39 ` Jerin Jacob 2016-02-01 11:09 ` Sergio Gonzalez Monroy 2016-02-01 11:26 ` Jerin Jacob 2016-02-01 14:09 ` Thomas Monjalon 2016-03-09 23:54 ` Sergio Gonzalez Monroy 2016-03-10 3:41 ` Jerin Jacob 2016-02-24 13:32 ` Thomas Monjalon 2016-02-24 14:49 ` Sergio Gonzalez Monroy 2016-03-11 1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy 2016-03-11 2:12 ` De Lara Guarch, Pablo 2016-03-11 2:12 ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy 2016-03-11 10:01 ` De Lara Guarch, Pablo 2016-03-11 10:07 ` Thomas Monjalon 2016-03-11 10:02 ` Thomas Monjalon
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).