DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
@ 2016-01-29 20:29 Sergio Gonzalez Monroy
  2016-01-31 14:39 ` Jerin Jacob
                   ` (2 more replies)
  0 siblings, 3 replies; 15+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-01-29 20:29 UTC (permalink / raw)
  To: dev

Sample app implementing an IPsec Security Geteway.
The main goal of this app is to show the use of cryptodev framework
in a real world application.

Currently only supported static IPv4 IPsec tunnels using AES-CBC
and HMAC-SHA1.

Also, currently not supported:
- SA auto negotiation (No IKE support)
- chained mbufs

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
---
 MAINTAINERS                              |    4 +
 doc/guides/sample_app_ug/index.rst       |    1 +
 doc/guides/sample_app_ug/ipsec_secgw.rst |  440 +++++++++++
 examples/Makefile                        |    2 +
 examples/ipsec-secgw/Makefile            |   58 ++
 examples/ipsec-secgw/esp.c               |  256 +++++++
 examples/ipsec-secgw/esp.h               |   66 ++
 examples/ipsec-secgw/ipip.h              |  100 +++
 examples/ipsec-secgw/ipsec-secgw.c       | 1218 ++++++++++++++++++++++++++++++
 examples/ipsec-secgw/ipsec.c             |  138 ++++
 examples/ipsec-secgw/ipsec.h             |  184 +++++
 examples/ipsec-secgw/rt.c                |  131 ++++
 examples/ipsec-secgw/sa.c                |  391 ++++++++++
 examples/ipsec-secgw/sp.c                |  324 ++++++++
 14 files changed, 3313 insertions(+)
 create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst
 create mode 100644 examples/ipsec-secgw/Makefile
 create mode 100644 examples/ipsec-secgw/esp.c
 create mode 100644 examples/ipsec-secgw/esp.h
 create mode 100644 examples/ipsec-secgw/ipip.h
 create mode 100644 examples/ipsec-secgw/ipsec-secgw.c
 create mode 100644 examples/ipsec-secgw/ipsec.c
 create mode 100644 examples/ipsec-secgw/ipsec.h
 create mode 100644 examples/ipsec-secgw/rt.c
 create mode 100644 examples/ipsec-secgw/sa.c
 create mode 100644 examples/ipsec-secgw/sp.c

diff --git a/MAINTAINERS b/MAINTAINERS
index b90aeea..996eda6 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst
 M: Pablo de Lara <pablo.de.lara.guarch@intel.com>
 M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
 F: examples/ptpclient/
+
+M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
+F: doc/guides/sample_app_ug/ipsec-secgw.rst
+F: examples/ipsec-secgw/
diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst
index 8a646dd..88375d2 100644
--- a/doc/guides/sample_app_ug/index.rst
+++ b/doc/guides/sample_app_ug/index.rst
@@ -73,6 +73,7 @@ Sample Applications User Guide
     proc_info
     ptpclient
     performance_thread
+    ipsec_secgw
 
 **Figures**
 
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
new file mode 100644
index 0000000..7be3f7e
--- /dev/null
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -0,0 +1,440 @@
+..  BSD LICENSE
+    Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions
+    are met:
+
+    * Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+    * Neither the name of Intel Corporation nor the names of its
+    contributors may be used to endorse or promote products derived
+    from this software without specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+IPsec Security Gateway Sample Application
+=========================================
+
+The IPsec Security Gateway application is a minimal example of real work
+application using DPDK cryptodev framework.
+
+Overview
+--------
+
+The application demonstrates the implementation of a minimal Security Gateway
+(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and
+RFC2404.
+
+Note that IKE is not supported (therefore not IPsec compliant), so only manual
+setting of Security Policies and Associations is allowed.
+
+The Security Policies (SP) are implemented as ACL rules, the Security
+Associations (SA) are stored in a table and the Routing is implemented
+using LPM.
+
+The application splits the ports between Protected and Unprotected.
+Based on the port the trafic is coming from, the traffic would be consider
+IPsec Inbound or Outbound.
+Traffic from Unprotected ports is consider IPsec Inbound, and traffic from
+Protected ports is consider IPsec Outbound.
+
+Path for IPsec Inbound traffic:
+*  Read packets from the port
+*  Classify packets between IPv4 and ESP.
+*  Inbound SA lookup for ESP packets based on their SPI
+*  Verification/Decryption
+*  Removal of ESP and outter IP header
+*  Inbound SP check using ACL of decrypted packets and any other IPv4 packet
+we read.
+*  Routing
+*  Write packet to port
+
+Path for IPsec Outbound traffic:
+*  Read packets from the port
+*  Outbound SP check using ACL of all IPv4 traffic
+*  Outbound SA lookup for packets that need IPsec protection
+*  Add ESP and outter IP header
+*  Encryption/Digest
+*  Routing
+*  Write packet to port
+
+Constraints
+-----------
+*  IPv4 traffic
+*  ESP tunnel mode
+*  EAS-CBC and HMAC-SHA1
+*  Each SA must be handle by a unique lcore (1 RX queue per port)
+*  No chained mbufs
+
+Compiling the Application
+-------------------------
+
+To compile the application:
+
+#. Go to the sample application directory:
+
+   .. code-block:: console
+
+      export RTE_SDK=/path/to/rte_sdk
+      cd ${RTE_SDK}/examples/ipsec-secgw
+
+#. Set the target (a default target is used if not specified). For example:
+
+   .. code-block:: console
+
+      export RTE_TARGET=x86_64-native-linuxapp-gcc
+
+    See the *DPDK Getting Started Guide* for possible RTE_TARGET values.
+
+#. Build the application:
+
+   .. code-block:: console
+
+       make
+
+Running the Application
+-----------------------
+
+The application has a number of command line options:
+
+.. code-block:: console
+
+   ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config
+   (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT
+
+where,
+
+*   -p PORTMASK: Hexadecimal bitmask of ports to configure
+
+*   -P: optional, sets all ports to promiscuous mode so that packets are
+    accepted regardless of the packet's Ethernet MAC destination address.
+    Without this option, only packets with the Ethernet MAC destination address
+    set to the Ethernet address of the port are accepted (default is enabled).
+
+*   -u PORTMASK: hexadecimal bitmask of unprotected ports
+
+*   --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues
+    from which ports are mapped to which cores
+
+*   --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto
+
+*   --EP0: configure the app as Endpoint 0.
+
+*   --EP1: configure the app as Endpoint 1.
+
+Either --EP0 or --EP1 must be specified.
+
+The mapping of lcores to port/queues is similar to other l3fwd applications.
+
+For example, given the following command line:
+.. code-block:: console
+
+    ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3
+    --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0
+
+where each options means:
+
+*   The -l option enables cores 20 and 21
+
+*   The -n option sets memory 4 channels
+
+*   The --socket-mem to use 2GB on socket 1
+
+*   The -p option enables ports (detected) 0, 1, 2 and 3
+
+*   The -P option enables promiscous mode
+
+*   The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected
+
+*   The --config option enables one queue per port with the following mapping:
+
++----------+-----------+-----------+---------------------------------------+
+| **Port** | **Queue** | **lcore** | **Description**                       |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 0        | 0         | 20        | Map queue 0 from port 0 to lcore 20.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 1        | 0         | 20        | Map queue 0 from port 1 to lcore 20.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 2        | 0         | 21        | Map queue 0 from port 2 to lcore 21.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 3        | 0         | 21        | Map queue 0 from port 3 to lcore 21.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+
+Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options.
+
+Configurations
+--------------
+
+The following sections provide some details on the default values used to
+initialize the SP, SA and Routing tables.
+Currently all the configuration is hardcoded into the application.
+
+Security Policy Initialization
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As mention in the overview, the Security Policies are ACL rules.
+There are two ACLs, Inbound and Outboud.
+The application would also replicate the set of two ACLs per socket in use.
+
+Following are the default rules:
+
+Endpoint 0 Outbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.105.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.106.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.107.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.108.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+Endpoint 0 Inbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.115.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.116.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.117.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.118.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+Endpoint 1 Outbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.115.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.116.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.117.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.118.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+Endpoint 1 Inbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.105.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.106.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.107.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.108.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+
+Security Association Initialization
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The SAs are kept in a array table.
+
+For Inbound, the SPI is used as index module the table size.
+This means that on a table for 100 SA, SPI 5 and 105 would use the same index
+and that is not currently supported.
+
+Notice that it is not an issue for Outbound traffic as we store the index and
+not the SPI in the Security Policy.
+
+All SAs are configured with the same cipher algo, block size and key (AES-CBC
+16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B
+digest).
+
+Following are the default values:
+
+Endpoint 0 Outbound Security Associations:
+
++---------+----------------+------------------+
+| **SPI** | **Tunnel src** | **Tunnel dst**   |
+|         |                |                  |
++---------+----------------+------------------+
+| 5       | 172.16.1.5     | 172.16.2.5       |
+|         |                |                  |
++---------+----------------+------------------+
+| 6       | 172.16.1.6     | 172.16.2.6       |
+|         |                |                  |
++---------+----------------+------------------+
+| 7       | 172.16.1.7     | 172.16.2.7       |
+|         |                |                  |
++---------+----------------+------------------+
+| 8       | 172.16.1.8     | 172.16.2.8       |
+|         |                |                  |
++---------+----------------+------------------+
+
+Endpoint 0 Inbound Security Associations:
+
++---------+----------------+------------------+
+| **SPI** | **Tunnel src** | **Tunnel dst**   |
+|         |                |                  |
++---------+----------------+------------------+
+| 5       | 172.16.2.5     | 172.16.1.5       |
+|         |                |                  |
++---------+----------------+------------------+
+| 6       | 172.16.2.6     | 172.16.1.6       |
+|         |                |                  |
++---------+----------------+------------------+
+| 7       | 172.16.2.7     | 172.16.1.7       |
+|         |                |                  |
++---------+----------------+------------------+
+| 8       | 172.16.2.8     | 172.16.1.8       |
+|         |                |                  |
++---------+----------------+------------------+
+
+Endpoint 1 Outbound Security Associations:
+
++---------+----------------+------------------+
+| **SPI** | **Tunnel src** | **Tunnel dst**   |
+|         |                |                  |
++---------+----------------+------------------+
+| 5       | 172.16.2.5     | 172.16.1.5       |
+|         |                |                  |
++---------+----------------+------------------+
+| 6       | 172.16.2.6     | 172.16.1.6       |
+|         |                |                  |
++---------+----------------+------------------+
+| 7       | 172.16.2.7     | 172.16.1.7       |
+|         |                |                  |
++---------+----------------+------------------+
+| 8       | 172.16.2.8     | 172.16.1.8       |
+|         |                |                  |
++---------+----------------+------------------+
+
+Endpoint 1 Inbound Security Associations:
+
++---------+----------------+------------------+
+| **SPI** | **Tunnel src** | **Tunnel dst**   |
+|         |                |                  |
++---------+----------------+------------------+
+| 5       | 172.16.1.5     | 172.16.2.5       |
+|         |                |                  |
++---------+----------------+------------------+
+| 6       | 172.16.1.6     | 172.16.2.6       |
+|         |                |                  |
++---------+----------------+------------------+
+| 7       | 172.16.1.7     | 172.16.2.7       |
+|         |                |                  |
++---------+----------------+------------------+
+| 8       | 172.16.1.8     | 172.16.2.8       |
+|         |                |                  |
++---------+----------------+------------------+
+
+Routing Initialization
+~~~~~~~~~~~~~~~~~~~~~~
+
+The Routing is implemented using LPM table.
+
+Following default values:
+
+Endpoint 0 Routing Table:
+
++------------------+----------+
+| **Dst addr**     | **Port** |
+|                  |          |
++------------------+----------+
+| 172.16.2.5/32    | 0        |
+|                  |          |
++------------------+----------+
+| 172.16.2.6/32    | 0        |
+|                  |          |
++------------------+----------+
+| 172.16.2.7/32    | 1        |
+|                  |          |
++------------------+----------+
+| 172.16.2.8/32    | 1        |
+|                  |          |
++------------------+----------+
+| 192.168.115.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.116.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.117.0/24 | 3        |
+|                  |          |
++------------------+----------+
+| 192.168.118.0/24 | 3        |
+|                  |          |
++------------------+----------+
+
+Endpoint 1 Routing Table:
+
++------------------+----------+
+| **Dst addr**     | **Port** |
+|                  |          |
++------------------+----------+
+| 172.16.1.5/32    | 2        |
+|                  |          |
++------------------+----------+
+| 172.16.1.6/32    | 2        |
+|                  |          |
++------------------+----------+
+| 172.16.1.7/32    | 3        |
+|                  |          |
++------------------+----------+
+| 172.16.1.8/32    | 3        |
+|                  |          |
++------------------+----------+
+| 192.168.105.0/24 | 0        |
+|                  |          |
++------------------+----------+
+| 192.168.106.0/24 | 0        |
+|                  |          |
++------------------+----------+
+| 192.168.107.0/24 | 1        |
+|                  |          |
++------------------+----------+
+| 192.168.108.0/24 | 1        |
+|                  |          |
++------------------+----------+
diff --git a/examples/Makefile b/examples/Makefile
index 1cb4785..65ce6ce 100644
--- a/examples/Makefile
+++ b/examples/Makefile
@@ -1,6 +1,7 @@
 #   BSD LICENSE
 #
 #   Copyright(c) 2014 6WIND S.A.
+#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
 #
 #   Redistribution and use in source and binary forms, with or without
 #   modification, are permitted provided that the following conditions
@@ -78,5 +79,6 @@ DIRS-y += vmdq
 DIRS-y += vmdq_dcb
 DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager
 DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto
+DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw
 
 include $(RTE_SDK)/mk/rte.extsubdir.mk
diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
new file mode 100644
index 0000000..5f893b8
--- /dev/null
+++ b/examples/ipsec-secgw/Makefile
@@ -0,0 +1,58 @@
+#   BSD LICENSE
+#
+#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+#   All rights reserved.
+#
+#   Redistribution and use in source and binary forms, with or without
+#   modification, are permitted provided that the following conditions
+#   are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in
+#       the documentation and/or other materials provided with the
+#       distribution.
+#     * Neither the name of Intel Corporation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+#   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+#   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+#   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+#   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+#   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+#   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+#   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+#   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+#   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ifeq ($(RTE_SDK),)
+	$(error "Please define RTE_SDK environment variable")
+endif
+
+# Default target, can be overridden by command line or environment
+RTE_TARGET ?= x86_64-native-linuxapp-gcc
+
+include $(RTE_SDK)/mk/rte.vars.mk
+
+APP = ipsec-secgw
+
+CFLAGS += -O3 -gdwarf-2
+CFLAGS += $(WERROR_FLAGS)
+
+VPATH += $(SRCDIR)/librte_ipsec
+
+#
+# all source are stored in SRCS-y
+#
+SRCS-y += ipsec.c
+SRCS-y += esp.c
+SRCS-y += sp.c
+SRCS-y += sa.c
+SRCS-y += rt.c
+SRCS-y += ipsec-secgw.c
+
+include $(RTE_SDK)/mk/rte.extapp.mk
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
new file mode 100644
index 0000000..1be0621
--- /dev/null
+++ b/examples/ipsec-secgw/esp.c
@@ -0,0 +1,256 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <netinet/ip.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <rte_memcpy.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_random.h>
+
+#include "ipsec.h"
+#include "esp.h"
+#include "ipip.h"
+
+static inline void
+random_iv_u64(uint64_t *buf, uint16_t n)
+{
+	unsigned left = n & 0x7;
+	unsigned i;
+
+	IPSEC_ASSERT((n & 0x3) == 0);
+
+	for (i = 0; i < (n >> 3); i++)
+		buf[i] = rte_rand();
+
+	if (left)
+		*((uint32_t *)&buf[i]) = (uint32_t)lrand48();
+}
+
+/* IPv4 Tunnel */
+int
+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop)
+{
+	uint16_t digest_len, esp_len, iphdr_len;
+	int32_t payload_len;
+
+	IPSEC_ASSERT(m != NULL);
+
+	iphdr_len = sizeof(struct ip);
+	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
+	digest_len = sa->digest_len;
+	payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len;
+
+	if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
+		IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n",
+				payload_len, sa->block_size);
+		return -EINVAL;
+	}
+
+	cop->data.to_cipher.offset = iphdr_len + esp_len;
+	cop->data.to_cipher.length = payload_len;
+
+	cop->data.to_hash.offset = iphdr_len;
+	if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM)
+		cop->data.to_hash.length = esp_len - sa->iv_len;
+	else
+		cop->data.to_hash.length = esp_len + payload_len;
+
+	cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
+			iphdr_len + esp_len - sa->iv_len);
+	cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			iphdr_len + esp_len - sa->iv_len);
+
+	cop->iv.length = sa->iv_len;
+
+	cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
+			iphdr_len + esp_len + payload_len);
+	cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			iphdr_len + esp_len + payload_len);
+	cop->digest.length = digest_len;
+
+	return 0;
+}
+
+int
+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop)
+{
+	uint16_t digest_len, esp_len, iphdr_len;
+	uint8_t *nexthdr, *pad_len;
+	uint8_t *padding;
+	uint16_t i;
+
+	IPSEC_ASSERT(m != NULL);
+
+	iphdr_len = sizeof(struct ip);
+	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
+	digest_len = sa->digest_len;
+
+	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
+		return -1;
+	}
+
+	nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
+			rte_pktmbuf_pkt_len(m) - digest_len - 1);
+	pad_len = nexthdr - 1;
+
+	padding = pad_len - *pad_len;
+	for (i = 0; i < *pad_len; i++) {
+		if (padding[i] != i) {
+			IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n");
+			return -EINVAL;
+		}
+	}
+
+	if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) {
+		IPSEC_LOG(ERR, IPSEC_ESP,
+				"failed to remove pad_len + digest\n");
+		return -EINVAL;
+	}
+
+	return ip4ip_inbound(m, iphdr_len + esp_len);
+}
+
+int
+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop)
+{
+	uint16_t digest_len, esp_len, payload_len, block_sz, pad_len;
+	int32_t pad_payload_len;
+	struct ip *ip;
+	struct esp_hdr *esp;
+	int i;
+	char *padding;
+
+	rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE);
+	rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *));
+
+	IPSEC_ASSERT(m != NULL);
+	IPSEC_ASSERT(sa != NULL);
+
+	/* Payload length */
+	payload_len = rte_pktmbuf_pkt_len(m);
+
+	block_sz = sa->block_size;
+
+	/* Per RFC4303:
+	 *  padded payload needs to be multiple of 4 bytes.
+	 * All application supported block sizes must be power of 2
+	 */
+	pad_len = (payload_len + 2) & (block_sz - 1);
+	pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2;
+
+	/* Padded payload length */
+	pad_payload_len = payload_len + pad_len;
+	/* ESP header length */
+	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
+	/* Digest length */
+	digest_len = sa->digest_len;
+
+	IPSEC_LOG(DEBUG, IPSEC_ESP,
+			"pktlen %u, esp_len %u, digest_len %u, payload_len %u,"
+			" pad_payload_len %u, block_sz %u, pad_len %u\n",
+			rte_pktmbuf_pkt_len(m), esp_len, digest_len,
+			payload_len, pad_payload_len, block_sz,	pad_len);
+
+	/* Check maximum packet size */
+	if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) {
+		IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n");
+		return -EINVAL;
+	}
+
+	padding = rte_pktmbuf_append(m, pad_len + digest_len);
+
+	IPSEC_ASSERT(padding != NULL);
+
+	ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst);
+
+	esp = (struct esp_hdr *)(ip + 1);
+	esp->spi = sa->spi;
+
+	esp->seq = htonl(sa->seq++);
+
+	IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m));
+
+	/* Fill pad_len using default sequential scheme */
+	for (i = 0; i < pad_len - 2; i++)
+		padding[i] = i + 1;
+
+	padding[pad_len - 2] = pad_len - 2;
+	padding[pad_len - 1] = IPPROTO_IPIP;
+	ip->ip_p = IPPROTO_ESP;
+
+	cop->data.to_cipher.offset = sizeof(struct ip) + esp_len;
+	cop->data.to_cipher.length = pad_payload_len;
+
+	cop->data.to_hash.offset = sizeof(struct ip);
+	cop->data.to_hash.length = esp_len + pad_payload_len;
+
+	cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
+			sizeof(struct ip) + esp_len - sa->iv_len);
+	cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			sizeof(struct ip) + esp_len - sa->iv_len);
+	cop->iv.length = sa->iv_len;
+
+	cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
+			sizeof(struct ip) + esp_len + pad_payload_len);
+	cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			sizeof(struct ip) + esp_len + pad_payload_len);
+	cop->digest.length = digest_len;
+
+	random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length);
+
+	return 0;
+}
+
+int
+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused,
+		struct ipsec_sa *sa __rte_unused,
+		struct rte_crypto_op *cop)
+{
+	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
+		return -1;
+	}
+
+	return 0;
+}
diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h
new file mode 100644
index 0000000..d7c8ba6
--- /dev/null
+++ b/examples/ipsec-secgw/esp.h
@@ -0,0 +1,66 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef __RTE_IPSEC_XFORM_ESP_H__
+#define __RTE_IPSEC_XFORM_ESP_H__
+
+struct mbuf;
+
+/* RFC4303 */
+struct esp_hdr {
+	uint32_t spi;
+	uint32_t seq;
+	/* Payload */
+	/* Padding */
+	/* Pad Length */
+	/* Next Header */
+	/* Integrity Check Value - ICV */
+};
+
+/* IPv4 Tunnel */
+int
+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+#endif /* __RTE_IPSEC_XFORM_ESP_H__ */
diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h
new file mode 100644
index 0000000..16c5dfb
--- /dev/null
+++ b/examples/ipsec-secgw/ipip.h
@@ -0,0 +1,100 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __IPIP_H__
+#define __IPIP_H__
+
+#include <stdint.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_mbuf.h>
+
+static inline  struct ip *
+ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst)
+{
+	struct ip *inip, *outip;
+
+	inip = rte_pktmbuf_mtod(m, struct ip*);
+
+	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+
+	offset += sizeof(struct ip);
+
+	outip = (struct ip *)rte_pktmbuf_prepend(m, offset);
+
+	IPSEC_ASSERT(outip != NULL);
+
+	/* Per RFC4301 5.1.2.1 */
+	outip->ip_len = htons(rte_pktmbuf_data_len(m));
+	outip->ip_v = IPVERSION;
+	outip->ip_hl = 5;
+	outip->ip_tos = inip->ip_tos;
+
+	outip->ip_id = 0;
+	outip->ip_off = 0;
+
+	outip->ip_ttl = IPDEFTTL;
+
+	outip->ip_dst.s_addr = dst;
+	outip->ip_src.s_addr = src;
+
+	return outip;
+}
+
+static inline int
+ip4ip_inbound(struct rte_mbuf *m, uint32_t offset)
+{
+	struct ip *inip;
+	struct ip *outip;
+
+	outip = rte_pktmbuf_mtod(m, struct ip*);
+
+	IPSEC_ASSERT(outip->ip_v == IPVERSION);
+
+	offset += sizeof(struct ip);
+	inip = (struct ip *)rte_pktmbuf_adj(m, offset);
+	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+
+	/* Check packet is still bigger than IP header (inner) */
+	IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip));
+
+	/* RFC4301 5.1.2.1 Note 6 */
+	if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) &&
+			((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE))
+		inip->ip_tos |= htons(IPTOS_ECN_CE);
+
+	return 0;
+}
+
+#endif /* __IPIP_H__ */
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
new file mode 100644
index 0000000..d2e8972
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -0,0 +1,1218 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <inttypes.h>
+#include <sys/types.h>
+#include <string.h>
+#include <sys/queue.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <getopt.h>
+
+#include <rte_common.h>
+#include <rte_byteorder.h>
+#include <rte_log.h>
+#include <rte_eal.h>
+#include <rte_launch.h>
+#include <rte_atomic.h>
+#include <rte_cycles.h>
+#include <rte_prefetch.h>
+#include <rte_lcore.h>
+#include <rte_per_lcore.h>
+#include <rte_branch_prediction.h>
+#include <rte_interrupts.h>
+#include <rte_pci.h>
+#include <rte_random.h>
+#include <rte_debug.h>
+#include <rte_ether.h>
+#include <rte_ethdev.h>
+#include <rte_mempool.h>
+#include <rte_mbuf.h>
+#include <rte_acl.h>
+#include <rte_lpm.h>
+#include <rte_cryptodev.h>
+#include <rte_cryptodev.h>
+
+#include "ipsec.h"
+
+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
+
+#define MAX_JUMBO_PKT_LEN  9600
+
+#define MEMPOOL_CACHE_SIZE 256
+
+#define NB_MBUF	(32000)
+
+#define CDEV_MP_NB_OBJS 2048
+#define CDEV_MP_CACHE_SZ 64
+#define MAX_QUEUE_PAIRS 1
+
+#define OPTION_CONFIG		"config"
+#define OPTION_EP0		"ep0"
+#define OPTION_EP1		"ep1"
+#define OPTION_CDEV_TYPE	"cdev"
+
+#define MAX_PKT_BURST 32
+#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */
+
+#define NB_SOCKETS 4
+
+/* Configure how many packets ahead to prefetch, when reading packets */
+#define PREFETCH_OFFSET	3
+
+#define MAX_RX_QUEUE_PER_LCORE 16
+
+#define MAX_LCORE_PARAMS 1024
+
+#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid))
+
+/*
+ * Configurable number of RX/TX ring descriptors
+ */
+#define IPSEC_SECGW_RX_DESC_DEFAULT 128
+#define IPSEC_SECGW_TX_DESC_DEFAULT 512
+static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
+static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
+
+#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((a) & 0xff) << 56) | \
+	((uint64_t)((b) & 0xff) << 48) | \
+	((uint64_t)((c) & 0xff) << 40) | \
+	((uint64_t)((d) & 0xff) << 32) | \
+	((uint64_t)((e) & 0xff) << 24) | \
+	((uint64_t)((f) & 0xff) << 16) | \
+	((uint64_t)((g) & 0xff) << 8)  | \
+	((uint64_t)(h) & 0xff))
+#else
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((h) & 0xff) << 56) | \
+	((uint64_t)((g) & 0xff) << 48) | \
+	((uint64_t)((f) & 0xff) << 40) | \
+	((uint64_t)((e) & 0xff) << 32) | \
+	((uint64_t)((d) & 0xff) << 24) | \
+	((uint64_t)((c) & 0xff) << 16) | \
+	((uint64_t)((b) & 0xff) << 8) | \
+	((uint64_t)(a) & 0xff))
+#endif
+#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
+
+#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
+		addr.addr_bytes[0], addr.addr_bytes[1], \
+		addr.addr_bytes[2], addr.addr_bytes[3], \
+		addr.addr_bytes[4], addr.addr_bytes[5], \
+		0, 0)
+
+/* port/source ethernet addr and destination ethernet addr */
+struct ethaddr_info {
+	uint64_t src, dst;
+};
+
+struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
+};
+
+/* mask of enabled ports */
+static uint32_t enabled_port_mask;
+static uint32_t unprotected_port_mask;
+static int promiscuous_on = 1;
+static int numa_on = 1; /**< NUMA is enabled by default. */
+static int ep = -1; /**< Endpoint configuration (0 or 1) */
+static unsigned cdev_type = -1;
+static unsigned nb_lcores;
+
+struct buffer {
+	uint16_t len;
+	struct rte_mbuf *m_table[MAX_PKT_BURST];
+};
+
+struct lcore_rx_queue {
+	uint8_t port_id;
+	uint8_t queue_id;
+} __rte_cache_aligned;
+
+struct lcore_params {
+	uint8_t port_id;
+	uint8_t queue_id;
+	uint8_t lcore_id;
+} __rte_cache_aligned;
+
+static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
+
+static struct lcore_params *lcore_params;
+static uint16_t nb_lcore_params;
+
+struct lcore_conf {
+	uint16_t nb_rx_queue;
+	struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE];
+	uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
+	struct buffer tx_mbufs[RTE_MAX_ETHPORTS];
+	uint16_t cdev;
+	uint16_t cdev_q;
+} __rte_cache_aligned;
+
+static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
+
+static struct rte_eth_conf port_conf = {
+	.rxmode = {
+		.mq_mode	= ETH_MQ_RX_RSS,
+		.max_rx_pkt_len = ETHER_MAX_LEN,
+		.split_hdr_size = 0,
+		.header_split   = 0, /**< Header Split disabled */
+		.hw_ip_checksum = 1, /**< IP checksum offload enabled */
+		.hw_vlan_filter = 0, /**< VLAN filtering disabled */
+		.jumbo_frame    = 0, /**< Jumbo Frame Support disabled */
+		.hw_strip_crc   = 0, /**< CRC stripped by hardware */
+	},
+	.rx_adv_conf = {
+		.rss_conf = {
+			.rss_key = NULL,
+			.rss_hf = ETH_RSS_IP | ETH_RSS_UDP |
+				ETH_RSS_TCP | ETH_RSS_SCTP,
+		},
+	},
+	.txmode = {
+		.mq_mode = ETH_MQ_TX_NONE,
+	},
+};
+
+static struct socket_ctx socket_ctx[NB_SOCKETS];
+
+struct traffic_type {
+	const uint8_t *data[MAX_PKT_BURST * 2];
+	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
+	uint32_t res[MAX_PKT_BURST * 2];
+	uint32_t num;
+};
+
+struct ipsec_traffic {
+	struct traffic_type ipsec4;
+	struct traffic_type ipv4;
+};
+
+static inline void
+prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
+{
+	uint8_t *nlp;
+
+	if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) {
+		rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
+		nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *,
+				offsetof(struct ip, ip_p));
+		if (*nlp == IPPROTO_ESP)
+			t->ipsec4.pkts[(t->ipsec4.num)++] = pkt;
+		else {
+			t->ipv4.data[t->ipv4.num] = nlp;
+			t->ipv4.pkts[(t->ipv4.num)++] = pkt;
+		}
+	} else {
+		/* Unknown/Unsupported type, drop the packet */
+		rte_pktmbuf_free(pkt);
+	}
+}
+
+static inline void
+prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
+		uint16_t nb_pkts)
+{
+	int i;
+
+	t->ipsec4.num = 0;
+	t->ipv4.num = 0;
+
+	for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
+		rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
+					void *));
+		prepare_one_packet(pkts[i], t);
+	}
+	/* Process left packets */
+	for (; i < nb_pkts; i++)
+		prepare_one_packet(pkts[i], t);
+}
+
+static inline void
+prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
+{
+	pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
+	pkt->l3_len = sizeof(struct ip);
+	pkt->l2_len = ETHER_HDR_LEN;
+
+	uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+	ethhdr[0] = ethaddr_tbl[port].dst |
+		((ethaddr_tbl[port].src & 0xffff) << 48);
+	ethhdr[1] = ethaddr_tbl[port].src >> 16 |
+		((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) |
+		(ethhdr[1] & (0xffffUL << 48));
+#else
+	ethhdr[0] = ethaddr_tbl[port].dst |
+		(ethaddr_tbl[port].src >> 48 & 0xffff);
+	ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) |
+		(ethhdr[1] & 0xffffUL);
+#endif
+}
+
+static inline void
+prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port)
+{
+	int i;
+	const int prefetch_offset = 2;
+
+	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
+		rte_prefetch0(pkts[i + prefetch_offset]->cacheline1);
+		prepare_tx_pkt(pkts[i], port);
+	}
+	/* Process left packets */
+	for (; i < nb_pkts; i++)
+		prepare_tx_pkt(pkts[i], port);
+}
+
+/* Send burst of packets on an output interface */
+static inline int
+send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port)
+{
+	struct rte_mbuf **m_table;
+	int ret;
+	uint16_t queueid;
+
+	queueid = qconf->tx_queue_id[port];
+	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
+
+	prepare_tx_burst(m_table, n, port);
+
+	ret = rte_eth_tx_burst(port, queueid, m_table, n);
+	if (unlikely(ret < n)) {
+		do {
+			rte_pktmbuf_free(m_table[ret]);
+		} while (++ret < n);
+	}
+
+	return 0;
+}
+
+/* Enqueue a single packet, and send burst if queue is filled */
+static inline int
+send_single_packet(struct rte_mbuf *m, uint8_t port)
+{
+	uint32_t lcore_id;
+	uint16_t len;
+	struct lcore_conf *qconf;
+
+	lcore_id = rte_lcore_id();
+
+	qconf = &lcore_conf[lcore_id];
+	len = qconf->tx_mbufs[port].len;
+	qconf->tx_mbufs[port].m_table[len] = m;
+	len++;
+
+	/* enough pkts to be sent */
+	if (unlikely(len == MAX_PKT_BURST)) {
+		send_burst(qconf, MAX_PKT_BURST, port);
+		len = 0;
+	}
+
+	qconf->tx_mbufs[port].len = len;
+	return 0;
+}
+
+static inline void
+process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
+{
+	struct sa_ctx *sa_ctx = ctx->sa_ipv4_in;
+	struct sp_ctx *sp_ctx = ctx->sp_ipv4_in;
+	struct rte_mbuf *m;
+	uint16_t idx, nb_pkts_in, i, j;
+	uint32_t sa_idx, res;
+	struct ipsec_ctx ipsec_ctx;
+	struct lcore_conf *qconf;
+
+	qconf = &lcore_conf[rte_lcore_id()];
+	ipsec_ctx.cdev = qconf->cdev;
+	ipsec_ctx.queue = qconf->cdev_q;
+	ipsec_ctx.sa_ctx = sa_ctx;
+
+	nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts,
+			traffic->ipsec4.num, MAX_PKT_BURST);
+
+	/* SP/ACL Inbound check ipsec and ipv4 */
+	for (i = 0; i < nb_pkts_in; i++) {
+		idx = traffic->ipv4.num++;
+		m = traffic->ipsec4.pkts[i];
+		traffic->ipv4.pkts[idx] = m;
+		traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m,
+				uint8_t *, offsetof(struct ip, ip_p));
+	}
+
+	rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
+			traffic->ipv4.res, traffic->ipv4.num,
+			DEFAULT_MAX_CATEGORIES);
+
+	j = 0;
+	for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) {
+		m = traffic->ipv4.pkts[i];
+		res = traffic->ipv4.res[i];
+		if (res & ~BYPASS) {
+			rte_pktmbuf_free(m);
+			continue;
+		}
+		traffic->ipv4.pkts[j++] = m;
+	}
+	/* Check return SA SPI matches pkt SPI */
+	for ( ; i < traffic->ipv4.num; i++) {
+		m = traffic->ipv4.pkts[i];
+		sa_idx = traffic->ipv4.res[i] & PROTECT_MASK;
+		if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) {
+			rte_pktmbuf_free(m);
+			continue;
+		}
+		traffic->ipv4.pkts[j++] = m;
+	}
+	traffic->ipv4.num = j;
+}
+
+static inline void
+process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
+{
+	struct sa_ctx *sa_ctx = ctx->sa_ipv4_out;
+	struct sp_ctx *sp_ctx = ctx->sp_ipv4_out;
+	struct rte_mbuf *m;
+	uint16_t idx, nb_pkts_out, i, j;
+	uint32_t sa_idx, res;
+	struct ipsec_ctx ipsec_ctx;
+	struct lcore_conf *qconf;
+
+	qconf = &lcore_conf[rte_lcore_id()];
+	ipsec_ctx.cdev = qconf->cdev;
+	ipsec_ctx.queue = qconf->cdev_q;
+	ipsec_ctx.sa_ctx = sa_ctx;
+
+	rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
+			traffic->ipv4.res, traffic->ipv4.num,
+			DEFAULT_MAX_CATEGORIES);
+	j = 0;
+	for (i = 0; i < traffic->ipv4.num; i++) {
+		m = traffic->ipv4.pkts[i];
+		res = traffic->ipv4.res[i];
+		sa_idx = res & PROTECT_MASK;
+		if (res & DISCARD) {
+			rte_pktmbuf_free(m);
+		} else if (sa_idx != 0) {
+			traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx;
+			traffic->ipsec4.pkts[traffic->ipsec4.num++] = m;
+		} else /* BYPASS */
+			traffic->ipv4.pkts[j++] = m;
+	}
+	traffic->ipv4.num = j;
+
+	nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts,
+			traffic->ipsec4.res, traffic->ipsec4.num,
+			MAX_PKT_BURST);
+
+	for (i = 0; i < nb_pkts_out; i++) {
+		idx = traffic->ipv4.num++;
+		m = traffic->ipsec4.pkts[i];
+		traffic->ipv4.pkts[idx] = m;
+	}
+}
+
+static inline void
+route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
+{
+	uint16_t hop[MAX_PKT_BURST * 2];
+	uint32_t dst_ip[MAX_PKT_BURST * 2];
+	uint16_t i, offset;
+
+	if (nb_pkts == 0)
+		return;
+
+	for (i = 0; i < nb_pkts; i++) {
+		offset = offsetof(struct ip, ip_dst);
+		dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i],
+				uint32_t *, offset);
+		dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]);
+	}
+
+	rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts);
+
+	for (i = 0; i < nb_pkts; i++) {
+		if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) {
+			rte_pktmbuf_free(pkts[i]);
+			continue;
+		}
+		send_single_packet(pkts[i], hop[i] & 0xff);
+	}
+}
+
+static inline void
+process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts,
+		uint8_t nb_pkts, uint8_t portid)
+{
+	struct ipsec_traffic traffic;
+
+	prepare_traffic(pkts, &traffic, nb_pkts);
+
+	if (UNPROTECTED_PORT(portid))
+		process_pkts_inbound(ctx, &traffic);
+	else
+		process_pkts_outbound(ctx, &traffic);
+
+	route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num);
+}
+
+static inline void
+drain_buffers(struct lcore_conf *qconf)
+{
+	struct buffer *buf;
+	unsigned portid;
+
+	for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) {
+		buf = &qconf->tx_mbufs[portid];
+		if (buf->len == 0)
+			continue;
+		send_burst(qconf, buf->len, portid);
+		buf->len = 0;
+	}
+}
+
+/* main processing loop */
+static int
+main_loop(__attribute__((unused)) void *dummy)
+{
+	struct rte_mbuf *pkts[MAX_PKT_BURST];
+	unsigned lcore_id;
+	uint64_t prev_tsc, diff_tsc, cur_tsc;
+	int i, nb_rx;
+	uint8_t portid, queueid;
+	struct lcore_conf *qconf;
+	int socket_id;
+	const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1)
+			/ US_PER_S * BURST_TX_DRAIN_US;
+	struct socket_ctx *ctx;
+	struct lcore_rx_queue *rxql;
+
+	prev_tsc = 0;
+	lcore_id = rte_lcore_id();
+	qconf = &lcore_conf[lcore_id];
+	rxql = qconf->rx_queue_list;
+	socket_id = rte_lcore_to_socket_id(lcore_id);
+
+	ctx = &socket_ctx[socket_id];
+
+	if (qconf->nb_rx_queue == 0) {
+		RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id);
+		return 0;
+	}
+
+	RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id);
+
+	for (i = 0; i < qconf->nb_rx_queue; i++) {
+		portid = rxql[i].port_id;
+		queueid = rxql[i].queue_id;
+		RTE_LOG(INFO, IPSEC,
+			" -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n",
+			lcore_id, portid, queueid);
+	}
+
+	while (1) {
+		cur_tsc = rte_rdtsc();
+
+		/* TX queue buffer drain */
+		diff_tsc = cur_tsc - prev_tsc;
+
+		if (unlikely(diff_tsc > drain_tsc)) {
+			drain_buffers(qconf);
+			prev_tsc = cur_tsc;
+		}
+
+		/* Read packet from RX queues */
+		for (i = 0; i < qconf->nb_rx_queue; ++i) {
+			portid = rxql[i].port_id;
+			queueid = rxql[i].queue_id;
+			nb_rx = rte_eth_rx_burst(portid, queueid,
+					pkts, MAX_PKT_BURST);
+
+			if (nb_rx > 0)
+				process_pkts(ctx, pkts, nb_rx, portid);
+		}
+	}
+}
+
+static int
+check_params(void)
+{
+	uint8_t lcore, portid, nb_ports;
+	uint16_t i;
+	int socket_id;
+
+	if (lcore_params == NULL) {
+		printf("Error: No port/queue/core mappings\n");
+		return -1;
+	}
+
+	nb_ports = rte_eth_dev_count();
+	if (nb_ports > RTE_MAX_ETHPORTS)
+		nb_ports = RTE_MAX_ETHPORTS;
+
+	for (i = 0; i < nb_lcore_params; ++i) {
+		lcore = lcore_params[i].lcore_id;
+		if (!rte_lcore_is_enabled(lcore)) {
+			printf("error: lcore %hhu is not enabled in "
+				"lcore mask\n", lcore);
+			return -1;
+		}
+		socket_id = rte_lcore_to_socket_id(lcore);
+		if (socket_id != 0 && numa_on == 0) {
+			printf("warning: lcore %hhu is on socket %d "
+				"with numa off\n",
+				lcore, socket_id);
+		}
+		portid = lcore_params[i].port_id;
+		if ((enabled_port_mask & (1 << portid)) == 0) {
+			printf("port %u is not enabled in port mask\n", portid);
+			return -1;
+		}
+		if (portid >= nb_ports) {
+			printf("port %u is not present on the board\n", portid);
+			return -1;
+		}
+	}
+	return 0;
+}
+
+static uint8_t
+get_port_nb_rx_queues(const uint8_t port)
+{
+	int queue = -1;
+	uint16_t i;
+
+	for (i = 0; i < nb_lcore_params; ++i) {
+		if (lcore_params[i].port_id == port &&
+				lcore_params[i].queue_id > queue)
+			queue = lcore_params[i].queue_id;
+	}
+	return (uint8_t)(++queue);
+}
+
+static int
+init_lcore_rx_queues(void)
+{
+	uint16_t i, nb_rx_queue;
+	uint8_t lcore;
+
+	for (i = 0; i < nb_lcore_params; ++i) {
+		lcore = lcore_params[i].lcore_id;
+		nb_rx_queue = lcore_conf[lcore].nb_rx_queue;
+		if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) {
+			printf("error: too many queues (%u) for lcore: %u\n",
+					nb_rx_queue + 1, lcore);
+			return -1;
+		}
+		lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id =
+			lcore_params[i].port_id;
+		lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id =
+			lcore_params[i].queue_id;
+		lcore_conf[lcore].nb_rx_queue++;
+	}
+	return 0;
+}
+
+/* display usage */
+static void
+print_usage(const char *prgname)
+{
+	printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK"
+		"  --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]"
+		" --EP0|--EP1 --cdev AESNI|QAT\n"
+		"  -p PORTMASK: hexadecimal bitmask of ports to configure\n"
+		"  -P : enable promiscuous mode\n"
+		"  -u PORTMASK: hexadecimal bitmask of unprotected ports\n"
+		"  --"OPTION_CONFIG": (port,queue,lcore): "
+		"rx queues configuration\n"
+		"  --cdev AESNI | QAT\n"
+		"  --EP0: Configure as Endpoint 0\n"
+		"  --EP1: Configure as Endpoint 1\n", prgname);
+}
+
+static int
+parse_portmask(const char *portmask)
+{
+	char *end = NULL;
+	unsigned long pm;
+
+	/* parse hexadecimal string */
+	pm = strtoul(portmask, &end, 16);
+	if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0'))
+		return -1;
+
+	if (pm == 0)
+		return -1;
+
+	return pm;
+}
+
+static int
+parse_config(const char *q_arg)
+{
+	char s[256];
+	const char *p, *p0 = q_arg;
+	char *end;
+	enum fieldnames {
+		FLD_PORT = 0,
+		FLD_QUEUE,
+		FLD_LCORE,
+		_NUM_FLD
+	};
+	unsigned long int_fld[_NUM_FLD];
+	char *str_fld[_NUM_FLD];
+	int i;
+	unsigned size;
+
+	nb_lcore_params = 0;
+
+	while ((p = strchr(p0, '(')) != NULL) {
+		++p;
+		p0 = strchr(p, ')');
+		if (p0 == NULL)
+			return -1;
+
+		size = p0 - p;
+		if (size >= sizeof(s))
+			return -1;
+
+		snprintf(s, sizeof(s), "%.*s", size, p);
+		if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') !=
+				_NUM_FLD)
+			return -1;
+		for (i = 0; i < _NUM_FLD; i++) {
+			errno = 0;
+			int_fld[i] = strtoul(str_fld[i], &end, 0);
+			if (errno != 0 || end == str_fld[i] || int_fld[i] > 255)
+				return -1;
+		}
+		if (nb_lcore_params >= MAX_LCORE_PARAMS) {
+			printf("exceeded max number of lcore params: %hu\n",
+				nb_lcore_params);
+			return -1;
+		}
+		lcore_params_array[nb_lcore_params].port_id =
+			(uint8_t)int_fld[FLD_PORT];
+		lcore_params_array[nb_lcore_params].queue_id =
+			(uint8_t)int_fld[FLD_QUEUE];
+		lcore_params_array[nb_lcore_params].lcore_id =
+			(uint8_t)int_fld[FLD_LCORE];
+		++nb_lcore_params;
+	}
+	lcore_params = lcore_params_array;
+	return 0;
+}
+
+#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt)))
+static int
+parse_args_long_options(struct option *lgopts, int option_index)
+{
+	int ret = -1;
+	const char *optname = lgopts[option_index].name;
+
+	if (__STRNCMP(optname, OPTION_CONFIG)) {
+		ret = parse_config(optarg);
+		if (ret)
+			printf("invalid config\n");
+	}
+
+	if (__STRNCMP(optname, OPTION_EP0)) {
+		printf("endpoint 0\n");
+		ep = 0;
+		ret = 0;
+	}
+
+	if (__STRNCMP(optname, OPTION_EP1)) {
+		printf("endpoint 1\n");
+		ep = 1;
+		ret = 0;
+	}
+
+	if (__STRNCMP(optname, OPTION_CDEV_TYPE)) {
+		if (__STRNCMP(optarg, "AESNI")) {
+			cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD;
+			ret = 0;
+		} else if (__STRNCMP(optarg, "QAT")) {
+			cdev_type = RTE_CRYPTODEV_QAT_PMD;
+			ret = 0;
+		}
+	}
+
+	return ret;
+}
+#undef __STRNCMP
+
+static int
+parse_args(int argc, char **argv)
+{
+	int opt, ret;
+	char **argvopt;
+	int option_index;
+	char *prgname = argv[0];
+	static struct option lgopts[] = {
+		{OPTION_CONFIG, 1, 0, 0},
+		{OPTION_EP0, 0, 0, 0},
+		{OPTION_EP1, 0, 0, 0},
+		{OPTION_CDEV_TYPE, 1, 0, 0},
+		{NULL, 0, 0, 0}
+	};
+
+	argvopt = argv;
+
+	while ((opt = getopt_long(argc, argvopt, "p:Pu:",
+				lgopts, &option_index)) != EOF) {
+
+		switch (opt) {
+		case 'p':
+			enabled_port_mask = parse_portmask(optarg);
+			if (enabled_port_mask == 0) {
+				printf("invalid portmask\n");
+				print_usage(prgname);
+				return -1;
+			}
+			break;
+		case 'P':
+			printf("Promiscuous mode selected\n");
+			promiscuous_on = 1;
+			break;
+		case 'u':
+			unprotected_port_mask = parse_portmask(optarg);
+			if (unprotected_port_mask == 0) {
+				printf("invalid unprotected portmask\n");
+				print_usage(prgname);
+				return -1;
+			}
+			break;
+		case 0:
+			if (parse_args_long_options(lgopts, option_index)) {
+				print_usage(prgname);
+				return -1;
+			}
+			break;
+		default:
+			print_usage(prgname);
+			return -1;
+		}
+	}
+
+	if (optind >= 0)
+		argv[optind-1] = prgname;
+
+	ret = optind-1;
+	optind = 0; /* reset getopt lib */
+	return ret;
+}
+
+static void
+print_ethaddr(const char *name, const struct ether_addr *eth_addr)
+{
+	char buf[ETHER_ADDR_FMT_SIZE];
+	ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
+	printf("%s%s", name, buf);
+}
+
+/* Check the link status of all ports in up to 9s, and print them finally */
+static void
+check_all_ports_link_status(uint8_t port_num, uint32_t port_mask)
+{
+#define CHECK_INTERVAL 100 /* 100ms */
+#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */
+	uint8_t portid, count, all_ports_up, print_flag = 0;
+	struct rte_eth_link link;
+
+	printf("\nChecking link status");
+	fflush(stdout);
+	for (count = 0; count <= MAX_CHECK_TIME; count++) {
+		all_ports_up = 1;
+		for (portid = 0; portid < port_num; portid++) {
+			if ((port_mask & (1 << portid)) == 0)
+				continue;
+			memset(&link, 0, sizeof(link));
+			rte_eth_link_get_nowait(portid, &link);
+			/* print link status if flag set */
+			if (print_flag == 1) {
+				if (link.link_status)
+					printf("Port %d Link Up - speed %u "
+						"Mbps - %s\n", (uint8_t)portid,
+						(unsigned)link.link_speed,
+				(link.link_duplex == ETH_LINK_FULL_DUPLEX) ?
+					("full-duplex") : ("half-duplex\n"));
+				else
+					printf("Port %d Link Down\n",
+						(uint8_t)portid);
+				continue;
+			}
+			/* clear all_ports_up flag if any link down */
+			if (link.link_status == 0) {
+				all_ports_up = 0;
+				break;
+			}
+		}
+		/* after finally printing all link status, get out */
+		if (print_flag == 1)
+			break;
+
+		if (all_ports_up == 0) {
+			printf(".");
+			fflush(stdout);
+			rte_delay_ms(CHECK_INTERVAL);
+		}
+
+		/* set the print_flag if all ports up or timeout */
+		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) {
+			print_flag = 1;
+			printf("done\n");
+		}
+	}
+}
+
+static uint16_t
+find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id)
+{
+	uint16_t cdev_id, cnt;
+	struct rte_cryptodev_info info;
+
+	cnt = rte_cryptodev_count();
+	for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) {
+		rte_cryptodev_info_get(cdev_id, &info);
+		if (info.dev_type == cdev_type)
+			return cdev_id;
+	}
+
+	return -1;
+}
+
+static uint16_t
+find_cdev_socket(int socket_id, unsigned cdev_type)
+{
+	uint16_t cdev_id, cnt;
+	struct rte_cryptodev_info info;
+	int cdev_socket;
+
+	cnt = rte_cryptodev_count();
+	for (cdev_id = 0; cdev_id < cnt; cdev_id++) {
+		rte_cryptodev_info_get(cdev_id, &info);
+		cdev_socket = rte_cryptodev_socket_id(cdev_id);
+		if ((info.dev_type == cdev_type) && (cdev_socket == socket_id))
+			return cdev_id;
+	}
+
+	return -1;
+}
+
+static int
+cryptodevs_init(void)
+{
+	struct rte_cryptodev_config dev_conf;
+	struct rte_cryptodev_qp_conf qp_conf;
+	struct lcore_conf *qconf;
+	uint16_t cnt, lcore_id, cdev_id;
+	int ret, i, socket_id;
+
+	if (cdev_type == RTE_CRYPTODEV_QAT_PMD) {
+		cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD);
+		printf("Found %u QAT devices\n", cnt);
+		if (cnt < nb_lcores)
+			rte_panic("Not enough QAT devices detected, "
+					"need %u (1 per core), found %d\n",
+					nb_lcores, cnt);
+	} else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
+		printf("Initializing %u AESNI vdevs\n", rte_lcore_count());
+		for (i = 0; i < (int)rte_lcore_count(); i++) {
+			ret = rte_eal_vdev_init(
+					CRYPTODEV_NAME_AESNI_MB_PMD,
+					NULL);
+			if (ret < 0)
+				rte_panic("Failed to create AESNI-MB vdev\n");
+		}
+	} else
+		rte_panic("Need to set cryptodev type option --cdev\n");
+
+	cdev_id = 0;
+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+		if (rte_lcore_is_enabled(lcore_id) == 0)
+			continue;
+
+		socket_id = rte_lcore_to_socket_id(lcore_id);
+		cdev_id = find_next_cdev(cdev_type, cdev_id);
+		qconf = &lcore_conf[lcore_id];
+		qconf->cdev = cdev_id;
+		qconf->cdev_q = 0;
+		if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
+			dev_conf.socket_id = socket_id;
+			printf("Initializing AESNI-MB device %u socket %u\n",
+					cdev_id, socket_id);
+		} else {
+			dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
+			printf("Initialising QAT device %u\n", cdev_id);
+		}
+
+		dev_conf.nb_queue_pairs = 1;
+		dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS;
+		dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ;
+
+		if (rte_cryptodev_configure(cdev_id, &dev_conf))
+			rte_panic("Failed to initialize crypodev %u\n",
+					cdev_id);
+
+		qp_conf.nb_descriptors = CDEV_MP_NB_OBJS;
+		if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf,
+					dev_conf.socket_id))
+			rte_panic("Failed to setup queue %u for cdev_id %u\n",
+					0, cdev_id);
+		cdev_id++;
+	}
+
+	return 0;
+}
+
+static void
+port_init(uint8_t portid)
+{
+	struct rte_eth_dev_info dev_info;
+	struct rte_eth_txconf *txconf;
+	uint16_t nb_tx_queue, nb_rx_queue;
+	uint16_t tx_queueid, rx_queueid, queue, lcore_id;
+	int ret, socket_id;
+	struct lcore_conf *qconf;
+	struct ether_addr ethaddr;
+
+	rte_eth_dev_info_get(portid, &dev_info);
+
+	printf("Configuring device port %u:\n", portid);
+
+	rte_eth_macaddr_get(portid, &ethaddr);
+	ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
+	print_ethaddr("Address: ", &ethaddr);
+	printf("\n");
+
+	nb_rx_queue = get_port_nb_rx_queues(portid);
+	nb_tx_queue = nb_lcores;
+
+	if (nb_rx_queue > dev_info.max_rx_queues)
+		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
+				"(max rx queue is %u)\n",
+				nb_rx_queue, dev_info.max_rx_queues);
+
+	if (nb_tx_queue > dev_info.max_tx_queues)
+		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
+				"(max tx queue is %u)\n",
+				nb_tx_queue, dev_info.max_tx_queues);
+
+	printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n",
+			nb_rx_queue, nb_tx_queue);
+
+	ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue,
+			&port_conf);
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "Cannot configure device: "
+				"err=%d, port=%d\n", ret, portid);
+
+	/* init one TX queue per lcore */
+	tx_queueid = 0;
+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+		if (rte_lcore_is_enabled(lcore_id) == 0)
+			continue;
+
+		if (numa_on)
+			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
+		else
+			socket_id = 0;
+
+		/* init TX queue */
+		printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id);
+
+		txconf = &dev_info.default_txconf;
+		txconf->txq_flags = 0;
+
+		ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd,
+				socket_id, txconf);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: "
+					"err=%d, port=%d\n", ret, portid);
+
+		qconf = &lcore_conf[lcore_id];
+		qconf->tx_queue_id[portid] = tx_queueid;
+		tx_queueid++;
+
+		/* init RX queues */
+		for (queue = 0; queue < qconf->nb_rx_queue; ++queue) {
+			if (portid != qconf->rx_queue_list[queue].port_id)
+				continue;
+
+			rx_queueid = qconf->rx_queue_list[queue].queue_id;
+
+			printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid,
+					socket_id);
+
+			ret = rte_eth_rx_queue_setup(portid, rx_queueid,
+					nb_rxd,	socket_id, NULL,
+					socket_ctx[socket_id].mbuf_pool);
+			if (ret < 0)
+				rte_exit(EXIT_FAILURE,
+					"rte_eth_rx_queue_setup: err=%d, "
+					"port=%d\n", ret, portid);
+		}
+	}
+	printf("\n");
+}
+
+static void
+pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf)
+{
+	char s[64];
+
+	snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id);
+	ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf,
+			MEMPOOL_CACHE_SIZE, ipsec_metadata_size(),
+			RTE_MBUF_DEFAULT_BUF_SIZE,
+			socket_id);
+	if (ctx->mbuf_pool == NULL)
+		rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n",
+				socket_id);
+	else
+		printf("Allocated mbuf pool on socket %d\n", socket_id);
+}
+
+int
+main(int argc, char **argv)
+{
+	int ret;
+	unsigned lcore_id, nb_ports;
+	uint8_t portid, socket_id;
+
+	/* init EAL */
+	ret = rte_eal_init(argc, argv);
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n");
+	argc -= ret;
+	argv += ret;
+
+	/* parse application arguments (after the EAL ones) */
+	ret = parse_args(argc, argv);
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "Invalid parameters\n");
+
+	if (ep < 0)
+		rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n");
+
+	if ((unprotected_port_mask & enabled_port_mask) !=
+			unprotected_port_mask)
+		rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n",
+				unprotected_port_mask);
+
+	nb_ports = rte_eth_dev_count();
+	if (nb_ports > RTE_MAX_ETHPORTS)
+		nb_ports = RTE_MAX_ETHPORTS;
+
+	if (check_params() < 0)
+		rte_exit(EXIT_FAILURE, "check_params failed\n");
+
+	ret = init_lcore_rx_queues();
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n");
+
+	nb_lcores = rte_lcore_count();
+
+	cryptodevs_init();
+
+	/* Replicate each contex per socket */
+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+		if (rte_lcore_is_enabled(lcore_id) == 0)
+			continue;
+
+		if (numa_on)
+			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
+		else
+			socket_id = 0;
+
+		if (socket_ctx[socket_id].mbuf_pool)
+			continue;
+
+		sa_init(&socket_ctx[socket_id], socket_id, ep,
+				find_cdev_socket(socket_id, cdev_type));
+
+		sp_init(&socket_ctx[socket_id], socket_id, ep);
+
+		rt_init(&socket_ctx[socket_id], socket_id, ep);
+
+		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
+	}
+
+	for (portid = 0; portid < nb_ports; portid++) {
+		if ((enabled_port_mask & (1 << portid)) == 0)
+			continue;
+
+		port_init(portid);
+	}
+
+	/* start ports */
+	for (portid = 0; portid < nb_ports; portid++) {
+		if ((enabled_port_mask & (1 << portid)) == 0)
+			continue;
+
+		/* Start device */
+		ret = rte_eth_dev_start(portid);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
+					"err=%d, port=%d\n", ret, portid);
+		/*
+		 * If enabled, put device in promiscuous mode.
+		 * This allows IO forwarding mode to forward packets
+		 * to itself through 2 cross-connected  ports of the
+		 * target machine.
+		 */
+		if (promiscuous_on)
+			rte_eth_promiscuous_enable(portid);
+	}
+
+	check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask);
+
+	/* launch per-lcore init on every lcore */
+	rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER);
+	RTE_LCORE_FOREACH_SLAVE(lcore_id) {
+		if (rte_eal_wait_lcore(lcore_id) < 0)
+			return -1;
+	}
+
+	return 0;
+}
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
new file mode 100644
index 0000000..83e3326
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec.c
@@ -0,0 +1,138 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_branch_prediction.h>
+#include <rte_log.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_mbuf.h>
+
+#include "ipsec.h"
+
+static inline uint16_t
+ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[],
+		struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts)
+{
+	int ret, i, j;
+	struct ipsec_mbuf_metadata *priv;
+	struct rte_mbuf_offload *ol;
+	struct ipsec_sa *sa;
+
+	j = 0;
+	for (i = 0; i < nb_pkts; i++) {
+		rte_prefetch0(sas[i]);
+		rte_prefetch0(pkts[i]);
+
+		priv = get_priv(pkts[i]);
+		ol = &priv->ol;
+		sa = sas[i];
+		priv->sa = sa;
+
+		IPSEC_ASSERT(sa != NULL);
+
+		__rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO);
+
+		rte_crypto_op_attach_session(&ol->op.crypto,
+				sa->crypto_session);
+
+		pkts[i]->offload_ops = ol;
+
+		ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto);
+		if (unlikely(ret))
+			rte_pktmbuf_free(pkts[i]);
+		else
+			pkts[j++] = pkts[i];
+	}
+	nb_pkts = j;
+
+	ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts);
+	if (ret < nb_pkts) {
+		IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
+				" enqueued %u packets (out of %u)\n",
+				 cdev_id, qp_id, ret, nb_pkts);
+		for (i = ret; i < nb_pkts; i++)
+			rte_pktmbuf_free(pkts[i]);
+	}
+
+	nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts);
+	if ((nb_pkts != 0) && (nb_pkts < max_pkts))
+		IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
+				" dequeued %u packets (out of %u)\n",
+				 cdev_id, qp_id, nb_pkts, max_pkts);
+
+	j = 0;
+	for (i = 0; i < nb_pkts; i++) {
+		rte_prefetch0(pkts[i]);
+
+		priv = get_priv(pkts[i]);
+		ol = &priv->ol;
+		sa = priv->sa;
+		rte_prefetch0(sa);
+
+		IPSEC_ASSERT(sa != NULL);
+
+		ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto);
+		if (unlikely(ret))
+			rte_pktmbuf_free(pkts[i]);
+		else
+			pkts[j++] = pkts[i];
+	}
+
+	/* return packets */
+	return j;
+}
+
+uint16_t
+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint16_t nb_pkts, uint16_t len)
+{
+	struct ipsec_sa *sas[nb_pkts];
+
+	inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts);
+
+	return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
+}
+
+uint16_t
+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len)
+{
+	struct ipsec_sa *sas[nb_pkts];
+
+	outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts);
+
+	return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
+}
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
new file mode 100644
index 0000000..abf9d5f
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec.h
@@ -0,0 +1,184 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __IPSEC_H__
+#define __IPSEC_H__
+
+#include <stdint.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_mbuf_offload.h>
+#include <rte_byteorder.h>
+#include <rte_ip.h>
+
+#define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
+#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
+#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3
+
+#ifdef IPSEC_DEBUG
+#define IPSEC_ASSERT(exp)                                            \
+if (!(exp)) {                                                        \
+	rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \
+}
+
+#define IPSEC_LOG RTE_LOG
+#else
+#define IPSEC_ASSERT(exp) do {} while (0)
+#define IPSEC_LOG(...) do {} while (0)
+#endif /* IPSEC_DEBUG */
+
+#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
+
+#define uint32_t_to_char(ip, a, b, c, d) do {\
+		*a = (unsigned char)(ip >> 24 & 0xff);\
+		*b = (unsigned char)(ip >> 16 & 0xff);\
+		*c = (unsigned char)(ip >> 8 & 0xff);\
+		*d = (unsigned char)(ip & 0xff);\
+	} while (0)
+
+#define DEFAULT_MAX_CATEGORIES	1
+
+#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */
+#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
+#define INVALID_SPI (0)
+
+#define DISCARD (0x80000000)
+#define BYPASS (0x40000000)
+#define PROTECT_MASK (0x3fffffff)
+#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */
+
+#define IPSEC_XFORM_MAX 2
+
+struct rte_crypto_xform;
+struct ipsec_xform;
+struct rte_cryptodev_session;
+struct rte_mbuf;
+
+struct replay {
+	uint32_t seq_h;
+};
+
+struct lifetime {
+	uint64_t bytes;
+	uint64_t seconds;
+};
+
+struct ipsec_sa;
+
+typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+struct ipsec_sa {
+	uint32_t spi;
+	uint32_t seq;
+	uint32_t src;
+	uint32_t dst;
+	struct rte_cryptodev_session *crypto_session;
+	struct rte_crypto_xform *xforms;
+	enum rte_crypto_cipher_algorithm cipher_algo;
+	enum rte_crypto_auth_algorithm auth_algo;
+	uint16_t digest_len;
+	uint16_t iv_len;
+	uint16_t block_size;
+	ipsec_xform_fn pre_crypto;
+	ipsec_xform_fn post_crypto;
+	uint32_t flags;
+	/* does not apply if no automated SA management (IKE) support */
+	struct lifetime current;
+	struct lifetime soft;
+	struct lifetime hard;
+	struct replay replay;
+} __rte_cache_aligned;
+
+struct ipsec_mbuf_metadata {
+	struct ipsec_sa *sa;
+	struct rte_mbuf_offload ol;
+};
+
+struct ipsec_ctx {
+	uint16_t cdev;
+	uint16_t queue;
+	struct sa_ctx *sa_ctx;
+};
+
+struct socket_ctx {
+	struct sa_ctx *sa_ipv4_in;
+	struct sa_ctx *sa_ipv4_out;
+	struct sp_ctx *sp_ipv4_in;
+	struct sp_ctx *sp_ipv4_out;
+	struct rt_ctx *rt_ipv4;
+	struct rte_mempool *mbuf_pool;
+};
+
+uint16_t
+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint16_t nb_pkts, uint16_t len);
+
+uint16_t
+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
+
+static inline uint16_t
+ipsec_metadata_size(void)
+{
+	return sizeof(struct ipsec_mbuf_metadata);
+}
+
+static inline struct ipsec_mbuf_metadata *
+get_priv(struct rte_mbuf *m)
+{
+	return RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
+}
+
+int
+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
+
+void
+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts);
+
+void
+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts);
+
+void
+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+void
+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id);
+
+void
+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+#endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c
new file mode 100644
index 0000000..82064b2
--- /dev/null
+++ b/examples/ipsec-secgw/rt.c
@@ -0,0 +1,131 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Routing Table (RT)
+ */
+#include <rte_lpm.h>
+#include <rte_errno.h>
+
+#include "ipsec.h"
+
+#define RT_IPV4_MAX_RULES         64
+
+struct ipv4_route {
+	uint32_t ip;
+	uint8_t  depth;
+	uint8_t  if_out;
+};
+
+/* In the default routing table we have:
+ * ep0 protected ports 0 and 1, and unprotected ports 2 and 3.
+ */
+static struct ipv4_route rt_ipv4_ep0[] = {
+	{ IPv4(172, 16, 2, 5), 32, 0 },
+	{ IPv4(172, 16, 2, 6), 32, 0 },
+	{ IPv4(172, 16, 2, 7), 32, 1 },
+	{ IPv4(172, 16, 2, 8), 32, 1 },
+
+	{ IPv4(192, 168, 115, 0), 24, 2 },
+	{ IPv4(192, 168, 116, 0), 24, 2 },
+	{ IPv4(192, 168, 117, 0), 24, 3 },
+	{ IPv4(192, 168, 118, 0), 24, 3 }
+};
+
+/* In the default routing table we have:
+ * ep1 protected ports 0 and 1, and unprotected ports 2 and 3.
+ */
+static struct ipv4_route rt_ipv4_ep1[] = {
+	{ IPv4(172, 16, 1, 5), 32, 2 },
+	{ IPv4(172, 16, 1, 6), 32, 2 },
+	{ IPv4(172, 16, 1, 7), 32, 3 },
+	{ IPv4(172, 16, 1, 8), 32, 3 },
+
+	{ IPv4(192, 168, 105, 0), 24, 0 },
+	{ IPv4(192, 168, 106, 0), 24, 0 },
+	{ IPv4(192, 168, 107, 0), 24, 1 },
+	{ IPv4(192, 168, 108, 0), 24, 1 }
+};
+
+void
+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+	char name[PATH_MAX];
+	unsigned i;
+	int ret;
+	struct rte_lpm *lpm;
+	struct ipv4_route *rt;
+	char a, b, c, d;
+	unsigned nb_routes;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->rt_ipv4 != NULL)
+		rte_exit(EXIT_FAILURE, "Routing Table for socket %u already "
+			"initialized\n", socket_id);
+
+	printf("Creating Routing Table (RT) context with %u max routes\n",
+			RT_IPV4_MAX_RULES);
+
+	if (ep == 0) {
+		rt = rt_ipv4_ep0;
+		nb_routes = RTE_DIM(rt_ipv4_ep0);
+	} else if (ep == 1) {
+		rt = rt_ipv4_ep1;
+		nb_routes = RTE_DIM(rt_ipv4_ep1);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 "
+			"supported.\n", ep);
+
+	/* create the LPM table */
+	snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id);
+	lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0);
+	if (lpm == NULL)
+		rte_exit(EXIT_FAILURE, "Unable to create LPM table "
+			"on socket %d\n", socket_id);
+
+	/* populate the LPM table */
+	for (i = 0; i < nb_routes; i++) {
+		ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "Unable to add entry num %u to "
+				"LPM table on socket %d\n", i, socket_id);
+
+		uint32_t_to_char(rt[i].ip, &a, &b, &c, &d);
+		printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n",
+				a, b, c, d, rt[i].depth, rt[i].if_out);
+	}
+
+	ctx->rt_ipv4 = (struct rt_ctx *)lpm;
+}
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
new file mode 100644
index 0000000..5ea7592
--- /dev/null
+++ b/examples/ipsec-secgw/sa.c
@@ -0,0 +1,391 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Associations
+ */
+#include <netinet/ip.h>
+
+#include <rte_memzone.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_byteorder.h>
+#include <rte_errno.h>
+
+#include "ipsec.h"
+#include "esp.h"
+
+/* SAs EP0 Outbound */
+const struct ipsec_sa sa_ep0_out[] = {
+	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
+};
+
+/* SAs EP0 Inbound */
+const struct ipsec_sa sa_ep0_in[] = {
+	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
+};
+
+/* SAs EP1 Outbound */
+const struct ipsec_sa sa_ep1_out[] = {
+	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
+};
+
+/* SAs EP1 Inbound */
+const struct ipsec_sa sa_ep1_in[] = {
+	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
+	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
+		NULL, NULL,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
+};
+
+static uint8_t cipher_key[256] = "sixteenbytes key";
+
+/* AES CBC xform */
+const struct rte_crypto_xform aescbc_enc_xf = {
+	NULL,
+	RTE_CRYPTO_XFORM_CIPHER,
+	.cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
+		.key = { cipher_key, 0, 16 } }
+};
+
+const struct rte_crypto_xform aescbc_dec_xf = {
+	NULL,
+	RTE_CRYPTO_XFORM_CIPHER,
+	.cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
+		.key = { cipher_key, 0, 16 } }
+};
+
+static uint8_t auth_key[256] = "twentybytes hash key";
+
+/* SHA1 HMAC xform */
+const struct rte_crypto_xform sha1hmac_gen_xf = {
+	NULL,
+	RTE_CRYPTO_XFORM_AUTH,
+	.auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		.key = { auth_key, 0, 20 }, 12, 0 }
+};
+
+const struct rte_crypto_xform sha1hmac_verify_xf = {
+	NULL,
+	RTE_CRYPTO_XFORM_AUTH,
+	.auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		.key = { auth_key, 0, 20 }, 12, 0 }
+};
+
+struct sa_ctx {
+	struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES];
+	struct {
+		struct rte_crypto_xform a;
+		struct rte_crypto_xform b;
+	} xf[IPSEC_SA_MAX_ENTRIES];
+};
+
+static struct sa_ctx *
+sa_ipv4_create(const char *name, int socket_id)
+{
+	char s[PATH_MAX];
+	struct sa_ctx *sa_ctx;
+	unsigned mz_size;
+	const struct rte_memzone *mz;
+
+	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
+
+	/* Create SA array table */
+	printf("Creating SA context with %u maximum entries\n",
+			IPSEC_SA_MAX_ENTRIES);
+
+	mz_size = sizeof(struct sa_ctx);
+	mz = rte_memzone_reserve(s, mz_size, socket_id,
+			RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
+	if (mz == NULL) {
+		printf("Failed to allocate SA DB memory\n");
+		rte_errno = -ENOMEM;
+		return NULL;
+	}
+
+	sa_ctx = (struct sa_ctx *)mz->addr;
+
+	return sa_ctx;
+}
+
+static int
+sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+		unsigned nb_entries, uint16_t cdev_id, unsigned inbound)
+{
+	struct ipsec_sa *sa;
+	unsigned i, idx;
+
+	for (i = 0; i < nb_entries; i++) {
+		idx = SPI2IDX(entries[i].spi);
+		sa = &sa_ctx->sa[idx];
+		if (sa->spi != 0) {
+			printf("Index %u already in use by SPI %u\n",
+					idx, sa->spi);
+			return -EINVAL;
+		}
+		*sa = entries[i];
+		sa->src = rte_cpu_to_be_32(sa->src);
+		sa->dst = rte_cpu_to_be_32(sa->dst);
+		if (inbound) {
+			sa_ctx->xf[idx].a = sha1hmac_verify_xf;
+			sa_ctx->xf[idx].b = aescbc_dec_xf;
+		} else { /* outbound */
+			sa_ctx->xf[idx].a = aescbc_enc_xf;
+			sa_ctx->xf[idx].b = sha1hmac_gen_xf;
+		}
+		sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+		sa_ctx->xf[idx].b.next = NULL;
+		sa->xforms = &sa_ctx->xf[idx].a;
+
+		sa->crypto_session = rte_cryptodev_session_create(cdev_id,
+				sa->xforms);
+	}
+
+	return 0;
+}
+
+static inline int
+sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+		unsigned nb_entries, uint16_t cdev_id)
+{
+	return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0);
+}
+
+static inline int
+sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+		unsigned nb_entries, uint16_t cdev_id)
+{
+	return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1);
+}
+
+void
+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id)
+{
+	const struct ipsec_sa *sa_out_entries, *sa_in_entries;
+	unsigned nb_out_entries, nb_in_entries;
+	const char *name;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->sa_ipv4_in != NULL)
+		rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ctx->sa_ipv4_out != NULL)
+		rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ep == 0) {
+		sa_out_entries = sa_ep0_out;
+		nb_out_entries = RTE_DIM(sa_ep0_out);
+		sa_in_entries = sa_ep0_in;
+		nb_in_entries = RTE_DIM(sa_ep0_in);
+	} else if (ep == 1) {
+		sa_out_entries = sa_ep1_out;
+		nb_out_entries = RTE_DIM(sa_ep1_out);
+		sa_in_entries = sa_ep1_in;
+		nb_in_entries = RTE_DIM(sa_ep1_in);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+				"Only 0 or 1 supported.\n", ep);
+
+	name = "sa_ipv4_in";
+	ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id);
+	if (ctx->sa_ipv4_in == NULL)
+		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
+				"in socket %d\n", rte_errno, name, socket_id);
+
+	name = "sa_ipv4_out";
+	ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id);
+	if (ctx->sa_ipv4_out == NULL)
+		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
+				"in socket %d\n", rte_errno, name, socket_id);
+
+	sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries,
+			nb_in_entries, cdev_id);
+
+	sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries,
+			nb_out_entries, cdev_id);
+}
+
+int
+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx)
+{
+	struct ipsec_mbuf_metadata *priv;
+
+	priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
+
+	return (sa_ctx->sa[sa_idx].spi == priv->sa->spi);
+}
+
+void
+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts)
+{
+	unsigned i;
+	uint32_t *src, spi;
+
+	for (i = 0; i < nb_pkts; i++) {
+		spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *,
+				sizeof(struct ip))->spi;
+		if (spi == INVALID_SPI)
+			continue;
+
+		sa[i] = &sa_ctx->sa[SPI2IDX(spi)];
+		if (spi != sa[i]->spi) {
+			sa[i] = NULL;
+			continue;
+		}
+
+		src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *,
+				offsetof(struct ip, ip_src));
+		if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1)))
+			sa[i] = NULL;
+	}
+}
+
+void
+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts)
+{
+	unsigned i;
+
+	for (i = 0; i < nb_pkts; i++)
+		sa[i] = &sa_ctx->sa[sa_idx[i]];
+}
diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c
new file mode 100644
index 0000000..219e478
--- /dev/null
+++ b/examples/ipsec-secgw/sp.c
@@ -0,0 +1,324 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Policies
+ */
+#include <netinet/ip.h>
+
+#include <rte_acl.h>
+
+#include "ipsec.h"
+
+#define MAX_ACL_RULE_NUM	1000
+
+/*
+ * Rule and trace formats definitions.
+ */
+enum {
+	PROTO_FIELD_IPV4,
+	SRC_FIELD_IPV4,
+	DST_FIELD_IPV4,
+	SRCP_FIELD_IPV4,
+	DSTP_FIELD_IPV4,
+	NUM_FIELDS_IPV4
+};
+
+/*
+ * That effectively defines order of IPV4 classifications:
+ *  - PROTO
+ *  - SRC IP ADDRESS
+ *  - DST IP ADDRESS
+ *  - PORTS (SRC and DST)
+ */
+enum {
+	RTE_ACL_IPV4_PROTO,
+	RTE_ACL_IPV4_SRC,
+	RTE_ACL_IPV4_DST,
+	RTE_ACL_IPV4_PORTS,
+	RTE_ACL_IPV4_NUM
+};
+
+struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
+	{
+	.type = RTE_ACL_FIELD_TYPE_BITMASK,
+	.size = sizeof(uint8_t),
+	.field_index = PROTO_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PROTO,
+	.offset = 0,
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = sizeof(uint32_t),
+	.field_index = SRC_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_SRC,
+	.offset = offsetof(struct ip, ip_src) -	offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = sizeof(uint32_t),
+	.field_index = DST_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_DST,
+	.offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = SRCP_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PORTS,
+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = DSTP_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PORTS,
+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
+		sizeof(uint16_t)
+	},
+};
+
+RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs));
+
+const struct acl4_rules acl4_rules_in[] = {
+	{
+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 105, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 106, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 107, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 108, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+const struct acl4_rules acl4_rules_out[] = {
+	{
+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 115, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 116, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 117, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 118, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+static void
+print_one_ipv4_rule(const struct acl4_rules *rule, int extra)
+{
+	unsigned char a, b, c, d;
+
+	uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
+			&a, &b, &c, &d);
+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+			rule->field[SRC_FIELD_IPV4].mask_range.u32);
+	uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
+			&a, &b, &c, &d);
+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+			rule->field[DST_FIELD_IPV4].mask_range.u32);
+	printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
+		rule->field[SRCP_FIELD_IPV4].value.u16,
+		rule->field[SRCP_FIELD_IPV4].mask_range.u16,
+		rule->field[DSTP_FIELD_IPV4].value.u16,
+		rule->field[DSTP_FIELD_IPV4].mask_range.u16,
+		rule->field[PROTO_FIELD_IPV4].value.u8,
+		rule->field[PROTO_FIELD_IPV4].mask_range.u8);
+	if (extra)
+		printf("0x%x-0x%x-0x%x ",
+			rule->data.category_mask,
+			rule->data.priority,
+			rule->data.userdata);
+}
+
+static inline void
+dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra)
+{
+	int i;
+
+	for (i = 0; i < num; i++, rule++) {
+		printf("\t%d:", i + 1);
+		print_one_ipv4_rule(rule, extra);
+		printf("\n");
+	}
+}
+
+static struct rte_acl_ctx *
+acl4_init(const char *name, int socketid, const struct acl4_rules *rules,
+		unsigned rules_nb)
+{
+	char s[PATH_MAX];
+	struct rte_acl_param acl_param;
+	struct rte_acl_config acl_build_param;
+	struct rte_acl_ctx *ctx;
+
+	printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
+
+	memset(&acl_param, 0, sizeof(acl_param));
+
+	/* Create ACL contexts */
+	snprintf(s, sizeof(s), "%s_%d", name, socketid);
+
+	printf("IPv4 %s entries [%u]:\n", s, rules_nb);
+	dump_ipv4_rules(rules, rules_nb, 1);
+
+	acl_param.name = s;
+	acl_param.socket_id = socketid;
+	acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs));
+	acl_param.max_rule_num = MAX_ACL_RULE_NUM;
+
+	ctx = rte_acl_create(&acl_param);
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
+
+	if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
+				rules_nb) < 0)
+		rte_exit(EXIT_FAILURE, "add rules failed\n");
+
+	/* Perform builds */
+	memset(&acl_build_param, 0, sizeof(acl_build_param));
+
+	acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
+	acl_build_param.num_fields = rules_nb;
+	memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs));
+
+	if (rte_acl_build(ctx, &acl_build_param) != 0)
+		rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
+
+	rte_acl_dump(ctx);
+
+	return ctx;
+}
+
+void
+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+	const char *name;
+	const struct acl4_rules *rules_out, *rules_in;
+	unsigned nb_out_rules, nb_in_rules;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->sp_ipv4_in != NULL)
+		rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ctx->sp_ipv4_out != NULL)
+		rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ep == 0) {
+		rules_out = acl4_rules_in;
+		nb_out_rules = RTE_DIM(acl4_rules_in);
+		rules_in = acl4_rules_out;
+		nb_in_rules = RTE_DIM(acl4_rules_out);
+	} else if (ep == 1) {
+		rules_out = acl4_rules_out;
+		nb_out_rules = RTE_DIM(acl4_rules_out);
+		rules_in = acl4_rules_in;
+		nb_in_rules = RTE_DIM(acl4_rules_in);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+				"Only 0 or 1 supported.\n", ep);
+
+	name = "sp_ipv4_in";
+	ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id,
+			rules_in, nb_in_rules);
+
+	name = "sp_ipv4_out";
+	ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id,
+			rules_out, nb_out_rules);
+}
-- 
2.4.3

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
  2016-01-29 20:29 [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway Sergio Gonzalez Monroy
@ 2016-01-31 14:39 ` Jerin Jacob
  2016-02-01 11:09   ` Sergio Gonzalez Monroy
  2016-02-24 13:32 ` Thomas Monjalon
  2016-03-11  1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy
  2 siblings, 1 reply; 15+ messages in thread
From: Jerin Jacob @ 2016-01-31 14:39 UTC (permalink / raw)
  To: Sergio Gonzalez Monroy; +Cc: dev

On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote:
> Sample app implementing an IPsec Security Geteway.
> The main goal of this app is to show the use of cryptodev framework
> in a real world application.
> 
> Currently only supported static IPv4 IPsec tunnels using AES-CBC
> and HMAC-SHA1.
> 
> Also, currently not supported:
> - SA auto negotiation (No IKE support)
> - chained mbufs
> 
> Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>

Hi Sergio,

Great effort, one of the best highly integrated sample DPDK application
(ethernet, acl, crypto and lpm)

> ---
>  MAINTAINERS                              |    4 +
>  doc/guides/sample_app_ug/index.rst       |    1 +
>  doc/guides/sample_app_ug/ipsec_secgw.rst |  440 +++++++++++
>  examples/Makefile                        |    2 +
>  examples/ipsec-secgw/Makefile            |   58 ++
>  examples/ipsec-secgw/esp.c               |  256 +++++++
>  examples/ipsec-secgw/esp.h               |   66 ++
>  examples/ipsec-secgw/ipip.h              |  100 +++
>  examples/ipsec-secgw/ipsec-secgw.c       | 1218 ++++++++++++++++++++++++++++++
>  examples/ipsec-secgw/ipsec.c             |  138 ++++
>  examples/ipsec-secgw/ipsec.h             |  184 +++++
>  examples/ipsec-secgw/rt.c                |  131 ++++
>  examples/ipsec-secgw/sa.c                |  391 ++++++++++
>  examples/ipsec-secgw/sp.c                |  324 ++++++++
>  14 files changed, 3313 insertions(+)
>  create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst
>  create mode 100644 examples/ipsec-secgw/Makefile
>  create mode 100644 examples/ipsec-secgw/esp.c
>  create mode 100644 examples/ipsec-secgw/esp.h
>  create mode 100644 examples/ipsec-secgw/ipip.h
>  create mode 100644 examples/ipsec-secgw/ipsec-secgw.c
>  create mode 100644 examples/ipsec-secgw/ipsec.c
>  create mode 100644 examples/ipsec-secgw/ipsec.h
>  create mode 100644 examples/ipsec-secgw/rt.c
>  create mode 100644 examples/ipsec-secgw/sa.c
>  create mode 100644 examples/ipsec-secgw/sp.c
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index b90aeea..996eda6 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst
>  M: Pablo de Lara <pablo.de.lara.guarch@intel.com>
>  M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
>  F: examples/ptpclient/
> +
> +M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> +F: doc/guides/sample_app_ug/ipsec-secgw.rst
> +F: examples/ipsec-secgw/
> diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst
> index 8a646dd..88375d2 100644
> --- a/doc/guides/sample_app_ug/index.rst
> +++ b/doc/guides/sample_app_ug/index.rst
> @@ -73,6 +73,7 @@ Sample Applications User Guide
>      proc_info
>      ptpclient
>      performance_thread
> +    ipsec_secgw
>  
>  **Figures**
>  
> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
> new file mode 100644
> index 0000000..7be3f7e
> --- /dev/null
> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> @@ -0,0 +1,440 @@
> +..  BSD LICENSE
> +    Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> +    All rights reserved.
> +
> +    Redistribution and use in source and binary forms, with or without
> +    modification, are permitted provided that the following conditions
> +    are met:
> +
> +    * Redistributions of source code must retain the above copyright
> +    notice, this list of conditions and the following disclaimer.
> +    * Redistributions in binary form must reproduce the above copyright
> +    notice, this list of conditions and the following disclaimer in
> +    the documentation and/or other materials provided with the
> +    distribution.
> +    * Neither the name of Intel Corporation nor the names of its
> +    contributors may be used to endorse or promote products derived
> +    from this software without specific prior written permission.
> +
> +    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> +    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> +    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> +    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> +    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> +    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> +    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> +    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> +    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> +    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> +    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> +
> +IPsec Security Gateway Sample Application
> +=========================================
> +
> +The IPsec Security Gateway application is a minimal example of real work
> +application using DPDK cryptodev framework.
> +
> +Overview
> +--------
> +
> +The application demonstrates the implementation of a minimal Security Gateway
> +(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and
> +RFC2404.
> +
> +Note that IKE is not supported (therefore not IPsec compliant), so only manual
> +setting of Security Policies and Associations is allowed.
> +
> +The Security Policies (SP) are implemented as ACL rules, the Security
> +Associations (SA) are stored in a table and the Routing is implemented
> +using LPM.
> +
> +The application splits the ports between Protected and Unprotected.
> +Based on the port the trafic is coming from, the traffic would be consider
> +IPsec Inbound or Outbound.
> +Traffic from Unprotected ports is consider IPsec Inbound, and traffic from
> +Protected ports is consider IPsec Outbound.
> +
> +Path for IPsec Inbound traffic:
> +*  Read packets from the port
> +*  Classify packets between IPv4 and ESP.
> +*  Inbound SA lookup for ESP packets based on their SPI
> +*  Verification/Decryption
> +*  Removal of ESP and outter IP header
> +*  Inbound SP check using ACL of decrypted packets and any other IPv4 packet
> +we read.
> +*  Routing
> +*  Write packet to port
> +
> +Path for IPsec Outbound traffic:
> +*  Read packets from the port
> +*  Outbound SP check using ACL of all IPv4 traffic
> +*  Outbound SA lookup for packets that need IPsec protection
> +*  Add ESP and outter IP header
> +*  Encryption/Digest
> +*  Routing
> +*  Write packet to port
> +
> +Constraints
> +-----------
> +*  IPv4 traffic
> +*  ESP tunnel mode
> +*  EAS-CBC and HMAC-SHA1
> +*  Each SA must be handle by a unique lcore (1 RX queue per port)
> +*  No chained mbufs
> +
> +Compiling the Application
> +-------------------------
> +
> +To compile the application:
> +
> +#. Go to the sample application directory:
> +
> +   .. code-block:: console
> +
> +      export RTE_SDK=/path/to/rte_sdk
> +      cd ${RTE_SDK}/examples/ipsec-secgw
> +
> +#. Set the target (a default target is used if not specified). For example:
> +
> +   .. code-block:: console
> +
> +      export RTE_TARGET=x86_64-native-linuxapp-gcc
> +
> +    See the *DPDK Getting Started Guide* for possible RTE_TARGET values.
> +
> +#. Build the application:
> +
> +   .. code-block:: console
> +
> +       make
> +
> +Running the Application
> +-----------------------
> +
> +The application has a number of command line options:
> +
> +.. code-block:: console
> +
> +   ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config
> +   (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT
> +
> +where,
> +
> +*   -p PORTMASK: Hexadecimal bitmask of ports to configure
> +
> +*   -P: optional, sets all ports to promiscuous mode so that packets are
> +    accepted regardless of the packet's Ethernet MAC destination address.
> +    Without this option, only packets with the Ethernet MAC destination address
> +    set to the Ethernet address of the port are accepted (default is enabled).
> +
> +*   -u PORTMASK: hexadecimal bitmask of unprotected ports
> +
> +*   --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues
> +    from which ports are mapped to which cores
> +
> +*   --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto
> +
> +*   --EP0: configure the app as Endpoint 0.
> +
> +*   --EP1: configure the app as Endpoint 1.
> +
> +Either --EP0 or --EP1 must be specified.
> +
> +The mapping of lcores to port/queues is similar to other l3fwd applications.
> +
> +For example, given the following command line:
> +.. code-block:: console
> +
> +    ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3
> +    --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0
> +
> +where each options means:
> +
> +*   The -l option enables cores 20 and 21
> +
> +*   The -n option sets memory 4 channels
> +
> +*   The --socket-mem to use 2GB on socket 1
> +
> +*   The -p option enables ports (detected) 0, 1, 2 and 3
> +
> +*   The -P option enables promiscous mode
> +
> +*   The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected
> +
> +*   The --config option enables one queue per port with the following mapping:
> +
> ++----------+-----------+-----------+---------------------------------------+
> +| **Port** | **Queue** | **lcore** | **Description**                       |
> +|          |           |           |                                       |
> ++----------+-----------+-----------+---------------------------------------+
> +| 0        | 0         | 20        | Map queue 0 from port 0 to lcore 20.  |
> +|          |           |           |                                       |
> ++----------+-----------+-----------+---------------------------------------+
> +| 1        | 0         | 20        | Map queue 0 from port 1 to lcore 20.  |
> +|          |           |           |                                       |
> ++----------+-----------+-----------+---------------------------------------+
> +| 2        | 0         | 21        | Map queue 0 from port 2 to lcore 21.  |
> +|          |           |           |                                       |
> ++----------+-----------+-----------+---------------------------------------+
> +| 3        | 0         | 21        | Map queue 0 from port 3 to lcore 21.  |
> +|          |           |           |                                       |
> ++----------+-----------+-----------+---------------------------------------+
> +
> +Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options.
> +
> +Configurations
> +--------------
> +
> +The following sections provide some details on the default values used to
> +initialize the SP, SA and Routing tables.
> +Currently all the configuration is hardcoded into the application.
> +
> +Security Policy Initialization
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +As mention in the overview, the Security Policies are ACL rules.
> +There are two ACLs, Inbound and Outboud.
> +The application would also replicate the set of two ACLs per socket in use.
> +
> +Following are the default rules:
> +
> +Endpoint 0 Outbound Security Policies:
> +
> ++---------+------------------+-----------+------------+
> +| **Src** | **Dst**          | **proto** | **SA idx** |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.105.0/24 | Any       | 5          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.106.0/24 | Any       | 6          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.107.0/24 | Any       | 7          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.108.0/24 | Any       | 8          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +
> +Endpoint 0 Inbound Security Policies:
> +
> ++---------+------------------+-----------+------------+
> +| **Src** | **Dst**          | **proto** | **SA idx** |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.115.0/24 | Any       | 5          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.116.0/24 | Any       | 6          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.117.0/24 | Any       | 7          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.118.0/24 | Any       | 8          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +
> +Endpoint 1 Outbound Security Policies:
> +
> ++---------+------------------+-----------+------------+
> +| **Src** | **Dst**          | **proto** | **SA idx** |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.115.0/24 | Any       | 5          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.116.0/24 | Any       | 6          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.117.0/24 | Any       | 7          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.118.0/24 | Any       | 8          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +
> +Endpoint 1 Inbound Security Policies:
> +
> ++---------+------------------+-----------+------------+
> +| **Src** | **Dst**          | **proto** | **SA idx** |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.105.0/24 | Any       | 5          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.106.0/24 | Any       | 6          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.107.0/24 | Any       | 7          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +| Any     | 192.168.108.0/24 | Any       | 8          |
> +|         |                  |           |            |
> ++---------+------------------+-----------+------------+
> +
> +
> +Security Association Initialization
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +The SAs are kept in a array table.
> +
> +For Inbound, the SPI is used as index module the table size.
> +This means that on a table for 100 SA, SPI 5 and 105 would use the same index
> +and that is not currently supported.
> +
> +Notice that it is not an issue for Outbound traffic as we store the index and
> +not the SPI in the Security Policy.
> +
> +All SAs are configured with the same cipher algo, block size and key (AES-CBC
> +16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B
> +digest).
> +
> +Following are the default values:
> +
> +Endpoint 0 Outbound Security Associations:
> +
> ++---------+----------------+------------------+
> +| **SPI** | **Tunnel src** | **Tunnel dst**   |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 5       | 172.16.1.5     | 172.16.2.5       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 6       | 172.16.1.6     | 172.16.2.6       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 7       | 172.16.1.7     | 172.16.2.7       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 8       | 172.16.1.8     | 172.16.2.8       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +
> +Endpoint 0 Inbound Security Associations:
> +
> ++---------+----------------+------------------+
> +| **SPI** | **Tunnel src** | **Tunnel dst**   |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 5       | 172.16.2.5     | 172.16.1.5       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 6       | 172.16.2.6     | 172.16.1.6       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 7       | 172.16.2.7     | 172.16.1.7       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 8       | 172.16.2.8     | 172.16.1.8       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +
> +Endpoint 1 Outbound Security Associations:
> +
> ++---------+----------------+------------------+
> +| **SPI** | **Tunnel src** | **Tunnel dst**   |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 5       | 172.16.2.5     | 172.16.1.5       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 6       | 172.16.2.6     | 172.16.1.6       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 7       | 172.16.2.7     | 172.16.1.7       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 8       | 172.16.2.8     | 172.16.1.8       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +
> +Endpoint 1 Inbound Security Associations:
> +
> ++---------+----------------+------------------+
> +| **SPI** | **Tunnel src** | **Tunnel dst**   |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 5       | 172.16.1.5     | 172.16.2.5       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 6       | 172.16.1.6     | 172.16.2.6       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 7       | 172.16.1.7     | 172.16.2.7       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +| 8       | 172.16.1.8     | 172.16.2.8       |
> +|         |                |                  |
> ++---------+----------------+------------------+
> +
> +Routing Initialization
> +~~~~~~~~~~~~~~~~~~~~~~
> +
> +The Routing is implemented using LPM table.
> +
> +Following default values:
> +
> +Endpoint 0 Routing Table:
> +
> ++------------------+----------+
> +| **Dst addr**     | **Port** |
> +|                  |          |
> ++------------------+----------+
> +| 172.16.2.5/32    | 0        |
> +|                  |          |
> ++------------------+----------+
> +| 172.16.2.6/32    | 0        |
> +|                  |          |
> ++------------------+----------+
> +| 172.16.2.7/32    | 1        |
> +|                  |          |
> ++------------------+----------+
> +| 172.16.2.8/32    | 1        |
> +|                  |          |
> ++------------------+----------+
> +| 192.168.115.0/24 | 2        |
> +|                  |          |
> ++------------------+----------+
> +| 192.168.116.0/24 | 2        |
> +|                  |          |
> ++------------------+----------+
> +| 192.168.117.0/24 | 3        |
> +|                  |          |
> ++------------------+----------+
> +| 192.168.118.0/24 | 3        |
> +|                  |          |
> ++------------------+----------+
> +
> +Endpoint 1 Routing Table:
> +
> ++------------------+----------+
> +| **Dst addr**     | **Port** |
> +|                  |          |
> ++------------------+----------+
> +| 172.16.1.5/32    | 2        |
> +|                  |          |
> ++------------------+----------+
> +| 172.16.1.6/32    | 2        |
> +|                  |          |
> ++------------------+----------+
> +| 172.16.1.7/32    | 3        |
> +|                  |          |
> ++------------------+----------+
> +| 172.16.1.8/32    | 3        |
> +|                  |          |
> ++------------------+----------+
> +| 192.168.105.0/24 | 0        |
> +|                  |          |
> ++------------------+----------+
> +| 192.168.106.0/24 | 0        |
> +|                  |          |
> ++------------------+----------+
> +| 192.168.107.0/24 | 1        |
> +|                  |          |
> ++------------------+----------+
> +| 192.168.108.0/24 | 1        |
> +|                  |          |
> ++------------------+----------+
> diff --git a/examples/Makefile b/examples/Makefile
> index 1cb4785..65ce6ce 100644
> --- a/examples/Makefile
> +++ b/examples/Makefile
> @@ -1,6 +1,7 @@
>  #   BSD LICENSE
>  #
>  #   Copyright(c) 2014 6WIND S.A.
> +#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>  #
>  #   Redistribution and use in source and binary forms, with or without
>  #   modification, are permitted provided that the following conditions
> @@ -78,5 +79,6 @@ DIRS-y += vmdq
>  DIRS-y += vmdq_dcb
>  DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager
>  DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto
> +DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw
>  
>  include $(RTE_SDK)/mk/rte.extsubdir.mk
> diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
> new file mode 100644
> index 0000000..5f893b8
> --- /dev/null
> +++ b/examples/ipsec-secgw/Makefile
> @@ -0,0 +1,58 @@
> +#   BSD LICENSE
> +#
> +#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> +#   All rights reserved.
> +#
> +#   Redistribution and use in source and binary forms, with or without
> +#   modification, are permitted provided that the following conditions
> +#   are met:
> +#
> +#     * Redistributions of source code must retain the above copyright
> +#       notice, this list of conditions and the following disclaimer.
> +#     * Redistributions in binary form must reproduce the above copyright
> +#       notice, this list of conditions and the following disclaimer in
> +#       the documentation and/or other materials provided with the
> +#       distribution.
> +#     * Neither the name of Intel Corporation nor the names of its
> +#       contributors may be used to endorse or promote products derived
> +#       from this software without specific prior written permission.
> +#
> +#   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> +#   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> +#   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> +#   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> +#   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> +#   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> +#   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> +#   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> +#   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> +#   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> +#   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> +
> +ifeq ($(RTE_SDK),)
> +	$(error "Please define RTE_SDK environment variable")
> +endif
> +
> +# Default target, can be overridden by command line or environment
> +RTE_TARGET ?= x86_64-native-linuxapp-gcc
> +
> +include $(RTE_SDK)/mk/rte.vars.mk
> +
> +APP = ipsec-secgw
> +
> +CFLAGS += -O3 -gdwarf-2
> +CFLAGS += $(WERROR_FLAGS)
> +
> +VPATH += $(SRCDIR)/librte_ipsec
> +
> +#
> +# all source are stored in SRCS-y
> +#
> +SRCS-y += ipsec.c
> +SRCS-y += esp.c
> +SRCS-y += sp.c
> +SRCS-y += sa.c
> +SRCS-y += rt.c
> +SRCS-y += ipsec-secgw.c
> +
> +include $(RTE_SDK)/mk/rte.extapp.mk
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> new file mode 100644
> index 0000000..1be0621
> --- /dev/null
> +++ b/examples/ipsec-secgw/esp.c
> @@ -0,0 +1,256 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +#include <stdint.h>
> +#include <stdlib.h>
> +#include <netinet/ip.h>
> +#include <sys/types.h>
> +#include <sys/stat.h>
> +#include <fcntl.h>
> +#include <unistd.h>
> +
> +#include <rte_memcpy.h>
> +#include <rte_crypto.h>
> +#include <rte_cryptodev.h>
> +#include <rte_random.h>
> +
> +#include "ipsec.h"
> +#include "esp.h"
> +#include "ipip.h"
> +
> +static inline void
> +random_iv_u64(uint64_t *buf, uint16_t n)
> +{
> +	unsigned left = n & 0x7;
> +	unsigned i;
> +
> +	IPSEC_ASSERT((n & 0x3) == 0);
> +
> +	for (i = 0; i < (n >> 3); i++)
> +		buf[i] = rte_rand();
> +
> +	if (left)
> +		*((uint32_t *)&buf[i]) = (uint32_t)lrand48();
> +}
> +
> +/* IPv4 Tunnel */
> +int
> +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> +		struct rte_crypto_op *cop)
> +{
> +	uint16_t digest_len, esp_len, iphdr_len;
> +	int32_t payload_len;
> +
> +	IPSEC_ASSERT(m != NULL);
> +
> +	iphdr_len = sizeof(struct ip);
> +	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
> +	digest_len = sa->digest_len;
> +	payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len;
> +
> +	if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
> +		IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n",
> +				payload_len, sa->block_size);
> +		return -EINVAL;
> +	}
> +
> +	cop->data.to_cipher.offset = iphdr_len + esp_len;
> +	cop->data.to_cipher.length = payload_len;
> +
> +	cop->data.to_hash.offset = iphdr_len;
> +	if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM)
> +		cop->data.to_hash.length = esp_len - sa->iv_len;
> +	else
> +		cop->data.to_hash.length = esp_len + payload_len;
> +
> +	cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
> +			iphdr_len + esp_len - sa->iv_len);
> +	cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
> +			iphdr_len + esp_len - sa->iv_len);
> +
> +	cop->iv.length = sa->iv_len;
> +
> +	cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
> +			iphdr_len + esp_len + payload_len);
> +	cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
> +			iphdr_len + esp_len + payload_len);
> +	cop->digest.length = digest_len;
> +
> +	return 0;
> +}
> +
> +int
> +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> +		struct rte_crypto_op *cop)
> +{
> +	uint16_t digest_len, esp_len, iphdr_len;
> +	uint8_t *nexthdr, *pad_len;
> +	uint8_t *padding;
> +	uint16_t i;
> +
> +	IPSEC_ASSERT(m != NULL);
> +
> +	iphdr_len = sizeof(struct ip);
> +	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
> +	digest_len = sa->digest_len;
> +
> +	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
> +		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
> +		return -1;
> +	}
> +
> +	nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
> +			rte_pktmbuf_pkt_len(m) - digest_len - 1);
> +	pad_len = nexthdr - 1;
> +
> +	padding = pad_len - *pad_len;
> +	for (i = 0; i < *pad_len; i++) {
> +		if (padding[i] != i) {
> +			IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n");
> +			return -EINVAL;
> +		}
> +	}
> +
> +	if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) {
> +		IPSEC_LOG(ERR, IPSEC_ESP,
> +				"failed to remove pad_len + digest\n");
> +		return -EINVAL;
> +	}
> +
> +	return ip4ip_inbound(m, iphdr_len + esp_len);
> +}
> +
> +int
> +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> +		struct rte_crypto_op *cop)
> +{
> +	uint16_t digest_len, esp_len, payload_len, block_sz, pad_len;
> +	int32_t pad_payload_len;
> +	struct ip *ip;
> +	struct esp_hdr *esp;
> +	int i;
> +	char *padding;
> +
> +	rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE);
> +	rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *));
> +
> +	IPSEC_ASSERT(m != NULL);
> +	IPSEC_ASSERT(sa != NULL);
> +
> +	/* Payload length */
> +	payload_len = rte_pktmbuf_pkt_len(m);
> +
> +	block_sz = sa->block_size;
> +
> +	/* Per RFC4303:
> +	 *  padded payload needs to be multiple of 4 bytes.
> +	 * All application supported block sizes must be power of 2
> +	 */
> +	pad_len = (payload_len + 2) & (block_sz - 1);
> +	pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2;
> +
> +	/* Padded payload length */
> +	pad_payload_len = payload_len + pad_len;
> +	/* ESP header length */
> +	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
> +	/* Digest length */
> +	digest_len = sa->digest_len;
> +
> +	IPSEC_LOG(DEBUG, IPSEC_ESP,
> +			"pktlen %u, esp_len %u, digest_len %u, payload_len %u,"
> +			" pad_payload_len %u, block_sz %u, pad_len %u\n",
> +			rte_pktmbuf_pkt_len(m), esp_len, digest_len,
> +			payload_len, pad_payload_len, block_sz,	pad_len);
> +
> +	/* Check maximum packet size */
> +	if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) {
> +		IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n");
> +		return -EINVAL;
> +	}
> +
> +	padding = rte_pktmbuf_append(m, pad_len + digest_len);
> +
> +	IPSEC_ASSERT(padding != NULL);
> +
> +	ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst);
> +
> +	esp = (struct esp_hdr *)(ip + 1);
> +	esp->spi = sa->spi;
> +
> +	esp->seq = htonl(sa->seq++);
> +
> +	IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m));
> +
> +	/* Fill pad_len using default sequential scheme */
> +	for (i = 0; i < pad_len - 2; i++)
> +		padding[i] = i + 1;
> +
> +	padding[pad_len - 2] = pad_len - 2;
> +	padding[pad_len - 1] = IPPROTO_IPIP;
> +	ip->ip_p = IPPROTO_ESP;
> +
> +	cop->data.to_cipher.offset = sizeof(struct ip) + esp_len;
> +	cop->data.to_cipher.length = pad_payload_len;
> +
> +	cop->data.to_hash.offset = sizeof(struct ip);
> +	cop->data.to_hash.length = esp_len + pad_payload_len;
> +
> +	cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
> +			sizeof(struct ip) + esp_len - sa->iv_len);
> +	cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
> +			sizeof(struct ip) + esp_len - sa->iv_len);
> +	cop->iv.length = sa->iv_len;
> +
> +	cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
> +			sizeof(struct ip) + esp_len + pad_payload_len);
> +	cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
> +			sizeof(struct ip) + esp_len + pad_payload_len);
> +	cop->digest.length = digest_len;
> +
> +	random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length);
> +
> +	return 0;
> +}
> +
> +int
> +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused,
> +		struct ipsec_sa *sa __rte_unused,
> +		struct rte_crypto_op *cop)
> +{
> +	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
> +		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
> +		return -1;
> +	}
> +
> +	return 0;
> +}
> diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h
> new file mode 100644
> index 0000000..d7c8ba6
> --- /dev/null
> +++ b/examples/ipsec-secgw/esp.h
> @@ -0,0 +1,66 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +#ifndef __RTE_IPSEC_XFORM_ESP_H__
> +#define __RTE_IPSEC_XFORM_ESP_H__
> +
> +struct mbuf;
> +
> +/* RFC4303 */
> +struct esp_hdr {
> +	uint32_t spi;
> +	uint32_t seq;
> +	/* Payload */
> +	/* Padding */
> +	/* Pad Length */
> +	/* Next Header */
> +	/* Integrity Check Value - ICV */
> +};
> +
> +/* IPv4 Tunnel */
> +int
> +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> +		struct rte_crypto_op *cop);
> +
> +int
> +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> +		struct rte_crypto_op *cop);
> +
> +int
> +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> +		struct rte_crypto_op *cop);
> +
> +int
> +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> +		struct rte_crypto_op *cop);
> +
> +#endif /* __RTE_IPSEC_XFORM_ESP_H__ */
> diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h
> new file mode 100644
> index 0000000..16c5dfb
> --- /dev/null
> +++ b/examples/ipsec-secgw/ipip.h
> @@ -0,0 +1,100 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +#ifndef __IPIP_H__
> +#define __IPIP_H__
> +
> +#include <stdint.h>
> +#include <netinet/in.h>
> +#include <netinet/ip.h>
> +
> +#include <rte_mbuf.h>
> +
> +static inline  struct ip *
> +ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst)
> +{
> +	struct ip *inip, *outip;
> +
> +	inip = rte_pktmbuf_mtod(m, struct ip*);
> +
> +	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
> +
> +	offset += sizeof(struct ip);
> +
> +	outip = (struct ip *)rte_pktmbuf_prepend(m, offset);
> +
> +	IPSEC_ASSERT(outip != NULL);
> +
> +	/* Per RFC4301 5.1.2.1 */
> +	outip->ip_len = htons(rte_pktmbuf_data_len(m));
> +	outip->ip_v = IPVERSION;
> +	outip->ip_hl = 5;
> +	outip->ip_tos = inip->ip_tos;
> +
> +	outip->ip_id = 0;
> +	outip->ip_off = 0;
> +
> +	outip->ip_ttl = IPDEFTTL;
> +
> +	outip->ip_dst.s_addr = dst;
> +	outip->ip_src.s_addr = src;
> +
> +	return outip;
> +}
> +
> +static inline int
> +ip4ip_inbound(struct rte_mbuf *m, uint32_t offset)
> +{
> +	struct ip *inip;
> +	struct ip *outip;
> +
> +	outip = rte_pktmbuf_mtod(m, struct ip*);
> +
> +	IPSEC_ASSERT(outip->ip_v == IPVERSION);
> +
> +	offset += sizeof(struct ip);
> +	inip = (struct ip *)rte_pktmbuf_adj(m, offset);
> +	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
> +
> +	/* Check packet is still bigger than IP header (inner) */
> +	IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip));
> +
> +	/* RFC4301 5.1.2.1 Note 6 */
> +	if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) &&
> +			((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE))
> +		inip->ip_tos |= htons(IPTOS_ECN_CE);
> +
> +	return 0;
> +}
> +
> +#endif /* __IPIP_H__ */
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> new file mode 100644
> index 0000000..d2e8972
> --- /dev/null
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -0,0 +1,1218 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <stdint.h>
> +#include <inttypes.h>
> +#include <sys/types.h>
> +#include <string.h>
> +#include <sys/queue.h>
> +#include <stdarg.h>
> +#include <errno.h>
> +#include <getopt.h>
> +
> +#include <rte_common.h>
> +#include <rte_byteorder.h>
> +#include <rte_log.h>
> +#include <rte_eal.h>
> +#include <rte_launch.h>
> +#include <rte_atomic.h>
> +#include <rte_cycles.h>
> +#include <rte_prefetch.h>
> +#include <rte_lcore.h>
> +#include <rte_per_lcore.h>
> +#include <rte_branch_prediction.h>
> +#include <rte_interrupts.h>
> +#include <rte_pci.h>
> +#include <rte_random.h>
> +#include <rte_debug.h>
> +#include <rte_ether.h>
> +#include <rte_ethdev.h>
> +#include <rte_mempool.h>
> +#include <rte_mbuf.h>
> +#include <rte_acl.h>
> +#include <rte_lpm.h>
> +#include <rte_cryptodev.h>
> +#include <rte_cryptodev.h>
> +
> +#include "ipsec.h"
> +
> +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
> +
> +#define MAX_JUMBO_PKT_LEN  9600
> +
> +#define MEMPOOL_CACHE_SIZE 256
> +
> +#define NB_MBUF	(32000)
> +
> +#define CDEV_MP_NB_OBJS 2048
> +#define CDEV_MP_CACHE_SZ 64
> +#define MAX_QUEUE_PAIRS 1
> +
> +#define OPTION_CONFIG		"config"
> +#define OPTION_EP0		"ep0"
> +#define OPTION_EP1		"ep1"
> +#define OPTION_CDEV_TYPE	"cdev"
> +
> +#define MAX_PKT_BURST 32
> +#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */
> +
> +#define NB_SOCKETS 4
> +
> +/* Configure how many packets ahead to prefetch, when reading packets */
> +#define PREFETCH_OFFSET	3
> +
> +#define MAX_RX_QUEUE_PER_LCORE 16
> +
> +#define MAX_LCORE_PARAMS 1024
> +
> +#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid))
> +
> +/*
> + * Configurable number of RX/TX ring descriptors
> + */
> +#define IPSEC_SECGW_RX_DESC_DEFAULT 128
> +#define IPSEC_SECGW_TX_DESC_DEFAULT 512
> +static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
> +static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
> +
> +#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
> +	(((uint64_t)((a) & 0xff) << 56) | \
> +	((uint64_t)((b) & 0xff) << 48) | \
> +	((uint64_t)((c) & 0xff) << 40) | \
> +	((uint64_t)((d) & 0xff) << 32) | \
> +	((uint64_t)((e) & 0xff) << 24) | \
> +	((uint64_t)((f) & 0xff) << 16) | \
> +	((uint64_t)((g) & 0xff) << 8)  | \
> +	((uint64_t)(h) & 0xff))
> +#else
> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
> +	(((uint64_t)((h) & 0xff) << 56) | \
> +	((uint64_t)((g) & 0xff) << 48) | \
> +	((uint64_t)((f) & 0xff) << 40) | \
> +	((uint64_t)((e) & 0xff) << 32) | \
> +	((uint64_t)((d) & 0xff) << 24) | \
> +	((uint64_t)((c) & 0xff) << 16) | \
> +	((uint64_t)((b) & 0xff) << 8) | \
> +	((uint64_t)(a) & 0xff))
> +#endif
> +#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
> +
> +#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
> +		addr.addr_bytes[0], addr.addr_bytes[1], \
> +		addr.addr_bytes[2], addr.addr_bytes[3], \
> +		addr.addr_bytes[4], addr.addr_bytes[5], \
> +		0, 0)
> +
> +/* port/source ethernet addr and destination ethernet addr */
> +struct ethaddr_info {
> +	uint64_t src, dst;
> +};
> +
> +struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
> +	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
> +	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
> +	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
> +	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
> +};
> +
> +/* mask of enabled ports */
> +static uint32_t enabled_port_mask;
> +static uint32_t unprotected_port_mask;
> +static int promiscuous_on = 1;
> +static int numa_on = 1; /**< NUMA is enabled by default. */
> +static int ep = -1; /**< Endpoint configuration (0 or 1) */
> +static unsigned cdev_type = -1;
> +static unsigned nb_lcores;
> +
> +struct buffer {
> +	uint16_t len;
> +	struct rte_mbuf *m_table[MAX_PKT_BURST];
> +};
> +
> +struct lcore_rx_queue {
> +	uint8_t port_id;
> +	uint8_t queue_id;
> +} __rte_cache_aligned;
> +
> +struct lcore_params {
> +	uint8_t port_id;
> +	uint8_t queue_id;
> +	uint8_t lcore_id;
> +} __rte_cache_aligned;
> +
> +static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
> +
> +static struct lcore_params *lcore_params;
> +static uint16_t nb_lcore_params;
> +
> +struct lcore_conf {
> +	uint16_t nb_rx_queue;
> +	struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE];
> +	uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
> +	struct buffer tx_mbufs[RTE_MAX_ETHPORTS];
> +	uint16_t cdev;
> +	uint16_t cdev_q;
> +} __rte_cache_aligned;
> +
> +static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
> +
> +static struct rte_eth_conf port_conf = {
> +	.rxmode = {
> +		.mq_mode	= ETH_MQ_RX_RSS,
> +		.max_rx_pkt_len = ETHER_MAX_LEN,
> +		.split_hdr_size = 0,
> +		.header_split   = 0, /**< Header Split disabled */
> +		.hw_ip_checksum = 1, /**< IP checksum offload enabled */
> +		.hw_vlan_filter = 0, /**< VLAN filtering disabled */
> +		.jumbo_frame    = 0, /**< Jumbo Frame Support disabled */
> +		.hw_strip_crc   = 0, /**< CRC stripped by hardware */
> +	},
> +	.rx_adv_conf = {
> +		.rss_conf = {
> +			.rss_key = NULL,
> +			.rss_hf = ETH_RSS_IP | ETH_RSS_UDP |
> +				ETH_RSS_TCP | ETH_RSS_SCTP,
> +		},
> +	},
> +	.txmode = {
> +		.mq_mode = ETH_MQ_TX_NONE,
> +	},
> +};
> +
> +static struct socket_ctx socket_ctx[NB_SOCKETS];
> +
> +struct traffic_type {
> +	const uint8_t *data[MAX_PKT_BURST * 2];
> +	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
> +	uint32_t res[MAX_PKT_BURST * 2];
> +	uint32_t num;
> +};
> +
> +struct ipsec_traffic {
> +	struct traffic_type ipsec4;
> +	struct traffic_type ipv4;
> +};
> +
> +static inline void
> +prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
> +{
> +	uint8_t *nlp;
> +
> +	if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) {
> +		rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
> +		nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *,
> +				offsetof(struct ip, ip_p));
> +		if (*nlp == IPPROTO_ESP)
> +			t->ipsec4.pkts[(t->ipsec4.num)++] = pkt;
> +		else {
> +			t->ipv4.data[t->ipv4.num] = nlp;
> +			t->ipv4.pkts[(t->ipv4.num)++] = pkt;
> +		}
> +	} else {
> +		/* Unknown/Unsupported type, drop the packet */
> +		rte_pktmbuf_free(pkt);
> +	}
> +}
> +
> +static inline void
> +prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
> +		uint16_t nb_pkts)
> +{
> +	int i;
> +
> +	t->ipsec4.num = 0;
> +	t->ipv4.num = 0;
> +
> +	for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
> +		rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
> +					void *));
> +		prepare_one_packet(pkts[i], t);
> +	}
> +	/* Process left packets */
> +	for (; i < nb_pkts; i++)
> +		prepare_one_packet(pkts[i], t);
> +}
> +
> +static inline void
> +prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
> +{
> +	pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
> +	pkt->l3_len = sizeof(struct ip);
> +	pkt->l2_len = ETHER_HDR_LEN;
> +
> +	uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN);
> +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
> +	ethhdr[0] = ethaddr_tbl[port].dst |
> +		((ethaddr_tbl[port].src & 0xffff) << 48);
> +	ethhdr[1] = ethaddr_tbl[port].src >> 16 |
> +		((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) |
> +		(ethhdr[1] & (0xffffUL << 48));
> +#else
> +	ethhdr[0] = ethaddr_tbl[port].dst |
> +		(ethaddr_tbl[port].src >> 48 & 0xffff);
> +	ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) |
> +		(ethhdr[1] & 0xffffUL);
> +#endif
> +}
> +
> +static inline void
> +prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port)
> +{
> +	int i;
> +	const int prefetch_offset = 2;
> +
> +	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
> +		rte_prefetch0(pkts[i + prefetch_offset]->cacheline1);
> +		prepare_tx_pkt(pkts[i], port);
> +	}
> +	/* Process left packets */
> +	for (; i < nb_pkts; i++)
> +		prepare_tx_pkt(pkts[i], port);
> +}
> +
> +/* Send burst of packets on an output interface */
> +static inline int
> +send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port)
> +{
> +	struct rte_mbuf **m_table;
> +	int ret;
> +	uint16_t queueid;
> +
> +	queueid = qconf->tx_queue_id[port];
> +	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
> +
> +	prepare_tx_burst(m_table, n, port);
> +
> +	ret = rte_eth_tx_burst(port, queueid, m_table, n);
> +	if (unlikely(ret < n)) {
> +		do {
> +			rte_pktmbuf_free(m_table[ret]);
> +		} while (++ret < n);
> +	}
> +
> +	return 0;
> +}
> +
> +/* Enqueue a single packet, and send burst if queue is filled */
> +static inline int
> +send_single_packet(struct rte_mbuf *m, uint8_t port)
> +{
> +	uint32_t lcore_id;
> +	uint16_t len;
> +	struct lcore_conf *qconf;
> +
> +	lcore_id = rte_lcore_id();
> +
> +	qconf = &lcore_conf[lcore_id];
> +	len = qconf->tx_mbufs[port].len;
> +	qconf->tx_mbufs[port].m_table[len] = m;
> +	len++;
> +
> +	/* enough pkts to be sent */
> +	if (unlikely(len == MAX_PKT_BURST)) {
> +		send_burst(qconf, MAX_PKT_BURST, port);
> +		len = 0;
> +	}
> +
> +	qconf->tx_mbufs[port].len = len;
> +	return 0;
> +}
> +
> +static inline void
> +process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
> +{
> +	struct sa_ctx *sa_ctx = ctx->sa_ipv4_in;
> +	struct sp_ctx *sp_ctx = ctx->sp_ipv4_in;
> +	struct rte_mbuf *m;
> +	uint16_t idx, nb_pkts_in, i, j;
> +	uint32_t sa_idx, res;
> +	struct ipsec_ctx ipsec_ctx;
> +	struct lcore_conf *qconf;
> +
> +	qconf = &lcore_conf[rte_lcore_id()];
> +	ipsec_ctx.cdev = qconf->cdev;
> +	ipsec_ctx.queue = qconf->cdev_q;
> +	ipsec_ctx.sa_ctx = sa_ctx;
> +
> +	nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts,
> +			traffic->ipsec4.num, MAX_PKT_BURST);
> +
> +	/* SP/ACL Inbound check ipsec and ipv4 */
> +	for (i = 0; i < nb_pkts_in; i++) {
> +		idx = traffic->ipv4.num++;
> +		m = traffic->ipsec4.pkts[i];
> +		traffic->ipv4.pkts[idx] = m;
> +		traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m,
> +				uint8_t *, offsetof(struct ip, ip_p));
> +	}
> +
> +	rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
> +			traffic->ipv4.res, traffic->ipv4.num,
> +			DEFAULT_MAX_CATEGORIES);
> +
> +	j = 0;
> +	for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) {
> +		m = traffic->ipv4.pkts[i];
> +		res = traffic->ipv4.res[i];
> +		if (res & ~BYPASS) {
> +			rte_pktmbuf_free(m);
> +			continue;
> +		}
> +		traffic->ipv4.pkts[j++] = m;
> +	}
> +	/* Check return SA SPI matches pkt SPI */
> +	for ( ; i < traffic->ipv4.num; i++) {
> +		m = traffic->ipv4.pkts[i];
> +		sa_idx = traffic->ipv4.res[i] & PROTECT_MASK;
> +		if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) {
> +			rte_pktmbuf_free(m);
> +			continue;
> +		}
> +		traffic->ipv4.pkts[j++] = m;
> +	}
> +	traffic->ipv4.num = j;
> +}
> +
> +static inline void
> +process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
> +{
> +	struct sa_ctx *sa_ctx = ctx->sa_ipv4_out;
> +	struct sp_ctx *sp_ctx = ctx->sp_ipv4_out;
> +	struct rte_mbuf *m;
> +	uint16_t idx, nb_pkts_out, i, j;
> +	uint32_t sa_idx, res;
> +	struct ipsec_ctx ipsec_ctx;
> +	struct lcore_conf *qconf;
> +
> +	qconf = &lcore_conf[rte_lcore_id()];
> +	ipsec_ctx.cdev = qconf->cdev;
> +	ipsec_ctx.queue = qconf->cdev_q;
> +	ipsec_ctx.sa_ctx = sa_ctx;
> +
> +	rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
> +			traffic->ipv4.res, traffic->ipv4.num,
> +			DEFAULT_MAX_CATEGORIES);

IMO, an option for single SA based outbound processing would be useful
measuring performance bottlenecks with SA lookup.


> +	j = 0;
> +	for (i = 0; i < traffic->ipv4.num; i++) {
> +		m = traffic->ipv4.pkts[i];
> +		res = traffic->ipv4.res[i];
> +		sa_idx = res & PROTECT_MASK;
> +		if (res & DISCARD) {
> +			rte_pktmbuf_free(m);
> +		} else if (sa_idx != 0) {
> +			traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx;
> +			traffic->ipsec4.pkts[traffic->ipsec4.num++] = m;
> +		} else /* BYPASS */
> +			traffic->ipv4.pkts[j++] = m;
> +	}
> +	traffic->ipv4.num = j;
> +
> +	nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts,
> +			traffic->ipsec4.res, traffic->ipsec4.num,
> +			MAX_PKT_BURST);
> +
> +	for (i = 0; i < nb_pkts_out; i++) {
> +		idx = traffic->ipv4.num++;
> +		m = traffic->ipsec4.pkts[i];
> +		traffic->ipv4.pkts[idx] = m;
> +	}
> +}
> +
> +static inline void
> +route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
> +{
> +	uint16_t hop[MAX_PKT_BURST * 2];
> +	uint32_t dst_ip[MAX_PKT_BURST * 2];
> +	uint16_t i, offset;
> +
> +	if (nb_pkts == 0)
> +		return;
> +
> +	for (i = 0; i < nb_pkts; i++) {
> +		offset = offsetof(struct ip, ip_dst);
> +		dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i],
> +				uint32_t *, offset);
> +		dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]);
> +	}
> +
> +	rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts);
> +
> +	for (i = 0; i < nb_pkts; i++) {
> +		if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) {
> +			rte_pktmbuf_free(pkts[i]);
> +			continue;
> +		}
> +		send_single_packet(pkts[i], hop[i] & 0xff);
> +	}
> +}
> +
> +static inline void
> +process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts,
> +		uint8_t nb_pkts, uint8_t portid)
> +{
> +	struct ipsec_traffic traffic;
> +
> +	prepare_traffic(pkts, &traffic, nb_pkts);
> +
> +	if (UNPROTECTED_PORT(portid))
> +		process_pkts_inbound(ctx, &traffic);
> +	else
> +		process_pkts_outbound(ctx, &traffic);
> +
> +	route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num);
> +}
> +
> +static inline void
> +drain_buffers(struct lcore_conf *qconf)
> +{
> +	struct buffer *buf;
> +	unsigned portid;
> +
> +	for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) {
> +		buf = &qconf->tx_mbufs[portid];
> +		if (buf->len == 0)
> +			continue;
> +		send_burst(qconf, buf->len, portid);
> +		buf->len = 0;
> +	}
> +}
> +
> +/* main processing loop */
> +static int
> +main_loop(__attribute__((unused)) void *dummy)
> +{
> +	struct rte_mbuf *pkts[MAX_PKT_BURST];
> +	unsigned lcore_id;
> +	uint64_t prev_tsc, diff_tsc, cur_tsc;
> +	int i, nb_rx;
> +	uint8_t portid, queueid;
> +	struct lcore_conf *qconf;
> +	int socket_id;
> +	const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1)
> +			/ US_PER_S * BURST_TX_DRAIN_US;
> +	struct socket_ctx *ctx;
> +	struct lcore_rx_queue *rxql;
> +
> +	prev_tsc = 0;
> +	lcore_id = rte_lcore_id();
> +	qconf = &lcore_conf[lcore_id];
> +	rxql = qconf->rx_queue_list;
> +	socket_id = rte_lcore_to_socket_id(lcore_id);
> +
> +	ctx = &socket_ctx[socket_id];
> +
> +	if (qconf->nb_rx_queue == 0) {
> +		RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id);
> +		return 0;
> +	}
> +
> +	RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id);
> +
> +	for (i = 0; i < qconf->nb_rx_queue; i++) {
> +		portid = rxql[i].port_id;
> +		queueid = rxql[i].queue_id;
> +		RTE_LOG(INFO, IPSEC,
> +			" -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n",
> +			lcore_id, portid, queueid);
> +	}
> +
> +	while (1) {
> +		cur_tsc = rte_rdtsc();
> +
> +		/* TX queue buffer drain */
> +		diff_tsc = cur_tsc - prev_tsc;
> +
> +		if (unlikely(diff_tsc > drain_tsc)) {
> +			drain_buffers(qconf);
> +			prev_tsc = cur_tsc;
> +		}
> +
> +		/* Read packet from RX queues */
> +		for (i = 0; i < qconf->nb_rx_queue; ++i) {
> +			portid = rxql[i].port_id;
> +			queueid = rxql[i].queue_id;
> +			nb_rx = rte_eth_rx_burst(portid, queueid,
> +					pkts, MAX_PKT_BURST);
> +
> +			if (nb_rx > 0)
> +				process_pkts(ctx, pkts, nb_rx, portid);
> +		}
> +	}
> +}
> +
> +static int
> +check_params(void)
> +{
> +	uint8_t lcore, portid, nb_ports;
> +	uint16_t i;
> +	int socket_id;
> +
> +	if (lcore_params == NULL) {
> +		printf("Error: No port/queue/core mappings\n");
> +		return -1;
> +	}
> +
> +	nb_ports = rte_eth_dev_count();
> +	if (nb_ports > RTE_MAX_ETHPORTS)
> +		nb_ports = RTE_MAX_ETHPORTS;
> +
> +	for (i = 0; i < nb_lcore_params; ++i) {
> +		lcore = lcore_params[i].lcore_id;
> +		if (!rte_lcore_is_enabled(lcore)) {
> +			printf("error: lcore %hhu is not enabled in "
> +				"lcore mask\n", lcore);
> +			return -1;
> +		}
> +		socket_id = rte_lcore_to_socket_id(lcore);
> +		if (socket_id != 0 && numa_on == 0) {
> +			printf("warning: lcore %hhu is on socket %d "
> +				"with numa off\n",
> +				lcore, socket_id);
> +		}
> +		portid = lcore_params[i].port_id;
> +		if ((enabled_port_mask & (1 << portid)) == 0) {
> +			printf("port %u is not enabled in port mask\n", portid);
> +			return -1;
> +		}
> +		if (portid >= nb_ports) {
> +			printf("port %u is not present on the board\n", portid);
> +			return -1;
> +		}
> +	}
> +	return 0;
> +}
> +
> +static uint8_t
> +get_port_nb_rx_queues(const uint8_t port)
> +{
> +	int queue = -1;
> +	uint16_t i;
> +
> +	for (i = 0; i < nb_lcore_params; ++i) {
> +		if (lcore_params[i].port_id == port &&
> +				lcore_params[i].queue_id > queue)
> +			queue = lcore_params[i].queue_id;
> +	}
> +	return (uint8_t)(++queue);
> +}
> +
> +static int
> +init_lcore_rx_queues(void)
> +{
> +	uint16_t i, nb_rx_queue;
> +	uint8_t lcore;
> +
> +	for (i = 0; i < nb_lcore_params; ++i) {
> +		lcore = lcore_params[i].lcore_id;
> +		nb_rx_queue = lcore_conf[lcore].nb_rx_queue;
> +		if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) {
> +			printf("error: too many queues (%u) for lcore: %u\n",
> +					nb_rx_queue + 1, lcore);
> +			return -1;
> +		}
> +		lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id =
> +			lcore_params[i].port_id;
> +		lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id =
> +			lcore_params[i].queue_id;
> +		lcore_conf[lcore].nb_rx_queue++;
> +	}
> +	return 0;
> +}
> +
> +/* display usage */
> +static void
> +print_usage(const char *prgname)
> +{
> +	printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK"
> +		"  --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]"
> +		" --EP0|--EP1 --cdev AESNI|QAT\n"
> +		"  -p PORTMASK: hexadecimal bitmask of ports to configure\n"
> +		"  -P : enable promiscuous mode\n"
> +		"  -u PORTMASK: hexadecimal bitmask of unprotected ports\n"
> +		"  --"OPTION_CONFIG": (port,queue,lcore): "
> +		"rx queues configuration\n"
> +		"  --cdev AESNI | QAT\n"
> +		"  --EP0: Configure as Endpoint 0\n"
> +		"  --EP1: Configure as Endpoint 1\n", prgname);
> +}
> +
> +static int
> +parse_portmask(const char *portmask)
> +{
> +	char *end = NULL;
> +	unsigned long pm;
> +
> +	/* parse hexadecimal string */
> +	pm = strtoul(portmask, &end, 16);
> +	if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0'))
> +		return -1;
> +
> +	if (pm == 0)
> +		return -1;
> +
> +	return pm;
> +}
> +
> +static int
> +parse_config(const char *q_arg)
> +{
> +	char s[256];
> +	const char *p, *p0 = q_arg;
> +	char *end;
> +	enum fieldnames {
> +		FLD_PORT = 0,
> +		FLD_QUEUE,
> +		FLD_LCORE,
> +		_NUM_FLD
> +	};
> +	unsigned long int_fld[_NUM_FLD];
> +	char *str_fld[_NUM_FLD];
> +	int i;
> +	unsigned size;
> +
> +	nb_lcore_params = 0;
> +
> +	while ((p = strchr(p0, '(')) != NULL) {
> +		++p;
> +		p0 = strchr(p, ')');
> +		if (p0 == NULL)
> +			return -1;
> +
> +		size = p0 - p;
> +		if (size >= sizeof(s))
> +			return -1;
> +
> +		snprintf(s, sizeof(s), "%.*s", size, p);
> +		if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') !=
> +				_NUM_FLD)
> +			return -1;
> +		for (i = 0; i < _NUM_FLD; i++) {
> +			errno = 0;
> +			int_fld[i] = strtoul(str_fld[i], &end, 0);
> +			if (errno != 0 || end == str_fld[i] || int_fld[i] > 255)
> +				return -1;
> +		}
> +		if (nb_lcore_params >= MAX_LCORE_PARAMS) {
> +			printf("exceeded max number of lcore params: %hu\n",
> +				nb_lcore_params);
> +			return -1;
> +		}
> +		lcore_params_array[nb_lcore_params].port_id =
> +			(uint8_t)int_fld[FLD_PORT];
> +		lcore_params_array[nb_lcore_params].queue_id =
> +			(uint8_t)int_fld[FLD_QUEUE];
> +		lcore_params_array[nb_lcore_params].lcore_id =
> +			(uint8_t)int_fld[FLD_LCORE];
> +		++nb_lcore_params;
> +	}
> +	lcore_params = lcore_params_array;
> +	return 0;
> +}
> +
> +#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt)))
> +static int
> +parse_args_long_options(struct option *lgopts, int option_index)
> +{
> +	int ret = -1;
> +	const char *optname = lgopts[option_index].name;
> +
> +	if (__STRNCMP(optname, OPTION_CONFIG)) {
> +		ret = parse_config(optarg);
> +		if (ret)
> +			printf("invalid config\n");
> +	}
> +
> +	if (__STRNCMP(optname, OPTION_EP0)) {
> +		printf("endpoint 0\n");
> +		ep = 0;
> +		ret = 0;
> +	}
> +
> +	if (__STRNCMP(optname, OPTION_EP1)) {
> +		printf("endpoint 1\n");
> +		ep = 1;
> +		ret = 0;
> +	}
> +
> +	if (__STRNCMP(optname, OPTION_CDEV_TYPE)) {
> +		if (__STRNCMP(optarg, "AESNI")) {
> +			cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD;
> +			ret = 0;
> +		} else if (__STRNCMP(optarg, "QAT")) {
> +			cdev_type = RTE_CRYPTODEV_QAT_PMD;
> +			ret = 0;
> +		}
> +	}
> +
> +	return ret;
> +}
> +#undef __STRNCMP
> +
> +static int
> +parse_args(int argc, char **argv)
> +{
> +	int opt, ret;
> +	char **argvopt;
> +	int option_index;
> +	char *prgname = argv[0];
> +	static struct option lgopts[] = {
> +		{OPTION_CONFIG, 1, 0, 0},
> +		{OPTION_EP0, 0, 0, 0},
> +		{OPTION_EP1, 0, 0, 0},
> +		{OPTION_CDEV_TYPE, 1, 0, 0},
> +		{NULL, 0, 0, 0}
> +	};
> +
> +	argvopt = argv;
> +
> +	while ((opt = getopt_long(argc, argvopt, "p:Pu:",
> +				lgopts, &option_index)) != EOF) {
> +
> +		switch (opt) {
> +		case 'p':
> +			enabled_port_mask = parse_portmask(optarg);
> +			if (enabled_port_mask == 0) {
> +				printf("invalid portmask\n");
> +				print_usage(prgname);
> +				return -1;
> +			}
> +			break;
> +		case 'P':
> +			printf("Promiscuous mode selected\n");
> +			promiscuous_on = 1;
> +			break;
> +		case 'u':
> +			unprotected_port_mask = parse_portmask(optarg);
> +			if (unprotected_port_mask == 0) {
> +				printf("invalid unprotected portmask\n");
> +				print_usage(prgname);
> +				return -1;
> +			}
> +			break;
> +		case 0:
> +			if (parse_args_long_options(lgopts, option_index)) {
> +				print_usage(prgname);
> +				return -1;
> +			}
> +			break;
> +		default:
> +			print_usage(prgname);
> +			return -1;
> +		}
> +	}
> +
> +	if (optind >= 0)
> +		argv[optind-1] = prgname;
> +
> +	ret = optind-1;
> +	optind = 0; /* reset getopt lib */
> +	return ret;
> +}
> +
> +static void
> +print_ethaddr(const char *name, const struct ether_addr *eth_addr)
> +{
> +	char buf[ETHER_ADDR_FMT_SIZE];
> +	ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
> +	printf("%s%s", name, buf);
> +}
> +
> +/* Check the link status of all ports in up to 9s, and print them finally */
> +static void
> +check_all_ports_link_status(uint8_t port_num, uint32_t port_mask)
> +{
> +#define CHECK_INTERVAL 100 /* 100ms */
> +#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */
> +	uint8_t portid, count, all_ports_up, print_flag = 0;
> +	struct rte_eth_link link;
> +
> +	printf("\nChecking link status");
> +	fflush(stdout);
> +	for (count = 0; count <= MAX_CHECK_TIME; count++) {
> +		all_ports_up = 1;
> +		for (portid = 0; portid < port_num; portid++) {
> +			if ((port_mask & (1 << portid)) == 0)
> +				continue;
> +			memset(&link, 0, sizeof(link));
> +			rte_eth_link_get_nowait(portid, &link);
> +			/* print link status if flag set */
> +			if (print_flag == 1) {
> +				if (link.link_status)
> +					printf("Port %d Link Up - speed %u "
> +						"Mbps - %s\n", (uint8_t)portid,
> +						(unsigned)link.link_speed,
> +				(link.link_duplex == ETH_LINK_FULL_DUPLEX) ?
> +					("full-duplex") : ("half-duplex\n"));
> +				else
> +					printf("Port %d Link Down\n",
> +						(uint8_t)portid);
> +				continue;
> +			}
> +			/* clear all_ports_up flag if any link down */
> +			if (link.link_status == 0) {
> +				all_ports_up = 0;
> +				break;
> +			}
> +		}
> +		/* after finally printing all link status, get out */
> +		if (print_flag == 1)
> +			break;
> +
> +		if (all_ports_up == 0) {
> +			printf(".");
> +			fflush(stdout);
> +			rte_delay_ms(CHECK_INTERVAL);
> +		}
> +
> +		/* set the print_flag if all ports up or timeout */
> +		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) {
> +			print_flag = 1;
> +			printf("done\n");
> +		}
> +	}
> +}
> +
> +static uint16_t
> +find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id)
> +{
> +	uint16_t cdev_id, cnt;
> +	struct rte_cryptodev_info info;
> +
> +	cnt = rte_cryptodev_count();
> +	for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) {
> +		rte_cryptodev_info_get(cdev_id, &info);
> +		if (info.dev_type == cdev_type)
> +			return cdev_id;
> +	}
> +
> +	return -1;
> +}
> +
> +static uint16_t
> +find_cdev_socket(int socket_id, unsigned cdev_type)
> +{
> +	uint16_t cdev_id, cnt;
> +	struct rte_cryptodev_info info;
> +	int cdev_socket;
> +
> +	cnt = rte_cryptodev_count();
> +	for (cdev_id = 0; cdev_id < cnt; cdev_id++) {
> +		rte_cryptodev_info_get(cdev_id, &info);
> +		cdev_socket = rte_cryptodev_socket_id(cdev_id);
> +		if ((info.dev_type == cdev_type) && (cdev_socket == socket_id))
> +			return cdev_id;
> +	}
> +
> +	return -1;
> +}
> +
> +static int
> +cryptodevs_init(void)
> +{
> +	struct rte_cryptodev_config dev_conf;
> +	struct rte_cryptodev_qp_conf qp_conf;
> +	struct lcore_conf *qconf;
> +	uint16_t cnt, lcore_id, cdev_id;
> +	int ret, i, socket_id;
> +
> +	if (cdev_type == RTE_CRYPTODEV_QAT_PMD) {
> +		cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD);
> +		printf("Found %u QAT devices\n", cnt);
> +		if (cnt < nb_lcores)
> +			rte_panic("Not enough QAT devices detected, "
> +					"need %u (1 per core), found %d\n",
> +					nb_lcores, cnt);
> +	} else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
> +		printf("Initializing %u AESNI vdevs\n", rte_lcore_count());

Is it possible to remove PMD specific Initialization code from the
application and move driver layer so that new crypto pmd inclusion will
not have any change in this place.

> +		for (i = 0; i < (int)rte_lcore_count(); i++) {
> +			ret = rte_eal_vdev_init(
> +					CRYPTODEV_NAME_AESNI_MB_PMD,
> +					NULL);
> +			if (ret < 0)
> +				rte_panic("Failed to create AESNI-MB vdev\n");
> +		}
> +	} else
> +		rte_panic("Need to set cryptodev type option --cdev\n");
> +
> +	cdev_id = 0;
> +	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
> +		if (rte_lcore_is_enabled(lcore_id) == 0)
> +			continue;
> +
> +		socket_id = rte_lcore_to_socket_id(lcore_id);
> +		cdev_id = find_next_cdev(cdev_type, cdev_id);
> +		qconf = &lcore_conf[lcore_id];
> +		qconf->cdev = cdev_id;
> +		qconf->cdev_q = 0;
> +		if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
> +			dev_conf.socket_id = socket_id;
> +			printf("Initializing AESNI-MB device %u socket %u\n",
> +					cdev_id, socket_id);
> +		} else {
> +			dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
> +			printf("Initialising QAT device %u\n", cdev_id);
> +		}
> +
> +		dev_conf.nb_queue_pairs = 1;
> +		dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS;
> +		dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ;
> +
> +		if (rte_cryptodev_configure(cdev_id, &dev_conf))
> +			rte_panic("Failed to initialize crypodev %u\n",
> +					cdev_id);
> +
> +		qp_conf.nb_descriptors = CDEV_MP_NB_OBJS;
> +		if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf,
> +					dev_conf.socket_id))
> +			rte_panic("Failed to setup queue %u for cdev_id %u\n",
> +					0, cdev_id);
> +		cdev_id++;
> +	}
> +
> +	return 0;
> +}
> +
> +static void
> +port_init(uint8_t portid)
> +{
> +	struct rte_eth_dev_info dev_info;
> +	struct rte_eth_txconf *txconf;
> +	uint16_t nb_tx_queue, nb_rx_queue;
> +	uint16_t tx_queueid, rx_queueid, queue, lcore_id;
> +	int ret, socket_id;
> +	struct lcore_conf *qconf;
> +	struct ether_addr ethaddr;
> +
> +	rte_eth_dev_info_get(portid, &dev_info);
> +
> +	printf("Configuring device port %u:\n", portid);
> +
> +	rte_eth_macaddr_get(portid, &ethaddr);
> +	ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
> +	print_ethaddr("Address: ", &ethaddr);
> +	printf("\n");
> +
> +	nb_rx_queue = get_port_nb_rx_queues(portid);
> +	nb_tx_queue = nb_lcores;
> +
> +	if (nb_rx_queue > dev_info.max_rx_queues)
> +		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
> +				"(max rx queue is %u)\n",
> +				nb_rx_queue, dev_info.max_rx_queues);
> +
> +	if (nb_tx_queue > dev_info.max_tx_queues)
> +		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
> +				"(max tx queue is %u)\n",
> +				nb_tx_queue, dev_info.max_tx_queues);
> +
> +	printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n",
> +			nb_rx_queue, nb_tx_queue);
> +
> +	ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue,
> +			&port_conf);
> +	if (ret < 0)
> +		rte_exit(EXIT_FAILURE, "Cannot configure device: "
> +				"err=%d, port=%d\n", ret, portid);
> +
> +	/* init one TX queue per lcore */
> +	tx_queueid = 0;
> +	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
> +		if (rte_lcore_is_enabled(lcore_id) == 0)
> +			continue;
> +
> +		if (numa_on)
> +			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
> +		else
> +			socket_id = 0;
> +
> +		/* init TX queue */
> +		printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id);
> +
> +		txconf = &dev_info.default_txconf;
> +		txconf->txq_flags = 0;
> +
> +		ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd,
> +				socket_id, txconf);
> +		if (ret < 0)
> +			rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: "
> +					"err=%d, port=%d\n", ret, portid);
> +
> +		qconf = &lcore_conf[lcore_id];
> +		qconf->tx_queue_id[portid] = tx_queueid;
> +		tx_queueid++;
> +
> +		/* init RX queues */
> +		for (queue = 0; queue < qconf->nb_rx_queue; ++queue) {
> +			if (portid != qconf->rx_queue_list[queue].port_id)
> +				continue;
> +
> +			rx_queueid = qconf->rx_queue_list[queue].queue_id;
> +
> +			printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid,
> +					socket_id);
> +
> +			ret = rte_eth_rx_queue_setup(portid, rx_queueid,
> +					nb_rxd,	socket_id, NULL,
> +					socket_ctx[socket_id].mbuf_pool);
> +			if (ret < 0)
> +				rte_exit(EXIT_FAILURE,
> +					"rte_eth_rx_queue_setup: err=%d, "
> +					"port=%d\n", ret, portid);
> +		}
> +	}
> +	printf("\n");
> +}
> +
> +static void
> +pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf)
> +{
> +	char s[64];
> +
> +	snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id);
> +	ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf,
> +			MEMPOOL_CACHE_SIZE, ipsec_metadata_size(),
> +			RTE_MBUF_DEFAULT_BUF_SIZE,
> +			socket_id);
> +	if (ctx->mbuf_pool == NULL)
> +		rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n",
> +				socket_id);
> +	else
> +		printf("Allocated mbuf pool on socket %d\n", socket_id);
> +}
> +
> +int
> +main(int argc, char **argv)
> +{
> +	int ret;
> +	unsigned lcore_id, nb_ports;
> +	uint8_t portid, socket_id;
> +
> +	/* init EAL */
> +	ret = rte_eal_init(argc, argv);
> +	if (ret < 0)
> +		rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n");
> +	argc -= ret;
> +	argv += ret;
> +
> +	/* parse application arguments (after the EAL ones) */
> +	ret = parse_args(argc, argv);
> +	if (ret < 0)
> +		rte_exit(EXIT_FAILURE, "Invalid parameters\n");
> +
> +	if (ep < 0)
> +		rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n");
> +
> +	if ((unprotected_port_mask & enabled_port_mask) !=
> +			unprotected_port_mask)
> +		rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n",
> +				unprotected_port_mask);
> +
> +	nb_ports = rte_eth_dev_count();
> +	if (nb_ports > RTE_MAX_ETHPORTS)
> +		nb_ports = RTE_MAX_ETHPORTS;
> +
> +	if (check_params() < 0)
> +		rte_exit(EXIT_FAILURE, "check_params failed\n");
> +
> +	ret = init_lcore_rx_queues();
> +	if (ret < 0)
> +		rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n");
> +
> +	nb_lcores = rte_lcore_count();
> +
> +	cryptodevs_init();
> +
> +	/* Replicate each contex per socket */
> +	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
> +		if (rte_lcore_is_enabled(lcore_id) == 0)
> +			continue;
> +
> +		if (numa_on)
> +			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
> +		else
> +			socket_id = 0;
> +
> +		if (socket_ctx[socket_id].mbuf_pool)
> +			continue;
> +
> +		sa_init(&socket_ctx[socket_id], socket_id, ep,
> +				find_cdev_socket(socket_id, cdev_type));
> +
> +		sp_init(&socket_ctx[socket_id], socket_id, ep);
> +
> +		rt_init(&socket_ctx[socket_id], socket_id, ep);
> +
> +		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
> +	}
> +
> +	for (portid = 0; portid < nb_ports; portid++) {
> +		if ((enabled_port_mask & (1 << portid)) == 0)
> +			continue;
> +
> +		port_init(portid);
> +	}
> +
> +	/* start ports */
> +	for (portid = 0; portid < nb_ports; portid++) {
> +		if ((enabled_port_mask & (1 << portid)) == 0)
> +			continue;
> +
> +		/* Start device */
> +		ret = rte_eth_dev_start(portid);
> +		if (ret < 0)
> +			rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
> +					"err=%d, port=%d\n", ret, portid);
> +		/*
> +		 * If enabled, put device in promiscuous mode.
> +		 * This allows IO forwarding mode to forward packets
> +		 * to itself through 2 cross-connected  ports of the
> +		 * target machine.
> +		 */
> +		if (promiscuous_on)
> +			rte_eth_promiscuous_enable(portid);
> +	}
> +
> +	check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask);
> +
> +	/* launch per-lcore init on every lcore */
> +	rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER);
> +	RTE_LCORE_FOREACH_SLAVE(lcore_id) {
> +		if (rte_eal_wait_lcore(lcore_id) < 0)
> +			return -1;
> +	}
> +
> +	return 0;
> +}
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> new file mode 100644
> index 0000000..83e3326
> --- /dev/null
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -0,0 +1,138 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +#include <netinet/in.h>
> +#include <netinet/ip.h>
> +
> +#include <rte_branch_prediction.h>
> +#include <rte_log.h>
> +#include <rte_crypto.h>
> +#include <rte_cryptodev.h>
> +#include <rte_mbuf.h>
> +
> +#include "ipsec.h"
> +
> +static inline uint16_t
> +ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[],
> +		struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts)
> +{
> +	int ret, i, j;
> +	struct ipsec_mbuf_metadata *priv;
> +	struct rte_mbuf_offload *ol;
> +	struct ipsec_sa *sa;
> +
> +	j = 0;
> +	for (i = 0; i < nb_pkts; i++) {
> +		rte_prefetch0(sas[i]);
> +		rte_prefetch0(pkts[i]);
> +
> +		priv = get_priv(pkts[i]);
> +		ol = &priv->ol;
> +		sa = sas[i];
> +		priv->sa = sa;
> +
> +		IPSEC_ASSERT(sa != NULL);
> +
> +		__rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO);
> +
> +		rte_crypto_op_attach_session(&ol->op.crypto,
> +				sa->crypto_session);
> +
> +		pkts[i]->offload_ops = ol;
> +
> +		ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto);
> +		if (unlikely(ret))
> +			rte_pktmbuf_free(pkts[i]);
> +		else
> +			pkts[j++] = pkts[i];
> +	}
> +	nb_pkts = j;
> +
> +	ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts);
> +	if (ret < nb_pkts) {
> +		IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
> +				" enqueued %u packets (out of %u)\n",
> +				 cdev_id, qp_id, ret, nb_pkts);
> +		for (i = ret; i < nb_pkts; i++)
> +			rte_pktmbuf_free(pkts[i]);
> +	}
> +
> +	nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts);
> +	if ((nb_pkts != 0) && (nb_pkts < max_pkts))
> +		IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
> +				" dequeued %u packets (out of %u)\n",
> +				 cdev_id, qp_id, nb_pkts, max_pkts);
> +
> +	j = 0;
> +	for (i = 0; i < nb_pkts; i++) {
> +		rte_prefetch0(pkts[i]);
> +
> +		priv = get_priv(pkts[i]);
> +		ol = &priv->ol;
> +		sa = priv->sa;
> +		rte_prefetch0(sa);
> +
> +		IPSEC_ASSERT(sa != NULL);
> +
> +		ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto);
> +		if (unlikely(ret))
> +			rte_pktmbuf_free(pkts[i]);
> +		else
> +			pkts[j++] = pkts[i];
> +	}
> +
> +	/* return packets */
> +	return j;
> +}
> +
> +uint16_t
> +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
> +		uint16_t nb_pkts, uint16_t len)
> +{
> +	struct ipsec_sa *sas[nb_pkts];
> +
> +	inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts);
> +
> +	return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
> +}
> +
> +uint16_t
> +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
> +		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len)
> +{
> +	struct ipsec_sa *sas[nb_pkts];
> +
> +	outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts);
> +
> +	return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
> +}
> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> new file mode 100644
> index 0000000..abf9d5f
> --- /dev/null
> +++ b/examples/ipsec-secgw/ipsec.h
> @@ -0,0 +1,184 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +#ifndef __IPSEC_H__
> +#define __IPSEC_H__
> +
> +#include <stdint.h>
> +#include <netinet/in.h>
> +#include <netinet/ip.h>
> +
> +#include <rte_mbuf_offload.h>
> +#include <rte_byteorder.h>
> +#include <rte_ip.h>
> +
> +#define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
> +#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
> +#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3
> +
> +#ifdef IPSEC_DEBUG
> +#define IPSEC_ASSERT(exp)                                            \
> +if (!(exp)) {                                                        \
> +	rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \
> +}
> +
> +#define IPSEC_LOG RTE_LOG
> +#else
> +#define IPSEC_ASSERT(exp) do {} while (0)
> +#define IPSEC_LOG(...) do {} while (0)
> +#endif /* IPSEC_DEBUG */
> +
> +#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
> +
> +#define uint32_t_to_char(ip, a, b, c, d) do {\
> +		*a = (unsigned char)(ip >> 24 & 0xff);\
> +		*b = (unsigned char)(ip >> 16 & 0xff);\
> +		*c = (unsigned char)(ip >> 8 & 0xff);\
> +		*d = (unsigned char)(ip & 0xff);\
> +	} while (0)
> +
> +#define DEFAULT_MAX_CATEGORIES	1
> +
> +#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */
> +#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
> +#define INVALID_SPI (0)
> +
> +#define DISCARD (0x80000000)
> +#define BYPASS (0x40000000)
> +#define PROTECT_MASK (0x3fffffff)
> +#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */
> +
> +#define IPSEC_XFORM_MAX 2
> +
> +struct rte_crypto_xform;
> +struct ipsec_xform;
> +struct rte_cryptodev_session;
> +struct rte_mbuf;
> +
> +struct replay {
> +	uint32_t seq_h;
> +};
> +
> +struct lifetime {
> +	uint64_t bytes;
> +	uint64_t seconds;
> +};
> +
> +struct ipsec_sa;
> +
> +typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
> +		struct rte_crypto_op *cop);
> +
> +struct ipsec_sa {
> +	uint32_t spi;
> +	uint32_t seq;
> +	uint32_t src;
> +	uint32_t dst;
> +	struct rte_cryptodev_session *crypto_session;
> +	struct rte_crypto_xform *xforms;
> +	enum rte_crypto_cipher_algorithm cipher_algo;
> +	enum rte_crypto_auth_algorithm auth_algo;
> +	uint16_t digest_len;
> +	uint16_t iv_len;
> +	uint16_t block_size;
> +	ipsec_xform_fn pre_crypto;
> +	ipsec_xform_fn post_crypto;
> +	uint32_t flags;
> +	/* does not apply if no automated SA management (IKE) support */
> +	struct lifetime current;
> +	struct lifetime soft;
> +	struct lifetime hard;
> +	struct replay replay;
> +} __rte_cache_aligned;
> +
> +struct ipsec_mbuf_metadata {
> +	struct ipsec_sa *sa;
> +	struct rte_mbuf_offload ol;
> +};
> +
> +struct ipsec_ctx {
> +	uint16_t cdev;
> +	uint16_t queue;
> +	struct sa_ctx *sa_ctx;
> +};
> +
> +struct socket_ctx {
> +	struct sa_ctx *sa_ipv4_in;
> +	struct sa_ctx *sa_ipv4_out;
> +	struct sp_ctx *sp_ipv4_in;
> +	struct sp_ctx *sp_ipv4_out;
> +	struct rt_ctx *rt_ipv4;
> +	struct rte_mempool *mbuf_pool;
> +};
> +
> +uint16_t
> +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
> +		uint16_t nb_pkts, uint16_t len);
> +
> +uint16_t
> +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
> +		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
> +
> +static inline uint16_t
> +ipsec_metadata_size(void)
> +{
> +	return sizeof(struct ipsec_mbuf_metadata);
> +}
> +
> +static inline struct ipsec_mbuf_metadata *
> +get_priv(struct rte_mbuf *m)
> +{
> +	return RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
> +}
> +
> +int
> +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
> +
> +void
> +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
> +		struct ipsec_sa *sa[], uint16_t nb_pkts);
> +
> +void
> +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
> +		struct ipsec_sa *sa[], uint16_t nb_pkts);
> +
> +void
> +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
> +
> +void
> +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id);
> +
> +void
> +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
> +
> +#endif /* __IPSEC_H__ */
> diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c
> new file mode 100644
> index 0000000..82064b2
> --- /dev/null
> +++ b/examples/ipsec-secgw/rt.c
> @@ -0,0 +1,131 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +/*
> + * Routing Table (RT)
> + */
> +#include <rte_lpm.h>
> +#include <rte_errno.h>
> +
> +#include "ipsec.h"
> +
> +#define RT_IPV4_MAX_RULES         64
> +
> +struct ipv4_route {
> +	uint32_t ip;
> +	uint8_t  depth;
> +	uint8_t  if_out;
> +};
> +
> +/* In the default routing table we have:
> + * ep0 protected ports 0 and 1, and unprotected ports 2 and 3.
> + */
> +static struct ipv4_route rt_ipv4_ep0[] = {
> +	{ IPv4(172, 16, 2, 5), 32, 0 },
> +	{ IPv4(172, 16, 2, 6), 32, 0 },
> +	{ IPv4(172, 16, 2, 7), 32, 1 },
> +	{ IPv4(172, 16, 2, 8), 32, 1 },
> +
> +	{ IPv4(192, 168, 115, 0), 24, 2 },
> +	{ IPv4(192, 168, 116, 0), 24, 2 },
> +	{ IPv4(192, 168, 117, 0), 24, 3 },
> +	{ IPv4(192, 168, 118, 0), 24, 3 }
> +};
> +
> +/* In the default routing table we have:
> + * ep1 protected ports 0 and 1, and unprotected ports 2 and 3.
> + */
> +static struct ipv4_route rt_ipv4_ep1[] = {
> +	{ IPv4(172, 16, 1, 5), 32, 2 },
> +	{ IPv4(172, 16, 1, 6), 32, 2 },
> +	{ IPv4(172, 16, 1, 7), 32, 3 },
> +	{ IPv4(172, 16, 1, 8), 32, 3 },
> +
> +	{ IPv4(192, 168, 105, 0), 24, 0 },
> +	{ IPv4(192, 168, 106, 0), 24, 0 },
> +	{ IPv4(192, 168, 107, 0), 24, 1 },
> +	{ IPv4(192, 168, 108, 0), 24, 1 }
> +};
> +
> +void
> +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
> +{
> +	char name[PATH_MAX];
> +	unsigned i;
> +	int ret;
> +	struct rte_lpm *lpm;
> +	struct ipv4_route *rt;
> +	char a, b, c, d;
> +	unsigned nb_routes;
> +
> +	if (ctx == NULL)
> +		rte_exit(EXIT_FAILURE, "NULL context.\n");
> +
> +	if (ctx->rt_ipv4 != NULL)
> +		rte_exit(EXIT_FAILURE, "Routing Table for socket %u already "
> +			"initialized\n", socket_id);
> +
> +	printf("Creating Routing Table (RT) context with %u max routes\n",
> +			RT_IPV4_MAX_RULES);
> +
> +	if (ep == 0) {
> +		rt = rt_ipv4_ep0;
> +		nb_routes = RTE_DIM(rt_ipv4_ep0);
> +	} else if (ep == 1) {
> +		rt = rt_ipv4_ep1;
> +		nb_routes = RTE_DIM(rt_ipv4_ep1);
> +	} else
> +		rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 "
> +			"supported.\n", ep);
> +
> +	/* create the LPM table */
> +	snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id);
> +	lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0);
> +	if (lpm == NULL)
> +		rte_exit(EXIT_FAILURE, "Unable to create LPM table "
> +			"on socket %d\n", socket_id);
> +
> +	/* populate the LPM table */
> +	for (i = 0; i < nb_routes; i++) {
> +		ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out);
> +		if (ret < 0)
> +			rte_exit(EXIT_FAILURE, "Unable to add entry num %u to "
> +				"LPM table on socket %d\n", i, socket_id);
> +
> +		uint32_t_to_char(rt[i].ip, &a, &b, &c, &d);
> +		printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n",
> +				a, b, c, d, rt[i].depth, rt[i].if_out);
> +	}
> +
> +	ctx->rt_ipv4 = (struct rt_ctx *)lpm;
> +}
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> new file mode 100644
> index 0000000..5ea7592
> --- /dev/null
> +++ b/examples/ipsec-secgw/sa.c
> @@ -0,0 +1,391 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +/*
> + * Security Associations
> + */
> +#include <netinet/ip.h>
> +
> +#include <rte_memzone.h>
> +#include <rte_crypto.h>
> +#include <rte_cryptodev.h>
> +#include <rte_byteorder.h>
> +#include <rte_errno.h>
> +
> +#include "ipsec.h"
> +#include "esp.h"
> +
> +/* SAs EP0 Outbound */
> +const struct ipsec_sa sa_ep0_out[] = {
> +	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_outbound_pre_crypto,
> +		esp4_tunnel_outbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_outbound_pre_crypto,
> +		esp4_tunnel_outbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_outbound_pre_crypto,
> +		esp4_tunnel_outbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,

IMO, a SA with NULL crypto (rfc2410) operation will be useful for ESP
packet processing debugging and measuring the performance impact with
the crypto block in fast path. 


> +		12, 16, 16,
> +		esp4_tunnel_outbound_pre_crypto,
> +		esp4_tunnel_outbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
> +};
> +
> +/* SAs EP0 Inbound */
> +const struct ipsec_sa sa_ep0_in[] = {
> +	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_inbound_pre_crypto,
> +		esp4_tunnel_inbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_inbound_pre_crypto,
> +		esp4_tunnel_inbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_inbound_pre_crypto,
> +		esp4_tunnel_inbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_inbound_pre_crypto,
> +		esp4_tunnel_inbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
> +};
> +
> +/* SAs EP1 Outbound */
> +const struct ipsec_sa sa_ep1_out[] = {
> +	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_outbound_pre_crypto,
> +		esp4_tunnel_outbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_outbound_pre_crypto,
> +		esp4_tunnel_outbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_outbound_pre_crypto,
> +		esp4_tunnel_outbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_outbound_pre_crypto,
> +		esp4_tunnel_outbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
> +};
> +
> +/* SAs EP1 Inbound */
> +const struct ipsec_sa sa_ep1_in[] = {
> +	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_inbound_pre_crypto,
> +		esp4_tunnel_inbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_inbound_pre_crypto,
> +		esp4_tunnel_inbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_inbound_pre_crypto,
> +		esp4_tunnel_inbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> +	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
> +		NULL, NULL,
> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		12, 16, 16,
> +		esp4_tunnel_inbound_pre_crypto,
> +		esp4_tunnel_inbound_post_crypto,
> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
> +};
> +
> +static uint8_t cipher_key[256] = "sixteenbytes key";
> +
> +/* AES CBC xform */
> +const struct rte_crypto_xform aescbc_enc_xf = {
> +	NULL,
> +	RTE_CRYPTO_XFORM_CIPHER,
> +	.cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
> +		.key = { cipher_key, 0, 16 } }
> +};
> +
> +const struct rte_crypto_xform aescbc_dec_xf = {
> +	NULL,
> +	RTE_CRYPTO_XFORM_CIPHER,
> +	.cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
> +		.key = { cipher_key, 0, 16 } }
> +};
> +
> +static uint8_t auth_key[256] = "twentybytes hash key";
> +
> +/* SHA1 HMAC xform */
> +const struct rte_crypto_xform sha1hmac_gen_xf = {
> +	NULL,
> +	RTE_CRYPTO_XFORM_AUTH,
> +	.auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		.key = { auth_key, 0, 20 }, 12, 0 }
> +};
> +
> +const struct rte_crypto_xform sha1hmac_verify_xf = {
> +	NULL,
> +	RTE_CRYPTO_XFORM_AUTH,
> +	.auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC,
> +		.key = { auth_key, 0, 20 }, 12, 0 }
> +};
> +
> +struct sa_ctx {
> +	struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES];
> +	struct {
> +		struct rte_crypto_xform a;
> +		struct rte_crypto_xform b;
> +	} xf[IPSEC_SA_MAX_ENTRIES];
> +};
> +
> +static struct sa_ctx *
> +sa_ipv4_create(const char *name, int socket_id)
> +{
> +	char s[PATH_MAX];
> +	struct sa_ctx *sa_ctx;
> +	unsigned mz_size;
> +	const struct rte_memzone *mz;
> +
> +	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
> +
> +	/* Create SA array table */
> +	printf("Creating SA context with %u maximum entries\n",
> +			IPSEC_SA_MAX_ENTRIES);
> +
> +	mz_size = sizeof(struct sa_ctx);
> +	mz = rte_memzone_reserve(s, mz_size, socket_id,
> +			RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
> +	if (mz == NULL) {
> +		printf("Failed to allocate SA DB memory\n");
> +		rte_errno = -ENOMEM;
> +		return NULL;
> +	}
> +
> +	sa_ctx = (struct sa_ctx *)mz->addr;
> +
> +	return sa_ctx;
> +}
> +
> +static int
> +sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> +		unsigned nb_entries, uint16_t cdev_id, unsigned inbound)
> +{
> +	struct ipsec_sa *sa;
> +	unsigned i, idx;
> +
> +	for (i = 0; i < nb_entries; i++) {
> +		idx = SPI2IDX(entries[i].spi);
> +		sa = &sa_ctx->sa[idx];
> +		if (sa->spi != 0) {
> +			printf("Index %u already in use by SPI %u\n",
> +					idx, sa->spi);
> +			return -EINVAL;
> +		}
> +		*sa = entries[i];
> +		sa->src = rte_cpu_to_be_32(sa->src);
> +		sa->dst = rte_cpu_to_be_32(sa->dst);
> +		if (inbound) {
> +			sa_ctx->xf[idx].a = sha1hmac_verify_xf;
> +			sa_ctx->xf[idx].b = aescbc_dec_xf;
> +		} else { /* outbound */
> +			sa_ctx->xf[idx].a = aescbc_enc_xf;
> +			sa_ctx->xf[idx].b = sha1hmac_gen_xf;
> +		}
> +		sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
> +		sa_ctx->xf[idx].b.next = NULL;
> +		sa->xforms = &sa_ctx->xf[idx].a;
> +
> +		sa->crypto_session = rte_cryptodev_session_create(cdev_id,
> +				sa->xforms);
> +	}
> +
> +	return 0;
> +}
> +
> +static inline int
> +sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> +		unsigned nb_entries, uint16_t cdev_id)
> +{
> +	return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0);
> +}
> +
> +static inline int
> +sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> +		unsigned nb_entries, uint16_t cdev_id)
> +{
> +	return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1);
> +}
> +
> +void
> +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id)
> +{
> +	const struct ipsec_sa *sa_out_entries, *sa_in_entries;
> +	unsigned nb_out_entries, nb_in_entries;
> +	const char *name;
> +
> +	if (ctx == NULL)
> +		rte_exit(EXIT_FAILURE, "NULL context.\n");
> +
> +	if (ctx->sa_ipv4_in != NULL)
> +		rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already "
> +				"initialized\n", socket_id);
> +
> +	if (ctx->sa_ipv4_out != NULL)
> +		rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already "
> +				"initialized\n", socket_id);
> +
> +	if (ep == 0) {
> +		sa_out_entries = sa_ep0_out;
> +		nb_out_entries = RTE_DIM(sa_ep0_out);
> +		sa_in_entries = sa_ep0_in;
> +		nb_in_entries = RTE_DIM(sa_ep0_in);
> +	} else if (ep == 1) {
> +		sa_out_entries = sa_ep1_out;
> +		nb_out_entries = RTE_DIM(sa_ep1_out);
> +		sa_in_entries = sa_ep1_in;
> +		nb_in_entries = RTE_DIM(sa_ep1_in);
> +	} else
> +		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
> +				"Only 0 or 1 supported.\n", ep);
> +
> +	name = "sa_ipv4_in";
> +	ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id);
> +	if (ctx->sa_ipv4_in == NULL)
> +		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
> +				"in socket %d\n", rte_errno, name, socket_id);
> +
> +	name = "sa_ipv4_out";
> +	ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id);
> +	if (ctx->sa_ipv4_out == NULL)
> +		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
> +				"in socket %d\n", rte_errno, name, socket_id);
> +
> +	sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries,
> +			nb_in_entries, cdev_id);
> +
> +	sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries,
> +			nb_out_entries, cdev_id);
> +}
> +
> +int
> +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx)
> +{
> +	struct ipsec_mbuf_metadata *priv;
> +
> +	priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
> +
> +	return (sa_ctx->sa[sa_idx].spi == priv->sa->spi);
> +}
> +
> +void
> +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
> +		struct ipsec_sa *sa[], uint16_t nb_pkts)
> +{
> +	unsigned i;
> +	uint32_t *src, spi;
> +
> +	for (i = 0; i < nb_pkts; i++) {
> +		spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *,
> +				sizeof(struct ip))->spi;
> +		if (spi == INVALID_SPI)
> +			continue;
> +
> +		sa[i] = &sa_ctx->sa[SPI2IDX(spi)];
> +		if (spi != sa[i]->spi) {
> +			sa[i] = NULL;
> +			continue;
> +		}
> +
> +		src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *,
> +				offsetof(struct ip, ip_src));
> +		if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1)))
> +			sa[i] = NULL;
> +	}
> +}
> +
> +void
> +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
> +		struct ipsec_sa *sa[], uint16_t nb_pkts)
> +{
> +	unsigned i;
> +
> +	for (i = 0; i < nb_pkts; i++)
> +		sa[i] = &sa_ctx->sa[sa_idx[i]];
> +}
> diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c
> new file mode 100644
> index 0000000..219e478
> --- /dev/null
> +++ b/examples/ipsec-secgw/sp.c
> @@ -0,0 +1,324 @@
> +/*-
> + *   BSD LICENSE
> + *
> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> + *   All rights reserved.
> + *
> + *   Redistribution and use in source and binary forms, with or without
> + *   modification, are permitted provided that the following conditions
> + *   are met:
> + *
> + *     * Redistributions of source code must retain the above copyright
> + *       notice, this list of conditions and the following disclaimer.
> + *     * Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> + *       the documentation and/or other materials provided with the
> + *       distribution.
> + *     * Neither the name of Intel Corporation nor the names of its
> + *       contributors may be used to endorse or promote products derived
> + *       from this software without specific prior written permission.
> + *
> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +/*
> + * Security Policies
> + */
> +#include <netinet/ip.h>
> +
> +#include <rte_acl.h>
> +
> +#include "ipsec.h"
> +
> +#define MAX_ACL_RULE_NUM	1000
> +
> +/*
> + * Rule and trace formats definitions.
> + */
> +enum {
> +	PROTO_FIELD_IPV4,
> +	SRC_FIELD_IPV4,
> +	DST_FIELD_IPV4,
> +	SRCP_FIELD_IPV4,
> +	DSTP_FIELD_IPV4,
> +	NUM_FIELDS_IPV4
> +};
> +
> +/*
> + * That effectively defines order of IPV4 classifications:
> + *  - PROTO
> + *  - SRC IP ADDRESS
> + *  - DST IP ADDRESS
> + *  - PORTS (SRC and DST)
> + */
> +enum {
> +	RTE_ACL_IPV4_PROTO,
> +	RTE_ACL_IPV4_SRC,
> +	RTE_ACL_IPV4_DST,
> +	RTE_ACL_IPV4_PORTS,
> +	RTE_ACL_IPV4_NUM
> +};
> +
> +struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
> +	{
> +	.type = RTE_ACL_FIELD_TYPE_BITMASK,
> +	.size = sizeof(uint8_t),
> +	.field_index = PROTO_FIELD_IPV4,
> +	.input_index = RTE_ACL_IPV4_PROTO,
> +	.offset = 0,
> +	},
> +	{
> +	.type = RTE_ACL_FIELD_TYPE_MASK,
> +	.size = sizeof(uint32_t),
> +	.field_index = SRC_FIELD_IPV4,
> +	.input_index = RTE_ACL_IPV4_SRC,
> +	.offset = offsetof(struct ip, ip_src) -	offsetof(struct ip, ip_p)
> +	},
> +	{
> +	.type = RTE_ACL_FIELD_TYPE_MASK,
> +	.size = sizeof(uint32_t),
> +	.field_index = DST_FIELD_IPV4,
> +	.input_index = RTE_ACL_IPV4_DST,
> +	.offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
> +	},
> +	{
> +	.type = RTE_ACL_FIELD_TYPE_RANGE,
> +	.size = sizeof(uint16_t),
> +	.field_index = SRCP_FIELD_IPV4,
> +	.input_index = RTE_ACL_IPV4_PORTS,
> +	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
> +	},
> +	{
> +	.type = RTE_ACL_FIELD_TYPE_RANGE,
> +	.size = sizeof(uint16_t),
> +	.field_index = DSTP_FIELD_IPV4,
> +	.input_index = RTE_ACL_IPV4_PORTS,
> +	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
> +		sizeof(uint16_t)
> +	},
> +};
> +
> +RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs));
> +
> +const struct acl4_rules acl4_rules_in[] = {
> +	{
> +	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
> +	/* destination IPv4 */
> +	.field[2] = {.value.u32 = IPv4(192, 168, 105, 0),
> +				.mask_range.u32 = 24,},
> +	/* source port */
> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> +	/* destination port */
> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> +	},
> +	{
> +	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
> +	/* destination IPv4 */
> +	.field[2] = {.value.u32 = IPv4(192, 168, 106, 0),
> +				.mask_range.u32 = 24,},
> +	/* source port */
> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> +	/* destination port */
> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> +	},
> +	{
> +	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
> +	/* destination IPv4 */
> +	.field[2] = {.value.u32 = IPv4(192, 168, 107, 0),
> +				.mask_range.u32 = 24,},
> +	/* source port */
> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> +	/* destination port */
> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> +	},
> +	{
> +	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
> +	/* destination IPv4 */
> +	.field[2] = {.value.u32 = IPv4(192, 168, 108, 0),
> +				.mask_range.u32 = 24,},
> +	/* source port */
> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> +	/* destination port */
> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> +	}
> +};
> +
> +const struct acl4_rules acl4_rules_out[] = {
> +	{
> +	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
> +	/* destination IPv4 */
> +	.field[2] = {.value.u32 = IPv4(192, 168, 115, 0),
> +				.mask_range.u32 = 24,},
> +	/* source port */
> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> +	/* destination port */
> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> +	},
> +	{
> +	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
> +	/* destination IPv4 */
> +	.field[2] = {.value.u32 = IPv4(192, 168, 116, 0),
> +				.mask_range.u32 = 24,},
> +	/* source port */
> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> +	/* destination port */
> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> +	},
> +	{
> +	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
> +	/* destination IPv4 */
> +	.field[2] = {.value.u32 = IPv4(192, 168, 117, 0),
> +				.mask_range.u32 = 24,},
> +	/* source port */
> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> +	/* destination port */
> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> +	},
> +	{
> +	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
> +	/* destination IPv4 */
> +	.field[2] = {.value.u32 = IPv4(192, 168, 118, 0),
> +				.mask_range.u32 = 24,},
> +	/* source port */
> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> +	/* destination port */
> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> +	}
> +};
> +
> +static void
> +print_one_ipv4_rule(const struct acl4_rules *rule, int extra)
> +{
> +	unsigned char a, b, c, d;
> +
> +	uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
> +			&a, &b, &c, &d);
> +	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
> +			rule->field[SRC_FIELD_IPV4].mask_range.u32);
> +	uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
> +			&a, &b, &c, &d);
> +	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
> +			rule->field[DST_FIELD_IPV4].mask_range.u32);
> +	printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
> +		rule->field[SRCP_FIELD_IPV4].value.u16,
> +		rule->field[SRCP_FIELD_IPV4].mask_range.u16,
> +		rule->field[DSTP_FIELD_IPV4].value.u16,
> +		rule->field[DSTP_FIELD_IPV4].mask_range.u16,
> +		rule->field[PROTO_FIELD_IPV4].value.u8,
> +		rule->field[PROTO_FIELD_IPV4].mask_range.u8);
> +	if (extra)
> +		printf("0x%x-0x%x-0x%x ",
> +			rule->data.category_mask,
> +			rule->data.priority,
> +			rule->data.userdata);
> +}
> +
> +static inline void
> +dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra)
> +{
> +	int i;
> +
> +	for (i = 0; i < num; i++, rule++) {
> +		printf("\t%d:", i + 1);
> +		print_one_ipv4_rule(rule, extra);
> +		printf("\n");
> +	}
> +}
> +
> +static struct rte_acl_ctx *
> +acl4_init(const char *name, int socketid, const struct acl4_rules *rules,
> +		unsigned rules_nb)
> +{
> +	char s[PATH_MAX];
> +	struct rte_acl_param acl_param;
> +	struct rte_acl_config acl_build_param;
> +	struct rte_acl_ctx *ctx;
> +
> +	printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
> +
> +	memset(&acl_param, 0, sizeof(acl_param));
> +
> +	/* Create ACL contexts */
> +	snprintf(s, sizeof(s), "%s_%d", name, socketid);
> +
> +	printf("IPv4 %s entries [%u]:\n", s, rules_nb);
> +	dump_ipv4_rules(rules, rules_nb, 1);
> +
> +	acl_param.name = s;
> +	acl_param.socket_id = socketid;
> +	acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs));
> +	acl_param.max_rule_num = MAX_ACL_RULE_NUM;
> +
> +	ctx = rte_acl_create(&acl_param);
> +	if (ctx == NULL)
> +		rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
> +
> +	if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
> +				rules_nb) < 0)
> +		rte_exit(EXIT_FAILURE, "add rules failed\n");
> +
> +	/* Perform builds */
> +	memset(&acl_build_param, 0, sizeof(acl_build_param));
> +
> +	acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
> +	acl_build_param.num_fields = rules_nb;
> +	memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs));
> +
> +	if (rte_acl_build(ctx, &acl_build_param) != 0)
> +		rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
> +
> +	rte_acl_dump(ctx);
> +
> +	return ctx;
> +}
> +
> +void
> +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
> +{
> +	const char *name;
> +	const struct acl4_rules *rules_out, *rules_in;
> +	unsigned nb_out_rules, nb_in_rules;
> +
> +	if (ctx == NULL)
> +		rte_exit(EXIT_FAILURE, "NULL context.\n");
> +
> +	if (ctx->sp_ipv4_in != NULL)
> +		rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
> +				"initialized\n", socket_id);
> +
> +	if (ctx->sp_ipv4_out != NULL)
> +		rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
> +				"initialized\n", socket_id);
> +
> +	if (ep == 0) {
> +		rules_out = acl4_rules_in;
> +		nb_out_rules = RTE_DIM(acl4_rules_in);
> +		rules_in = acl4_rules_out;
> +		nb_in_rules = RTE_DIM(acl4_rules_out);
> +	} else if (ep == 1) {
> +		rules_out = acl4_rules_out;
> +		nb_out_rules = RTE_DIM(acl4_rules_out);
> +		rules_in = acl4_rules_in;
> +		nb_in_rules = RTE_DIM(acl4_rules_in);
> +	} else
> +		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
> +				"Only 0 or 1 supported.\n", ep);
> +
> +	name = "sp_ipv4_in";
> +	ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id,
> +			rules_in, nb_in_rules);
> +
> +	name = "sp_ipv4_out";
> +	ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id,
> +			rules_out, nb_out_rules);
> +}
> -- 
> 2.4.3
> 

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
  2016-01-31 14:39 ` Jerin Jacob
@ 2016-02-01 11:09   ` Sergio Gonzalez Monroy
  2016-02-01 11:26     ` Jerin Jacob
  0 siblings, 1 reply; 15+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-02-01 11:09 UTC (permalink / raw)
  To: Jerin Jacob; +Cc: dev

On 31/01/2016 14:39, Jerin Jacob wrote:
> On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote:
>> Sample app implementing an IPsec Security Geteway.
>> The main goal of this app is to show the use of cryptodev framework
>> in a real world application.
>>
>> Currently only supported static IPv4 IPsec tunnels using AES-CBC
>> and HMAC-SHA1.
>>
>> Also, currently not supported:
>> - SA auto negotiation (No IKE support)
>> - chained mbufs
>>
>> Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> Hi Sergio,
>
> Great effort, one of the best highly integrated sample DPDK application
> (ethernet, acl, crypto and lpm)
>
>> ---
>>   MAINTAINERS                              |    4 +
>>   doc/guides/sample_app_ug/index.rst       |    1 +
>>   doc/guides/sample_app_ug/ipsec_secgw.rst |  440 +++++++++++
>>   examples/Makefile                        |    2 +
>>   examples/ipsec-secgw/Makefile            |   58 ++
>>   examples/ipsec-secgw/esp.c               |  256 +++++++
>>   examples/ipsec-secgw/esp.h               |   66 ++
>>   examples/ipsec-secgw/ipip.h              |  100 +++
>>   examples/ipsec-secgw/ipsec-secgw.c       | 1218 ++++++++++++++++++++++++++++++
>>   examples/ipsec-secgw/ipsec.c             |  138 ++++
>>   examples/ipsec-secgw/ipsec.h             |  184 +++++
>>   examples/ipsec-secgw/rt.c                |  131 ++++
>>   examples/ipsec-secgw/sa.c                |  391 ++++++++++
>>   examples/ipsec-secgw/sp.c                |  324 ++++++++
>>   14 files changed, 3313 insertions(+)
>>   create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst
>>   create mode 100644 examples/ipsec-secgw/Makefile
>>   create mode 100644 examples/ipsec-secgw/esp.c
>>   create mode 100644 examples/ipsec-secgw/esp.h
>>   create mode 100644 examples/ipsec-secgw/ipip.h
>>   create mode 100644 examples/ipsec-secgw/ipsec-secgw.c
>>   create mode 100644 examples/ipsec-secgw/ipsec.c
>>   create mode 100644 examples/ipsec-secgw/ipsec.h
>>   create mode 100644 examples/ipsec-secgw/rt.c
>>   create mode 100644 examples/ipsec-secgw/sa.c
>>   create mode 100644 examples/ipsec-secgw/sp.c
>>
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index b90aeea..996eda6 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst
>>   M: Pablo de Lara <pablo.de.lara.guarch@intel.com>
>>   M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
>>   F: examples/ptpclient/
>> +
>> +M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
>> +F: doc/guides/sample_app_ug/ipsec-secgw.rst
>> +F: examples/ipsec-secgw/
>> diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst
>> index 8a646dd..88375d2 100644
>> --- a/doc/guides/sample_app_ug/index.rst
>> +++ b/doc/guides/sample_app_ug/index.rst
>> @@ -73,6 +73,7 @@ Sample Applications User Guide
>>       proc_info
>>       ptpclient
>>       performance_thread
>> +    ipsec_secgw
>>   
>>   **Figures**
>>   
>> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
>> new file mode 100644
>> index 0000000..7be3f7e
>> --- /dev/null
>> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
>> @@ -0,0 +1,440 @@
>> +..  BSD LICENSE
>> +    Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> +    All rights reserved.
>> +
>> +    Redistribution and use in source and binary forms, with or without
>> +    modification, are permitted provided that the following conditions
>> +    are met:
>> +
>> +    * Redistributions of source code must retain the above copyright
>> +    notice, this list of conditions and the following disclaimer.
>> +    * Redistributions in binary form must reproduce the above copyright
>> +    notice, this list of conditions and the following disclaimer in
>> +    the documentation and/or other materials provided with the
>> +    distribution.
>> +    * Neither the name of Intel Corporation nor the names of its
>> +    contributors may be used to endorse or promote products derived
>> +    from this software without specific prior written permission.
>> +
>> +    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> +    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> +    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> +    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> +    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> +    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> +    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> +    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> +    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> +    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> +    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> +
>> +IPsec Security Gateway Sample Application
>> +=========================================
>> +
>> +The IPsec Security Gateway application is a minimal example of real work
>> +application using DPDK cryptodev framework.
>> +
>> +Overview
>> +--------
>> +
>> +The application demonstrates the implementation of a minimal Security Gateway
>> +(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and
>> +RFC2404.
>> +
>> +Note that IKE is not supported (therefore not IPsec compliant), so only manual
>> +setting of Security Policies and Associations is allowed.
>> +
>> +The Security Policies (SP) are implemented as ACL rules, the Security
>> +Associations (SA) are stored in a table and the Routing is implemented
>> +using LPM.
>> +
>> +The application splits the ports between Protected and Unprotected.
>> +Based on the port the trafic is coming from, the traffic would be consider
>> +IPsec Inbound or Outbound.
>> +Traffic from Unprotected ports is consider IPsec Inbound, and traffic from
>> +Protected ports is consider IPsec Outbound.
>> +
>> +Path for IPsec Inbound traffic:
>> +*  Read packets from the port
>> +*  Classify packets between IPv4 and ESP.
>> +*  Inbound SA lookup for ESP packets based on their SPI
>> +*  Verification/Decryption
>> +*  Removal of ESP and outter IP header
>> +*  Inbound SP check using ACL of decrypted packets and any other IPv4 packet
>> +we read.
>> +*  Routing
>> +*  Write packet to port
>> +
>> +Path for IPsec Outbound traffic:
>> +*  Read packets from the port
>> +*  Outbound SP check using ACL of all IPv4 traffic
>> +*  Outbound SA lookup for packets that need IPsec protection
>> +*  Add ESP and outter IP header
>> +*  Encryption/Digest
>> +*  Routing
>> +*  Write packet to port
>> +
>> +Constraints
>> +-----------
>> +*  IPv4 traffic
>> +*  ESP tunnel mode
>> +*  EAS-CBC and HMAC-SHA1
>> +*  Each SA must be handle by a unique lcore (1 RX queue per port)
>> +*  No chained mbufs
>> +
>> +Compiling the Application
>> +-------------------------
>> +
>> +To compile the application:
>> +
>> +#. Go to the sample application directory:
>> +
>> +   .. code-block:: console
>> +
>> +      export RTE_SDK=/path/to/rte_sdk
>> +      cd ${RTE_SDK}/examples/ipsec-secgw
>> +
>> +#. Set the target (a default target is used if not specified). For example:
>> +
>> +   .. code-block:: console
>> +
>> +      export RTE_TARGET=x86_64-native-linuxapp-gcc
>> +
>> +    See the *DPDK Getting Started Guide* for possible RTE_TARGET values.
>> +
>> +#. Build the application:
>> +
>> +   .. code-block:: console
>> +
>> +       make
>> +
>> +Running the Application
>> +-----------------------
>> +
>> +The application has a number of command line options:
>> +
>> +.. code-block:: console
>> +
>> +   ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config
>> +   (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT
>> +
>> +where,
>> +
>> +*   -p PORTMASK: Hexadecimal bitmask of ports to configure
>> +
>> +*   -P: optional, sets all ports to promiscuous mode so that packets are
>> +    accepted regardless of the packet's Ethernet MAC destination address.
>> +    Without this option, only packets with the Ethernet MAC destination address
>> +    set to the Ethernet address of the port are accepted (default is enabled).
>> +
>> +*   -u PORTMASK: hexadecimal bitmask of unprotected ports
>> +
>> +*   --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues
>> +    from which ports are mapped to which cores
>> +
>> +*   --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto
>> +
>> +*   --EP0: configure the app as Endpoint 0.
>> +
>> +*   --EP1: configure the app as Endpoint 1.
>> +
>> +Either --EP0 or --EP1 must be specified.
>> +
>> +The mapping of lcores to port/queues is similar to other l3fwd applications.
>> +
>> +For example, given the following command line:
>> +.. code-block:: console
>> +
>> +    ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3
>> +    --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0
>> +
>> +where each options means:
>> +
>> +*   The -l option enables cores 20 and 21
>> +
>> +*   The -n option sets memory 4 channels
>> +
>> +*   The --socket-mem to use 2GB on socket 1
>> +
>> +*   The -p option enables ports (detected) 0, 1, 2 and 3
>> +
>> +*   The -P option enables promiscous mode
>> +
>> +*   The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected
>> +
>> +*   The --config option enables one queue per port with the following mapping:
>> +
>> ++----------+-----------+-----------+---------------------------------------+
>> +| **Port** | **Queue** | **lcore** | **Description**                       |
>> +|          |           |           |                                       |
>> ++----------+-----------+-----------+---------------------------------------+
>> +| 0        | 0         | 20        | Map queue 0 from port 0 to lcore 20.  |
>> +|          |           |           |                                       |
>> ++----------+-----------+-----------+---------------------------------------+
>> +| 1        | 0         | 20        | Map queue 0 from port 1 to lcore 20.  |
>> +|          |           |           |                                       |
>> ++----------+-----------+-----------+---------------------------------------+
>> +| 2        | 0         | 21        | Map queue 0 from port 2 to lcore 21.  |
>> +|          |           |           |                                       |
>> ++----------+-----------+-----------+---------------------------------------+
>> +| 3        | 0         | 21        | Map queue 0 from port 3 to lcore 21.  |
>> +|          |           |           |                                       |
>> ++----------+-----------+-----------+---------------------------------------+
>> +
>> +Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options.
>> +
>> +Configurations
>> +--------------
>> +
>> +The following sections provide some details on the default values used to
>> +initialize the SP, SA and Routing tables.
>> +Currently all the configuration is hardcoded into the application.
>> +
>> +Security Policy Initialization
>> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> +
>> +As mention in the overview, the Security Policies are ACL rules.
>> +There are two ACLs, Inbound and Outboud.
>> +The application would also replicate the set of two ACLs per socket in use.
>> +
>> +Following are the default rules:
>> +
>> +Endpoint 0 Outbound Security Policies:
>> +
>> ++---------+------------------+-----------+------------+
>> +| **Src** | **Dst**          | **proto** | **SA idx** |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.105.0/24 | Any       | 5          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.106.0/24 | Any       | 6          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.107.0/24 | Any       | 7          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.108.0/24 | Any       | 8          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +
>> +Endpoint 0 Inbound Security Policies:
>> +
>> ++---------+------------------+-----------+------------+
>> +| **Src** | **Dst**          | **proto** | **SA idx** |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.115.0/24 | Any       | 5          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.116.0/24 | Any       | 6          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.117.0/24 | Any       | 7          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.118.0/24 | Any       | 8          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +
>> +Endpoint 1 Outbound Security Policies:
>> +
>> ++---------+------------------+-----------+------------+
>> +| **Src** | **Dst**          | **proto** | **SA idx** |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.115.0/24 | Any       | 5          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.116.0/24 | Any       | 6          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.117.0/24 | Any       | 7          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.118.0/24 | Any       | 8          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +
>> +Endpoint 1 Inbound Security Policies:
>> +
>> ++---------+------------------+-----------+------------+
>> +| **Src** | **Dst**          | **proto** | **SA idx** |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.105.0/24 | Any       | 5          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.106.0/24 | Any       | 6          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.107.0/24 | Any       | 7          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +| Any     | 192.168.108.0/24 | Any       | 8          |
>> +|         |                  |           |            |
>> ++---------+------------------+-----------+------------+
>> +
>> +
>> +Security Association Initialization
>> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> +
>> +The SAs are kept in a array table.
>> +
>> +For Inbound, the SPI is used as index module the table size.
>> +This means that on a table for 100 SA, SPI 5 and 105 would use the same index
>> +and that is not currently supported.
>> +
>> +Notice that it is not an issue for Outbound traffic as we store the index and
>> +not the SPI in the Security Policy.
>> +
>> +All SAs are configured with the same cipher algo, block size and key (AES-CBC
>> +16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B
>> +digest).
>> +
>> +Following are the default values:
>> +
>> +Endpoint 0 Outbound Security Associations:
>> +
>> ++---------+----------------+------------------+
>> +| **SPI** | **Tunnel src** | **Tunnel dst**   |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 5       | 172.16.1.5     | 172.16.2.5       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 6       | 172.16.1.6     | 172.16.2.6       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 7       | 172.16.1.7     | 172.16.2.7       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 8       | 172.16.1.8     | 172.16.2.8       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +
>> +Endpoint 0 Inbound Security Associations:
>> +
>> ++---------+----------------+------------------+
>> +| **SPI** | **Tunnel src** | **Tunnel dst**   |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 5       | 172.16.2.5     | 172.16.1.5       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 6       | 172.16.2.6     | 172.16.1.6       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 7       | 172.16.2.7     | 172.16.1.7       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 8       | 172.16.2.8     | 172.16.1.8       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +
>> +Endpoint 1 Outbound Security Associations:
>> +
>> ++---------+----------------+------------------+
>> +| **SPI** | **Tunnel src** | **Tunnel dst**   |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 5       | 172.16.2.5     | 172.16.1.5       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 6       | 172.16.2.6     | 172.16.1.6       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 7       | 172.16.2.7     | 172.16.1.7       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 8       | 172.16.2.8     | 172.16.1.8       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +
>> +Endpoint 1 Inbound Security Associations:
>> +
>> ++---------+----------------+------------------+
>> +| **SPI** | **Tunnel src** | **Tunnel dst**   |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 5       | 172.16.1.5     | 172.16.2.5       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 6       | 172.16.1.6     | 172.16.2.6       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 7       | 172.16.1.7     | 172.16.2.7       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +| 8       | 172.16.1.8     | 172.16.2.8       |
>> +|         |                |                  |
>> ++---------+----------------+------------------+
>> +
>> +Routing Initialization
>> +~~~~~~~~~~~~~~~~~~~~~~
>> +
>> +The Routing is implemented using LPM table.
>> +
>> +Following default values:
>> +
>> +Endpoint 0 Routing Table:
>> +
>> ++------------------+----------+
>> +| **Dst addr**     | **Port** |
>> +|                  |          |
>> ++------------------+----------+
>> +| 172.16.2.5/32    | 0        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 172.16.2.6/32    | 0        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 172.16.2.7/32    | 1        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 172.16.2.8/32    | 1        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 192.168.115.0/24 | 2        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 192.168.116.0/24 | 2        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 192.168.117.0/24 | 3        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 192.168.118.0/24 | 3        |
>> +|                  |          |
>> ++------------------+----------+
>> +
>> +Endpoint 1 Routing Table:
>> +
>> ++------------------+----------+
>> +| **Dst addr**     | **Port** |
>> +|                  |          |
>> ++------------------+----------+
>> +| 172.16.1.5/32    | 2        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 172.16.1.6/32    | 2        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 172.16.1.7/32    | 3        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 172.16.1.8/32    | 3        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 192.168.105.0/24 | 0        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 192.168.106.0/24 | 0        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 192.168.107.0/24 | 1        |
>> +|                  |          |
>> ++------------------+----------+
>> +| 192.168.108.0/24 | 1        |
>> +|                  |          |
>> ++------------------+----------+
>> diff --git a/examples/Makefile b/examples/Makefile
>> index 1cb4785..65ce6ce 100644
>> --- a/examples/Makefile
>> +++ b/examples/Makefile
>> @@ -1,6 +1,7 @@
>>   #   BSD LICENSE
>>   #
>>   #   Copyright(c) 2014 6WIND S.A.
>> +#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>>   #
>>   #   Redistribution and use in source and binary forms, with or without
>>   #   modification, are permitted provided that the following conditions
>> @@ -78,5 +79,6 @@ DIRS-y += vmdq
>>   DIRS-y += vmdq_dcb
>>   DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager
>>   DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto
>> +DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw
>>   
>>   include $(RTE_SDK)/mk/rte.extsubdir.mk
>> diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
>> new file mode 100644
>> index 0000000..5f893b8
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/Makefile
>> @@ -0,0 +1,58 @@
>> +#   BSD LICENSE
>> +#
>> +#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> +#   All rights reserved.
>> +#
>> +#   Redistribution and use in source and binary forms, with or without
>> +#   modification, are permitted provided that the following conditions
>> +#   are met:
>> +#
>> +#     * Redistributions of source code must retain the above copyright
>> +#       notice, this list of conditions and the following disclaimer.
>> +#     * Redistributions in binary form must reproduce the above copyright
>> +#       notice, this list of conditions and the following disclaimer in
>> +#       the documentation and/or other materials provided with the
>> +#       distribution.
>> +#     * Neither the name of Intel Corporation nor the names of its
>> +#       contributors may be used to endorse or promote products derived
>> +#       from this software without specific prior written permission.
>> +#
>> +#   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> +#   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> +#   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> +#   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> +#   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> +#   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> +#   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> +#   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> +#   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> +#   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> +#   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> +
>> +ifeq ($(RTE_SDK),)
>> +	$(error "Please define RTE_SDK environment variable")
>> +endif
>> +
>> +# Default target, can be overridden by command line or environment
>> +RTE_TARGET ?= x86_64-native-linuxapp-gcc
>> +
>> +include $(RTE_SDK)/mk/rte.vars.mk
>> +
>> +APP = ipsec-secgw
>> +
>> +CFLAGS += -O3 -gdwarf-2
>> +CFLAGS += $(WERROR_FLAGS)
>> +
>> +VPATH += $(SRCDIR)/librte_ipsec
>> +
>> +#
>> +# all source are stored in SRCS-y
>> +#
>> +SRCS-y += ipsec.c
>> +SRCS-y += esp.c
>> +SRCS-y += sp.c
>> +SRCS-y += sa.c
>> +SRCS-y += rt.c
>> +SRCS-y += ipsec-secgw.c
>> +
>> +include $(RTE_SDK)/mk/rte.extapp.mk
>> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
>> new file mode 100644
>> index 0000000..1be0621
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/esp.c
>> @@ -0,0 +1,256 @@
>> +/*-
>> + *   BSD LICENSE
>> + *
>> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> + *   All rights reserved.
>> + *
>> + *   Redistribution and use in source and binary forms, with or without
>> + *   modification, are permitted provided that the following conditions
>> + *   are met:
>> + *
>> + *     * Redistributions of source code must retain the above copyright
>> + *       notice, this list of conditions and the following disclaimer.
>> + *     * Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> + *       the documentation and/or other materials provided with the
>> + *       distribution.
>> + *     * Neither the name of Intel Corporation nor the names of its
>> + *       contributors may be used to endorse or promote products derived
>> + *       from this software without specific prior written permission.
>> + *
>> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +
>> +#include <stdint.h>
>> +#include <stdlib.h>
>> +#include <netinet/ip.h>
>> +#include <sys/types.h>
>> +#include <sys/stat.h>
>> +#include <fcntl.h>
>> +#include <unistd.h>
>> +
>> +#include <rte_memcpy.h>
>> +#include <rte_crypto.h>
>> +#include <rte_cryptodev.h>
>> +#include <rte_random.h>
>> +
>> +#include "ipsec.h"
>> +#include "esp.h"
>> +#include "ipip.h"
>> +
>> +static inline void
>> +random_iv_u64(uint64_t *buf, uint16_t n)
>> +{
>> +	unsigned left = n & 0x7;
>> +	unsigned i;
>> +
>> +	IPSEC_ASSERT((n & 0x3) == 0);
>> +
>> +	for (i = 0; i < (n >> 3); i++)
>> +		buf[i] = rte_rand();
>> +
>> +	if (left)
>> +		*((uint32_t *)&buf[i]) = (uint32_t)lrand48();
>> +}
>> +
>> +/* IPv4 Tunnel */
>> +int
>> +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
>> +		struct rte_crypto_op *cop)
>> +{
>> +	uint16_t digest_len, esp_len, iphdr_len;
>> +	int32_t payload_len;
>> +
>> +	IPSEC_ASSERT(m != NULL);
>> +
>> +	iphdr_len = sizeof(struct ip);
>> +	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
>> +	digest_len = sa->digest_len;
>> +	payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len;
>> +
>> +	if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
>> +		IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n",
>> +				payload_len, sa->block_size);
>> +		return -EINVAL;
>> +	}
>> +
>> +	cop->data.to_cipher.offset = iphdr_len + esp_len;
>> +	cop->data.to_cipher.length = payload_len;
>> +
>> +	cop->data.to_hash.offset = iphdr_len;
>> +	if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM)
>> +		cop->data.to_hash.length = esp_len - sa->iv_len;
>> +	else
>> +		cop->data.to_hash.length = esp_len + payload_len;
>> +
>> +	cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
>> +			iphdr_len + esp_len - sa->iv_len);
>> +	cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
>> +			iphdr_len + esp_len - sa->iv_len);
>> +
>> +	cop->iv.length = sa->iv_len;
>> +
>> +	cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
>> +			iphdr_len + esp_len + payload_len);
>> +	cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
>> +			iphdr_len + esp_len + payload_len);
>> +	cop->digest.length = digest_len;
>> +
>> +	return 0;
>> +}
>> +
>> +int
>> +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
>> +		struct rte_crypto_op *cop)
>> +{
>> +	uint16_t digest_len, esp_len, iphdr_len;
>> +	uint8_t *nexthdr, *pad_len;
>> +	uint8_t *padding;
>> +	uint16_t i;
>> +
>> +	IPSEC_ASSERT(m != NULL);
>> +
>> +	iphdr_len = sizeof(struct ip);
>> +	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
>> +	digest_len = sa->digest_len;
>> +
>> +	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
>> +		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
>> +		return -1;
>> +	}
>> +
>> +	nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
>> +			rte_pktmbuf_pkt_len(m) - digest_len - 1);
>> +	pad_len = nexthdr - 1;
>> +
>> +	padding = pad_len - *pad_len;
>> +	for (i = 0; i < *pad_len; i++) {
>> +		if (padding[i] != i) {
>> +			IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n");
>> +			return -EINVAL;
>> +		}
>> +	}
>> +
>> +	if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) {
>> +		IPSEC_LOG(ERR, IPSEC_ESP,
>> +				"failed to remove pad_len + digest\n");
>> +		return -EINVAL;
>> +	}
>> +
>> +	return ip4ip_inbound(m, iphdr_len + esp_len);
>> +}
>> +
>> +int
>> +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
>> +		struct rte_crypto_op *cop)
>> +{
>> +	uint16_t digest_len, esp_len, payload_len, block_sz, pad_len;
>> +	int32_t pad_payload_len;
>> +	struct ip *ip;
>> +	struct esp_hdr *esp;
>> +	int i;
>> +	char *padding;
>> +
>> +	rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE);
>> +	rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *));
>> +
>> +	IPSEC_ASSERT(m != NULL);
>> +	IPSEC_ASSERT(sa != NULL);
>> +
>> +	/* Payload length */
>> +	payload_len = rte_pktmbuf_pkt_len(m);
>> +
>> +	block_sz = sa->block_size;
>> +
>> +	/* Per RFC4303:
>> +	 *  padded payload needs to be multiple of 4 bytes.
>> +	 * All application supported block sizes must be power of 2
>> +	 */
>> +	pad_len = (payload_len + 2) & (block_sz - 1);
>> +	pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2;
>> +
>> +	/* Padded payload length */
>> +	pad_payload_len = payload_len + pad_len;
>> +	/* ESP header length */
>> +	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
>> +	/* Digest length */
>> +	digest_len = sa->digest_len;
>> +
>> +	IPSEC_LOG(DEBUG, IPSEC_ESP,
>> +			"pktlen %u, esp_len %u, digest_len %u, payload_len %u,"
>> +			" pad_payload_len %u, block_sz %u, pad_len %u\n",
>> +			rte_pktmbuf_pkt_len(m), esp_len, digest_len,
>> +			payload_len, pad_payload_len, block_sz,	pad_len);
>> +
>> +	/* Check maximum packet size */
>> +	if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) {
>> +		IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n");
>> +		return -EINVAL;
>> +	}
>> +
>> +	padding = rte_pktmbuf_append(m, pad_len + digest_len);
>> +
>> +	IPSEC_ASSERT(padding != NULL);
>> +
>> +	ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst);
>> +
>> +	esp = (struct esp_hdr *)(ip + 1);
>> +	esp->spi = sa->spi;
>> +
>> +	esp->seq = htonl(sa->seq++);
>> +
>> +	IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m));
>> +
>> +	/* Fill pad_len using default sequential scheme */
>> +	for (i = 0; i < pad_len - 2; i++)
>> +		padding[i] = i + 1;
>> +
>> +	padding[pad_len - 2] = pad_len - 2;
>> +	padding[pad_len - 1] = IPPROTO_IPIP;
>> +	ip->ip_p = IPPROTO_ESP;
>> +
>> +	cop->data.to_cipher.offset = sizeof(struct ip) + esp_len;
>> +	cop->data.to_cipher.length = pad_payload_len;
>> +
>> +	cop->data.to_hash.offset = sizeof(struct ip);
>> +	cop->data.to_hash.length = esp_len + pad_payload_len;
>> +
>> +	cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
>> +			sizeof(struct ip) + esp_len - sa->iv_len);
>> +	cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
>> +			sizeof(struct ip) + esp_len - sa->iv_len);
>> +	cop->iv.length = sa->iv_len;
>> +
>> +	cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
>> +			sizeof(struct ip) + esp_len + pad_payload_len);
>> +	cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
>> +			sizeof(struct ip) + esp_len + pad_payload_len);
>> +	cop->digest.length = digest_len;
>> +
>> +	random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length);
>> +
>> +	return 0;
>> +}
>> +
>> +int
>> +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused,
>> +		struct ipsec_sa *sa __rte_unused,
>> +		struct rte_crypto_op *cop)
>> +{
>> +	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
>> +		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
>> +		return -1;
>> +	}
>> +
>> +	return 0;
>> +}
>> diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h
>> new file mode 100644
>> index 0000000..d7c8ba6
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/esp.h
>> @@ -0,0 +1,66 @@
>> +/*-
>> + *   BSD LICENSE
>> + *
>> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> + *   All rights reserved.
>> + *
>> + *   Redistribution and use in source and binary forms, with or without
>> + *   modification, are permitted provided that the following conditions
>> + *   are met:
>> + *
>> + *     * Redistributions of source code must retain the above copyright
>> + *       notice, this list of conditions and the following disclaimer.
>> + *     * Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> + *       the documentation and/or other materials provided with the
>> + *       distribution.
>> + *     * Neither the name of Intel Corporation nor the names of its
>> + *       contributors may be used to endorse or promote products derived
>> + *       from this software without specific prior written permission.
>> + *
>> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +#ifndef __RTE_IPSEC_XFORM_ESP_H__
>> +#define __RTE_IPSEC_XFORM_ESP_H__
>> +
>> +struct mbuf;
>> +
>> +/* RFC4303 */
>> +struct esp_hdr {
>> +	uint32_t spi;
>> +	uint32_t seq;
>> +	/* Payload */
>> +	/* Padding */
>> +	/* Pad Length */
>> +	/* Next Header */
>> +	/* Integrity Check Value - ICV */
>> +};
>> +
>> +/* IPv4 Tunnel */
>> +int
>> +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
>> +		struct rte_crypto_op *cop);
>> +
>> +int
>> +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
>> +		struct rte_crypto_op *cop);
>> +
>> +int
>> +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
>> +		struct rte_crypto_op *cop);
>> +
>> +int
>> +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
>> +		struct rte_crypto_op *cop);
>> +
>> +#endif /* __RTE_IPSEC_XFORM_ESP_H__ */
>> diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h
>> new file mode 100644
>> index 0000000..16c5dfb
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/ipip.h
>> @@ -0,0 +1,100 @@
>> +/*-
>> + *   BSD LICENSE
>> + *
>> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> + *   All rights reserved.
>> + *
>> + *   Redistribution and use in source and binary forms, with or without
>> + *   modification, are permitted provided that the following conditions
>> + *   are met:
>> + *
>> + *     * Redistributions of source code must retain the above copyright
>> + *       notice, this list of conditions and the following disclaimer.
>> + *     * Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> + *       the documentation and/or other materials provided with the
>> + *       distribution.
>> + *     * Neither the name of Intel Corporation nor the names of its
>> + *       contributors may be used to endorse or promote products derived
>> + *       from this software without specific prior written permission.
>> + *
>> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +
>> +#ifndef __IPIP_H__
>> +#define __IPIP_H__
>> +
>> +#include <stdint.h>
>> +#include <netinet/in.h>
>> +#include <netinet/ip.h>
>> +
>> +#include <rte_mbuf.h>
>> +
>> +static inline  struct ip *
>> +ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst)
>> +{
>> +	struct ip *inip, *outip;
>> +
>> +	inip = rte_pktmbuf_mtod(m, struct ip*);
>> +
>> +	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
>> +
>> +	offset += sizeof(struct ip);
>> +
>> +	outip = (struct ip *)rte_pktmbuf_prepend(m, offset);
>> +
>> +	IPSEC_ASSERT(outip != NULL);
>> +
>> +	/* Per RFC4301 5.1.2.1 */
>> +	outip->ip_len = htons(rte_pktmbuf_data_len(m));
>> +	outip->ip_v = IPVERSION;
>> +	outip->ip_hl = 5;
>> +	outip->ip_tos = inip->ip_tos;
>> +
>> +	outip->ip_id = 0;
>> +	outip->ip_off = 0;
>> +
>> +	outip->ip_ttl = IPDEFTTL;
>> +
>> +	outip->ip_dst.s_addr = dst;
>> +	outip->ip_src.s_addr = src;
>> +
>> +	return outip;
>> +}
>> +
>> +static inline int
>> +ip4ip_inbound(struct rte_mbuf *m, uint32_t offset)
>> +{
>> +	struct ip *inip;
>> +	struct ip *outip;
>> +
>> +	outip = rte_pktmbuf_mtod(m, struct ip*);
>> +
>> +	IPSEC_ASSERT(outip->ip_v == IPVERSION);
>> +
>> +	offset += sizeof(struct ip);
>> +	inip = (struct ip *)rte_pktmbuf_adj(m, offset);
>> +	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
>> +
>> +	/* Check packet is still bigger than IP header (inner) */
>> +	IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip));
>> +
>> +	/* RFC4301 5.1.2.1 Note 6 */
>> +	if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) &&
>> +			((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE))
>> +		inip->ip_tos |= htons(IPTOS_ECN_CE);
>> +
>> +	return 0;
>> +}
>> +
>> +#endif /* __IPIP_H__ */
>> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
>> new file mode 100644
>> index 0000000..d2e8972
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/ipsec-secgw.c
>> @@ -0,0 +1,1218 @@
>> +/*-
>> + *   BSD LICENSE
>> + *
>> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> + *   All rights reserved.
>> + *
>> + *   Redistribution and use in source and binary forms, with or without
>> + *   modification, are permitted provided that the following conditions
>> + *   are met:
>> + *
>> + *     * Redistributions of source code must retain the above copyright
>> + *       notice, this list of conditions and the following disclaimer.
>> + *     * Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> + *       the documentation and/or other materials provided with the
>> + *       distribution.
>> + *     * Neither the name of Intel Corporation nor the names of its
>> + *       contributors may be used to endorse or promote products derived
>> + *       from this software without specific prior written permission.
>> + *
>> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +
>> +#include <stdio.h>
>> +#include <stdlib.h>
>> +#include <stdint.h>
>> +#include <inttypes.h>
>> +#include <sys/types.h>
>> +#include <string.h>
>> +#include <sys/queue.h>
>> +#include <stdarg.h>
>> +#include <errno.h>
>> +#include <getopt.h>
>> +
>> +#include <rte_common.h>
>> +#include <rte_byteorder.h>
>> +#include <rte_log.h>
>> +#include <rte_eal.h>
>> +#include <rte_launch.h>
>> +#include <rte_atomic.h>
>> +#include <rte_cycles.h>
>> +#include <rte_prefetch.h>
>> +#include <rte_lcore.h>
>> +#include <rte_per_lcore.h>
>> +#include <rte_branch_prediction.h>
>> +#include <rte_interrupts.h>
>> +#include <rte_pci.h>
>> +#include <rte_random.h>
>> +#include <rte_debug.h>
>> +#include <rte_ether.h>
>> +#include <rte_ethdev.h>
>> +#include <rte_mempool.h>
>> +#include <rte_mbuf.h>
>> +#include <rte_acl.h>
>> +#include <rte_lpm.h>
>> +#include <rte_cryptodev.h>
>> +#include <rte_cryptodev.h>
>> +
>> +#include "ipsec.h"
>> +
>> +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
>> +
>> +#define MAX_JUMBO_PKT_LEN  9600
>> +
>> +#define MEMPOOL_CACHE_SIZE 256
>> +
>> +#define NB_MBUF	(32000)
>> +
>> +#define CDEV_MP_NB_OBJS 2048
>> +#define CDEV_MP_CACHE_SZ 64
>> +#define MAX_QUEUE_PAIRS 1
>> +
>> +#define OPTION_CONFIG		"config"
>> +#define OPTION_EP0		"ep0"
>> +#define OPTION_EP1		"ep1"
>> +#define OPTION_CDEV_TYPE	"cdev"
>> +
>> +#define MAX_PKT_BURST 32
>> +#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */
>> +
>> +#define NB_SOCKETS 4
>> +
>> +/* Configure how many packets ahead to prefetch, when reading packets */
>> +#define PREFETCH_OFFSET	3
>> +
>> +#define MAX_RX_QUEUE_PER_LCORE 16
>> +
>> +#define MAX_LCORE_PARAMS 1024
>> +
>> +#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid))
>> +
>> +/*
>> + * Configurable number of RX/TX ring descriptors
>> + */
>> +#define IPSEC_SECGW_RX_DESC_DEFAULT 128
>> +#define IPSEC_SECGW_TX_DESC_DEFAULT 512
>> +static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
>> +static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
>> +
>> +#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
>> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
>> +	(((uint64_t)((a) & 0xff) << 56) | \
>> +	((uint64_t)((b) & 0xff) << 48) | \
>> +	((uint64_t)((c) & 0xff) << 40) | \
>> +	((uint64_t)((d) & 0xff) << 32) | \
>> +	((uint64_t)((e) & 0xff) << 24) | \
>> +	((uint64_t)((f) & 0xff) << 16) | \
>> +	((uint64_t)((g) & 0xff) << 8)  | \
>> +	((uint64_t)(h) & 0xff))
>> +#else
>> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
>> +	(((uint64_t)((h) & 0xff) << 56) | \
>> +	((uint64_t)((g) & 0xff) << 48) | \
>> +	((uint64_t)((f) & 0xff) << 40) | \
>> +	((uint64_t)((e) & 0xff) << 32) | \
>> +	((uint64_t)((d) & 0xff) << 24) | \
>> +	((uint64_t)((c) & 0xff) << 16) | \
>> +	((uint64_t)((b) & 0xff) << 8) | \
>> +	((uint64_t)(a) & 0xff))
>> +#endif
>> +#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
>> +
>> +#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
>> +		addr.addr_bytes[0], addr.addr_bytes[1], \
>> +		addr.addr_bytes[2], addr.addr_bytes[3], \
>> +		addr.addr_bytes[4], addr.addr_bytes[5], \
>> +		0, 0)
>> +
>> +/* port/source ethernet addr and destination ethernet addr */
>> +struct ethaddr_info {
>> +	uint64_t src, dst;
>> +};
>> +
>> +struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
>> +	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
>> +	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
>> +	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
>> +	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
>> +};
>> +
>> +/* mask of enabled ports */
>> +static uint32_t enabled_port_mask;
>> +static uint32_t unprotected_port_mask;
>> +static int promiscuous_on = 1;
>> +static int numa_on = 1; /**< NUMA is enabled by default. */
>> +static int ep = -1; /**< Endpoint configuration (0 or 1) */
>> +static unsigned cdev_type = -1;
>> +static unsigned nb_lcores;
>> +
>> +struct buffer {
>> +	uint16_t len;
>> +	struct rte_mbuf *m_table[MAX_PKT_BURST];
>> +};
>> +
>> +struct lcore_rx_queue {
>> +	uint8_t port_id;
>> +	uint8_t queue_id;
>> +} __rte_cache_aligned;
>> +
>> +struct lcore_params {
>> +	uint8_t port_id;
>> +	uint8_t queue_id;
>> +	uint8_t lcore_id;
>> +} __rte_cache_aligned;
>> +
>> +static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
>> +
>> +static struct lcore_params *lcore_params;
>> +static uint16_t nb_lcore_params;
>> +
>> +struct lcore_conf {
>> +	uint16_t nb_rx_queue;
>> +	struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE];
>> +	uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
>> +	struct buffer tx_mbufs[RTE_MAX_ETHPORTS];
>> +	uint16_t cdev;
>> +	uint16_t cdev_q;
>> +} __rte_cache_aligned;
>> +
>> +static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
>> +
>> +static struct rte_eth_conf port_conf = {
>> +	.rxmode = {
>> +		.mq_mode	= ETH_MQ_RX_RSS,
>> +		.max_rx_pkt_len = ETHER_MAX_LEN,
>> +		.split_hdr_size = 0,
>> +		.header_split   = 0, /**< Header Split disabled */
>> +		.hw_ip_checksum = 1, /**< IP checksum offload enabled */
>> +		.hw_vlan_filter = 0, /**< VLAN filtering disabled */
>> +		.jumbo_frame    = 0, /**< Jumbo Frame Support disabled */
>> +		.hw_strip_crc   = 0, /**< CRC stripped by hardware */
>> +	},
>> +	.rx_adv_conf = {
>> +		.rss_conf = {
>> +			.rss_key = NULL,
>> +			.rss_hf = ETH_RSS_IP | ETH_RSS_UDP |
>> +				ETH_RSS_TCP | ETH_RSS_SCTP,
>> +		},
>> +	},
>> +	.txmode = {
>> +		.mq_mode = ETH_MQ_TX_NONE,
>> +	},
>> +};
>> +
>> +static struct socket_ctx socket_ctx[NB_SOCKETS];
>> +
>> +struct traffic_type {
>> +	const uint8_t *data[MAX_PKT_BURST * 2];
>> +	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
>> +	uint32_t res[MAX_PKT_BURST * 2];
>> +	uint32_t num;
>> +};
>> +
>> +struct ipsec_traffic {
>> +	struct traffic_type ipsec4;
>> +	struct traffic_type ipv4;
>> +};
>> +
>> +static inline void
>> +prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
>> +{
>> +	uint8_t *nlp;
>> +
>> +	if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) {
>> +		rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
>> +		nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *,
>> +				offsetof(struct ip, ip_p));
>> +		if (*nlp == IPPROTO_ESP)
>> +			t->ipsec4.pkts[(t->ipsec4.num)++] = pkt;
>> +		else {
>> +			t->ipv4.data[t->ipv4.num] = nlp;
>> +			t->ipv4.pkts[(t->ipv4.num)++] = pkt;
>> +		}
>> +	} else {
>> +		/* Unknown/Unsupported type, drop the packet */
>> +		rte_pktmbuf_free(pkt);
>> +	}
>> +}
>> +
>> +static inline void
>> +prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
>> +		uint16_t nb_pkts)
>> +{
>> +	int i;
>> +
>> +	t->ipsec4.num = 0;
>> +	t->ipv4.num = 0;
>> +
>> +	for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
>> +		rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
>> +					void *));
>> +		prepare_one_packet(pkts[i], t);
>> +	}
>> +	/* Process left packets */
>> +	for (; i < nb_pkts; i++)
>> +		prepare_one_packet(pkts[i], t);
>> +}
>> +
>> +static inline void
>> +prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
>> +{
>> +	pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
>> +	pkt->l3_len = sizeof(struct ip);
>> +	pkt->l2_len = ETHER_HDR_LEN;
>> +
>> +	uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN);
>> +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
>> +	ethhdr[0] = ethaddr_tbl[port].dst |
>> +		((ethaddr_tbl[port].src & 0xffff) << 48);
>> +	ethhdr[1] = ethaddr_tbl[port].src >> 16 |
>> +		((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) |
>> +		(ethhdr[1] & (0xffffUL << 48));
>> +#else
>> +	ethhdr[0] = ethaddr_tbl[port].dst |
>> +		(ethaddr_tbl[port].src >> 48 & 0xffff);
>> +	ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) |
>> +		(ethhdr[1] & 0xffffUL);
>> +#endif
>> +}
>> +
>> +static inline void
>> +prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port)
>> +{
>> +	int i;
>> +	const int prefetch_offset = 2;
>> +
>> +	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
>> +		rte_prefetch0(pkts[i + prefetch_offset]->cacheline1);
>> +		prepare_tx_pkt(pkts[i], port);
>> +	}
>> +	/* Process left packets */
>> +	for (; i < nb_pkts; i++)
>> +		prepare_tx_pkt(pkts[i], port);
>> +}
>> +
>> +/* Send burst of packets on an output interface */
>> +static inline int
>> +send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port)
>> +{
>> +	struct rte_mbuf **m_table;
>> +	int ret;
>> +	uint16_t queueid;
>> +
>> +	queueid = qconf->tx_queue_id[port];
>> +	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
>> +
>> +	prepare_tx_burst(m_table, n, port);
>> +
>> +	ret = rte_eth_tx_burst(port, queueid, m_table, n);
>> +	if (unlikely(ret < n)) {
>> +		do {
>> +			rte_pktmbuf_free(m_table[ret]);
>> +		} while (++ret < n);
>> +	}
>> +
>> +	return 0;
>> +}
>> +
>> +/* Enqueue a single packet, and send burst if queue is filled */
>> +static inline int
>> +send_single_packet(struct rte_mbuf *m, uint8_t port)
>> +{
>> +	uint32_t lcore_id;
>> +	uint16_t len;
>> +	struct lcore_conf *qconf;
>> +
>> +	lcore_id = rte_lcore_id();
>> +
>> +	qconf = &lcore_conf[lcore_id];
>> +	len = qconf->tx_mbufs[port].len;
>> +	qconf->tx_mbufs[port].m_table[len] = m;
>> +	len++;
>> +
>> +	/* enough pkts to be sent */
>> +	if (unlikely(len == MAX_PKT_BURST)) {
>> +		send_burst(qconf, MAX_PKT_BURST, port);
>> +		len = 0;
>> +	}
>> +
>> +	qconf->tx_mbufs[port].len = len;
>> +	return 0;
>> +}
>> +
>> +static inline void
>> +process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
>> +{
>> +	struct sa_ctx *sa_ctx = ctx->sa_ipv4_in;
>> +	struct sp_ctx *sp_ctx = ctx->sp_ipv4_in;
>> +	struct rte_mbuf *m;
>> +	uint16_t idx, nb_pkts_in, i, j;
>> +	uint32_t sa_idx, res;
>> +	struct ipsec_ctx ipsec_ctx;
>> +	struct lcore_conf *qconf;
>> +
>> +	qconf = &lcore_conf[rte_lcore_id()];
>> +	ipsec_ctx.cdev = qconf->cdev;
>> +	ipsec_ctx.queue = qconf->cdev_q;
>> +	ipsec_ctx.sa_ctx = sa_ctx;
>> +
>> +	nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts,
>> +			traffic->ipsec4.num, MAX_PKT_BURST);
>> +
>> +	/* SP/ACL Inbound check ipsec and ipv4 */
>> +	for (i = 0; i < nb_pkts_in; i++) {
>> +		idx = traffic->ipv4.num++;
>> +		m = traffic->ipsec4.pkts[i];
>> +		traffic->ipv4.pkts[idx] = m;
>> +		traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m,
>> +				uint8_t *, offsetof(struct ip, ip_p));
>> +	}
>> +
>> +	rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
>> +			traffic->ipv4.res, traffic->ipv4.num,
>> +			DEFAULT_MAX_CATEGORIES);
>> +
>> +	j = 0;
>> +	for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) {
>> +		m = traffic->ipv4.pkts[i];
>> +		res = traffic->ipv4.res[i];
>> +		if (res & ~BYPASS) {
>> +			rte_pktmbuf_free(m);
>> +			continue;
>> +		}
>> +		traffic->ipv4.pkts[j++] = m;
>> +	}
>> +	/* Check return SA SPI matches pkt SPI */
>> +	for ( ; i < traffic->ipv4.num; i++) {
>> +		m = traffic->ipv4.pkts[i];
>> +		sa_idx = traffic->ipv4.res[i] & PROTECT_MASK;
>> +		if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) {
>> +			rte_pktmbuf_free(m);
>> +			continue;
>> +		}
>> +		traffic->ipv4.pkts[j++] = m;
>> +	}
>> +	traffic->ipv4.num = j;
>> +}
>> +
>> +static inline void
>> +process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
>> +{
>> +	struct sa_ctx *sa_ctx = ctx->sa_ipv4_out;
>> +	struct sp_ctx *sp_ctx = ctx->sp_ipv4_out;
>> +	struct rte_mbuf *m;
>> +	uint16_t idx, nb_pkts_out, i, j;
>> +	uint32_t sa_idx, res;
>> +	struct ipsec_ctx ipsec_ctx;
>> +	struct lcore_conf *qconf;
>> +
>> +	qconf = &lcore_conf[rte_lcore_id()];
>> +	ipsec_ctx.cdev = qconf->cdev;
>> +	ipsec_ctx.queue = qconf->cdev_q;
>> +	ipsec_ctx.sa_ctx = sa_ctx;
>> +
>> +	rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
>> +			traffic->ipv4.res, traffic->ipv4.num,
>> +			DEFAULT_MAX_CATEGORIES);
> IMO, an option for single SA based outbound processing would be useful
> measuring performance bottlenecks with SA lookup.
>

Hi Jerin,

Are you suggesting to have an option so we basically encrypt all traffic 
using
a single SA bypassing the SP/ACL ?

Currently the ACL entry contains the SA index in the SA table, so there 
is no SA
lookup on outbound.
That might have to change a bit if we were to add IKE support.

>> +	j = 0;
>> +	for (i = 0; i < traffic->ipv4.num; i++) {
>> +		m = traffic->ipv4.pkts[i];
>> +		res = traffic->ipv4.res[i];
>> +		sa_idx = res & PROTECT_MASK;
>> +		if (res & DISCARD) {
>> +			rte_pktmbuf_free(m);
>> +		} else if (sa_idx != 0) {
>> +			traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx;
>> +			traffic->ipsec4.pkts[traffic->ipsec4.num++] = m;
>> +		} else /* BYPASS */
>> +			traffic->ipv4.pkts[j++] = m;
>> +	}
>> +	traffic->ipv4.num = j;
>> +
>> +	nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts,
>> +			traffic->ipsec4.res, traffic->ipsec4.num,
>> +			MAX_PKT_BURST);
>> +
>> +	for (i = 0; i < nb_pkts_out; i++) {
>> +		idx = traffic->ipv4.num++;
>> +		m = traffic->ipsec4.pkts[i];
>> +		traffic->ipv4.pkts[idx] = m;
>> +	}
>> +}
>> +
>> +static inline void
>> +route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
>> +{
>> +	uint16_t hop[MAX_PKT_BURST * 2];
>> +	uint32_t dst_ip[MAX_PKT_BURST * 2];
>> +	uint16_t i, offset;
>> +
>> +	if (nb_pkts == 0)
>> +		return;
>> +
>> +	for (i = 0; i < nb_pkts; i++) {
>> +		offset = offsetof(struct ip, ip_dst);
>> +		dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i],
>> +				uint32_t *, offset);
>> +		dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]);
>> +	}
>> +
>> +	rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts);
>> +
>> +	for (i = 0; i < nb_pkts; i++) {
>> +		if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) {
>> +			rte_pktmbuf_free(pkts[i]);
>> +			continue;
>> +		}
>> +		send_single_packet(pkts[i], hop[i] & 0xff);
>> +	}
>> +}
>> +
>> +static inline void
>> +process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts,
>> +		uint8_t nb_pkts, uint8_t portid)
>> +{
>> +	struct ipsec_traffic traffic;
>> +
>> +	prepare_traffic(pkts, &traffic, nb_pkts);
>> +
>> +	if (UNPROTECTED_PORT(portid))
>> +		process_pkts_inbound(ctx, &traffic);
>> +	else
>> +		process_pkts_outbound(ctx, &traffic);
>> +
>> +	route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num);
>> +}
>> +
>> +static inline void
>> +drain_buffers(struct lcore_conf *qconf)
>> +{
>> +	struct buffer *buf;
>> +	unsigned portid;
>> +
>> +	for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) {
>> +		buf = &qconf->tx_mbufs[portid];
>> +		if (buf->len == 0)
>> +			continue;
>> +		send_burst(qconf, buf->len, portid);
>> +		buf->len = 0;
>> +	}
>> +}
>> +
>> +/* main processing loop */
>> +static int
>> +main_loop(__attribute__((unused)) void *dummy)
>> +{
>> +	struct rte_mbuf *pkts[MAX_PKT_BURST];
>> +	unsigned lcore_id;
>> +	uint64_t prev_tsc, diff_tsc, cur_tsc;
>> +	int i, nb_rx;
>> +	uint8_t portid, queueid;
>> +	struct lcore_conf *qconf;
>> +	int socket_id;
>> +	const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1)
>> +			/ US_PER_S * BURST_TX_DRAIN_US;
>> +	struct socket_ctx *ctx;
>> +	struct lcore_rx_queue *rxql;
>> +
>> +	prev_tsc = 0;
>> +	lcore_id = rte_lcore_id();
>> +	qconf = &lcore_conf[lcore_id];
>> +	rxql = qconf->rx_queue_list;
>> +	socket_id = rte_lcore_to_socket_id(lcore_id);
>> +
>> +	ctx = &socket_ctx[socket_id];
>> +
>> +	if (qconf->nb_rx_queue == 0) {
>> +		RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id);
>> +		return 0;
>> +	}
>> +
>> +	RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id);
>> +
>> +	for (i = 0; i < qconf->nb_rx_queue; i++) {
>> +		portid = rxql[i].port_id;
>> +		queueid = rxql[i].queue_id;
>> +		RTE_LOG(INFO, IPSEC,
>> +			" -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n",
>> +			lcore_id, portid, queueid);
>> +	}
>> +
>> +	while (1) {
>> +		cur_tsc = rte_rdtsc();
>> +
>> +		/* TX queue buffer drain */
>> +		diff_tsc = cur_tsc - prev_tsc;
>> +
>> +		if (unlikely(diff_tsc > drain_tsc)) {
>> +			drain_buffers(qconf);
>> +			prev_tsc = cur_tsc;
>> +		}
>> +
>> +		/* Read packet from RX queues */
>> +		for (i = 0; i < qconf->nb_rx_queue; ++i) {
>> +			portid = rxql[i].port_id;
>> +			queueid = rxql[i].queue_id;
>> +			nb_rx = rte_eth_rx_burst(portid, queueid,
>> +					pkts, MAX_PKT_BURST);
>> +
>> +			if (nb_rx > 0)
>> +				process_pkts(ctx, pkts, nb_rx, portid);
>> +		}
>> +	}
>> +}
>> +
>> +static int
>> +check_params(void)
>> +{
>> +	uint8_t lcore, portid, nb_ports;
>> +	uint16_t i;
>> +	int socket_id;
>> +
>> +	if (lcore_params == NULL) {
>> +		printf("Error: No port/queue/core mappings\n");
>> +		return -1;
>> +	}
>> +
>> +	nb_ports = rte_eth_dev_count();
>> +	if (nb_ports > RTE_MAX_ETHPORTS)
>> +		nb_ports = RTE_MAX_ETHPORTS;
>> +
>> +	for (i = 0; i < nb_lcore_params; ++i) {
>> +		lcore = lcore_params[i].lcore_id;
>> +		if (!rte_lcore_is_enabled(lcore)) {
>> +			printf("error: lcore %hhu is not enabled in "
>> +				"lcore mask\n", lcore);
>> +			return -1;
>> +		}
>> +		socket_id = rte_lcore_to_socket_id(lcore);
>> +		if (socket_id != 0 && numa_on == 0) {
>> +			printf("warning: lcore %hhu is on socket %d "
>> +				"with numa off\n",
>> +				lcore, socket_id);
>> +		}
>> +		portid = lcore_params[i].port_id;
>> +		if ((enabled_port_mask & (1 << portid)) == 0) {
>> +			printf("port %u is not enabled in port mask\n", portid);
>> +			return -1;
>> +		}
>> +		if (portid >= nb_ports) {
>> +			printf("port %u is not present on the board\n", portid);
>> +			return -1;
>> +		}
>> +	}
>> +	return 0;
>> +}
>> +
>> +static uint8_t
>> +get_port_nb_rx_queues(const uint8_t port)
>> +{
>> +	int queue = -1;
>> +	uint16_t i;
>> +
>> +	for (i = 0; i < nb_lcore_params; ++i) {
>> +		if (lcore_params[i].port_id == port &&
>> +				lcore_params[i].queue_id > queue)
>> +			queue = lcore_params[i].queue_id;
>> +	}
>> +	return (uint8_t)(++queue);
>> +}
>> +
>> +static int
>> +init_lcore_rx_queues(void)
>> +{
>> +	uint16_t i, nb_rx_queue;
>> +	uint8_t lcore;
>> +
>> +	for (i = 0; i < nb_lcore_params; ++i) {
>> +		lcore = lcore_params[i].lcore_id;
>> +		nb_rx_queue = lcore_conf[lcore].nb_rx_queue;
>> +		if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) {
>> +			printf("error: too many queues (%u) for lcore: %u\n",
>> +					nb_rx_queue + 1, lcore);
>> +			return -1;
>> +		}
>> +		lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id =
>> +			lcore_params[i].port_id;
>> +		lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id =
>> +			lcore_params[i].queue_id;
>> +		lcore_conf[lcore].nb_rx_queue++;
>> +	}
>> +	return 0;
>> +}
>> +
>> +/* display usage */
>> +static void
>> +print_usage(const char *prgname)
>> +{
>> +	printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK"
>> +		"  --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]"
>> +		" --EP0|--EP1 --cdev AESNI|QAT\n"
>> +		"  -p PORTMASK: hexadecimal bitmask of ports to configure\n"
>> +		"  -P : enable promiscuous mode\n"
>> +		"  -u PORTMASK: hexadecimal bitmask of unprotected ports\n"
>> +		"  --"OPTION_CONFIG": (port,queue,lcore): "
>> +		"rx queues configuration\n"
>> +		"  --cdev AESNI | QAT\n"
>> +		"  --EP0: Configure as Endpoint 0\n"
>> +		"  --EP1: Configure as Endpoint 1\n", prgname);
>> +}
>> +
>> +static int
>> +parse_portmask(const char *portmask)
>> +{
>> +	char *end = NULL;
>> +	unsigned long pm;
>> +
>> +	/* parse hexadecimal string */
>> +	pm = strtoul(portmask, &end, 16);
>> +	if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0'))
>> +		return -1;
>> +
>> +	if (pm == 0)
>> +		return -1;
>> +
>> +	return pm;
>> +}
>> +
>> +static int
>> +parse_config(const char *q_arg)
>> +{
>> +	char s[256];
>> +	const char *p, *p0 = q_arg;
>> +	char *end;
>> +	enum fieldnames {
>> +		FLD_PORT = 0,
>> +		FLD_QUEUE,
>> +		FLD_LCORE,
>> +		_NUM_FLD
>> +	};
>> +	unsigned long int_fld[_NUM_FLD];
>> +	char *str_fld[_NUM_FLD];
>> +	int i;
>> +	unsigned size;
>> +
>> +	nb_lcore_params = 0;
>> +
>> +	while ((p = strchr(p0, '(')) != NULL) {
>> +		++p;
>> +		p0 = strchr(p, ')');
>> +		if (p0 == NULL)
>> +			return -1;
>> +
>> +		size = p0 - p;
>> +		if (size >= sizeof(s))
>> +			return -1;
>> +
>> +		snprintf(s, sizeof(s), "%.*s", size, p);
>> +		if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') !=
>> +				_NUM_FLD)
>> +			return -1;
>> +		for (i = 0; i < _NUM_FLD; i++) {
>> +			errno = 0;
>> +			int_fld[i] = strtoul(str_fld[i], &end, 0);
>> +			if (errno != 0 || end == str_fld[i] || int_fld[i] > 255)
>> +				return -1;
>> +		}
>> +		if (nb_lcore_params >= MAX_LCORE_PARAMS) {
>> +			printf("exceeded max number of lcore params: %hu\n",
>> +				nb_lcore_params);
>> +			return -1;
>> +		}
>> +		lcore_params_array[nb_lcore_params].port_id =
>> +			(uint8_t)int_fld[FLD_PORT];
>> +		lcore_params_array[nb_lcore_params].queue_id =
>> +			(uint8_t)int_fld[FLD_QUEUE];
>> +		lcore_params_array[nb_lcore_params].lcore_id =
>> +			(uint8_t)int_fld[FLD_LCORE];
>> +		++nb_lcore_params;
>> +	}
>> +	lcore_params = lcore_params_array;
>> +	return 0;
>> +}
>> +
>> +#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt)))
>> +static int
>> +parse_args_long_options(struct option *lgopts, int option_index)
>> +{
>> +	int ret = -1;
>> +	const char *optname = lgopts[option_index].name;
>> +
>> +	if (__STRNCMP(optname, OPTION_CONFIG)) {
>> +		ret = parse_config(optarg);
>> +		if (ret)
>> +			printf("invalid config\n");
>> +	}
>> +
>> +	if (__STRNCMP(optname, OPTION_EP0)) {
>> +		printf("endpoint 0\n");
>> +		ep = 0;
>> +		ret = 0;
>> +	}
>> +
>> +	if (__STRNCMP(optname, OPTION_EP1)) {
>> +		printf("endpoint 1\n");
>> +		ep = 1;
>> +		ret = 0;
>> +	}
>> +
>> +	if (__STRNCMP(optname, OPTION_CDEV_TYPE)) {
>> +		if (__STRNCMP(optarg, "AESNI")) {
>> +			cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD;
>> +			ret = 0;
>> +		} else if (__STRNCMP(optarg, "QAT")) {
>> +			cdev_type = RTE_CRYPTODEV_QAT_PMD;
>> +			ret = 0;
>> +		}
>> +	}
>> +
>> +	return ret;
>> +}
>> +#undef __STRNCMP
>> +
>> +static int
>> +parse_args(int argc, char **argv)
>> +{
>> +	int opt, ret;
>> +	char **argvopt;
>> +	int option_index;
>> +	char *prgname = argv[0];
>> +	static struct option lgopts[] = {
>> +		{OPTION_CONFIG, 1, 0, 0},
>> +		{OPTION_EP0, 0, 0, 0},
>> +		{OPTION_EP1, 0, 0, 0},
>> +		{OPTION_CDEV_TYPE, 1, 0, 0},
>> +		{NULL, 0, 0, 0}
>> +	};
>> +
>> +	argvopt = argv;
>> +
>> +	while ((opt = getopt_long(argc, argvopt, "p:Pu:",
>> +				lgopts, &option_index)) != EOF) {
>> +
>> +		switch (opt) {
>> +		case 'p':
>> +			enabled_port_mask = parse_portmask(optarg);
>> +			if (enabled_port_mask == 0) {
>> +				printf("invalid portmask\n");
>> +				print_usage(prgname);
>> +				return -1;
>> +			}
>> +			break;
>> +		case 'P':
>> +			printf("Promiscuous mode selected\n");
>> +			promiscuous_on = 1;
>> +			break;
>> +		case 'u':
>> +			unprotected_port_mask = parse_portmask(optarg);
>> +			if (unprotected_port_mask == 0) {
>> +				printf("invalid unprotected portmask\n");
>> +				print_usage(prgname);
>> +				return -1;
>> +			}
>> +			break;
>> +		case 0:
>> +			if (parse_args_long_options(lgopts, option_index)) {
>> +				print_usage(prgname);
>> +				return -1;
>> +			}
>> +			break;
>> +		default:
>> +			print_usage(prgname);
>> +			return -1;
>> +		}
>> +	}
>> +
>> +	if (optind >= 0)
>> +		argv[optind-1] = prgname;
>> +
>> +	ret = optind-1;
>> +	optind = 0; /* reset getopt lib */
>> +	return ret;
>> +}
>> +
>> +static void
>> +print_ethaddr(const char *name, const struct ether_addr *eth_addr)
>> +{
>> +	char buf[ETHER_ADDR_FMT_SIZE];
>> +	ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
>> +	printf("%s%s", name, buf);
>> +}
>> +
>> +/* Check the link status of all ports in up to 9s, and print them finally */
>> +static void
>> +check_all_ports_link_status(uint8_t port_num, uint32_t port_mask)
>> +{
>> +#define CHECK_INTERVAL 100 /* 100ms */
>> +#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */
>> +	uint8_t portid, count, all_ports_up, print_flag = 0;
>> +	struct rte_eth_link link;
>> +
>> +	printf("\nChecking link status");
>> +	fflush(stdout);
>> +	for (count = 0; count <= MAX_CHECK_TIME; count++) {
>> +		all_ports_up = 1;
>> +		for (portid = 0; portid < port_num; portid++) {
>> +			if ((port_mask & (1 << portid)) == 0)
>> +				continue;
>> +			memset(&link, 0, sizeof(link));
>> +			rte_eth_link_get_nowait(portid, &link);
>> +			/* print link status if flag set */
>> +			if (print_flag == 1) {
>> +				if (link.link_status)
>> +					printf("Port %d Link Up - speed %u "
>> +						"Mbps - %s\n", (uint8_t)portid,
>> +						(unsigned)link.link_speed,
>> +				(link.link_duplex == ETH_LINK_FULL_DUPLEX) ?
>> +					("full-duplex") : ("half-duplex\n"));
>> +				else
>> +					printf("Port %d Link Down\n",
>> +						(uint8_t)portid);
>> +				continue;
>> +			}
>> +			/* clear all_ports_up flag if any link down */
>> +			if (link.link_status == 0) {
>> +				all_ports_up = 0;
>> +				break;
>> +			}
>> +		}
>> +		/* after finally printing all link status, get out */
>> +		if (print_flag == 1)
>> +			break;
>> +
>> +		if (all_ports_up == 0) {
>> +			printf(".");
>> +			fflush(stdout);
>> +			rte_delay_ms(CHECK_INTERVAL);
>> +		}
>> +
>> +		/* set the print_flag if all ports up or timeout */
>> +		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) {
>> +			print_flag = 1;
>> +			printf("done\n");
>> +		}
>> +	}
>> +}
>> +
>> +static uint16_t
>> +find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id)
>> +{
>> +	uint16_t cdev_id, cnt;
>> +	struct rte_cryptodev_info info;
>> +
>> +	cnt = rte_cryptodev_count();
>> +	for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) {
>> +		rte_cryptodev_info_get(cdev_id, &info);
>> +		if (info.dev_type == cdev_type)
>> +			return cdev_id;
>> +	}
>> +
>> +	return -1;
>> +}
>> +
>> +static uint16_t
>> +find_cdev_socket(int socket_id, unsigned cdev_type)
>> +{
>> +	uint16_t cdev_id, cnt;
>> +	struct rte_cryptodev_info info;
>> +	int cdev_socket;
>> +
>> +	cnt = rte_cryptodev_count();
>> +	for (cdev_id = 0; cdev_id < cnt; cdev_id++) {
>> +		rte_cryptodev_info_get(cdev_id, &info);
>> +		cdev_socket = rte_cryptodev_socket_id(cdev_id);
>> +		if ((info.dev_type == cdev_type) && (cdev_socket == socket_id))
>> +			return cdev_id;
>> +	}
>> +
>> +	return -1;
>> +}
>> +
>> +static int
>> +cryptodevs_init(void)
>> +{
>> +	struct rte_cryptodev_config dev_conf;
>> +	struct rte_cryptodev_qp_conf qp_conf;
>> +	struct lcore_conf *qconf;
>> +	uint16_t cnt, lcore_id, cdev_id;
>> +	int ret, i, socket_id;
>> +
>> +	if (cdev_type == RTE_CRYPTODEV_QAT_PMD) {
>> +		cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD);
>> +		printf("Found %u QAT devices\n", cnt);
>> +		if (cnt < nb_lcores)
>> +			rte_panic("Not enough QAT devices detected, "
>> +					"need %u (1 per core), found %d\n",
>> +					nb_lcores, cnt);
>> +	} else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
>> +		printf("Initializing %u AESNI vdevs\n", rte_lcore_count());
> Is it possible to remove PMD specific Initialization code from the
> application and move driver layer so that new crypto pmd inclusion will
> not have any change in this place.

Yes, it should be possible now that we have:
http://dpdk.org/ml/archives/dev/2016-January/032448.html

I also plan to rework the code a bit to use the new cryptodev API:
http://dpdk.org/ml/archives/dev/2016-January/032445.html

>> +		for (i = 0; i < (int)rte_lcore_count(); i++) {
>> +			ret = rte_eal_vdev_init(
>> +					CRYPTODEV_NAME_AESNI_MB_PMD,
>> +					NULL);
>> +			if (ret < 0)
>> +				rte_panic("Failed to create AESNI-MB vdev\n");
>> +		}
>> +	} else
>> +		rte_panic("Need to set cryptodev type option --cdev\n");
>> +
>> +	cdev_id = 0;
>> +	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
>> +		if (rte_lcore_is_enabled(lcore_id) == 0)
>> +			continue;
>> +
>> +		socket_id = rte_lcore_to_socket_id(lcore_id);
>> +		cdev_id = find_next_cdev(cdev_type, cdev_id);
>> +		qconf = &lcore_conf[lcore_id];
>> +		qconf->cdev = cdev_id;
>> +		qconf->cdev_q = 0;
>> +		if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
>> +			dev_conf.socket_id = socket_id;
>> +			printf("Initializing AESNI-MB device %u socket %u\n",
>> +					cdev_id, socket_id);
>> +		} else {
>> +			dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
>> +			printf("Initialising QAT device %u\n", cdev_id);
>> +		}
>> +
>> +		dev_conf.nb_queue_pairs = 1;
>> +		dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS;
>> +		dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ;
>> +
>> +		if (rte_cryptodev_configure(cdev_id, &dev_conf))
>> +			rte_panic("Failed to initialize crypodev %u\n",
>> +					cdev_id);
>> +
>> +		qp_conf.nb_descriptors = CDEV_MP_NB_OBJS;
>> +		if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf,
>> +					dev_conf.socket_id))
>> +			rte_panic("Failed to setup queue %u for cdev_id %u\n",
>> +					0, cdev_id);
>> +		cdev_id++;
>> +	}
>> +
>> +	return 0;
>> +}
>> +
>> +static void
>> +port_init(uint8_t portid)
>> +{
>> +	struct rte_eth_dev_info dev_info;
>> +	struct rte_eth_txconf *txconf;
>> +	uint16_t nb_tx_queue, nb_rx_queue;
>> +	uint16_t tx_queueid, rx_queueid, queue, lcore_id;
>> +	int ret, socket_id;
>> +	struct lcore_conf *qconf;
>> +	struct ether_addr ethaddr;
>> +
>> +	rte_eth_dev_info_get(portid, &dev_info);
>> +
>> +	printf("Configuring device port %u:\n", portid);
>> +
>> +	rte_eth_macaddr_get(portid, &ethaddr);
>> +	ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
>> +	print_ethaddr("Address: ", &ethaddr);
>> +	printf("\n");
>> +
>> +	nb_rx_queue = get_port_nb_rx_queues(portid);
>> +	nb_tx_queue = nb_lcores;
>> +
>> +	if (nb_rx_queue > dev_info.max_rx_queues)
>> +		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
>> +				"(max rx queue is %u)\n",
>> +				nb_rx_queue, dev_info.max_rx_queues);
>> +
>> +	if (nb_tx_queue > dev_info.max_tx_queues)
>> +		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
>> +				"(max tx queue is %u)\n",
>> +				nb_tx_queue, dev_info.max_tx_queues);
>> +
>> +	printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n",
>> +			nb_rx_queue, nb_tx_queue);
>> +
>> +	ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue,
>> +			&port_conf);
>> +	if (ret < 0)
>> +		rte_exit(EXIT_FAILURE, "Cannot configure device: "
>> +				"err=%d, port=%d\n", ret, portid);
>> +
>> +	/* init one TX queue per lcore */
>> +	tx_queueid = 0;
>> +	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
>> +		if (rte_lcore_is_enabled(lcore_id) == 0)
>> +			continue;
>> +
>> +		if (numa_on)
>> +			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
>> +		else
>> +			socket_id = 0;
>> +
>> +		/* init TX queue */
>> +		printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id);
>> +
>> +		txconf = &dev_info.default_txconf;
>> +		txconf->txq_flags = 0;
>> +
>> +		ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd,
>> +				socket_id, txconf);
>> +		if (ret < 0)
>> +			rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: "
>> +					"err=%d, port=%d\n", ret, portid);
>> +
>> +		qconf = &lcore_conf[lcore_id];
>> +		qconf->tx_queue_id[portid] = tx_queueid;
>> +		tx_queueid++;
>> +
>> +		/* init RX queues */
>> +		for (queue = 0; queue < qconf->nb_rx_queue; ++queue) {
>> +			if (portid != qconf->rx_queue_list[queue].port_id)
>> +				continue;
>> +
>> +			rx_queueid = qconf->rx_queue_list[queue].queue_id;
>> +
>> +			printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid,
>> +					socket_id);
>> +
>> +			ret = rte_eth_rx_queue_setup(portid, rx_queueid,
>> +					nb_rxd,	socket_id, NULL,
>> +					socket_ctx[socket_id].mbuf_pool);
>> +			if (ret < 0)
>> +				rte_exit(EXIT_FAILURE,
>> +					"rte_eth_rx_queue_setup: err=%d, "
>> +					"port=%d\n", ret, portid);
>> +		}
>> +	}
>> +	printf("\n");
>> +}
>> +
>> +static void
>> +pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf)
>> +{
>> +	char s[64];
>> +
>> +	snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id);
>> +	ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf,
>> +			MEMPOOL_CACHE_SIZE, ipsec_metadata_size(),
>> +			RTE_MBUF_DEFAULT_BUF_SIZE,
>> +			socket_id);
>> +	if (ctx->mbuf_pool == NULL)
>> +		rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n",
>> +				socket_id);
>> +	else
>> +		printf("Allocated mbuf pool on socket %d\n", socket_id);
>> +}
>> +
>> +int
>> +main(int argc, char **argv)
>> +{
>> +	int ret;
>> +	unsigned lcore_id, nb_ports;
>> +	uint8_t portid, socket_id;
>> +
>> +	/* init EAL */
>> +	ret = rte_eal_init(argc, argv);
>> +	if (ret < 0)
>> +		rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n");
>> +	argc -= ret;
>> +	argv += ret;
>> +
>> +	/* parse application arguments (after the EAL ones) */
>> +	ret = parse_args(argc, argv);
>> +	if (ret < 0)
>> +		rte_exit(EXIT_FAILURE, "Invalid parameters\n");
>> +
>> +	if (ep < 0)
>> +		rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n");
>> +
>> +	if ((unprotected_port_mask & enabled_port_mask) !=
>> +			unprotected_port_mask)
>> +		rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n",
>> +				unprotected_port_mask);
>> +
>> +	nb_ports = rte_eth_dev_count();
>> +	if (nb_ports > RTE_MAX_ETHPORTS)
>> +		nb_ports = RTE_MAX_ETHPORTS;
>> +
>> +	if (check_params() < 0)
>> +		rte_exit(EXIT_FAILURE, "check_params failed\n");
>> +
>> +	ret = init_lcore_rx_queues();
>> +	if (ret < 0)
>> +		rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n");
>> +
>> +	nb_lcores = rte_lcore_count();
>> +
>> +	cryptodevs_init();
>> +
>> +	/* Replicate each contex per socket */
>> +	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
>> +		if (rte_lcore_is_enabled(lcore_id) == 0)
>> +			continue;
>> +
>> +		if (numa_on)
>> +			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
>> +		else
>> +			socket_id = 0;
>> +
>> +		if (socket_ctx[socket_id].mbuf_pool)
>> +			continue;
>> +
>> +		sa_init(&socket_ctx[socket_id], socket_id, ep,
>> +				find_cdev_socket(socket_id, cdev_type));
>> +
>> +		sp_init(&socket_ctx[socket_id], socket_id, ep);
>> +
>> +		rt_init(&socket_ctx[socket_id], socket_id, ep);
>> +
>> +		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
>> +	}
>> +
>> +	for (portid = 0; portid < nb_ports; portid++) {
>> +		if ((enabled_port_mask & (1 << portid)) == 0)
>> +			continue;
>> +
>> +		port_init(portid);
>> +	}
>> +
>> +	/* start ports */
>> +	for (portid = 0; portid < nb_ports; portid++) {
>> +		if ((enabled_port_mask & (1 << portid)) == 0)
>> +			continue;
>> +
>> +		/* Start device */
>> +		ret = rte_eth_dev_start(portid);
>> +		if (ret < 0)
>> +			rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
>> +					"err=%d, port=%d\n", ret, portid);
>> +		/*
>> +		 * If enabled, put device in promiscuous mode.
>> +		 * This allows IO forwarding mode to forward packets
>> +		 * to itself through 2 cross-connected  ports of the
>> +		 * target machine.
>> +		 */
>> +		if (promiscuous_on)
>> +			rte_eth_promiscuous_enable(portid);
>> +	}
>> +
>> +	check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask);
>> +
>> +	/* launch per-lcore init on every lcore */
>> +	rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER);
>> +	RTE_LCORE_FOREACH_SLAVE(lcore_id) {
>> +		if (rte_eal_wait_lcore(lcore_id) < 0)
>> +			return -1;
>> +	}
>> +
>> +	return 0;
>> +}
>> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
>> new file mode 100644
>> index 0000000..83e3326
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/ipsec.c
>> @@ -0,0 +1,138 @@
>> +/*-
>> + *   BSD LICENSE
>> + *
>> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> + *   All rights reserved.
>> + *
>> + *   Redistribution and use in source and binary forms, with or without
>> + *   modification, are permitted provided that the following conditions
>> + *   are met:
>> + *
>> + *     * Redistributions of source code must retain the above copyright
>> + *       notice, this list of conditions and the following disclaimer.
>> + *     * Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> + *       the documentation and/or other materials provided with the
>> + *       distribution.
>> + *     * Neither the name of Intel Corporation nor the names of its
>> + *       contributors may be used to endorse or promote products derived
>> + *       from this software without specific prior written permission.
>> + *
>> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +
>> +#include <netinet/in.h>
>> +#include <netinet/ip.h>
>> +
>> +#include <rte_branch_prediction.h>
>> +#include <rte_log.h>
>> +#include <rte_crypto.h>
>> +#include <rte_cryptodev.h>
>> +#include <rte_mbuf.h>
>> +
>> +#include "ipsec.h"
>> +
>> +static inline uint16_t
>> +ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[],
>> +		struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts)
>> +{
>> +	int ret, i, j;
>> +	struct ipsec_mbuf_metadata *priv;
>> +	struct rte_mbuf_offload *ol;
>> +	struct ipsec_sa *sa;
>> +
>> +	j = 0;
>> +	for (i = 0; i < nb_pkts; i++) {
>> +		rte_prefetch0(sas[i]);
>> +		rte_prefetch0(pkts[i]);
>> +
>> +		priv = get_priv(pkts[i]);
>> +		ol = &priv->ol;
>> +		sa = sas[i];
>> +		priv->sa = sa;
>> +
>> +		IPSEC_ASSERT(sa != NULL);
>> +
>> +		__rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO);
>> +
>> +		rte_crypto_op_attach_session(&ol->op.crypto,
>> +				sa->crypto_session);
>> +
>> +		pkts[i]->offload_ops = ol;
>> +
>> +		ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto);
>> +		if (unlikely(ret))
>> +			rte_pktmbuf_free(pkts[i]);
>> +		else
>> +			pkts[j++] = pkts[i];
>> +	}
>> +	nb_pkts = j;
>> +
>> +	ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts);
>> +	if (ret < nb_pkts) {
>> +		IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
>> +				" enqueued %u packets (out of %u)\n",
>> +				 cdev_id, qp_id, ret, nb_pkts);
>> +		for (i = ret; i < nb_pkts; i++)
>> +			rte_pktmbuf_free(pkts[i]);
>> +	}
>> +
>> +	nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts);
>> +	if ((nb_pkts != 0) && (nb_pkts < max_pkts))
>> +		IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
>> +				" dequeued %u packets (out of %u)\n",
>> +				 cdev_id, qp_id, nb_pkts, max_pkts);
>> +
>> +	j = 0;
>> +	for (i = 0; i < nb_pkts; i++) {
>> +		rte_prefetch0(pkts[i]);
>> +
>> +		priv = get_priv(pkts[i]);
>> +		ol = &priv->ol;
>> +		sa = priv->sa;
>> +		rte_prefetch0(sa);
>> +
>> +		IPSEC_ASSERT(sa != NULL);
>> +
>> +		ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto);
>> +		if (unlikely(ret))
>> +			rte_pktmbuf_free(pkts[i]);
>> +		else
>> +			pkts[j++] = pkts[i];
>> +	}
>> +
>> +	/* return packets */
>> +	return j;
>> +}
>> +
>> +uint16_t
>> +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
>> +		uint16_t nb_pkts, uint16_t len)
>> +{
>> +	struct ipsec_sa *sas[nb_pkts];
>> +
>> +	inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts);
>> +
>> +	return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
>> +}
>> +
>> +uint16_t
>> +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
>> +		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len)
>> +{
>> +	struct ipsec_sa *sas[nb_pkts];
>> +
>> +	outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts);
>> +
>> +	return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
>> +}
>> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
>> new file mode 100644
>> index 0000000..abf9d5f
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/ipsec.h
>> @@ -0,0 +1,184 @@
>> +/*-
>> + *   BSD LICENSE
>> + *
>> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> + *   All rights reserved.
>> + *
>> + *   Redistribution and use in source and binary forms, with or without
>> + *   modification, are permitted provided that the following conditions
>> + *   are met:
>> + *
>> + *     * Redistributions of source code must retain the above copyright
>> + *       notice, this list of conditions and the following disclaimer.
>> + *     * Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> + *       the documentation and/or other materials provided with the
>> + *       distribution.
>> + *     * Neither the name of Intel Corporation nor the names of its
>> + *       contributors may be used to endorse or promote products derived
>> + *       from this software without specific prior written permission.
>> + *
>> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +
>> +#ifndef __IPSEC_H__
>> +#define __IPSEC_H__
>> +
>> +#include <stdint.h>
>> +#include <netinet/in.h>
>> +#include <netinet/ip.h>
>> +
>> +#include <rte_mbuf_offload.h>
>> +#include <rte_byteorder.h>
>> +#include <rte_ip.h>
>> +
>> +#define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
>> +#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
>> +#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3
>> +
>> +#ifdef IPSEC_DEBUG
>> +#define IPSEC_ASSERT(exp)                                            \
>> +if (!(exp)) {                                                        \
>> +	rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \
>> +}
>> +
>> +#define IPSEC_LOG RTE_LOG
>> +#else
>> +#define IPSEC_ASSERT(exp) do {} while (0)
>> +#define IPSEC_LOG(...) do {} while (0)
>> +#endif /* IPSEC_DEBUG */
>> +
>> +#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
>> +
>> +#define uint32_t_to_char(ip, a, b, c, d) do {\
>> +		*a = (unsigned char)(ip >> 24 & 0xff);\
>> +		*b = (unsigned char)(ip >> 16 & 0xff);\
>> +		*c = (unsigned char)(ip >> 8 & 0xff);\
>> +		*d = (unsigned char)(ip & 0xff);\
>> +	} while (0)
>> +
>> +#define DEFAULT_MAX_CATEGORIES	1
>> +
>> +#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */
>> +#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
>> +#define INVALID_SPI (0)
>> +
>> +#define DISCARD (0x80000000)
>> +#define BYPASS (0x40000000)
>> +#define PROTECT_MASK (0x3fffffff)
>> +#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */
>> +
>> +#define IPSEC_XFORM_MAX 2
>> +
>> +struct rte_crypto_xform;
>> +struct ipsec_xform;
>> +struct rte_cryptodev_session;
>> +struct rte_mbuf;
>> +
>> +struct replay {
>> +	uint32_t seq_h;
>> +};
>> +
>> +struct lifetime {
>> +	uint64_t bytes;
>> +	uint64_t seconds;
>> +};
>> +
>> +struct ipsec_sa;
>> +
>> +typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
>> +		struct rte_crypto_op *cop);
>> +
>> +struct ipsec_sa {
>> +	uint32_t spi;
>> +	uint32_t seq;
>> +	uint32_t src;
>> +	uint32_t dst;
>> +	struct rte_cryptodev_session *crypto_session;
>> +	struct rte_crypto_xform *xforms;
>> +	enum rte_crypto_cipher_algorithm cipher_algo;
>> +	enum rte_crypto_auth_algorithm auth_algo;
>> +	uint16_t digest_len;
>> +	uint16_t iv_len;
>> +	uint16_t block_size;
>> +	ipsec_xform_fn pre_crypto;
>> +	ipsec_xform_fn post_crypto;
>> +	uint32_t flags;
>> +	/* does not apply if no automated SA management (IKE) support */
>> +	struct lifetime current;
>> +	struct lifetime soft;
>> +	struct lifetime hard;
>> +	struct replay replay;
>> +} __rte_cache_aligned;
>> +
>> +struct ipsec_mbuf_metadata {
>> +	struct ipsec_sa *sa;
>> +	struct rte_mbuf_offload ol;
>> +};
>> +
>> +struct ipsec_ctx {
>> +	uint16_t cdev;
>> +	uint16_t queue;
>> +	struct sa_ctx *sa_ctx;
>> +};
>> +
>> +struct socket_ctx {
>> +	struct sa_ctx *sa_ipv4_in;
>> +	struct sa_ctx *sa_ipv4_out;
>> +	struct sp_ctx *sp_ipv4_in;
>> +	struct sp_ctx *sp_ipv4_out;
>> +	struct rt_ctx *rt_ipv4;
>> +	struct rte_mempool *mbuf_pool;
>> +};
>> +
>> +uint16_t
>> +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
>> +		uint16_t nb_pkts, uint16_t len);
>> +
>> +uint16_t
>> +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
>> +		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
>> +
>> +static inline uint16_t
>> +ipsec_metadata_size(void)
>> +{
>> +	return sizeof(struct ipsec_mbuf_metadata);
>> +}
>> +
>> +static inline struct ipsec_mbuf_metadata *
>> +get_priv(struct rte_mbuf *m)
>> +{
>> +	return RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
>> +}
>> +
>> +int
>> +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
>> +
>> +void
>> +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
>> +		struct ipsec_sa *sa[], uint16_t nb_pkts);
>> +
>> +void
>> +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
>> +		struct ipsec_sa *sa[], uint16_t nb_pkts);
>> +
>> +void
>> +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
>> +
>> +void
>> +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id);
>> +
>> +void
>> +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
>> +
>> +#endif /* __IPSEC_H__ */
>> diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c
>> new file mode 100644
>> index 0000000..82064b2
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/rt.c
>> @@ -0,0 +1,131 @@
>> +/*-
>> + *   BSD LICENSE
>> + *
>> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> + *   All rights reserved.
>> + *
>> + *   Redistribution and use in source and binary forms, with or without
>> + *   modification, are permitted provided that the following conditions
>> + *   are met:
>> + *
>> + *     * Redistributions of source code must retain the above copyright
>> + *       notice, this list of conditions and the following disclaimer.
>> + *     * Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> + *       the documentation and/or other materials provided with the
>> + *       distribution.
>> + *     * Neither the name of Intel Corporation nor the names of its
>> + *       contributors may be used to endorse or promote products derived
>> + *       from this software without specific prior written permission.
>> + *
>> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +
>> +/*
>> + * Routing Table (RT)
>> + */
>> +#include <rte_lpm.h>
>> +#include <rte_errno.h>
>> +
>> +#include "ipsec.h"
>> +
>> +#define RT_IPV4_MAX_RULES         64
>> +
>> +struct ipv4_route {
>> +	uint32_t ip;
>> +	uint8_t  depth;
>> +	uint8_t  if_out;
>> +};
>> +
>> +/* In the default routing table we have:
>> + * ep0 protected ports 0 and 1, and unprotected ports 2 and 3.
>> + */
>> +static struct ipv4_route rt_ipv4_ep0[] = {
>> +	{ IPv4(172, 16, 2, 5), 32, 0 },
>> +	{ IPv4(172, 16, 2, 6), 32, 0 },
>> +	{ IPv4(172, 16, 2, 7), 32, 1 },
>> +	{ IPv4(172, 16, 2, 8), 32, 1 },
>> +
>> +	{ IPv4(192, 168, 115, 0), 24, 2 },
>> +	{ IPv4(192, 168, 116, 0), 24, 2 },
>> +	{ IPv4(192, 168, 117, 0), 24, 3 },
>> +	{ IPv4(192, 168, 118, 0), 24, 3 }
>> +};
>> +
>> +/* In the default routing table we have:
>> + * ep1 protected ports 0 and 1, and unprotected ports 2 and 3.
>> + */
>> +static struct ipv4_route rt_ipv4_ep1[] = {
>> +	{ IPv4(172, 16, 1, 5), 32, 2 },
>> +	{ IPv4(172, 16, 1, 6), 32, 2 },
>> +	{ IPv4(172, 16, 1, 7), 32, 3 },
>> +	{ IPv4(172, 16, 1, 8), 32, 3 },
>> +
>> +	{ IPv4(192, 168, 105, 0), 24, 0 },
>> +	{ IPv4(192, 168, 106, 0), 24, 0 },
>> +	{ IPv4(192, 168, 107, 0), 24, 1 },
>> +	{ IPv4(192, 168, 108, 0), 24, 1 }
>> +};
>> +
>> +void
>> +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
>> +{
>> +	char name[PATH_MAX];
>> +	unsigned i;
>> +	int ret;
>> +	struct rte_lpm *lpm;
>> +	struct ipv4_route *rt;
>> +	char a, b, c, d;
>> +	unsigned nb_routes;
>> +
>> +	if (ctx == NULL)
>> +		rte_exit(EXIT_FAILURE, "NULL context.\n");
>> +
>> +	if (ctx->rt_ipv4 != NULL)
>> +		rte_exit(EXIT_FAILURE, "Routing Table for socket %u already "
>> +			"initialized\n", socket_id);
>> +
>> +	printf("Creating Routing Table (RT) context with %u max routes\n",
>> +			RT_IPV4_MAX_RULES);
>> +
>> +	if (ep == 0) {
>> +		rt = rt_ipv4_ep0;
>> +		nb_routes = RTE_DIM(rt_ipv4_ep0);
>> +	} else if (ep == 1) {
>> +		rt = rt_ipv4_ep1;
>> +		nb_routes = RTE_DIM(rt_ipv4_ep1);
>> +	} else
>> +		rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 "
>> +			"supported.\n", ep);
>> +
>> +	/* create the LPM table */
>> +	snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id);
>> +	lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0);
>> +	if (lpm == NULL)
>> +		rte_exit(EXIT_FAILURE, "Unable to create LPM table "
>> +			"on socket %d\n", socket_id);
>> +
>> +	/* populate the LPM table */
>> +	for (i = 0; i < nb_routes; i++) {
>> +		ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out);
>> +		if (ret < 0)
>> +			rte_exit(EXIT_FAILURE, "Unable to add entry num %u to "
>> +				"LPM table on socket %d\n", i, socket_id);
>> +
>> +		uint32_t_to_char(rt[i].ip, &a, &b, &c, &d);
>> +		printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n",
>> +				a, b, c, d, rt[i].depth, rt[i].if_out);
>> +	}
>> +
>> +	ctx->rt_ipv4 = (struct rt_ctx *)lpm;
>> +}
>> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
>> new file mode 100644
>> index 0000000..5ea7592
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/sa.c
>> @@ -0,0 +1,391 @@
>> +/*-
>> + *   BSD LICENSE
>> + *
>> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> + *   All rights reserved.
>> + *
>> + *   Redistribution and use in source and binary forms, with or without
>> + *   modification, are permitted provided that the following conditions
>> + *   are met:
>> + *
>> + *     * Redistributions of source code must retain the above copyright
>> + *       notice, this list of conditions and the following disclaimer.
>> + *     * Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> + *       the documentation and/or other materials provided with the
>> + *       distribution.
>> + *     * Neither the name of Intel Corporation nor the names of its
>> + *       contributors may be used to endorse or promote products derived
>> + *       from this software without specific prior written permission.
>> + *
>> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +
>> +/*
>> + * Security Associations
>> + */
>> +#include <netinet/ip.h>
>> +
>> +#include <rte_memzone.h>
>> +#include <rte_crypto.h>
>> +#include <rte_cryptodev.h>
>> +#include <rte_byteorder.h>
>> +#include <rte_errno.h>
>> +
>> +#include "ipsec.h"
>> +#include "esp.h"
>> +
>> +/* SAs EP0 Outbound */
>> +const struct ipsec_sa sa_ep0_out[] = {
>> +	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_outbound_pre_crypto,
>> +		esp4_tunnel_outbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_outbound_pre_crypto,
>> +		esp4_tunnel_outbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_outbound_pre_crypto,
>> +		esp4_tunnel_outbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> IMO, a SA with NULL crypto (rfc2410) operation will be useful for ESP
> packet processing debugging and measuring the performance impact with
> the crypto block in fast path.
>

I couldn't agree more.

I'll add support for NULL crypto in the app with dependency on previously
mentioned cryptodev capabilities patch set and:
http://dpdk.org/ml/archives/dev/2016-January/032458.html

Sergio

>> +		12, 16, 16,
>> +		esp4_tunnel_outbound_pre_crypto,
>> +		esp4_tunnel_outbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
>> +};
>> +
>> +/* SAs EP0 Inbound */
>> +const struct ipsec_sa sa_ep0_in[] = {
>> +	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_inbound_pre_crypto,
>> +		esp4_tunnel_inbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_inbound_pre_crypto,
>> +		esp4_tunnel_inbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_inbound_pre_crypto,
>> +		esp4_tunnel_inbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_inbound_pre_crypto,
>> +		esp4_tunnel_inbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
>> +};
>> +
>> +/* SAs EP1 Outbound */
>> +const struct ipsec_sa sa_ep1_out[] = {
>> +	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_outbound_pre_crypto,
>> +		esp4_tunnel_outbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_outbound_pre_crypto,
>> +		esp4_tunnel_outbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_outbound_pre_crypto,
>> +		esp4_tunnel_outbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_outbound_pre_crypto,
>> +		esp4_tunnel_outbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
>> +};
>> +
>> +/* SAs EP1 Inbound */
>> +const struct ipsec_sa sa_ep1_in[] = {
>> +	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_inbound_pre_crypto,
>> +		esp4_tunnel_inbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_inbound_pre_crypto,
>> +		esp4_tunnel_inbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_inbound_pre_crypto,
>> +		esp4_tunnel_inbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
>> +	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
>> +		NULL, NULL,
>> +		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		12, 16, 16,
>> +		esp4_tunnel_inbound_pre_crypto,
>> +		esp4_tunnel_inbound_post_crypto,
>> +		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
>> +};
>> +
>> +static uint8_t cipher_key[256] = "sixteenbytes key";
>> +
>> +/* AES CBC xform */
>> +const struct rte_crypto_xform aescbc_enc_xf = {
>> +	NULL,
>> +	RTE_CRYPTO_XFORM_CIPHER,
>> +	.cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
>> +		.key = { cipher_key, 0, 16 } }
>> +};
>> +
>> +const struct rte_crypto_xform aescbc_dec_xf = {
>> +	NULL,
>> +	RTE_CRYPTO_XFORM_CIPHER,
>> +	.cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
>> +		.key = { cipher_key, 0, 16 } }
>> +};
>> +
>> +static uint8_t auth_key[256] = "twentybytes hash key";
>> +
>> +/* SHA1 HMAC xform */
>> +const struct rte_crypto_xform sha1hmac_gen_xf = {
>> +	NULL,
>> +	RTE_CRYPTO_XFORM_AUTH,
>> +	.auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		.key = { auth_key, 0, 20 }, 12, 0 }
>> +};
>> +
>> +const struct rte_crypto_xform sha1hmac_verify_xf = {
>> +	NULL,
>> +	RTE_CRYPTO_XFORM_AUTH,
>> +	.auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC,
>> +		.key = { auth_key, 0, 20 }, 12, 0 }
>> +};
>> +
>> +struct sa_ctx {
>> +	struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES];
>> +	struct {
>> +		struct rte_crypto_xform a;
>> +		struct rte_crypto_xform b;
>> +	} xf[IPSEC_SA_MAX_ENTRIES];
>> +};
>> +
>> +static struct sa_ctx *
>> +sa_ipv4_create(const char *name, int socket_id)
>> +{
>> +	char s[PATH_MAX];
>> +	struct sa_ctx *sa_ctx;
>> +	unsigned mz_size;
>> +	const struct rte_memzone *mz;
>> +
>> +	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
>> +
>> +	/* Create SA array table */
>> +	printf("Creating SA context with %u maximum entries\n",
>> +			IPSEC_SA_MAX_ENTRIES);
>> +
>> +	mz_size = sizeof(struct sa_ctx);
>> +	mz = rte_memzone_reserve(s, mz_size, socket_id,
>> +			RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
>> +	if (mz == NULL) {
>> +		printf("Failed to allocate SA DB memory\n");
>> +		rte_errno = -ENOMEM;
>> +		return NULL;
>> +	}
>> +
>> +	sa_ctx = (struct sa_ctx *)mz->addr;
>> +
>> +	return sa_ctx;
>> +}
>> +
>> +static int
>> +sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
>> +		unsigned nb_entries, uint16_t cdev_id, unsigned inbound)
>> +{
>> +	struct ipsec_sa *sa;
>> +	unsigned i, idx;
>> +
>> +	for (i = 0; i < nb_entries; i++) {
>> +		idx = SPI2IDX(entries[i].spi);
>> +		sa = &sa_ctx->sa[idx];
>> +		if (sa->spi != 0) {
>> +			printf("Index %u already in use by SPI %u\n",
>> +					idx, sa->spi);
>> +			return -EINVAL;
>> +		}
>> +		*sa = entries[i];
>> +		sa->src = rte_cpu_to_be_32(sa->src);
>> +		sa->dst = rte_cpu_to_be_32(sa->dst);
>> +		if (inbound) {
>> +			sa_ctx->xf[idx].a = sha1hmac_verify_xf;
>> +			sa_ctx->xf[idx].b = aescbc_dec_xf;
>> +		} else { /* outbound */
>> +			sa_ctx->xf[idx].a = aescbc_enc_xf;
>> +			sa_ctx->xf[idx].b = sha1hmac_gen_xf;
>> +		}
>> +		sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
>> +		sa_ctx->xf[idx].b.next = NULL;
>> +		sa->xforms = &sa_ctx->xf[idx].a;
>> +
>> +		sa->crypto_session = rte_cryptodev_session_create(cdev_id,
>> +				sa->xforms);
>> +	}
>> +
>> +	return 0;
>> +}
>> +
>> +static inline int
>> +sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
>> +		unsigned nb_entries, uint16_t cdev_id)
>> +{
>> +	return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0);
>> +}
>> +
>> +static inline int
>> +sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
>> +		unsigned nb_entries, uint16_t cdev_id)
>> +{
>> +	return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1);
>> +}
>> +
>> +void
>> +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id)
>> +{
>> +	const struct ipsec_sa *sa_out_entries, *sa_in_entries;
>> +	unsigned nb_out_entries, nb_in_entries;
>> +	const char *name;
>> +
>> +	if (ctx == NULL)
>> +		rte_exit(EXIT_FAILURE, "NULL context.\n");
>> +
>> +	if (ctx->sa_ipv4_in != NULL)
>> +		rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already "
>> +				"initialized\n", socket_id);
>> +
>> +	if (ctx->sa_ipv4_out != NULL)
>> +		rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already "
>> +				"initialized\n", socket_id);
>> +
>> +	if (ep == 0) {
>> +		sa_out_entries = sa_ep0_out;
>> +		nb_out_entries = RTE_DIM(sa_ep0_out);
>> +		sa_in_entries = sa_ep0_in;
>> +		nb_in_entries = RTE_DIM(sa_ep0_in);
>> +	} else if (ep == 1) {
>> +		sa_out_entries = sa_ep1_out;
>> +		nb_out_entries = RTE_DIM(sa_ep1_out);
>> +		sa_in_entries = sa_ep1_in;
>> +		nb_in_entries = RTE_DIM(sa_ep1_in);
>> +	} else
>> +		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
>> +				"Only 0 or 1 supported.\n", ep);
>> +
>> +	name = "sa_ipv4_in";
>> +	ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id);
>> +	if (ctx->sa_ipv4_in == NULL)
>> +		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
>> +				"in socket %d\n", rte_errno, name, socket_id);
>> +
>> +	name = "sa_ipv4_out";
>> +	ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id);
>> +	if (ctx->sa_ipv4_out == NULL)
>> +		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
>> +				"in socket %d\n", rte_errno, name, socket_id);
>> +
>> +	sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries,
>> +			nb_in_entries, cdev_id);
>> +
>> +	sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries,
>> +			nb_out_entries, cdev_id);
>> +}
>> +
>> +int
>> +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx)
>> +{
>> +	struct ipsec_mbuf_metadata *priv;
>> +
>> +	priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
>> +
>> +	return (sa_ctx->sa[sa_idx].spi == priv->sa->spi);
>> +}
>> +
>> +void
>> +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
>> +		struct ipsec_sa *sa[], uint16_t nb_pkts)
>> +{
>> +	unsigned i;
>> +	uint32_t *src, spi;
>> +
>> +	for (i = 0; i < nb_pkts; i++) {
>> +		spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *,
>> +				sizeof(struct ip))->spi;
>> +		if (spi == INVALID_SPI)
>> +			continue;
>> +
>> +		sa[i] = &sa_ctx->sa[SPI2IDX(spi)];
>> +		if (spi != sa[i]->spi) {
>> +			sa[i] = NULL;
>> +			continue;
>> +		}
>> +
>> +		src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *,
>> +				offsetof(struct ip, ip_src));
>> +		if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1)))
>> +			sa[i] = NULL;
>> +	}
>> +}
>> +
>> +void
>> +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
>> +		struct ipsec_sa *sa[], uint16_t nb_pkts)
>> +{
>> +	unsigned i;
>> +
>> +	for (i = 0; i < nb_pkts; i++)
>> +		sa[i] = &sa_ctx->sa[sa_idx[i]];
>> +}
>> diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c
>> new file mode 100644
>> index 0000000..219e478
>> --- /dev/null
>> +++ b/examples/ipsec-secgw/sp.c
>> @@ -0,0 +1,324 @@
>> +/*-
>> + *   BSD LICENSE
>> + *
>> + *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
>> + *   All rights reserved.
>> + *
>> + *   Redistribution and use in source and binary forms, with or without
>> + *   modification, are permitted provided that the following conditions
>> + *   are met:
>> + *
>> + *     * Redistributions of source code must retain the above copyright
>> + *       notice, this list of conditions and the following disclaimer.
>> + *     * Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> + *       the documentation and/or other materials provided with the
>> + *       distribution.
>> + *     * Neither the name of Intel Corporation nor the names of its
>> + *       contributors may be used to endorse or promote products derived
>> + *       from this software without specific prior written permission.
>> + *
>> + *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> + *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>> + *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
>> + *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
>> + *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>> + *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
>> + *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>> + *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>> + *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> + *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +
>> +/*
>> + * Security Policies
>> + */
>> +#include <netinet/ip.h>
>> +
>> +#include <rte_acl.h>
>> +
>> +#include "ipsec.h"
>> +
>> +#define MAX_ACL_RULE_NUM	1000
>> +
>> +/*
>> + * Rule and trace formats definitions.
>> + */
>> +enum {
>> +	PROTO_FIELD_IPV4,
>> +	SRC_FIELD_IPV4,
>> +	DST_FIELD_IPV4,
>> +	SRCP_FIELD_IPV4,
>> +	DSTP_FIELD_IPV4,
>> +	NUM_FIELDS_IPV4
>> +};
>> +
>> +/*
>> + * That effectively defines order of IPV4 classifications:
>> + *  - PROTO
>> + *  - SRC IP ADDRESS
>> + *  - DST IP ADDRESS
>> + *  - PORTS (SRC and DST)
>> + */
>> +enum {
>> +	RTE_ACL_IPV4_PROTO,
>> +	RTE_ACL_IPV4_SRC,
>> +	RTE_ACL_IPV4_DST,
>> +	RTE_ACL_IPV4_PORTS,
>> +	RTE_ACL_IPV4_NUM
>> +};
>> +
>> +struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
>> +	{
>> +	.type = RTE_ACL_FIELD_TYPE_BITMASK,
>> +	.size = sizeof(uint8_t),
>> +	.field_index = PROTO_FIELD_IPV4,
>> +	.input_index = RTE_ACL_IPV4_PROTO,
>> +	.offset = 0,
>> +	},
>> +	{
>> +	.type = RTE_ACL_FIELD_TYPE_MASK,
>> +	.size = sizeof(uint32_t),
>> +	.field_index = SRC_FIELD_IPV4,
>> +	.input_index = RTE_ACL_IPV4_SRC,
>> +	.offset = offsetof(struct ip, ip_src) -	offsetof(struct ip, ip_p)
>> +	},
>> +	{
>> +	.type = RTE_ACL_FIELD_TYPE_MASK,
>> +	.size = sizeof(uint32_t),
>> +	.field_index = DST_FIELD_IPV4,
>> +	.input_index = RTE_ACL_IPV4_DST,
>> +	.offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
>> +	},
>> +	{
>> +	.type = RTE_ACL_FIELD_TYPE_RANGE,
>> +	.size = sizeof(uint16_t),
>> +	.field_index = SRCP_FIELD_IPV4,
>> +	.input_index = RTE_ACL_IPV4_PORTS,
>> +	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
>> +	},
>> +	{
>> +	.type = RTE_ACL_FIELD_TYPE_RANGE,
>> +	.size = sizeof(uint16_t),
>> +	.field_index = DSTP_FIELD_IPV4,
>> +	.input_index = RTE_ACL_IPV4_PORTS,
>> +	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
>> +		sizeof(uint16_t)
>> +	},
>> +};
>> +
>> +RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs));
>> +
>> +const struct acl4_rules acl4_rules_in[] = {
>> +	{
>> +	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
>> +	/* destination IPv4 */
>> +	.field[2] = {.value.u32 = IPv4(192, 168, 105, 0),
>> +				.mask_range.u32 = 24,},
>> +	/* source port */
>> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
>> +	/* destination port */
>> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
>> +	},
>> +	{
>> +	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
>> +	/* destination IPv4 */
>> +	.field[2] = {.value.u32 = IPv4(192, 168, 106, 0),
>> +				.mask_range.u32 = 24,},
>> +	/* source port */
>> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
>> +	/* destination port */
>> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
>> +	},
>> +	{
>> +	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
>> +	/* destination IPv4 */
>> +	.field[2] = {.value.u32 = IPv4(192, 168, 107, 0),
>> +				.mask_range.u32 = 24,},
>> +	/* source port */
>> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
>> +	/* destination port */
>> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
>> +	},
>> +	{
>> +	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
>> +	/* destination IPv4 */
>> +	.field[2] = {.value.u32 = IPv4(192, 168, 108, 0),
>> +				.mask_range.u32 = 24,},
>> +	/* source port */
>> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
>> +	/* destination port */
>> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
>> +	}
>> +};
>> +
>> +const struct acl4_rules acl4_rules_out[] = {
>> +	{
>> +	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
>> +	/* destination IPv4 */
>> +	.field[2] = {.value.u32 = IPv4(192, 168, 115, 0),
>> +				.mask_range.u32 = 24,},
>> +	/* source port */
>> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
>> +	/* destination port */
>> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
>> +	},
>> +	{
>> +	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
>> +	/* destination IPv4 */
>> +	.field[2] = {.value.u32 = IPv4(192, 168, 116, 0),
>> +				.mask_range.u32 = 24,},
>> +	/* source port */
>> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
>> +	/* destination port */
>> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
>> +	},
>> +	{
>> +	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
>> +	/* destination IPv4 */
>> +	.field[2] = {.value.u32 = IPv4(192, 168, 117, 0),
>> +				.mask_range.u32 = 24,},
>> +	/* source port */
>> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
>> +	/* destination port */
>> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
>> +	},
>> +	{
>> +	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
>> +	/* destination IPv4 */
>> +	.field[2] = {.value.u32 = IPv4(192, 168, 118, 0),
>> +				.mask_range.u32 = 24,},
>> +	/* source port */
>> +	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
>> +	/* destination port */
>> +	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
>> +	}
>> +};
>> +
>> +static void
>> +print_one_ipv4_rule(const struct acl4_rules *rule, int extra)
>> +{
>> +	unsigned char a, b, c, d;
>> +
>> +	uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
>> +			&a, &b, &c, &d);
>> +	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
>> +			rule->field[SRC_FIELD_IPV4].mask_range.u32);
>> +	uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
>> +			&a, &b, &c, &d);
>> +	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
>> +			rule->field[DST_FIELD_IPV4].mask_range.u32);
>> +	printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
>> +		rule->field[SRCP_FIELD_IPV4].value.u16,
>> +		rule->field[SRCP_FIELD_IPV4].mask_range.u16,
>> +		rule->field[DSTP_FIELD_IPV4].value.u16,
>> +		rule->field[DSTP_FIELD_IPV4].mask_range.u16,
>> +		rule->field[PROTO_FIELD_IPV4].value.u8,
>> +		rule->field[PROTO_FIELD_IPV4].mask_range.u8);
>> +	if (extra)
>> +		printf("0x%x-0x%x-0x%x ",
>> +			rule->data.category_mask,
>> +			rule->data.priority,
>> +			rule->data.userdata);
>> +}
>> +
>> +static inline void
>> +dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra)
>> +{
>> +	int i;
>> +
>> +	for (i = 0; i < num; i++, rule++) {
>> +		printf("\t%d:", i + 1);
>> +		print_one_ipv4_rule(rule, extra);
>> +		printf("\n");
>> +	}
>> +}
>> +
>> +static struct rte_acl_ctx *
>> +acl4_init(const char *name, int socketid, const struct acl4_rules *rules,
>> +		unsigned rules_nb)
>> +{
>> +	char s[PATH_MAX];
>> +	struct rte_acl_param acl_param;
>> +	struct rte_acl_config acl_build_param;
>> +	struct rte_acl_ctx *ctx;
>> +
>> +	printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
>> +
>> +	memset(&acl_param, 0, sizeof(acl_param));
>> +
>> +	/* Create ACL contexts */
>> +	snprintf(s, sizeof(s), "%s_%d", name, socketid);
>> +
>> +	printf("IPv4 %s entries [%u]:\n", s, rules_nb);
>> +	dump_ipv4_rules(rules, rules_nb, 1);
>> +
>> +	acl_param.name = s;
>> +	acl_param.socket_id = socketid;
>> +	acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs));
>> +	acl_param.max_rule_num = MAX_ACL_RULE_NUM;
>> +
>> +	ctx = rte_acl_create(&acl_param);
>> +	if (ctx == NULL)
>> +		rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
>> +
>> +	if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
>> +				rules_nb) < 0)
>> +		rte_exit(EXIT_FAILURE, "add rules failed\n");
>> +
>> +	/* Perform builds */
>> +	memset(&acl_build_param, 0, sizeof(acl_build_param));
>> +
>> +	acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
>> +	acl_build_param.num_fields = rules_nb;
>> +	memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs));
>> +
>> +	if (rte_acl_build(ctx, &acl_build_param) != 0)
>> +		rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
>> +
>> +	rte_acl_dump(ctx);
>> +
>> +	return ctx;
>> +}
>> +
>> +void
>> +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
>> +{
>> +	const char *name;
>> +	const struct acl4_rules *rules_out, *rules_in;
>> +	unsigned nb_out_rules, nb_in_rules;
>> +
>> +	if (ctx == NULL)
>> +		rte_exit(EXIT_FAILURE, "NULL context.\n");
>> +
>> +	if (ctx->sp_ipv4_in != NULL)
>> +		rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
>> +				"initialized\n", socket_id);
>> +
>> +	if (ctx->sp_ipv4_out != NULL)
>> +		rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
>> +				"initialized\n", socket_id);
>> +
>> +	if (ep == 0) {
>> +		rules_out = acl4_rules_in;
>> +		nb_out_rules = RTE_DIM(acl4_rules_in);
>> +		rules_in = acl4_rules_out;
>> +		nb_in_rules = RTE_DIM(acl4_rules_out);
>> +	} else if (ep == 1) {
>> +		rules_out = acl4_rules_out;
>> +		nb_out_rules = RTE_DIM(acl4_rules_out);
>> +		rules_in = acl4_rules_in;
>> +		nb_in_rules = RTE_DIM(acl4_rules_in);
>> +	} else
>> +		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
>> +				"Only 0 or 1 supported.\n", ep);
>> +
>> +	name = "sp_ipv4_in";
>> +	ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id,
>> +			rules_in, nb_in_rules);
>> +
>> +	name = "sp_ipv4_out";
>> +	ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id,
>> +			rules_out, nb_out_rules);
>> +}
>> -- 
>> 2.4.3
>>

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
  2016-02-01 11:09   ` Sergio Gonzalez Monroy
@ 2016-02-01 11:26     ` Jerin Jacob
  2016-02-01 14:09       ` Thomas Monjalon
  2016-03-09 23:54       ` Sergio Gonzalez Monroy
  0 siblings, 2 replies; 15+ messages in thread
From: Jerin Jacob @ 2016-02-01 11:26 UTC (permalink / raw)
  To: Sergio Gonzalez Monroy; +Cc: dev

On Mon, Feb 01, 2016 at 11:09:16AM +0000, Sergio Gonzalez Monroy wrote:
> On 31/01/2016 14:39, Jerin Jacob wrote:
> >On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote:
> >>Sample app implementing an IPsec Security Geteway.
> >>The main goal of this app is to show the use of cryptodev framework
> >>in a real world application.
> >>
> >>Currently only supported static IPv4 IPsec tunnels using AES-CBC
> >>and HMAC-SHA1.
> >>
> >>Also, currently not supported:
> >>- SA auto negotiation (No IKE support)
> >>- chained mbufs
> >>
> >>Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> >Hi Sergio,
> >
> >Great effort, one of the best highly integrated sample DPDK application
> >(ethernet, acl, crypto and lpm)
> >
> >>---
> >>  MAINTAINERS                              |    4 +
> >>  doc/guides/sample_app_ug/index.rst       |    1 +
> >>  doc/guides/sample_app_ug/ipsec_secgw.rst |  440 +++++++++++
> >>  examples/Makefile                        |    2 +
> >>  examples/ipsec-secgw/Makefile            |   58 ++
> >>  examples/ipsec-secgw/esp.c               |  256 +++++++
> >>  examples/ipsec-secgw/esp.h               |   66 ++
> >>  examples/ipsec-secgw/ipip.h              |  100 +++
> >>  examples/ipsec-secgw/ipsec-secgw.c       | 1218 ++++++++++++++++++++++++++++++
> >>  examples/ipsec-secgw/ipsec.c             |  138 ++++
> >>  examples/ipsec-secgw/ipsec.h             |  184 +++++
> >>  examples/ipsec-secgw/rt.c                |  131 ++++
> >>  examples/ipsec-secgw/sa.c                |  391 ++++++++++
> >>  examples/ipsec-secgw/sp.c                |  324 ++++++++
> >>  14 files changed, 3313 insertions(+)
> >>  create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst
> >>  create mode 100644 examples/ipsec-secgw/Makefile
> >>  create mode 100644 examples/ipsec-secgw/esp.c
> >>  create mode 100644 examples/ipsec-secgw/esp.h
> >>  create mode 100644 examples/ipsec-secgw/ipip.h
> >>  create mode 100644 examples/ipsec-secgw/ipsec-secgw.c
> >>  create mode 100644 examples/ipsec-secgw/ipsec.c
> >>  create mode 100644 examples/ipsec-secgw/ipsec.h
> >>  create mode 100644 examples/ipsec-secgw/rt.c
> >>  create mode 100644 examples/ipsec-secgw/sa.c
> >>  create mode 100644 examples/ipsec-secgw/sp.c
> >>
> >>diff --git a/MAINTAINERS b/MAINTAINERS
> >>index b90aeea..996eda6 100644
> >>--- a/MAINTAINERS
> >>+++ b/MAINTAINERS
> >>@@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst
> >>  M: Pablo de Lara <pablo.de.lara.guarch@intel.com>
> >>  M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
> >>  F: examples/ptpclient/
> >>+
> >>+M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> >>+F: doc/guides/sample_app_ug/ipsec-secgw.rst
> >>+F: examples/ipsec-secgw/
> >>diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst
> >>index 8a646dd..88375d2 100644
> >>--- a/doc/guides/sample_app_ug/index.rst
> >>+++ b/doc/guides/sample_app_ug/index.rst
> >>@@ -73,6 +73,7 @@ Sample Applications User Guide
> >>      proc_info
> >>      ptpclient
> >>      performance_thread
> >>+    ipsec_secgw
> >>  **Figures**
> >>diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
> >>new file mode 100644
> >>index 0000000..7be3f7e
> >>--- /dev/null
> >>+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> >>@@ -0,0 +1,440 @@
> >>+..  BSD LICENSE
> >>+    Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+    All rights reserved.
> >>+
> >>+    Redistribution and use in source and binary forms, with or without
> >>+    modification, are permitted provided that the following conditions
> >>+    are met:
> >>+
> >>+    * Redistributions of source code must retain the above copyright
> >>+    notice, this list of conditions and the following disclaimer.
> >>+    * Redistributions in binary form must reproduce the above copyright
> >>+    notice, this list of conditions and the following disclaimer in
> >>+    the documentation and/or other materials provided with the
> >>+    distribution.
> >>+    * Neither the name of Intel Corporation nor the names of its
> >>+    contributors may be used to endorse or promote products derived
> >>+    from this software without specific prior written permission.
> >>+
> >>+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+
> >>+IPsec Security Gateway Sample Application
> >>+=========================================
> >>+
> >>+The IPsec Security Gateway application is a minimal example of real work
> >>+application using DPDK cryptodev framework.
> >>+
> >>+Overview
> >>+--------
> >>+
> >>+The application demonstrates the implementation of a minimal Security Gateway
> >>+(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and
> >>+RFC2404.
> >>+
> >>+Note that IKE is not supported (therefore not IPsec compliant), so only manual
> >>+setting of Security Policies and Associations is allowed.
> >>+
> >>+The Security Policies (SP) are implemented as ACL rules, the Security
> >>+Associations (SA) are stored in a table and the Routing is implemented
> >>+using LPM.
> >>+
> >>+The application splits the ports between Protected and Unprotected.
> >>+Based on the port the trafic is coming from, the traffic would be consider
> >>+IPsec Inbound or Outbound.
> >>+Traffic from Unprotected ports is consider IPsec Inbound, and traffic from
> >>+Protected ports is consider IPsec Outbound.
> >>+
> >>+Path for IPsec Inbound traffic:
> >>+*  Read packets from the port
> >>+*  Classify packets between IPv4 and ESP.
> >>+*  Inbound SA lookup for ESP packets based on their SPI
> >>+*  Verification/Decryption
> >>+*  Removal of ESP and outter IP header
> >>+*  Inbound SP check using ACL of decrypted packets and any other IPv4 packet
> >>+we read.
> >>+*  Routing
> >>+*  Write packet to port
> >>+
> >>+Path for IPsec Outbound traffic:
> >>+*  Read packets from the port
> >>+*  Outbound SP check using ACL of all IPv4 traffic
> >>+*  Outbound SA lookup for packets that need IPsec protection
> >>+*  Add ESP and outter IP header
> >>+*  Encryption/Digest
> >>+*  Routing
> >>+*  Write packet to port
> >>+
> >>+Constraints
> >>+-----------
> >>+*  IPv4 traffic
> >>+*  ESP tunnel mode
> >>+*  EAS-CBC and HMAC-SHA1
> >>+*  Each SA must be handle by a unique lcore (1 RX queue per port)
> >>+*  No chained mbufs
> >>+
> >>+Compiling the Application
> >>+-------------------------
> >>+
> >>+To compile the application:
> >>+
> >>+#. Go to the sample application directory:
> >>+
> >>+   .. code-block:: console
> >>+
> >>+      export RTE_SDK=/path/to/rte_sdk
> >>+      cd ${RTE_SDK}/examples/ipsec-secgw
> >>+
> >>+#. Set the target (a default target is used if not specified). For example:
> >>+
> >>+   .. code-block:: console
> >>+
> >>+      export RTE_TARGET=x86_64-native-linuxapp-gcc
> >>+
> >>+    See the *DPDK Getting Started Guide* for possible RTE_TARGET values.
> >>+
> >>+#. Build the application:
> >>+
> >>+   .. code-block:: console
> >>+
> >>+       make
> >>+
> >>+Running the Application
> >>+-----------------------
> >>+
> >>+The application has a number of command line options:
> >>+
> >>+.. code-block:: console
> >>+
> >>+   ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config
> >>+   (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT
> >>+
> >>+where,
> >>+
> >>+*   -p PORTMASK: Hexadecimal bitmask of ports to configure
> >>+
> >>+*   -P: optional, sets all ports to promiscuous mode so that packets are
> >>+    accepted regardless of the packet's Ethernet MAC destination address.
> >>+    Without this option, only packets with the Ethernet MAC destination address
> >>+    set to the Ethernet address of the port are accepted (default is enabled).
> >>+
> >>+*   -u PORTMASK: hexadecimal bitmask of unprotected ports
> >>+
> >>+*   --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues
> >>+    from which ports are mapped to which cores
> >>+
> >>+*   --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto
> >>+
> >>+*   --EP0: configure the app as Endpoint 0.
> >>+
> >>+*   --EP1: configure the app as Endpoint 1.
> >>+
> >>+Either --EP0 or --EP1 must be specified.
> >>+
> >>+The mapping of lcores to port/queues is similar to other l3fwd applications.
> >>+
> >>+For example, given the following command line:
> >>+.. code-block:: console
> >>+
> >>+    ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3
> >>+    --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0
> >>+
> >>+where each options means:
> >>+
> >>+*   The -l option enables cores 20 and 21
> >>+
> >>+*   The -n option sets memory 4 channels
> >>+
> >>+*   The --socket-mem to use 2GB on socket 1
> >>+
> >>+*   The -p option enables ports (detected) 0, 1, 2 and 3
> >>+
> >>+*   The -P option enables promiscous mode
> >>+
> >>+*   The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected
> >>+
> >>+*   The --config option enables one queue per port with the following mapping:
> >>+
> >>++----------+-----------+-----------+---------------------------------------+
> >>+| **Port** | **Queue** | **lcore** | **Description**                       |
> >>+|          |           |           |                                       |
> >>++----------+-----------+-----------+---------------------------------------+
> >>+| 0        | 0         | 20        | Map queue 0 from port 0 to lcore 20.  |
> >>+|          |           |           |                                       |
> >>++----------+-----------+-----------+---------------------------------------+
> >>+| 1        | 0         | 20        | Map queue 0 from port 1 to lcore 20.  |
> >>+|          |           |           |                                       |
> >>++----------+-----------+-----------+---------------------------------------+
> >>+| 2        | 0         | 21        | Map queue 0 from port 2 to lcore 21.  |
> >>+|          |           |           |                                       |
> >>++----------+-----------+-----------+---------------------------------------+
> >>+| 3        | 0         | 21        | Map queue 0 from port 3 to lcore 21.  |
> >>+|          |           |           |                                       |
> >>++----------+-----------+-----------+---------------------------------------+
> >>+
> >>+Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options.
> >>+
> >>+Configurations
> >>+--------------
> >>+
> >>+The following sections provide some details on the default values used to
> >>+initialize the SP, SA and Routing tables.
> >>+Currently all the configuration is hardcoded into the application.
> >>+
> >>+Security Policy Initialization
> >>+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>+
> >>+As mention in the overview, the Security Policies are ACL rules.
> >>+There are two ACLs, Inbound and Outboud.
> >>+The application would also replicate the set of two ACLs per socket in use.
> >>+
> >>+Following are the default rules:
> >>+
> >>+Endpoint 0 Outbound Security Policies:
> >>+
> >>++---------+------------------+-----------+------------+
> >>+| **Src** | **Dst**          | **proto** | **SA idx** |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.105.0/24 | Any       | 5          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.106.0/24 | Any       | 6          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.107.0/24 | Any       | 7          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.108.0/24 | Any       | 8          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+
> >>+Endpoint 0 Inbound Security Policies:
> >>+
> >>++---------+------------------+-----------+------------+
> >>+| **Src** | **Dst**          | **proto** | **SA idx** |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.115.0/24 | Any       | 5          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.116.0/24 | Any       | 6          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.117.0/24 | Any       | 7          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.118.0/24 | Any       | 8          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+
> >>+Endpoint 1 Outbound Security Policies:
> >>+
> >>++---------+------------------+-----------+------------+
> >>+| **Src** | **Dst**          | **proto** | **SA idx** |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.115.0/24 | Any       | 5          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.116.0/24 | Any       | 6          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.117.0/24 | Any       | 7          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.118.0/24 | Any       | 8          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+
> >>+Endpoint 1 Inbound Security Policies:
> >>+
> >>++---------+------------------+-----------+------------+
> >>+| **Src** | **Dst**          | **proto** | **SA idx** |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.105.0/24 | Any       | 5          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.106.0/24 | Any       | 6          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.107.0/24 | Any       | 7          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+| Any     | 192.168.108.0/24 | Any       | 8          |
> >>+|         |                  |           |            |
> >>++---------+------------------+-----------+------------+
> >>+
> >>+
> >>+Security Association Initialization
> >>+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>+
> >>+The SAs are kept in a array table.
> >>+
> >>+For Inbound, the SPI is used as index module the table size.
> >>+This means that on a table for 100 SA, SPI 5 and 105 would use the same index
> >>+and that is not currently supported.
> >>+
> >>+Notice that it is not an issue for Outbound traffic as we store the index and
> >>+not the SPI in the Security Policy.
> >>+
> >>+All SAs are configured with the same cipher algo, block size and key (AES-CBC
> >>+16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B
> >>+digest).
> >>+
> >>+Following are the default values:
> >>+
> >>+Endpoint 0 Outbound Security Associations:
> >>+
> >>++---------+----------------+------------------+
> >>+| **SPI** | **Tunnel src** | **Tunnel dst**   |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 5       | 172.16.1.5     | 172.16.2.5       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 6       | 172.16.1.6     | 172.16.2.6       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 7       | 172.16.1.7     | 172.16.2.7       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 8       | 172.16.1.8     | 172.16.2.8       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+
> >>+Endpoint 0 Inbound Security Associations:
> >>+
> >>++---------+----------------+------------------+
> >>+| **SPI** | **Tunnel src** | **Tunnel dst**   |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 5       | 172.16.2.5     | 172.16.1.5       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 6       | 172.16.2.6     | 172.16.1.6       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 7       | 172.16.2.7     | 172.16.1.7       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 8       | 172.16.2.8     | 172.16.1.8       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+
> >>+Endpoint 1 Outbound Security Associations:
> >>+
> >>++---------+----------------+------------------+
> >>+| **SPI** | **Tunnel src** | **Tunnel dst**   |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 5       | 172.16.2.5     | 172.16.1.5       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 6       | 172.16.2.6     | 172.16.1.6       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 7       | 172.16.2.7     | 172.16.1.7       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 8       | 172.16.2.8     | 172.16.1.8       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+
> >>+Endpoint 1 Inbound Security Associations:
> >>+
> >>++---------+----------------+------------------+
> >>+| **SPI** | **Tunnel src** | **Tunnel dst**   |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 5       | 172.16.1.5     | 172.16.2.5       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 6       | 172.16.1.6     | 172.16.2.6       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 7       | 172.16.1.7     | 172.16.2.7       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+| 8       | 172.16.1.8     | 172.16.2.8       |
> >>+|         |                |                  |
> >>++---------+----------------+------------------+
> >>+
> >>+Routing Initialization
> >>+~~~~~~~~~~~~~~~~~~~~~~
> >>+
> >>+The Routing is implemented using LPM table.
> >>+
> >>+Following default values:
> >>+
> >>+Endpoint 0 Routing Table:
> >>+
> >>++------------------+----------+
> >>+| **Dst addr**     | **Port** |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 172.16.2.5/32    | 0        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 172.16.2.6/32    | 0        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 172.16.2.7/32    | 1        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 172.16.2.8/32    | 1        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 192.168.115.0/24 | 2        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 192.168.116.0/24 | 2        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 192.168.117.0/24 | 3        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 192.168.118.0/24 | 3        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+
> >>+Endpoint 1 Routing Table:
> >>+
> >>++------------------+----------+
> >>+| **Dst addr**     | **Port** |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 172.16.1.5/32    | 2        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 172.16.1.6/32    | 2        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 172.16.1.7/32    | 3        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 172.16.1.8/32    | 3        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 192.168.105.0/24 | 0        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 192.168.106.0/24 | 0        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 192.168.107.0/24 | 1        |
> >>+|                  |          |
> >>++------------------+----------+
> >>+| 192.168.108.0/24 | 1        |
> >>+|                  |          |
> >>++------------------+----------+
> >>diff --git a/examples/Makefile b/examples/Makefile
> >>index 1cb4785..65ce6ce 100644
> >>--- a/examples/Makefile
> >>+++ b/examples/Makefile
> >>@@ -1,6 +1,7 @@
> >>  #   BSD LICENSE
> >>  #
> >>  #   Copyright(c) 2014 6WIND S.A.
> >>+#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>  #
> >>  #   Redistribution and use in source and binary forms, with or without
> >>  #   modification, are permitted provided that the following conditions
> >>@@ -78,5 +79,6 @@ DIRS-y += vmdq
> >>  DIRS-y += vmdq_dcb
> >>  DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager
> >>  DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto
> >>+DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw
> >>  include $(RTE_SDK)/mk/rte.extsubdir.mk
> >>diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
> >>new file mode 100644
> >>index 0000000..5f893b8
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/Makefile
> >>@@ -0,0 +1,58 @@
> >>+#   BSD LICENSE
> >>+#
> >>+#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+#   All rights reserved.
> >>+#
> >>+#   Redistribution and use in source and binary forms, with or without
> >>+#   modification, are permitted provided that the following conditions
> >>+#   are met:
> >>+#
> >>+#     * Redistributions of source code must retain the above copyright
> >>+#       notice, this list of conditions and the following disclaimer.
> >>+#     * Redistributions in binary form must reproduce the above copyright
> >>+#       notice, this list of conditions and the following disclaimer in
> >>+#       the documentation and/or other materials provided with the
> >>+#       distribution.
> >>+#     * Neither the name of Intel Corporation nor the names of its
> >>+#       contributors may be used to endorse or promote products derived
> >>+#       from this software without specific prior written permission.
> >>+#
> >>+#   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+#   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+#   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+#   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+#   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+#   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+#   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+#   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+#   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+#   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+#   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+
> >>+ifeq ($(RTE_SDK),)
> >>+	$(error "Please define RTE_SDK environment variable")
> >>+endif
> >>+
> >>+# Default target, can be overridden by command line or environment
> >>+RTE_TARGET ?= x86_64-native-linuxapp-gcc
> >>+
> >>+include $(RTE_SDK)/mk/rte.vars.mk
> >>+
> >>+APP = ipsec-secgw
> >>+
> >>+CFLAGS += -O3 -gdwarf-2
> >>+CFLAGS += $(WERROR_FLAGS)
> >>+
> >>+VPATH += $(SRCDIR)/librte_ipsec
> >>+
> >>+#
> >>+# all source are stored in SRCS-y
> >>+#
> >>+SRCS-y += ipsec.c
> >>+SRCS-y += esp.c
> >>+SRCS-y += sp.c
> >>+SRCS-y += sa.c
> >>+SRCS-y += rt.c
> >>+SRCS-y += ipsec-secgw.c
> >>+
> >>+include $(RTE_SDK)/mk/rte.extapp.mk
> >>diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> >>new file mode 100644
> >>index 0000000..1be0621
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/esp.c
> >>@@ -0,0 +1,256 @@
> >>+/*-
> >>+ *   BSD LICENSE
> >>+ *
> >>+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+ *   All rights reserved.
> >>+ *
> >>+ *   Redistribution and use in source and binary forms, with or without
> >>+ *   modification, are permitted provided that the following conditions
> >>+ *   are met:
> >>+ *
> >>+ *     * Redistributions of source code must retain the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer.
> >>+ *     * Redistributions in binary form must reproduce the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer in
> >>+ *       the documentation and/or other materials provided with the
> >>+ *       distribution.
> >>+ *     * Neither the name of Intel Corporation nor the names of its
> >>+ *       contributors may be used to endorse or promote products derived
> >>+ *       from this software without specific prior written permission.
> >>+ *
> >>+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+ */
> >>+
> >>+#include <stdint.h>
> >>+#include <stdlib.h>
> >>+#include <netinet/ip.h>
> >>+#include <sys/types.h>
> >>+#include <sys/stat.h>
> >>+#include <fcntl.h>
> >>+#include <unistd.h>
> >>+
> >>+#include <rte_memcpy.h>
> >>+#include <rte_crypto.h>
> >>+#include <rte_cryptodev.h>
> >>+#include <rte_random.h>
> >>+
> >>+#include "ipsec.h"
> >>+#include "esp.h"
> >>+#include "ipip.h"
> >>+
> >>+static inline void
> >>+random_iv_u64(uint64_t *buf, uint16_t n)
> >>+{
> >>+	unsigned left = n & 0x7;
> >>+	unsigned i;
> >>+
> >>+	IPSEC_ASSERT((n & 0x3) == 0);
> >>+
> >>+	for (i = 0; i < (n >> 3); i++)
> >>+		buf[i] = rte_rand();
> >>+
> >>+	if (left)
> >>+		*((uint32_t *)&buf[i]) = (uint32_t)lrand48();
> >>+}
> >>+
> >>+/* IPv4 Tunnel */
> >>+int
> >>+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> >>+		struct rte_crypto_op *cop)
> >>+{
> >>+	uint16_t digest_len, esp_len, iphdr_len;
> >>+	int32_t payload_len;
> >>+
> >>+	IPSEC_ASSERT(m != NULL);
> >>+
> >>+	iphdr_len = sizeof(struct ip);
> >>+	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
> >>+	digest_len = sa->digest_len;
> >>+	payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len;
> >>+
> >>+	if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
> >>+		IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n",
> >>+				payload_len, sa->block_size);
> >>+		return -EINVAL;
> >>+	}
> >>+
> >>+	cop->data.to_cipher.offset = iphdr_len + esp_len;
> >>+	cop->data.to_cipher.length = payload_len;
> >>+
> >>+	cop->data.to_hash.offset = iphdr_len;
> >>+	if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM)
> >>+		cop->data.to_hash.length = esp_len - sa->iv_len;
> >>+	else
> >>+		cop->data.to_hash.length = esp_len + payload_len;
> >>+
> >>+	cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
> >>+			iphdr_len + esp_len - sa->iv_len);
> >>+	cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
> >>+			iphdr_len + esp_len - sa->iv_len);
> >>+
> >>+	cop->iv.length = sa->iv_len;
> >>+
> >>+	cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
> >>+			iphdr_len + esp_len + payload_len);
> >>+	cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
> >>+			iphdr_len + esp_len + payload_len);
> >>+	cop->digest.length = digest_len;
> >>+
> >>+	return 0;
> >>+}
> >>+
> >>+int
> >>+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> >>+		struct rte_crypto_op *cop)
> >>+{
> >>+	uint16_t digest_len, esp_len, iphdr_len;
> >>+	uint8_t *nexthdr, *pad_len;
> >>+	uint8_t *padding;
> >>+	uint16_t i;
> >>+
> >>+	IPSEC_ASSERT(m != NULL);
> >>+
> >>+	iphdr_len = sizeof(struct ip);
> >>+	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
> >>+	digest_len = sa->digest_len;
> >>+
> >>+	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
> >>+		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
> >>+		return -1;
> >>+	}
> >>+
> >>+	nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
> >>+			rte_pktmbuf_pkt_len(m) - digest_len - 1);
> >>+	pad_len = nexthdr - 1;
> >>+
> >>+	padding = pad_len - *pad_len;
> >>+	for (i = 0; i < *pad_len; i++) {
> >>+		if (padding[i] != i) {
> >>+			IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n");
> >>+			return -EINVAL;
> >>+		}
> >>+	}
> >>+
> >>+	if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) {
> >>+		IPSEC_LOG(ERR, IPSEC_ESP,
> >>+				"failed to remove pad_len + digest\n");
> >>+		return -EINVAL;
> >>+	}
> >>+
> >>+	return ip4ip_inbound(m, iphdr_len + esp_len);
> >>+}
> >>+
> >>+int
> >>+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> >>+		struct rte_crypto_op *cop)
> >>+{
> >>+	uint16_t digest_len, esp_len, payload_len, block_sz, pad_len;
> >>+	int32_t pad_payload_len;
> >>+	struct ip *ip;
> >>+	struct esp_hdr *esp;
> >>+	int i;
> >>+	char *padding;
> >>+
> >>+	rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE);
> >>+	rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *));
> >>+
> >>+	IPSEC_ASSERT(m != NULL);
> >>+	IPSEC_ASSERT(sa != NULL);
> >>+
> >>+	/* Payload length */
> >>+	payload_len = rte_pktmbuf_pkt_len(m);
> >>+
> >>+	block_sz = sa->block_size;
> >>+
> >>+	/* Per RFC4303:
> >>+	 *  padded payload needs to be multiple of 4 bytes.
> >>+	 * All application supported block sizes must be power of 2
> >>+	 */
> >>+	pad_len = (payload_len + 2) & (block_sz - 1);
> >>+	pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2;
> >>+
> >>+	/* Padded payload length */
> >>+	pad_payload_len = payload_len + pad_len;
> >>+	/* ESP header length */
> >>+	esp_len = sizeof(struct esp_hdr) + sa->iv_len;
> >>+	/* Digest length */
> >>+	digest_len = sa->digest_len;
> >>+
> >>+	IPSEC_LOG(DEBUG, IPSEC_ESP,
> >>+			"pktlen %u, esp_len %u, digest_len %u, payload_len %u,"
> >>+			" pad_payload_len %u, block_sz %u, pad_len %u\n",
> >>+			rte_pktmbuf_pkt_len(m), esp_len, digest_len,
> >>+			payload_len, pad_payload_len, block_sz,	pad_len);
> >>+
> >>+	/* Check maximum packet size */
> >>+	if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) {
> >>+		IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n");
> >>+		return -EINVAL;
> >>+	}
> >>+
> >>+	padding = rte_pktmbuf_append(m, pad_len + digest_len);
> >>+
> >>+	IPSEC_ASSERT(padding != NULL);
> >>+
> >>+	ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst);
> >>+
> >>+	esp = (struct esp_hdr *)(ip + 1);
> >>+	esp->spi = sa->spi;
> >>+
> >>+	esp->seq = htonl(sa->seq++);
> >>+
> >>+	IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m));
> >>+
> >>+	/* Fill pad_len using default sequential scheme */
> >>+	for (i = 0; i < pad_len - 2; i++)
> >>+		padding[i] = i + 1;
> >>+
> >>+	padding[pad_len - 2] = pad_len - 2;
> >>+	padding[pad_len - 1] = IPPROTO_IPIP;
> >>+	ip->ip_p = IPPROTO_ESP;
> >>+
> >>+	cop->data.to_cipher.offset = sizeof(struct ip) + esp_len;
> >>+	cop->data.to_cipher.length = pad_payload_len;
> >>+
> >>+	cop->data.to_hash.offset = sizeof(struct ip);
> >>+	cop->data.to_hash.length = esp_len + pad_payload_len;
> >>+
> >>+	cop->iv.data = rte_pktmbuf_mtod_offset(m, void*,
> >>+			sizeof(struct ip) + esp_len - sa->iv_len);
> >>+	cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
> >>+			sizeof(struct ip) + esp_len - sa->iv_len);
> >>+	cop->iv.length = sa->iv_len;
> >>+
> >>+	cop->digest.data = rte_pktmbuf_mtod_offset(m, void*,
> >>+			sizeof(struct ip) + esp_len + pad_payload_len);
> >>+	cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
> >>+			sizeof(struct ip) + esp_len + pad_payload_len);
> >>+	cop->digest.length = digest_len;
> >>+
> >>+	random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length);
> >>+
> >>+	return 0;
> >>+}
> >>+
> >>+int
> >>+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused,
> >>+		struct ipsec_sa *sa __rte_unused,
> >>+		struct rte_crypto_op *cop)
> >>+{
> >>+	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
> >>+		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
> >>+		return -1;
> >>+	}
> >>+
> >>+	return 0;
> >>+}
> >>diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h
> >>new file mode 100644
> >>index 0000000..d7c8ba6
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/esp.h
> >>@@ -0,0 +1,66 @@
> >>+/*-
> >>+ *   BSD LICENSE
> >>+ *
> >>+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+ *   All rights reserved.
> >>+ *
> >>+ *   Redistribution and use in source and binary forms, with or without
> >>+ *   modification, are permitted provided that the following conditions
> >>+ *   are met:
> >>+ *
> >>+ *     * Redistributions of source code must retain the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer.
> >>+ *     * Redistributions in binary form must reproduce the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer in
> >>+ *       the documentation and/or other materials provided with the
> >>+ *       distribution.
> >>+ *     * Neither the name of Intel Corporation nor the names of its
> >>+ *       contributors may be used to endorse or promote products derived
> >>+ *       from this software without specific prior written permission.
> >>+ *
> >>+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+ */
> >>+#ifndef __RTE_IPSEC_XFORM_ESP_H__
> >>+#define __RTE_IPSEC_XFORM_ESP_H__
> >>+
> >>+struct mbuf;
> >>+
> >>+/* RFC4303 */
> >>+struct esp_hdr {
> >>+	uint32_t spi;
> >>+	uint32_t seq;
> >>+	/* Payload */
> >>+	/* Padding */
> >>+	/* Pad Length */
> >>+	/* Next Header */
> >>+	/* Integrity Check Value - ICV */
> >>+};
> >>+
> >>+/* IPv4 Tunnel */
> >>+int
> >>+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> >>+		struct rte_crypto_op *cop);
> >>+
> >>+int
> >>+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> >>+		struct rte_crypto_op *cop);
> >>+
> >>+int
> >>+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> >>+		struct rte_crypto_op *cop);
> >>+
> >>+int
> >>+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
> >>+		struct rte_crypto_op *cop);
> >>+
> >>+#endif /* __RTE_IPSEC_XFORM_ESP_H__ */
> >>diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h
> >>new file mode 100644
> >>index 0000000..16c5dfb
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/ipip.h
> >>@@ -0,0 +1,100 @@
> >>+/*-
> >>+ *   BSD LICENSE
> >>+ *
> >>+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+ *   All rights reserved.
> >>+ *
> >>+ *   Redistribution and use in source and binary forms, with or without
> >>+ *   modification, are permitted provided that the following conditions
> >>+ *   are met:
> >>+ *
> >>+ *     * Redistributions of source code must retain the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer.
> >>+ *     * Redistributions in binary form must reproduce the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer in
> >>+ *       the documentation and/or other materials provided with the
> >>+ *       distribution.
> >>+ *     * Neither the name of Intel Corporation nor the names of its
> >>+ *       contributors may be used to endorse or promote products derived
> >>+ *       from this software without specific prior written permission.
> >>+ *
> >>+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+ */
> >>+
> >>+#ifndef __IPIP_H__
> >>+#define __IPIP_H__
> >>+
> >>+#include <stdint.h>
> >>+#include <netinet/in.h>
> >>+#include <netinet/ip.h>
> >>+
> >>+#include <rte_mbuf.h>
> >>+
> >>+static inline  struct ip *
> >>+ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst)
> >>+{
> >>+	struct ip *inip, *outip;
> >>+
> >>+	inip = rte_pktmbuf_mtod(m, struct ip*);
> >>+
> >>+	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
> >>+
> >>+	offset += sizeof(struct ip);
> >>+
> >>+	outip = (struct ip *)rte_pktmbuf_prepend(m, offset);
> >>+
> >>+	IPSEC_ASSERT(outip != NULL);
> >>+
> >>+	/* Per RFC4301 5.1.2.1 */
> >>+	outip->ip_len = htons(rte_pktmbuf_data_len(m));
> >>+	outip->ip_v = IPVERSION;
> >>+	outip->ip_hl = 5;
> >>+	outip->ip_tos = inip->ip_tos;
> >>+
> >>+	outip->ip_id = 0;
> >>+	outip->ip_off = 0;
> >>+
> >>+	outip->ip_ttl = IPDEFTTL;
> >>+
> >>+	outip->ip_dst.s_addr = dst;
> >>+	outip->ip_src.s_addr = src;
> >>+
> >>+	return outip;
> >>+}
> >>+
> >>+static inline int
> >>+ip4ip_inbound(struct rte_mbuf *m, uint32_t offset)
> >>+{
> >>+	struct ip *inip;
> >>+	struct ip *outip;
> >>+
> >>+	outip = rte_pktmbuf_mtod(m, struct ip*);
> >>+
> >>+	IPSEC_ASSERT(outip->ip_v == IPVERSION);
> >>+
> >>+	offset += sizeof(struct ip);
> >>+	inip = (struct ip *)rte_pktmbuf_adj(m, offset);
> >>+	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
> >>+
> >>+	/* Check packet is still bigger than IP header (inner) */
> >>+	IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip));
> >>+
> >>+	/* RFC4301 5.1.2.1 Note 6 */
> >>+	if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) &&
> >>+			((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE))
> >>+		inip->ip_tos |= htons(IPTOS_ECN_CE);
> >>+
> >>+	return 0;
> >>+}
> >>+
> >>+#endif /* __IPIP_H__ */
> >>diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> >>new file mode 100644
> >>index 0000000..d2e8972
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/ipsec-secgw.c
> >>@@ -0,0 +1,1218 @@
> >>+/*-
> >>+ *   BSD LICENSE
> >>+ *
> >>+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+ *   All rights reserved.
> >>+ *
> >>+ *   Redistribution and use in source and binary forms, with or without
> >>+ *   modification, are permitted provided that the following conditions
> >>+ *   are met:
> >>+ *
> >>+ *     * Redistributions of source code must retain the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer.
> >>+ *     * Redistributions in binary form must reproduce the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer in
> >>+ *       the documentation and/or other materials provided with the
> >>+ *       distribution.
> >>+ *     * Neither the name of Intel Corporation nor the names of its
> >>+ *       contributors may be used to endorse or promote products derived
> >>+ *       from this software without specific prior written permission.
> >>+ *
> >>+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+ */
> >>+
> >>+#include <stdio.h>
> >>+#include <stdlib.h>
> >>+#include <stdint.h>
> >>+#include <inttypes.h>
> >>+#include <sys/types.h>
> >>+#include <string.h>
> >>+#include <sys/queue.h>
> >>+#include <stdarg.h>
> >>+#include <errno.h>
> >>+#include <getopt.h>
> >>+
> >>+#include <rte_common.h>
> >>+#include <rte_byteorder.h>
> >>+#include <rte_log.h>
> >>+#include <rte_eal.h>
> >>+#include <rte_launch.h>
> >>+#include <rte_atomic.h>
> >>+#include <rte_cycles.h>
> >>+#include <rte_prefetch.h>
> >>+#include <rte_lcore.h>
> >>+#include <rte_per_lcore.h>
> >>+#include <rte_branch_prediction.h>
> >>+#include <rte_interrupts.h>
> >>+#include <rte_pci.h>
> >>+#include <rte_random.h>
> >>+#include <rte_debug.h>
> >>+#include <rte_ether.h>
> >>+#include <rte_ethdev.h>
> >>+#include <rte_mempool.h>
> >>+#include <rte_mbuf.h>
> >>+#include <rte_acl.h>
> >>+#include <rte_lpm.h>
> >>+#include <rte_cryptodev.h>
> >>+#include <rte_cryptodev.h>
> >>+
> >>+#include "ipsec.h"
> >>+
> >>+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
> >>+
> >>+#define MAX_JUMBO_PKT_LEN  9600
> >>+
> >>+#define MEMPOOL_CACHE_SIZE 256
> >>+
> >>+#define NB_MBUF	(32000)
> >>+
> >>+#define CDEV_MP_NB_OBJS 2048
> >>+#define CDEV_MP_CACHE_SZ 64
> >>+#define MAX_QUEUE_PAIRS 1
> >>+
> >>+#define OPTION_CONFIG		"config"
> >>+#define OPTION_EP0		"ep0"
> >>+#define OPTION_EP1		"ep1"
> >>+#define OPTION_CDEV_TYPE	"cdev"
> >>+
> >>+#define MAX_PKT_BURST 32
> >>+#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */
> >>+
> >>+#define NB_SOCKETS 4
> >>+
> >>+/* Configure how many packets ahead to prefetch, when reading packets */
> >>+#define PREFETCH_OFFSET	3
> >>+
> >>+#define MAX_RX_QUEUE_PER_LCORE 16
> >>+
> >>+#define MAX_LCORE_PARAMS 1024
> >>+
> >>+#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid))
> >>+
> >>+/*
> >>+ * Configurable number of RX/TX ring descriptors
> >>+ */
> >>+#define IPSEC_SECGW_RX_DESC_DEFAULT 128
> >>+#define IPSEC_SECGW_TX_DESC_DEFAULT 512
> >>+static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
> >>+static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
> >>+
> >>+#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
> >>+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
> >>+	(((uint64_t)((a) & 0xff) << 56) | \
> >>+	((uint64_t)((b) & 0xff) << 48) | \
> >>+	((uint64_t)((c) & 0xff) << 40) | \
> >>+	((uint64_t)((d) & 0xff) << 32) | \
> >>+	((uint64_t)((e) & 0xff) << 24) | \
> >>+	((uint64_t)((f) & 0xff) << 16) | \
> >>+	((uint64_t)((g) & 0xff) << 8)  | \
> >>+	((uint64_t)(h) & 0xff))
> >>+#else
> >>+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
> >>+	(((uint64_t)((h) & 0xff) << 56) | \
> >>+	((uint64_t)((g) & 0xff) << 48) | \
> >>+	((uint64_t)((f) & 0xff) << 40) | \
> >>+	((uint64_t)((e) & 0xff) << 32) | \
> >>+	((uint64_t)((d) & 0xff) << 24) | \
> >>+	((uint64_t)((c) & 0xff) << 16) | \
> >>+	((uint64_t)((b) & 0xff) << 8) | \
> >>+	((uint64_t)(a) & 0xff))
> >>+#endif
> >>+#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
> >>+
> >>+#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
> >>+		addr.addr_bytes[0], addr.addr_bytes[1], \
> >>+		addr.addr_bytes[2], addr.addr_bytes[3], \
> >>+		addr.addr_bytes[4], addr.addr_bytes[5], \
> >>+		0, 0)
> >>+
> >>+/* port/source ethernet addr and destination ethernet addr */
> >>+struct ethaddr_info {
> >>+	uint64_t src, dst;
> >>+};
> >>+
> >>+struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
> >>+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
> >>+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
> >>+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
> >>+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
> >>+};
> >>+
> >>+/* mask of enabled ports */
> >>+static uint32_t enabled_port_mask;
> >>+static uint32_t unprotected_port_mask;
> >>+static int promiscuous_on = 1;
> >>+static int numa_on = 1; /**< NUMA is enabled by default. */
> >>+static int ep = -1; /**< Endpoint configuration (0 or 1) */
> >>+static unsigned cdev_type = -1;
> >>+static unsigned nb_lcores;
> >>+
> >>+struct buffer {
> >>+	uint16_t len;
> >>+	struct rte_mbuf *m_table[MAX_PKT_BURST];
> >>+};
> >>+
> >>+struct lcore_rx_queue {
> >>+	uint8_t port_id;
> >>+	uint8_t queue_id;
> >>+} __rte_cache_aligned;
> >>+
> >>+struct lcore_params {
> >>+	uint8_t port_id;
> >>+	uint8_t queue_id;
> >>+	uint8_t lcore_id;
> >>+} __rte_cache_aligned;
> >>+
> >>+static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
> >>+
> >>+static struct lcore_params *lcore_params;
> >>+static uint16_t nb_lcore_params;
> >>+
> >>+struct lcore_conf {
> >>+	uint16_t nb_rx_queue;
> >>+	struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE];
> >>+	uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
> >>+	struct buffer tx_mbufs[RTE_MAX_ETHPORTS];
> >>+	uint16_t cdev;
> >>+	uint16_t cdev_q;
> >>+} __rte_cache_aligned;
> >>+
> >>+static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
> >>+
> >>+static struct rte_eth_conf port_conf = {
> >>+	.rxmode = {
> >>+		.mq_mode	= ETH_MQ_RX_RSS,
> >>+		.max_rx_pkt_len = ETHER_MAX_LEN,
> >>+		.split_hdr_size = 0,
> >>+		.header_split   = 0, /**< Header Split disabled */
> >>+		.hw_ip_checksum = 1, /**< IP checksum offload enabled */
> >>+		.hw_vlan_filter = 0, /**< VLAN filtering disabled */
> >>+		.jumbo_frame    = 0, /**< Jumbo Frame Support disabled */
> >>+		.hw_strip_crc   = 0, /**< CRC stripped by hardware */
> >>+	},
> >>+	.rx_adv_conf = {
> >>+		.rss_conf = {
> >>+			.rss_key = NULL,
> >>+			.rss_hf = ETH_RSS_IP | ETH_RSS_UDP |
> >>+				ETH_RSS_TCP | ETH_RSS_SCTP,
> >>+		},
> >>+	},
> >>+	.txmode = {
> >>+		.mq_mode = ETH_MQ_TX_NONE,
> >>+	},
> >>+};
> >>+
> >>+static struct socket_ctx socket_ctx[NB_SOCKETS];
> >>+
> >>+struct traffic_type {
> >>+	const uint8_t *data[MAX_PKT_BURST * 2];
> >>+	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
> >>+	uint32_t res[MAX_PKT_BURST * 2];
> >>+	uint32_t num;
> >>+};
> >>+
> >>+struct ipsec_traffic {
> >>+	struct traffic_type ipsec4;
> >>+	struct traffic_type ipv4;
> >>+};
> >>+
> >>+static inline void
> >>+prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
> >>+{
> >>+	uint8_t *nlp;
> >>+
> >>+	if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) {
> >>+		rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
> >>+		nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *,
> >>+				offsetof(struct ip, ip_p));
> >>+		if (*nlp == IPPROTO_ESP)
> >>+			t->ipsec4.pkts[(t->ipsec4.num)++] = pkt;
> >>+		else {
> >>+			t->ipv4.data[t->ipv4.num] = nlp;
> >>+			t->ipv4.pkts[(t->ipv4.num)++] = pkt;
> >>+		}
> >>+	} else {
> >>+		/* Unknown/Unsupported type, drop the packet */
> >>+		rte_pktmbuf_free(pkt);
> >>+	}
> >>+}
> >>+
> >>+static inline void
> >>+prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
> >>+		uint16_t nb_pkts)
> >>+{
> >>+	int i;
> >>+
> >>+	t->ipsec4.num = 0;
> >>+	t->ipv4.num = 0;
> >>+
> >>+	for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
> >>+		rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
> >>+					void *));
> >>+		prepare_one_packet(pkts[i], t);
> >>+	}
> >>+	/* Process left packets */
> >>+	for (; i < nb_pkts; i++)
> >>+		prepare_one_packet(pkts[i], t);
> >>+}
> >>+
> >>+static inline void
> >>+prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
> >>+{
> >>+	pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
> >>+	pkt->l3_len = sizeof(struct ip);
> >>+	pkt->l2_len = ETHER_HDR_LEN;
> >>+
> >>+	uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN);
> >>+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
> >>+	ethhdr[0] = ethaddr_tbl[port].dst |
> >>+		((ethaddr_tbl[port].src & 0xffff) << 48);
> >>+	ethhdr[1] = ethaddr_tbl[port].src >> 16 |
> >>+		((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) |
> >>+		(ethhdr[1] & (0xffffUL << 48));
> >>+#else
> >>+	ethhdr[0] = ethaddr_tbl[port].dst |
> >>+		(ethaddr_tbl[port].src >> 48 & 0xffff);
> >>+	ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) |
> >>+		(ethhdr[1] & 0xffffUL);
> >>+#endif
> >>+}
> >>+
> >>+static inline void
> >>+prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port)
> >>+{
> >>+	int i;
> >>+	const int prefetch_offset = 2;
> >>+
> >>+	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
> >>+		rte_prefetch0(pkts[i + prefetch_offset]->cacheline1);
> >>+		prepare_tx_pkt(pkts[i], port);
> >>+	}
> >>+	/* Process left packets */
> >>+	for (; i < nb_pkts; i++)
> >>+		prepare_tx_pkt(pkts[i], port);
> >>+}
> >>+
> >>+/* Send burst of packets on an output interface */
> >>+static inline int
> >>+send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port)
> >>+{
> >>+	struct rte_mbuf **m_table;
> >>+	int ret;
> >>+	uint16_t queueid;
> >>+
> >>+	queueid = qconf->tx_queue_id[port];
> >>+	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
> >>+
> >>+	prepare_tx_burst(m_table, n, port);
> >>+
> >>+	ret = rte_eth_tx_burst(port, queueid, m_table, n);
> >>+	if (unlikely(ret < n)) {
> >>+		do {
> >>+			rte_pktmbuf_free(m_table[ret]);
> >>+		} while (++ret < n);
> >>+	}
> >>+
> >>+	return 0;
> >>+}
> >>+
> >>+/* Enqueue a single packet, and send burst if queue is filled */
> >>+static inline int
> >>+send_single_packet(struct rte_mbuf *m, uint8_t port)
> >>+{
> >>+	uint32_t lcore_id;
> >>+	uint16_t len;
> >>+	struct lcore_conf *qconf;
> >>+
> >>+	lcore_id = rte_lcore_id();
> >>+
> >>+	qconf = &lcore_conf[lcore_id];
> >>+	len = qconf->tx_mbufs[port].len;
> >>+	qconf->tx_mbufs[port].m_table[len] = m;
> >>+	len++;
> >>+
> >>+	/* enough pkts to be sent */
> >>+	if (unlikely(len == MAX_PKT_BURST)) {
> >>+		send_burst(qconf, MAX_PKT_BURST, port);
> >>+		len = 0;
> >>+	}
> >>+
> >>+	qconf->tx_mbufs[port].len = len;
> >>+	return 0;
> >>+}
> >>+
> >>+static inline void
> >>+process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
> >>+{
> >>+	struct sa_ctx *sa_ctx = ctx->sa_ipv4_in;
> >>+	struct sp_ctx *sp_ctx = ctx->sp_ipv4_in;
> >>+	struct rte_mbuf *m;
> >>+	uint16_t idx, nb_pkts_in, i, j;
> >>+	uint32_t sa_idx, res;
> >>+	struct ipsec_ctx ipsec_ctx;
> >>+	struct lcore_conf *qconf;
> >>+
> >>+	qconf = &lcore_conf[rte_lcore_id()];
> >>+	ipsec_ctx.cdev = qconf->cdev;
> >>+	ipsec_ctx.queue = qconf->cdev_q;
> >>+	ipsec_ctx.sa_ctx = sa_ctx;
> >>+
> >>+	nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts,
> >>+			traffic->ipsec4.num, MAX_PKT_BURST);
> >>+
> >>+	/* SP/ACL Inbound check ipsec and ipv4 */
> >>+	for (i = 0; i < nb_pkts_in; i++) {
> >>+		idx = traffic->ipv4.num++;
> >>+		m = traffic->ipsec4.pkts[i];
> >>+		traffic->ipv4.pkts[idx] = m;
> >>+		traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m,
> >>+				uint8_t *, offsetof(struct ip, ip_p));
> >>+	}
> >>+
> >>+	rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
> >>+			traffic->ipv4.res, traffic->ipv4.num,
> >>+			DEFAULT_MAX_CATEGORIES);
> >>+
> >>+	j = 0;
> >>+	for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) {
> >>+		m = traffic->ipv4.pkts[i];
> >>+		res = traffic->ipv4.res[i];
> >>+		if (res & ~BYPASS) {
> >>+			rte_pktmbuf_free(m);
> >>+			continue;
> >>+		}
> >>+		traffic->ipv4.pkts[j++] = m;
> >>+	}
> >>+	/* Check return SA SPI matches pkt SPI */
> >>+	for ( ; i < traffic->ipv4.num; i++) {
> >>+		m = traffic->ipv4.pkts[i];
> >>+		sa_idx = traffic->ipv4.res[i] & PROTECT_MASK;
> >>+		if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) {
> >>+			rte_pktmbuf_free(m);
> >>+			continue;
> >>+		}
> >>+		traffic->ipv4.pkts[j++] = m;
> >>+	}
> >>+	traffic->ipv4.num = j;
> >>+}
> >>+
> >>+static inline void
> >>+process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic)
> >>+{
> >>+	struct sa_ctx *sa_ctx = ctx->sa_ipv4_out;
> >>+	struct sp_ctx *sp_ctx = ctx->sp_ipv4_out;
> >>+	struct rte_mbuf *m;
> >>+	uint16_t idx, nb_pkts_out, i, j;
> >>+	uint32_t sa_idx, res;
> >>+	struct ipsec_ctx ipsec_ctx;
> >>+	struct lcore_conf *qconf;
> >>+
> >>+	qconf = &lcore_conf[rte_lcore_id()];
> >>+	ipsec_ctx.cdev = qconf->cdev;
> >>+	ipsec_ctx.queue = qconf->cdev_q;
> >>+	ipsec_ctx.sa_ctx = sa_ctx;
> >>+
> >>+	rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data,
> >>+			traffic->ipv4.res, traffic->ipv4.num,
> >>+			DEFAULT_MAX_CATEGORIES);
> >IMO, an option for single SA based outbound processing would be useful
> >measuring performance bottlenecks with SA lookup.
> >
> 
> Hi Jerin,
> 
> Are you suggesting to have an option so we basically encrypt all traffic
> using
> a single SA bypassing the SP/ACL ?

Yes. Basicaly an option to bypass  "rte_acl_classify" if its for single
SA use case.


> 
> Currently the ACL entry contains the SA index in the SA table, so there is
> no SA
> lookup on outbound.
> That might have to change a bit if we were to add IKE support.
> 
> >>+	j = 0;
> >>+	for (i = 0; i < traffic->ipv4.num; i++) {
> >>+		m = traffic->ipv4.pkts[i];
> >>+		res = traffic->ipv4.res[i];
> >>+		sa_idx = res & PROTECT_MASK;
> >>+		if (res & DISCARD) {
> >>+			rte_pktmbuf_free(m);
> >>+		} else if (sa_idx != 0) {
> >>+			traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx;
> >>+			traffic->ipsec4.pkts[traffic->ipsec4.num++] = m;
> >>+		} else /* BYPASS */
> >>+			traffic->ipv4.pkts[j++] = m;
> >>+	}
> >>+	traffic->ipv4.num = j;
> >>+
> >>+	nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts,
> >>+			traffic->ipsec4.res, traffic->ipsec4.num,
> >>+			MAX_PKT_BURST);
> >>+
> >>+	for (i = 0; i < nb_pkts_out; i++) {
> >>+		idx = traffic->ipv4.num++;
> >>+		m = traffic->ipsec4.pkts[i];
> >>+		traffic->ipv4.pkts[idx] = m;
> >>+	}
> >>+}
> >>+
> >>+static inline void
> >>+route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
> >>+{
> >>+	uint16_t hop[MAX_PKT_BURST * 2];
> >>+	uint32_t dst_ip[MAX_PKT_BURST * 2];
> >>+	uint16_t i, offset;
> >>+
> >>+	if (nb_pkts == 0)
> >>+		return;
> >>+
> >>+	for (i = 0; i < nb_pkts; i++) {
> >>+		offset = offsetof(struct ip, ip_dst);
> >>+		dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i],
> >>+				uint32_t *, offset);
> >>+		dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]);
> >>+	}
> >>+
> >>+	rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts);
> >>+
> >>+	for (i = 0; i < nb_pkts; i++) {
> >>+		if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) {
> >>+			rte_pktmbuf_free(pkts[i]);
> >>+			continue;
> >>+		}
> >>+		send_single_packet(pkts[i], hop[i] & 0xff);
> >>+	}
> >>+}
> >>+
> >>+static inline void
> >>+process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts,
> >>+		uint8_t nb_pkts, uint8_t portid)
> >>+{
> >>+	struct ipsec_traffic traffic;
> >>+
> >>+	prepare_traffic(pkts, &traffic, nb_pkts);
> >>+
> >>+	if (UNPROTECTED_PORT(portid))
> >>+		process_pkts_inbound(ctx, &traffic);
> >>+	else
> >>+		process_pkts_outbound(ctx, &traffic);
> >>+
> >>+	route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num);
> >>+}
> >>+
> >>+static inline void
> >>+drain_buffers(struct lcore_conf *qconf)
> >>+{
> >>+	struct buffer *buf;
> >>+	unsigned portid;
> >>+
> >>+	for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) {
> >>+		buf = &qconf->tx_mbufs[portid];
> >>+		if (buf->len == 0)
> >>+			continue;
> >>+		send_burst(qconf, buf->len, portid);
> >>+		buf->len = 0;
> >>+	}
> >>+}
> >>+
> >>+/* main processing loop */
> >>+static int
> >>+main_loop(__attribute__((unused)) void *dummy)
> >>+{
> >>+	struct rte_mbuf *pkts[MAX_PKT_BURST];
> >>+	unsigned lcore_id;
> >>+	uint64_t prev_tsc, diff_tsc, cur_tsc;
> >>+	int i, nb_rx;
> >>+	uint8_t portid, queueid;
> >>+	struct lcore_conf *qconf;
> >>+	int socket_id;
> >>+	const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1)
> >>+			/ US_PER_S * BURST_TX_DRAIN_US;
> >>+	struct socket_ctx *ctx;
> >>+	struct lcore_rx_queue *rxql;
> >>+
> >>+	prev_tsc = 0;
> >>+	lcore_id = rte_lcore_id();
> >>+	qconf = &lcore_conf[lcore_id];
> >>+	rxql = qconf->rx_queue_list;
> >>+	socket_id = rte_lcore_to_socket_id(lcore_id);
> >>+
> >>+	ctx = &socket_ctx[socket_id];
> >>+
> >>+	if (qconf->nb_rx_queue == 0) {
> >>+		RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id);
> >>+		return 0;
> >>+	}
> >>+
> >>+	RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id);
> >>+
> >>+	for (i = 0; i < qconf->nb_rx_queue; i++) {
> >>+		portid = rxql[i].port_id;
> >>+		queueid = rxql[i].queue_id;
> >>+		RTE_LOG(INFO, IPSEC,
> >>+			" -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n",
> >>+			lcore_id, portid, queueid);
> >>+	}
> >>+
> >>+	while (1) {
> >>+		cur_tsc = rte_rdtsc();
> >>+
> >>+		/* TX queue buffer drain */
> >>+		diff_tsc = cur_tsc - prev_tsc;
> >>+
> >>+		if (unlikely(diff_tsc > drain_tsc)) {
> >>+			drain_buffers(qconf);
> >>+			prev_tsc = cur_tsc;
> >>+		}
> >>+
> >>+		/* Read packet from RX queues */
> >>+		for (i = 0; i < qconf->nb_rx_queue; ++i) {
> >>+			portid = rxql[i].port_id;
> >>+			queueid = rxql[i].queue_id;
> >>+			nb_rx = rte_eth_rx_burst(portid, queueid,
> >>+					pkts, MAX_PKT_BURST);
> >>+
> >>+			if (nb_rx > 0)
> >>+				process_pkts(ctx, pkts, nb_rx, portid);
> >>+		}
> >>+	}
> >>+}
> >>+
> >>+static int
> >>+check_params(void)
> >>+{
> >>+	uint8_t lcore, portid, nb_ports;
> >>+	uint16_t i;
> >>+	int socket_id;
> >>+
> >>+	if (lcore_params == NULL) {
> >>+		printf("Error: No port/queue/core mappings\n");
> >>+		return -1;
> >>+	}
> >>+
> >>+	nb_ports = rte_eth_dev_count();
> >>+	if (nb_ports > RTE_MAX_ETHPORTS)
> >>+		nb_ports = RTE_MAX_ETHPORTS;
> >>+
> >>+	for (i = 0; i < nb_lcore_params; ++i) {
> >>+		lcore = lcore_params[i].lcore_id;
> >>+		if (!rte_lcore_is_enabled(lcore)) {
> >>+			printf("error: lcore %hhu is not enabled in "
> >>+				"lcore mask\n", lcore);
> >>+			return -1;
> >>+		}
> >>+		socket_id = rte_lcore_to_socket_id(lcore);
> >>+		if (socket_id != 0 && numa_on == 0) {
> >>+			printf("warning: lcore %hhu is on socket %d "
> >>+				"with numa off\n",
> >>+				lcore, socket_id);
> >>+		}
> >>+		portid = lcore_params[i].port_id;
> >>+		if ((enabled_port_mask & (1 << portid)) == 0) {
> >>+			printf("port %u is not enabled in port mask\n", portid);
> >>+			return -1;
> >>+		}
> >>+		if (portid >= nb_ports) {
> >>+			printf("port %u is not present on the board\n", portid);
> >>+			return -1;
> >>+		}
> >>+	}
> >>+	return 0;
> >>+}
> >>+
> >>+static uint8_t
> >>+get_port_nb_rx_queues(const uint8_t port)
> >>+{
> >>+	int queue = -1;
> >>+	uint16_t i;
> >>+
> >>+	for (i = 0; i < nb_lcore_params; ++i) {
> >>+		if (lcore_params[i].port_id == port &&
> >>+				lcore_params[i].queue_id > queue)
> >>+			queue = lcore_params[i].queue_id;
> >>+	}
> >>+	return (uint8_t)(++queue);
> >>+}
> >>+
> >>+static int
> >>+init_lcore_rx_queues(void)
> >>+{
> >>+	uint16_t i, nb_rx_queue;
> >>+	uint8_t lcore;
> >>+
> >>+	for (i = 0; i < nb_lcore_params; ++i) {
> >>+		lcore = lcore_params[i].lcore_id;
> >>+		nb_rx_queue = lcore_conf[lcore].nb_rx_queue;
> >>+		if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) {
> >>+			printf("error: too many queues (%u) for lcore: %u\n",
> >>+					nb_rx_queue + 1, lcore);
> >>+			return -1;
> >>+		}
> >>+		lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id =
> >>+			lcore_params[i].port_id;
> >>+		lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id =
> >>+			lcore_params[i].queue_id;
> >>+		lcore_conf[lcore].nb_rx_queue++;
> >>+	}
> >>+	return 0;
> >>+}
> >>+
> >>+/* display usage */
> >>+static void
> >>+print_usage(const char *prgname)
> >>+{
> >>+	printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK"
> >>+		"  --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]"
> >>+		" --EP0|--EP1 --cdev AESNI|QAT\n"
> >>+		"  -p PORTMASK: hexadecimal bitmask of ports to configure\n"
> >>+		"  -P : enable promiscuous mode\n"
> >>+		"  -u PORTMASK: hexadecimal bitmask of unprotected ports\n"
> >>+		"  --"OPTION_CONFIG": (port,queue,lcore): "
> >>+		"rx queues configuration\n"
> >>+		"  --cdev AESNI | QAT\n"
> >>+		"  --EP0: Configure as Endpoint 0\n"
> >>+		"  --EP1: Configure as Endpoint 1\n", prgname);
> >>+}
> >>+
> >>+static int
> >>+parse_portmask(const char *portmask)
> >>+{
> >>+	char *end = NULL;
> >>+	unsigned long pm;
> >>+
> >>+	/* parse hexadecimal string */
> >>+	pm = strtoul(portmask, &end, 16);
> >>+	if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0'))
> >>+		return -1;
> >>+
> >>+	if (pm == 0)
> >>+		return -1;
> >>+
> >>+	return pm;
> >>+}
> >>+
> >>+static int
> >>+parse_config(const char *q_arg)
> >>+{
> >>+	char s[256];
> >>+	const char *p, *p0 = q_arg;
> >>+	char *end;
> >>+	enum fieldnames {
> >>+		FLD_PORT = 0,
> >>+		FLD_QUEUE,
> >>+		FLD_LCORE,
> >>+		_NUM_FLD
> >>+	};
> >>+	unsigned long int_fld[_NUM_FLD];
> >>+	char *str_fld[_NUM_FLD];
> >>+	int i;
> >>+	unsigned size;
> >>+
> >>+	nb_lcore_params = 0;
> >>+
> >>+	while ((p = strchr(p0, '(')) != NULL) {
> >>+		++p;
> >>+		p0 = strchr(p, ')');
> >>+		if (p0 == NULL)
> >>+			return -1;
> >>+
> >>+		size = p0 - p;
> >>+		if (size >= sizeof(s))
> >>+			return -1;
> >>+
> >>+		snprintf(s, sizeof(s), "%.*s", size, p);
> >>+		if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') !=
> >>+				_NUM_FLD)
> >>+			return -1;
> >>+		for (i = 0; i < _NUM_FLD; i++) {
> >>+			errno = 0;
> >>+			int_fld[i] = strtoul(str_fld[i], &end, 0);
> >>+			if (errno != 0 || end == str_fld[i] || int_fld[i] > 255)
> >>+				return -1;
> >>+		}
> >>+		if (nb_lcore_params >= MAX_LCORE_PARAMS) {
> >>+			printf("exceeded max number of lcore params: %hu\n",
> >>+				nb_lcore_params);
> >>+			return -1;
> >>+		}
> >>+		lcore_params_array[nb_lcore_params].port_id =
> >>+			(uint8_t)int_fld[FLD_PORT];
> >>+		lcore_params_array[nb_lcore_params].queue_id =
> >>+			(uint8_t)int_fld[FLD_QUEUE];
> >>+		lcore_params_array[nb_lcore_params].lcore_id =
> >>+			(uint8_t)int_fld[FLD_LCORE];
> >>+		++nb_lcore_params;
> >>+	}
> >>+	lcore_params = lcore_params_array;
> >>+	return 0;
> >>+}
> >>+
> >>+#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt)))
> >>+static int
> >>+parse_args_long_options(struct option *lgopts, int option_index)
> >>+{
> >>+	int ret = -1;
> >>+	const char *optname = lgopts[option_index].name;
> >>+
> >>+	if (__STRNCMP(optname, OPTION_CONFIG)) {
> >>+		ret = parse_config(optarg);
> >>+		if (ret)
> >>+			printf("invalid config\n");
> >>+	}
> >>+
> >>+	if (__STRNCMP(optname, OPTION_EP0)) {
> >>+		printf("endpoint 0\n");
> >>+		ep = 0;
> >>+		ret = 0;
> >>+	}
> >>+
> >>+	if (__STRNCMP(optname, OPTION_EP1)) {
> >>+		printf("endpoint 1\n");
> >>+		ep = 1;
> >>+		ret = 0;
> >>+	}
> >>+
> >>+	if (__STRNCMP(optname, OPTION_CDEV_TYPE)) {
> >>+		if (__STRNCMP(optarg, "AESNI")) {
> >>+			cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD;
> >>+			ret = 0;
> >>+		} else if (__STRNCMP(optarg, "QAT")) {
> >>+			cdev_type = RTE_CRYPTODEV_QAT_PMD;
> >>+			ret = 0;
> >>+		}
> >>+	}
> >>+
> >>+	return ret;
> >>+}
> >>+#undef __STRNCMP
> >>+
> >>+static int
> >>+parse_args(int argc, char **argv)
> >>+{
> >>+	int opt, ret;
> >>+	char **argvopt;
> >>+	int option_index;
> >>+	char *prgname = argv[0];
> >>+	static struct option lgopts[] = {
> >>+		{OPTION_CONFIG, 1, 0, 0},
> >>+		{OPTION_EP0, 0, 0, 0},
> >>+		{OPTION_EP1, 0, 0, 0},
> >>+		{OPTION_CDEV_TYPE, 1, 0, 0},
> >>+		{NULL, 0, 0, 0}
> >>+	};
> >>+
> >>+	argvopt = argv;
> >>+
> >>+	while ((opt = getopt_long(argc, argvopt, "p:Pu:",
> >>+				lgopts, &option_index)) != EOF) {
> >>+
> >>+		switch (opt) {
> >>+		case 'p':
> >>+			enabled_port_mask = parse_portmask(optarg);
> >>+			if (enabled_port_mask == 0) {
> >>+				printf("invalid portmask\n");
> >>+				print_usage(prgname);
> >>+				return -1;
> >>+			}
> >>+			break;
> >>+		case 'P':
> >>+			printf("Promiscuous mode selected\n");
> >>+			promiscuous_on = 1;
> >>+			break;
> >>+		case 'u':
> >>+			unprotected_port_mask = parse_portmask(optarg);
> >>+			if (unprotected_port_mask == 0) {
> >>+				printf("invalid unprotected portmask\n");
> >>+				print_usage(prgname);
> >>+				return -1;
> >>+			}
> >>+			break;
> >>+		case 0:
> >>+			if (parse_args_long_options(lgopts, option_index)) {
> >>+				print_usage(prgname);
> >>+				return -1;
> >>+			}
> >>+			break;
> >>+		default:
> >>+			print_usage(prgname);
> >>+			return -1;
> >>+		}
> >>+	}
> >>+
> >>+	if (optind >= 0)
> >>+		argv[optind-1] = prgname;
> >>+
> >>+	ret = optind-1;
> >>+	optind = 0; /* reset getopt lib */
> >>+	return ret;
> >>+}
> >>+
> >>+static void
> >>+print_ethaddr(const char *name, const struct ether_addr *eth_addr)
> >>+{
> >>+	char buf[ETHER_ADDR_FMT_SIZE];
> >>+	ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
> >>+	printf("%s%s", name, buf);
> >>+}
> >>+
> >>+/* Check the link status of all ports in up to 9s, and print them finally */
> >>+static void
> >>+check_all_ports_link_status(uint8_t port_num, uint32_t port_mask)
> >>+{
> >>+#define CHECK_INTERVAL 100 /* 100ms */
> >>+#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */
> >>+	uint8_t portid, count, all_ports_up, print_flag = 0;
> >>+	struct rte_eth_link link;
> >>+
> >>+	printf("\nChecking link status");
> >>+	fflush(stdout);
> >>+	for (count = 0; count <= MAX_CHECK_TIME; count++) {
> >>+		all_ports_up = 1;
> >>+		for (portid = 0; portid < port_num; portid++) {
> >>+			if ((port_mask & (1 << portid)) == 0)
> >>+				continue;
> >>+			memset(&link, 0, sizeof(link));
> >>+			rte_eth_link_get_nowait(portid, &link);
> >>+			/* print link status if flag set */
> >>+			if (print_flag == 1) {
> >>+				if (link.link_status)
> >>+					printf("Port %d Link Up - speed %u "
> >>+						"Mbps - %s\n", (uint8_t)portid,
> >>+						(unsigned)link.link_speed,
> >>+				(link.link_duplex == ETH_LINK_FULL_DUPLEX) ?
> >>+					("full-duplex") : ("half-duplex\n"));
> >>+				else
> >>+					printf("Port %d Link Down\n",
> >>+						(uint8_t)portid);
> >>+				continue;
> >>+			}
> >>+			/* clear all_ports_up flag if any link down */
> >>+			if (link.link_status == 0) {
> >>+				all_ports_up = 0;
> >>+				break;
> >>+			}
> >>+		}
> >>+		/* after finally printing all link status, get out */
> >>+		if (print_flag == 1)
> >>+			break;
> >>+
> >>+		if (all_ports_up == 0) {
> >>+			printf(".");
> >>+			fflush(stdout);
> >>+			rte_delay_ms(CHECK_INTERVAL);
> >>+		}
> >>+
> >>+		/* set the print_flag if all ports up or timeout */
> >>+		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) {
> >>+			print_flag = 1;
> >>+			printf("done\n");
> >>+		}
> >>+	}
> >>+}
> >>+
> >>+static uint16_t
> >>+find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id)
> >>+{
> >>+	uint16_t cdev_id, cnt;
> >>+	struct rte_cryptodev_info info;
> >>+
> >>+	cnt = rte_cryptodev_count();
> >>+	for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) {
> >>+		rte_cryptodev_info_get(cdev_id, &info);
> >>+		if (info.dev_type == cdev_type)
> >>+			return cdev_id;
> >>+	}
> >>+
> >>+	return -1;
> >>+}
> >>+
> >>+static uint16_t
> >>+find_cdev_socket(int socket_id, unsigned cdev_type)
> >>+{
> >>+	uint16_t cdev_id, cnt;
> >>+	struct rte_cryptodev_info info;
> >>+	int cdev_socket;
> >>+
> >>+	cnt = rte_cryptodev_count();
> >>+	for (cdev_id = 0; cdev_id < cnt; cdev_id++) {
> >>+		rte_cryptodev_info_get(cdev_id, &info);
> >>+		cdev_socket = rte_cryptodev_socket_id(cdev_id);
> >>+		if ((info.dev_type == cdev_type) && (cdev_socket == socket_id))
> >>+			return cdev_id;
> >>+	}
> >>+
> >>+	return -1;
> >>+}
> >>+
> >>+static int
> >>+cryptodevs_init(void)
> >>+{
> >>+	struct rte_cryptodev_config dev_conf;
> >>+	struct rte_cryptodev_qp_conf qp_conf;
> >>+	struct lcore_conf *qconf;
> >>+	uint16_t cnt, lcore_id, cdev_id;
> >>+	int ret, i, socket_id;
> >>+
> >>+	if (cdev_type == RTE_CRYPTODEV_QAT_PMD) {
> >>+		cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD);
> >>+		printf("Found %u QAT devices\n", cnt);
> >>+		if (cnt < nb_lcores)
> >>+			rte_panic("Not enough QAT devices detected, "
> >>+					"need %u (1 per core), found %d\n",
> >>+					nb_lcores, cnt);
> >>+	} else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
> >>+		printf("Initializing %u AESNI vdevs\n", rte_lcore_count());
> >Is it possible to remove PMD specific Initialization code from the
> >application and move driver layer so that new crypto pmd inclusion will
> >not have any change in this place.
> 
> Yes, it should be possible now that we have:
> http://dpdk.org/ml/archives/dev/2016-January/032448.html
> 
> I also plan to rework the code a bit to use the new cryptodev API:
> http://dpdk.org/ml/archives/dev/2016-January/032445.html
> 
> >>+		for (i = 0; i < (int)rte_lcore_count(); i++) {
> >>+			ret = rte_eal_vdev_init(
> >>+					CRYPTODEV_NAME_AESNI_MB_PMD,
> >>+					NULL);
> >>+			if (ret < 0)
> >>+				rte_panic("Failed to create AESNI-MB vdev\n");
> >>+		}
> >>+	} else
> >>+		rte_panic("Need to set cryptodev type option --cdev\n");
> >>+
> >>+	cdev_id = 0;
> >>+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
> >>+		if (rte_lcore_is_enabled(lcore_id) == 0)
> >>+			continue;
> >>+
> >>+		socket_id = rte_lcore_to_socket_id(lcore_id);
> >>+		cdev_id = find_next_cdev(cdev_type, cdev_id);
> >>+		qconf = &lcore_conf[lcore_id];
> >>+		qconf->cdev = cdev_id;
> >>+		qconf->cdev_q = 0;
> >>+		if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) {
> >>+			dev_conf.socket_id = socket_id;
> >>+			printf("Initializing AESNI-MB device %u socket %u\n",
> >>+					cdev_id, socket_id);
> >>+		} else {
> >>+			dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
> >>+			printf("Initialising QAT device %u\n", cdev_id);
> >>+		}
> >>+
> >>+		dev_conf.nb_queue_pairs = 1;
> >>+		dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS;
> >>+		dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ;
> >>+
> >>+		if (rte_cryptodev_configure(cdev_id, &dev_conf))
> >>+			rte_panic("Failed to initialize crypodev %u\n",
> >>+					cdev_id);
> >>+
> >>+		qp_conf.nb_descriptors = CDEV_MP_NB_OBJS;
> >>+		if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf,
> >>+					dev_conf.socket_id))
> >>+			rte_panic("Failed to setup queue %u for cdev_id %u\n",
> >>+					0, cdev_id);
> >>+		cdev_id++;
> >>+	}
> >>+
> >>+	return 0;
> >>+}
> >>+
> >>+static void
> >>+port_init(uint8_t portid)
> >>+{
> >>+	struct rte_eth_dev_info dev_info;
> >>+	struct rte_eth_txconf *txconf;
> >>+	uint16_t nb_tx_queue, nb_rx_queue;
> >>+	uint16_t tx_queueid, rx_queueid, queue, lcore_id;
> >>+	int ret, socket_id;
> >>+	struct lcore_conf *qconf;
> >>+	struct ether_addr ethaddr;
> >>+
> >>+	rte_eth_dev_info_get(portid, &dev_info);
> >>+
> >>+	printf("Configuring device port %u:\n", portid);
> >>+
> >>+	rte_eth_macaddr_get(portid, &ethaddr);
> >>+	ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
> >>+	print_ethaddr("Address: ", &ethaddr);
> >>+	printf("\n");
> >>+
> >>+	nb_rx_queue = get_port_nb_rx_queues(portid);
> >>+	nb_tx_queue = nb_lcores;
> >>+
> >>+	if (nb_rx_queue > dev_info.max_rx_queues)
> >>+		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
> >>+				"(max rx queue is %u)\n",
> >>+				nb_rx_queue, dev_info.max_rx_queues);
> >>+
> >>+	if (nb_tx_queue > dev_info.max_tx_queues)
> >>+		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
> >>+				"(max tx queue is %u)\n",
> >>+				nb_tx_queue, dev_info.max_tx_queues);
> >>+
> >>+	printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n",
> >>+			nb_rx_queue, nb_tx_queue);
> >>+
> >>+	ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue,
> >>+			&port_conf);
> >>+	if (ret < 0)
> >>+		rte_exit(EXIT_FAILURE, "Cannot configure device: "
> >>+				"err=%d, port=%d\n", ret, portid);
> >>+
> >>+	/* init one TX queue per lcore */
> >>+	tx_queueid = 0;
> >>+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
> >>+		if (rte_lcore_is_enabled(lcore_id) == 0)
> >>+			continue;
> >>+
> >>+		if (numa_on)
> >>+			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
> >>+		else
> >>+			socket_id = 0;
> >>+
> >>+		/* init TX queue */
> >>+		printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id);
> >>+
> >>+		txconf = &dev_info.default_txconf;
> >>+		txconf->txq_flags = 0;
> >>+
> >>+		ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd,
> >>+				socket_id, txconf);
> >>+		if (ret < 0)
> >>+			rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: "
> >>+					"err=%d, port=%d\n", ret, portid);
> >>+
> >>+		qconf = &lcore_conf[lcore_id];
> >>+		qconf->tx_queue_id[portid] = tx_queueid;
> >>+		tx_queueid++;
> >>+
> >>+		/* init RX queues */
> >>+		for (queue = 0; queue < qconf->nb_rx_queue; ++queue) {
> >>+			if (portid != qconf->rx_queue_list[queue].port_id)
> >>+				continue;
> >>+
> >>+			rx_queueid = qconf->rx_queue_list[queue].queue_id;
> >>+
> >>+			printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid,
> >>+					socket_id);
> >>+
> >>+			ret = rte_eth_rx_queue_setup(portid, rx_queueid,
> >>+					nb_rxd,	socket_id, NULL,
> >>+					socket_ctx[socket_id].mbuf_pool);
> >>+			if (ret < 0)
> >>+				rte_exit(EXIT_FAILURE,
> >>+					"rte_eth_rx_queue_setup: err=%d, "
> >>+					"port=%d\n", ret, portid);
> >>+		}
> >>+	}
> >>+	printf("\n");
> >>+}
> >>+
> >>+static void
> >>+pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf)
> >>+{
> >>+	char s[64];
> >>+
> >>+	snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id);
> >>+	ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf,
> >>+			MEMPOOL_CACHE_SIZE, ipsec_metadata_size(),
> >>+			RTE_MBUF_DEFAULT_BUF_SIZE,
> >>+			socket_id);
> >>+	if (ctx->mbuf_pool == NULL)
> >>+		rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n",
> >>+				socket_id);
> >>+	else
> >>+		printf("Allocated mbuf pool on socket %d\n", socket_id);
> >>+}
> >>+
> >>+int
> >>+main(int argc, char **argv)
> >>+{
> >>+	int ret;
> >>+	unsigned lcore_id, nb_ports;
> >>+	uint8_t portid, socket_id;
> >>+
> >>+	/* init EAL */
> >>+	ret = rte_eal_init(argc, argv);
> >>+	if (ret < 0)
> >>+		rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n");
> >>+	argc -= ret;
> >>+	argv += ret;
> >>+
> >>+	/* parse application arguments (after the EAL ones) */
> >>+	ret = parse_args(argc, argv);
> >>+	if (ret < 0)
> >>+		rte_exit(EXIT_FAILURE, "Invalid parameters\n");
> >>+
> >>+	if (ep < 0)
> >>+		rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n");
> >>+
> >>+	if ((unprotected_port_mask & enabled_port_mask) !=
> >>+			unprotected_port_mask)
> >>+		rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n",
> >>+				unprotected_port_mask);
> >>+
> >>+	nb_ports = rte_eth_dev_count();
> >>+	if (nb_ports > RTE_MAX_ETHPORTS)
> >>+		nb_ports = RTE_MAX_ETHPORTS;
> >>+
> >>+	if (check_params() < 0)
> >>+		rte_exit(EXIT_FAILURE, "check_params failed\n");
> >>+
> >>+	ret = init_lcore_rx_queues();
> >>+	if (ret < 0)
> >>+		rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n");
> >>+
> >>+	nb_lcores = rte_lcore_count();
> >>+
> >>+	cryptodevs_init();
> >>+
> >>+	/* Replicate each contex per socket */
> >>+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
> >>+		if (rte_lcore_is_enabled(lcore_id) == 0)
> >>+			continue;
> >>+
> >>+		if (numa_on)
> >>+			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
> >>+		else
> >>+			socket_id = 0;
> >>+
> >>+		if (socket_ctx[socket_id].mbuf_pool)
> >>+			continue;
> >>+
> >>+		sa_init(&socket_ctx[socket_id], socket_id, ep,
> >>+				find_cdev_socket(socket_id, cdev_type));
> >>+
> >>+		sp_init(&socket_ctx[socket_id], socket_id, ep);
> >>+
> >>+		rt_init(&socket_ctx[socket_id], socket_id, ep);
> >>+
> >>+		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
> >>+	}
> >>+
> >>+	for (portid = 0; portid < nb_ports; portid++) {
> >>+		if ((enabled_port_mask & (1 << portid)) == 0)
> >>+			continue;
> >>+
> >>+		port_init(portid);
> >>+	}
> >>+
> >>+	/* start ports */
> >>+	for (portid = 0; portid < nb_ports; portid++) {
> >>+		if ((enabled_port_mask & (1 << portid)) == 0)
> >>+			continue;
> >>+
> >>+		/* Start device */
> >>+		ret = rte_eth_dev_start(portid);
> >>+		if (ret < 0)
> >>+			rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
> >>+					"err=%d, port=%d\n", ret, portid);
> >>+		/*
> >>+		 * If enabled, put device in promiscuous mode.
> >>+		 * This allows IO forwarding mode to forward packets
> >>+		 * to itself through 2 cross-connected  ports of the
> >>+		 * target machine.
> >>+		 */
> >>+		if (promiscuous_on)
> >>+			rte_eth_promiscuous_enable(portid);
> >>+	}
> >>+
> >>+	check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask);
> >>+
> >>+	/* launch per-lcore init on every lcore */
> >>+	rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER);
> >>+	RTE_LCORE_FOREACH_SLAVE(lcore_id) {
> >>+		if (rte_eal_wait_lcore(lcore_id) < 0)
> >>+			return -1;
> >>+	}
> >>+
> >>+	return 0;
> >>+}
> >>diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> >>new file mode 100644
> >>index 0000000..83e3326
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/ipsec.c
> >>@@ -0,0 +1,138 @@
> >>+/*-
> >>+ *   BSD LICENSE
> >>+ *
> >>+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+ *   All rights reserved.
> >>+ *
> >>+ *   Redistribution and use in source and binary forms, with or without
> >>+ *   modification, are permitted provided that the following conditions
> >>+ *   are met:
> >>+ *
> >>+ *     * Redistributions of source code must retain the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer.
> >>+ *     * Redistributions in binary form must reproduce the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer in
> >>+ *       the documentation and/or other materials provided with the
> >>+ *       distribution.
> >>+ *     * Neither the name of Intel Corporation nor the names of its
> >>+ *       contributors may be used to endorse or promote products derived
> >>+ *       from this software without specific prior written permission.
> >>+ *
> >>+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+ */
> >>+
> >>+#include <netinet/in.h>
> >>+#include <netinet/ip.h>
> >>+
> >>+#include <rte_branch_prediction.h>
> >>+#include <rte_log.h>
> >>+#include <rte_crypto.h>
> >>+#include <rte_cryptodev.h>
> >>+#include <rte_mbuf.h>
> >>+
> >>+#include "ipsec.h"
> >>+
> >>+static inline uint16_t
> >>+ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[],
> >>+		struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts)
> >>+{
> >>+	int ret, i, j;
> >>+	struct ipsec_mbuf_metadata *priv;
> >>+	struct rte_mbuf_offload *ol;
> >>+	struct ipsec_sa *sa;
> >>+
> >>+	j = 0;
> >>+	for (i = 0; i < nb_pkts; i++) {
> >>+		rte_prefetch0(sas[i]);
> >>+		rte_prefetch0(pkts[i]);
> >>+
> >>+		priv = get_priv(pkts[i]);
> >>+		ol = &priv->ol;
> >>+		sa = sas[i];
> >>+		priv->sa = sa;
> >>+
> >>+		IPSEC_ASSERT(sa != NULL);
> >>+
> >>+		__rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO);
> >>+
> >>+		rte_crypto_op_attach_session(&ol->op.crypto,
> >>+				sa->crypto_session);
> >>+
> >>+		pkts[i]->offload_ops = ol;
> >>+
> >>+		ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto);
> >>+		if (unlikely(ret))
> >>+			rte_pktmbuf_free(pkts[i]);
> >>+		else
> >>+			pkts[j++] = pkts[i];
> >>+	}
> >>+	nb_pkts = j;
> >>+
> >>+	ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts);
> >>+	if (ret < nb_pkts) {
> >>+		IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
> >>+				" enqueued %u packets (out of %u)\n",
> >>+				 cdev_id, qp_id, ret, nb_pkts);
> >>+		for (i = ret; i < nb_pkts; i++)
> >>+			rte_pktmbuf_free(pkts[i]);
> >>+	}
> >>+
> >>+	nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts);
> >>+	if ((nb_pkts != 0) && (nb_pkts < max_pkts))
> >>+		IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
> >>+				" dequeued %u packets (out of %u)\n",
> >>+				 cdev_id, qp_id, nb_pkts, max_pkts);
> >>+
> >>+	j = 0;
> >>+	for (i = 0; i < nb_pkts; i++) {
> >>+		rte_prefetch0(pkts[i]);
> >>+
> >>+		priv = get_priv(pkts[i]);
> >>+		ol = &priv->ol;
> >>+		sa = priv->sa;
> >>+		rte_prefetch0(sa);
> >>+
> >>+		IPSEC_ASSERT(sa != NULL);
> >>+
> >>+		ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto);
> >>+		if (unlikely(ret))
> >>+			rte_pktmbuf_free(pkts[i]);
> >>+		else
> >>+			pkts[j++] = pkts[i];
> >>+	}
> >>+
> >>+	/* return packets */
> >>+	return j;
> >>+}
> >>+
> >>+uint16_t
> >>+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
> >>+		uint16_t nb_pkts, uint16_t len)
> >>+{
> >>+	struct ipsec_sa *sas[nb_pkts];
> >>+
> >>+	inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts);
> >>+
> >>+	return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
> >>+}
> >>+
> >>+uint16_t
> >>+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
> >>+		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len)
> >>+{
> >>+	struct ipsec_sa *sas[nb_pkts];
> >>+
> >>+	outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts);
> >>+
> >>+	return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len);
> >>+}
> >>diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> >>new file mode 100644
> >>index 0000000..abf9d5f
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/ipsec.h
> >>@@ -0,0 +1,184 @@
> >>+/*-
> >>+ *   BSD LICENSE
> >>+ *
> >>+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+ *   All rights reserved.
> >>+ *
> >>+ *   Redistribution and use in source and binary forms, with or without
> >>+ *   modification, are permitted provided that the following conditions
> >>+ *   are met:
> >>+ *
> >>+ *     * Redistributions of source code must retain the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer.
> >>+ *     * Redistributions in binary form must reproduce the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer in
> >>+ *       the documentation and/or other materials provided with the
> >>+ *       distribution.
> >>+ *     * Neither the name of Intel Corporation nor the names of its
> >>+ *       contributors may be used to endorse or promote products derived
> >>+ *       from this software without specific prior written permission.
> >>+ *
> >>+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+ */
> >>+
> >>+#ifndef __IPSEC_H__
> >>+#define __IPSEC_H__
> >>+
> >>+#include <stdint.h>
> >>+#include <netinet/in.h>
> >>+#include <netinet/ip.h>
> >>+
> >>+#include <rte_mbuf_offload.h>
> >>+#include <rte_byteorder.h>
> >>+#include <rte_ip.h>
> >>+
> >>+#define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
> >>+#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
> >>+#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3
> >>+
> >>+#ifdef IPSEC_DEBUG
> >>+#define IPSEC_ASSERT(exp)                                            \
> >>+if (!(exp)) {                                                        \
> >>+	rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \
> >>+}
> >>+
> >>+#define IPSEC_LOG RTE_LOG
> >>+#else
> >>+#define IPSEC_ASSERT(exp) do {} while (0)
> >>+#define IPSEC_LOG(...) do {} while (0)
> >>+#endif /* IPSEC_DEBUG */
> >>+
> >>+#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
> >>+
> >>+#define uint32_t_to_char(ip, a, b, c, d) do {\
> >>+		*a = (unsigned char)(ip >> 24 & 0xff);\
> >>+		*b = (unsigned char)(ip >> 16 & 0xff);\
> >>+		*c = (unsigned char)(ip >> 8 & 0xff);\
> >>+		*d = (unsigned char)(ip & 0xff);\
> >>+	} while (0)
> >>+
> >>+#define DEFAULT_MAX_CATEGORIES	1
> >>+
> >>+#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */
> >>+#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
> >>+#define INVALID_SPI (0)
> >>+
> >>+#define DISCARD (0x80000000)
> >>+#define BYPASS (0x40000000)
> >>+#define PROTECT_MASK (0x3fffffff)
> >>+#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */
> >>+
> >>+#define IPSEC_XFORM_MAX 2
> >>+
> >>+struct rte_crypto_xform;
> >>+struct ipsec_xform;
> >>+struct rte_cryptodev_session;
> >>+struct rte_mbuf;
> >>+
> >>+struct replay {
> >>+	uint32_t seq_h;
> >>+};
> >>+
> >>+struct lifetime {
> >>+	uint64_t bytes;
> >>+	uint64_t seconds;
> >>+};
> >>+
> >>+struct ipsec_sa;
> >>+
> >>+typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
> >>+		struct rte_crypto_op *cop);
> >>+
> >>+struct ipsec_sa {
> >>+	uint32_t spi;
> >>+	uint32_t seq;
> >>+	uint32_t src;
> >>+	uint32_t dst;
> >>+	struct rte_cryptodev_session *crypto_session;
> >>+	struct rte_crypto_xform *xforms;
> >>+	enum rte_crypto_cipher_algorithm cipher_algo;
> >>+	enum rte_crypto_auth_algorithm auth_algo;
> >>+	uint16_t digest_len;
> >>+	uint16_t iv_len;
> >>+	uint16_t block_size;
> >>+	ipsec_xform_fn pre_crypto;
> >>+	ipsec_xform_fn post_crypto;
> >>+	uint32_t flags;
> >>+	/* does not apply if no automated SA management (IKE) support */
> >>+	struct lifetime current;
> >>+	struct lifetime soft;
> >>+	struct lifetime hard;
> >>+	struct replay replay;
> >>+} __rte_cache_aligned;
> >>+
> >>+struct ipsec_mbuf_metadata {
> >>+	struct ipsec_sa *sa;
> >>+	struct rte_mbuf_offload ol;
> >>+};
> >>+
> >>+struct ipsec_ctx {
> >>+	uint16_t cdev;
> >>+	uint16_t queue;
> >>+	struct sa_ctx *sa_ctx;
> >>+};
> >>+
> >>+struct socket_ctx {
> >>+	struct sa_ctx *sa_ipv4_in;
> >>+	struct sa_ctx *sa_ipv4_out;
> >>+	struct sp_ctx *sp_ipv4_in;
> >>+	struct sp_ctx *sp_ipv4_out;
> >>+	struct rt_ctx *rt_ipv4;
> >>+	struct rte_mempool *mbuf_pool;
> >>+};
> >>+
> >>+uint16_t
> >>+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
> >>+		uint16_t nb_pkts, uint16_t len);
> >>+
> >>+uint16_t
> >>+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
> >>+		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
> >>+
> >>+static inline uint16_t
> >>+ipsec_metadata_size(void)
> >>+{
> >>+	return sizeof(struct ipsec_mbuf_metadata);
> >>+}
> >>+
> >>+static inline struct ipsec_mbuf_metadata *
> >>+get_priv(struct rte_mbuf *m)
> >>+{
> >>+	return RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
> >>+}
> >>+
> >>+int
> >>+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
> >>+
> >>+void
> >>+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
> >>+		struct ipsec_sa *sa[], uint16_t nb_pkts);
> >>+
> >>+void
> >>+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
> >>+		struct ipsec_sa *sa[], uint16_t nb_pkts);
> >>+
> >>+void
> >>+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
> >>+
> >>+void
> >>+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id);
> >>+
> >>+void
> >>+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
> >>+
> >>+#endif /* __IPSEC_H__ */
> >>diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c
> >>new file mode 100644
> >>index 0000000..82064b2
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/rt.c
> >>@@ -0,0 +1,131 @@
> >>+/*-
> >>+ *   BSD LICENSE
> >>+ *
> >>+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+ *   All rights reserved.
> >>+ *
> >>+ *   Redistribution and use in source and binary forms, with or without
> >>+ *   modification, are permitted provided that the following conditions
> >>+ *   are met:
> >>+ *
> >>+ *     * Redistributions of source code must retain the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer.
> >>+ *     * Redistributions in binary form must reproduce the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer in
> >>+ *       the documentation and/or other materials provided with the
> >>+ *       distribution.
> >>+ *     * Neither the name of Intel Corporation nor the names of its
> >>+ *       contributors may be used to endorse or promote products derived
> >>+ *       from this software without specific prior written permission.
> >>+ *
> >>+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+ */
> >>+
> >>+/*
> >>+ * Routing Table (RT)
> >>+ */
> >>+#include <rte_lpm.h>
> >>+#include <rte_errno.h>
> >>+
> >>+#include "ipsec.h"
> >>+
> >>+#define RT_IPV4_MAX_RULES         64
> >>+
> >>+struct ipv4_route {
> >>+	uint32_t ip;
> >>+	uint8_t  depth;
> >>+	uint8_t  if_out;
> >>+};
> >>+
> >>+/* In the default routing table we have:
> >>+ * ep0 protected ports 0 and 1, and unprotected ports 2 and 3.
> >>+ */
> >>+static struct ipv4_route rt_ipv4_ep0[] = {
> >>+	{ IPv4(172, 16, 2, 5), 32, 0 },
> >>+	{ IPv4(172, 16, 2, 6), 32, 0 },
> >>+	{ IPv4(172, 16, 2, 7), 32, 1 },
> >>+	{ IPv4(172, 16, 2, 8), 32, 1 },
> >>+
> >>+	{ IPv4(192, 168, 115, 0), 24, 2 },
> >>+	{ IPv4(192, 168, 116, 0), 24, 2 },
> >>+	{ IPv4(192, 168, 117, 0), 24, 3 },
> >>+	{ IPv4(192, 168, 118, 0), 24, 3 }
> >>+};
> >>+
> >>+/* In the default routing table we have:
> >>+ * ep1 protected ports 0 and 1, and unprotected ports 2 and 3.
> >>+ */
> >>+static struct ipv4_route rt_ipv4_ep1[] = {
> >>+	{ IPv4(172, 16, 1, 5), 32, 2 },
> >>+	{ IPv4(172, 16, 1, 6), 32, 2 },
> >>+	{ IPv4(172, 16, 1, 7), 32, 3 },
> >>+	{ IPv4(172, 16, 1, 8), 32, 3 },
> >>+
> >>+	{ IPv4(192, 168, 105, 0), 24, 0 },
> >>+	{ IPv4(192, 168, 106, 0), 24, 0 },
> >>+	{ IPv4(192, 168, 107, 0), 24, 1 },
> >>+	{ IPv4(192, 168, 108, 0), 24, 1 }
> >>+};
> >>+
> >>+void
> >>+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
> >>+{
> >>+	char name[PATH_MAX];
> >>+	unsigned i;
> >>+	int ret;
> >>+	struct rte_lpm *lpm;
> >>+	struct ipv4_route *rt;
> >>+	char a, b, c, d;
> >>+	unsigned nb_routes;
> >>+
> >>+	if (ctx == NULL)
> >>+		rte_exit(EXIT_FAILURE, "NULL context.\n");
> >>+
> >>+	if (ctx->rt_ipv4 != NULL)
> >>+		rte_exit(EXIT_FAILURE, "Routing Table for socket %u already "
> >>+			"initialized\n", socket_id);
> >>+
> >>+	printf("Creating Routing Table (RT) context with %u max routes\n",
> >>+			RT_IPV4_MAX_RULES);
> >>+
> >>+	if (ep == 0) {
> >>+		rt = rt_ipv4_ep0;
> >>+		nb_routes = RTE_DIM(rt_ipv4_ep0);
> >>+	} else if (ep == 1) {
> >>+		rt = rt_ipv4_ep1;
> >>+		nb_routes = RTE_DIM(rt_ipv4_ep1);
> >>+	} else
> >>+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 "
> >>+			"supported.\n", ep);
> >>+
> >>+	/* create the LPM table */
> >>+	snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id);
> >>+	lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0);
> >>+	if (lpm == NULL)
> >>+		rte_exit(EXIT_FAILURE, "Unable to create LPM table "
> >>+			"on socket %d\n", socket_id);
> >>+
> >>+	/* populate the LPM table */
> >>+	for (i = 0; i < nb_routes; i++) {
> >>+		ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out);
> >>+		if (ret < 0)
> >>+			rte_exit(EXIT_FAILURE, "Unable to add entry num %u to "
> >>+				"LPM table on socket %d\n", i, socket_id);
> >>+
> >>+		uint32_t_to_char(rt[i].ip, &a, &b, &c, &d);
> >>+		printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n",
> >>+				a, b, c, d, rt[i].depth, rt[i].if_out);
> >>+	}
> >>+
> >>+	ctx->rt_ipv4 = (struct rt_ctx *)lpm;
> >>+}
> >>diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> >>new file mode 100644
> >>index 0000000..5ea7592
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/sa.c
> >>@@ -0,0 +1,391 @@
> >>+/*-
> >>+ *   BSD LICENSE
> >>+ *
> >>+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+ *   All rights reserved.
> >>+ *
> >>+ *   Redistribution and use in source and binary forms, with or without
> >>+ *   modification, are permitted provided that the following conditions
> >>+ *   are met:
> >>+ *
> >>+ *     * Redistributions of source code must retain the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer.
> >>+ *     * Redistributions in binary form must reproduce the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer in
> >>+ *       the documentation and/or other materials provided with the
> >>+ *       distribution.
> >>+ *     * Neither the name of Intel Corporation nor the names of its
> >>+ *       contributors may be used to endorse or promote products derived
> >>+ *       from this software without specific prior written permission.
> >>+ *
> >>+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+ */
> >>+
> >>+/*
> >>+ * Security Associations
> >>+ */
> >>+#include <netinet/ip.h>
> >>+
> >>+#include <rte_memzone.h>
> >>+#include <rte_crypto.h>
> >>+#include <rte_cryptodev.h>
> >>+#include <rte_byteorder.h>
> >>+#include <rte_errno.h>
> >>+
> >>+#include "ipsec.h"
> >>+#include "esp.h"
> >>+
> >>+/* SAs EP0 Outbound */
> >>+const struct ipsec_sa sa_ep0_out[] = {
> >>+	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_outbound_pre_crypto,
> >>+		esp4_tunnel_outbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_outbound_pre_crypto,
> >>+		esp4_tunnel_outbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_outbound_pre_crypto,
> >>+		esp4_tunnel_outbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >IMO, a SA with NULL crypto (rfc2410) operation will be useful for ESP
> >packet processing debugging and measuring the performance impact with
> >the crypto block in fast path.
> >
> 
> I couldn't agree more.
> 
> I'll add support for NULL crypto in the app with dependency on previously
> mentioned cryptodev capabilities patch set and:
> http://dpdk.org/ml/archives/dev/2016-January/032458.html
> 
> Sergio
> 
> >>+		12, 16, 16,
> >>+		esp4_tunnel_outbound_pre_crypto,
> >>+		esp4_tunnel_outbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
> >>+};
> >>+
> >>+/* SAs EP0 Inbound */
> >>+const struct ipsec_sa sa_ep0_in[] = {
> >>+	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_inbound_pre_crypto,
> >>+		esp4_tunnel_inbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_inbound_pre_crypto,
> >>+		esp4_tunnel_inbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_inbound_pre_crypto,
> >>+		esp4_tunnel_inbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_inbound_pre_crypto,
> >>+		esp4_tunnel_inbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
> >>+};
> >>+
> >>+/* SAs EP1 Outbound */
> >>+const struct ipsec_sa sa_ep1_out[] = {
> >>+	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_outbound_pre_crypto,
> >>+		esp4_tunnel_outbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_outbound_pre_crypto,
> >>+		esp4_tunnel_outbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_outbound_pre_crypto,
> >>+		esp4_tunnel_outbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_outbound_pre_crypto,
> >>+		esp4_tunnel_outbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
> >>+};
> >>+
> >>+/* SAs EP1 Inbound */
> >>+const struct ipsec_sa sa_ep1_in[] = {
> >>+	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_inbound_pre_crypto,
> >>+		esp4_tunnel_inbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_inbound_pre_crypto,
> >>+		esp4_tunnel_inbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_inbound_pre_crypto,
> >>+		esp4_tunnel_inbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } },
> >>+	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
> >>+		NULL, NULL,
> >>+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		12, 16, 16,
> >>+		esp4_tunnel_inbound_pre_crypto,
> >>+		esp4_tunnel_inbound_post_crypto,
> >>+		0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }
> >>+};
> >>+
> >>+static uint8_t cipher_key[256] = "sixteenbytes key";
> >>+
> >>+/* AES CBC xform */
> >>+const struct rte_crypto_xform aescbc_enc_xf = {
> >>+	NULL,
> >>+	RTE_CRYPTO_XFORM_CIPHER,
> >>+	.cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
> >>+		.key = { cipher_key, 0, 16 } }
> >>+};
> >>+
> >>+const struct rte_crypto_xform aescbc_dec_xf = {
> >>+	NULL,
> >>+	RTE_CRYPTO_XFORM_CIPHER,
> >>+	.cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
> >>+		.key = { cipher_key, 0, 16 } }
> >>+};
> >>+
> >>+static uint8_t auth_key[256] = "twentybytes hash key";
> >>+
> >>+/* SHA1 HMAC xform */
> >>+const struct rte_crypto_xform sha1hmac_gen_xf = {
> >>+	NULL,
> >>+	RTE_CRYPTO_XFORM_AUTH,
> >>+	.auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		.key = { auth_key, 0, 20 }, 12, 0 }
> >>+};
> >>+
> >>+const struct rte_crypto_xform sha1hmac_verify_xf = {
> >>+	NULL,
> >>+	RTE_CRYPTO_XFORM_AUTH,
> >>+	.auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC,
> >>+		.key = { auth_key, 0, 20 }, 12, 0 }
> >>+};
> >>+
> >>+struct sa_ctx {
> >>+	struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES];
> >>+	struct {
> >>+		struct rte_crypto_xform a;
> >>+		struct rte_crypto_xform b;
> >>+	} xf[IPSEC_SA_MAX_ENTRIES];
> >>+};
> >>+
> >>+static struct sa_ctx *
> >>+sa_ipv4_create(const char *name, int socket_id)
> >>+{
> >>+	char s[PATH_MAX];
> >>+	struct sa_ctx *sa_ctx;
> >>+	unsigned mz_size;
> >>+	const struct rte_memzone *mz;
> >>+
> >>+	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
> >>+
> >>+	/* Create SA array table */
> >>+	printf("Creating SA context with %u maximum entries\n",
> >>+			IPSEC_SA_MAX_ENTRIES);
> >>+
> >>+	mz_size = sizeof(struct sa_ctx);
> >>+	mz = rte_memzone_reserve(s, mz_size, socket_id,
> >>+			RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
> >>+	if (mz == NULL) {
> >>+		printf("Failed to allocate SA DB memory\n");
> >>+		rte_errno = -ENOMEM;
> >>+		return NULL;
> >>+	}
> >>+
> >>+	sa_ctx = (struct sa_ctx *)mz->addr;
> >>+
> >>+	return sa_ctx;
> >>+}
> >>+
> >>+static int
> >>+sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> >>+		unsigned nb_entries, uint16_t cdev_id, unsigned inbound)
> >>+{
> >>+	struct ipsec_sa *sa;
> >>+	unsigned i, idx;
> >>+
> >>+	for (i = 0; i < nb_entries; i++) {
> >>+		idx = SPI2IDX(entries[i].spi);
> >>+		sa = &sa_ctx->sa[idx];
> >>+		if (sa->spi != 0) {
> >>+			printf("Index %u already in use by SPI %u\n",
> >>+					idx, sa->spi);
> >>+			return -EINVAL;
> >>+		}
> >>+		*sa = entries[i];
> >>+		sa->src = rte_cpu_to_be_32(sa->src);
> >>+		sa->dst = rte_cpu_to_be_32(sa->dst);
> >>+		if (inbound) {
> >>+			sa_ctx->xf[idx].a = sha1hmac_verify_xf;
> >>+			sa_ctx->xf[idx].b = aescbc_dec_xf;
> >>+		} else { /* outbound */
> >>+			sa_ctx->xf[idx].a = aescbc_enc_xf;
> >>+			sa_ctx->xf[idx].b = sha1hmac_gen_xf;
> >>+		}
> >>+		sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
> >>+		sa_ctx->xf[idx].b.next = NULL;
> >>+		sa->xforms = &sa_ctx->xf[idx].a;
> >>+
> >>+		sa->crypto_session = rte_cryptodev_session_create(cdev_id,
> >>+				sa->xforms);
> >>+	}
> >>+
> >>+	return 0;
> >>+}
> >>+
> >>+static inline int
> >>+sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> >>+		unsigned nb_entries, uint16_t cdev_id)
> >>+{
> >>+	return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0);
> >>+}
> >>+
> >>+static inline int
> >>+sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
> >>+		unsigned nb_entries, uint16_t cdev_id)
> >>+{
> >>+	return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1);
> >>+}
> >>+
> >>+void
> >>+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id)
> >>+{
> >>+	const struct ipsec_sa *sa_out_entries, *sa_in_entries;
> >>+	unsigned nb_out_entries, nb_in_entries;
> >>+	const char *name;
> >>+
> >>+	if (ctx == NULL)
> >>+		rte_exit(EXIT_FAILURE, "NULL context.\n");
> >>+
> >>+	if (ctx->sa_ipv4_in != NULL)
> >>+		rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already "
> >>+				"initialized\n", socket_id);
> >>+
> >>+	if (ctx->sa_ipv4_out != NULL)
> >>+		rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already "
> >>+				"initialized\n", socket_id);
> >>+
> >>+	if (ep == 0) {
> >>+		sa_out_entries = sa_ep0_out;
> >>+		nb_out_entries = RTE_DIM(sa_ep0_out);
> >>+		sa_in_entries = sa_ep0_in;
> >>+		nb_in_entries = RTE_DIM(sa_ep0_in);
> >>+	} else if (ep == 1) {
> >>+		sa_out_entries = sa_ep1_out;
> >>+		nb_out_entries = RTE_DIM(sa_ep1_out);
> >>+		sa_in_entries = sa_ep1_in;
> >>+		nb_in_entries = RTE_DIM(sa_ep1_in);
> >>+	} else
> >>+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
> >>+				"Only 0 or 1 supported.\n", ep);
> >>+
> >>+	name = "sa_ipv4_in";
> >>+	ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id);
> >>+	if (ctx->sa_ipv4_in == NULL)
> >>+		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
> >>+				"in socket %d\n", rte_errno, name, socket_id);
> >>+
> >>+	name = "sa_ipv4_out";
> >>+	ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id);
> >>+	if (ctx->sa_ipv4_out == NULL)
> >>+		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
> >>+				"in socket %d\n", rte_errno, name, socket_id);
> >>+
> >>+	sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries,
> >>+			nb_in_entries, cdev_id);
> >>+
> >>+	sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries,
> >>+			nb_out_entries, cdev_id);
> >>+}
> >>+
> >>+int
> >>+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx)
> >>+{
> >>+	struct ipsec_mbuf_metadata *priv;
> >>+
> >>+	priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
> >>+
> >>+	return (sa_ctx->sa[sa_idx].spi == priv->sa->spi);
> >>+}
> >>+
> >>+void
> >>+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
> >>+		struct ipsec_sa *sa[], uint16_t nb_pkts)
> >>+{
> >>+	unsigned i;
> >>+	uint32_t *src, spi;
> >>+
> >>+	for (i = 0; i < nb_pkts; i++) {
> >>+		spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *,
> >>+				sizeof(struct ip))->spi;
> >>+		if (spi == INVALID_SPI)
> >>+			continue;
> >>+
> >>+		sa[i] = &sa_ctx->sa[SPI2IDX(spi)];
> >>+		if (spi != sa[i]->spi) {
> >>+			sa[i] = NULL;
> >>+			continue;
> >>+		}
> >>+
> >>+		src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *,
> >>+				offsetof(struct ip, ip_src));
> >>+		if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1)))
> >>+			sa[i] = NULL;
> >>+	}
> >>+}
> >>+
> >>+void
> >>+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
> >>+		struct ipsec_sa *sa[], uint16_t nb_pkts)
> >>+{
> >>+	unsigned i;
> >>+
> >>+	for (i = 0; i < nb_pkts; i++)
> >>+		sa[i] = &sa_ctx->sa[sa_idx[i]];
> >>+}
> >>diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c
> >>new file mode 100644
> >>index 0000000..219e478
> >>--- /dev/null
> >>+++ b/examples/ipsec-secgw/sp.c
> >>@@ -0,0 +1,324 @@
> >>+/*-
> >>+ *   BSD LICENSE
> >>+ *
> >>+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> >>+ *   All rights reserved.
> >>+ *
> >>+ *   Redistribution and use in source and binary forms, with or without
> >>+ *   modification, are permitted provided that the following conditions
> >>+ *   are met:
> >>+ *
> >>+ *     * Redistributions of source code must retain the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer.
> >>+ *     * Redistributions in binary form must reproduce the above copyright
> >>+ *       notice, this list of conditions and the following disclaimer in
> >>+ *       the documentation and/or other materials provided with the
> >>+ *       distribution.
> >>+ *     * Neither the name of Intel Corporation nor the names of its
> >>+ *       contributors may be used to endorse or promote products derived
> >>+ *       from this software without specific prior written permission.
> >>+ *
> >>+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> >>+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> >>+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> >>+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> >>+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> >>+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> >>+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> >>+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> >>+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> >>+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> >>+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>+ */
> >>+
> >>+/*
> >>+ * Security Policies
> >>+ */
> >>+#include <netinet/ip.h>
> >>+
> >>+#include <rte_acl.h>
> >>+
> >>+#include "ipsec.h"
> >>+
> >>+#define MAX_ACL_RULE_NUM	1000
> >>+
> >>+/*
> >>+ * Rule and trace formats definitions.
> >>+ */
> >>+enum {
> >>+	PROTO_FIELD_IPV4,
> >>+	SRC_FIELD_IPV4,
> >>+	DST_FIELD_IPV4,
> >>+	SRCP_FIELD_IPV4,
> >>+	DSTP_FIELD_IPV4,
> >>+	NUM_FIELDS_IPV4
> >>+};
> >>+
> >>+/*
> >>+ * That effectively defines order of IPV4 classifications:
> >>+ *  - PROTO
> >>+ *  - SRC IP ADDRESS
> >>+ *  - DST IP ADDRESS
> >>+ *  - PORTS (SRC and DST)
> >>+ */
> >>+enum {
> >>+	RTE_ACL_IPV4_PROTO,
> >>+	RTE_ACL_IPV4_SRC,
> >>+	RTE_ACL_IPV4_DST,
> >>+	RTE_ACL_IPV4_PORTS,
> >>+	RTE_ACL_IPV4_NUM
> >>+};
> >>+
> >>+struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
> >>+	{
> >>+	.type = RTE_ACL_FIELD_TYPE_BITMASK,
> >>+	.size = sizeof(uint8_t),
> >>+	.field_index = PROTO_FIELD_IPV4,
> >>+	.input_index = RTE_ACL_IPV4_PROTO,
> >>+	.offset = 0,
> >>+	},
> >>+	{
> >>+	.type = RTE_ACL_FIELD_TYPE_MASK,
> >>+	.size = sizeof(uint32_t),
> >>+	.field_index = SRC_FIELD_IPV4,
> >>+	.input_index = RTE_ACL_IPV4_SRC,
> >>+	.offset = offsetof(struct ip, ip_src) -	offsetof(struct ip, ip_p)
> >>+	},
> >>+	{
> >>+	.type = RTE_ACL_FIELD_TYPE_MASK,
> >>+	.size = sizeof(uint32_t),
> >>+	.field_index = DST_FIELD_IPV4,
> >>+	.input_index = RTE_ACL_IPV4_DST,
> >>+	.offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
> >>+	},
> >>+	{
> >>+	.type = RTE_ACL_FIELD_TYPE_RANGE,
> >>+	.size = sizeof(uint16_t),
> >>+	.field_index = SRCP_FIELD_IPV4,
> >>+	.input_index = RTE_ACL_IPV4_PORTS,
> >>+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
> >>+	},
> >>+	{
> >>+	.type = RTE_ACL_FIELD_TYPE_RANGE,
> >>+	.size = sizeof(uint16_t),
> >>+	.field_index = DSTP_FIELD_IPV4,
> >>+	.input_index = RTE_ACL_IPV4_PORTS,
> >>+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
> >>+		sizeof(uint16_t)
> >>+	},
> >>+};
> >>+
> >>+RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs));
> >>+
> >>+const struct acl4_rules acl4_rules_in[] = {
> >>+	{
> >>+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
> >>+	/* destination IPv4 */
> >>+	.field[2] = {.value.u32 = IPv4(192, 168, 105, 0),
> >>+				.mask_range.u32 = 24,},
> >>+	/* source port */
> >>+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> >>+	/* destination port */
> >>+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> >>+	},
> >>+	{
> >>+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
> >>+	/* destination IPv4 */
> >>+	.field[2] = {.value.u32 = IPv4(192, 168, 106, 0),
> >>+				.mask_range.u32 = 24,},
> >>+	/* source port */
> >>+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> >>+	/* destination port */
> >>+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> >>+	},
> >>+	{
> >>+	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
> >>+	/* destination IPv4 */
> >>+	.field[2] = {.value.u32 = IPv4(192, 168, 107, 0),
> >>+				.mask_range.u32 = 24,},
> >>+	/* source port */
> >>+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> >>+	/* destination port */
> >>+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> >>+	},
> >>+	{
> >>+	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
> >>+	/* destination IPv4 */
> >>+	.field[2] = {.value.u32 = IPv4(192, 168, 108, 0),
> >>+				.mask_range.u32 = 24,},
> >>+	/* source port */
> >>+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> >>+	/* destination port */
> >>+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> >>+	}
> >>+};
> >>+
> >>+const struct acl4_rules acl4_rules_out[] = {
> >>+	{
> >>+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
> >>+	/* destination IPv4 */
> >>+	.field[2] = {.value.u32 = IPv4(192, 168, 115, 0),
> >>+				.mask_range.u32 = 24,},
> >>+	/* source port */
> >>+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> >>+	/* destination port */
> >>+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> >>+	},
> >>+	{
> >>+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
> >>+	/* destination IPv4 */
> >>+	.field[2] = {.value.u32 = IPv4(192, 168, 116, 0),
> >>+				.mask_range.u32 = 24,},
> >>+	/* source port */
> >>+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> >>+	/* destination port */
> >>+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> >>+	},
> >>+	{
> >>+	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
> >>+	/* destination IPv4 */
> >>+	.field[2] = {.value.u32 = IPv4(192, 168, 117, 0),
> >>+				.mask_range.u32 = 24,},
> >>+	/* source port */
> >>+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> >>+	/* destination port */
> >>+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> >>+	},
> >>+	{
> >>+	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
> >>+	/* destination IPv4 */
> >>+	.field[2] = {.value.u32 = IPv4(192, 168, 118, 0),
> >>+				.mask_range.u32 = 24,},
> >>+	/* source port */
> >>+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
> >>+	/* destination port */
> >>+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
> >>+	}
> >>+};
> >>+
> >>+static void
> >>+print_one_ipv4_rule(const struct acl4_rules *rule, int extra)
> >>+{
> >>+	unsigned char a, b, c, d;
> >>+
> >>+	uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
> >>+			&a, &b, &c, &d);
> >>+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
> >>+			rule->field[SRC_FIELD_IPV4].mask_range.u32);
> >>+	uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
> >>+			&a, &b, &c, &d);
> >>+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
> >>+			rule->field[DST_FIELD_IPV4].mask_range.u32);
> >>+	printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
> >>+		rule->field[SRCP_FIELD_IPV4].value.u16,
> >>+		rule->field[SRCP_FIELD_IPV4].mask_range.u16,
> >>+		rule->field[DSTP_FIELD_IPV4].value.u16,
> >>+		rule->field[DSTP_FIELD_IPV4].mask_range.u16,
> >>+		rule->field[PROTO_FIELD_IPV4].value.u8,
> >>+		rule->field[PROTO_FIELD_IPV4].mask_range.u8);
> >>+	if (extra)
> >>+		printf("0x%x-0x%x-0x%x ",
> >>+			rule->data.category_mask,
> >>+			rule->data.priority,
> >>+			rule->data.userdata);
> >>+}
> >>+
> >>+static inline void
> >>+dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra)
> >>+{
> >>+	int i;
> >>+
> >>+	for (i = 0; i < num; i++, rule++) {
> >>+		printf("\t%d:", i + 1);
> >>+		print_one_ipv4_rule(rule, extra);
> >>+		printf("\n");
> >>+	}
> >>+}
> >>+
> >>+static struct rte_acl_ctx *
> >>+acl4_init(const char *name, int socketid, const struct acl4_rules *rules,
> >>+		unsigned rules_nb)
> >>+{
> >>+	char s[PATH_MAX];
> >>+	struct rte_acl_param acl_param;
> >>+	struct rte_acl_config acl_build_param;
> >>+	struct rte_acl_ctx *ctx;
> >>+
> >>+	printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
> >>+
> >>+	memset(&acl_param, 0, sizeof(acl_param));
> >>+
> >>+	/* Create ACL contexts */
> >>+	snprintf(s, sizeof(s), "%s_%d", name, socketid);
> >>+
> >>+	printf("IPv4 %s entries [%u]:\n", s, rules_nb);
> >>+	dump_ipv4_rules(rules, rules_nb, 1);
> >>+
> >>+	acl_param.name = s;
> >>+	acl_param.socket_id = socketid;
> >>+	acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs));
> >>+	acl_param.max_rule_num = MAX_ACL_RULE_NUM;
> >>+
> >>+	ctx = rte_acl_create(&acl_param);
> >>+	if (ctx == NULL)
> >>+		rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
> >>+
> >>+	if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
> >>+				rules_nb) < 0)
> >>+		rte_exit(EXIT_FAILURE, "add rules failed\n");
> >>+
> >>+	/* Perform builds */
> >>+	memset(&acl_build_param, 0, sizeof(acl_build_param));
> >>+
> >>+	acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
> >>+	acl_build_param.num_fields = rules_nb;
> >>+	memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs));
> >>+
> >>+	if (rte_acl_build(ctx, &acl_build_param) != 0)
> >>+		rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
> >>+
> >>+	rte_acl_dump(ctx);
> >>+
> >>+	return ctx;
> >>+}
> >>+
> >>+void
> >>+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
> >>+{
> >>+	const char *name;
> >>+	const struct acl4_rules *rules_out, *rules_in;
> >>+	unsigned nb_out_rules, nb_in_rules;
> >>+
> >>+	if (ctx == NULL)
> >>+		rte_exit(EXIT_FAILURE, "NULL context.\n");
> >>+
> >>+	if (ctx->sp_ipv4_in != NULL)
> >>+		rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
> >>+				"initialized\n", socket_id);
> >>+
> >>+	if (ctx->sp_ipv4_out != NULL)
> >>+		rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
> >>+				"initialized\n", socket_id);
> >>+
> >>+	if (ep == 0) {
> >>+		rules_out = acl4_rules_in;
> >>+		nb_out_rules = RTE_DIM(acl4_rules_in);
> >>+		rules_in = acl4_rules_out;
> >>+		nb_in_rules = RTE_DIM(acl4_rules_out);
> >>+	} else if (ep == 1) {
> >>+		rules_out = acl4_rules_out;
> >>+		nb_out_rules = RTE_DIM(acl4_rules_out);
> >>+		rules_in = acl4_rules_in;
> >>+		nb_in_rules = RTE_DIM(acl4_rules_in);
> >>+	} else
> >>+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
> >>+				"Only 0 or 1 supported.\n", ep);
> >>+
> >>+	name = "sp_ipv4_in";
> >>+	ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id,
> >>+			rules_in, nb_in_rules);
> >>+
> >>+	name = "sp_ipv4_out";
> >>+	ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id,
> >>+			rules_out, nb_out_rules);
> >>+}
> >>-- 
> >>2.4.3
> >>
> 

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
  2016-02-01 11:26     ` Jerin Jacob
@ 2016-02-01 14:09       ` Thomas Monjalon
  2016-03-09 23:54       ` Sergio Gonzalez Monroy
  1 sibling, 0 replies; 15+ messages in thread
From: Thomas Monjalon @ 2016-02-01 14:09 UTC (permalink / raw)
  To: Jerin Jacob, Sergio Gonzalez Monroy; +Cc: dev

2016-02-01 16:56, Jerin Jacob:
> On Mon, Feb 01, 2016 at 11:09:16AM +0000, Sergio Gonzalez Monroy wrote:
> > On 31/01/2016 14:39, Jerin Jacob wrote:
[...]

Please guys, strip the unneeded content.
Thanks

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
  2016-01-29 20:29 [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway Sergio Gonzalez Monroy
  2016-01-31 14:39 ` Jerin Jacob
@ 2016-02-24 13:32 ` Thomas Monjalon
  2016-02-24 14:49   ` Sergio Gonzalez Monroy
  2016-03-11  1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy
  2 siblings, 1 reply; 15+ messages in thread
From: Thomas Monjalon @ 2016-02-24 13:32 UTC (permalink / raw)
  To: Sergio Gonzalez Monroy; +Cc: dev

Hi,

2016-01-29 20:29, Sergio Gonzalez Monroy:
> Sample app implementing an IPsec Security Geteway.
> The main goal of this app is to show the use of cryptodev framework
> in a real world application.
> 
> Currently only supported static IPv4 IPsec tunnels using AES-CBC
> and HMAC-SHA1.
> 
> Also, currently not supported:
> - SA auto negotiation (No IKE support)
> - chained mbufs

Is 32-bit arch supported?

I see this error:
error: left shift count >= width of type [-Werror=shift-count-overflow]
   (ethhdr[1] & (0xffffUL << 48));

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
  2016-02-24 13:32 ` Thomas Monjalon
@ 2016-02-24 14:49   ` Sergio Gonzalez Monroy
  0 siblings, 0 replies; 15+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-02-24 14:49 UTC (permalink / raw)
  To: Thomas Monjalon; +Cc: dev

On 24/02/2016 13:32, Thomas Monjalon wrote:
> Hi,
>
> 2016-01-29 20:29, Sergio Gonzalez Monroy:
>> Sample app implementing an IPsec Security Geteway.
>> The main goal of this app is to show the use of cryptodev framework
>> in a real world application.
>>
>> Currently only supported static IPv4 IPsec tunnels using AES-CBC
>> and HMAC-SHA1.
>>
>> Also, currently not supported:
>> - SA auto negotiation (No IKE support)
>> - chained mbufs
> Is 32-bit arch supported?

It's meant to.

I'll fix it in next version.

Sergio
> I see this error:
> error: left shift count >= width of type [-Werror=shift-count-overflow]
>     (ethhdr[1] & (0xffffUL << 48));
>
>

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
  2016-02-01 11:26     ` Jerin Jacob
  2016-02-01 14:09       ` Thomas Monjalon
@ 2016-03-09 23:54       ` Sergio Gonzalez Monroy
  2016-03-10  3:41         ` Jerin Jacob
  1 sibling, 1 reply; 15+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-03-09 23:54 UTC (permalink / raw)
  To: Jerin Jacob; +Cc: dev

On 01/02/2016 11:26, Jerin Jacob wrote:
> On Mon, Feb 01, 2016 at 11:09:16AM +0000, Sergio Gonzalez Monroy wrote:
>> On 31/01/2016 14:39, Jerin Jacob wrote:
>>> On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote:
>>>

>>> IMO, an option for single SA based outbound processing would be useful
>>> measuring performance bottlenecks with SA lookup.
>>>
>> Hi Jerin,
>>
>> Are you suggesting to have an option so we basically encrypt all traffic
>> using
>> a single SA bypassing the SP/ACL ?
> Yes. Basicaly an option to bypass  "rte_acl_classify" if its for single
> SA use case.
>
>

Hi Jerin,

After re-reading your comment regarding the single SA I just want to 
double check
that I understood correctly what you were suggesting.

Basically an option that we can provide a single SA to use for outbound,
skipping rte_acl_classify in outbound path.
That same option would also skip rte_acl_classify in inbound path 
without checking
that we accept specific traffic for an SA.

Is that correct?

Sergio

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway
  2016-03-09 23:54       ` Sergio Gonzalez Monroy
@ 2016-03-10  3:41         ` Jerin Jacob
  0 siblings, 0 replies; 15+ messages in thread
From: Jerin Jacob @ 2016-03-10  3:41 UTC (permalink / raw)
  To: Sergio Gonzalez Monroy; +Cc: dev

On Wed, Mar 09, 2016 at 11:54:50PM +0000, Sergio Gonzalez Monroy wrote:
> On 01/02/2016 11:26, Jerin Jacob wrote:
> >On Mon, Feb 01, 2016 at 11:09:16AM +0000, Sergio Gonzalez Monroy wrote:
> >>On 31/01/2016 14:39, Jerin Jacob wrote:
> >>>On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote:
> >>>
> 
> >>>IMO, an option for single SA based outbound processing would be useful
> >>>measuring performance bottlenecks with SA lookup.
> >>>
> >>Hi Jerin,
> >>
> >>Are you suggesting to have an option so we basically encrypt all traffic
> >>using
> >>a single SA bypassing the SP/ACL ?
> >Yes. Basicaly an option to bypass  "rte_acl_classify" if its for single
> >SA use case.
> >
> >
> 
> Hi Jerin,
> 
> After re-reading your comment regarding the single SA I just want to double
> check
> that I understood correctly what you were suggesting.
> 
> Basically an option that we can provide a single SA to use for outbound,
> skipping rte_acl_classify in outbound path.
> That same option would also skip rte_acl_classify in inbound path without
> checking
> that we accept specific traffic for an SA.
> 
> Is that correct?

Yes

> 
> Sergio

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [dpdk-dev] [PATCH v2] example/ipsec-secgw: ipsec security gateway
  2016-01-29 20:29 [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway Sergio Gonzalez Monroy
  2016-01-31 14:39 ` Jerin Jacob
  2016-02-24 13:32 ` Thomas Monjalon
@ 2016-03-11  1:38 ` Sergio Gonzalez Monroy
  2016-03-11  2:12   ` De Lara Guarch, Pablo
  2016-03-11  2:12   ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy
  2 siblings, 2 replies; 15+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-03-11  1:38 UTC (permalink / raw)
  To: dev

Sample app implementing an IPsec Security Geteway.
The main goal of this app is to show the use of cryptodev framework
in a "real world" application.

Currently only supported static IPv4 ESP IPsec tunnels for the following
algorithms:
- Cipher: AES-CBC, NULL
- Authentication: HMAC-SHA1, NULL

Not supported:
- SA auto negotiation (No IKE implementation)
- chained mbufs

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
---

v2:
 - Update to use new cryptodev API
 - NULL PMD support
   * dependency on "null_crypto_pmd: PMD to support null crypto operations"
   http://dpdk.org/dev/patchwork/patch/11428/
 - Added --single-sa option to bypass SP/ACL
 - Removed option for QAT/AESNI and instead expects vdev to be created
   through EAL with command line options.
   * dependency on "cryptodev: add capabilities discovery mechanism"
   http://dpdk.org/dev/patchwork/patch/11434/
 - fixed inbound traffic bug
 - fixed bug with single core bi-directional traffic (inbound and outbound)

 MAINTAINERS                              |    4 +
 doc/guides/rel_notes/release_16_04.rst   |    3 +
 doc/guides/sample_app_ug/index.rst       |    1 +
 doc/guides/sample_app_ug/ipsec_secgw.rst |  524 ++++++++++++
 examples/Makefile                        |    2 +
 examples/ipsec-secgw/Makefile            |   58 ++
 examples/ipsec-secgw/esp.c               |  250 ++++++
 examples/ipsec-secgw/esp.h               |   66 ++
 examples/ipsec-secgw/ipip.h              |  103 +++
 examples/ipsec-secgw/ipsec-secgw.c       | 1360 ++++++++++++++++++++++++++++++
 examples/ipsec-secgw/ipsec.c             |  203 +++++
 examples/ipsec-secgw/ipsec.h             |  192 +++++
 examples/ipsec-secgw/rt.c                |  144 ++++
 examples/ipsec-secgw/sa.c                |  438 ++++++++++
 examples/ipsec-secgw/sp.c                |  364 ++++++++
 15 files changed, 3712 insertions(+)
 create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst
 create mode 100644 examples/ipsec-secgw/Makefile
 create mode 100644 examples/ipsec-secgw/esp.c
 create mode 100644 examples/ipsec-secgw/esp.h
 create mode 100644 examples/ipsec-secgw/ipip.h
 create mode 100644 examples/ipsec-secgw/ipsec-secgw.c
 create mode 100644 examples/ipsec-secgw/ipsec.c
 create mode 100644 examples/ipsec-secgw/ipsec.h
 create mode 100644 examples/ipsec-secgw/rt.c
 create mode 100644 examples/ipsec-secgw/sa.c
 create mode 100644 examples/ipsec-secgw/sp.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 2ad628e..8564403 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -616,3 +616,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst
 M: Pablo de Lara <pablo.de.lara.guarch@intel.com>
 M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
 F: examples/ptpclient/
+
+M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
+F: doc/guides/sample_app_ug/ipsec-secgw.rst
+F: examples/ipsec-secgw/
diff --git a/doc/guides/rel_notes/release_16_04.rst b/doc/guides/rel_notes/release_16_04.rst
index f69feac..c3fb18a 100644
--- a/doc/guides/rel_notes/release_16_04.rst
+++ b/doc/guides/rel_notes/release_16_04.rst
@@ -148,6 +148,9 @@ Examples
   vhost-switch often fails to allocate mbuf when dequeue from vring because it
   wrongly calculates the number of mbufs needed.
 
+* **examples/ipsec-secgw: ipsec security gateway**
+
+  New application implementing an IPsec Security Gateway.
 
 Other
 ~~~~~
diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst
index 8a646dd..88375d2 100644
--- a/doc/guides/sample_app_ug/index.rst
+++ b/doc/guides/sample_app_ug/index.rst
@@ -73,6 +73,7 @@ Sample Applications User Guide
     proc_info
     ptpclient
     performance_thread
+    ipsec_secgw
 
 **Figures**
 
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
new file mode 100644
index 0000000..bc41ea8
--- /dev/null
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -0,0 +1,524 @@
+..  BSD LICENSE
+    Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions
+    are met:
+
+    * Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+    * Neither the name of Intel Corporation nor the names of its
+    contributors may be used to endorse or promote products derived
+    from this software without specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+IPsec Security Gateway Sample Application
+=========================================
+
+The IPsec Security Gateway application is an example of a "real world"
+application using DPDK cryptodev framework.
+
+Overview
+--------
+
+The application demonstrates the implementation of a Security Gateway
+(not IPsec compliant, see Constraints bellow) using DPDK based on RFC4301,
+RFC4303, RFC3602 and RFC2404.
+
+Internet Key Exchange (IKE) is not implemented, so only manual setting of
+Security Policies and Security Associations is supported.
+
+The Security Policies (SP) are implemented as ACL rules, the Security
+Associations (SA) are stored in a table and the Routing is implemented
+using LPM.
+
+The application classify the ports between Protected and Unprotected.
+Thus, traffic received in an Unprotected or Protected port is consider
+Inbound or Outbound respectively.
+
+Path for IPsec Inbound traffic:
+
+*  Read packets from the port
+*  Classify packets between IPv4 and ESP.
+*  Inbound SA lookup for ESP packets based on their SPI
+*  Verification/Decryption
+*  Removal of ESP and outer IP header
+*  Inbound SP check using ACL of decrypted packets and any other IPv4 packet
+   we read.
+*  Routing
+*  Write packet to port
+
+Path for IPsec Outbound traffic:
+
+*  Read packets from the port
+*  Outbound SP check using ACL of all IPv4 traffic
+*  Outbound SA lookup for packets that need IPsec protection
+*  Add ESP and outter IP header
+*  Encryption/Digest
+*  Routing
+*  Write packet to port
+
+Constraints
+-----------
+*  IPv4 traffic
+*  ESP tunnel mode
+*  EAS-CBC, HMAC-SHA1 and NULL
+*  Each SA must be handle by a unique lcore (1 RX queue per port)
+*  No chained mbufs
+
+Compiling the Application
+-------------------------
+
+To compile the application:
+
+#. Go to the sample application directory:
+
+   .. code-block:: console
+
+      export RTE_SDK=/path/to/rte_sdk
+      cd ${RTE_SDK}/examples/ipsec-secgw
+
+#. Set the target (a default target is used if not specified). For example:
+
+   .. code-block:: console
+
+      export RTE_TARGET=x86_64-native-linuxapp-gcc
+
+   See the *DPDK Getting Started Guide* for possible RTE_TARGET values.
+
+#. Build the application:
+
+   .. code-block:: console
+
+       make
+
+Running the Application
+-----------------------
+
+The application has a number of command line options:
+
+.. code-block:: console
+
+   ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config
+   (port,queue,lcore)[,(port,queue,lcore] --single-sa SAIDX --ep0|--ep1
+
+where,
+
+*   -p PORTMASK: Hexadecimal bitmask of ports to configure
+
+*   -P: optional, sets all ports to promiscuous mode so that packets are
+    accepted regardless of the packet's Ethernet MAC destination address.
+    Without this option, only packets with the Ethernet MAC destination address
+    set to the Ethernet address of the port are accepted (default is enabled).
+
+*   -u PORTMASK: hexadecimal bitmask of unprotected ports
+
+*   --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues
+    from which ports are mapped to which cores
+
+*   --single-sa SAIDX: use a single SA for outbound traffic, bypassing the SP
+    on both Inbound and Outbound. This option is meant for debugging/performance
+    purposes.
+
+*   --ep0: configure the app as Endpoint 0.
+
+*   --ep1: configure the app as Endpoint 1.
+
+Either one of --ep0 or --ep1 *must* be specified.
+The main purpose of these options is two easily configure two systems
+back-to-back that would forward traffic through an IPsec tunnel.
+
+The mapping of lcores to port/queues is similar to other l3fwd applications.
+
+For example, given the following command line:
+
+.. code-block:: console
+
+    ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048
+           --vdev "cryptodev_null_pmd" -- -p 0xf -P -u 0x3
+           --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --ep0
+
+where each options means:
+
+*   The -l option enables cores 20 and 21
+
+*   The -n option sets memory 4 channels
+
+*   The --socket-mem to use 2GB on socket 1
+
+*   The --vdev "cryptodev_null_pmd" option creates virtual NULL cryptodev PMD
+
+*   The -p option enables ports (detected) 0, 1, 2 and 3
+
+*   The -P option enables promiscuous mode
+
+*   The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected
+
+*   The --config option enables one queue per port with the following mapping:
+
++----------+-----------+-----------+---------------------------------------+
+| **Port** | **Queue** | **lcore** | **Description**                       |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 0        | 0         | 20        | Map queue 0 from port 0 to lcore 20.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 1        | 0         | 20        | Map queue 0 from port 1 to lcore 20.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 2        | 0         | 21        | Map queue 0 from port 2 to lcore 21.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 3        | 0         | 21        | Map queue 0 from port 3 to lcore 21.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+
+*   The --ep0 options configures the app with a given set of SP, SA and Routing
+    entries as explained below in more detail.
+
+Refer to the *DPDK Getting Started Guide* for general information on running
+applications and the Environment Abstraction Layer (EAL) options.
+
+The application would do a best effort to "map" crypto devices to cores, with
+hardware devices having priority.
+This means that if the application is using a single core and both hardware
+and software crypto devices are detected, hardware devices will be used.
+
+A way to achive the case where you want to force the use of virtual crypto
+devices is to whitelist the ethernet devices needed and therefore implicitely
+blacklisting all hardware crypto devices.
+
+For example, something like the following command line:
+
+.. code-block:: console
+
+    ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048
+            -w 81:00.0 -w 81:00.1 -w 81:00.2 -w 81:00.3
+            --vdev "cryptodev_aesni_mb_pmd" --vdev "cryptodev_null_pmd" --
+            -p 0xf -P -u 0x3 --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)"
+            --ep0
+
+Configurations
+--------------
+
+The following sections provide some details on the default values used to
+initialize the SP, SA and Routing tables.
+Currently all the configuration is hard coded into the application.
+
+Security Policy Initialization
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As mention in the overview, the Security Policies are ACL rules.
+The application defines two ACLs, one each of Inbound and Outbound, and
+it replicates them per socket in use.
+
+Following are the default rules:
+
+Endpoint 0 Outbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.105.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.106.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.107.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.108.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.200.0/24 | Any       | 9          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.250.0/24 | Any       | BYPASS     |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+Endpoint 0 Inbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.115.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.116.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.117.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.118.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.210.0/24 | Any       | 9          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.240.0/24 | Any       | BYPASS     |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+Endpoint 1 Outbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.115.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.116.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.117.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.118.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.210.0/24 | Any       | 9          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.240.0/24 | Any       | BYPASS     |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+Endpoint 1 Inbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.105.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.106.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.107.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.108.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.200.0/24 | Any       | 9          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.250.0/24 | Any       | BYPASS     |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+
+Security Association Initialization
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The SAs are kept in a array table.
+
+For Inbound, the SPI is used as index module the table size.
+This means that on a table for 100 SA, SPI 5 and 105 would use the same index
+and that is not currently supported.
+
+Notice that it is not an issue for Outbound traffic as we store the index and
+not the SPI in the Security Policy.
+
+All SAs configured with AES-CBC and HMAC-SHA1 share the same values for cipher
+block size and key, and authentication digest size and key.
+
+Following are the default values:
+
+Endpoint 0 Outbound Security Associations:
+
++---------+------------+-----------+----------------+------------------+
+| **SPI** | **Cipher** | **Auth**  | **Tunnel src** | **Tunnel dst**   |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 5       | AES-CBC    | HMAC-SHA1 | 172.16.1.5     | 172.16.2.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 6       | AES-CBC    | HMAC-SHA1 | 172.16.1.6     | 172.16.2.6       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 7       | AES-CBC    | HMAC-SHA1 | 172.16.1.7     | 172.16.2.7       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 8       | AES-CBC    | HMAC-SHA1 | 172.16.1.8     | 172.16.2.8       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 9       | NULL       | NULL      | 172.16.1.5     | 172.16.2.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+
+Endpoint 0 Inbound Security Associations:
+
++---------+------------+-----------+----------------+------------------+
+| **SPI** | **Cipher** | **Auth**  | **Tunnel src** | **Tunnel dst**   |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 5       | AES-CBC    | HMAC-SHA1 | 172.16.2.5     | 172.16.1.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 6       | AES-CBC    | HMAC-SHA1 | 172.16.2.6     | 172.16.1.6       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 7       | AES-CBC    | HMAC-SHA1 | 172.16.2.7     | 172.16.1.7       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 8       | AES-CBC    | HMAC-SHA1 | 172.16.2.8     | 172.16.1.8       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 9       | NULL       | NULL      | 172.16.2.5     | 172.16.1.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+
+Endpoint 1 Outbound Security Associations:
+
++---------+------------+-----------+----------------+------------------+
+| **SPI** | **Cipher** | **Auth**  | **Tunnel src** | **Tunnel dst**   |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 5       | AES-CBC    | HMAC-SHA1 | 172.16.2.5     | 172.16.1.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 6       | AES-CBC    | HMAC-SHA1 | 172.16.2.6     | 172.16.1.6       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 7       | AES-CBC    | HMAC-SHA1 | 172.16.2.7     | 172.16.1.7       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 8       | AES-CBC    | HMAC-SHA1 | 172.16.2.8     | 172.16.1.8       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 9       | NULL       | NULL      | 172.16.2.5     | 172.16.1.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+
+Endpoint 1 Inbound Security Associations:
+
++---------+------------+-----------+----------------+------------------+
+| **SPI** | **Cipher** | **Auth**  | **Tunnel src** | **Tunnel dst**   |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 5       | AES-CBC    | HMAC-SHA1 | 172.16.1.5     | 172.16.2.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 6       | AES-CBC    | HMAC-SHA1 | 172.16.1.6     | 172.16.2.6       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 7       | AES-CBC    | HMAC-SHA1 | 172.16.1.7     | 172.16.2.7       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 8       | AES-CBC    | HMAC-SHA1 | 172.16.1.8     | 172.16.2.8       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 9       | NULL       | NULL      | 172.16.1.5     | 172.16.2.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+
+Routing Initialization
+~~~~~~~~~~~~~~~~~~~~~~
+
+The Routing is implemented using LPM table.
+
+Following default values:
+
+Endpoint 0 Routing Table:
+
++------------------+----------+
+| **Dst addr**     | **Port** |
+|                  |          |
++------------------+----------+
+| 172.16.2.5/32    | 0        |
+|                  |          |
++------------------+----------+
+| 172.16.2.6/32    | 0        |
+|                  |          |
++------------------+----------+
+| 172.16.2.7/32    | 1        |
+|                  |          |
++------------------+----------+
+| 172.16.2.8/32    | 1        |
+|                  |          |
++------------------+----------+
+| 192.168.115.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.116.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.117.0/24 | 3        |
+|                  |          |
++------------------+----------+
+| 192.168.118.0/24 | 3        |
+|                  |          |
++------------------+----------+
+| 192.168.210.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.240.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.250.0/24 | 0        |
+|                  |          |
++------------------+----------+
+
+Endpoint 1 Routing Table:
+
++------------------+----------+
+| **Dst addr**     | **Port** |
+|                  |          |
++------------------+----------+
+| 172.16.1.5/32    | 2        |
+|                  |          |
++------------------+----------+
+| 172.16.1.6/32    | 2        |
+|                  |          |
++------------------+----------+
+| 172.16.1.7/32    | 3        |
+|                  |          |
++------------------+----------+
+| 172.16.1.8/32    | 3        |
+|                  |          |
++------------------+----------+
+| 192.168.105.0/24 | 0        |
+|                  |          |
++------------------+----------+
+| 192.168.106.0/24 | 0        |
+|                  |          |
++------------------+----------+
+| 192.168.107.0/24 | 1        |
+|                  |          |
++------------------+----------+
+| 192.168.108.0/24 | 1        |
+|                  |          |
++------------------+----------+
+| 192.168.200.0/24 | 0        |
+|                  |          |
++------------------+----------+
+| 192.168.240.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.250.0/24 | 0        |
+|                  |          |
++------------------+----------+
diff --git a/examples/Makefile b/examples/Makefile
index 1665df1..c9d2452 100644
--- a/examples/Makefile
+++ b/examples/Makefile
@@ -1,6 +1,7 @@
 #   BSD LICENSE
 #
 #   Copyright(c) 2014 6WIND S.A.
+#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
 #
 #   Redistribution and use in source and binary forms, with or without
 #   modification, are permitted provided that the following conditions
@@ -82,5 +83,6 @@ DIRS-y += vmdq
 DIRS-y += vmdq_dcb
 DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager
 DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto
+DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw
 
 include $(RTE_SDK)/mk/rte.extsubdir.mk
diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
new file mode 100644
index 0000000..5f893b8
--- /dev/null
+++ b/examples/ipsec-secgw/Makefile
@@ -0,0 +1,58 @@
+#   BSD LICENSE
+#
+#   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+#   All rights reserved.
+#
+#   Redistribution and use in source and binary forms, with or without
+#   modification, are permitted provided that the following conditions
+#   are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in
+#       the documentation and/or other materials provided with the
+#       distribution.
+#     * Neither the name of Intel Corporation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+#   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+#   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+#   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+#   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+#   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+#   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+#   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+#   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+#   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ifeq ($(RTE_SDK),)
+	$(error "Please define RTE_SDK environment variable")
+endif
+
+# Default target, can be overridden by command line or environment
+RTE_TARGET ?= x86_64-native-linuxapp-gcc
+
+include $(RTE_SDK)/mk/rte.vars.mk
+
+APP = ipsec-secgw
+
+CFLAGS += -O3 -gdwarf-2
+CFLAGS += $(WERROR_FLAGS)
+
+VPATH += $(SRCDIR)/librte_ipsec
+
+#
+# all source are stored in SRCS-y
+#
+SRCS-y += ipsec.c
+SRCS-y += esp.c
+SRCS-y += sp.c
+SRCS-y += sa.c
+SRCS-y += rt.c
+SRCS-y += ipsec-secgw.c
+
+include $(RTE_SDK)/mk/rte.extapp.mk
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
new file mode 100644
index 0000000..1da2c08
--- /dev/null
+++ b/examples/ipsec-secgw/esp.c
@@ -0,0 +1,250 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <netinet/ip.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <rte_common.h>
+#include <rte_memcpy.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_random.h>
+
+#include "ipsec.h"
+#include "esp.h"
+#include "ipip.h"
+
+#define IP_ESP_HDR_SZ (sizeof(struct ip) + sizeof(struct esp_hdr))
+
+static inline void
+random_iv_u64(uint64_t *buf, uint16_t n)
+{
+	unsigned left = n & 0x7;
+	unsigned i;
+
+	IPSEC_ASSERT((n & 0x3) == 0);
+
+	for (i = 0; i < (n >> 3); i++)
+		buf[i] = rte_rand();
+
+	if (left)
+		*((uint32_t *)&buf[i]) = (uint32_t)lrand48();
+}
+
+/* IPv4 Tunnel */
+int
+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop)
+{
+	int32_t payload_len;
+	struct rte_crypto_sym_op *sym_cop;
+
+	IPSEC_ASSERT(m != NULL);
+	IPSEC_ASSERT(sa != NULL);
+	IPSEC_ASSERT(cop != NULL);
+
+	payload_len = rte_pktmbuf_pkt_len(m) - IP_ESP_HDR_SZ - sa->iv_len -
+		sa->digest_len;
+
+	if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
+		IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not multiple of %u\n",
+				payload_len, sa->block_size);
+		return -EINVAL;
+	}
+
+	sym_cop = (struct rte_crypto_sym_op *)(cop + 1);
+
+	sym_cop->m_src = m;
+	sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len;
+	sym_cop->cipher.data.length = payload_len;
+
+	sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, void*,
+			IP_ESP_HDR_SZ);
+	sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			IP_ESP_HDR_SZ);
+	sym_cop->cipher.iv.length = sa->iv_len;
+
+	sym_cop->auth.data.offset = sizeof(struct ip);
+	if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM)
+		sym_cop->auth.data.length = sizeof(struct esp_hdr);
+	else
+		sym_cop->auth.data.length = sizeof(struct esp_hdr) +
+			sa->iv_len + payload_len;
+
+	sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*,
+			rte_pktmbuf_pkt_len(m) - sa->digest_len);
+	sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			rte_pktmbuf_pkt_len(m) - sa->digest_len);
+	sym_cop->auth.digest.length = sa->digest_len;
+
+	return 0;
+}
+
+int
+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop)
+{
+	uint8_t *nexthdr, *pad_len;
+	uint8_t *padding;
+	uint16_t i;
+
+	IPSEC_ASSERT(m != NULL);
+	IPSEC_ASSERT(sa != NULL);
+	IPSEC_ASSERT(cop != NULL);
+
+	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
+		return -1;
+	}
+
+	nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
+			rte_pktmbuf_pkt_len(m) - sa->digest_len - 1);
+	pad_len = nexthdr - 1;
+
+	padding = pad_len - *pad_len;
+	for (i = 0; i < *pad_len; i++) {
+		if (padding[i] != i) {
+			IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n");
+			return -EINVAL;
+		}
+	}
+
+	if (rte_pktmbuf_trim(m, *pad_len + 2 + sa->digest_len)) {
+		IPSEC_LOG(ERR, IPSEC_ESP,
+				"failed to remove pad_len + digest\n");
+		return -EINVAL;
+	}
+
+	return ip4ip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);
+}
+
+int
+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop)
+{
+	uint16_t pad_payload_len, pad_len;
+	struct ip *ip;
+	struct esp_hdr *esp;
+	int i;
+	char *padding;
+	struct rte_crypto_sym_op *sym_cop;
+
+	IPSEC_ASSERT(m != NULL);
+	IPSEC_ASSERT(sa != NULL);
+	IPSEC_ASSERT(cop != NULL);
+
+	/* Payload length */
+	pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) + 2,
+			sa->block_size);
+	pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m);
+
+	rte_prefetch0(rte_pktmbuf_mtod_offset(m, void *,
+				rte_pktmbuf_pkt_len(m)));
+
+	/* Check maximum packet size */
+	if (unlikely(IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len +
+				sa->digest_len > IP_MAXPACKET)) {
+		IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n");
+		return -EINVAL;
+	}
+
+	padding = rte_pktmbuf_append(m, pad_len + sa->digest_len);
+
+	IPSEC_ASSERT(padding != NULL);
+
+	ip = ip4ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len,
+			sa->src, sa->dst);
+
+	esp = (struct esp_hdr *)(ip + 1);
+	esp->spi = sa->spi;
+	esp->seq = htonl(sa->seq++);
+
+	IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m));
+
+	/* Fill pad_len using default sequential scheme */
+	for (i = 0; i < pad_len - 2; i++)
+		padding[i] = i + 1;
+
+	padding[pad_len - 2] = pad_len - 2;
+	padding[pad_len - 1] = IPPROTO_IPIP;
+
+	sym_cop = (struct rte_crypto_sym_op *)(cop + 1);
+
+	sym_cop->m_src = m;
+	sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len;
+	sym_cop->cipher.data.length = pad_payload_len;
+
+	sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
+			IP_ESP_HDR_SZ);
+	sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			IP_ESP_HDR_SZ);
+	sym_cop->cipher.iv.length = sa->iv_len;
+
+	sym_cop->auth.data.offset = sizeof(struct ip);
+	sym_cop->auth.data.length = sizeof(struct esp_hdr) + sa->iv_len +
+		pad_payload_len;
+
+	sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
+			IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len);
+	sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len);
+	sym_cop->auth.digest.length = sa->digest_len;
+
+	if (sa->cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)
+		random_iv_u64((uint64_t *)sym_cop->cipher.iv.data,
+				sym_cop->cipher.iv.length);
+
+	return 0;
+}
+
+int
+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused,
+		struct ipsec_sa *sa __rte_unused,
+		struct rte_crypto_op *cop)
+{
+	IPSEC_ASSERT(m != NULL);
+	IPSEC_ASSERT(sa != NULL);
+	IPSEC_ASSERT(cop != NULL);
+
+	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
+		return -1;
+	}
+
+	return 0;
+}
diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h
new file mode 100644
index 0000000..d7c8ba6
--- /dev/null
+++ b/examples/ipsec-secgw/esp.h
@@ -0,0 +1,66 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef __RTE_IPSEC_XFORM_ESP_H__
+#define __RTE_IPSEC_XFORM_ESP_H__
+
+struct mbuf;
+
+/* RFC4303 */
+struct esp_hdr {
+	uint32_t spi;
+	uint32_t seq;
+	/* Payload */
+	/* Padding */
+	/* Pad Length */
+	/* Next Header */
+	/* Integrity Check Value - ICV */
+};
+
+/* IPv4 Tunnel */
+int
+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+#endif /* __RTE_IPSEC_XFORM_ESP_H__ */
diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h
new file mode 100644
index 0000000..4eb96da
--- /dev/null
+++ b/examples/ipsec-secgw/ipip.h
@@ -0,0 +1,103 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __IPIP_H__
+#define __IPIP_H__
+
+#include <stdint.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_mbuf.h>
+
+#define IPV6_VERSION (6)
+
+static inline  struct ip *
+ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst)
+{
+	struct ip *inip, *outip;
+
+	inip = rte_pktmbuf_mtod(m, struct ip*);
+
+	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+
+	offset += sizeof(struct ip);
+
+	outip = (struct ip *)rte_pktmbuf_prepend(m, offset);
+
+	IPSEC_ASSERT(outip != NULL);
+
+	/* Per RFC4301 5.1.2.1 */
+	outip->ip_v = IPVERSION;
+	outip->ip_hl = 5;
+	outip->ip_tos = inip->ip_tos;
+	outip->ip_len = htons(rte_pktmbuf_data_len(m));
+
+	outip->ip_id = 0;
+	outip->ip_off = 0;
+
+	outip->ip_ttl = IPDEFTTL;
+	outip->ip_p = IPPROTO_ESP;
+
+	outip->ip_src.s_addr = src;
+	outip->ip_dst.s_addr = dst;
+
+	return outip;
+}
+
+static inline int
+ip4ip_inbound(struct rte_mbuf *m, uint32_t offset)
+{
+	struct ip *inip;
+	struct ip *outip;
+
+	outip = rte_pktmbuf_mtod(m, struct ip*);
+
+	IPSEC_ASSERT(outip->ip_v == IPVERSION);
+
+	offset += sizeof(struct ip);
+	inip = (struct ip *)rte_pktmbuf_adj(m, offset);
+	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+
+	/* Check packet is still bigger than IP header (inner) */
+	IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip));
+
+	/* RFC4301 5.1.2.1 Note 6 */
+	if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) &&
+			((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE))
+		inip->ip_tos |= htons(IPTOS_ECN_CE);
+
+	return 0;
+}
+
+#endif /* __IPIP_H__ */
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
new file mode 100644
index 0000000..cc6deee
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -0,0 +1,1360 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <inttypes.h>
+#include <sys/types.h>
+#include <string.h>
+#include <sys/queue.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <getopt.h>
+
+#include <rte_common.h>
+#include <rte_byteorder.h>
+#include <rte_log.h>
+#include <rte_eal.h>
+#include <rte_launch.h>
+#include <rte_atomic.h>
+#include <rte_cycles.h>
+#include <rte_prefetch.h>
+#include <rte_lcore.h>
+#include <rte_per_lcore.h>
+#include <rte_branch_prediction.h>
+#include <rte_interrupts.h>
+#include <rte_pci.h>
+#include <rte_random.h>
+#include <rte_debug.h>
+#include <rte_ether.h>
+#include <rte_ethdev.h>
+#include <rte_mempool.h>
+#include <rte_mbuf.h>
+#include <rte_acl.h>
+#include <rte_lpm.h>
+#include <rte_hash.h>
+#include <rte_jhash.h>
+#include <rte_cryptodev.h>
+
+#include "ipsec.h"
+
+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
+
+#define MAX_JUMBO_PKT_LEN  9600
+
+#define MEMPOOL_CACHE_SIZE 256
+
+#define NB_MBUF	(32000)
+
+#define CDEV_MAP_ENTRIES 1024
+#define CDEV_MP_NB_OBJS 2048
+#define CDEV_MP_CACHE_SZ 64
+#define MAX_QUEUE_PAIRS 1
+
+#define OPTION_CONFIG		"config"
+#define OPTION_SINGLE_SA	"single-sa"
+#define OPTION_EP0		"ep0"
+#define OPTION_EP1		"ep1"
+
+#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */
+
+#define NB_SOCKETS 4
+
+/* Configure how many packets ahead to prefetch, when reading packets */
+#define PREFETCH_OFFSET	3
+
+#define MAX_RX_QUEUE_PER_LCORE 16
+
+#define MAX_LCORE_PARAMS 1024
+
+#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid))
+
+/*
+ * Configurable number of RX/TX ring descriptors
+ */
+#define IPSEC_SECGW_RX_DESC_DEFAULT 128
+#define IPSEC_SECGW_TX_DESC_DEFAULT 512
+static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
+static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
+
+#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((a) & 0xff) << 56) | \
+	((uint64_t)((b) & 0xff) << 48) | \
+	((uint64_t)((c) & 0xff) << 40) | \
+	((uint64_t)((d) & 0xff) << 32) | \
+	((uint64_t)((e) & 0xff) << 24) | \
+	((uint64_t)((f) & 0xff) << 16) | \
+	((uint64_t)((g) & 0xff) << 8)  | \
+	((uint64_t)(h) & 0xff))
+#else
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((h) & 0xff) << 56) | \
+	((uint64_t)((g) & 0xff) << 48) | \
+	((uint64_t)((f) & 0xff) << 40) | \
+	((uint64_t)((e) & 0xff) << 32) | \
+	((uint64_t)((d) & 0xff) << 24) | \
+	((uint64_t)((c) & 0xff) << 16) | \
+	((uint64_t)((b) & 0xff) << 8) | \
+	((uint64_t)(a) & 0xff))
+#endif
+#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
+
+#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
+		addr.addr_bytes[0], addr.addr_bytes[1], \
+		addr.addr_bytes[2], addr.addr_bytes[3], \
+		addr.addr_bytes[4], addr.addr_bytes[5], \
+		0, 0)
+
+/* port/source ethernet addr and destination ethernet addr */
+struct ethaddr_info {
+	uint64_t src, dst;
+};
+
+struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
+};
+
+/* mask of enabled ports */
+static uint32_t enabled_port_mask;
+static uint32_t unprotected_port_mask;
+static int32_t promiscuous_on = 1;
+static int32_t numa_on = 1; /**< NUMA is enabled by default. */
+static int32_t ep = -1; /**< Endpoint configuration (0 or 1) */
+static uint32_t nb_lcores;
+static uint32_t single_sa;
+static uint32_t single_sa_idx;
+
+struct lcore_rx_queue {
+	uint8_t port_id;
+	uint8_t queue_id;
+} __rte_cache_aligned;
+
+struct lcore_params {
+	uint8_t port_id;
+	uint8_t queue_id;
+	uint8_t lcore_id;
+} __rte_cache_aligned;
+
+static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
+
+static struct lcore_params *lcore_params;
+static uint16_t nb_lcore_params;
+
+static struct rte_hash *cdev_map_in;
+static struct rte_hash *cdev_map_out;
+
+struct buffer {
+	uint16_t len;
+	struct rte_mbuf *m_table[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
+};
+
+struct lcore_conf {
+	uint16_t nb_rx_queue;
+	struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE];
+	uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
+	struct buffer tx_mbufs[RTE_MAX_ETHPORTS];
+	struct ipsec_ctx inbound;
+	struct ipsec_ctx outbound;
+	struct rt_ctx *rt_ctx;
+} __rte_cache_aligned;
+
+static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
+
+static struct rte_eth_conf port_conf = {
+	.rxmode = {
+		.mq_mode	= ETH_MQ_RX_RSS,
+		.max_rx_pkt_len = ETHER_MAX_LEN,
+		.split_hdr_size = 0,
+		.header_split   = 0, /**< Header Split disabled */
+		.hw_ip_checksum = 1, /**< IP checksum offload enabled */
+		.hw_vlan_filter = 0, /**< VLAN filtering disabled */
+		.jumbo_frame    = 0, /**< Jumbo Frame Support disabled */
+		.hw_strip_crc   = 0, /**< CRC stripped by hardware */
+	},
+	.rx_adv_conf = {
+		.rss_conf = {
+			.rss_key = NULL,
+			.rss_hf = ETH_RSS_IP | ETH_RSS_UDP |
+				ETH_RSS_TCP | ETH_RSS_SCTP,
+		},
+	},
+	.txmode = {
+		.mq_mode = ETH_MQ_TX_NONE,
+	},
+};
+
+static struct socket_ctx socket_ctx[NB_SOCKETS];
+
+struct traffic_type {
+	const uint8_t *data[MAX_PKT_BURST * 2];
+	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
+	uint32_t res[MAX_PKT_BURST * 2];
+	uint32_t num;
+};
+
+struct ipsec_traffic {
+	struct traffic_type ipsec4;
+	struct traffic_type ipv4;
+};
+
+static inline void
+prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
+{
+	uint8_t *nlp;
+
+	if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) {
+		rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
+		nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *,
+				offsetof(struct ip, ip_p));
+		if (*nlp == IPPROTO_ESP)
+			t->ipsec4.pkts[(t->ipsec4.num)++] = pkt;
+		else {
+			t->ipv4.data[t->ipv4.num] = nlp;
+			t->ipv4.pkts[(t->ipv4.num)++] = pkt;
+		}
+	} else {
+		/* Unknown/Unsupported type, drop the packet */
+		rte_pktmbuf_free(pkt);
+	}
+}
+
+static inline void
+prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
+		uint16_t nb_pkts)
+{
+	int32_t i;
+
+	t->ipsec4.num = 0;
+	t->ipv4.num = 0;
+
+	for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
+		rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
+					void *));
+		prepare_one_packet(pkts[i], t);
+	}
+	/* Process left packets */
+	for (; i < nb_pkts; i++)
+		prepare_one_packet(pkts[i], t);
+}
+
+static inline void
+prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
+{
+	pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
+	pkt->l3_len = sizeof(struct ip);
+	pkt->l2_len = ETHER_HDR_LEN;
+
+	struct ether_hdr *ethhdr = (struct ether_hdr *)rte_pktmbuf_prepend(pkt,
+			ETHER_HDR_LEN);
+
+	ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4);
+	memcpy(&ethhdr->s_addr, &ethaddr_tbl[port].src,
+			sizeof(struct ether_addr));
+	memcpy(&ethhdr->d_addr, &ethaddr_tbl[port].dst,
+			sizeof(struct ether_addr));
+}
+
+static inline void
+prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port)
+{
+	int32_t i;
+	const int32_t prefetch_offset = 2;
+
+	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
+		rte_prefetch0(pkts[i + prefetch_offset]->cacheline1);
+		prepare_tx_pkt(pkts[i], port);
+	}
+	/* Process left packets */
+	for (; i < nb_pkts; i++)
+		prepare_tx_pkt(pkts[i], port);
+}
+
+/* Send burst of packets on an output interface */
+static inline int32_t
+send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port)
+{
+	struct rte_mbuf **m_table;
+	int32_t ret;
+	uint16_t queueid;
+
+	queueid = qconf->tx_queue_id[port];
+	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
+
+	prepare_tx_burst(m_table, n, port);
+
+	ret = rte_eth_tx_burst(port, queueid, m_table, n);
+	if (unlikely(ret < n)) {
+		do {
+			rte_pktmbuf_free(m_table[ret]);
+		} while (++ret < n);
+	}
+
+	return 0;
+}
+
+/* Enqueue a single packet, and send burst if queue is filled */
+static inline int32_t
+send_single_packet(struct rte_mbuf *m, uint8_t port)
+{
+	uint32_t lcore_id;
+	uint16_t len;
+	struct lcore_conf *qconf;
+
+	lcore_id = rte_lcore_id();
+
+	qconf = &lcore_conf[lcore_id];
+	len = qconf->tx_mbufs[port].len;
+	qconf->tx_mbufs[port].m_table[len] = m;
+	len++;
+
+	/* enough pkts to be sent */
+	if (unlikely(len == MAX_PKT_BURST)) {
+		send_burst(qconf, MAX_PKT_BURST, port);
+		len = 0;
+	}
+
+	qconf->tx_mbufs[port].len = len;
+	return 0;
+}
+
+static inline void
+process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
+		struct ipsec_traffic *traffic)
+{
+	struct rte_mbuf *m;
+	uint16_t idx, nb_pkts_in, i, j;
+	uint32_t sa_idx, res;
+
+	nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts,
+			traffic->ipsec4.num, MAX_PKT_BURST);
+
+	/* SP/ACL Inbound check ipsec and ipv4 */
+	for (i = 0; i < nb_pkts_in; i++) {
+		idx = traffic->ipv4.num++;
+		m = traffic->ipsec4.pkts[i];
+		traffic->ipv4.pkts[idx] = m;
+		traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m,
+				uint8_t *, offsetof(struct ip, ip_p));
+	}
+
+	rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx,
+			traffic->ipv4.data, traffic->ipv4.res,
+			traffic->ipv4.num, DEFAULT_MAX_CATEGORIES);
+
+	j = 0;
+	for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) {
+		m = traffic->ipv4.pkts[i];
+		res = traffic->ipv4.res[i];
+		if (res & ~BYPASS) {
+			rte_pktmbuf_free(m);
+			continue;
+		}
+		traffic->ipv4.pkts[j++] = m;
+	}
+	/* Check return SA SPI matches pkt SPI */
+	for ( ; i < traffic->ipv4.num; i++) {
+		m = traffic->ipv4.pkts[i];
+		sa_idx = traffic->ipv4.res[i] & PROTECT_MASK;
+		if (sa_idx == 0 || !inbound_sa_check(ipsec_ctx->sa_ctx,
+					m, sa_idx)) {
+			rte_pktmbuf_free(m);
+			continue;
+		}
+		traffic->ipv4.pkts[j++] = m;
+	}
+	traffic->ipv4.num = j;
+}
+
+static inline void
+process_pkts_outbound(struct ipsec_ctx *ipsec_ctx,
+		struct ipsec_traffic *traffic)
+{
+	struct rte_mbuf *m;
+	uint16_t idx, nb_pkts_out, i, j;
+	uint32_t sa_idx, res;
+
+	rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx,
+			traffic->ipv4.data, traffic->ipv4.res,
+			traffic->ipv4.num, DEFAULT_MAX_CATEGORIES);
+
+	/* Drop any IPsec traffic from protected ports */
+	for (i = 0; i < traffic->ipsec4.num; i++)
+		rte_pktmbuf_free(traffic->ipsec4.pkts[i]);
+
+	traffic->ipsec4.num = 0;
+
+	j = 0;
+	for (i = 0; i < traffic->ipv4.num; i++) {
+		m = traffic->ipv4.pkts[i];
+		res = traffic->ipv4.res[i];
+		sa_idx = res & PROTECT_MASK;
+		if ((res == 0) || (res & DISCARD))
+			rte_pktmbuf_free(m);
+		else if (sa_idx != 0) {
+			traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx;
+			traffic->ipsec4.pkts[traffic->ipsec4.num++] = m;
+		} else /* BYPASS */
+			traffic->ipv4.pkts[j++] = m;
+	}
+	traffic->ipv4.num = j;
+
+	nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec4.pkts,
+			traffic->ipsec4.res, traffic->ipsec4.num,
+			MAX_PKT_BURST);
+
+	for (i = 0; i < nb_pkts_out; i++) {
+		idx = traffic->ipv4.num++;
+		m = traffic->ipsec4.pkts[i];
+		traffic->ipv4.pkts[idx] = m;
+	}
+}
+
+static inline void
+process_pkts_inbound_nosp(struct ipsec_ctx *ipsec_ctx,
+		struct ipsec_traffic *traffic)
+{
+	uint16_t nb_pkts_in, i;
+
+	/* Drop any IPv4 traffic from unprotected ports */
+	for (i = 0; i < traffic->ipv4.num; i++)
+		rte_pktmbuf_free(traffic->ipv4.pkts[i]);
+
+	traffic->ipv4.num = 0;
+
+	nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts,
+			traffic->ipsec4.num, MAX_PKT_BURST);
+
+	for (i = 0; i < nb_pkts_in; i++)
+		traffic->ipv4.pkts[i] = traffic->ipsec4.pkts[i];
+
+	traffic->ipv4.num = nb_pkts_in;
+}
+
+static inline void
+process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx,
+		struct ipsec_traffic *traffic)
+{
+	uint16_t nb_pkts_out, i;
+
+	/* Drop any IPsec traffic from protected ports */
+	for (i = 0; i < traffic->ipsec4.num; i++)
+		rte_pktmbuf_free(traffic->ipsec4.pkts[i]);
+
+	traffic->ipsec4.num = 0;
+
+	for (i = 0; i < traffic->ipv4.num; i++)
+		traffic->ipv4.res[i] = single_sa_idx;
+
+	nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipv4.pkts,
+			traffic->ipv4.res, traffic->ipv4.num,
+			MAX_PKT_BURST);
+
+	traffic->ipv4.num = nb_pkts_out;
+}
+
+static inline void
+route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
+{
+	uint32_t hop[MAX_PKT_BURST * 2];
+	uint32_t dst_ip[MAX_PKT_BURST * 2];
+	uint16_t i, offset;
+
+	if (nb_pkts == 0)
+		return;
+
+	for (i = 0; i < nb_pkts; i++) {
+		offset = offsetof(struct ip, ip_dst);
+		dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i],
+				uint32_t *, offset);
+		dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]);
+	}
+
+	rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts);
+
+	for (i = 0; i < nb_pkts; i++) {
+		if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) {
+			rte_pktmbuf_free(pkts[i]);
+			continue;
+		}
+		send_single_packet(pkts[i], hop[i] & 0xff);
+	}
+}
+
+static inline void
+process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts,
+		uint8_t nb_pkts, uint8_t portid)
+{
+	struct ipsec_traffic traffic = { 0 };
+
+	prepare_traffic(pkts, &traffic, nb_pkts);
+
+	if (single_sa) {
+		if (UNPROTECTED_PORT(portid))
+			process_pkts_inbound_nosp(&qconf->inbound, &traffic);
+		else
+			process_pkts_outbound_nosp(&qconf->outbound, &traffic);
+	} else {
+		if (UNPROTECTED_PORT(portid))
+			process_pkts_inbound(&qconf->inbound, &traffic);
+		else
+			process_pkts_outbound(&qconf->outbound, &traffic);
+	}
+
+	route_pkts(qconf->rt_ctx, traffic.ipv4.pkts, traffic.ipv4.num);
+}
+
+static inline void
+drain_buffers(struct lcore_conf *qconf)
+{
+	struct buffer *buf;
+	uint32_t portid;
+
+	for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) {
+		buf = &qconf->tx_mbufs[portid];
+		if (buf->len == 0)
+			continue;
+		send_burst(qconf, buf->len, portid);
+		buf->len = 0;
+	}
+}
+
+/* main processing loop */
+static int32_t
+main_loop(__attribute__((unused)) void *dummy)
+{
+	struct rte_mbuf *pkts[MAX_PKT_BURST];
+	uint32_t lcore_id;
+	uint64_t prev_tsc, diff_tsc, cur_tsc;
+	int32_t i, nb_rx;
+	uint8_t portid, queueid;
+	struct lcore_conf *qconf;
+	int32_t socket_id;
+	const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1)
+			/ US_PER_S * BURST_TX_DRAIN_US;
+	struct lcore_rx_queue *rxql;
+
+	prev_tsc = 0;
+	lcore_id = rte_lcore_id();
+	qconf = &lcore_conf[lcore_id];
+	rxql = qconf->rx_queue_list;
+	socket_id = rte_lcore_to_socket_id(lcore_id);
+
+	qconf->rt_ctx = socket_ctx[socket_id].rt_ipv4;
+	qconf->inbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_in;
+	qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_in;
+	qconf->inbound.cdev_map = cdev_map_in;
+	qconf->outbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_out;
+	qconf->outbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_out;
+	qconf->outbound.cdev_map = cdev_map_out;
+
+	if (qconf->nb_rx_queue == 0) {
+		RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id);
+		return 0;
+	}
+
+	RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id);
+
+	for (i = 0; i < qconf->nb_rx_queue; i++) {
+		portid = rxql[i].port_id;
+		queueid = rxql[i].queue_id;
+		RTE_LOG(INFO, IPSEC,
+			" -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n",
+			lcore_id, portid, queueid);
+	}
+
+	while (1) {
+		cur_tsc = rte_rdtsc();
+
+		/* TX queue buffer drain */
+		diff_tsc = cur_tsc - prev_tsc;
+
+		if (unlikely(diff_tsc > drain_tsc)) {
+			drain_buffers(qconf);
+			prev_tsc = cur_tsc;
+		}
+
+		/* Read packet from RX queues */
+		for (i = 0; i < qconf->nb_rx_queue; ++i) {
+			portid = rxql[i].port_id;
+			queueid = rxql[i].queue_id;
+			nb_rx = rte_eth_rx_burst(portid, queueid,
+					pkts, MAX_PKT_BURST);
+
+			if (nb_rx > 0)
+				process_pkts(qconf, pkts, nb_rx, portid);
+		}
+	}
+}
+
+static int32_t
+check_params(void)
+{
+	uint8_t lcore, portid, nb_ports;
+	uint16_t i;
+	int32_t socket_id;
+
+	if (lcore_params == NULL) {
+		printf("Error: No port/queue/core mappings\n");
+		return -1;
+	}
+
+	nb_ports = rte_eth_dev_count();
+	if (nb_ports > RTE_MAX_ETHPORTS)
+		nb_ports = RTE_MAX_ETHPORTS;
+
+	for (i = 0; i < nb_lcore_params; ++i) {
+		lcore = lcore_params[i].lcore_id;
+		if (!rte_lcore_is_enabled(lcore)) {
+			printf("error: lcore %hhu is not enabled in "
+				"lcore mask\n", lcore);
+			return -1;
+		}
+		socket_id = rte_lcore_to_socket_id(lcore);
+		if (socket_id != 0 && numa_on == 0) {
+			printf("warning: lcore %hhu is on socket %d "
+				"with numa off\n",
+				lcore, socket_id);
+		}
+		portid = lcore_params[i].port_id;
+		if ((enabled_port_mask & (1 << portid)) == 0) {
+			printf("port %u is not enabled in port mask\n", portid);
+			return -1;
+		}
+		if (portid >= nb_ports) {
+			printf("port %u is not present on the board\n", portid);
+			return -1;
+		}
+	}
+	return 0;
+}
+
+static uint8_t
+get_port_nb_rx_queues(const uint8_t port)
+{
+	int32_t queue = -1;
+	uint16_t i;
+
+	for (i = 0; i < nb_lcore_params; ++i) {
+		if (lcore_params[i].port_id == port &&
+				lcore_params[i].queue_id > queue)
+			queue = lcore_params[i].queue_id;
+	}
+	return (uint8_t)(++queue);
+}
+
+static int32_t
+init_lcore_rx_queues(void)
+{
+	uint16_t i, nb_rx_queue;
+	uint8_t lcore;
+
+	for (i = 0; i < nb_lcore_params; ++i) {
+		lcore = lcore_params[i].lcore_id;
+		nb_rx_queue = lcore_conf[lcore].nb_rx_queue;
+		if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) {
+			printf("error: too many queues (%u) for lcore: %u\n",
+					nb_rx_queue + 1, lcore);
+			return -1;
+		}
+		lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id =
+			lcore_params[i].port_id;
+		lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id =
+			lcore_params[i].queue_id;
+		lcore_conf[lcore].nb_rx_queue++;
+	}
+	return 0;
+}
+
+/* display usage */
+static void
+print_usage(const char *prgname)
+{
+	printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK"
+		"  --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]"
+		" --single-sa SAIDX --ep0|--ep1\n"
+		"  -p PORTMASK: hexadecimal bitmask of ports to configure\n"
+		"  -P : enable promiscuous mode\n"
+		"  -u PORTMASK: hexadecimal bitmask of unprotected ports\n"
+		"  --"OPTION_CONFIG": (port,queue,lcore): "
+		"rx queues configuration\n"
+		"  --single-sa SAIDX: use single SA index for outbound, "
+		"bypassing the SP\n"
+		"  --ep0: Configure as Endpoint 0\n"
+		"  --ep1: Configure as Endpoint 1\n", prgname);
+}
+
+static int32_t
+parse_portmask(const char *portmask)
+{
+	char *end = NULL;
+	unsigned long pm;
+
+	/* parse hexadecimal string */
+	pm = strtoul(portmask, &end, 16);
+	if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0'))
+		return -1;
+
+	if ((pm == 0) && errno)
+		return -1;
+
+	return pm;
+}
+
+static int32_t
+parse_decimal(const char *str)
+{
+	char *end = NULL;
+	unsigned long num;
+
+	num = strtoul(str, &end, 10);
+	if ((str[0] == '\0') || (end == NULL) || (*end != '\0'))
+		return -1;
+
+	return num;
+}
+
+static int32_t
+parse_config(const char *q_arg)
+{
+	char s[256];
+	const char *p, *p0 = q_arg;
+	char *end;
+	enum fieldnames {
+		FLD_PORT = 0,
+		FLD_QUEUE,
+		FLD_LCORE,
+		_NUM_FLD
+	};
+	int long int_fld[_NUM_FLD];
+	char *str_fld[_NUM_FLD];
+	int32_t i;
+	uint32_t size;
+
+	nb_lcore_params = 0;
+
+	while ((p = strchr(p0, '(')) != NULL) {
+		++p;
+		p0 = strchr(p, ')');
+		if (p0 == NULL)
+			return -1;
+
+		size = p0 - p;
+		if (size >= sizeof(s))
+			return -1;
+
+		snprintf(s, sizeof(s), "%.*s", size, p);
+		if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') !=
+				_NUM_FLD)
+			return -1;
+		for (i = 0; i < _NUM_FLD; i++) {
+			errno = 0;
+			int_fld[i] = strtoul(str_fld[i], &end, 0);
+			if (errno != 0 || end == str_fld[i] || int_fld[i] > 255)
+				return -1;
+		}
+		if (nb_lcore_params >= MAX_LCORE_PARAMS) {
+			printf("exceeded max number of lcore params: %hu\n",
+				nb_lcore_params);
+			return -1;
+		}
+		lcore_params_array[nb_lcore_params].port_id =
+			(uint8_t)int_fld[FLD_PORT];
+		lcore_params_array[nb_lcore_params].queue_id =
+			(uint8_t)int_fld[FLD_QUEUE];
+		lcore_params_array[nb_lcore_params].lcore_id =
+			(uint8_t)int_fld[FLD_LCORE];
+		++nb_lcore_params;
+	}
+	lcore_params = lcore_params_array;
+	return 0;
+}
+
+#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt)))
+static int32_t
+parse_args_long_options(struct option *lgopts, int32_t option_index)
+{
+	int32_t ret = -1;
+	const char *optname = lgopts[option_index].name;
+
+	if (__STRNCMP(optname, OPTION_CONFIG)) {
+		ret = parse_config(optarg);
+		if (ret)
+			printf("invalid config\n");
+	}
+
+	if (__STRNCMP(optname, OPTION_SINGLE_SA)) {
+		ret = parse_decimal(optarg);
+		if (ret != -1) {
+			single_sa = 1;
+			single_sa_idx = ret;
+			printf("Configured with single SA index %u\n",
+					single_sa_idx);
+			ret = 0;
+		}
+	}
+
+	if (__STRNCMP(optname, OPTION_EP0)) {
+		printf("endpoint 0\n");
+		ep = 0;
+		ret = 0;
+	}
+
+	if (__STRNCMP(optname, OPTION_EP1)) {
+		printf("endpoint 1\n");
+		ep = 1;
+		ret = 0;
+	}
+
+	return ret;
+}
+#undef __STRNCMP
+
+static int32_t
+parse_args(int32_t argc, char **argv)
+{
+	int32_t opt, ret;
+	char **argvopt;
+	int32_t option_index;
+	char *prgname = argv[0];
+	static struct option lgopts[] = {
+		{OPTION_CONFIG, 1, 0, 0},
+		{OPTION_SINGLE_SA, 1, 0, 0},
+		{OPTION_EP0, 0, 0, 0},
+		{OPTION_EP1, 0, 0, 0},
+		{NULL, 0, 0, 0}
+	};
+
+	argvopt = argv;
+
+	while ((opt = getopt_long(argc, argvopt, "p:Pu:",
+				lgopts, &option_index)) != EOF) {
+
+		switch (opt) {
+		case 'p':
+			enabled_port_mask = parse_portmask(optarg);
+			if (enabled_port_mask == 0) {
+				printf("invalid portmask\n");
+				print_usage(prgname);
+				return -1;
+			}
+			break;
+		case 'P':
+			printf("Promiscuous mode selected\n");
+			promiscuous_on = 1;
+			break;
+		case 'u':
+			unprotected_port_mask = parse_portmask(optarg);
+			if (unprotected_port_mask == 0) {
+				printf("invalid unprotected portmask\n");
+				print_usage(prgname);
+				return -1;
+			}
+			break;
+		case 0:
+			if (parse_args_long_options(lgopts, option_index)) {
+				print_usage(prgname);
+				return -1;
+			}
+			break;
+		default:
+			print_usage(prgname);
+			return -1;
+		}
+	}
+
+	if (optind >= 0)
+		argv[optind-1] = prgname;
+
+	ret = optind-1;
+	optind = 0; /* reset getopt lib */
+	return ret;
+}
+
+static void
+print_ethaddr(const char *name, const struct ether_addr *eth_addr)
+{
+	char buf[ETHER_ADDR_FMT_SIZE];
+	ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
+	printf("%s%s", name, buf);
+}
+
+/* Check the link status of all ports in up to 9s, and print them finally */
+static void
+check_all_ports_link_status(uint8_t port_num, uint32_t port_mask)
+{
+#define CHECK_INTERVAL 100 /* 100ms */
+#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */
+	uint8_t portid, count, all_ports_up, print_flag = 0;
+	struct rte_eth_link link;
+
+	printf("\nChecking link status");
+	fflush(stdout);
+	for (count = 0; count <= MAX_CHECK_TIME; count++) {
+		all_ports_up = 1;
+		for (portid = 0; portid < port_num; portid++) {
+			if ((port_mask & (1 << portid)) == 0)
+				continue;
+			memset(&link, 0, sizeof(link));
+			rte_eth_link_get_nowait(portid, &link);
+			/* print link status if flag set */
+			if (print_flag == 1) {
+				if (link.link_status)
+					printf("Port %d Link Up - speed %u "
+						"Mbps - %s\n", (uint8_t)portid,
+						(uint32_t)link.link_speed,
+				(link.link_duplex == ETH_LINK_FULL_DUPLEX) ?
+					("full-duplex") : ("half-duplex\n"));
+				else
+					printf("Port %d Link Down\n",
+						(uint8_t)portid);
+				continue;
+			}
+			/* clear all_ports_up flag if any link down */
+			if (link.link_status == 0) {
+				all_ports_up = 0;
+				break;
+			}
+		}
+		/* after finally printing all link status, get out */
+		if (print_flag == 1)
+			break;
+
+		if (all_ports_up == 0) {
+			printf(".");
+			fflush(stdout);
+			rte_delay_ms(CHECK_INTERVAL);
+		}
+
+		/* set the print_flag if all ports up or timeout */
+		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) {
+			print_flag = 1;
+			printf("done\n");
+		}
+	}
+}
+
+static int32_t
+add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
+		uint16_t qp, struct lcore_params *params,
+		struct ipsec_ctx *ipsec_ctx,
+		const struct rte_cryptodev_capabilities *cipher,
+		const struct rte_cryptodev_capabilities *auth)
+{
+	int32_t ret = 0;
+	unsigned long i;
+	struct cdev_key key = { 0 };
+
+	key.lcore_id = params->lcore_id;
+	if (cipher)
+		key.cipher_algo = cipher->sym.cipher.algo;
+	if (auth)
+		key.auth_algo = auth->sym.auth.algo;
+
+	ret = rte_hash_lookup(map, &key);
+	if (ret != -ENOENT)
+		return 0;
+
+	for (i = 0; i < ipsec_ctx->nb_qps; i++)
+		if (ipsec_ctx->tbl[i].id == cdev_id)
+			break;
+
+	if (i == ipsec_ctx->nb_qps) {
+		if (ipsec_ctx->nb_qps == MAX_QP_PER_LCORE) {
+			printf("Maximum number of crypto devices assigned to "
+				"a core, increase MAX_QP_PER_LCORE value\n");
+			return 0;
+		}
+		ipsec_ctx->tbl[i].id = cdev_id;
+		ipsec_ctx->tbl[i].qp = qp;
+		ipsec_ctx->nb_qps++;
+		printf("%s cdev mapping: lcore %u using cdev %u qp %u "
+				"(cdev_id_qp %lu)\n", str, key.lcore_id,
+				cdev_id, qp, i);
+	}
+
+	ret = rte_hash_add_key_data(map, &key, (void *)i);
+	if (ret < 0) {
+		printf("Faled to insert cdev mapping for (lcore %u, "
+				"cdev %u, qp %u), errno %d\n",
+				key.lcore_id, ipsec_ctx->tbl[i].id,
+				ipsec_ctx->tbl[i].qp, ret);
+		return 0;
+	}
+
+	return 1;
+}
+
+static int32_t
+add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id,
+		uint16_t qp, struct lcore_params *params)
+{
+	int32_t ret = 0;
+	const struct rte_cryptodev_capabilities *i, *j;
+	struct rte_hash *map;
+	struct lcore_conf *qconf;
+	struct ipsec_ctx *ipsec_ctx;
+	const char *str;
+
+	qconf = &lcore_conf[params->lcore_id];
+
+	if ((unprotected_port_mask & (1 << params->port_id)) == 0) {
+		map = cdev_map_out;
+		ipsec_ctx = &qconf->outbound;
+		str = "Outbound";
+	} else {
+		map = cdev_map_in;
+		ipsec_ctx = &qconf->inbound;
+		str = "Inbound";
+	}
+
+	/* Required cryptodevs with operation chainning */
+	if (!(dev_info->feature_flags &
+				RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING))
+		return ret;
+
+	for (i = dev_info->capabilities;
+			i->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; i++) {
+		if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
+			continue;
+
+		if (i->sym.xform_type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			continue;
+
+		for (j = dev_info->capabilities;
+				j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) {
+			if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
+				continue;
+
+			if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH)
+				continue;
+
+			ret |= add_mapping(map, str, cdev_id, qp, params,
+					ipsec_ctx, i, j);
+		}
+	}
+
+	return ret;
+}
+
+static int32_t
+cryptodevs_init(void)
+{
+	struct rte_cryptodev_config dev_conf;
+	struct rte_cryptodev_qp_conf qp_conf;
+	uint16_t idx, max_nb_qps, qp, i;
+	int16_t cdev_id;
+	struct rte_hash_parameters params = { 0 };
+
+	params.entries = CDEV_MAP_ENTRIES;
+	params.key_len = sizeof(struct cdev_key);
+	params.hash_func = rte_jhash;
+	params.hash_func_init_val = 0;
+	params.socket_id = rte_socket_id();
+
+	params.name = "cdev_map_in";
+	cdev_map_in = rte_hash_create(&params);
+	if (cdev_map_in == NULL)
+		rte_panic("Failed to create cdev_map hash table, errno = %d\n",
+				rte_errno);
+
+	params.name = "cdev_map_out";
+	cdev_map_out = rte_hash_create(&params);
+	if (cdev_map_out == NULL)
+		rte_panic("Failed to create cdev_map hash table, errno = %d\n",
+				rte_errno);
+
+	printf("lcore/cryptodev/qp mappings:\n");
+
+	idx = 0;
+	/* Start from last cdev id to give HW priority */
+	for (cdev_id = rte_cryptodev_count() - 1; cdev_id >= 0; cdev_id--) {
+		struct rte_cryptodev_info cdev_info;
+
+		rte_cryptodev_info_get(cdev_id, &cdev_info);
+
+		if (nb_lcore_params > cdev_info.max_nb_queue_pairs)
+			max_nb_qps = cdev_info.max_nb_queue_pairs;
+		else
+			max_nb_qps = nb_lcore_params;
+
+		qp = 0;
+		i = 0;
+		while (qp < max_nb_qps && i < nb_lcore_params) {
+			if (add_cdev_mapping(&cdev_info, cdev_id, qp,
+						&lcore_params[idx]))
+				qp++;
+			idx++;
+			idx = idx % nb_lcore_params;
+			i++;
+		}
+
+		if (qp == 0)
+			continue;
+
+		dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
+		dev_conf.nb_queue_pairs = qp;
+		dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS;
+		dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ;
+
+		if (rte_cryptodev_configure(cdev_id, &dev_conf))
+			rte_panic("Failed to initialize crypodev %u\n",
+					cdev_id);
+
+		qp_conf.nb_descriptors = CDEV_MP_NB_OBJS;
+		for (qp = 0; qp < dev_conf.nb_queue_pairs; qp++)
+			if (rte_cryptodev_queue_pair_setup(cdev_id, qp,
+						&qp_conf, dev_conf.socket_id))
+				rte_panic("Failed to setup queue %u for "
+						"cdev_id %u\n",	0, cdev_id);
+	}
+
+	printf("\n");
+
+	return 0;
+}
+
+static void
+port_init(uint8_t portid)
+{
+	struct rte_eth_dev_info dev_info;
+	struct rte_eth_txconf *txconf;
+	uint16_t nb_tx_queue, nb_rx_queue;
+	uint16_t tx_queueid, rx_queueid, queue, lcore_id;
+	int32_t ret, socket_id;
+	struct lcore_conf *qconf;
+	struct ether_addr ethaddr;
+
+	rte_eth_dev_info_get(portid, &dev_info);
+
+	printf("Configuring device port %u:\n", portid);
+
+	rte_eth_macaddr_get(portid, &ethaddr);
+	ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
+	print_ethaddr("Address: ", &ethaddr);
+	printf("\n");
+
+	nb_rx_queue = get_port_nb_rx_queues(portid);
+	nb_tx_queue = nb_lcores;
+
+	if (nb_rx_queue > dev_info.max_rx_queues)
+		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
+				"(max rx queue is %u)\n",
+				nb_rx_queue, dev_info.max_rx_queues);
+
+	if (nb_tx_queue > dev_info.max_tx_queues)
+		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
+				"(max tx queue is %u)\n",
+				nb_tx_queue, dev_info.max_tx_queues);
+
+	printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n",
+			nb_rx_queue, nb_tx_queue);
+
+	ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue,
+			&port_conf);
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "Cannot configure device: "
+				"err=%d, port=%d\n", ret, portid);
+
+	/* init one TX queue per lcore */
+	tx_queueid = 0;
+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+		if (rte_lcore_is_enabled(lcore_id) == 0)
+			continue;
+
+		if (numa_on)
+			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
+		else
+			socket_id = 0;
+
+		/* init TX queue */
+		printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id);
+
+		txconf = &dev_info.default_txconf;
+		txconf->txq_flags = 0;
+
+		ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd,
+				socket_id, txconf);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: "
+					"err=%d, port=%d\n", ret, portid);
+
+		qconf = &lcore_conf[lcore_id];
+		qconf->tx_queue_id[portid] = tx_queueid;
+		tx_queueid++;
+
+		/* init RX queues */
+		for (queue = 0; queue < qconf->nb_rx_queue; ++queue) {
+			if (portid != qconf->rx_queue_list[queue].port_id)
+				continue;
+
+			rx_queueid = qconf->rx_queue_list[queue].queue_id;
+
+			printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid,
+					socket_id);
+
+			ret = rte_eth_rx_queue_setup(portid, rx_queueid,
+					nb_rxd,	socket_id, NULL,
+					socket_ctx[socket_id].mbuf_pool);
+			if (ret < 0)
+				rte_exit(EXIT_FAILURE,
+					"rte_eth_rx_queue_setup: err=%d, "
+					"port=%d\n", ret, portid);
+		}
+	}
+	printf("\n");
+}
+
+static void
+pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf)
+{
+	char s[64];
+
+	snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id);
+	ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf,
+			MEMPOOL_CACHE_SIZE, ipsec_metadata_size(),
+			RTE_MBUF_DEFAULT_BUF_SIZE,
+			socket_id);
+	if (ctx->mbuf_pool == NULL)
+		rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n",
+				socket_id);
+	else
+		printf("Allocated mbuf pool on socket %d\n", socket_id);
+}
+
+int32_t
+main(int32_t argc, char **argv)
+{
+	int32_t ret;
+	uint32_t lcore_id, nb_ports;
+	uint8_t portid, socket_id;
+
+	/* init EAL */
+	ret = rte_eal_init(argc, argv);
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n");
+	argc -= ret;
+	argv += ret;
+
+	/* parse application arguments (after the EAL ones) */
+	ret = parse_args(argc, argv);
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "Invalid parameters\n");
+
+	if (ep < 0)
+		rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n");
+
+	if ((unprotected_port_mask & enabled_port_mask) !=
+			unprotected_port_mask)
+		rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n",
+				unprotected_port_mask);
+
+	nb_ports = rte_eth_dev_count();
+	if (nb_ports > RTE_MAX_ETHPORTS)
+		nb_ports = RTE_MAX_ETHPORTS;
+
+	if (check_params() < 0)
+		rte_exit(EXIT_FAILURE, "check_params failed\n");
+
+	ret = init_lcore_rx_queues();
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n");
+
+	nb_lcores = rte_lcore_count();
+
+	/* Replicate each contex per socket */
+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+		if (rte_lcore_is_enabled(lcore_id) == 0)
+			continue;
+
+		if (numa_on)
+			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
+		else
+			socket_id = 0;
+
+		if (socket_ctx[socket_id].mbuf_pool)
+			continue;
+
+		sa_init(&socket_ctx[socket_id], socket_id, ep);
+
+		sp_init(&socket_ctx[socket_id], socket_id, ep);
+
+		rt_init(&socket_ctx[socket_id], socket_id, ep);
+
+		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
+	}
+
+	for (portid = 0; portid < nb_ports; portid++) {
+		if ((enabled_port_mask & (1 << portid)) == 0)
+			continue;
+
+		port_init(portid);
+	}
+
+	cryptodevs_init();
+
+	/* start ports */
+	for (portid = 0; portid < nb_ports; portid++) {
+		if ((enabled_port_mask & (1 << portid)) == 0)
+			continue;
+
+		/* Start device */
+		ret = rte_eth_dev_start(portid);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
+					"err=%d, port=%d\n", ret, portid);
+		/*
+		 * If enabled, put device in promiscuous mode.
+		 * This allows IO forwarding mode to forward packets
+		 * to itself through 2 cross-connected  ports of the
+		 * target machine.
+		 */
+		if (promiscuous_on)
+			rte_eth_promiscuous_enable(portid);
+	}
+
+	check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask);
+
+	/* launch per-lcore init on every lcore */
+	rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER);
+	RTE_LCORE_FOREACH_SLAVE(lcore_id) {
+		if (rte_eal_wait_lcore(lcore_id) < 0)
+			return -1;
+	}
+
+	return 0;
+}
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
new file mode 100644
index 0000000..192dddd
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec.c
@@ -0,0 +1,203 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_branch_prediction.h>
+#include <rte_log.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_mbuf.h>
+#include <rte_hash.h>
+
+#include "ipsec.h"
+
+static inline int
+create_session(struct ipsec_ctx *ipsec_ctx __rte_unused, struct ipsec_sa *sa)
+{
+	uint32_t cdev_id_qp = 0;
+	int32_t ret;
+	struct cdev_key key = { 0 };
+
+	key.lcore_id = (uint8_t)rte_lcore_id();
+
+	key.cipher_algo = (uint8_t)sa->cipher_algo;
+	key.auth_algo = (uint8_t)sa->auth_algo;
+
+	ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
+			(void **)&cdev_id_qp);
+	if (ret < 0) {
+		IPSEC_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, "
+				"auth_algo %u\n", key.lcore_id, key.cipher_algo,
+				key.auth_algo);
+		return -1;
+	}
+
+	IPSEC_LOG(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev "
+			"%u qp %u\n", sa->spi, ipsec_ctx->tbl[cdev_id_qp].id,
+			ipsec_ctx->tbl[cdev_id_qp].qp);
+
+	sa->crypto_session = rte_cryptodev_sym_session_create(
+			ipsec_ctx->tbl[cdev_id_qp].id, sa->xforms);
+
+	sa->cdev_id_qp = cdev_id_qp;
+
+	return 0;
+}
+
+static inline void
+enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop)
+{
+	int ret, i;
+
+	cqp->buf[cqp->len++] = cop;
+
+	if (cqp->len == MAX_PKT_BURST) {
+		ret = rte_cryptodev_enqueue_burst(cqp->id, cqp->qp,
+				cqp->buf, cqp->len);
+		if (ret < cqp->len) {
+			IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
+					" enqueued %u crypto ops out of %u\n",
+					 cqp->id, cqp->qp,
+					 ret, cqp->len);
+			for (i = ret; i < cqp->len; i++)
+				rte_pktmbuf_free(cqp->buf[i]->sym->m_src);
+		}
+		cqp->in_flight += ret;
+		cqp->len = 0;
+	}
+}
+
+static inline uint16_t
+ipsec_processing(struct ipsec_ctx *ipsec_ctx, struct rte_mbuf *pkts[],
+		struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts)
+{
+	int ret = 0, i, j, nb_cops;
+	struct ipsec_mbuf_metadata *priv;
+	struct rte_crypto_op *cops[max_pkts];
+	struct ipsec_sa *sa;
+	struct rte_mbuf *pkt;
+
+	for (i = 0; i < nb_pkts; i++) {
+		rte_prefetch0(sas[i]);
+		rte_prefetch0(pkts[i]);
+
+		priv = get_priv(pkts[i]);
+		sa = sas[i];
+		priv->sa = sa;
+
+		IPSEC_ASSERT(sa != NULL);
+
+		priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
+
+		rte_prefetch0(&priv->sym_cop);
+		priv->cop.sym = &priv->sym_cop;
+
+		if ((unlikely(sa->crypto_session == NULL)) &&
+				create_session(ipsec_ctx, sa)) {
+			rte_pktmbuf_free(pkts[i]);
+			continue;
+		}
+
+		rte_crypto_op_attach_sym_session(&priv->cop,
+				sa->crypto_session);
+
+		ret = sa->pre_crypto(pkts[i], sa, &priv->cop);
+		if (unlikely(ret)) {
+			rte_pktmbuf_free(pkts[i]);
+			continue;
+		}
+
+		IPSEC_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps);
+		enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop);
+	}
+
+	nb_pkts = 0;
+	for (i = 0; i < ipsec_ctx->nb_qps && nb_pkts < max_pkts; i++) {
+		struct cdev_qp *cqp;
+
+		cqp = &ipsec_ctx->tbl[ipsec_ctx->last_qp++];
+		if (ipsec_ctx->last_qp == ipsec_ctx->nb_qps)
+			ipsec_ctx->last_qp %= ipsec_ctx->nb_qps;
+
+		if (cqp->in_flight == 0)
+			continue;
+
+		nb_cops = rte_cryptodev_dequeue_burst(cqp->id, cqp->qp,
+				cops, max_pkts - nb_pkts);
+
+		cqp->in_flight -= nb_cops;
+
+		for (j = 0; j < nb_cops; j++) {
+			pkt = cops[j]->sym->m_src;
+			rte_prefetch0(pkt);
+
+			priv = get_priv(pkt);
+			sa = priv->sa;
+
+			IPSEC_ASSERT(sa != NULL);
+
+			ret = sa->post_crypto(pkt, sa, cops[j]);
+			if (unlikely(ret))
+				rte_pktmbuf_free(pkt);
+			else
+				pkts[nb_pkts++] = pkt;
+		}
+	}
+
+	/* return packets */
+	return nb_pkts;
+}
+
+uint16_t
+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint16_t nb_pkts, uint16_t len)
+{
+	struct ipsec_sa *sas[nb_pkts];
+
+	inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts);
+
+	return ipsec_processing(ctx, pkts, sas, nb_pkts, len);
+}
+
+uint16_t
+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len)
+{
+	struct ipsec_sa *sas[nb_pkts];
+
+	outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts);
+
+	return ipsec_processing(ctx, pkts, sas, nb_pkts, len);
+}
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
new file mode 100644
index 0000000..2ab01fc
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec.h
@@ -0,0 +1,192 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __IPSEC_H__
+#define __IPSEC_H__
+
+#include <stdint.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_byteorder.h>
+#include <rte_ip.h>
+#include <rte_crypto.h>
+
+#define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
+#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
+#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3
+
+#define MAX_PKT_BURST 32
+#define MAX_QP_PER_LCORE 256
+
+#ifdef IPSEC_DEBUG
+#define IPSEC_ASSERT(exp)                                            \
+if (!(exp)) {                                                        \
+	rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \
+}
+
+#define IPSEC_LOG RTE_LOG
+#else
+#define IPSEC_ASSERT(exp) do {} while (0)
+#define IPSEC_LOG(...) do {} while (0)
+#endif /* IPSEC_DEBUG */
+
+#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
+
+#define uint32_t_to_char(ip, a, b, c, d) do {\
+		*a = (unsigned char)(ip >> 24 & 0xff);\
+		*b = (unsigned char)(ip >> 16 & 0xff);\
+		*c = (unsigned char)(ip >> 8 & 0xff);\
+		*d = (unsigned char)(ip & 0xff);\
+	} while (0)
+
+#define DEFAULT_MAX_CATEGORIES	1
+
+#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */
+#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
+#define INVALID_SPI (0)
+
+#define DISCARD (0x80000000)
+#define BYPASS (0x40000000)
+#define PROTECT_MASK (0x3fffffff)
+#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */
+
+#define IPSEC_XFORM_MAX 2
+
+struct rte_crypto_xform;
+struct ipsec_xform;
+struct rte_cryptodev_session;
+struct rte_mbuf;
+
+struct ipsec_sa;
+
+typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+struct ipsec_sa {
+	uint32_t spi;
+	uint32_t cdev_id_qp;
+	uint32_t src;
+	uint32_t dst;
+	struct rte_cryptodev_sym_session *crypto_session;
+	struct rte_crypto_sym_xform *xforms;
+	ipsec_xform_fn pre_crypto;
+	ipsec_xform_fn post_crypto;
+	enum rte_crypto_cipher_algorithm cipher_algo;
+	enum rte_crypto_auth_algorithm auth_algo;
+	uint16_t digest_len;
+	uint16_t iv_len;
+	uint16_t block_size;
+	uint16_t flags;
+	uint32_t seq;
+} __rte_cache_aligned;
+
+struct ipsec_mbuf_metadata {
+	struct ipsec_sa *sa;
+	struct rte_crypto_op cop;
+	struct rte_crypto_sym_op sym_cop;
+};
+
+struct cdev_qp {
+	uint16_t id;
+	uint16_t qp;
+	uint16_t in_flight;
+	uint16_t len;
+	struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
+};
+
+struct ipsec_ctx {
+	struct rte_hash *cdev_map;
+	struct sp_ctx *sp_ctx;
+	struct sa_ctx *sa_ctx;
+	uint16_t nb_qps;
+	uint16_t last_qp;
+	struct cdev_qp tbl[MAX_QP_PER_LCORE];
+};
+
+struct cdev_key {
+	uint16_t lcore_id;
+	uint8_t cipher_algo;
+	uint8_t auth_algo;
+};
+
+struct socket_ctx {
+	struct sa_ctx *sa_ipv4_in;
+	struct sa_ctx *sa_ipv4_out;
+	struct sp_ctx *sp_ipv4_in;
+	struct sp_ctx *sp_ipv4_out;
+	struct rt_ctx *rt_ipv4;
+	struct rte_mempool *mbuf_pool;
+};
+
+uint16_t
+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint16_t nb_pkts, uint16_t len);
+
+uint16_t
+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
+
+static inline uint16_t
+ipsec_metadata_size(void)
+{
+	return sizeof(struct ipsec_mbuf_metadata);
+}
+
+static inline struct ipsec_mbuf_metadata *
+get_priv(struct rte_mbuf *m)
+{
+	return RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
+}
+
+int
+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
+
+void
+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts);
+
+void
+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts);
+
+void
+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+void
+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+void
+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+#endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c
new file mode 100644
index 0000000..224f200
--- /dev/null
+++ b/examples/ipsec-secgw/rt.c
@@ -0,0 +1,144 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Routing Table (RT)
+ */
+#include <rte_lpm.h>
+#include <rte_errno.h>
+
+#include "ipsec.h"
+
+#define RT_IPV4_MAX_RULES         64
+
+struct ipv4_route {
+	uint32_t ip;
+	uint8_t  depth;
+	uint8_t  if_out;
+};
+
+/* In the default routing table we have:
+ * ep0 protected ports 0 and 1, and unprotected ports 2 and 3.
+ */
+static struct ipv4_route rt_ipv4_ep0[] = {
+	{ IPv4(172, 16, 2, 5), 32, 0 },
+	{ IPv4(172, 16, 2, 6), 32, 0 },
+	{ IPv4(172, 16, 2, 7), 32, 1 },
+	{ IPv4(172, 16, 2, 8), 32, 1 },
+
+	{ IPv4(192, 168, 115, 0), 24, 2 },
+	{ IPv4(192, 168, 116, 0), 24, 2 },
+	{ IPv4(192, 168, 117, 0), 24, 3 },
+	{ IPv4(192, 168, 118, 0), 24, 3 },
+
+	{ IPv4(192, 168, 210, 0), 24, 2 },
+
+	{ IPv4(192, 168, 240, 0), 24, 2 },
+	{ IPv4(192, 168, 250, 0), 24, 0 }
+};
+
+/* In the default routing table we have:
+ * ep1 protected ports 0 and 1, and unprotected ports 2 and 3.
+ */
+static struct ipv4_route rt_ipv4_ep1[] = {
+	{ IPv4(172, 16, 1, 5), 32, 2 },
+	{ IPv4(172, 16, 1, 6), 32, 2 },
+	{ IPv4(172, 16, 1, 7), 32, 3 },
+	{ IPv4(172, 16, 1, 8), 32, 3 },
+
+	{ IPv4(192, 168, 105, 0), 24, 0 },
+	{ IPv4(192, 168, 106, 0), 24, 0 },
+	{ IPv4(192, 168, 107, 0), 24, 1 },
+	{ IPv4(192, 168, 108, 0), 24, 1 },
+
+	{ IPv4(192, 168, 200, 0), 24, 0 },
+
+	{ IPv4(192, 168, 240, 0), 24, 2 },
+	{ IPv4(192, 168, 250, 0), 24, 0 }
+};
+
+void
+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+	char name[PATH_MAX];
+	unsigned i;
+	int ret;
+	struct rte_lpm *lpm;
+	struct ipv4_route *rt;
+	char a, b, c, d;
+	unsigned nb_routes;
+	struct rte_lpm_config conf = { 0 };
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->rt_ipv4 != NULL)
+		rte_exit(EXIT_FAILURE, "Routing Table for socket %u already "
+			"initialized\n", socket_id);
+
+	printf("Creating Routing Table (RT) context with %u max routes\n",
+			RT_IPV4_MAX_RULES);
+
+	if (ep == 0) {
+		rt = rt_ipv4_ep0;
+		nb_routes = RTE_DIM(rt_ipv4_ep0);
+	} else if (ep == 1) {
+		rt = rt_ipv4_ep1;
+		nb_routes = RTE_DIM(rt_ipv4_ep1);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 "
+			"supported.\n", ep);
+
+	/* create the LPM table */
+	snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id);
+	conf.max_rules = RT_IPV4_MAX_RULES;
+	conf.number_tbl8s = RTE_LPM_TBL8_NUM_ENTRIES;
+	lpm = rte_lpm_create(name, socket_id, &conf);
+	if (lpm == NULL)
+		rte_exit(EXIT_FAILURE, "Unable to create LPM table "
+			"on socket %d\n", socket_id);
+
+	/* populate the LPM table */
+	for (i = 0; i < nb_routes; i++) {
+		ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "Unable to add entry num %u to "
+				"LPM table on socket %d\n", i, socket_id);
+
+		uint32_t_to_char(rt[i].ip, &a, &b, &c, &d);
+		printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n",
+				a, b, c, d, rt[i].depth, rt[i].if_out);
+	}
+
+	ctx->rt_ipv4 = (struct rt_ctx *)lpm;
+}
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
new file mode 100644
index 0000000..5483064
--- /dev/null
+++ b/examples/ipsec-secgw/sa.c
@@ -0,0 +1,438 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Associations
+ */
+#include <netinet/ip.h>
+
+#include <rte_memzone.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_byteorder.h>
+#include <rte_errno.h>
+
+#include "ipsec.h"
+#include "esp.h"
+
+/* SAs EP0 Outbound */
+const struct ipsec_sa sa_ep0_out[] = {
+	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL,
+		0, 0, 4,
+		0, 0 },
+};
+
+/* SAs EP0 Inbound */
+const struct ipsec_sa sa_ep0_in[] = {
+	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL,
+		0, 0, 4,
+		0, 0 },
+};
+
+/* SAs EP1 Outbound */
+const struct ipsec_sa sa_ep1_out[] = {
+	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL,
+		0, 0, 4,
+		0, 0 },
+};
+
+/* SAs EP1 Inbound */
+const struct ipsec_sa sa_ep1_in[] = {
+	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL,
+		0, 0, 4,
+		0, 0 },
+};
+
+static uint8_t cipher_key[256] = "sixteenbytes key";
+
+/* AES CBC xform */
+const struct rte_crypto_sym_xform aescbc_enc_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_CIPHER,
+	.cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
+		.key = { cipher_key, 16 } }
+};
+
+const struct rte_crypto_sym_xform aescbc_dec_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_CIPHER,
+	.cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
+		.key = { cipher_key, 16 } }
+};
+
+static uint8_t auth_key[256] = "twentybytes hash key";
+
+/* SHA1 HMAC xform */
+const struct rte_crypto_sym_xform sha1hmac_gen_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_AUTH,
+	.auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		.key = { auth_key, 20 }, 12, 0 }
+};
+
+const struct rte_crypto_sym_xform sha1hmac_verify_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_AUTH,
+	.auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		.key = { auth_key, 20 }, 12, 0 }
+};
+
+/* AES CBC xform */
+const struct rte_crypto_sym_xform null_cipher_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_CIPHER,
+	.cipher = { .algo = RTE_CRYPTO_CIPHER_NULL }
+};
+
+const struct rte_crypto_sym_xform null_auth_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_AUTH,
+	.auth = { .algo = RTE_CRYPTO_AUTH_NULL }
+};
+
+struct sa_ctx {
+	struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES];
+	struct {
+		struct rte_crypto_sym_xform a;
+		struct rte_crypto_sym_xform b;
+	} xf[IPSEC_SA_MAX_ENTRIES];
+};
+
+static struct sa_ctx *
+sa_ipv4_create(const char *name, int socket_id)
+{
+	char s[PATH_MAX];
+	struct sa_ctx *sa_ctx;
+	unsigned mz_size;
+	const struct rte_memzone *mz;
+
+	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
+
+	/* Create SA array table */
+	printf("Creating SA context with %u maximum entries\n",
+			IPSEC_SA_MAX_ENTRIES);
+
+	mz_size = sizeof(struct sa_ctx);
+	mz = rte_memzone_reserve(s, mz_size, socket_id,
+			RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
+	if (mz == NULL) {
+		printf("Failed to allocate SA DB memory\n");
+		rte_errno = -ENOMEM;
+		return NULL;
+	}
+
+	sa_ctx = (struct sa_ctx *)mz->addr;
+
+	return sa_ctx;
+}
+
+static int
+sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+		unsigned nb_entries, unsigned inbound)
+{
+	struct ipsec_sa *sa;
+	unsigned i, idx;
+
+	for (i = 0; i < nb_entries; i++) {
+		idx = SPI2IDX(entries[i].spi);
+		sa = &sa_ctx->sa[idx];
+		if (sa->spi != 0) {
+			printf("Index %u already in use by SPI %u\n",
+					idx, sa->spi);
+			return -EINVAL;
+		}
+		*sa = entries[i];
+		sa->src = rte_cpu_to_be_32(sa->src);
+		sa->dst = rte_cpu_to_be_32(sa->dst);
+		if (inbound) {
+			if (sa->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
+				sa_ctx->xf[idx].a = null_auth_xf;
+				sa_ctx->xf[idx].b = null_cipher_xf;
+			} else {
+				sa_ctx->xf[idx].a = sha1hmac_verify_xf;
+				sa_ctx->xf[idx].b = aescbc_dec_xf;
+			}
+		} else { /* outbound */
+			if (sa->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
+				sa_ctx->xf[idx].a = null_cipher_xf;
+				sa_ctx->xf[idx].b = null_auth_xf;
+			} else {
+				sa_ctx->xf[idx].a = aescbc_enc_xf;
+				sa_ctx->xf[idx].b = sha1hmac_gen_xf;
+			}
+		}
+		sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+		sa_ctx->xf[idx].b.next = NULL;
+		sa->xforms = &sa_ctx->xf[idx].a;
+	}
+
+	return 0;
+}
+
+static inline int
+sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+		unsigned nb_entries)
+{
+	return sa_add_rules(sa_ctx, entries, nb_entries, 0);
+}
+
+static inline int
+sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+		unsigned nb_entries)
+{
+	return sa_add_rules(sa_ctx, entries, nb_entries, 1);
+}
+
+void
+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+	const struct ipsec_sa *sa_out_entries, *sa_in_entries;
+	unsigned nb_out_entries, nb_in_entries;
+	const char *name;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->sa_ipv4_in != NULL)
+		rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ctx->sa_ipv4_out != NULL)
+		rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ep == 0) {
+		sa_out_entries = sa_ep0_out;
+		nb_out_entries = RTE_DIM(sa_ep0_out);
+		sa_in_entries = sa_ep0_in;
+		nb_in_entries = RTE_DIM(sa_ep0_in);
+	} else if (ep == 1) {
+		sa_out_entries = sa_ep1_out;
+		nb_out_entries = RTE_DIM(sa_ep1_out);
+		sa_in_entries = sa_ep1_in;
+		nb_in_entries = RTE_DIM(sa_ep1_in);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+				"Only 0 or 1 supported.\n", ep);
+
+	name = "sa_ipv4_in";
+	ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id);
+	if (ctx->sa_ipv4_in == NULL)
+		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
+				"in socket %d\n", rte_errno, name, socket_id);
+
+	name = "sa_ipv4_out";
+	ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id);
+	if (ctx->sa_ipv4_out == NULL)
+		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
+				"in socket %d\n", rte_errno, name, socket_id);
+
+	sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, nb_in_entries);
+
+	sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, nb_out_entries);
+}
+
+int
+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx)
+{
+	struct ipsec_mbuf_metadata *priv;
+
+	priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
+
+	return (sa_ctx->sa[sa_idx].spi == priv->sa->spi);
+}
+
+void
+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts)
+{
+	unsigned i;
+	uint32_t *src, spi;
+
+	for (i = 0; i < nb_pkts; i++) {
+		spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *,
+				sizeof(struct ip))->spi;
+
+		if (spi == INVALID_SPI)
+			continue;
+
+		sa[i] = &sa_ctx->sa[SPI2IDX(spi)];
+		if (spi != sa[i]->spi) {
+			sa[i] = NULL;
+			continue;
+		}
+
+		src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *,
+				offsetof(struct ip, ip_src));
+		if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1)))
+			sa[i] = NULL;
+	}
+}
+
+void
+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts)
+{
+	unsigned i;
+
+	for (i = 0; i < nb_pkts; i++)
+		sa[i] = &sa_ctx->sa[sa_idx[i]];
+}
diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c
new file mode 100644
index 0000000..69c9027
--- /dev/null
+++ b/examples/ipsec-secgw/sp.c
@@ -0,0 +1,364 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Policies
+ */
+#include <netinet/ip.h>
+
+#include <rte_acl.h>
+
+#include "ipsec.h"
+
+#define MAX_ACL_RULE_NUM	1000
+
+/*
+ * Rule and trace formats definitions.
+ */
+enum {
+	PROTO_FIELD_IPV4,
+	SRC_FIELD_IPV4,
+	DST_FIELD_IPV4,
+	SRCP_FIELD_IPV4,
+	DSTP_FIELD_IPV4,
+	NUM_FIELDS_IPV4
+};
+
+/*
+ * That effectively defines order of IPV4 classifications:
+ *  - PROTO
+ *  - SRC IP ADDRESS
+ *  - DST IP ADDRESS
+ *  - PORTS (SRC and DST)
+ */
+enum {
+	RTE_ACL_IPV4_PROTO,
+	RTE_ACL_IPV4_SRC,
+	RTE_ACL_IPV4_DST,
+	RTE_ACL_IPV4_PORTS,
+	RTE_ACL_IPV4_NUM
+};
+
+struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
+	{
+	.type = RTE_ACL_FIELD_TYPE_BITMASK,
+	.size = sizeof(uint8_t),
+	.field_index = PROTO_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PROTO,
+	.offset = 0,
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = sizeof(uint32_t),
+	.field_index = SRC_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_SRC,
+	.offset = offsetof(struct ip, ip_src) -	offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = sizeof(uint32_t),
+	.field_index = DST_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_DST,
+	.offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = SRCP_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PORTS,
+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = DSTP_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PORTS,
+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
+		sizeof(uint16_t)
+	},
+};
+
+RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs));
+
+const struct acl4_rules acl4_rules_in[] = {
+	{
+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 105, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 106, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 107, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 108, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 200, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 6},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 250, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+const struct acl4_rules acl4_rules_out[] = {
+	{
+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 115, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 116, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 117, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 118, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 210, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 6},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 240, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+static void
+print_one_ipv4_rule(const struct acl4_rules *rule, int extra)
+{
+	unsigned char a, b, c, d;
+
+	uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
+			&a, &b, &c, &d);
+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+			rule->field[SRC_FIELD_IPV4].mask_range.u32);
+	uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
+			&a, &b, &c, &d);
+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+			rule->field[DST_FIELD_IPV4].mask_range.u32);
+	printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
+		rule->field[SRCP_FIELD_IPV4].value.u16,
+		rule->field[SRCP_FIELD_IPV4].mask_range.u16,
+		rule->field[DSTP_FIELD_IPV4].value.u16,
+		rule->field[DSTP_FIELD_IPV4].mask_range.u16,
+		rule->field[PROTO_FIELD_IPV4].value.u8,
+		rule->field[PROTO_FIELD_IPV4].mask_range.u8);
+	if (extra)
+		printf("0x%x-0x%x-0x%x ",
+			rule->data.category_mask,
+			rule->data.priority,
+			rule->data.userdata);
+}
+
+static inline void
+dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra)
+{
+	int i;
+
+	for (i = 0; i < num; i++, rule++) {
+		printf("\t%d:", i + 1);
+		print_one_ipv4_rule(rule, extra);
+		printf("\n");
+	}
+}
+
+static struct rte_acl_ctx *
+acl4_init(const char *name, int socketid, const struct acl4_rules *rules,
+		unsigned rules_nb)
+{
+	char s[PATH_MAX];
+	struct rte_acl_param acl_param;
+	struct rte_acl_config acl_build_param;
+	struct rte_acl_ctx *ctx;
+
+	printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
+
+	memset(&acl_param, 0, sizeof(acl_param));
+
+	/* Create ACL contexts */
+	snprintf(s, sizeof(s), "%s_%d", name, socketid);
+
+	printf("IPv4 %s entries [%u]:\n", s, rules_nb);
+	dump_ipv4_rules(rules, rules_nb, 1);
+
+	acl_param.name = s;
+	acl_param.socket_id = socketid;
+	acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs));
+	acl_param.max_rule_num = MAX_ACL_RULE_NUM;
+
+	ctx = rte_acl_create(&acl_param);
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
+
+	if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
+				rules_nb) < 0)
+		rte_exit(EXIT_FAILURE, "add rules failed\n");
+
+	/* Perform builds */
+	memset(&acl_build_param, 0, sizeof(acl_build_param));
+
+	acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
+	acl_build_param.num_fields = RTE_DIM(ipv4_defs);
+	memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs));
+
+	if (rte_acl_build(ctx, &acl_build_param) != 0)
+		rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
+
+	rte_acl_dump(ctx);
+
+	return ctx;
+}
+
+void
+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+	const char *name;
+	const struct acl4_rules *rules_out, *rules_in;
+	unsigned nb_out_rules, nb_in_rules;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->sp_ipv4_in != NULL)
+		rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ctx->sp_ipv4_out != NULL)
+		rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ep == 0) {
+		rules_out = acl4_rules_in;
+		nb_out_rules = RTE_DIM(acl4_rules_in);
+		rules_in = acl4_rules_out;
+		nb_in_rules = RTE_DIM(acl4_rules_out);
+	} else if (ep == 1) {
+		rules_out = acl4_rules_out;
+		nb_out_rules = RTE_DIM(acl4_rules_out);
+		rules_in = acl4_rules_in;
+		nb_in_rules = RTE_DIM(acl4_rules_in);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+				"Only 0 or 1 supported.\n", ep);
+
+	name = "sp_ipv4_in";
+	ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id,
+			rules_in, nb_in_rules);
+
+	name = "sp_ipv4_out";
+	ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id,
+			rules_out, nb_out_rules);
+}
-- 
2.4.3

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH v2] example/ipsec-secgw: ipsec security gateway
  2016-03-11  1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy
@ 2016-03-11  2:12   ` De Lara Guarch, Pablo
  2016-03-11  2:12   ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy
  1 sibling, 0 replies; 15+ messages in thread
From: De Lara Guarch, Pablo @ 2016-03-11  2:12 UTC (permalink / raw)
  To: Gonzalez Monroy, Sergio, dev

Hi,

> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Sergio Gonzalez
> Monroy
> Sent: Friday, March 11, 2016 1:39 AM
> To: dev@dpdk.org
> Subject: [dpdk-dev] [PATCH v2] example/ipsec-secgw: ipsec security gateway
> 
> Sample app implementing an IPsec Security Geteway.
> The main goal of this app is to show the use of cryptodev framework
> in a "real world" application.
> 
> Currently only supported static IPv4 ESP IPsec tunnels for the following
> algorithms:
> - Cipher: AES-CBC, NULL
> - Authentication: HMAC-SHA1, NULL
> 
> Not supported:
> - SA auto negotiation (No IKE implementation)
> - chained mbufs
> 
> Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> ---
> 
> v2:
>  - Update to use new cryptodev API
>  - NULL PMD support
>    * dependency on "null_crypto_pmd: PMD to support null crypto
> operations"
>    http://dpdk.org/dev/patchwork/patch/11428/
>  - Added --single-sa option to bypass SP/ACL
>  - Removed option for QAT/AESNI and instead expects vdev to be created
>    through EAL with command line options.
>    * dependency on "cryptodev: add capabilities discovery mechanism"
>    http://dpdk.org/dev/patchwork/patch/11434/
>  - fixed inbound traffic bug
>  - fixed bug with single core bi-directional traffic (inbound and outbound)
> 
>  MAINTAINERS                              |    4 +
>  doc/guides/rel_notes/release_16_04.rst   |    3 +
>  doc/guides/sample_app_ug/index.rst       |    1 +
>  doc/guides/sample_app_ug/ipsec_secgw.rst |  524 ++++++++++++
>  examples/Makefile                        |    2 +
>  examples/ipsec-secgw/Makefile            |   58 ++
>  examples/ipsec-secgw/esp.c               |  250 ++++++
>  examples/ipsec-secgw/esp.h               |   66 ++
>  examples/ipsec-secgw/ipip.h              |  103 +++
>  examples/ipsec-secgw/ipsec-secgw.c       | 1360
> ++++++++++++++++++++++++++++++
>  examples/ipsec-secgw/ipsec.c             |  203 +++++
>  examples/ipsec-secgw/ipsec.h             |  192 +++++
>  examples/ipsec-secgw/rt.c                |  144 ++++
>  examples/ipsec-secgw/sa.c                |  438 ++++++++++
>  examples/ipsec-secgw/sp.c                |  364 ++++++++
>  15 files changed, 3712 insertions(+)
>  create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst
>  create mode 100644 examples/ipsec-secgw/Makefile
>  create mode 100644 examples/ipsec-secgw/esp.c
>  create mode 100644 examples/ipsec-secgw/esp.h
>  create mode 100644 examples/ipsec-secgw/ipip.h
>  create mode 100644 examples/ipsec-secgw/ipsec-secgw.c
>  create mode 100644 examples/ipsec-secgw/ipsec.c
>  create mode 100644 examples/ipsec-secgw/ipsec.h
>  create mode 100644 examples/ipsec-secgw/rt.c
>  create mode 100644 examples/ipsec-secgw/sa.c
>  create mode 100644 examples/ipsec-secgw/sp.c
> 


> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
> b/doc/guides/sample_app_ug/ipsec_secgw.rst
> new file mode 100644
> index 0000000..bc41ea8
> --- /dev/null
> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> @@ -0,0 +1,524 @@
> +..  BSD LICENSE
> +    Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
> +    All rights reserved.

Copyright dates should be 2016, not from 2010.

> +
> +    Redistribution and use in source and binary forms, with or without
> +    modification, are permitted provided that the following conditions
> +    are met:
> +
> +    * Redistributions of source code must retain the above copyright
> +    notice, this list of conditions and the following disclaimer.
> +    * Redistributions in binary form must reproduce the above copyright
> +    notice, this list of conditions and the following disclaimer in
> +    the documentation and/or other materials provided with the
> +    distribution.

[...]

> +static inline void
> +process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts,
> +		uint8_t nb_pkts, uint8_t portid)
> +{
> +	struct ipsec_traffic traffic = { 0 };

Clang complains here.

> +
> +	prepare_traffic(pkts, &traffic, nb_pkts);
> +
> +	if (single_sa) {
> +		if (UNPROTECTED_PORT(portid))
> +			process_pkts_inbound_nosp(&qconf->inbound,
> &traffic);
> +		else
> +			process_pkts_outbound_nosp(&qconf->outbound,
> &traffic);
> +	} else {
> +		if (UNPROTECTED_PORT(portid))
> +			process_pkts_inbound(&qconf->inbound, &traffic);
> +		else
> +			process_pkts_outbound(&qconf->outbound,
> &traffic);
> +	}
> +
> +	route_pkts(qconf->rt_ctx, traffic.ipv4.pkts, traffic.ipv4.num);
> +}
> +

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway
  2016-03-11  1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy
  2016-03-11  2:12   ` De Lara Guarch, Pablo
@ 2016-03-11  2:12   ` Sergio Gonzalez Monroy
  2016-03-11 10:01     ` De Lara Guarch, Pablo
  2016-03-11 10:02     ` Thomas Monjalon
  1 sibling, 2 replies; 15+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-03-11  2:12 UTC (permalink / raw)
  To: dev

Sample app implementing an IPsec Security Geteway.
The main goal of this app is to show the use of cryptodev framework
in a "real world" application.

Currently only supported static IPv4 ESP IPsec tunnels for the following
algorithms:
- Cipher: AES-CBC, NULL
- Authentication: HMAC-SHA1, NULL

Not supported:
- SA auto negotiation (No IKE implementation)
- chained mbufs

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
---

v3:
 - Fix Copyright
 - Fix clang

v2:
 - Update to use new cryptodev API
 - NULL PMD support
   * dependency on "null_crypto_pmd: PMD to support null crypto operations"
   http://dpdk.org/dev/patchwork/patch/11428/
 - Added --single-sa option to bypass SP/ACL
 - Removed option for QAT/AESNI and instead expects vdev to be created
   through EAL with command line options.
   * dependency on "cryptodev: add capabilities discovery mechanism"
   http://dpdk.org/dev/patchwork/patch/11434/
 - fixed inbound traffic bug
 - fixed bug with single core bi-directional traffic (inbound and outbound)

 MAINTAINERS                              |    4 +
 doc/guides/rel_notes/release_16_04.rst   |    3 +
 doc/guides/sample_app_ug/index.rst       |    1 +
 doc/guides/sample_app_ug/ipsec_secgw.rst |  524 ++++++++++++
 examples/Makefile                        |    1 +
 examples/ipsec-secgw/Makefile            |   58 ++
 examples/ipsec-secgw/esp.c               |  250 ++++++
 examples/ipsec-secgw/esp.h               |   66 ++
 examples/ipsec-secgw/ipip.h              |  103 +++
 examples/ipsec-secgw/ipsec-secgw.c       | 1360 ++++++++++++++++++++++++++++++
 examples/ipsec-secgw/ipsec.c             |  203 +++++
 examples/ipsec-secgw/ipsec.h             |  192 +++++
 examples/ipsec-secgw/rt.c                |  144 ++++
 examples/ipsec-secgw/sa.c                |  438 ++++++++++
 examples/ipsec-secgw/sp.c                |  364 ++++++++
 15 files changed, 3711 insertions(+)
 create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst
 create mode 100644 examples/ipsec-secgw/Makefile
 create mode 100644 examples/ipsec-secgw/esp.c
 create mode 100644 examples/ipsec-secgw/esp.h
 create mode 100644 examples/ipsec-secgw/ipip.h
 create mode 100644 examples/ipsec-secgw/ipsec-secgw.c
 create mode 100644 examples/ipsec-secgw/ipsec.c
 create mode 100644 examples/ipsec-secgw/ipsec.h
 create mode 100644 examples/ipsec-secgw/rt.c
 create mode 100644 examples/ipsec-secgw/sa.c
 create mode 100644 examples/ipsec-secgw/sp.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 59e981f..67938bc 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -617,3 +617,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst
 M: Pablo de Lara <pablo.de.lara.guarch@intel.com>
 M: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
 F: examples/ptpclient/
+
+M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
+F: doc/guides/sample_app_ug/ipsec-secgw.rst
+F: examples/ipsec-secgw/
diff --git a/doc/guides/rel_notes/release_16_04.rst b/doc/guides/rel_notes/release_16_04.rst
index f69feac..c3fb18a 100644
--- a/doc/guides/rel_notes/release_16_04.rst
+++ b/doc/guides/rel_notes/release_16_04.rst
@@ -148,6 +148,9 @@ Examples
   vhost-switch often fails to allocate mbuf when dequeue from vring because it
   wrongly calculates the number of mbufs needed.
 
+* **examples/ipsec-secgw: ipsec security gateway**
+
+  New application implementing an IPsec Security Gateway.
 
 Other
 ~~~~~
diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst
index 8a646dd..88375d2 100644
--- a/doc/guides/sample_app_ug/index.rst
+++ b/doc/guides/sample_app_ug/index.rst
@@ -73,6 +73,7 @@ Sample Applications User Guide
     proc_info
     ptpclient
     performance_thread
+    ipsec_secgw
 
 **Figures**
 
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
new file mode 100644
index 0000000..9bb5bed
--- /dev/null
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -0,0 +1,524 @@
+..  BSD LICENSE
+    Copyright(c) 2016 Intel Corporation. All rights reserved.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions
+    are met:
+
+    * Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+    * Neither the name of Intel Corporation nor the names of its
+    contributors may be used to endorse or promote products derived
+    from this software without specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+IPsec Security Gateway Sample Application
+=========================================
+
+The IPsec Security Gateway application is an example of a "real world"
+application using DPDK cryptodev framework.
+
+Overview
+--------
+
+The application demonstrates the implementation of a Security Gateway
+(not IPsec compliant, see Constraints bellow) using DPDK based on RFC4301,
+RFC4303, RFC3602 and RFC2404.
+
+Internet Key Exchange (IKE) is not implemented, so only manual setting of
+Security Policies and Security Associations is supported.
+
+The Security Policies (SP) are implemented as ACL rules, the Security
+Associations (SA) are stored in a table and the Routing is implemented
+using LPM.
+
+The application classify the ports between Protected and Unprotected.
+Thus, traffic received in an Unprotected or Protected port is consider
+Inbound or Outbound respectively.
+
+Path for IPsec Inbound traffic:
+
+*  Read packets from the port
+*  Classify packets between IPv4 and ESP.
+*  Inbound SA lookup for ESP packets based on their SPI
+*  Verification/Decryption
+*  Removal of ESP and outer IP header
+*  Inbound SP check using ACL of decrypted packets and any other IPv4 packet
+   we read.
+*  Routing
+*  Write packet to port
+
+Path for IPsec Outbound traffic:
+
+*  Read packets from the port
+*  Outbound SP check using ACL of all IPv4 traffic
+*  Outbound SA lookup for packets that need IPsec protection
+*  Add ESP and outter IP header
+*  Encryption/Digest
+*  Routing
+*  Write packet to port
+
+Constraints
+-----------
+*  IPv4 traffic
+*  ESP tunnel mode
+*  EAS-CBC, HMAC-SHA1 and NULL
+*  Each SA must be handle by a unique lcore (1 RX queue per port)
+*  No chained mbufs
+
+Compiling the Application
+-------------------------
+
+To compile the application:
+
+#. Go to the sample application directory:
+
+   .. code-block:: console
+
+      export RTE_SDK=/path/to/rte_sdk
+      cd ${RTE_SDK}/examples/ipsec-secgw
+
+#. Set the target (a default target is used if not specified). For example:
+
+   .. code-block:: console
+
+      export RTE_TARGET=x86_64-native-linuxapp-gcc
+
+   See the *DPDK Getting Started Guide* for possible RTE_TARGET values.
+
+#. Build the application:
+
+   .. code-block:: console
+
+       make
+
+Running the Application
+-----------------------
+
+The application has a number of command line options:
+
+.. code-block:: console
+
+   ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config
+   (port,queue,lcore)[,(port,queue,lcore] --single-sa SAIDX --ep0|--ep1
+
+where,
+
+*   -p PORTMASK: Hexadecimal bitmask of ports to configure
+
+*   -P: optional, sets all ports to promiscuous mode so that packets are
+    accepted regardless of the packet's Ethernet MAC destination address.
+    Without this option, only packets with the Ethernet MAC destination address
+    set to the Ethernet address of the port are accepted (default is enabled).
+
+*   -u PORTMASK: hexadecimal bitmask of unprotected ports
+
+*   --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues
+    from which ports are mapped to which cores
+
+*   --single-sa SAIDX: use a single SA for outbound traffic, bypassing the SP
+    on both Inbound and Outbound. This option is meant for debugging/performance
+    purposes.
+
+*   --ep0: configure the app as Endpoint 0.
+
+*   --ep1: configure the app as Endpoint 1.
+
+Either one of --ep0 or --ep1 *must* be specified.
+The main purpose of these options is two easily configure two systems
+back-to-back that would forward traffic through an IPsec tunnel.
+
+The mapping of lcores to port/queues is similar to other l3fwd applications.
+
+For example, given the following command line:
+
+.. code-block:: console
+
+    ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048
+           --vdev "cryptodev_null_pmd" -- -p 0xf -P -u 0x3
+           --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --ep0
+
+where each options means:
+
+*   The -l option enables cores 20 and 21
+
+*   The -n option sets memory 4 channels
+
+*   The --socket-mem to use 2GB on socket 1
+
+*   The --vdev "cryptodev_null_pmd" option creates virtual NULL cryptodev PMD
+
+*   The -p option enables ports (detected) 0, 1, 2 and 3
+
+*   The -P option enables promiscuous mode
+
+*   The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected
+
+*   The --config option enables one queue per port with the following mapping:
+
++----------+-----------+-----------+---------------------------------------+
+| **Port** | **Queue** | **lcore** | **Description**                       |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 0        | 0         | 20        | Map queue 0 from port 0 to lcore 20.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 1        | 0         | 20        | Map queue 0 from port 1 to lcore 20.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 2        | 0         | 21        | Map queue 0 from port 2 to lcore 21.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+| 3        | 0         | 21        | Map queue 0 from port 3 to lcore 21.  |
+|          |           |           |                                       |
++----------+-----------+-----------+---------------------------------------+
+
+*   The --ep0 options configures the app with a given set of SP, SA and Routing
+    entries as explained below in more detail.
+
+Refer to the *DPDK Getting Started Guide* for general information on running
+applications and the Environment Abstraction Layer (EAL) options.
+
+The application would do a best effort to "map" crypto devices to cores, with
+hardware devices having priority.
+This means that if the application is using a single core and both hardware
+and software crypto devices are detected, hardware devices will be used.
+
+A way to achive the case where you want to force the use of virtual crypto
+devices is to whitelist the ethernet devices needed and therefore implicitely
+blacklisting all hardware crypto devices.
+
+For example, something like the following command line:
+
+.. code-block:: console
+
+    ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048
+            -w 81:00.0 -w 81:00.1 -w 81:00.2 -w 81:00.3
+            --vdev "cryptodev_aesni_mb_pmd" --vdev "cryptodev_null_pmd" --
+            -p 0xf -P -u 0x3 --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)"
+            --ep0
+
+Configurations
+--------------
+
+The following sections provide some details on the default values used to
+initialize the SP, SA and Routing tables.
+Currently all the configuration is hard coded into the application.
+
+Security Policy Initialization
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As mention in the overview, the Security Policies are ACL rules.
+The application defines two ACLs, one each of Inbound and Outbound, and
+it replicates them per socket in use.
+
+Following are the default rules:
+
+Endpoint 0 Outbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.105.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.106.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.107.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.108.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.200.0/24 | Any       | 9          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.250.0/24 | Any       | BYPASS     |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+Endpoint 0 Inbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.115.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.116.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.117.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.118.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.210.0/24 | Any       | 9          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.240.0/24 | Any       | BYPASS     |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+Endpoint 1 Outbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.115.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.116.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.117.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.118.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.210.0/24 | Any       | 9          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.240.0/24 | Any       | BYPASS     |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+Endpoint 1 Inbound Security Policies:
+
++---------+------------------+-----------+------------+
+| **Src** | **Dst**          | **proto** | **SA idx** |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.105.0/24 | Any       | 5          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.106.0/24 | Any       | 6          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.107.0/24 | Any       | 7          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.108.0/24 | Any       | 8          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.200.0/24 | Any       | 9          |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+| Any     | 192.168.250.0/24 | Any       | BYPASS     |
+|         |                  |           |            |
++---------+------------------+-----------+------------+
+
+
+Security Association Initialization
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The SAs are kept in a array table.
+
+For Inbound, the SPI is used as index module the table size.
+This means that on a table for 100 SA, SPI 5 and 105 would use the same index
+and that is not currently supported.
+
+Notice that it is not an issue for Outbound traffic as we store the index and
+not the SPI in the Security Policy.
+
+All SAs configured with AES-CBC and HMAC-SHA1 share the same values for cipher
+block size and key, and authentication digest size and key.
+
+Following are the default values:
+
+Endpoint 0 Outbound Security Associations:
+
++---------+------------+-----------+----------------+------------------+
+| **SPI** | **Cipher** | **Auth**  | **Tunnel src** | **Tunnel dst**   |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 5       | AES-CBC    | HMAC-SHA1 | 172.16.1.5     | 172.16.2.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 6       | AES-CBC    | HMAC-SHA1 | 172.16.1.6     | 172.16.2.6       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 7       | AES-CBC    | HMAC-SHA1 | 172.16.1.7     | 172.16.2.7       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 8       | AES-CBC    | HMAC-SHA1 | 172.16.1.8     | 172.16.2.8       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 9       | NULL       | NULL      | 172.16.1.5     | 172.16.2.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+
+Endpoint 0 Inbound Security Associations:
+
++---------+------------+-----------+----------------+------------------+
+| **SPI** | **Cipher** | **Auth**  | **Tunnel src** | **Tunnel dst**   |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 5       | AES-CBC    | HMAC-SHA1 | 172.16.2.5     | 172.16.1.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 6       | AES-CBC    | HMAC-SHA1 | 172.16.2.6     | 172.16.1.6       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 7       | AES-CBC    | HMAC-SHA1 | 172.16.2.7     | 172.16.1.7       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 8       | AES-CBC    | HMAC-SHA1 | 172.16.2.8     | 172.16.1.8       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 9       | NULL       | NULL      | 172.16.2.5     | 172.16.1.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+
+Endpoint 1 Outbound Security Associations:
+
++---------+------------+-----------+----------------+------------------+
+| **SPI** | **Cipher** | **Auth**  | **Tunnel src** | **Tunnel dst**   |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 5       | AES-CBC    | HMAC-SHA1 | 172.16.2.5     | 172.16.1.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 6       | AES-CBC    | HMAC-SHA1 | 172.16.2.6     | 172.16.1.6       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 7       | AES-CBC    | HMAC-SHA1 | 172.16.2.7     | 172.16.1.7       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 8       | AES-CBC    | HMAC-SHA1 | 172.16.2.8     | 172.16.1.8       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 9       | NULL       | NULL      | 172.16.2.5     | 172.16.1.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+
+Endpoint 1 Inbound Security Associations:
+
++---------+------------+-----------+----------------+------------------+
+| **SPI** | **Cipher** | **Auth**  | **Tunnel src** | **Tunnel dst**   |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 5       | AES-CBC    | HMAC-SHA1 | 172.16.1.5     | 172.16.2.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 6       | AES-CBC    | HMAC-SHA1 | 172.16.1.6     | 172.16.2.6       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 7       | AES-CBC    | HMAC-SHA1 | 172.16.1.7     | 172.16.2.7       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 8       | AES-CBC    | HMAC-SHA1 | 172.16.1.8     | 172.16.2.8       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+| 9       | NULL       | NULL      | 172.16.1.5     | 172.16.2.5       |
+|         |            |           |                |                  |
++---------+------------+-----------+----------------+------------------+
+
+Routing Initialization
+~~~~~~~~~~~~~~~~~~~~~~
+
+The Routing is implemented using LPM table.
+
+Following default values:
+
+Endpoint 0 Routing Table:
+
++------------------+----------+
+| **Dst addr**     | **Port** |
+|                  |          |
++------------------+----------+
+| 172.16.2.5/32    | 0        |
+|                  |          |
++------------------+----------+
+| 172.16.2.6/32    | 0        |
+|                  |          |
++------------------+----------+
+| 172.16.2.7/32    | 1        |
+|                  |          |
++------------------+----------+
+| 172.16.2.8/32    | 1        |
+|                  |          |
++------------------+----------+
+| 192.168.115.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.116.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.117.0/24 | 3        |
+|                  |          |
++------------------+----------+
+| 192.168.118.0/24 | 3        |
+|                  |          |
++------------------+----------+
+| 192.168.210.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.240.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.250.0/24 | 0        |
+|                  |          |
++------------------+----------+
+
+Endpoint 1 Routing Table:
+
++------------------+----------+
+| **Dst addr**     | **Port** |
+|                  |          |
++------------------+----------+
+| 172.16.1.5/32    | 2        |
+|                  |          |
++------------------+----------+
+| 172.16.1.6/32    | 2        |
+|                  |          |
++------------------+----------+
+| 172.16.1.7/32    | 3        |
+|                  |          |
++------------------+----------+
+| 172.16.1.8/32    | 3        |
+|                  |          |
++------------------+----------+
+| 192.168.105.0/24 | 0        |
+|                  |          |
++------------------+----------+
+| 192.168.106.0/24 | 0        |
+|                  |          |
++------------------+----------+
+| 192.168.107.0/24 | 1        |
+|                  |          |
++------------------+----------+
+| 192.168.108.0/24 | 1        |
+|                  |          |
++------------------+----------+
+| 192.168.200.0/24 | 0        |
+|                  |          |
++------------------+----------+
+| 192.168.240.0/24 | 2        |
+|                  |          |
++------------------+----------+
+| 192.168.250.0/24 | 0        |
+|                  |          |
++------------------+----------+
diff --git a/examples/Makefile b/examples/Makefile
index 1665df1..acd93b8 100644
--- a/examples/Makefile
+++ b/examples/Makefile
@@ -82,5 +82,6 @@ DIRS-y += vmdq
 DIRS-y += vmdq_dcb
 DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager
 DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto
+DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw
 
 include $(RTE_SDK)/mk/rte.extsubdir.mk
diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile
new file mode 100644
index 0000000..da39e49
--- /dev/null
+++ b/examples/ipsec-secgw/Makefile
@@ -0,0 +1,58 @@
+#   BSD LICENSE
+#
+#   Copyright(c) 2016 Intel Corporation. All rights reserved.
+#   All rights reserved.
+#
+#   Redistribution and use in source and binary forms, with or without
+#   modification, are permitted provided that the following conditions
+#   are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in
+#       the documentation and/or other materials provided with the
+#       distribution.
+#     * Neither the name of Intel Corporation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+#   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+#   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+#   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+#   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+#   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+#   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+#   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+#   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+#   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ifeq ($(RTE_SDK),)
+	$(error "Please define RTE_SDK environment variable")
+endif
+
+# Default target, can be overridden by command line or environment
+RTE_TARGET ?= x86_64-native-linuxapp-gcc
+
+include $(RTE_SDK)/mk/rte.vars.mk
+
+APP = ipsec-secgw
+
+CFLAGS += -O3 -gdwarf-2
+CFLAGS += $(WERROR_FLAGS)
+
+VPATH += $(SRCDIR)/librte_ipsec
+
+#
+# all source are stored in SRCS-y
+#
+SRCS-y += ipsec.c
+SRCS-y += esp.c
+SRCS-y += sp.c
+SRCS-y += sa.c
+SRCS-y += rt.c
+SRCS-y += ipsec-secgw.c
+
+include $(RTE_SDK)/mk/rte.extapp.mk
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
new file mode 100644
index 0000000..ca0fc56
--- /dev/null
+++ b/examples/ipsec-secgw/esp.c
@@ -0,0 +1,250 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <netinet/ip.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <rte_common.h>
+#include <rte_memcpy.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_random.h>
+
+#include "ipsec.h"
+#include "esp.h"
+#include "ipip.h"
+
+#define IP_ESP_HDR_SZ (sizeof(struct ip) + sizeof(struct esp_hdr))
+
+static inline void
+random_iv_u64(uint64_t *buf, uint16_t n)
+{
+	unsigned left = n & 0x7;
+	unsigned i;
+
+	IPSEC_ASSERT((n & 0x3) == 0);
+
+	for (i = 0; i < (n >> 3); i++)
+		buf[i] = rte_rand();
+
+	if (left)
+		*((uint32_t *)&buf[i]) = (uint32_t)lrand48();
+}
+
+/* IPv4 Tunnel */
+int
+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop)
+{
+	int32_t payload_len;
+	struct rte_crypto_sym_op *sym_cop;
+
+	IPSEC_ASSERT(m != NULL);
+	IPSEC_ASSERT(sa != NULL);
+	IPSEC_ASSERT(cop != NULL);
+
+	payload_len = rte_pktmbuf_pkt_len(m) - IP_ESP_HDR_SZ - sa->iv_len -
+		sa->digest_len;
+
+	if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
+		IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not multiple of %u\n",
+				payload_len, sa->block_size);
+		return -EINVAL;
+	}
+
+	sym_cop = (struct rte_crypto_sym_op *)(cop + 1);
+
+	sym_cop->m_src = m;
+	sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len;
+	sym_cop->cipher.data.length = payload_len;
+
+	sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, void*,
+			IP_ESP_HDR_SZ);
+	sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			IP_ESP_HDR_SZ);
+	sym_cop->cipher.iv.length = sa->iv_len;
+
+	sym_cop->auth.data.offset = sizeof(struct ip);
+	if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM)
+		sym_cop->auth.data.length = sizeof(struct esp_hdr);
+	else
+		sym_cop->auth.data.length = sizeof(struct esp_hdr) +
+			sa->iv_len + payload_len;
+
+	sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*,
+			rte_pktmbuf_pkt_len(m) - sa->digest_len);
+	sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			rte_pktmbuf_pkt_len(m) - sa->digest_len);
+	sym_cop->auth.digest.length = sa->digest_len;
+
+	return 0;
+}
+
+int
+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop)
+{
+	uint8_t *nexthdr, *pad_len;
+	uint8_t *padding;
+	uint16_t i;
+
+	IPSEC_ASSERT(m != NULL);
+	IPSEC_ASSERT(sa != NULL);
+	IPSEC_ASSERT(cop != NULL);
+
+	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
+		return -1;
+	}
+
+	nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
+			rte_pktmbuf_pkt_len(m) - sa->digest_len - 1);
+	pad_len = nexthdr - 1;
+
+	padding = pad_len - *pad_len;
+	for (i = 0; i < *pad_len; i++) {
+		if (padding[i] != i) {
+			IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n");
+			return -EINVAL;
+		}
+	}
+
+	if (rte_pktmbuf_trim(m, *pad_len + 2 + sa->digest_len)) {
+		IPSEC_LOG(ERR, IPSEC_ESP,
+				"failed to remove pad_len + digest\n");
+		return -EINVAL;
+	}
+
+	return ip4ip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);
+}
+
+int
+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop)
+{
+	uint16_t pad_payload_len, pad_len;
+	struct ip *ip;
+	struct esp_hdr *esp;
+	int i;
+	char *padding;
+	struct rte_crypto_sym_op *sym_cop;
+
+	IPSEC_ASSERT(m != NULL);
+	IPSEC_ASSERT(sa != NULL);
+	IPSEC_ASSERT(cop != NULL);
+
+	/* Payload length */
+	pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) + 2,
+			sa->block_size);
+	pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m);
+
+	rte_prefetch0(rte_pktmbuf_mtod_offset(m, void *,
+				rte_pktmbuf_pkt_len(m)));
+
+	/* Check maximum packet size */
+	if (unlikely(IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len +
+				sa->digest_len > IP_MAXPACKET)) {
+		IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n");
+		return -EINVAL;
+	}
+
+	padding = rte_pktmbuf_append(m, pad_len + sa->digest_len);
+
+	IPSEC_ASSERT(padding != NULL);
+
+	ip = ip4ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len,
+			sa->src, sa->dst);
+
+	esp = (struct esp_hdr *)(ip + 1);
+	esp->spi = sa->spi;
+	esp->seq = htonl(sa->seq++);
+
+	IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m));
+
+	/* Fill pad_len using default sequential scheme */
+	for (i = 0; i < pad_len - 2; i++)
+		padding[i] = i + 1;
+
+	padding[pad_len - 2] = pad_len - 2;
+	padding[pad_len - 1] = IPPROTO_IPIP;
+
+	sym_cop = (struct rte_crypto_sym_op *)(cop + 1);
+
+	sym_cop->m_src = m;
+	sym_cop->cipher.data.offset = IP_ESP_HDR_SZ + sa->iv_len;
+	sym_cop->cipher.data.length = pad_payload_len;
+
+	sym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
+			IP_ESP_HDR_SZ);
+	sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			IP_ESP_HDR_SZ);
+	sym_cop->cipher.iv.length = sa->iv_len;
+
+	sym_cop->auth.data.offset = sizeof(struct ip);
+	sym_cop->auth.data.length = sizeof(struct esp_hdr) + sa->iv_len +
+		pad_payload_len;
+
+	sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
+			IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len);
+	sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
+			IP_ESP_HDR_SZ + sa->iv_len + pad_payload_len);
+	sym_cop->auth.digest.length = sa->digest_len;
+
+	if (sa->cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)
+		random_iv_u64((uint64_t *)sym_cop->cipher.iv.data,
+				sym_cop->cipher.iv.length);
+
+	return 0;
+}
+
+int
+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused,
+		struct ipsec_sa *sa __rte_unused,
+		struct rte_crypto_op *cop)
+{
+	IPSEC_ASSERT(m != NULL);
+	IPSEC_ASSERT(sa != NULL);
+	IPSEC_ASSERT(cop != NULL);
+
+	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
+		return -1;
+	}
+
+	return 0;
+}
diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h
new file mode 100644
index 0000000..3101882
--- /dev/null
+++ b/examples/ipsec-secgw/esp.h
@@ -0,0 +1,66 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef __RTE_IPSEC_XFORM_ESP_H__
+#define __RTE_IPSEC_XFORM_ESP_H__
+
+struct mbuf;
+
+/* RFC4303 */
+struct esp_hdr {
+	uint32_t spi;
+	uint32_t seq;
+	/* Payload */
+	/* Padding */
+	/* Pad Length */
+	/* Next Header */
+	/* Integrity Check Value - ICV */
+};
+
+/* IPv4 Tunnel */
+int
+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+int
+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+#endif /* __RTE_IPSEC_XFORM_ESP_H__ */
diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h
new file mode 100644
index 0000000..322076c
--- /dev/null
+++ b/examples/ipsec-secgw/ipip.h
@@ -0,0 +1,103 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __IPIP_H__
+#define __IPIP_H__
+
+#include <stdint.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_mbuf.h>
+
+#define IPV6_VERSION (6)
+
+static inline  struct ip *
+ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst)
+{
+	struct ip *inip, *outip;
+
+	inip = rte_pktmbuf_mtod(m, struct ip*);
+
+	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+
+	offset += sizeof(struct ip);
+
+	outip = (struct ip *)rte_pktmbuf_prepend(m, offset);
+
+	IPSEC_ASSERT(outip != NULL);
+
+	/* Per RFC4301 5.1.2.1 */
+	outip->ip_v = IPVERSION;
+	outip->ip_hl = 5;
+	outip->ip_tos = inip->ip_tos;
+	outip->ip_len = htons(rte_pktmbuf_data_len(m));
+
+	outip->ip_id = 0;
+	outip->ip_off = 0;
+
+	outip->ip_ttl = IPDEFTTL;
+	outip->ip_p = IPPROTO_ESP;
+
+	outip->ip_src.s_addr = src;
+	outip->ip_dst.s_addr = dst;
+
+	return outip;
+}
+
+static inline int
+ip4ip_inbound(struct rte_mbuf *m, uint32_t offset)
+{
+	struct ip *inip;
+	struct ip *outip;
+
+	outip = rte_pktmbuf_mtod(m, struct ip*);
+
+	IPSEC_ASSERT(outip->ip_v == IPVERSION);
+
+	offset += sizeof(struct ip);
+	inip = (struct ip *)rte_pktmbuf_adj(m, offset);
+	IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION);
+
+	/* Check packet is still bigger than IP header (inner) */
+	IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip));
+
+	/* RFC4301 5.1.2.1 Note 6 */
+	if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) &&
+			((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE))
+		inip->ip_tos |= htons(IPTOS_ECN_CE);
+
+	return 0;
+}
+
+#endif /* __IPIP_H__ */
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
new file mode 100644
index 0000000..d6c9a5d
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -0,0 +1,1360 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <inttypes.h>
+#include <sys/types.h>
+#include <string.h>
+#include <sys/queue.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <getopt.h>
+
+#include <rte_common.h>
+#include <rte_byteorder.h>
+#include <rte_log.h>
+#include <rte_eal.h>
+#include <rte_launch.h>
+#include <rte_atomic.h>
+#include <rte_cycles.h>
+#include <rte_prefetch.h>
+#include <rte_lcore.h>
+#include <rte_per_lcore.h>
+#include <rte_branch_prediction.h>
+#include <rte_interrupts.h>
+#include <rte_pci.h>
+#include <rte_random.h>
+#include <rte_debug.h>
+#include <rte_ether.h>
+#include <rte_ethdev.h>
+#include <rte_mempool.h>
+#include <rte_mbuf.h>
+#include <rte_acl.h>
+#include <rte_lpm.h>
+#include <rte_hash.h>
+#include <rte_jhash.h>
+#include <rte_cryptodev.h>
+
+#include "ipsec.h"
+
+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
+
+#define MAX_JUMBO_PKT_LEN  9600
+
+#define MEMPOOL_CACHE_SIZE 256
+
+#define NB_MBUF	(32000)
+
+#define CDEV_MAP_ENTRIES 1024
+#define CDEV_MP_NB_OBJS 2048
+#define CDEV_MP_CACHE_SZ 64
+#define MAX_QUEUE_PAIRS 1
+
+#define OPTION_CONFIG		"config"
+#define OPTION_SINGLE_SA	"single-sa"
+#define OPTION_EP0		"ep0"
+#define OPTION_EP1		"ep1"
+
+#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */
+
+#define NB_SOCKETS 4
+
+/* Configure how many packets ahead to prefetch, when reading packets */
+#define PREFETCH_OFFSET	3
+
+#define MAX_RX_QUEUE_PER_LCORE 16
+
+#define MAX_LCORE_PARAMS 1024
+
+#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid))
+
+/*
+ * Configurable number of RX/TX ring descriptors
+ */
+#define IPSEC_SECGW_RX_DESC_DEFAULT 128
+#define IPSEC_SECGW_TX_DESC_DEFAULT 512
+static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT;
+static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
+
+#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((a) & 0xff) << 56) | \
+	((uint64_t)((b) & 0xff) << 48) | \
+	((uint64_t)((c) & 0xff) << 40) | \
+	((uint64_t)((d) & 0xff) << 32) | \
+	((uint64_t)((e) & 0xff) << 24) | \
+	((uint64_t)((f) & 0xff) << 16) | \
+	((uint64_t)((g) & 0xff) << 8)  | \
+	((uint64_t)(h) & 0xff))
+#else
+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \
+	(((uint64_t)((h) & 0xff) << 56) | \
+	((uint64_t)((g) & 0xff) << 48) | \
+	((uint64_t)((f) & 0xff) << 40) | \
+	((uint64_t)((e) & 0xff) << 32) | \
+	((uint64_t)((d) & 0xff) << 24) | \
+	((uint64_t)((c) & 0xff) << 16) | \
+	((uint64_t)((b) & 0xff) << 8) | \
+	((uint64_t)(a) & 0xff))
+#endif
+#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
+
+#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \
+		addr.addr_bytes[0], addr.addr_bytes[1], \
+		addr.addr_bytes[2], addr.addr_bytes[3], \
+		addr.addr_bytes[4], addr.addr_bytes[5], \
+		0, 0)
+
+/* port/source ethernet addr and destination ethernet addr */
+struct ethaddr_info {
+	uint64_t src, dst;
+};
+
+struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) },
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) },
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) },
+	{ 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) }
+};
+
+/* mask of enabled ports */
+static uint32_t enabled_port_mask;
+static uint32_t unprotected_port_mask;
+static int32_t promiscuous_on = 1;
+static int32_t numa_on = 1; /**< NUMA is enabled by default. */
+static int32_t ep = -1; /**< Endpoint configuration (0 or 1) */
+static uint32_t nb_lcores;
+static uint32_t single_sa;
+static uint32_t single_sa_idx;
+
+struct lcore_rx_queue {
+	uint8_t port_id;
+	uint8_t queue_id;
+} __rte_cache_aligned;
+
+struct lcore_params {
+	uint8_t port_id;
+	uint8_t queue_id;
+	uint8_t lcore_id;
+} __rte_cache_aligned;
+
+static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
+
+static struct lcore_params *lcore_params;
+static uint16_t nb_lcore_params;
+
+static struct rte_hash *cdev_map_in;
+static struct rte_hash *cdev_map_out;
+
+struct buffer {
+	uint16_t len;
+	struct rte_mbuf *m_table[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
+};
+
+struct lcore_conf {
+	uint16_t nb_rx_queue;
+	struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE];
+	uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
+	struct buffer tx_mbufs[RTE_MAX_ETHPORTS];
+	struct ipsec_ctx inbound;
+	struct ipsec_ctx outbound;
+	struct rt_ctx *rt_ctx;
+} __rte_cache_aligned;
+
+static struct lcore_conf lcore_conf[RTE_MAX_LCORE];
+
+static struct rte_eth_conf port_conf = {
+	.rxmode = {
+		.mq_mode	= ETH_MQ_RX_RSS,
+		.max_rx_pkt_len = ETHER_MAX_LEN,
+		.split_hdr_size = 0,
+		.header_split   = 0, /**< Header Split disabled */
+		.hw_ip_checksum = 1, /**< IP checksum offload enabled */
+		.hw_vlan_filter = 0, /**< VLAN filtering disabled */
+		.jumbo_frame    = 0, /**< Jumbo Frame Support disabled */
+		.hw_strip_crc   = 0, /**< CRC stripped by hardware */
+	},
+	.rx_adv_conf = {
+		.rss_conf = {
+			.rss_key = NULL,
+			.rss_hf = ETH_RSS_IP | ETH_RSS_UDP |
+				ETH_RSS_TCP | ETH_RSS_SCTP,
+		},
+	},
+	.txmode = {
+		.mq_mode = ETH_MQ_TX_NONE,
+	},
+};
+
+static struct socket_ctx socket_ctx[NB_SOCKETS];
+
+struct traffic_type {
+	const uint8_t *data[MAX_PKT_BURST * 2];
+	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
+	uint32_t res[MAX_PKT_BURST * 2];
+	uint32_t num;
+};
+
+struct ipsec_traffic {
+	struct traffic_type ipsec4;
+	struct traffic_type ipv4;
+};
+
+static inline void
+prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
+{
+	uint8_t *nlp;
+
+	if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) {
+		rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
+		nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *,
+				offsetof(struct ip, ip_p));
+		if (*nlp == IPPROTO_ESP)
+			t->ipsec4.pkts[(t->ipsec4.num)++] = pkt;
+		else {
+			t->ipv4.data[t->ipv4.num] = nlp;
+			t->ipv4.pkts[(t->ipv4.num)++] = pkt;
+		}
+	} else {
+		/* Unknown/Unsupported type, drop the packet */
+		rte_pktmbuf_free(pkt);
+	}
+}
+
+static inline void
+prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
+		uint16_t nb_pkts)
+{
+	int32_t i;
+
+	t->ipsec4.num = 0;
+	t->ipv4.num = 0;
+
+	for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
+		rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
+					void *));
+		prepare_one_packet(pkts[i], t);
+	}
+	/* Process left packets */
+	for (; i < nb_pkts; i++)
+		prepare_one_packet(pkts[i], t);
+}
+
+static inline void
+prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
+{
+	pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4;
+	pkt->l3_len = sizeof(struct ip);
+	pkt->l2_len = ETHER_HDR_LEN;
+
+	struct ether_hdr *ethhdr = (struct ether_hdr *)rte_pktmbuf_prepend(pkt,
+			ETHER_HDR_LEN);
+
+	ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4);
+	memcpy(&ethhdr->s_addr, &ethaddr_tbl[port].src,
+			sizeof(struct ether_addr));
+	memcpy(&ethhdr->d_addr, &ethaddr_tbl[port].dst,
+			sizeof(struct ether_addr));
+}
+
+static inline void
+prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port)
+{
+	int32_t i;
+	const int32_t prefetch_offset = 2;
+
+	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
+		rte_prefetch0(pkts[i + prefetch_offset]->cacheline1);
+		prepare_tx_pkt(pkts[i], port);
+	}
+	/* Process left packets */
+	for (; i < nb_pkts; i++)
+		prepare_tx_pkt(pkts[i], port);
+}
+
+/* Send burst of packets on an output interface */
+static inline int32_t
+send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port)
+{
+	struct rte_mbuf **m_table;
+	int32_t ret;
+	uint16_t queueid;
+
+	queueid = qconf->tx_queue_id[port];
+	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
+
+	prepare_tx_burst(m_table, n, port);
+
+	ret = rte_eth_tx_burst(port, queueid, m_table, n);
+	if (unlikely(ret < n)) {
+		do {
+			rte_pktmbuf_free(m_table[ret]);
+		} while (++ret < n);
+	}
+
+	return 0;
+}
+
+/* Enqueue a single packet, and send burst if queue is filled */
+static inline int32_t
+send_single_packet(struct rte_mbuf *m, uint8_t port)
+{
+	uint32_t lcore_id;
+	uint16_t len;
+	struct lcore_conf *qconf;
+
+	lcore_id = rte_lcore_id();
+
+	qconf = &lcore_conf[lcore_id];
+	len = qconf->tx_mbufs[port].len;
+	qconf->tx_mbufs[port].m_table[len] = m;
+	len++;
+
+	/* enough pkts to be sent */
+	if (unlikely(len == MAX_PKT_BURST)) {
+		send_burst(qconf, MAX_PKT_BURST, port);
+		len = 0;
+	}
+
+	qconf->tx_mbufs[port].len = len;
+	return 0;
+}
+
+static inline void
+process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
+		struct ipsec_traffic *traffic)
+{
+	struct rte_mbuf *m;
+	uint16_t idx, nb_pkts_in, i, j;
+	uint32_t sa_idx, res;
+
+	nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts,
+			traffic->ipsec4.num, MAX_PKT_BURST);
+
+	/* SP/ACL Inbound check ipsec and ipv4 */
+	for (i = 0; i < nb_pkts_in; i++) {
+		idx = traffic->ipv4.num++;
+		m = traffic->ipsec4.pkts[i];
+		traffic->ipv4.pkts[idx] = m;
+		traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m,
+				uint8_t *, offsetof(struct ip, ip_p));
+	}
+
+	rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx,
+			traffic->ipv4.data, traffic->ipv4.res,
+			traffic->ipv4.num, DEFAULT_MAX_CATEGORIES);
+
+	j = 0;
+	for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) {
+		m = traffic->ipv4.pkts[i];
+		res = traffic->ipv4.res[i];
+		if (res & ~BYPASS) {
+			rte_pktmbuf_free(m);
+			continue;
+		}
+		traffic->ipv4.pkts[j++] = m;
+	}
+	/* Check return SA SPI matches pkt SPI */
+	for ( ; i < traffic->ipv4.num; i++) {
+		m = traffic->ipv4.pkts[i];
+		sa_idx = traffic->ipv4.res[i] & PROTECT_MASK;
+		if (sa_idx == 0 || !inbound_sa_check(ipsec_ctx->sa_ctx,
+					m, sa_idx)) {
+			rte_pktmbuf_free(m);
+			continue;
+		}
+		traffic->ipv4.pkts[j++] = m;
+	}
+	traffic->ipv4.num = j;
+}
+
+static inline void
+process_pkts_outbound(struct ipsec_ctx *ipsec_ctx,
+		struct ipsec_traffic *traffic)
+{
+	struct rte_mbuf *m;
+	uint16_t idx, nb_pkts_out, i, j;
+	uint32_t sa_idx, res;
+
+	rte_acl_classify((struct rte_acl_ctx *)ipsec_ctx->sp_ctx,
+			traffic->ipv4.data, traffic->ipv4.res,
+			traffic->ipv4.num, DEFAULT_MAX_CATEGORIES);
+
+	/* Drop any IPsec traffic from protected ports */
+	for (i = 0; i < traffic->ipsec4.num; i++)
+		rte_pktmbuf_free(traffic->ipsec4.pkts[i]);
+
+	traffic->ipsec4.num = 0;
+
+	j = 0;
+	for (i = 0; i < traffic->ipv4.num; i++) {
+		m = traffic->ipv4.pkts[i];
+		res = traffic->ipv4.res[i];
+		sa_idx = res & PROTECT_MASK;
+		if ((res == 0) || (res & DISCARD))
+			rte_pktmbuf_free(m);
+		else if (sa_idx != 0) {
+			traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx;
+			traffic->ipsec4.pkts[traffic->ipsec4.num++] = m;
+		} else /* BYPASS */
+			traffic->ipv4.pkts[j++] = m;
+	}
+	traffic->ipv4.num = j;
+
+	nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipsec4.pkts,
+			traffic->ipsec4.res, traffic->ipsec4.num,
+			MAX_PKT_BURST);
+
+	for (i = 0; i < nb_pkts_out; i++) {
+		idx = traffic->ipv4.num++;
+		m = traffic->ipsec4.pkts[i];
+		traffic->ipv4.pkts[idx] = m;
+	}
+}
+
+static inline void
+process_pkts_inbound_nosp(struct ipsec_ctx *ipsec_ctx,
+		struct ipsec_traffic *traffic)
+{
+	uint16_t nb_pkts_in, i;
+
+	/* Drop any IPv4 traffic from unprotected ports */
+	for (i = 0; i < traffic->ipv4.num; i++)
+		rte_pktmbuf_free(traffic->ipv4.pkts[i]);
+
+	traffic->ipv4.num = 0;
+
+	nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec4.pkts,
+			traffic->ipsec4.num, MAX_PKT_BURST);
+
+	for (i = 0; i < nb_pkts_in; i++)
+		traffic->ipv4.pkts[i] = traffic->ipsec4.pkts[i];
+
+	traffic->ipv4.num = nb_pkts_in;
+}
+
+static inline void
+process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx,
+		struct ipsec_traffic *traffic)
+{
+	uint16_t nb_pkts_out, i;
+
+	/* Drop any IPsec traffic from protected ports */
+	for (i = 0; i < traffic->ipsec4.num; i++)
+		rte_pktmbuf_free(traffic->ipsec4.pkts[i]);
+
+	traffic->ipsec4.num = 0;
+
+	for (i = 0; i < traffic->ipv4.num; i++)
+		traffic->ipv4.res[i] = single_sa_idx;
+
+	nb_pkts_out = ipsec_outbound(ipsec_ctx, traffic->ipv4.pkts,
+			traffic->ipv4.res, traffic->ipv4.num,
+			MAX_PKT_BURST);
+
+	traffic->ipv4.num = nb_pkts_out;
+}
+
+static inline void
+route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
+{
+	uint32_t hop[MAX_PKT_BURST * 2];
+	uint32_t dst_ip[MAX_PKT_BURST * 2];
+	uint16_t i, offset;
+
+	if (nb_pkts == 0)
+		return;
+
+	for (i = 0; i < nb_pkts; i++) {
+		offset = offsetof(struct ip, ip_dst);
+		dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i],
+				uint32_t *, offset);
+		dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]);
+	}
+
+	rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts);
+
+	for (i = 0; i < nb_pkts; i++) {
+		if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) {
+			rte_pktmbuf_free(pkts[i]);
+			continue;
+		}
+		send_single_packet(pkts[i], hop[i] & 0xff);
+	}
+}
+
+static inline void
+process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts,
+		uint8_t nb_pkts, uint8_t portid)
+{
+	struct ipsec_traffic traffic;
+
+	prepare_traffic(pkts, &traffic, nb_pkts);
+
+	if (single_sa) {
+		if (UNPROTECTED_PORT(portid))
+			process_pkts_inbound_nosp(&qconf->inbound, &traffic);
+		else
+			process_pkts_outbound_nosp(&qconf->outbound, &traffic);
+	} else {
+		if (UNPROTECTED_PORT(portid))
+			process_pkts_inbound(&qconf->inbound, &traffic);
+		else
+			process_pkts_outbound(&qconf->outbound, &traffic);
+	}
+
+	route_pkts(qconf->rt_ctx, traffic.ipv4.pkts, traffic.ipv4.num);
+}
+
+static inline void
+drain_buffers(struct lcore_conf *qconf)
+{
+	struct buffer *buf;
+	uint32_t portid;
+
+	for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) {
+		buf = &qconf->tx_mbufs[portid];
+		if (buf->len == 0)
+			continue;
+		send_burst(qconf, buf->len, portid);
+		buf->len = 0;
+	}
+}
+
+/* main processing loop */
+static int32_t
+main_loop(__attribute__((unused)) void *dummy)
+{
+	struct rte_mbuf *pkts[MAX_PKT_BURST];
+	uint32_t lcore_id;
+	uint64_t prev_tsc, diff_tsc, cur_tsc;
+	int32_t i, nb_rx;
+	uint8_t portid, queueid;
+	struct lcore_conf *qconf;
+	int32_t socket_id;
+	const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1)
+			/ US_PER_S * BURST_TX_DRAIN_US;
+	struct lcore_rx_queue *rxql;
+
+	prev_tsc = 0;
+	lcore_id = rte_lcore_id();
+	qconf = &lcore_conf[lcore_id];
+	rxql = qconf->rx_queue_list;
+	socket_id = rte_lcore_to_socket_id(lcore_id);
+
+	qconf->rt_ctx = socket_ctx[socket_id].rt_ipv4;
+	qconf->inbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_in;
+	qconf->inbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_in;
+	qconf->inbound.cdev_map = cdev_map_in;
+	qconf->outbound.sp_ctx = socket_ctx[socket_id].sp_ipv4_out;
+	qconf->outbound.sa_ctx = socket_ctx[socket_id].sa_ipv4_out;
+	qconf->outbound.cdev_map = cdev_map_out;
+
+	if (qconf->nb_rx_queue == 0) {
+		RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id);
+		return 0;
+	}
+
+	RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id);
+
+	for (i = 0; i < qconf->nb_rx_queue; i++) {
+		portid = rxql[i].port_id;
+		queueid = rxql[i].queue_id;
+		RTE_LOG(INFO, IPSEC,
+			" -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n",
+			lcore_id, portid, queueid);
+	}
+
+	while (1) {
+		cur_tsc = rte_rdtsc();
+
+		/* TX queue buffer drain */
+		diff_tsc = cur_tsc - prev_tsc;
+
+		if (unlikely(diff_tsc > drain_tsc)) {
+			drain_buffers(qconf);
+			prev_tsc = cur_tsc;
+		}
+
+		/* Read packet from RX queues */
+		for (i = 0; i < qconf->nb_rx_queue; ++i) {
+			portid = rxql[i].port_id;
+			queueid = rxql[i].queue_id;
+			nb_rx = rte_eth_rx_burst(portid, queueid,
+					pkts, MAX_PKT_BURST);
+
+			if (nb_rx > 0)
+				process_pkts(qconf, pkts, nb_rx, portid);
+		}
+	}
+}
+
+static int32_t
+check_params(void)
+{
+	uint8_t lcore, portid, nb_ports;
+	uint16_t i;
+	int32_t socket_id;
+
+	if (lcore_params == NULL) {
+		printf("Error: No port/queue/core mappings\n");
+		return -1;
+	}
+
+	nb_ports = rte_eth_dev_count();
+	if (nb_ports > RTE_MAX_ETHPORTS)
+		nb_ports = RTE_MAX_ETHPORTS;
+
+	for (i = 0; i < nb_lcore_params; ++i) {
+		lcore = lcore_params[i].lcore_id;
+		if (!rte_lcore_is_enabled(lcore)) {
+			printf("error: lcore %hhu is not enabled in "
+				"lcore mask\n", lcore);
+			return -1;
+		}
+		socket_id = rte_lcore_to_socket_id(lcore);
+		if (socket_id != 0 && numa_on == 0) {
+			printf("warning: lcore %hhu is on socket %d "
+				"with numa off\n",
+				lcore, socket_id);
+		}
+		portid = lcore_params[i].port_id;
+		if ((enabled_port_mask & (1 << portid)) == 0) {
+			printf("port %u is not enabled in port mask\n", portid);
+			return -1;
+		}
+		if (portid >= nb_ports) {
+			printf("port %u is not present on the board\n", portid);
+			return -1;
+		}
+	}
+	return 0;
+}
+
+static uint8_t
+get_port_nb_rx_queues(const uint8_t port)
+{
+	int32_t queue = -1;
+	uint16_t i;
+
+	for (i = 0; i < nb_lcore_params; ++i) {
+		if (lcore_params[i].port_id == port &&
+				lcore_params[i].queue_id > queue)
+			queue = lcore_params[i].queue_id;
+	}
+	return (uint8_t)(++queue);
+}
+
+static int32_t
+init_lcore_rx_queues(void)
+{
+	uint16_t i, nb_rx_queue;
+	uint8_t lcore;
+
+	for (i = 0; i < nb_lcore_params; ++i) {
+		lcore = lcore_params[i].lcore_id;
+		nb_rx_queue = lcore_conf[lcore].nb_rx_queue;
+		if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) {
+			printf("error: too many queues (%u) for lcore: %u\n",
+					nb_rx_queue + 1, lcore);
+			return -1;
+		}
+		lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id =
+			lcore_params[i].port_id;
+		lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id =
+			lcore_params[i].queue_id;
+		lcore_conf[lcore].nb_rx_queue++;
+	}
+	return 0;
+}
+
+/* display usage */
+static void
+print_usage(const char *prgname)
+{
+	printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK"
+		"  --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]"
+		" --single-sa SAIDX --ep0|--ep1\n"
+		"  -p PORTMASK: hexadecimal bitmask of ports to configure\n"
+		"  -P : enable promiscuous mode\n"
+		"  -u PORTMASK: hexadecimal bitmask of unprotected ports\n"
+		"  --"OPTION_CONFIG": (port,queue,lcore): "
+		"rx queues configuration\n"
+		"  --single-sa SAIDX: use single SA index for outbound, "
+		"bypassing the SP\n"
+		"  --ep0: Configure as Endpoint 0\n"
+		"  --ep1: Configure as Endpoint 1\n", prgname);
+}
+
+static int32_t
+parse_portmask(const char *portmask)
+{
+	char *end = NULL;
+	unsigned long pm;
+
+	/* parse hexadecimal string */
+	pm = strtoul(portmask, &end, 16);
+	if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0'))
+		return -1;
+
+	if ((pm == 0) && errno)
+		return -1;
+
+	return pm;
+}
+
+static int32_t
+parse_decimal(const char *str)
+{
+	char *end = NULL;
+	unsigned long num;
+
+	num = strtoul(str, &end, 10);
+	if ((str[0] == '\0') || (end == NULL) || (*end != '\0'))
+		return -1;
+
+	return num;
+}
+
+static int32_t
+parse_config(const char *q_arg)
+{
+	char s[256];
+	const char *p, *p0 = q_arg;
+	char *end;
+	enum fieldnames {
+		FLD_PORT = 0,
+		FLD_QUEUE,
+		FLD_LCORE,
+		_NUM_FLD
+	};
+	int long int_fld[_NUM_FLD];
+	char *str_fld[_NUM_FLD];
+	int32_t i;
+	uint32_t size;
+
+	nb_lcore_params = 0;
+
+	while ((p = strchr(p0, '(')) != NULL) {
+		++p;
+		p0 = strchr(p, ')');
+		if (p0 == NULL)
+			return -1;
+
+		size = p0 - p;
+		if (size >= sizeof(s))
+			return -1;
+
+		snprintf(s, sizeof(s), "%.*s", size, p);
+		if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') !=
+				_NUM_FLD)
+			return -1;
+		for (i = 0; i < _NUM_FLD; i++) {
+			errno = 0;
+			int_fld[i] = strtoul(str_fld[i], &end, 0);
+			if (errno != 0 || end == str_fld[i] || int_fld[i] > 255)
+				return -1;
+		}
+		if (nb_lcore_params >= MAX_LCORE_PARAMS) {
+			printf("exceeded max number of lcore params: %hu\n",
+				nb_lcore_params);
+			return -1;
+		}
+		lcore_params_array[nb_lcore_params].port_id =
+			(uint8_t)int_fld[FLD_PORT];
+		lcore_params_array[nb_lcore_params].queue_id =
+			(uint8_t)int_fld[FLD_QUEUE];
+		lcore_params_array[nb_lcore_params].lcore_id =
+			(uint8_t)int_fld[FLD_LCORE];
+		++nb_lcore_params;
+	}
+	lcore_params = lcore_params_array;
+	return 0;
+}
+
+#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt)))
+static int32_t
+parse_args_long_options(struct option *lgopts, int32_t option_index)
+{
+	int32_t ret = -1;
+	const char *optname = lgopts[option_index].name;
+
+	if (__STRNCMP(optname, OPTION_CONFIG)) {
+		ret = parse_config(optarg);
+		if (ret)
+			printf("invalid config\n");
+	}
+
+	if (__STRNCMP(optname, OPTION_SINGLE_SA)) {
+		ret = parse_decimal(optarg);
+		if (ret != -1) {
+			single_sa = 1;
+			single_sa_idx = ret;
+			printf("Configured with single SA index %u\n",
+					single_sa_idx);
+			ret = 0;
+		}
+	}
+
+	if (__STRNCMP(optname, OPTION_EP0)) {
+		printf("endpoint 0\n");
+		ep = 0;
+		ret = 0;
+	}
+
+	if (__STRNCMP(optname, OPTION_EP1)) {
+		printf("endpoint 1\n");
+		ep = 1;
+		ret = 0;
+	}
+
+	return ret;
+}
+#undef __STRNCMP
+
+static int32_t
+parse_args(int32_t argc, char **argv)
+{
+	int32_t opt, ret;
+	char **argvopt;
+	int32_t option_index;
+	char *prgname = argv[0];
+	static struct option lgopts[] = {
+		{OPTION_CONFIG, 1, 0, 0},
+		{OPTION_SINGLE_SA, 1, 0, 0},
+		{OPTION_EP0, 0, 0, 0},
+		{OPTION_EP1, 0, 0, 0},
+		{NULL, 0, 0, 0}
+	};
+
+	argvopt = argv;
+
+	while ((opt = getopt_long(argc, argvopt, "p:Pu:",
+				lgopts, &option_index)) != EOF) {
+
+		switch (opt) {
+		case 'p':
+			enabled_port_mask = parse_portmask(optarg);
+			if (enabled_port_mask == 0) {
+				printf("invalid portmask\n");
+				print_usage(prgname);
+				return -1;
+			}
+			break;
+		case 'P':
+			printf("Promiscuous mode selected\n");
+			promiscuous_on = 1;
+			break;
+		case 'u':
+			unprotected_port_mask = parse_portmask(optarg);
+			if (unprotected_port_mask == 0) {
+				printf("invalid unprotected portmask\n");
+				print_usage(prgname);
+				return -1;
+			}
+			break;
+		case 0:
+			if (parse_args_long_options(lgopts, option_index)) {
+				print_usage(prgname);
+				return -1;
+			}
+			break;
+		default:
+			print_usage(prgname);
+			return -1;
+		}
+	}
+
+	if (optind >= 0)
+		argv[optind-1] = prgname;
+
+	ret = optind-1;
+	optind = 0; /* reset getopt lib */
+	return ret;
+}
+
+static void
+print_ethaddr(const char *name, const struct ether_addr *eth_addr)
+{
+	char buf[ETHER_ADDR_FMT_SIZE];
+	ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr);
+	printf("%s%s", name, buf);
+}
+
+/* Check the link status of all ports in up to 9s, and print them finally */
+static void
+check_all_ports_link_status(uint8_t port_num, uint32_t port_mask)
+{
+#define CHECK_INTERVAL 100 /* 100ms */
+#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */
+	uint8_t portid, count, all_ports_up, print_flag = 0;
+	struct rte_eth_link link;
+
+	printf("\nChecking link status");
+	fflush(stdout);
+	for (count = 0; count <= MAX_CHECK_TIME; count++) {
+		all_ports_up = 1;
+		for (portid = 0; portid < port_num; portid++) {
+			if ((port_mask & (1 << portid)) == 0)
+				continue;
+			memset(&link, 0, sizeof(link));
+			rte_eth_link_get_nowait(portid, &link);
+			/* print link status if flag set */
+			if (print_flag == 1) {
+				if (link.link_status)
+					printf("Port %d Link Up - speed %u "
+						"Mbps - %s\n", (uint8_t)portid,
+						(uint32_t)link.link_speed,
+				(link.link_duplex == ETH_LINK_FULL_DUPLEX) ?
+					("full-duplex") : ("half-duplex\n"));
+				else
+					printf("Port %d Link Down\n",
+						(uint8_t)portid);
+				continue;
+			}
+			/* clear all_ports_up flag if any link down */
+			if (link.link_status == 0) {
+				all_ports_up = 0;
+				break;
+			}
+		}
+		/* after finally printing all link status, get out */
+		if (print_flag == 1)
+			break;
+
+		if (all_ports_up == 0) {
+			printf(".");
+			fflush(stdout);
+			rte_delay_ms(CHECK_INTERVAL);
+		}
+
+		/* set the print_flag if all ports up or timeout */
+		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) {
+			print_flag = 1;
+			printf("done\n");
+		}
+	}
+}
+
+static int32_t
+add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id,
+		uint16_t qp, struct lcore_params *params,
+		struct ipsec_ctx *ipsec_ctx,
+		const struct rte_cryptodev_capabilities *cipher,
+		const struct rte_cryptodev_capabilities *auth)
+{
+	int32_t ret = 0;
+	unsigned long i;
+	struct cdev_key key = { 0 };
+
+	key.lcore_id = params->lcore_id;
+	if (cipher)
+		key.cipher_algo = cipher->sym.cipher.algo;
+	if (auth)
+		key.auth_algo = auth->sym.auth.algo;
+
+	ret = rte_hash_lookup(map, &key);
+	if (ret != -ENOENT)
+		return 0;
+
+	for (i = 0; i < ipsec_ctx->nb_qps; i++)
+		if (ipsec_ctx->tbl[i].id == cdev_id)
+			break;
+
+	if (i == ipsec_ctx->nb_qps) {
+		if (ipsec_ctx->nb_qps == MAX_QP_PER_LCORE) {
+			printf("Maximum number of crypto devices assigned to "
+				"a core, increase MAX_QP_PER_LCORE value\n");
+			return 0;
+		}
+		ipsec_ctx->tbl[i].id = cdev_id;
+		ipsec_ctx->tbl[i].qp = qp;
+		ipsec_ctx->nb_qps++;
+		printf("%s cdev mapping: lcore %u using cdev %u qp %u "
+				"(cdev_id_qp %lu)\n", str, key.lcore_id,
+				cdev_id, qp, i);
+	}
+
+	ret = rte_hash_add_key_data(map, &key, (void *)i);
+	if (ret < 0) {
+		printf("Faled to insert cdev mapping for (lcore %u, "
+				"cdev %u, qp %u), errno %d\n",
+				key.lcore_id, ipsec_ctx->tbl[i].id,
+				ipsec_ctx->tbl[i].qp, ret);
+		return 0;
+	}
+
+	return 1;
+}
+
+static int32_t
+add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id,
+		uint16_t qp, struct lcore_params *params)
+{
+	int32_t ret = 0;
+	const struct rte_cryptodev_capabilities *i, *j;
+	struct rte_hash *map;
+	struct lcore_conf *qconf;
+	struct ipsec_ctx *ipsec_ctx;
+	const char *str;
+
+	qconf = &lcore_conf[params->lcore_id];
+
+	if ((unprotected_port_mask & (1 << params->port_id)) == 0) {
+		map = cdev_map_out;
+		ipsec_ctx = &qconf->outbound;
+		str = "Outbound";
+	} else {
+		map = cdev_map_in;
+		ipsec_ctx = &qconf->inbound;
+		str = "Inbound";
+	}
+
+	/* Required cryptodevs with operation chainning */
+	if (!(dev_info->feature_flags &
+				RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING))
+		return ret;
+
+	for (i = dev_info->capabilities;
+			i->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; i++) {
+		if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
+			continue;
+
+		if (i->sym.xform_type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			continue;
+
+		for (j = dev_info->capabilities;
+				j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) {
+			if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC)
+				continue;
+
+			if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH)
+				continue;
+
+			ret |= add_mapping(map, str, cdev_id, qp, params,
+					ipsec_ctx, i, j);
+		}
+	}
+
+	return ret;
+}
+
+static int32_t
+cryptodevs_init(void)
+{
+	struct rte_cryptodev_config dev_conf;
+	struct rte_cryptodev_qp_conf qp_conf;
+	uint16_t idx, max_nb_qps, qp, i;
+	int16_t cdev_id;
+	struct rte_hash_parameters params = { 0 };
+
+	params.entries = CDEV_MAP_ENTRIES;
+	params.key_len = sizeof(struct cdev_key);
+	params.hash_func = rte_jhash;
+	params.hash_func_init_val = 0;
+	params.socket_id = rte_socket_id();
+
+	params.name = "cdev_map_in";
+	cdev_map_in = rte_hash_create(&params);
+	if (cdev_map_in == NULL)
+		rte_panic("Failed to create cdev_map hash table, errno = %d\n",
+				rte_errno);
+
+	params.name = "cdev_map_out";
+	cdev_map_out = rte_hash_create(&params);
+	if (cdev_map_out == NULL)
+		rte_panic("Failed to create cdev_map hash table, errno = %d\n",
+				rte_errno);
+
+	printf("lcore/cryptodev/qp mappings:\n");
+
+	idx = 0;
+	/* Start from last cdev id to give HW priority */
+	for (cdev_id = rte_cryptodev_count() - 1; cdev_id >= 0; cdev_id--) {
+		struct rte_cryptodev_info cdev_info;
+
+		rte_cryptodev_info_get(cdev_id, &cdev_info);
+
+		if (nb_lcore_params > cdev_info.max_nb_queue_pairs)
+			max_nb_qps = cdev_info.max_nb_queue_pairs;
+		else
+			max_nb_qps = nb_lcore_params;
+
+		qp = 0;
+		i = 0;
+		while (qp < max_nb_qps && i < nb_lcore_params) {
+			if (add_cdev_mapping(&cdev_info, cdev_id, qp,
+						&lcore_params[idx]))
+				qp++;
+			idx++;
+			idx = idx % nb_lcore_params;
+			i++;
+		}
+
+		if (qp == 0)
+			continue;
+
+		dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id);
+		dev_conf.nb_queue_pairs = qp;
+		dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS;
+		dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ;
+
+		if (rte_cryptodev_configure(cdev_id, &dev_conf))
+			rte_panic("Failed to initialize crypodev %u\n",
+					cdev_id);
+
+		qp_conf.nb_descriptors = CDEV_MP_NB_OBJS;
+		for (qp = 0; qp < dev_conf.nb_queue_pairs; qp++)
+			if (rte_cryptodev_queue_pair_setup(cdev_id, qp,
+						&qp_conf, dev_conf.socket_id))
+				rte_panic("Failed to setup queue %u for "
+						"cdev_id %u\n",	0, cdev_id);
+	}
+
+	printf("\n");
+
+	return 0;
+}
+
+static void
+port_init(uint8_t portid)
+{
+	struct rte_eth_dev_info dev_info;
+	struct rte_eth_txconf *txconf;
+	uint16_t nb_tx_queue, nb_rx_queue;
+	uint16_t tx_queueid, rx_queueid, queue, lcore_id;
+	int32_t ret, socket_id;
+	struct lcore_conf *qconf;
+	struct ether_addr ethaddr;
+
+	rte_eth_dev_info_get(portid, &dev_info);
+
+	printf("Configuring device port %u:\n", portid);
+
+	rte_eth_macaddr_get(portid, &ethaddr);
+	ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr);
+	print_ethaddr("Address: ", &ethaddr);
+	printf("\n");
+
+	nb_rx_queue = get_port_nb_rx_queues(portid);
+	nb_tx_queue = nb_lcores;
+
+	if (nb_rx_queue > dev_info.max_rx_queues)
+		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
+				"(max rx queue is %u)\n",
+				nb_rx_queue, dev_info.max_rx_queues);
+
+	if (nb_tx_queue > dev_info.max_tx_queues)
+		rte_exit(EXIT_FAILURE, "Error: queue %u not available "
+				"(max tx queue is %u)\n",
+				nb_tx_queue, dev_info.max_tx_queues);
+
+	printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n",
+			nb_rx_queue, nb_tx_queue);
+
+	ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue,
+			&port_conf);
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "Cannot configure device: "
+				"err=%d, port=%d\n", ret, portid);
+
+	/* init one TX queue per lcore */
+	tx_queueid = 0;
+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+		if (rte_lcore_is_enabled(lcore_id) == 0)
+			continue;
+
+		if (numa_on)
+			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
+		else
+			socket_id = 0;
+
+		/* init TX queue */
+		printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id);
+
+		txconf = &dev_info.default_txconf;
+		txconf->txq_flags = 0;
+
+		ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd,
+				socket_id, txconf);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: "
+					"err=%d, port=%d\n", ret, portid);
+
+		qconf = &lcore_conf[lcore_id];
+		qconf->tx_queue_id[portid] = tx_queueid;
+		tx_queueid++;
+
+		/* init RX queues */
+		for (queue = 0; queue < qconf->nb_rx_queue; ++queue) {
+			if (portid != qconf->rx_queue_list[queue].port_id)
+				continue;
+
+			rx_queueid = qconf->rx_queue_list[queue].queue_id;
+
+			printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid,
+					socket_id);
+
+			ret = rte_eth_rx_queue_setup(portid, rx_queueid,
+					nb_rxd,	socket_id, NULL,
+					socket_ctx[socket_id].mbuf_pool);
+			if (ret < 0)
+				rte_exit(EXIT_FAILURE,
+					"rte_eth_rx_queue_setup: err=%d, "
+					"port=%d\n", ret, portid);
+		}
+	}
+	printf("\n");
+}
+
+static void
+pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf)
+{
+	char s[64];
+
+	snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id);
+	ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf,
+			MEMPOOL_CACHE_SIZE, ipsec_metadata_size(),
+			RTE_MBUF_DEFAULT_BUF_SIZE,
+			socket_id);
+	if (ctx->mbuf_pool == NULL)
+		rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n",
+				socket_id);
+	else
+		printf("Allocated mbuf pool on socket %d\n", socket_id);
+}
+
+int32_t
+main(int32_t argc, char **argv)
+{
+	int32_t ret;
+	uint32_t lcore_id, nb_ports;
+	uint8_t portid, socket_id;
+
+	/* init EAL */
+	ret = rte_eal_init(argc, argv);
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n");
+	argc -= ret;
+	argv += ret;
+
+	/* parse application arguments (after the EAL ones) */
+	ret = parse_args(argc, argv);
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "Invalid parameters\n");
+
+	if (ep < 0)
+		rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n");
+
+	if ((unprotected_port_mask & enabled_port_mask) !=
+			unprotected_port_mask)
+		rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n",
+				unprotected_port_mask);
+
+	nb_ports = rte_eth_dev_count();
+	if (nb_ports > RTE_MAX_ETHPORTS)
+		nb_ports = RTE_MAX_ETHPORTS;
+
+	if (check_params() < 0)
+		rte_exit(EXIT_FAILURE, "check_params failed\n");
+
+	ret = init_lcore_rx_queues();
+	if (ret < 0)
+		rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n");
+
+	nb_lcores = rte_lcore_count();
+
+	/* Replicate each contex per socket */
+	for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
+		if (rte_lcore_is_enabled(lcore_id) == 0)
+			continue;
+
+		if (numa_on)
+			socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id);
+		else
+			socket_id = 0;
+
+		if (socket_ctx[socket_id].mbuf_pool)
+			continue;
+
+		sa_init(&socket_ctx[socket_id], socket_id, ep);
+
+		sp_init(&socket_ctx[socket_id], socket_id, ep);
+
+		rt_init(&socket_ctx[socket_id], socket_id, ep);
+
+		pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
+	}
+
+	for (portid = 0; portid < nb_ports; portid++) {
+		if ((enabled_port_mask & (1 << portid)) == 0)
+			continue;
+
+		port_init(portid);
+	}
+
+	cryptodevs_init();
+
+	/* start ports */
+	for (portid = 0; portid < nb_ports; portid++) {
+		if ((enabled_port_mask & (1 << portid)) == 0)
+			continue;
+
+		/* Start device */
+		ret = rte_eth_dev_start(portid);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
+					"err=%d, port=%d\n", ret, portid);
+		/*
+		 * If enabled, put device in promiscuous mode.
+		 * This allows IO forwarding mode to forward packets
+		 * to itself through 2 cross-connected  ports of the
+		 * target machine.
+		 */
+		if (promiscuous_on)
+			rte_eth_promiscuous_enable(portid);
+	}
+
+	check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask);
+
+	/* launch per-lcore init on every lcore */
+	rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER);
+	RTE_LCORE_FOREACH_SLAVE(lcore_id) {
+		if (rte_eal_wait_lcore(lcore_id) < 0)
+			return -1;
+	}
+
+	return 0;
+}
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
new file mode 100644
index 0000000..d385100
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec.c
@@ -0,0 +1,203 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_branch_prediction.h>
+#include <rte_log.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_mbuf.h>
+#include <rte_hash.h>
+
+#include "ipsec.h"
+
+static inline int
+create_session(struct ipsec_ctx *ipsec_ctx __rte_unused, struct ipsec_sa *sa)
+{
+	uint32_t cdev_id_qp = 0;
+	int32_t ret;
+	struct cdev_key key = { 0 };
+
+	key.lcore_id = (uint8_t)rte_lcore_id();
+
+	key.cipher_algo = (uint8_t)sa->cipher_algo;
+	key.auth_algo = (uint8_t)sa->auth_algo;
+
+	ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
+			(void **)&cdev_id_qp);
+	if (ret < 0) {
+		IPSEC_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, "
+				"auth_algo %u\n", key.lcore_id, key.cipher_algo,
+				key.auth_algo);
+		return -1;
+	}
+
+	IPSEC_LOG(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev "
+			"%u qp %u\n", sa->spi, ipsec_ctx->tbl[cdev_id_qp].id,
+			ipsec_ctx->tbl[cdev_id_qp].qp);
+
+	sa->crypto_session = rte_cryptodev_sym_session_create(
+			ipsec_ctx->tbl[cdev_id_qp].id, sa->xforms);
+
+	sa->cdev_id_qp = cdev_id_qp;
+
+	return 0;
+}
+
+static inline void
+enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop)
+{
+	int ret, i;
+
+	cqp->buf[cqp->len++] = cop;
+
+	if (cqp->len == MAX_PKT_BURST) {
+		ret = rte_cryptodev_enqueue_burst(cqp->id, cqp->qp,
+				cqp->buf, cqp->len);
+		if (ret < cqp->len) {
+			IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:"
+					" enqueued %u crypto ops out of %u\n",
+					 cqp->id, cqp->qp,
+					 ret, cqp->len);
+			for (i = ret; i < cqp->len; i++)
+				rte_pktmbuf_free(cqp->buf[i]->sym->m_src);
+		}
+		cqp->in_flight += ret;
+		cqp->len = 0;
+	}
+}
+
+static inline uint16_t
+ipsec_processing(struct ipsec_ctx *ipsec_ctx, struct rte_mbuf *pkts[],
+		struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts)
+{
+	int ret = 0, i, j, nb_cops;
+	struct ipsec_mbuf_metadata *priv;
+	struct rte_crypto_op *cops[max_pkts];
+	struct ipsec_sa *sa;
+	struct rte_mbuf *pkt;
+
+	for (i = 0; i < nb_pkts; i++) {
+		rte_prefetch0(sas[i]);
+		rte_prefetch0(pkts[i]);
+
+		priv = get_priv(pkts[i]);
+		sa = sas[i];
+		priv->sa = sa;
+
+		IPSEC_ASSERT(sa != NULL);
+
+		priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
+
+		rte_prefetch0(&priv->sym_cop);
+		priv->cop.sym = &priv->sym_cop;
+
+		if ((unlikely(sa->crypto_session == NULL)) &&
+				create_session(ipsec_ctx, sa)) {
+			rte_pktmbuf_free(pkts[i]);
+			continue;
+		}
+
+		rte_crypto_op_attach_sym_session(&priv->cop,
+				sa->crypto_session);
+
+		ret = sa->pre_crypto(pkts[i], sa, &priv->cop);
+		if (unlikely(ret)) {
+			rte_pktmbuf_free(pkts[i]);
+			continue;
+		}
+
+		IPSEC_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps);
+		enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop);
+	}
+
+	nb_pkts = 0;
+	for (i = 0; i < ipsec_ctx->nb_qps && nb_pkts < max_pkts; i++) {
+		struct cdev_qp *cqp;
+
+		cqp = &ipsec_ctx->tbl[ipsec_ctx->last_qp++];
+		if (ipsec_ctx->last_qp == ipsec_ctx->nb_qps)
+			ipsec_ctx->last_qp %= ipsec_ctx->nb_qps;
+
+		if (cqp->in_flight == 0)
+			continue;
+
+		nb_cops = rte_cryptodev_dequeue_burst(cqp->id, cqp->qp,
+				cops, max_pkts - nb_pkts);
+
+		cqp->in_flight -= nb_cops;
+
+		for (j = 0; j < nb_cops; j++) {
+			pkt = cops[j]->sym->m_src;
+			rte_prefetch0(pkt);
+
+			priv = get_priv(pkt);
+			sa = priv->sa;
+
+			IPSEC_ASSERT(sa != NULL);
+
+			ret = sa->post_crypto(pkt, sa, cops[j]);
+			if (unlikely(ret))
+				rte_pktmbuf_free(pkt);
+			else
+				pkts[nb_pkts++] = pkt;
+		}
+	}
+
+	/* return packets */
+	return nb_pkts;
+}
+
+uint16_t
+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint16_t nb_pkts, uint16_t len)
+{
+	struct ipsec_sa *sas[nb_pkts];
+
+	inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts);
+
+	return ipsec_processing(ctx, pkts, sas, nb_pkts, len);
+}
+
+uint16_t
+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len)
+{
+	struct ipsec_sa *sas[nb_pkts];
+
+	outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts);
+
+	return ipsec_processing(ctx, pkts, sas, nb_pkts, len);
+}
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
new file mode 100644
index 0000000..8eb4e76
--- /dev/null
+++ b/examples/ipsec-secgw/ipsec.h
@@ -0,0 +1,192 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __IPSEC_H__
+#define __IPSEC_H__
+
+#include <stdint.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#include <rte_byteorder.h>
+#include <rte_ip.h>
+#include <rte_crypto.h>
+
+#define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
+#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
+#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3
+
+#define MAX_PKT_BURST 32
+#define MAX_QP_PER_LCORE 256
+
+#ifdef IPSEC_DEBUG
+#define IPSEC_ASSERT(exp)                                            \
+if (!(exp)) {                                                        \
+	rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \
+}
+
+#define IPSEC_LOG RTE_LOG
+#else
+#define IPSEC_ASSERT(exp) do {} while (0)
+#define IPSEC_LOG(...) do {} while (0)
+#endif /* IPSEC_DEBUG */
+
+#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
+
+#define uint32_t_to_char(ip, a, b, c, d) do {\
+		*a = (unsigned char)(ip >> 24 & 0xff);\
+		*b = (unsigned char)(ip >> 16 & 0xff);\
+		*c = (unsigned char)(ip >> 8 & 0xff);\
+		*d = (unsigned char)(ip & 0xff);\
+	} while (0)
+
+#define DEFAULT_MAX_CATEGORIES	1
+
+#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */
+#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
+#define INVALID_SPI (0)
+
+#define DISCARD (0x80000000)
+#define BYPASS (0x40000000)
+#define PROTECT_MASK (0x3fffffff)
+#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */
+
+#define IPSEC_XFORM_MAX 2
+
+struct rte_crypto_xform;
+struct ipsec_xform;
+struct rte_cryptodev_session;
+struct rte_mbuf;
+
+struct ipsec_sa;
+
+typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
+		struct rte_crypto_op *cop);
+
+struct ipsec_sa {
+	uint32_t spi;
+	uint32_t cdev_id_qp;
+	uint32_t src;
+	uint32_t dst;
+	struct rte_cryptodev_sym_session *crypto_session;
+	struct rte_crypto_sym_xform *xforms;
+	ipsec_xform_fn pre_crypto;
+	ipsec_xform_fn post_crypto;
+	enum rte_crypto_cipher_algorithm cipher_algo;
+	enum rte_crypto_auth_algorithm auth_algo;
+	uint16_t digest_len;
+	uint16_t iv_len;
+	uint16_t block_size;
+	uint16_t flags;
+	uint32_t seq;
+} __rte_cache_aligned;
+
+struct ipsec_mbuf_metadata {
+	struct ipsec_sa *sa;
+	struct rte_crypto_op cop;
+	struct rte_crypto_sym_op sym_cop;
+};
+
+struct cdev_qp {
+	uint16_t id;
+	uint16_t qp;
+	uint16_t in_flight;
+	uint16_t len;
+	struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
+};
+
+struct ipsec_ctx {
+	struct rte_hash *cdev_map;
+	struct sp_ctx *sp_ctx;
+	struct sa_ctx *sa_ctx;
+	uint16_t nb_qps;
+	uint16_t last_qp;
+	struct cdev_qp tbl[MAX_QP_PER_LCORE];
+};
+
+struct cdev_key {
+	uint16_t lcore_id;
+	uint8_t cipher_algo;
+	uint8_t auth_algo;
+};
+
+struct socket_ctx {
+	struct sa_ctx *sa_ipv4_in;
+	struct sa_ctx *sa_ipv4_out;
+	struct sp_ctx *sp_ipv4_in;
+	struct sp_ctx *sp_ipv4_out;
+	struct rt_ctx *rt_ipv4;
+	struct rte_mempool *mbuf_pool;
+};
+
+uint16_t
+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint16_t nb_pkts, uint16_t len);
+
+uint16_t
+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
+		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
+
+static inline uint16_t
+ipsec_metadata_size(void)
+{
+	return sizeof(struct ipsec_mbuf_metadata);
+}
+
+static inline struct ipsec_mbuf_metadata *
+get_priv(struct rte_mbuf *m)
+{
+	return RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
+}
+
+int
+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
+
+void
+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts);
+
+void
+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts);
+
+void
+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+void
+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+void
+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep);
+
+#endif /* __IPSEC_H__ */
diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c
new file mode 100644
index 0000000..c3bb4de
--- /dev/null
+++ b/examples/ipsec-secgw/rt.c
@@ -0,0 +1,144 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Routing Table (RT)
+ */
+#include <rte_lpm.h>
+#include <rte_errno.h>
+
+#include "ipsec.h"
+
+#define RT_IPV4_MAX_RULES         64
+
+struct ipv4_route {
+	uint32_t ip;
+	uint8_t  depth;
+	uint8_t  if_out;
+};
+
+/* In the default routing table we have:
+ * ep0 protected ports 0 and 1, and unprotected ports 2 and 3.
+ */
+static struct ipv4_route rt_ipv4_ep0[] = {
+	{ IPv4(172, 16, 2, 5), 32, 0 },
+	{ IPv4(172, 16, 2, 6), 32, 0 },
+	{ IPv4(172, 16, 2, 7), 32, 1 },
+	{ IPv4(172, 16, 2, 8), 32, 1 },
+
+	{ IPv4(192, 168, 115, 0), 24, 2 },
+	{ IPv4(192, 168, 116, 0), 24, 2 },
+	{ IPv4(192, 168, 117, 0), 24, 3 },
+	{ IPv4(192, 168, 118, 0), 24, 3 },
+
+	{ IPv4(192, 168, 210, 0), 24, 2 },
+
+	{ IPv4(192, 168, 240, 0), 24, 2 },
+	{ IPv4(192, 168, 250, 0), 24, 0 }
+};
+
+/* In the default routing table we have:
+ * ep1 protected ports 0 and 1, and unprotected ports 2 and 3.
+ */
+static struct ipv4_route rt_ipv4_ep1[] = {
+	{ IPv4(172, 16, 1, 5), 32, 2 },
+	{ IPv4(172, 16, 1, 6), 32, 2 },
+	{ IPv4(172, 16, 1, 7), 32, 3 },
+	{ IPv4(172, 16, 1, 8), 32, 3 },
+
+	{ IPv4(192, 168, 105, 0), 24, 0 },
+	{ IPv4(192, 168, 106, 0), 24, 0 },
+	{ IPv4(192, 168, 107, 0), 24, 1 },
+	{ IPv4(192, 168, 108, 0), 24, 1 },
+
+	{ IPv4(192, 168, 200, 0), 24, 0 },
+
+	{ IPv4(192, 168, 240, 0), 24, 2 },
+	{ IPv4(192, 168, 250, 0), 24, 0 }
+};
+
+void
+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+	char name[PATH_MAX];
+	unsigned i;
+	int ret;
+	struct rte_lpm *lpm;
+	struct ipv4_route *rt;
+	char a, b, c, d;
+	unsigned nb_routes;
+	struct rte_lpm_config conf = { 0 };
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->rt_ipv4 != NULL)
+		rte_exit(EXIT_FAILURE, "Routing Table for socket %u already "
+			"initialized\n", socket_id);
+
+	printf("Creating Routing Table (RT) context with %u max routes\n",
+			RT_IPV4_MAX_RULES);
+
+	if (ep == 0) {
+		rt = rt_ipv4_ep0;
+		nb_routes = RTE_DIM(rt_ipv4_ep0);
+	} else if (ep == 1) {
+		rt = rt_ipv4_ep1;
+		nb_routes = RTE_DIM(rt_ipv4_ep1);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 "
+			"supported.\n", ep);
+
+	/* create the LPM table */
+	snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id);
+	conf.max_rules = RT_IPV4_MAX_RULES;
+	conf.number_tbl8s = RTE_LPM_TBL8_NUM_ENTRIES;
+	lpm = rte_lpm_create(name, socket_id, &conf);
+	if (lpm == NULL)
+		rte_exit(EXIT_FAILURE, "Unable to create LPM table "
+			"on socket %d\n", socket_id);
+
+	/* populate the LPM table */
+	for (i = 0; i < nb_routes; i++) {
+		ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out);
+		if (ret < 0)
+			rte_exit(EXIT_FAILURE, "Unable to add entry num %u to "
+				"LPM table on socket %d\n", i, socket_id);
+
+		uint32_t_to_char(rt[i].ip, &a, &b, &c, &d);
+		printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n",
+				a, b, c, d, rt[i].depth, rt[i].if_out);
+	}
+
+	ctx->rt_ipv4 = (struct rt_ctx *)lpm;
+}
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
new file mode 100644
index 0000000..91a5f6e
--- /dev/null
+++ b/examples/ipsec-secgw/sa.c
@@ -0,0 +1,438 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Associations
+ */
+#include <netinet/ip.h>
+
+#include <rte_memzone.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_byteorder.h>
+#include <rte_errno.h>
+
+#include "ipsec.h"
+#include "esp.h"
+
+/* SAs EP0 Outbound */
+const struct ipsec_sa sa_ep0_out[] = {
+	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL,
+		0, 0, 4,
+		0, 0 },
+};
+
+/* SAs EP0 Inbound */
+const struct ipsec_sa sa_ep0_in[] = {
+	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL,
+		0, 0, 4,
+		0, 0 },
+};
+
+/* SAs EP1 Outbound */
+const struct ipsec_sa sa_ep1_out[] = {
+	{ 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 9, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5),
+		NULL, NULL,
+		esp4_tunnel_outbound_pre_crypto,
+		esp4_tunnel_outbound_post_crypto,
+		RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL,
+		0, 0, 4,
+		0, 0 },
+};
+
+/* SAs EP1 Inbound */
+const struct ipsec_sa sa_ep1_in[] = {
+	{ 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		12, 16, 16,
+		0, 0 },
+	{ 9, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5),
+		NULL, NULL,
+		esp4_tunnel_inbound_pre_crypto,
+		esp4_tunnel_inbound_post_crypto,
+		RTE_CRYPTO_CIPHER_NULL, RTE_CRYPTO_AUTH_NULL,
+		0, 0, 4,
+		0, 0 },
+};
+
+static uint8_t cipher_key[256] = "sixteenbytes key";
+
+/* AES CBC xform */
+const struct rte_crypto_sym_xform aescbc_enc_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_CIPHER,
+	.cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
+		.key = { cipher_key, 16 } }
+};
+
+const struct rte_crypto_sym_xform aescbc_dec_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_CIPHER,
+	.cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
+		.key = { cipher_key, 16 } }
+};
+
+static uint8_t auth_key[256] = "twentybytes hash key";
+
+/* SHA1 HMAC xform */
+const struct rte_crypto_sym_xform sha1hmac_gen_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_AUTH,
+	.auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		.key = { auth_key, 20 }, 12, 0 }
+};
+
+const struct rte_crypto_sym_xform sha1hmac_verify_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_AUTH,
+	.auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC,
+		.key = { auth_key, 20 }, 12, 0 }
+};
+
+/* AES CBC xform */
+const struct rte_crypto_sym_xform null_cipher_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_CIPHER,
+	.cipher = { .algo = RTE_CRYPTO_CIPHER_NULL }
+};
+
+const struct rte_crypto_sym_xform null_auth_xf = {
+	NULL,
+	RTE_CRYPTO_SYM_XFORM_AUTH,
+	.auth = { .algo = RTE_CRYPTO_AUTH_NULL }
+};
+
+struct sa_ctx {
+	struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES];
+	struct {
+		struct rte_crypto_sym_xform a;
+		struct rte_crypto_sym_xform b;
+	} xf[IPSEC_SA_MAX_ENTRIES];
+};
+
+static struct sa_ctx *
+sa_ipv4_create(const char *name, int socket_id)
+{
+	char s[PATH_MAX];
+	struct sa_ctx *sa_ctx;
+	unsigned mz_size;
+	const struct rte_memzone *mz;
+
+	snprintf(s, sizeof(s), "%s_%u", name, socket_id);
+
+	/* Create SA array table */
+	printf("Creating SA context with %u maximum entries\n",
+			IPSEC_SA_MAX_ENTRIES);
+
+	mz_size = sizeof(struct sa_ctx);
+	mz = rte_memzone_reserve(s, mz_size, socket_id,
+			RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY);
+	if (mz == NULL) {
+		printf("Failed to allocate SA DB memory\n");
+		rte_errno = -ENOMEM;
+		return NULL;
+	}
+
+	sa_ctx = (struct sa_ctx *)mz->addr;
+
+	return sa_ctx;
+}
+
+static int
+sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+		unsigned nb_entries, unsigned inbound)
+{
+	struct ipsec_sa *sa;
+	unsigned i, idx;
+
+	for (i = 0; i < nb_entries; i++) {
+		idx = SPI2IDX(entries[i].spi);
+		sa = &sa_ctx->sa[idx];
+		if (sa->spi != 0) {
+			printf("Index %u already in use by SPI %u\n",
+					idx, sa->spi);
+			return -EINVAL;
+		}
+		*sa = entries[i];
+		sa->src = rte_cpu_to_be_32(sa->src);
+		sa->dst = rte_cpu_to_be_32(sa->dst);
+		if (inbound) {
+			if (sa->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
+				sa_ctx->xf[idx].a = null_auth_xf;
+				sa_ctx->xf[idx].b = null_cipher_xf;
+			} else {
+				sa_ctx->xf[idx].a = sha1hmac_verify_xf;
+				sa_ctx->xf[idx].b = aescbc_dec_xf;
+			}
+		} else { /* outbound */
+			if (sa->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
+				sa_ctx->xf[idx].a = null_cipher_xf;
+				sa_ctx->xf[idx].b = null_auth_xf;
+			} else {
+				sa_ctx->xf[idx].a = aescbc_enc_xf;
+				sa_ctx->xf[idx].b = sha1hmac_gen_xf;
+			}
+		}
+		sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+		sa_ctx->xf[idx].b.next = NULL;
+		sa->xforms = &sa_ctx->xf[idx].a;
+	}
+
+	return 0;
+}
+
+static inline int
+sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+		unsigned nb_entries)
+{
+	return sa_add_rules(sa_ctx, entries, nb_entries, 0);
+}
+
+static inline int
+sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+		unsigned nb_entries)
+{
+	return sa_add_rules(sa_ctx, entries, nb_entries, 1);
+}
+
+void
+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+	const struct ipsec_sa *sa_out_entries, *sa_in_entries;
+	unsigned nb_out_entries, nb_in_entries;
+	const char *name;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->sa_ipv4_in != NULL)
+		rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ctx->sa_ipv4_out != NULL)
+		rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ep == 0) {
+		sa_out_entries = sa_ep0_out;
+		nb_out_entries = RTE_DIM(sa_ep0_out);
+		sa_in_entries = sa_ep0_in;
+		nb_in_entries = RTE_DIM(sa_ep0_in);
+	} else if (ep == 1) {
+		sa_out_entries = sa_ep1_out;
+		nb_out_entries = RTE_DIM(sa_ep1_out);
+		sa_in_entries = sa_ep1_in;
+		nb_in_entries = RTE_DIM(sa_ep1_in);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+				"Only 0 or 1 supported.\n", ep);
+
+	name = "sa_ipv4_in";
+	ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id);
+	if (ctx->sa_ipv4_in == NULL)
+		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
+				"in socket %d\n", rte_errno, name, socket_id);
+
+	name = "sa_ipv4_out";
+	ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id);
+	if (ctx->sa_ipv4_out == NULL)
+		rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s "
+				"in socket %d\n", rte_errno, name, socket_id);
+
+	sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, nb_in_entries);
+
+	sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, nb_out_entries);
+}
+
+int
+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx)
+{
+	struct ipsec_mbuf_metadata *priv;
+
+	priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
+
+	return (sa_ctx->sa[sa_idx].spi == priv->sa->spi);
+}
+
+void
+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts)
+{
+	unsigned i;
+	uint32_t *src, spi;
+
+	for (i = 0; i < nb_pkts; i++) {
+		spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *,
+				sizeof(struct ip))->spi;
+
+		if (spi == INVALID_SPI)
+			continue;
+
+		sa[i] = &sa_ctx->sa[SPI2IDX(spi)];
+		if (spi != sa[i]->spi) {
+			sa[i] = NULL;
+			continue;
+		}
+
+		src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *,
+				offsetof(struct ip, ip_src));
+		if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1)))
+			sa[i] = NULL;
+	}
+}
+
+void
+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
+		struct ipsec_sa *sa[], uint16_t nb_pkts)
+{
+	unsigned i;
+
+	for (i = 0; i < nb_pkts; i++)
+		sa[i] = &sa_ctx->sa[sa_idx[i]];
+}
diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c
new file mode 100644
index 0000000..7972f40
--- /dev/null
+++ b/examples/ipsec-secgw/sp.c
@@ -0,0 +1,364 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2016 Intel Corporation. All rights reserved.
+ *   All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Security Policies
+ */
+#include <netinet/ip.h>
+
+#include <rte_acl.h>
+
+#include "ipsec.h"
+
+#define MAX_ACL_RULE_NUM	1000
+
+/*
+ * Rule and trace formats definitions.
+ */
+enum {
+	PROTO_FIELD_IPV4,
+	SRC_FIELD_IPV4,
+	DST_FIELD_IPV4,
+	SRCP_FIELD_IPV4,
+	DSTP_FIELD_IPV4,
+	NUM_FIELDS_IPV4
+};
+
+/*
+ * That effectively defines order of IPV4 classifications:
+ *  - PROTO
+ *  - SRC IP ADDRESS
+ *  - DST IP ADDRESS
+ *  - PORTS (SRC and DST)
+ */
+enum {
+	RTE_ACL_IPV4_PROTO,
+	RTE_ACL_IPV4_SRC,
+	RTE_ACL_IPV4_DST,
+	RTE_ACL_IPV4_PORTS,
+	RTE_ACL_IPV4_NUM
+};
+
+struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
+	{
+	.type = RTE_ACL_FIELD_TYPE_BITMASK,
+	.size = sizeof(uint8_t),
+	.field_index = PROTO_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PROTO,
+	.offset = 0,
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = sizeof(uint32_t),
+	.field_index = SRC_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_SRC,
+	.offset = offsetof(struct ip, ip_src) -	offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_MASK,
+	.size = sizeof(uint32_t),
+	.field_index = DST_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_DST,
+	.offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = SRCP_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PORTS,
+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
+	},
+	{
+	.type = RTE_ACL_FIELD_TYPE_RANGE,
+	.size = sizeof(uint16_t),
+	.field_index = DSTP_FIELD_IPV4,
+	.input_index = RTE_ACL_IPV4_PORTS,
+	.offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
+		sizeof(uint16_t)
+	},
+};
+
+RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs));
+
+const struct acl4_rules acl4_rules_in[] = {
+	{
+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 105, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 106, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 107, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 108, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 200, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 6},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 250, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+const struct acl4_rules acl4_rules_out[] = {
+	{
+	.data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 115, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 116, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 117, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 118, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = PROTECT(9), .category_mask = 1, .priority = 5},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 210, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	},
+	{
+	.data = {.userdata = BYPASS, .category_mask = 1, .priority = 6},
+	/* destination IPv4 */
+	.field[2] = {.value.u32 = IPv4(192, 168, 240, 0),
+				.mask_range.u32 = 24,},
+	/* source port */
+	.field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},
+	/* destination port */
+	.field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}
+	}
+};
+
+static void
+print_one_ipv4_rule(const struct acl4_rules *rule, int extra)
+{
+	unsigned char a, b, c, d;
+
+	uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
+			&a, &b, &c, &d);
+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+			rule->field[SRC_FIELD_IPV4].mask_range.u32);
+	uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
+			&a, &b, &c, &d);
+	printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
+			rule->field[DST_FIELD_IPV4].mask_range.u32);
+	printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
+		rule->field[SRCP_FIELD_IPV4].value.u16,
+		rule->field[SRCP_FIELD_IPV4].mask_range.u16,
+		rule->field[DSTP_FIELD_IPV4].value.u16,
+		rule->field[DSTP_FIELD_IPV4].mask_range.u16,
+		rule->field[PROTO_FIELD_IPV4].value.u8,
+		rule->field[PROTO_FIELD_IPV4].mask_range.u8);
+	if (extra)
+		printf("0x%x-0x%x-0x%x ",
+			rule->data.category_mask,
+			rule->data.priority,
+			rule->data.userdata);
+}
+
+static inline void
+dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra)
+{
+	int i;
+
+	for (i = 0; i < num; i++, rule++) {
+		printf("\t%d:", i + 1);
+		print_one_ipv4_rule(rule, extra);
+		printf("\n");
+	}
+}
+
+static struct rte_acl_ctx *
+acl4_init(const char *name, int socketid, const struct acl4_rules *rules,
+		unsigned rules_nb)
+{
+	char s[PATH_MAX];
+	struct rte_acl_param acl_param;
+	struct rte_acl_config acl_build_param;
+	struct rte_acl_ctx *ctx;
+
+	printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
+
+	memset(&acl_param, 0, sizeof(acl_param));
+
+	/* Create ACL contexts */
+	snprintf(s, sizeof(s), "%s_%d", name, socketid);
+
+	printf("IPv4 %s entries [%u]:\n", s, rules_nb);
+	dump_ipv4_rules(rules, rules_nb, 1);
+
+	acl_param.name = s;
+	acl_param.socket_id = socketid;
+	acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs));
+	acl_param.max_rule_num = MAX_ACL_RULE_NUM;
+
+	ctx = rte_acl_create(&acl_param);
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
+
+	if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
+				rules_nb) < 0)
+		rte_exit(EXIT_FAILURE, "add rules failed\n");
+
+	/* Perform builds */
+	memset(&acl_build_param, 0, sizeof(acl_build_param));
+
+	acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
+	acl_build_param.num_fields = RTE_DIM(ipv4_defs);
+	memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs));
+
+	if (rte_acl_build(ctx, &acl_build_param) != 0)
+		rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
+
+	rte_acl_dump(ctx);
+
+	return ctx;
+}
+
+void
+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep)
+{
+	const char *name;
+	const struct acl4_rules *rules_out, *rules_in;
+	unsigned nb_out_rules, nb_in_rules;
+
+	if (ctx == NULL)
+		rte_exit(EXIT_FAILURE, "NULL context.\n");
+
+	if (ctx->sp_ipv4_in != NULL)
+		rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ctx->sp_ipv4_out != NULL)
+		rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
+				"initialized\n", socket_id);
+
+	if (ep == 0) {
+		rules_out = acl4_rules_in;
+		nb_out_rules = RTE_DIM(acl4_rules_in);
+		rules_in = acl4_rules_out;
+		nb_in_rules = RTE_DIM(acl4_rules_out);
+	} else if (ep == 1) {
+		rules_out = acl4_rules_out;
+		nb_out_rules = RTE_DIM(acl4_rules_out);
+		rules_in = acl4_rules_in;
+		nb_in_rules = RTE_DIM(acl4_rules_in);
+	} else
+		rte_exit(EXIT_FAILURE, "Invalid EP value %u. "
+				"Only 0 or 1 supported.\n", ep);
+
+	name = "sp_ipv4_in";
+	ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id,
+			rules_in, nb_in_rules);
+
+	name = "sp_ipv4_out";
+	ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id,
+			rules_out, nb_out_rules);
+}
-- 
2.4.3

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway
  2016-03-11  2:12   ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy
@ 2016-03-11 10:01     ` De Lara Guarch, Pablo
  2016-03-11 10:07       ` Thomas Monjalon
  2016-03-11 10:02     ` Thomas Monjalon
  1 sibling, 1 reply; 15+ messages in thread
From: De Lara Guarch, Pablo @ 2016-03-11 10:01 UTC (permalink / raw)
  To: Gonzalez Monroy, Sergio, dev

> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Sergio Gonzalez
> Monroy
> Sent: Friday, March 11, 2016 2:13 AM
> To: dev@dpdk.org
> Subject: [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway
> 
> Sample app implementing an IPsec Security Geteway.
> The main goal of this app is to show the use of cryptodev framework
> in a "real world" application.
> 
> Currently only supported static IPv4 ESP IPsec tunnels for the following
> algorithms:
> - Cipher: AES-CBC, NULL
> - Authentication: HMAC-SHA1, NULL
> 
> Not supported:
> - SA auto negotiation (No IKE implementation)
> - chained mbufs
> 
> Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>

Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway
  2016-03-11  2:12   ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy
  2016-03-11 10:01     ` De Lara Guarch, Pablo
@ 2016-03-11 10:02     ` Thomas Monjalon
  1 sibling, 0 replies; 15+ messages in thread
From: Thomas Monjalon @ 2016-03-11 10:02 UTC (permalink / raw)
  To: Sergio Gonzalez Monroy; +Cc: dev

2016-03-11 02:12, Sergio Gonzalez Monroy:
> +M: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> +F: doc/guides/sample_app_ug/ipsec-secgw.rst

Typo in filename (will fix)

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH v3] example/ipsec-secgw: ipsec security gateway
  2016-03-11 10:01     ` De Lara Guarch, Pablo
@ 2016-03-11 10:07       ` Thomas Monjalon
  0 siblings, 0 replies; 15+ messages in thread
From: Thomas Monjalon @ 2016-03-11 10:07 UTC (permalink / raw)
  To: Gonzalez Monroy, Sergio; +Cc: dev

> > Sample app implementing an IPsec Security Geteway.
> > The main goal of this app is to show the use of cryptodev framework
> > in a "real world" application.
> > 
> > Currently only supported static IPv4 ESP IPsec tunnels for the following
> > algorithms:
> > - Cipher: AES-CBC, NULL
> > - Authentication: HMAC-SHA1, NULL
> > 
> > Not supported:
> > - SA auto negotiation (No IKE implementation)
> > - chained mbufs
> > 
> > Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
> 
> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

Applied, thanks

^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2016-03-11 10:09 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-01-29 20:29 [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway Sergio Gonzalez Monroy
2016-01-31 14:39 ` Jerin Jacob
2016-02-01 11:09   ` Sergio Gonzalez Monroy
2016-02-01 11:26     ` Jerin Jacob
2016-02-01 14:09       ` Thomas Monjalon
2016-03-09 23:54       ` Sergio Gonzalez Monroy
2016-03-10  3:41         ` Jerin Jacob
2016-02-24 13:32 ` Thomas Monjalon
2016-02-24 14:49   ` Sergio Gonzalez Monroy
2016-03-11  1:38 ` [dpdk-dev] [PATCH v2] " Sergio Gonzalez Monroy
2016-03-11  2:12   ` De Lara Guarch, Pablo
2016-03-11  2:12   ` [dpdk-dev] [PATCH v3] " Sergio Gonzalez Monroy
2016-03-11 10:01     ` De Lara Guarch, Pablo
2016-03-11 10:07       ` Thomas Monjalon
2016-03-11 10:02     ` Thomas Monjalon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).