From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0089.outbound.protection.outlook.com [207.46.100.89]) by dpdk.org (Postfix) with ESMTP id 1D274377E for ; Mon, 1 Feb 2016 12:27:23 +0100 (CET) Authentication-Results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=caviumnetworks.com; Received: from localhost.localdomain (122.172.118.100) by BLUPR0701MB1715.namprd07.prod.outlook.com (10.163.85.141) with Microsoft SMTP Server (TLS) id 15.1.396.15; Mon, 1 Feb 2016 11:27:13 +0000 Date: Mon, 1 Feb 2016 16:56:49 +0530 From: Jerin Jacob To: Sergio Gonzalez Monroy Message-ID: <20160201112646.GA10490@localhost.localdomain> References: <1454099352-29040-1-git-send-email-sergio.gonzalez.monroy@intel.com> <20160131143918.GA12763@localhost.localdomain> <56AF3CDC.5090105@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <56AF3CDC.5090105@intel.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-Originating-IP: [122.172.118.100] X-ClientProxiedBy: BM1PR01CA0025.INDPRD01.PROD.OUTLOOK.COM (25.163.198.160) To BLUPR0701MB1715.namprd07.prod.outlook.com (25.163.85.141) X-Microsoft-Exchange-Diagnostics: 1; BLUPR0701MB1715; 2:9rV1RDWjwOXuTdejEv6c+71EA30gikh//hgFmjBfF9INq/1cZPL02U8izm6FlvCrrsV2iDpf/02hAgbz3v8xpjFQEhWSxTNb8pIj8J3QR6icf6J/QY8CA10K3UewtbnMSGcVY3uPXtHoipkSYle/UQ==; 3:b+fYZjuQgBEnP20tSl9Le6Mgr1GCqn1rQUSkJzncSMMlRRXt8CU7pRxeH9k3dVq1/B6bsKv7OQrfvTp8ISK0ArfitCZXVVlkH/5Ox5J5smcOweTVvgpw8JUdNohOB6kL; 25:xU50K5RcIYaE8U5eyLSqp6aJMT67QN65vpqjRAXqBbbCPJYmj+QSwot2QT2or/IpjY7elq2r8S+zhBv7tyyejNNwNDWB4FfZfzzxBGoUYkgWoy5dGU8HQxQVJqtjWKLWLWBoreCLi7Pzy/OBSIop8+YMpXb+GrHlwsg4A0j2Uy3c/MqzTJHT/QEWT065foSs2rpfUyb/nLee/kvVmO0U9pDTUC7OjJ3slo5LGlvBxVzR1AeNa/2PhCHygCn9jPV5 X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR0701MB1715; X-MS-Office365-Filtering-Correlation-Id: 7464109a-0733-42e5-5d55-08d32afaa2c1 X-Microsoft-Exchange-Diagnostics: 1; BLUPR0701MB1715; 20:80FSX0tAk+oL1EMhdgWmw2RSwmvhiK5D0Q8JNcP6nY5byHoLjmI5QHNu4V+97A39IJNHdc1KboOxryppB8L71OXmJHohpenRqIfoqi4EerDKLvE6QRO+j/tnFb9CEMM89MzbydwuOPBcjeFaJ3zKTgf4q7l+6SiG+umFLlomcwvVXoKI9TpzefREWELSyEvheByBZiLL1YyTDZX6lWJsH8BlDS1+4/BBV68L1hBpNhNED+F3U02SwLsh0kyvwpNRMb60hzqrhhjZ/jhSCVIy0ctzrkX/4G0MXUX7vLT0mh7fQVYqFBCbjFYhEN5KnYLoEpcMKt9NRy1JRrzph4xklU78qpSRMOoyr+JDcpslcowZh+a/YtF4XSMW+5ocnNJPqdHgsdzP08icrjndYpxsBlGpoyVrBFU4JICrI4DvwsjEevkqdXClrsI/PHMA++aPCCg8cidDVLYq1H6ngiIzoXiA2TPch5NioMQ7h63VVrkRuu1E/fYd72ZZurYocvneh8k5w37dkXOhIthIEEQyqQ9zojZzNBJJ+g/36qCBZehEUfMUvgCHsa3B8HuHt5Xt6EnPIwkIpDRgXuAxeNKqlKMdNnW7h/EKK+FlqoCdOt4= X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001); SRVR:BLUPR0701MB1715; BCL:0; PCL:0; RULEID:; SRVR:BLUPR0701MB1715; X-Microsoft-Exchange-Diagnostics: 1; BLUPR0701MB1715; 4:O2yM86Uo25OW+Awd09YNavpTABWaALFTI7tHYIrv6PpOUTtp523ikDfL1YgvDq4noZOahtd26Mq0t/s4gvlz2F0+7rjH9TfbcjALgvyQLi6U19xhnkY7wRToZLAZ7A5Pzhd2NLbxDzU44yeoOPvr2VK5gIzfES2XBPcZ3/VPd0JKN0ZpOV3WjQPHH9KxN9LYxvYH0n71pfXD32ZOgR8KkPymu844vnY/LBeuUyniT2irw9jjx6ZAoxEaiLh/gdPkBYHE2p2IYvfcwTYcMknkyHjy2H7jHpABfqdj8ecuAc586Ee1en+gtVL+ACUPJXGoB6XHVkbIGbBXg0s6P27DetJalgly0Ijf3LW8xv8JtmlLf70SCgJFetb8/Cu/qK7c X-Forefront-PRVS: 0839D067E7 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(6009001)(6069001)(479174004)(24454002)(15975445007)(2950100001)(33656002)(586003)(1096002)(23726003)(15395725005)(77096005)(1076002)(3846002)(42186005)(46406003)(110136002)(5004730100002)(189998001)(50466002)(4326007)(92566002)(10710500007)(7110500001)(3470700001)(2420400006)(5890100001)(122386002)(40100003)(2906002)(47776003)(76176999)(19580395003)(50986999)(86362001)(5008740100001)(97756001)(19580405001)(54356999)(4001350100001)(5001960100002)(87976001)(83506001)(66066001)(559001)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR0701MB1715; H:localhost.localdomain; FPR:; SPF:None; MLV:sfv; LANG:en; X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BLUPR0701MB1715; 23:ULfhLr+Q9r/1sxFonOpMbBewHRip7tpsGPSpv2I?= =?us-ascii?Q?2cVZN6AGgXGmbtYkTvjCXZdzx173r1sZdUYDH0WO6FNYrIp5z4qXj4IdF4qO?= =?us-ascii?Q?5C/mSHPrrHzvEqG48xLm3AQ3sH3PaktjxIiJPPODeXVGoLC+5wEs3pxteCK6?= =?us-ascii?Q?iuw+SMBdVTPbTDUia+MKMaukSvuhNgKIUkPLo2yyYpNW0DwNMcnXlCtrCYLG?= =?us-ascii?Q?+Uvi1N/75/iJfsTJEhpzCz+cWyHa5eZS0SnUTehJj24U5lnmbz9UX0WI676n?= =?us-ascii?Q?4aTh3gl2jPvJVYBdnJXEGvuBo4L7wSLEFhvaxvZjFK/A+/MAk+dQrwBHJNOT?= =?us-ascii?Q?HPHPbl0ac3zIhRVQZyb4nec0EWJ1gLcuO79AcAp8I6Uc2B7FOLjVoynMt7lk?= =?us-ascii?Q?uDQMuz8ecIUZdSTSX/HdluNdXGVDWpvk293bMexWMmoJwZma8vWn/fECaGrp?= =?us-ascii?Q?P4KXbZ52qgUYS0AUYzktEdpUAxBC7TK/cN69dinO4tgepNCoBHuZxpOlQkgK?= =?us-ascii?Q?FuaeXfseU4fX14je5crn/Del1JjTWL35YgsYhTqDwX6MXvXhRu/4+1PElZ37?= =?us-ascii?Q?AiIx4doc/Zua5MHa5QjuoQ3mbSX1zt9igDTKB+lsgwXJIIP9D41DJ+3a1fGN?= =?us-ascii?Q?FmObk3uS1d9f6epD06P7KdJNasbuTgRKK0/Z9i6Q87aWVEC1AEhzyxqsizrL?= =?us-ascii?Q?Z3IpY7eHyDTypsIoZdgVL4EsKJPnZRLXp84YsesdDxY16Gh2HobgtCxT9SDV?= =?us-ascii?Q?hXQQgCa+iqyoxPzhvnJk+p+GkAzSdej0auc5CvNoAvZIcurPV8jdbrtSf8uy?= =?us-ascii?Q?D+yKQhBeEmG7QHkXgJmEP9h+QDqfZ7TuNBK4UMY0zVBD+zGD7ZSuGjMFSRHf?= =?us-ascii?Q?XpfilbPbMhwUS+bAAoO1jO4FGzGwgT6UKfRU0cx8Mp4nuV5Q5247iItCKgud?= =?us-ascii?Q?jJ1sVUBFQp3gFxpV0K8+ZTrF/hej7hh40u5VshciK7ewvZn+/P35XLFr45+n?= =?us-ascii?Q?hQOLwNsFQ6NWLww4d6KlThSK4Z7rEIQcntKHb9UtpFlLWws/5wYjJPMCfXfS?= =?us-ascii?Q?bh0kdIMK2jdl+7IjXPIETEk4HadoerE3koOs7vBR1KG/dOBz2P4z5V0qK1Be?= =?us-ascii?Q?60IAUOJNQpOk/eFbvJeHDxuXadS65Ws8HPvcsDguNgXgsiDnMVHL2gejsfgb?= =?us-ascii?Q?d9HqAPBmmXhUZUsax3cYREtkHKJ0tHD9UkD2/FoBOSgbYmHM86iDX3w86dw?= =?us-ascii?Q?=3D=3D?= X-Microsoft-Exchange-Diagnostics: 1; BLUPR0701MB1715; 5:cz1DOXLlgZ4iiS50HVD4frnfm0bMANsnbQm48AbsA+JaEIASNyeD2uGbnIcj/TzHW4tJFMdCY415+itovYTW2uI9qOoUXsYOzJniGSm3y4E1zxAh1aZyJhjpdFI2dERbfph7SYEt+PLsNBIFnj0J+g==; 24:zs53xWGzXwZCpLjBebS1P8uCcTlzS9R6pBtOGb2PVtCefxPSeWVGIUX7z1iZI68Wu16BjOME5oReIhSBPKEHoz1g41ertkpw+uYMhVb9cFA= SpamDiagnosticOutput: 1:23 SpamDiagnosticMetadata: NSPM X-OriginatorOrg: caviumnetworks.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Feb 2016 11:27:13.2330 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR0701MB1715 Cc: dev@dpdk.org Subject: Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Feb 2016 11:27:24 -0000 On Mon, Feb 01, 2016 at 11:09:16AM +0000, Sergio Gonzalez Monroy wrote: > On 31/01/2016 14:39, Jerin Jacob wrote: > >On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote: > >>Sample app implementing an IPsec Security Geteway. > >>The main goal of this app is to show the use of cryptodev framework > >>in a real world application. > >> > >>Currently only supported static IPv4 IPsec tunnels using AES-CBC > >>and HMAC-SHA1. > >> > >>Also, currently not supported: > >>- SA auto negotiation (No IKE support) > >>- chained mbufs > >> > >>Signed-off-by: Sergio Gonzalez Monroy > >Hi Sergio, > > > >Great effort, one of the best highly integrated sample DPDK application > >(ethernet, acl, crypto and lpm) > > > >>--- > >> MAINTAINERS | 4 + > >> doc/guides/sample_app_ug/index.rst | 1 + > >> doc/guides/sample_app_ug/ipsec_secgw.rst | 440 +++++++++++ > >> examples/Makefile | 2 + > >> examples/ipsec-secgw/Makefile | 58 ++ > >> examples/ipsec-secgw/esp.c | 256 +++++++ > >> examples/ipsec-secgw/esp.h | 66 ++ > >> examples/ipsec-secgw/ipip.h | 100 +++ > >> examples/ipsec-secgw/ipsec-secgw.c | 1218 ++++++++++++++++++++++++++++++ > >> examples/ipsec-secgw/ipsec.c | 138 ++++ > >> examples/ipsec-secgw/ipsec.h | 184 +++++ > >> examples/ipsec-secgw/rt.c | 131 ++++ > >> examples/ipsec-secgw/sa.c | 391 ++++++++++ > >> examples/ipsec-secgw/sp.c | 324 ++++++++ > >> 14 files changed, 3313 insertions(+) > >> create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst > >> create mode 100644 examples/ipsec-secgw/Makefile > >> create mode 100644 examples/ipsec-secgw/esp.c > >> create mode 100644 examples/ipsec-secgw/esp.h > >> create mode 100644 examples/ipsec-secgw/ipip.h > >> create mode 100644 examples/ipsec-secgw/ipsec-secgw.c > >> create mode 100644 examples/ipsec-secgw/ipsec.c > >> create mode 100644 examples/ipsec-secgw/ipsec.h > >> create mode 100644 examples/ipsec-secgw/rt.c > >> create mode 100644 examples/ipsec-secgw/sa.c > >> create mode 100644 examples/ipsec-secgw/sp.c > >> > >>diff --git a/MAINTAINERS b/MAINTAINERS > >>index b90aeea..996eda6 100644 > >>--- a/MAINTAINERS > >>+++ b/MAINTAINERS > >>@@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst > >> M: Pablo de Lara > >> M: Daniel Mrzyglod > >> F: examples/ptpclient/ > >>+ > >>+M: Sergio Gonzalez Monroy > >>+F: doc/guides/sample_app_ug/ipsec-secgw.rst > >>+F: examples/ipsec-secgw/ > >>diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst > >>index 8a646dd..88375d2 100644 > >>--- a/doc/guides/sample_app_ug/index.rst > >>+++ b/doc/guides/sample_app_ug/index.rst > >>@@ -73,6 +73,7 @@ Sample Applications User Guide > >> proc_info > >> ptpclient > >> performance_thread > >>+ ipsec_secgw > >> **Figures** > >>diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst > >>new file mode 100644 > >>index 0000000..7be3f7e > >>--- /dev/null > >>+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst > >>@@ -0,0 +1,440 @@ > >>+.. BSD LICENSE > >>+ Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ All rights reserved. > >>+ > >>+ Redistribution and use in source and binary forms, with or without > >>+ modification, are permitted provided that the following conditions > >>+ are met: > >>+ > >>+ * Redistributions of source code must retain the above copyright > >>+ notice, this list of conditions and the following disclaimer. > >>+ * Redistributions in binary form must reproduce the above copyright > >>+ notice, this list of conditions and the following disclaimer in > >>+ the documentation and/or other materials provided with the > >>+ distribution. > >>+ * Neither the name of Intel Corporation nor the names of its > >>+ contributors may be used to endorse or promote products derived > >>+ from this software without specific prior written permission. > >>+ > >>+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ > >>+IPsec Security Gateway Sample Application > >>+========================================= > >>+ > >>+The IPsec Security Gateway application is a minimal example of real work > >>+application using DPDK cryptodev framework. > >>+ > >>+Overview > >>+-------- > >>+ > >>+The application demonstrates the implementation of a minimal Security Gateway > >>+(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and > >>+RFC2404. > >>+ > >>+Note that IKE is not supported (therefore not IPsec compliant), so only manual > >>+setting of Security Policies and Associations is allowed. > >>+ > >>+The Security Policies (SP) are implemented as ACL rules, the Security > >>+Associations (SA) are stored in a table and the Routing is implemented > >>+using LPM. > >>+ > >>+The application splits the ports between Protected and Unprotected. > >>+Based on the port the trafic is coming from, the traffic would be consider > >>+IPsec Inbound or Outbound. > >>+Traffic from Unprotected ports is consider IPsec Inbound, and traffic from > >>+Protected ports is consider IPsec Outbound. > >>+ > >>+Path for IPsec Inbound traffic: > >>+* Read packets from the port > >>+* Classify packets between IPv4 and ESP. > >>+* Inbound SA lookup for ESP packets based on their SPI > >>+* Verification/Decryption > >>+* Removal of ESP and outter IP header > >>+* Inbound SP check using ACL of decrypted packets and any other IPv4 packet > >>+we read. > >>+* Routing > >>+* Write packet to port > >>+ > >>+Path for IPsec Outbound traffic: > >>+* Read packets from the port > >>+* Outbound SP check using ACL of all IPv4 traffic > >>+* Outbound SA lookup for packets that need IPsec protection > >>+* Add ESP and outter IP header > >>+* Encryption/Digest > >>+* Routing > >>+* Write packet to port > >>+ > >>+Constraints > >>+----------- > >>+* IPv4 traffic > >>+* ESP tunnel mode > >>+* EAS-CBC and HMAC-SHA1 > >>+* Each SA must be handle by a unique lcore (1 RX queue per port) > >>+* No chained mbufs > >>+ > >>+Compiling the Application > >>+------------------------- > >>+ > >>+To compile the application: > >>+ > >>+#. Go to the sample application directory: > >>+ > >>+ .. code-block:: console > >>+ > >>+ export RTE_SDK=/path/to/rte_sdk > >>+ cd ${RTE_SDK}/examples/ipsec-secgw > >>+ > >>+#. Set the target (a default target is used if not specified). For example: > >>+ > >>+ .. code-block:: console > >>+ > >>+ export RTE_TARGET=x86_64-native-linuxapp-gcc > >>+ > >>+ See the *DPDK Getting Started Guide* for possible RTE_TARGET values. > >>+ > >>+#. Build the application: > >>+ > >>+ .. code-block:: console > >>+ > >>+ make > >>+ > >>+Running the Application > >>+----------------------- > >>+ > >>+The application has a number of command line options: > >>+ > >>+.. code-block:: console > >>+ > >>+ ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config > >>+ (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT > >>+ > >>+where, > >>+ > >>+* -p PORTMASK: Hexadecimal bitmask of ports to configure > >>+ > >>+* -P: optional, sets all ports to promiscuous mode so that packets are > >>+ accepted regardless of the packet's Ethernet MAC destination address. > >>+ Without this option, only packets with the Ethernet MAC destination address > >>+ set to the Ethernet address of the port are accepted (default is enabled). > >>+ > >>+* -u PORTMASK: hexadecimal bitmask of unprotected ports > >>+ > >>+* --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues > >>+ from which ports are mapped to which cores > >>+ > >>+* --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto > >>+ > >>+* --EP0: configure the app as Endpoint 0. > >>+ > >>+* --EP1: configure the app as Endpoint 1. > >>+ > >>+Either --EP0 or --EP1 must be specified. > >>+ > >>+The mapping of lcores to port/queues is similar to other l3fwd applications. > >>+ > >>+For example, given the following command line: > >>+.. code-block:: console > >>+ > >>+ ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3 > >>+ --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0 > >>+ > >>+where each options means: > >>+ > >>+* The -l option enables cores 20 and 21 > >>+ > >>+* The -n option sets memory 4 channels > >>+ > >>+* The --socket-mem to use 2GB on socket 1 > >>+ > >>+* The -p option enables ports (detected) 0, 1, 2 and 3 > >>+ > >>+* The -P option enables promiscous mode > >>+ > >>+* The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected > >>+ > >>+* The --config option enables one queue per port with the following mapping: > >>+ > >>++----------+-----------+-----------+---------------------------------------+ > >>+| **Port** | **Queue** | **lcore** | **Description** | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+| 0 | 0 | 20 | Map queue 0 from port 0 to lcore 20. | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+| 1 | 0 | 20 | Map queue 0 from port 1 to lcore 20. | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+| 2 | 0 | 21 | Map queue 0 from port 2 to lcore 21. | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+| 3 | 0 | 21 | Map queue 0 from port 3 to lcore 21. | > >>+| | | | | > >>++----------+-----------+-----------+---------------------------------------+ > >>+ > >>+Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options. > >>+ > >>+Configurations > >>+-------------- > >>+ > >>+The following sections provide some details on the default values used to > >>+initialize the SP, SA and Routing tables. > >>+Currently all the configuration is hardcoded into the application. > >>+ > >>+Security Policy Initialization > >>+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >>+ > >>+As mention in the overview, the Security Policies are ACL rules. > >>+There are two ACLs, Inbound and Outboud. > >>+The application would also replicate the set of two ACLs per socket in use. > >>+ > >>+Following are the default rules: > >>+ > >>+Endpoint 0 Outbound Security Policies: > >>+ > >>++---------+------------------+-----------+------------+ > >>+| **Src** | **Dst** | **proto** | **SA idx** | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.105.0/24 | Any | 5 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.106.0/24 | Any | 6 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.107.0/24 | Any | 7 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.108.0/24 | Any | 8 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+ > >>+Endpoint 0 Inbound Security Policies: > >>+ > >>++---------+------------------+-----------+------------+ > >>+| **Src** | **Dst** | **proto** | **SA idx** | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.115.0/24 | Any | 5 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.116.0/24 | Any | 6 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.117.0/24 | Any | 7 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.118.0/24 | Any | 8 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+ > >>+Endpoint 1 Outbound Security Policies: > >>+ > >>++---------+------------------+-----------+------------+ > >>+| **Src** | **Dst** | **proto** | **SA idx** | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.115.0/24 | Any | 5 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.116.0/24 | Any | 6 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.117.0/24 | Any | 7 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.118.0/24 | Any | 8 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+ > >>+Endpoint 1 Inbound Security Policies: > >>+ > >>++---------+------------------+-----------+------------+ > >>+| **Src** | **Dst** | **proto** | **SA idx** | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.105.0/24 | Any | 5 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.106.0/24 | Any | 6 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.107.0/24 | Any | 7 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+| Any | 192.168.108.0/24 | Any | 8 | > >>+| | | | | > >>++---------+------------------+-----------+------------+ > >>+ > >>+ > >>+Security Association Initialization > >>+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >>+ > >>+The SAs are kept in a array table. > >>+ > >>+For Inbound, the SPI is used as index module the table size. > >>+This means that on a table for 100 SA, SPI 5 and 105 would use the same index > >>+and that is not currently supported. > >>+ > >>+Notice that it is not an issue for Outbound traffic as we store the index and > >>+not the SPI in the Security Policy. > >>+ > >>+All SAs are configured with the same cipher algo, block size and key (AES-CBC > >>+16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B > >>+digest). > >>+ > >>+Following are the default values: > >>+ > >>+Endpoint 0 Outbound Security Associations: > >>+ > >>++---------+----------------+------------------+ > >>+| **SPI** | **Tunnel src** | **Tunnel dst** | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 5 | 172.16.1.5 | 172.16.2.5 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 6 | 172.16.1.6 | 172.16.2.6 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 7 | 172.16.1.7 | 172.16.2.7 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 8 | 172.16.1.8 | 172.16.2.8 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+ > >>+Endpoint 0 Inbound Security Associations: > >>+ > >>++---------+----------------+------------------+ > >>+| **SPI** | **Tunnel src** | **Tunnel dst** | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 5 | 172.16.2.5 | 172.16.1.5 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 6 | 172.16.2.6 | 172.16.1.6 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 7 | 172.16.2.7 | 172.16.1.7 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 8 | 172.16.2.8 | 172.16.1.8 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+ > >>+Endpoint 1 Outbound Security Associations: > >>+ > >>++---------+----------------+------------------+ > >>+| **SPI** | **Tunnel src** | **Tunnel dst** | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 5 | 172.16.2.5 | 172.16.1.5 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 6 | 172.16.2.6 | 172.16.1.6 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 7 | 172.16.2.7 | 172.16.1.7 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 8 | 172.16.2.8 | 172.16.1.8 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+ > >>+Endpoint 1 Inbound Security Associations: > >>+ > >>++---------+----------------+------------------+ > >>+| **SPI** | **Tunnel src** | **Tunnel dst** | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 5 | 172.16.1.5 | 172.16.2.5 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 6 | 172.16.1.6 | 172.16.2.6 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 7 | 172.16.1.7 | 172.16.2.7 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+| 8 | 172.16.1.8 | 172.16.2.8 | > >>+| | | | > >>++---------+----------------+------------------+ > >>+ > >>+Routing Initialization > >>+~~~~~~~~~~~~~~~~~~~~~~ > >>+ > >>+The Routing is implemented using LPM table. > >>+ > >>+Following default values: > >>+ > >>+Endpoint 0 Routing Table: > >>+ > >>++------------------+----------+ > >>+| **Dst addr** | **Port** | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.2.5/32 | 0 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.2.6/32 | 0 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.2.7/32 | 1 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.2.8/32 | 1 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.115.0/24 | 2 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.116.0/24 | 2 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.117.0/24 | 3 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.118.0/24 | 3 | > >>+| | | > >>++------------------+----------+ > >>+ > >>+Endpoint 1 Routing Table: > >>+ > >>++------------------+----------+ > >>+| **Dst addr** | **Port** | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.1.5/32 | 2 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.1.6/32 | 2 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.1.7/32 | 3 | > >>+| | | > >>++------------------+----------+ > >>+| 172.16.1.8/32 | 3 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.105.0/24 | 0 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.106.0/24 | 0 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.107.0/24 | 1 | > >>+| | | > >>++------------------+----------+ > >>+| 192.168.108.0/24 | 1 | > >>+| | | > >>++------------------+----------+ > >>diff --git a/examples/Makefile b/examples/Makefile > >>index 1cb4785..65ce6ce 100644 > >>--- a/examples/Makefile > >>+++ b/examples/Makefile > >>@@ -1,6 +1,7 @@ > >> # BSD LICENSE > >> # > >> # Copyright(c) 2014 6WIND S.A. > >>+# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >> # > >> # Redistribution and use in source and binary forms, with or without > >> # modification, are permitted provided that the following conditions > >>@@ -78,5 +79,6 @@ DIRS-y += vmdq > >> DIRS-y += vmdq_dcb > >> DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager > >> DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto > >>+DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw > >> include $(RTE_SDK)/mk/rte.extsubdir.mk > >>diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile > >>new file mode 100644 > >>index 0000000..5f893b8 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/Makefile > >>@@ -0,0 +1,58 @@ > >>+# BSD LICENSE > >>+# > >>+# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+# All rights reserved. > >>+# > >>+# Redistribution and use in source and binary forms, with or without > >>+# modification, are permitted provided that the following conditions > >>+# are met: > >>+# > >>+# * Redistributions of source code must retain the above copyright > >>+# notice, this list of conditions and the following disclaimer. > >>+# * Redistributions in binary form must reproduce the above copyright > >>+# notice, this list of conditions and the following disclaimer in > >>+# the documentation and/or other materials provided with the > >>+# distribution. > >>+# * Neither the name of Intel Corporation nor the names of its > >>+# contributors may be used to endorse or promote products derived > >>+# from this software without specific prior written permission. > >>+# > >>+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ > >>+ifeq ($(RTE_SDK),) > >>+ $(error "Please define RTE_SDK environment variable") > >>+endif > >>+ > >>+# Default target, can be overridden by command line or environment > >>+RTE_TARGET ?= x86_64-native-linuxapp-gcc > >>+ > >>+include $(RTE_SDK)/mk/rte.vars.mk > >>+ > >>+APP = ipsec-secgw > >>+ > >>+CFLAGS += -O3 -gdwarf-2 > >>+CFLAGS += $(WERROR_FLAGS) > >>+ > >>+VPATH += $(SRCDIR)/librte_ipsec > >>+ > >>+# > >>+# all source are stored in SRCS-y > >>+# > >>+SRCS-y += ipsec.c > >>+SRCS-y += esp.c > >>+SRCS-y += sp.c > >>+SRCS-y += sa.c > >>+SRCS-y += rt.c > >>+SRCS-y += ipsec-secgw.c > >>+ > >>+include $(RTE_SDK)/mk/rte.extapp.mk > >>diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c > >>new file mode 100644 > >>index 0000000..1be0621 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/esp.c > >>@@ -0,0 +1,256 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+ > >>+#include > >>+#include > >>+#include > >>+#include > >>+ > >>+#include "ipsec.h" > >>+#include "esp.h" > >>+#include "ipip.h" > >>+ > >>+static inline void > >>+random_iv_u64(uint64_t *buf, uint16_t n) > >>+{ > >>+ unsigned left = n & 0x7; > >>+ unsigned i; > >>+ > >>+ IPSEC_ASSERT((n & 0x3) == 0); > >>+ > >>+ for (i = 0; i < (n >> 3); i++) > >>+ buf[i] = rte_rand(); > >>+ > >>+ if (left) > >>+ *((uint32_t *)&buf[i]) = (uint32_t)lrand48(); > >>+} > >>+ > >>+/* IPv4 Tunnel */ > >>+int > >>+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop) > >>+{ > >>+ uint16_t digest_len, esp_len, iphdr_len; > >>+ int32_t payload_len; > >>+ > >>+ IPSEC_ASSERT(m != NULL); > >>+ > >>+ iphdr_len = sizeof(struct ip); > >>+ esp_len = sizeof(struct esp_hdr) + sa->iv_len; > >>+ digest_len = sa->digest_len; > >>+ payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len; > >>+ > >>+ if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) { > >>+ IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n", > >>+ payload_len, sa->block_size); > >>+ return -EINVAL; > >>+ } > >>+ > >>+ cop->data.to_cipher.offset = iphdr_len + esp_len; > >>+ cop->data.to_cipher.length = payload_len; > >>+ > >>+ cop->data.to_hash.offset = iphdr_len; > >>+ if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM) > >>+ cop->data.to_hash.length = esp_len - sa->iv_len; > >>+ else > >>+ cop->data.to_hash.length = esp_len + payload_len; > >>+ > >>+ cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, > >>+ iphdr_len + esp_len - sa->iv_len); > >>+ cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, > >>+ iphdr_len + esp_len - sa->iv_len); > >>+ > >>+ cop->iv.length = sa->iv_len; > >>+ > >>+ cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, > >>+ iphdr_len + esp_len + payload_len); > >>+ cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, > >>+ iphdr_len + esp_len + payload_len); > >>+ cop->digest.length = digest_len; > >>+ > >>+ return 0; > >>+} > >>+ > >>+int > >>+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop) > >>+{ > >>+ uint16_t digest_len, esp_len, iphdr_len; > >>+ uint8_t *nexthdr, *pad_len; > >>+ uint8_t *padding; > >>+ uint16_t i; > >>+ > >>+ IPSEC_ASSERT(m != NULL); > >>+ > >>+ iphdr_len = sizeof(struct ip); > >>+ esp_len = sizeof(struct esp_hdr) + sa->iv_len; > >>+ digest_len = sa->digest_len; > >>+ > >>+ if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { > >>+ IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); > >>+ return -1; > >>+ } > >>+ > >>+ nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*, > >>+ rte_pktmbuf_pkt_len(m) - digest_len - 1); > >>+ pad_len = nexthdr - 1; > >>+ > >>+ padding = pad_len - *pad_len; > >>+ for (i = 0; i < *pad_len; i++) { > >>+ if (padding[i] != i) { > >>+ IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n"); > >>+ return -EINVAL; > >>+ } > >>+ } > >>+ > >>+ if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) { > >>+ IPSEC_LOG(ERR, IPSEC_ESP, > >>+ "failed to remove pad_len + digest\n"); > >>+ return -EINVAL; > >>+ } > >>+ > >>+ return ip4ip_inbound(m, iphdr_len + esp_len); > >>+} > >>+ > >>+int > >>+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop) > >>+{ > >>+ uint16_t digest_len, esp_len, payload_len, block_sz, pad_len; > >>+ int32_t pad_payload_len; > >>+ struct ip *ip; > >>+ struct esp_hdr *esp; > >>+ int i; > >>+ char *padding; > >>+ > >>+ rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE); > >>+ rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *)); > >>+ > >>+ IPSEC_ASSERT(m != NULL); > >>+ IPSEC_ASSERT(sa != NULL); > >>+ > >>+ /* Payload length */ > >>+ payload_len = rte_pktmbuf_pkt_len(m); > >>+ > >>+ block_sz = sa->block_size; > >>+ > >>+ /* Per RFC4303: > >>+ * padded payload needs to be multiple of 4 bytes. > >>+ * All application supported block sizes must be power of 2 > >>+ */ > >>+ pad_len = (payload_len + 2) & (block_sz - 1); > >>+ pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2; > >>+ > >>+ /* Padded payload length */ > >>+ pad_payload_len = payload_len + pad_len; > >>+ /* ESP header length */ > >>+ esp_len = sizeof(struct esp_hdr) + sa->iv_len; > >>+ /* Digest length */ > >>+ digest_len = sa->digest_len; > >>+ > >>+ IPSEC_LOG(DEBUG, IPSEC_ESP, > >>+ "pktlen %u, esp_len %u, digest_len %u, payload_len %u," > >>+ " pad_payload_len %u, block_sz %u, pad_len %u\n", > >>+ rte_pktmbuf_pkt_len(m), esp_len, digest_len, > >>+ payload_len, pad_payload_len, block_sz, pad_len); > >>+ > >>+ /* Check maximum packet size */ > >>+ if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) { > >>+ IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n"); > >>+ return -EINVAL; > >>+ } > >>+ > >>+ padding = rte_pktmbuf_append(m, pad_len + digest_len); > >>+ > >>+ IPSEC_ASSERT(padding != NULL); > >>+ > >>+ ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst); > >>+ > >>+ esp = (struct esp_hdr *)(ip + 1); > >>+ esp->spi = sa->spi; > >>+ > >>+ esp->seq = htonl(sa->seq++); > >>+ > >>+ IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m)); > >>+ > >>+ /* Fill pad_len using default sequential scheme */ > >>+ for (i = 0; i < pad_len - 2; i++) > >>+ padding[i] = i + 1; > >>+ > >>+ padding[pad_len - 2] = pad_len - 2; > >>+ padding[pad_len - 1] = IPPROTO_IPIP; > >>+ ip->ip_p = IPPROTO_ESP; > >>+ > >>+ cop->data.to_cipher.offset = sizeof(struct ip) + esp_len; > >>+ cop->data.to_cipher.length = pad_payload_len; > >>+ > >>+ cop->data.to_hash.offset = sizeof(struct ip); > >>+ cop->data.to_hash.length = esp_len + pad_payload_len; > >>+ > >>+ cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, > >>+ sizeof(struct ip) + esp_len - sa->iv_len); > >>+ cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, > >>+ sizeof(struct ip) + esp_len - sa->iv_len); > >>+ cop->iv.length = sa->iv_len; > >>+ > >>+ cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, > >>+ sizeof(struct ip) + esp_len + pad_payload_len); > >>+ cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, > >>+ sizeof(struct ip) + esp_len + pad_payload_len); > >>+ cop->digest.length = digest_len; > >>+ > >>+ random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length); > >>+ > >>+ return 0; > >>+} > >>+ > >>+int > >>+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused, > >>+ struct ipsec_sa *sa __rte_unused, > >>+ struct rte_crypto_op *cop) > >>+{ > >>+ if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { > >>+ IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); > >>+ return -1; > >>+ } > >>+ > >>+ return 0; > >>+} > >>diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h > >>new file mode 100644 > >>index 0000000..d7c8ba6 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/esp.h > >>@@ -0,0 +1,66 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+#ifndef __RTE_IPSEC_XFORM_ESP_H__ > >>+#define __RTE_IPSEC_XFORM_ESP_H__ > >>+ > >>+struct mbuf; > >>+ > >>+/* RFC4303 */ > >>+struct esp_hdr { > >>+ uint32_t spi; > >>+ uint32_t seq; > >>+ /* Payload */ > >>+ /* Padding */ > >>+ /* Pad Length */ > >>+ /* Next Header */ > >>+ /* Integrity Check Value - ICV */ > >>+}; > >>+ > >>+/* IPv4 Tunnel */ > >>+int > >>+esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+int > >>+esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+int > >>+esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+int > >>+esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+#endif /* __RTE_IPSEC_XFORM_ESP_H__ */ > >>diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h > >>new file mode 100644 > >>index 0000000..16c5dfb > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/ipip.h > >>@@ -0,0 +1,100 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#ifndef __IPIP_H__ > >>+#define __IPIP_H__ > >>+ > >>+#include > >>+#include > >>+#include > >>+ > >>+#include > >>+ > >>+static inline struct ip * > >>+ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst) > >>+{ > >>+ struct ip *inip, *outip; > >>+ > >>+ inip = rte_pktmbuf_mtod(m, struct ip*); > >>+ > >>+ IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); > >>+ > >>+ offset += sizeof(struct ip); > >>+ > >>+ outip = (struct ip *)rte_pktmbuf_prepend(m, offset); > >>+ > >>+ IPSEC_ASSERT(outip != NULL); > >>+ > >>+ /* Per RFC4301 5.1.2.1 */ > >>+ outip->ip_len = htons(rte_pktmbuf_data_len(m)); > >>+ outip->ip_v = IPVERSION; > >>+ outip->ip_hl = 5; > >>+ outip->ip_tos = inip->ip_tos; > >>+ > >>+ outip->ip_id = 0; > >>+ outip->ip_off = 0; > >>+ > >>+ outip->ip_ttl = IPDEFTTL; > >>+ > >>+ outip->ip_dst.s_addr = dst; > >>+ outip->ip_src.s_addr = src; > >>+ > >>+ return outip; > >>+} > >>+ > >>+static inline int > >>+ip4ip_inbound(struct rte_mbuf *m, uint32_t offset) > >>+{ > >>+ struct ip *inip; > >>+ struct ip *outip; > >>+ > >>+ outip = rte_pktmbuf_mtod(m, struct ip*); > >>+ > >>+ IPSEC_ASSERT(outip->ip_v == IPVERSION); > >>+ > >>+ offset += sizeof(struct ip); > >>+ inip = (struct ip *)rte_pktmbuf_adj(m, offset); > >>+ IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); > >>+ > >>+ /* Check packet is still bigger than IP header (inner) */ > >>+ IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip)); > >>+ > >>+ /* RFC4301 5.1.2.1 Note 6 */ > >>+ if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) && > >>+ ((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE)) > >>+ inip->ip_tos |= htons(IPTOS_ECN_CE); > >>+ > >>+ return 0; > >>+} > >>+ > >>+#endif /* __IPIP_H__ */ > >>diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c > >>new file mode 100644 > >>index 0000000..d2e8972 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/ipsec-secgw.c > >>@@ -0,0 +1,1218 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+ > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+ > >>+#include "ipsec.h" > >>+ > >>+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 > >>+ > >>+#define MAX_JUMBO_PKT_LEN 9600 > >>+ > >>+#define MEMPOOL_CACHE_SIZE 256 > >>+ > >>+#define NB_MBUF (32000) > >>+ > >>+#define CDEV_MP_NB_OBJS 2048 > >>+#define CDEV_MP_CACHE_SZ 64 > >>+#define MAX_QUEUE_PAIRS 1 > >>+ > >>+#define OPTION_CONFIG "config" > >>+#define OPTION_EP0 "ep0" > >>+#define OPTION_EP1 "ep1" > >>+#define OPTION_CDEV_TYPE "cdev" > >>+ > >>+#define MAX_PKT_BURST 32 > >>+#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */ > >>+ > >>+#define NB_SOCKETS 4 > >>+ > >>+/* Configure how many packets ahead to prefetch, when reading packets */ > >>+#define PREFETCH_OFFSET 3 > >>+ > >>+#define MAX_RX_QUEUE_PER_LCORE 16 > >>+ > >>+#define MAX_LCORE_PARAMS 1024 > >>+ > >>+#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid)) > >>+ > >>+/* > >>+ * Configurable number of RX/TX ring descriptors > >>+ */ > >>+#define IPSEC_SECGW_RX_DESC_DEFAULT 128 > >>+#define IPSEC_SECGW_TX_DESC_DEFAULT 512 > >>+static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT; > >>+static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT; > >>+ > >>+#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN > >>+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ > >>+ (((uint64_t)((a) & 0xff) << 56) | \ > >>+ ((uint64_t)((b) & 0xff) << 48) | \ > >>+ ((uint64_t)((c) & 0xff) << 40) | \ > >>+ ((uint64_t)((d) & 0xff) << 32) | \ > >>+ ((uint64_t)((e) & 0xff) << 24) | \ > >>+ ((uint64_t)((f) & 0xff) << 16) | \ > >>+ ((uint64_t)((g) & 0xff) << 8) | \ > >>+ ((uint64_t)(h) & 0xff)) > >>+#else > >>+#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ > >>+ (((uint64_t)((h) & 0xff) << 56) | \ > >>+ ((uint64_t)((g) & 0xff) << 48) | \ > >>+ ((uint64_t)((f) & 0xff) << 40) | \ > >>+ ((uint64_t)((e) & 0xff) << 32) | \ > >>+ ((uint64_t)((d) & 0xff) << 24) | \ > >>+ ((uint64_t)((c) & 0xff) << 16) | \ > >>+ ((uint64_t)((b) & 0xff) << 8) | \ > >>+ ((uint64_t)(a) & 0xff)) > >>+#endif > >>+#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) > >>+ > >>+#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \ > >>+ addr.addr_bytes[0], addr.addr_bytes[1], \ > >>+ addr.addr_bytes[2], addr.addr_bytes[3], \ > >>+ addr.addr_bytes[4], addr.addr_bytes[5], \ > >>+ 0, 0) > >>+ > >>+/* port/source ethernet addr and destination ethernet addr */ > >>+struct ethaddr_info { > >>+ uint64_t src, dst; > >>+}; > >>+ > >>+struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = { > >>+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) }, > >>+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) }, > >>+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) }, > >>+ { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) } > >>+}; > >>+ > >>+/* mask of enabled ports */ > >>+static uint32_t enabled_port_mask; > >>+static uint32_t unprotected_port_mask; > >>+static int promiscuous_on = 1; > >>+static int numa_on = 1; /**< NUMA is enabled by default. */ > >>+static int ep = -1; /**< Endpoint configuration (0 or 1) */ > >>+static unsigned cdev_type = -1; > >>+static unsigned nb_lcores; > >>+ > >>+struct buffer { > >>+ uint16_t len; > >>+ struct rte_mbuf *m_table[MAX_PKT_BURST]; > >>+}; > >>+ > >>+struct lcore_rx_queue { > >>+ uint8_t port_id; > >>+ uint8_t queue_id; > >>+} __rte_cache_aligned; > >>+ > >>+struct lcore_params { > >>+ uint8_t port_id; > >>+ uint8_t queue_id; > >>+ uint8_t lcore_id; > >>+} __rte_cache_aligned; > >>+ > >>+static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; > >>+ > >>+static struct lcore_params *lcore_params; > >>+static uint16_t nb_lcore_params; > >>+ > >>+struct lcore_conf { > >>+ uint16_t nb_rx_queue; > >>+ struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE]; > >>+ uint16_t tx_queue_id[RTE_MAX_ETHPORTS]; > >>+ struct buffer tx_mbufs[RTE_MAX_ETHPORTS]; > >>+ uint16_t cdev; > >>+ uint16_t cdev_q; > >>+} __rte_cache_aligned; > >>+ > >>+static struct lcore_conf lcore_conf[RTE_MAX_LCORE]; > >>+ > >>+static struct rte_eth_conf port_conf = { > >>+ .rxmode = { > >>+ .mq_mode = ETH_MQ_RX_RSS, > >>+ .max_rx_pkt_len = ETHER_MAX_LEN, > >>+ .split_hdr_size = 0, > >>+ .header_split = 0, /**< Header Split disabled */ > >>+ .hw_ip_checksum = 1, /**< IP checksum offload enabled */ > >>+ .hw_vlan_filter = 0, /**< VLAN filtering disabled */ > >>+ .jumbo_frame = 0, /**< Jumbo Frame Support disabled */ > >>+ .hw_strip_crc = 0, /**< CRC stripped by hardware */ > >>+ }, > >>+ .rx_adv_conf = { > >>+ .rss_conf = { > >>+ .rss_key = NULL, > >>+ .rss_hf = ETH_RSS_IP | ETH_RSS_UDP | > >>+ ETH_RSS_TCP | ETH_RSS_SCTP, > >>+ }, > >>+ }, > >>+ .txmode = { > >>+ .mq_mode = ETH_MQ_TX_NONE, > >>+ }, > >>+}; > >>+ > >>+static struct socket_ctx socket_ctx[NB_SOCKETS]; > >>+ > >>+struct traffic_type { > >>+ const uint8_t *data[MAX_PKT_BURST * 2]; > >>+ struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; > >>+ uint32_t res[MAX_PKT_BURST * 2]; > >>+ uint32_t num; > >>+}; > >>+ > >>+struct ipsec_traffic { > >>+ struct traffic_type ipsec4; > >>+ struct traffic_type ipv4; > >>+}; > >>+ > >>+static inline void > >>+prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) > >>+{ > >>+ uint8_t *nlp; > >>+ > >>+ if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) { > >>+ rte_pktmbuf_adj(pkt, ETHER_HDR_LEN); > >>+ nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *, > >>+ offsetof(struct ip, ip_p)); > >>+ if (*nlp == IPPROTO_ESP) > >>+ t->ipsec4.pkts[(t->ipsec4.num)++] = pkt; > >>+ else { > >>+ t->ipv4.data[t->ipv4.num] = nlp; > >>+ t->ipv4.pkts[(t->ipv4.num)++] = pkt; > >>+ } > >>+ } else { > >>+ /* Unknown/Unsupported type, drop the packet */ > >>+ rte_pktmbuf_free(pkt); > >>+ } > >>+} > >>+ > >>+static inline void > >>+prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t, > >>+ uint16_t nb_pkts) > >>+{ > >>+ int i; > >>+ > >>+ t->ipsec4.num = 0; > >>+ t->ipv4.num = 0; > >>+ > >>+ for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) { > >>+ rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET], > >>+ void *)); > >>+ prepare_one_packet(pkts[i], t); > >>+ } > >>+ /* Process left packets */ > >>+ for (; i < nb_pkts; i++) > >>+ prepare_one_packet(pkts[i], t); > >>+} > >>+ > >>+static inline void > >>+prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port) > >>+{ > >>+ pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4; > >>+ pkt->l3_len = sizeof(struct ip); > >>+ pkt->l2_len = ETHER_HDR_LEN; > >>+ > >>+ uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN); > >>+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN > >>+ ethhdr[0] = ethaddr_tbl[port].dst | > >>+ ((ethaddr_tbl[port].src & 0xffff) << 48); > >>+ ethhdr[1] = ethaddr_tbl[port].src >> 16 | > >>+ ((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) | > >>+ (ethhdr[1] & (0xffffUL << 48)); > >>+#else > >>+ ethhdr[0] = ethaddr_tbl[port].dst | > >>+ (ethaddr_tbl[port].src >> 48 & 0xffff); > >>+ ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) | > >>+ (ethhdr[1] & 0xffffUL); > >>+#endif > >>+} > >>+ > >>+static inline void > >>+prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port) > >>+{ > >>+ int i; > >>+ const int prefetch_offset = 2; > >>+ > >>+ for (i = 0; i < (nb_pkts - prefetch_offset); i++) { > >>+ rte_prefetch0(pkts[i + prefetch_offset]->cacheline1); > >>+ prepare_tx_pkt(pkts[i], port); > >>+ } > >>+ /* Process left packets */ > >>+ for (; i < nb_pkts; i++) > >>+ prepare_tx_pkt(pkts[i], port); > >>+} > >>+ > >>+/* Send burst of packets on an output interface */ > >>+static inline int > >>+send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port) > >>+{ > >>+ struct rte_mbuf **m_table; > >>+ int ret; > >>+ uint16_t queueid; > >>+ > >>+ queueid = qconf->tx_queue_id[port]; > >>+ m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table; > >>+ > >>+ prepare_tx_burst(m_table, n, port); > >>+ > >>+ ret = rte_eth_tx_burst(port, queueid, m_table, n); > >>+ if (unlikely(ret < n)) { > >>+ do { > >>+ rte_pktmbuf_free(m_table[ret]); > >>+ } while (++ret < n); > >>+ } > >>+ > >>+ return 0; > >>+} > >>+ > >>+/* Enqueue a single packet, and send burst if queue is filled */ > >>+static inline int > >>+send_single_packet(struct rte_mbuf *m, uint8_t port) > >>+{ > >>+ uint32_t lcore_id; > >>+ uint16_t len; > >>+ struct lcore_conf *qconf; > >>+ > >>+ lcore_id = rte_lcore_id(); > >>+ > >>+ qconf = &lcore_conf[lcore_id]; > >>+ len = qconf->tx_mbufs[port].len; > >>+ qconf->tx_mbufs[port].m_table[len] = m; > >>+ len++; > >>+ > >>+ /* enough pkts to be sent */ > >>+ if (unlikely(len == MAX_PKT_BURST)) { > >>+ send_burst(qconf, MAX_PKT_BURST, port); > >>+ len = 0; > >>+ } > >>+ > >>+ qconf->tx_mbufs[port].len = len; > >>+ return 0; > >>+} > >>+ > >>+static inline void > >>+process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) > >>+{ > >>+ struct sa_ctx *sa_ctx = ctx->sa_ipv4_in; > >>+ struct sp_ctx *sp_ctx = ctx->sp_ipv4_in; > >>+ struct rte_mbuf *m; > >>+ uint16_t idx, nb_pkts_in, i, j; > >>+ uint32_t sa_idx, res; > >>+ struct ipsec_ctx ipsec_ctx; > >>+ struct lcore_conf *qconf; > >>+ > >>+ qconf = &lcore_conf[rte_lcore_id()]; > >>+ ipsec_ctx.cdev = qconf->cdev; > >>+ ipsec_ctx.queue = qconf->cdev_q; > >>+ ipsec_ctx.sa_ctx = sa_ctx; > >>+ > >>+ nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts, > >>+ traffic->ipsec4.num, MAX_PKT_BURST); > >>+ > >>+ /* SP/ACL Inbound check ipsec and ipv4 */ > >>+ for (i = 0; i < nb_pkts_in; i++) { > >>+ idx = traffic->ipv4.num++; > >>+ m = traffic->ipsec4.pkts[i]; > >>+ traffic->ipv4.pkts[idx] = m; > >>+ traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m, > >>+ uint8_t *, offsetof(struct ip, ip_p)); > >>+ } > >>+ > >>+ rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, > >>+ traffic->ipv4.res, traffic->ipv4.num, > >>+ DEFAULT_MAX_CATEGORIES); > >>+ > >>+ j = 0; > >>+ for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) { > >>+ m = traffic->ipv4.pkts[i]; > >>+ res = traffic->ipv4.res[i]; > >>+ if (res & ~BYPASS) { > >>+ rte_pktmbuf_free(m); > >>+ continue; > >>+ } > >>+ traffic->ipv4.pkts[j++] = m; > >>+ } > >>+ /* Check return SA SPI matches pkt SPI */ > >>+ for ( ; i < traffic->ipv4.num; i++) { > >>+ m = traffic->ipv4.pkts[i]; > >>+ sa_idx = traffic->ipv4.res[i] & PROTECT_MASK; > >>+ if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) { > >>+ rte_pktmbuf_free(m); > >>+ continue; > >>+ } > >>+ traffic->ipv4.pkts[j++] = m; > >>+ } > >>+ traffic->ipv4.num = j; > >>+} > >>+ > >>+static inline void > >>+process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) > >>+{ > >>+ struct sa_ctx *sa_ctx = ctx->sa_ipv4_out; > >>+ struct sp_ctx *sp_ctx = ctx->sp_ipv4_out; > >>+ struct rte_mbuf *m; > >>+ uint16_t idx, nb_pkts_out, i, j; > >>+ uint32_t sa_idx, res; > >>+ struct ipsec_ctx ipsec_ctx; > >>+ struct lcore_conf *qconf; > >>+ > >>+ qconf = &lcore_conf[rte_lcore_id()]; > >>+ ipsec_ctx.cdev = qconf->cdev; > >>+ ipsec_ctx.queue = qconf->cdev_q; > >>+ ipsec_ctx.sa_ctx = sa_ctx; > >>+ > >>+ rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, > >>+ traffic->ipv4.res, traffic->ipv4.num, > >>+ DEFAULT_MAX_CATEGORIES); > >IMO, an option for single SA based outbound processing would be useful > >measuring performance bottlenecks with SA lookup. > > > > Hi Jerin, > > Are you suggesting to have an option so we basically encrypt all traffic > using > a single SA bypassing the SP/ACL ? Yes. Basicaly an option to bypass "rte_acl_classify" if its for single SA use case. > > Currently the ACL entry contains the SA index in the SA table, so there is > no SA > lookup on outbound. > That might have to change a bit if we were to add IKE support. > > >>+ j = 0; > >>+ for (i = 0; i < traffic->ipv4.num; i++) { > >>+ m = traffic->ipv4.pkts[i]; > >>+ res = traffic->ipv4.res[i]; > >>+ sa_idx = res & PROTECT_MASK; > >>+ if (res & DISCARD) { > >>+ rte_pktmbuf_free(m); > >>+ } else if (sa_idx != 0) { > >>+ traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx; > >>+ traffic->ipsec4.pkts[traffic->ipsec4.num++] = m; > >>+ } else /* BYPASS */ > >>+ traffic->ipv4.pkts[j++] = m; > >>+ } > >>+ traffic->ipv4.num = j; > >>+ > >>+ nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts, > >>+ traffic->ipsec4.res, traffic->ipsec4.num, > >>+ MAX_PKT_BURST); > >>+ > >>+ for (i = 0; i < nb_pkts_out; i++) { > >>+ idx = traffic->ipv4.num++; > >>+ m = traffic->ipsec4.pkts[i]; > >>+ traffic->ipv4.pkts[idx] = m; > >>+ } > >>+} > >>+ > >>+static inline void > >>+route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) > >>+{ > >>+ uint16_t hop[MAX_PKT_BURST * 2]; > >>+ uint32_t dst_ip[MAX_PKT_BURST * 2]; > >>+ uint16_t i, offset; > >>+ > >>+ if (nb_pkts == 0) > >>+ return; > >>+ > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ offset = offsetof(struct ip, ip_dst); > >>+ dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i], > >>+ uint32_t *, offset); > >>+ dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]); > >>+ } > >>+ > >>+ rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts); > >>+ > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) { > >>+ rte_pktmbuf_free(pkts[i]); > >>+ continue; > >>+ } > >>+ send_single_packet(pkts[i], hop[i] & 0xff); > >>+ } > >>+} > >>+ > >>+static inline void > >>+process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts, > >>+ uint8_t nb_pkts, uint8_t portid) > >>+{ > >>+ struct ipsec_traffic traffic; > >>+ > >>+ prepare_traffic(pkts, &traffic, nb_pkts); > >>+ > >>+ if (UNPROTECTED_PORT(portid)) > >>+ process_pkts_inbound(ctx, &traffic); > >>+ else > >>+ process_pkts_outbound(ctx, &traffic); > >>+ > >>+ route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num); > >>+} > >>+ > >>+static inline void > >>+drain_buffers(struct lcore_conf *qconf) > >>+{ > >>+ struct buffer *buf; > >>+ unsigned portid; > >>+ > >>+ for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) { > >>+ buf = &qconf->tx_mbufs[portid]; > >>+ if (buf->len == 0) > >>+ continue; > >>+ send_burst(qconf, buf->len, portid); > >>+ buf->len = 0; > >>+ } > >>+} > >>+ > >>+/* main processing loop */ > >>+static int > >>+main_loop(__attribute__((unused)) void *dummy) > >>+{ > >>+ struct rte_mbuf *pkts[MAX_PKT_BURST]; > >>+ unsigned lcore_id; > >>+ uint64_t prev_tsc, diff_tsc, cur_tsc; > >>+ int i, nb_rx; > >>+ uint8_t portid, queueid; > >>+ struct lcore_conf *qconf; > >>+ int socket_id; > >>+ const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1) > >>+ / US_PER_S * BURST_TX_DRAIN_US; > >>+ struct socket_ctx *ctx; > >>+ struct lcore_rx_queue *rxql; > >>+ > >>+ prev_tsc = 0; > >>+ lcore_id = rte_lcore_id(); > >>+ qconf = &lcore_conf[lcore_id]; > >>+ rxql = qconf->rx_queue_list; > >>+ socket_id = rte_lcore_to_socket_id(lcore_id); > >>+ > >>+ ctx = &socket_ctx[socket_id]; > >>+ > >>+ if (qconf->nb_rx_queue == 0) { > >>+ RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id); > >>+ return 0; > >>+ } > >>+ > >>+ RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id); > >>+ > >>+ for (i = 0; i < qconf->nb_rx_queue; i++) { > >>+ portid = rxql[i].port_id; > >>+ queueid = rxql[i].queue_id; > >>+ RTE_LOG(INFO, IPSEC, > >>+ " -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n", > >>+ lcore_id, portid, queueid); > >>+ } > >>+ > >>+ while (1) { > >>+ cur_tsc = rte_rdtsc(); > >>+ > >>+ /* TX queue buffer drain */ > >>+ diff_tsc = cur_tsc - prev_tsc; > >>+ > >>+ if (unlikely(diff_tsc > drain_tsc)) { > >>+ drain_buffers(qconf); > >>+ prev_tsc = cur_tsc; > >>+ } > >>+ > >>+ /* Read packet from RX queues */ > >>+ for (i = 0; i < qconf->nb_rx_queue; ++i) { > >>+ portid = rxql[i].port_id; > >>+ queueid = rxql[i].queue_id; > >>+ nb_rx = rte_eth_rx_burst(portid, queueid, > >>+ pkts, MAX_PKT_BURST); > >>+ > >>+ if (nb_rx > 0) > >>+ process_pkts(ctx, pkts, nb_rx, portid); > >>+ } > >>+ } > >>+} > >>+ > >>+static int > >>+check_params(void) > >>+{ > >>+ uint8_t lcore, portid, nb_ports; > >>+ uint16_t i; > >>+ int socket_id; > >>+ > >>+ if (lcore_params == NULL) { > >>+ printf("Error: No port/queue/core mappings\n"); > >>+ return -1; > >>+ } > >>+ > >>+ nb_ports = rte_eth_dev_count(); > >>+ if (nb_ports > RTE_MAX_ETHPORTS) > >>+ nb_ports = RTE_MAX_ETHPORTS; > >>+ > >>+ for (i = 0; i < nb_lcore_params; ++i) { > >>+ lcore = lcore_params[i].lcore_id; > >>+ if (!rte_lcore_is_enabled(lcore)) { > >>+ printf("error: lcore %hhu is not enabled in " > >>+ "lcore mask\n", lcore); > >>+ return -1; > >>+ } > >>+ socket_id = rte_lcore_to_socket_id(lcore); > >>+ if (socket_id != 0 && numa_on == 0) { > >>+ printf("warning: lcore %hhu is on socket %d " > >>+ "with numa off\n", > >>+ lcore, socket_id); > >>+ } > >>+ portid = lcore_params[i].port_id; > >>+ if ((enabled_port_mask & (1 << portid)) == 0) { > >>+ printf("port %u is not enabled in port mask\n", portid); > >>+ return -1; > >>+ } > >>+ if (portid >= nb_ports) { > >>+ printf("port %u is not present on the board\n", portid); > >>+ return -1; > >>+ } > >>+ } > >>+ return 0; > >>+} > >>+ > >>+static uint8_t > >>+get_port_nb_rx_queues(const uint8_t port) > >>+{ > >>+ int queue = -1; > >>+ uint16_t i; > >>+ > >>+ for (i = 0; i < nb_lcore_params; ++i) { > >>+ if (lcore_params[i].port_id == port && > >>+ lcore_params[i].queue_id > queue) > >>+ queue = lcore_params[i].queue_id; > >>+ } > >>+ return (uint8_t)(++queue); > >>+} > >>+ > >>+static int > >>+init_lcore_rx_queues(void) > >>+{ > >>+ uint16_t i, nb_rx_queue; > >>+ uint8_t lcore; > >>+ > >>+ for (i = 0; i < nb_lcore_params; ++i) { > >>+ lcore = lcore_params[i].lcore_id; > >>+ nb_rx_queue = lcore_conf[lcore].nb_rx_queue; > >>+ if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) { > >>+ printf("error: too many queues (%u) for lcore: %u\n", > >>+ nb_rx_queue + 1, lcore); > >>+ return -1; > >>+ } > >>+ lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id = > >>+ lcore_params[i].port_id; > >>+ lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id = > >>+ lcore_params[i].queue_id; > >>+ lcore_conf[lcore].nb_rx_queue++; > >>+ } > >>+ return 0; > >>+} > >>+ > >>+/* display usage */ > >>+static void > >>+print_usage(const char *prgname) > >>+{ > >>+ printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK" > >>+ " --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]" > >>+ " --EP0|--EP1 --cdev AESNI|QAT\n" > >>+ " -p PORTMASK: hexadecimal bitmask of ports to configure\n" > >>+ " -P : enable promiscuous mode\n" > >>+ " -u PORTMASK: hexadecimal bitmask of unprotected ports\n" > >>+ " --"OPTION_CONFIG": (port,queue,lcore): " > >>+ "rx queues configuration\n" > >>+ " --cdev AESNI | QAT\n" > >>+ " --EP0: Configure as Endpoint 0\n" > >>+ " --EP1: Configure as Endpoint 1\n", prgname); > >>+} > >>+ > >>+static int > >>+parse_portmask(const char *portmask) > >>+{ > >>+ char *end = NULL; > >>+ unsigned long pm; > >>+ > >>+ /* parse hexadecimal string */ > >>+ pm = strtoul(portmask, &end, 16); > >>+ if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0')) > >>+ return -1; > >>+ > >>+ if (pm == 0) > >>+ return -1; > >>+ > >>+ return pm; > >>+} > >>+ > >>+static int > >>+parse_config(const char *q_arg) > >>+{ > >>+ char s[256]; > >>+ const char *p, *p0 = q_arg; > >>+ char *end; > >>+ enum fieldnames { > >>+ FLD_PORT = 0, > >>+ FLD_QUEUE, > >>+ FLD_LCORE, > >>+ _NUM_FLD > >>+ }; > >>+ unsigned long int_fld[_NUM_FLD]; > >>+ char *str_fld[_NUM_FLD]; > >>+ int i; > >>+ unsigned size; > >>+ > >>+ nb_lcore_params = 0; > >>+ > >>+ while ((p = strchr(p0, '(')) != NULL) { > >>+ ++p; > >>+ p0 = strchr(p, ')'); > >>+ if (p0 == NULL) > >>+ return -1; > >>+ > >>+ size = p0 - p; > >>+ if (size >= sizeof(s)) > >>+ return -1; > >>+ > >>+ snprintf(s, sizeof(s), "%.*s", size, p); > >>+ if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') != > >>+ _NUM_FLD) > >>+ return -1; > >>+ for (i = 0; i < _NUM_FLD; i++) { > >>+ errno = 0; > >>+ int_fld[i] = strtoul(str_fld[i], &end, 0); > >>+ if (errno != 0 || end == str_fld[i] || int_fld[i] > 255) > >>+ return -1; > >>+ } > >>+ if (nb_lcore_params >= MAX_LCORE_PARAMS) { > >>+ printf("exceeded max number of lcore params: %hu\n", > >>+ nb_lcore_params); > >>+ return -1; > >>+ } > >>+ lcore_params_array[nb_lcore_params].port_id = > >>+ (uint8_t)int_fld[FLD_PORT]; > >>+ lcore_params_array[nb_lcore_params].queue_id = > >>+ (uint8_t)int_fld[FLD_QUEUE]; > >>+ lcore_params_array[nb_lcore_params].lcore_id = > >>+ (uint8_t)int_fld[FLD_LCORE]; > >>+ ++nb_lcore_params; > >>+ } > >>+ lcore_params = lcore_params_array; > >>+ return 0; > >>+} > >>+ > >>+#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt))) > >>+static int > >>+parse_args_long_options(struct option *lgopts, int option_index) > >>+{ > >>+ int ret = -1; > >>+ const char *optname = lgopts[option_index].name; > >>+ > >>+ if (__STRNCMP(optname, OPTION_CONFIG)) { > >>+ ret = parse_config(optarg); > >>+ if (ret) > >>+ printf("invalid config\n"); > >>+ } > >>+ > >>+ if (__STRNCMP(optname, OPTION_EP0)) { > >>+ printf("endpoint 0\n"); > >>+ ep = 0; > >>+ ret = 0; > >>+ } > >>+ > >>+ if (__STRNCMP(optname, OPTION_EP1)) { > >>+ printf("endpoint 1\n"); > >>+ ep = 1; > >>+ ret = 0; > >>+ } > >>+ > >>+ if (__STRNCMP(optname, OPTION_CDEV_TYPE)) { > >>+ if (__STRNCMP(optarg, "AESNI")) { > >>+ cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD; > >>+ ret = 0; > >>+ } else if (__STRNCMP(optarg, "QAT")) { > >>+ cdev_type = RTE_CRYPTODEV_QAT_PMD; > >>+ ret = 0; > >>+ } > >>+ } > >>+ > >>+ return ret; > >>+} > >>+#undef __STRNCMP > >>+ > >>+static int > >>+parse_args(int argc, char **argv) > >>+{ > >>+ int opt, ret; > >>+ char **argvopt; > >>+ int option_index; > >>+ char *prgname = argv[0]; > >>+ static struct option lgopts[] = { > >>+ {OPTION_CONFIG, 1, 0, 0}, > >>+ {OPTION_EP0, 0, 0, 0}, > >>+ {OPTION_EP1, 0, 0, 0}, > >>+ {OPTION_CDEV_TYPE, 1, 0, 0}, > >>+ {NULL, 0, 0, 0} > >>+ }; > >>+ > >>+ argvopt = argv; > >>+ > >>+ while ((opt = getopt_long(argc, argvopt, "p:Pu:", > >>+ lgopts, &option_index)) != EOF) { > >>+ > >>+ switch (opt) { > >>+ case 'p': > >>+ enabled_port_mask = parse_portmask(optarg); > >>+ if (enabled_port_mask == 0) { > >>+ printf("invalid portmask\n"); > >>+ print_usage(prgname); > >>+ return -1; > >>+ } > >>+ break; > >>+ case 'P': > >>+ printf("Promiscuous mode selected\n"); > >>+ promiscuous_on = 1; > >>+ break; > >>+ case 'u': > >>+ unprotected_port_mask = parse_portmask(optarg); > >>+ if (unprotected_port_mask == 0) { > >>+ printf("invalid unprotected portmask\n"); > >>+ print_usage(prgname); > >>+ return -1; > >>+ } > >>+ break; > >>+ case 0: > >>+ if (parse_args_long_options(lgopts, option_index)) { > >>+ print_usage(prgname); > >>+ return -1; > >>+ } > >>+ break; > >>+ default: > >>+ print_usage(prgname); > >>+ return -1; > >>+ } > >>+ } > >>+ > >>+ if (optind >= 0) > >>+ argv[optind-1] = prgname; > >>+ > >>+ ret = optind-1; > >>+ optind = 0; /* reset getopt lib */ > >>+ return ret; > >>+} > >>+ > >>+static void > >>+print_ethaddr(const char *name, const struct ether_addr *eth_addr) > >>+{ > >>+ char buf[ETHER_ADDR_FMT_SIZE]; > >>+ ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr); > >>+ printf("%s%s", name, buf); > >>+} > >>+ > >>+/* Check the link status of all ports in up to 9s, and print them finally */ > >>+static void > >>+check_all_ports_link_status(uint8_t port_num, uint32_t port_mask) > >>+{ > >>+#define CHECK_INTERVAL 100 /* 100ms */ > >>+#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */ > >>+ uint8_t portid, count, all_ports_up, print_flag = 0; > >>+ struct rte_eth_link link; > >>+ > >>+ printf("\nChecking link status"); > >>+ fflush(stdout); > >>+ for (count = 0; count <= MAX_CHECK_TIME; count++) { > >>+ all_ports_up = 1; > >>+ for (portid = 0; portid < port_num; portid++) { > >>+ if ((port_mask & (1 << portid)) == 0) > >>+ continue; > >>+ memset(&link, 0, sizeof(link)); > >>+ rte_eth_link_get_nowait(portid, &link); > >>+ /* print link status if flag set */ > >>+ if (print_flag == 1) { > >>+ if (link.link_status) > >>+ printf("Port %d Link Up - speed %u " > >>+ "Mbps - %s\n", (uint8_t)portid, > >>+ (unsigned)link.link_speed, > >>+ (link.link_duplex == ETH_LINK_FULL_DUPLEX) ? > >>+ ("full-duplex") : ("half-duplex\n")); > >>+ else > >>+ printf("Port %d Link Down\n", > >>+ (uint8_t)portid); > >>+ continue; > >>+ } > >>+ /* clear all_ports_up flag if any link down */ > >>+ if (link.link_status == 0) { > >>+ all_ports_up = 0; > >>+ break; > >>+ } > >>+ } > >>+ /* after finally printing all link status, get out */ > >>+ if (print_flag == 1) > >>+ break; > >>+ > >>+ if (all_ports_up == 0) { > >>+ printf("."); > >>+ fflush(stdout); > >>+ rte_delay_ms(CHECK_INTERVAL); > >>+ } > >>+ > >>+ /* set the print_flag if all ports up or timeout */ > >>+ if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) { > >>+ print_flag = 1; > >>+ printf("done\n"); > >>+ } > >>+ } > >>+} > >>+ > >>+static uint16_t > >>+find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id) > >>+{ > >>+ uint16_t cdev_id, cnt; > >>+ struct rte_cryptodev_info info; > >>+ > >>+ cnt = rte_cryptodev_count(); > >>+ for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) { > >>+ rte_cryptodev_info_get(cdev_id, &info); > >>+ if (info.dev_type == cdev_type) > >>+ return cdev_id; > >>+ } > >>+ > >>+ return -1; > >>+} > >>+ > >>+static uint16_t > >>+find_cdev_socket(int socket_id, unsigned cdev_type) > >>+{ > >>+ uint16_t cdev_id, cnt; > >>+ struct rte_cryptodev_info info; > >>+ int cdev_socket; > >>+ > >>+ cnt = rte_cryptodev_count(); > >>+ for (cdev_id = 0; cdev_id < cnt; cdev_id++) { > >>+ rte_cryptodev_info_get(cdev_id, &info); > >>+ cdev_socket = rte_cryptodev_socket_id(cdev_id); > >>+ if ((info.dev_type == cdev_type) && (cdev_socket == socket_id)) > >>+ return cdev_id; > >>+ } > >>+ > >>+ return -1; > >>+} > >>+ > >>+static int > >>+cryptodevs_init(void) > >>+{ > >>+ struct rte_cryptodev_config dev_conf; > >>+ struct rte_cryptodev_qp_conf qp_conf; > >>+ struct lcore_conf *qconf; > >>+ uint16_t cnt, lcore_id, cdev_id; > >>+ int ret, i, socket_id; > >>+ > >>+ if (cdev_type == RTE_CRYPTODEV_QAT_PMD) { > >>+ cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD); > >>+ printf("Found %u QAT devices\n", cnt); > >>+ if (cnt < nb_lcores) > >>+ rte_panic("Not enough QAT devices detected, " > >>+ "need %u (1 per core), found %d\n", > >>+ nb_lcores, cnt); > >>+ } else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { > >>+ printf("Initializing %u AESNI vdevs\n", rte_lcore_count()); > >Is it possible to remove PMD specific Initialization code from the > >application and move driver layer so that new crypto pmd inclusion will > >not have any change in this place. > > Yes, it should be possible now that we have: > http://dpdk.org/ml/archives/dev/2016-January/032448.html > > I also plan to rework the code a bit to use the new cryptodev API: > http://dpdk.org/ml/archives/dev/2016-January/032445.html > > >>+ for (i = 0; i < (int)rte_lcore_count(); i++) { > >>+ ret = rte_eal_vdev_init( > >>+ CRYPTODEV_NAME_AESNI_MB_PMD, > >>+ NULL); > >>+ if (ret < 0) > >>+ rte_panic("Failed to create AESNI-MB vdev\n"); > >>+ } > >>+ } else > >>+ rte_panic("Need to set cryptodev type option --cdev\n"); > >>+ > >>+ cdev_id = 0; > >>+ for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > >>+ if (rte_lcore_is_enabled(lcore_id) == 0) > >>+ continue; > >>+ > >>+ socket_id = rte_lcore_to_socket_id(lcore_id); > >>+ cdev_id = find_next_cdev(cdev_type, cdev_id); > >>+ qconf = &lcore_conf[lcore_id]; > >>+ qconf->cdev = cdev_id; > >>+ qconf->cdev_q = 0; > >>+ if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { > >>+ dev_conf.socket_id = socket_id; > >>+ printf("Initializing AESNI-MB device %u socket %u\n", > >>+ cdev_id, socket_id); > >>+ } else { > >>+ dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id); > >>+ printf("Initialising QAT device %u\n", cdev_id); > >>+ } > >>+ > >>+ dev_conf.nb_queue_pairs = 1; > >>+ dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS; > >>+ dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ; > >>+ > >>+ if (rte_cryptodev_configure(cdev_id, &dev_conf)) > >>+ rte_panic("Failed to initialize crypodev %u\n", > >>+ cdev_id); > >>+ > >>+ qp_conf.nb_descriptors = CDEV_MP_NB_OBJS; > >>+ if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf, > >>+ dev_conf.socket_id)) > >>+ rte_panic("Failed to setup queue %u for cdev_id %u\n", > >>+ 0, cdev_id); > >>+ cdev_id++; > >>+ } > >>+ > >>+ return 0; > >>+} > >>+ > >>+static void > >>+port_init(uint8_t portid) > >>+{ > >>+ struct rte_eth_dev_info dev_info; > >>+ struct rte_eth_txconf *txconf; > >>+ uint16_t nb_tx_queue, nb_rx_queue; > >>+ uint16_t tx_queueid, rx_queueid, queue, lcore_id; > >>+ int ret, socket_id; > >>+ struct lcore_conf *qconf; > >>+ struct ether_addr ethaddr; > >>+ > >>+ rte_eth_dev_info_get(portid, &dev_info); > >>+ > >>+ printf("Configuring device port %u:\n", portid); > >>+ > >>+ rte_eth_macaddr_get(portid, ðaddr); > >>+ ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr); > >>+ print_ethaddr("Address: ", ðaddr); > >>+ printf("\n"); > >>+ > >>+ nb_rx_queue = get_port_nb_rx_queues(portid); > >>+ nb_tx_queue = nb_lcores; > >>+ > >>+ if (nb_rx_queue > dev_info.max_rx_queues) > >>+ rte_exit(EXIT_FAILURE, "Error: queue %u not available " > >>+ "(max rx queue is %u)\n", > >>+ nb_rx_queue, dev_info.max_rx_queues); > >>+ > >>+ if (nb_tx_queue > dev_info.max_tx_queues) > >>+ rte_exit(EXIT_FAILURE, "Error: queue %u not available " > >>+ "(max tx queue is %u)\n", > >>+ nb_tx_queue, dev_info.max_tx_queues); > >>+ > >>+ printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n", > >>+ nb_rx_queue, nb_tx_queue); > >>+ > >>+ ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue, > >>+ &port_conf); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "Cannot configure device: " > >>+ "err=%d, port=%d\n", ret, portid); > >>+ > >>+ /* init one TX queue per lcore */ > >>+ tx_queueid = 0; > >>+ for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > >>+ if (rte_lcore_is_enabled(lcore_id) == 0) > >>+ continue; > >>+ > >>+ if (numa_on) > >>+ socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); > >>+ else > >>+ socket_id = 0; > >>+ > >>+ /* init TX queue */ > >>+ printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id); > >>+ > >>+ txconf = &dev_info.default_txconf; > >>+ txconf->txq_flags = 0; > >>+ > >>+ ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd, > >>+ socket_id, txconf); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: " > >>+ "err=%d, port=%d\n", ret, portid); > >>+ > >>+ qconf = &lcore_conf[lcore_id]; > >>+ qconf->tx_queue_id[portid] = tx_queueid; > >>+ tx_queueid++; > >>+ > >>+ /* init RX queues */ > >>+ for (queue = 0; queue < qconf->nb_rx_queue; ++queue) { > >>+ if (portid != qconf->rx_queue_list[queue].port_id) > >>+ continue; > >>+ > >>+ rx_queueid = qconf->rx_queue_list[queue].queue_id; > >>+ > >>+ printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid, > >>+ socket_id); > >>+ > >>+ ret = rte_eth_rx_queue_setup(portid, rx_queueid, > >>+ nb_rxd, socket_id, NULL, > >>+ socket_ctx[socket_id].mbuf_pool); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, > >>+ "rte_eth_rx_queue_setup: err=%d, " > >>+ "port=%d\n", ret, portid); > >>+ } > >>+ } > >>+ printf("\n"); > >>+} > >>+ > >>+static void > >>+pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf) > >>+{ > >>+ char s[64]; > >>+ > >>+ snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id); > >>+ ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf, > >>+ MEMPOOL_CACHE_SIZE, ipsec_metadata_size(), > >>+ RTE_MBUF_DEFAULT_BUF_SIZE, > >>+ socket_id); > >>+ if (ctx->mbuf_pool == NULL) > >>+ rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n", > >>+ socket_id); > >>+ else > >>+ printf("Allocated mbuf pool on socket %d\n", socket_id); > >>+} > >>+ > >>+int > >>+main(int argc, char **argv) > >>+{ > >>+ int ret; > >>+ unsigned lcore_id, nb_ports; > >>+ uint8_t portid, socket_id; > >>+ > >>+ /* init EAL */ > >>+ ret = rte_eal_init(argc, argv); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n"); > >>+ argc -= ret; > >>+ argv += ret; > >>+ > >>+ /* parse application arguments (after the EAL ones) */ > >>+ ret = parse_args(argc, argv); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "Invalid parameters\n"); > >>+ > >>+ if (ep < 0) > >>+ rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n"); > >>+ > >>+ if ((unprotected_port_mask & enabled_port_mask) != > >>+ unprotected_port_mask) > >>+ rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n", > >>+ unprotected_port_mask); > >>+ > >>+ nb_ports = rte_eth_dev_count(); > >>+ if (nb_ports > RTE_MAX_ETHPORTS) > >>+ nb_ports = RTE_MAX_ETHPORTS; > >>+ > >>+ if (check_params() < 0) > >>+ rte_exit(EXIT_FAILURE, "check_params failed\n"); > >>+ > >>+ ret = init_lcore_rx_queues(); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n"); > >>+ > >>+ nb_lcores = rte_lcore_count(); > >>+ > >>+ cryptodevs_init(); > >>+ > >>+ /* Replicate each contex per socket */ > >>+ for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > >>+ if (rte_lcore_is_enabled(lcore_id) == 0) > >>+ continue; > >>+ > >>+ if (numa_on) > >>+ socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); > >>+ else > >>+ socket_id = 0; > >>+ > >>+ if (socket_ctx[socket_id].mbuf_pool) > >>+ continue; > >>+ > >>+ sa_init(&socket_ctx[socket_id], socket_id, ep, > >>+ find_cdev_socket(socket_id, cdev_type)); > >>+ > >>+ sp_init(&socket_ctx[socket_id], socket_id, ep); > >>+ > >>+ rt_init(&socket_ctx[socket_id], socket_id, ep); > >>+ > >>+ pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); > >>+ } > >>+ > >>+ for (portid = 0; portid < nb_ports; portid++) { > >>+ if ((enabled_port_mask & (1 << portid)) == 0) > >>+ continue; > >>+ > >>+ port_init(portid); > >>+ } > >>+ > >>+ /* start ports */ > >>+ for (portid = 0; portid < nb_ports; portid++) { > >>+ if ((enabled_port_mask & (1 << portid)) == 0) > >>+ continue; > >>+ > >>+ /* Start device */ > >>+ ret = rte_eth_dev_start(portid); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " > >>+ "err=%d, port=%d\n", ret, portid); > >>+ /* > >>+ * If enabled, put device in promiscuous mode. > >>+ * This allows IO forwarding mode to forward packets > >>+ * to itself through 2 cross-connected ports of the > >>+ * target machine. > >>+ */ > >>+ if (promiscuous_on) > >>+ rte_eth_promiscuous_enable(portid); > >>+ } > >>+ > >>+ check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask); > >>+ > >>+ /* launch per-lcore init on every lcore */ > >>+ rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER); > >>+ RTE_LCORE_FOREACH_SLAVE(lcore_id) { > >>+ if (rte_eal_wait_lcore(lcore_id) < 0) > >>+ return -1; > >>+ } > >>+ > >>+ return 0; > >>+} > >>diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > >>new file mode 100644 > >>index 0000000..83e3326 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/ipsec.c > >>@@ -0,0 +1,138 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#include > >>+#include > >>+ > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+ > >>+#include "ipsec.h" > >>+ > >>+static inline uint16_t > >>+ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[], > >>+ struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts) > >>+{ > >>+ int ret, i, j; > >>+ struct ipsec_mbuf_metadata *priv; > >>+ struct rte_mbuf_offload *ol; > >>+ struct ipsec_sa *sa; > >>+ > >>+ j = 0; > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ rte_prefetch0(sas[i]); > >>+ rte_prefetch0(pkts[i]); > >>+ > >>+ priv = get_priv(pkts[i]); > >>+ ol = &priv->ol; > >>+ sa = sas[i]; > >>+ priv->sa = sa; > >>+ > >>+ IPSEC_ASSERT(sa != NULL); > >>+ > >>+ __rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO); > >>+ > >>+ rte_crypto_op_attach_session(&ol->op.crypto, > >>+ sa->crypto_session); > >>+ > >>+ pkts[i]->offload_ops = ol; > >>+ > >>+ ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto); > >>+ if (unlikely(ret)) > >>+ rte_pktmbuf_free(pkts[i]); > >>+ else > >>+ pkts[j++] = pkts[i]; > >>+ } > >>+ nb_pkts = j; > >>+ > >>+ ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts); > >>+ if (ret < nb_pkts) { > >>+ IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" > >>+ " enqueued %u packets (out of %u)\n", > >>+ cdev_id, qp_id, ret, nb_pkts); > >>+ for (i = ret; i < nb_pkts; i++) > >>+ rte_pktmbuf_free(pkts[i]); > >>+ } > >>+ > >>+ nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts); > >>+ if ((nb_pkts != 0) && (nb_pkts < max_pkts)) > >>+ IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" > >>+ " dequeued %u packets (out of %u)\n", > >>+ cdev_id, qp_id, nb_pkts, max_pkts); > >>+ > >>+ j = 0; > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ rte_prefetch0(pkts[i]); > >>+ > >>+ priv = get_priv(pkts[i]); > >>+ ol = &priv->ol; > >>+ sa = priv->sa; > >>+ rte_prefetch0(sa); > >>+ > >>+ IPSEC_ASSERT(sa != NULL); > >>+ > >>+ ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto); > >>+ if (unlikely(ret)) > >>+ rte_pktmbuf_free(pkts[i]); > >>+ else > >>+ pkts[j++] = pkts[i]; > >>+ } > >>+ > >>+ /* return packets */ > >>+ return j; > >>+} > >>+ > >>+uint16_t > >>+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > >>+ uint16_t nb_pkts, uint16_t len) > >>+{ > >>+ struct ipsec_sa *sas[nb_pkts]; > >>+ > >>+ inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts); > >>+ > >>+ return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); > >>+} > >>+ > >>+uint16_t > >>+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > >>+ uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len) > >>+{ > >>+ struct ipsec_sa *sas[nb_pkts]; > >>+ > >>+ outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts); > >>+ > >>+ return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); > >>+} > >>diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > >>new file mode 100644 > >>index 0000000..abf9d5f > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/ipsec.h > >>@@ -0,0 +1,184 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+#ifndef __IPSEC_H__ > >>+#define __IPSEC_H__ > >>+ > >>+#include > >>+#include > >>+#include > >>+ > >>+#include > >>+#include > >>+#include > >>+ > >>+#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 > >>+#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 > >>+#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3 > >>+ > >>+#ifdef IPSEC_DEBUG > >>+#define IPSEC_ASSERT(exp) \ > >>+if (!(exp)) { \ > >>+ rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \ > >>+} > >>+ > >>+#define IPSEC_LOG RTE_LOG > >>+#else > >>+#define IPSEC_ASSERT(exp) do {} while (0) > >>+#define IPSEC_LOG(...) do {} while (0) > >>+#endif /* IPSEC_DEBUG */ > >>+ > >>+#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ > >>+ > >>+#define uint32_t_to_char(ip, a, b, c, d) do {\ > >>+ *a = (unsigned char)(ip >> 24 & 0xff);\ > >>+ *b = (unsigned char)(ip >> 16 & 0xff);\ > >>+ *c = (unsigned char)(ip >> 8 & 0xff);\ > >>+ *d = (unsigned char)(ip & 0xff);\ > >>+ } while (0) > >>+ > >>+#define DEFAULT_MAX_CATEGORIES 1 > >>+ > >>+#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */ > >>+#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) > >>+#define INVALID_SPI (0) > >>+ > >>+#define DISCARD (0x80000000) > >>+#define BYPASS (0x40000000) > >>+#define PROTECT_MASK (0x3fffffff) > >>+#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ > >>+ > >>+#define IPSEC_XFORM_MAX 2 > >>+ > >>+struct rte_crypto_xform; > >>+struct ipsec_xform; > >>+struct rte_cryptodev_session; > >>+struct rte_mbuf; > >>+ > >>+struct replay { > >>+ uint32_t seq_h; > >>+}; > >>+ > >>+struct lifetime { > >>+ uint64_t bytes; > >>+ uint64_t seconds; > >>+}; > >>+ > >>+struct ipsec_sa; > >>+ > >>+typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa, > >>+ struct rte_crypto_op *cop); > >>+ > >>+struct ipsec_sa { > >>+ uint32_t spi; > >>+ uint32_t seq; > >>+ uint32_t src; > >>+ uint32_t dst; > >>+ struct rte_cryptodev_session *crypto_session; > >>+ struct rte_crypto_xform *xforms; > >>+ enum rte_crypto_cipher_algorithm cipher_algo; > >>+ enum rte_crypto_auth_algorithm auth_algo; > >>+ uint16_t digest_len; > >>+ uint16_t iv_len; > >>+ uint16_t block_size; > >>+ ipsec_xform_fn pre_crypto; > >>+ ipsec_xform_fn post_crypto; > >>+ uint32_t flags; > >>+ /* does not apply if no automated SA management (IKE) support */ > >>+ struct lifetime current; > >>+ struct lifetime soft; > >>+ struct lifetime hard; > >>+ struct replay replay; > >>+} __rte_cache_aligned; > >>+ > >>+struct ipsec_mbuf_metadata { > >>+ struct ipsec_sa *sa; > >>+ struct rte_mbuf_offload ol; > >>+}; > >>+ > >>+struct ipsec_ctx { > >>+ uint16_t cdev; > >>+ uint16_t queue; > >>+ struct sa_ctx *sa_ctx; > >>+}; > >>+ > >>+struct socket_ctx { > >>+ struct sa_ctx *sa_ipv4_in; > >>+ struct sa_ctx *sa_ipv4_out; > >>+ struct sp_ctx *sp_ipv4_in; > >>+ struct sp_ctx *sp_ipv4_out; > >>+ struct rt_ctx *rt_ipv4; > >>+ struct rte_mempool *mbuf_pool; > >>+}; > >>+ > >>+uint16_t > >>+ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > >>+ uint16_t nb_pkts, uint16_t len); > >>+ > >>+uint16_t > >>+ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], > >>+ uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len); > >>+ > >>+static inline uint16_t > >>+ipsec_metadata_size(void) > >>+{ > >>+ return sizeof(struct ipsec_mbuf_metadata); > >>+} > >>+ > >>+static inline struct ipsec_mbuf_metadata * > >>+get_priv(struct rte_mbuf *m) > >>+{ > >>+ return RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); > >>+} > >>+ > >>+int > >>+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); > >>+ > >>+void > >>+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], > >>+ struct ipsec_sa *sa[], uint16_t nb_pkts); > >>+ > >>+void > >>+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], > >>+ struct ipsec_sa *sa[], uint16_t nb_pkts); > >>+ > >>+void > >>+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep); > >>+ > >>+void > >>+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id); > >>+ > >>+void > >>+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep); > >>+ > >>+#endif /* __IPSEC_H__ */ > >>diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c > >>new file mode 100644 > >>index 0000000..82064b2 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/rt.c > >>@@ -0,0 +1,131 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+/* > >>+ * Routing Table (RT) > >>+ */ > >>+#include > >>+#include > >>+ > >>+#include "ipsec.h" > >>+ > >>+#define RT_IPV4_MAX_RULES 64 > >>+ > >>+struct ipv4_route { > >>+ uint32_t ip; > >>+ uint8_t depth; > >>+ uint8_t if_out; > >>+}; > >>+ > >>+/* In the default routing table we have: > >>+ * ep0 protected ports 0 and 1, and unprotected ports 2 and 3. > >>+ */ > >>+static struct ipv4_route rt_ipv4_ep0[] = { > >>+ { IPv4(172, 16, 2, 5), 32, 0 }, > >>+ { IPv4(172, 16, 2, 6), 32, 0 }, > >>+ { IPv4(172, 16, 2, 7), 32, 1 }, > >>+ { IPv4(172, 16, 2, 8), 32, 1 }, > >>+ > >>+ { IPv4(192, 168, 115, 0), 24, 2 }, > >>+ { IPv4(192, 168, 116, 0), 24, 2 }, > >>+ { IPv4(192, 168, 117, 0), 24, 3 }, > >>+ { IPv4(192, 168, 118, 0), 24, 3 } > >>+}; > >>+ > >>+/* In the default routing table we have: > >>+ * ep1 protected ports 0 and 1, and unprotected ports 2 and 3. > >>+ */ > >>+static struct ipv4_route rt_ipv4_ep1[] = { > >>+ { IPv4(172, 16, 1, 5), 32, 2 }, > >>+ { IPv4(172, 16, 1, 6), 32, 2 }, > >>+ { IPv4(172, 16, 1, 7), 32, 3 }, > >>+ { IPv4(172, 16, 1, 8), 32, 3 }, > >>+ > >>+ { IPv4(192, 168, 105, 0), 24, 0 }, > >>+ { IPv4(192, 168, 106, 0), 24, 0 }, > >>+ { IPv4(192, 168, 107, 0), 24, 1 }, > >>+ { IPv4(192, 168, 108, 0), 24, 1 } > >>+}; > >>+ > >>+void > >>+rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep) > >>+{ > >>+ char name[PATH_MAX]; > >>+ unsigned i; > >>+ int ret; > >>+ struct rte_lpm *lpm; > >>+ struct ipv4_route *rt; > >>+ char a, b, c, d; > >>+ unsigned nb_routes; > >>+ > >>+ if (ctx == NULL) > >>+ rte_exit(EXIT_FAILURE, "NULL context.\n"); > >>+ > >>+ if (ctx->rt_ipv4 != NULL) > >>+ rte_exit(EXIT_FAILURE, "Routing Table for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ printf("Creating Routing Table (RT) context with %u max routes\n", > >>+ RT_IPV4_MAX_RULES); > >>+ > >>+ if (ep == 0) { > >>+ rt = rt_ipv4_ep0; > >>+ nb_routes = RTE_DIM(rt_ipv4_ep0); > >>+ } else if (ep == 1) { > >>+ rt = rt_ipv4_ep1; > >>+ nb_routes = RTE_DIM(rt_ipv4_ep1); > >>+ } else > >>+ rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 " > >>+ "supported.\n", ep); > >>+ > >>+ /* create the LPM table */ > >>+ snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id); > >>+ lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0); > >>+ if (lpm == NULL) > >>+ rte_exit(EXIT_FAILURE, "Unable to create LPM table " > >>+ "on socket %d\n", socket_id); > >>+ > >>+ /* populate the LPM table */ > >>+ for (i = 0; i < nb_routes; i++) { > >>+ ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out); > >>+ if (ret < 0) > >>+ rte_exit(EXIT_FAILURE, "Unable to add entry num %u to " > >>+ "LPM table on socket %d\n", i, socket_id); > >>+ > >>+ uint32_t_to_char(rt[i].ip, &a, &b, &c, &d); > >>+ printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n", > >>+ a, b, c, d, rt[i].depth, rt[i].if_out); > >>+ } > >>+ > >>+ ctx->rt_ipv4 = (struct rt_ctx *)lpm; > >>+} > >>diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > >>new file mode 100644 > >>index 0000000..5ea7592 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/sa.c > >>@@ -0,0 +1,391 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+/* > >>+ * Security Associations > >>+ */ > >>+#include > >>+ > >>+#include > >>+#include > >>+#include > >>+#include > >>+#include > >>+ > >>+#include "ipsec.h" > >>+#include "esp.h" > >>+ > >>+/* SAs EP0 Outbound */ > >>+const struct ipsec_sa sa_ep0_out[] = { > >>+ { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >IMO, a SA with NULL crypto (rfc2410) operation will be useful for ESP > >packet processing debugging and measuring the performance impact with > >the crypto block in fast path. > > > > I couldn't agree more. > > I'll add support for NULL crypto in the app with dependency on previously > mentioned cryptodev capabilities patch set and: > http://dpdk.org/ml/archives/dev/2016-January/032458.html > > Sergio > > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > >>+}; > >>+ > >>+/* SAs EP0 Inbound */ > >>+const struct ipsec_sa sa_ep0_in[] = { > >>+ { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > >>+}; > >>+ > >>+/* SAs EP1 Outbound */ > >>+const struct ipsec_sa sa_ep1_out[] = { > >>+ { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_outbound_pre_crypto, > >>+ esp4_tunnel_outbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > >>+}; > >>+ > >>+/* SAs EP1 Inbound */ > >>+const struct ipsec_sa sa_ep1_in[] = { > >>+ { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, > >>+ { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), > >>+ NULL, NULL, > >>+ RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ 12, 16, 16, > >>+ esp4_tunnel_inbound_pre_crypto, > >>+ esp4_tunnel_inbound_post_crypto, > >>+ 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } > >>+}; > >>+ > >>+static uint8_t cipher_key[256] = "sixteenbytes key"; > >>+ > >>+/* AES CBC xform */ > >>+const struct rte_crypto_xform aescbc_enc_xf = { > >>+ NULL, > >>+ RTE_CRYPTO_XFORM_CIPHER, > >>+ .cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC, > >>+ .key = { cipher_key, 0, 16 } } > >>+}; > >>+ > >>+const struct rte_crypto_xform aescbc_dec_xf = { > >>+ NULL, > >>+ RTE_CRYPTO_XFORM_CIPHER, > >>+ .cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC, > >>+ .key = { cipher_key, 0, 16 } } > >>+}; > >>+ > >>+static uint8_t auth_key[256] = "twentybytes hash key"; > >>+ > >>+/* SHA1 HMAC xform */ > >>+const struct rte_crypto_xform sha1hmac_gen_xf = { > >>+ NULL, > >>+ RTE_CRYPTO_XFORM_AUTH, > >>+ .auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ .key = { auth_key, 0, 20 }, 12, 0 } > >>+}; > >>+ > >>+const struct rte_crypto_xform sha1hmac_verify_xf = { > >>+ NULL, > >>+ RTE_CRYPTO_XFORM_AUTH, > >>+ .auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC, > >>+ .key = { auth_key, 0, 20 }, 12, 0 } > >>+}; > >>+ > >>+struct sa_ctx { > >>+ struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES]; > >>+ struct { > >>+ struct rte_crypto_xform a; > >>+ struct rte_crypto_xform b; > >>+ } xf[IPSEC_SA_MAX_ENTRIES]; > >>+}; > >>+ > >>+static struct sa_ctx * > >>+sa_ipv4_create(const char *name, int socket_id) > >>+{ > >>+ char s[PATH_MAX]; > >>+ struct sa_ctx *sa_ctx; > >>+ unsigned mz_size; > >>+ const struct rte_memzone *mz; > >>+ > >>+ snprintf(s, sizeof(s), "%s_%u", name, socket_id); > >>+ > >>+ /* Create SA array table */ > >>+ printf("Creating SA context with %u maximum entries\n", > >>+ IPSEC_SA_MAX_ENTRIES); > >>+ > >>+ mz_size = sizeof(struct sa_ctx); > >>+ mz = rte_memzone_reserve(s, mz_size, socket_id, > >>+ RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY); > >>+ if (mz == NULL) { > >>+ printf("Failed to allocate SA DB memory\n"); > >>+ rte_errno = -ENOMEM; > >>+ return NULL; > >>+ } > >>+ > >>+ sa_ctx = (struct sa_ctx *)mz->addr; > >>+ > >>+ return sa_ctx; > >>+} > >>+ > >>+static int > >>+sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > >>+ unsigned nb_entries, uint16_t cdev_id, unsigned inbound) > >>+{ > >>+ struct ipsec_sa *sa; > >>+ unsigned i, idx; > >>+ > >>+ for (i = 0; i < nb_entries; i++) { > >>+ idx = SPI2IDX(entries[i].spi); > >>+ sa = &sa_ctx->sa[idx]; > >>+ if (sa->spi != 0) { > >>+ printf("Index %u already in use by SPI %u\n", > >>+ idx, sa->spi); > >>+ return -EINVAL; > >>+ } > >>+ *sa = entries[i]; > >>+ sa->src = rte_cpu_to_be_32(sa->src); > >>+ sa->dst = rte_cpu_to_be_32(sa->dst); > >>+ if (inbound) { > >>+ sa_ctx->xf[idx].a = sha1hmac_verify_xf; > >>+ sa_ctx->xf[idx].b = aescbc_dec_xf; > >>+ } else { /* outbound */ > >>+ sa_ctx->xf[idx].a = aescbc_enc_xf; > >>+ sa_ctx->xf[idx].b = sha1hmac_gen_xf; > >>+ } > >>+ sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b; > >>+ sa_ctx->xf[idx].b.next = NULL; > >>+ sa->xforms = &sa_ctx->xf[idx].a; > >>+ > >>+ sa->crypto_session = rte_cryptodev_session_create(cdev_id, > >>+ sa->xforms); > >>+ } > >>+ > >>+ return 0; > >>+} > >>+ > >>+static inline int > >>+sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > >>+ unsigned nb_entries, uint16_t cdev_id) > >>+{ > >>+ return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0); > >>+} > >>+ > >>+static inline int > >>+sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > >>+ unsigned nb_entries, uint16_t cdev_id) > >>+{ > >>+ return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1); > >>+} > >>+ > >>+void > >>+sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id) > >>+{ > >>+ const struct ipsec_sa *sa_out_entries, *sa_in_entries; > >>+ unsigned nb_out_entries, nb_in_entries; > >>+ const char *name; > >>+ > >>+ if (ctx == NULL) > >>+ rte_exit(EXIT_FAILURE, "NULL context.\n"); > >>+ > >>+ if (ctx->sa_ipv4_in != NULL) > >>+ rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ if (ctx->sa_ipv4_out != NULL) > >>+ rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ if (ep == 0) { > >>+ sa_out_entries = sa_ep0_out; > >>+ nb_out_entries = RTE_DIM(sa_ep0_out); > >>+ sa_in_entries = sa_ep0_in; > >>+ nb_in_entries = RTE_DIM(sa_ep0_in); > >>+ } else if (ep == 1) { > >>+ sa_out_entries = sa_ep1_out; > >>+ nb_out_entries = RTE_DIM(sa_ep1_out); > >>+ sa_in_entries = sa_ep1_in; > >>+ nb_in_entries = RTE_DIM(sa_ep1_in); > >>+ } else > >>+ rte_exit(EXIT_FAILURE, "Invalid EP value %u. " > >>+ "Only 0 or 1 supported.\n", ep); > >>+ > >>+ name = "sa_ipv4_in"; > >>+ ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id); > >>+ if (ctx->sa_ipv4_in == NULL) > >>+ rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " > >>+ "in socket %d\n", rte_errno, name, socket_id); > >>+ > >>+ name = "sa_ipv4_out"; > >>+ ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id); > >>+ if (ctx->sa_ipv4_out == NULL) > >>+ rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " > >>+ "in socket %d\n", rte_errno, name, socket_id); > >>+ > >>+ sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, > >>+ nb_in_entries, cdev_id); > >>+ > >>+ sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, > >>+ nb_out_entries, cdev_id); > >>+} > >>+ > >>+int > >>+inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx) > >>+{ > >>+ struct ipsec_mbuf_metadata *priv; > >>+ > >>+ priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); > >>+ > >>+ return (sa_ctx->sa[sa_idx].spi == priv->sa->spi); > >>+} > >>+ > >>+void > >>+inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], > >>+ struct ipsec_sa *sa[], uint16_t nb_pkts) > >>+{ > >>+ unsigned i; > >>+ uint32_t *src, spi; > >>+ > >>+ for (i = 0; i < nb_pkts; i++) { > >>+ spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *, > >>+ sizeof(struct ip))->spi; > >>+ if (spi == INVALID_SPI) > >>+ continue; > >>+ > >>+ sa[i] = &sa_ctx->sa[SPI2IDX(spi)]; > >>+ if (spi != sa[i]->spi) { > >>+ sa[i] = NULL; > >>+ continue; > >>+ } > >>+ > >>+ src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *, > >>+ offsetof(struct ip, ip_src)); > >>+ if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1))) > >>+ sa[i] = NULL; > >>+ } > >>+} > >>+ > >>+void > >>+outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], > >>+ struct ipsec_sa *sa[], uint16_t nb_pkts) > >>+{ > >>+ unsigned i; > >>+ > >>+ for (i = 0; i < nb_pkts; i++) > >>+ sa[i] = &sa_ctx->sa[sa_idx[i]]; > >>+} > >>diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c > >>new file mode 100644 > >>index 0000000..219e478 > >>--- /dev/null > >>+++ b/examples/ipsec-secgw/sp.c > >>@@ -0,0 +1,324 @@ > >>+/*- > >>+ * BSD LICENSE > >>+ * > >>+ * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. > >>+ * All rights reserved. > >>+ * > >>+ * Redistribution and use in source and binary forms, with or without > >>+ * modification, are permitted provided that the following conditions > >>+ * are met: > >>+ * > >>+ * * Redistributions of source code must retain the above copyright > >>+ * notice, this list of conditions and the following disclaimer. > >>+ * * Redistributions in binary form must reproduce the above copyright > >>+ * notice, this list of conditions and the following disclaimer in > >>+ * the documentation and/or other materials provided with the > >>+ * distribution. > >>+ * * Neither the name of Intel Corporation nor the names of its > >>+ * contributors may be used to endorse or promote products derived > >>+ * from this software without specific prior written permission. > >>+ * > >>+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > >>+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > >>+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > >>+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > >>+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > >>+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > >>+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > >>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > >>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > >>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > >>+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >>+ */ > >>+ > >>+/* > >>+ * Security Policies > >>+ */ > >>+#include > >>+ > >>+#include > >>+ > >>+#include "ipsec.h" > >>+ > >>+#define MAX_ACL_RULE_NUM 1000 > >>+ > >>+/* > >>+ * Rule and trace formats definitions. > >>+ */ > >>+enum { > >>+ PROTO_FIELD_IPV4, > >>+ SRC_FIELD_IPV4, > >>+ DST_FIELD_IPV4, > >>+ SRCP_FIELD_IPV4, > >>+ DSTP_FIELD_IPV4, > >>+ NUM_FIELDS_IPV4 > >>+}; > >>+ > >>+/* > >>+ * That effectively defines order of IPV4 classifications: > >>+ * - PROTO > >>+ * - SRC IP ADDRESS > >>+ * - DST IP ADDRESS > >>+ * - PORTS (SRC and DST) > >>+ */ > >>+enum { > >>+ RTE_ACL_IPV4_PROTO, > >>+ RTE_ACL_IPV4_SRC, > >>+ RTE_ACL_IPV4_DST, > >>+ RTE_ACL_IPV4_PORTS, > >>+ RTE_ACL_IPV4_NUM > >>+}; > >>+ > >>+struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = { > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_BITMASK, > >>+ .size = sizeof(uint8_t), > >>+ .field_index = PROTO_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_PROTO, > >>+ .offset = 0, > >>+ }, > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_MASK, > >>+ .size = sizeof(uint32_t), > >>+ .field_index = SRC_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_SRC, > >>+ .offset = offsetof(struct ip, ip_src) - offsetof(struct ip, ip_p) > >>+ }, > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_MASK, > >>+ .size = sizeof(uint32_t), > >>+ .field_index = DST_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_DST, > >>+ .offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p) > >>+ }, > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_RANGE, > >>+ .size = sizeof(uint16_t), > >>+ .field_index = SRCP_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_PORTS, > >>+ .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) > >>+ }, > >>+ { > >>+ .type = RTE_ACL_FIELD_TYPE_RANGE, > >>+ .size = sizeof(uint16_t), > >>+ .field_index = DSTP_FIELD_IPV4, > >>+ .input_index = RTE_ACL_IPV4_PORTS, > >>+ .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) + > >>+ sizeof(uint16_t) > >>+ }, > >>+}; > >>+ > >>+RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs)); > >>+ > >>+const struct acl4_rules acl4_rules_in[] = { > >>+ { > >>+ .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 105, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 106, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 107, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 108, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ } > >>+}; > >>+ > >>+const struct acl4_rules acl4_rules_out[] = { > >>+ { > >>+ .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 115, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 116, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 117, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ }, > >>+ { > >>+ .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, > >>+ /* destination IPv4 */ > >>+ .field[2] = {.value.u32 = IPv4(192, 168, 118, 0), > >>+ .mask_range.u32 = 24,}, > >>+ /* source port */ > >>+ .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, > >>+ /* destination port */ > >>+ .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} > >>+ } > >>+}; > >>+ > >>+static void > >>+print_one_ipv4_rule(const struct acl4_rules *rule, int extra) > >>+{ > >>+ unsigned char a, b, c, d; > >>+ > >>+ uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32, > >>+ &a, &b, &c, &d); > >>+ printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, > >>+ rule->field[SRC_FIELD_IPV4].mask_range.u32); > >>+ uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32, > >>+ &a, &b, &c, &d); > >>+ printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, > >>+ rule->field[DST_FIELD_IPV4].mask_range.u32); > >>+ printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ", > >>+ rule->field[SRCP_FIELD_IPV4].value.u16, > >>+ rule->field[SRCP_FIELD_IPV4].mask_range.u16, > >>+ rule->field[DSTP_FIELD_IPV4].value.u16, > >>+ rule->field[DSTP_FIELD_IPV4].mask_range.u16, > >>+ rule->field[PROTO_FIELD_IPV4].value.u8, > >>+ rule->field[PROTO_FIELD_IPV4].mask_range.u8); > >>+ if (extra) > >>+ printf("0x%x-0x%x-0x%x ", > >>+ rule->data.category_mask, > >>+ rule->data.priority, > >>+ rule->data.userdata); > >>+} > >>+ > >>+static inline void > >>+dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra) > >>+{ > >>+ int i; > >>+ > >>+ for (i = 0; i < num; i++, rule++) { > >>+ printf("\t%d:", i + 1); > >>+ print_one_ipv4_rule(rule, extra); > >>+ printf("\n"); > >>+ } > >>+} > >>+ > >>+static struct rte_acl_ctx * > >>+acl4_init(const char *name, int socketid, const struct acl4_rules *rules, > >>+ unsigned rules_nb) > >>+{ > >>+ char s[PATH_MAX]; > >>+ struct rte_acl_param acl_param; > >>+ struct rte_acl_config acl_build_param; > >>+ struct rte_acl_ctx *ctx; > >>+ > >>+ printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM); > >>+ > >>+ memset(&acl_param, 0, sizeof(acl_param)); > >>+ > >>+ /* Create ACL contexts */ > >>+ snprintf(s, sizeof(s), "%s_%d", name, socketid); > >>+ > >>+ printf("IPv4 %s entries [%u]:\n", s, rules_nb); > >>+ dump_ipv4_rules(rules, rules_nb, 1); > >>+ > >>+ acl_param.name = s; > >>+ acl_param.socket_id = socketid; > >>+ acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs)); > >>+ acl_param.max_rule_num = MAX_ACL_RULE_NUM; > >>+ > >>+ ctx = rte_acl_create(&acl_param); > >>+ if (ctx == NULL) > >>+ rte_exit(EXIT_FAILURE, "Failed to create ACL context\n"); > >>+ > >>+ if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules, > >>+ rules_nb) < 0) > >>+ rte_exit(EXIT_FAILURE, "add rules failed\n"); > >>+ > >>+ /* Perform builds */ > >>+ memset(&acl_build_param, 0, sizeof(acl_build_param)); > >>+ > >>+ acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES; > >>+ acl_build_param.num_fields = rules_nb; > >>+ memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs)); > >>+ > >>+ if (rte_acl_build(ctx, &acl_build_param) != 0) > >>+ rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n"); > >>+ > >>+ rte_acl_dump(ctx); > >>+ > >>+ return ctx; > >>+} > >>+ > >>+void > >>+sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep) > >>+{ > >>+ const char *name; > >>+ const struct acl4_rules *rules_out, *rules_in; > >>+ unsigned nb_out_rules, nb_in_rules; > >>+ > >>+ if (ctx == NULL) > >>+ rte_exit(EXIT_FAILURE, "NULL context.\n"); > >>+ > >>+ if (ctx->sp_ipv4_in != NULL) > >>+ rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ if (ctx->sp_ipv4_out != NULL) > >>+ rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already " > >>+ "initialized\n", socket_id); > >>+ > >>+ if (ep == 0) { > >>+ rules_out = acl4_rules_in; > >>+ nb_out_rules = RTE_DIM(acl4_rules_in); > >>+ rules_in = acl4_rules_out; > >>+ nb_in_rules = RTE_DIM(acl4_rules_out); > >>+ } else if (ep == 1) { > >>+ rules_out = acl4_rules_out; > >>+ nb_out_rules = RTE_DIM(acl4_rules_out); > >>+ rules_in = acl4_rules_in; > >>+ nb_in_rules = RTE_DIM(acl4_rules_in); > >>+ } else > >>+ rte_exit(EXIT_FAILURE, "Invalid EP value %u. " > >>+ "Only 0 or 1 supported.\n", ep); > >>+ > >>+ name = "sp_ipv4_in"; > >>+ ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id, > >>+ rules_in, nb_in_rules); > >>+ > >>+ name = "sp_ipv4_out"; > >>+ ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id, > >>+ rules_out, nb_out_rules); > >>+} > >>-- > >>2.4.3 > >> >