From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0055.outbound.protection.outlook.com [104.47.32.55]) by dpdk.org (Postfix) with ESMTP id 1C4411B38C for ; Tue, 3 Oct 2017 15:17:28 +0200 (CEST) Received: from CY4PR03CA0092.namprd03.prod.outlook.com (10.171.242.161) by CY1PR03MB2363.namprd03.prod.outlook.com (10.166.207.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Tue, 3 Oct 2017 13:17:27 +0000 Received: from BY2FFO11OLC002.protection.gbl (2a01:111:f400:7c0c::100) by CY4PR03CA0092.outlook.office365.com (2603:10b6:910:4d::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.56.11 via Frontend Transport; Tue, 3 Oct 2017 13:17:27 +0000 Authentication-Results: spf=fail (sender IP is 192.88.158.2) smtp.mailfrom=nxp.com; NXP1.onmicrosoft.com; dkim=none (message not signed) header.d=none;NXP1.onmicrosoft.com; dmarc=fail action=none header.from=nxp.com; Received-SPF: Fail (protection.outlook.com: domain of nxp.com does not designate 192.88.158.2 as permitted sender) receiver=protection.outlook.com; client-ip=192.88.158.2; helo=az84smr01.freescale.net; Received: from az84smr01.freescale.net (192.88.158.2) by BY2FFO11OLC002.mail.protection.outlook.com (10.1.15.178) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.20.77.10 via Frontend Transport; Tue, 3 Oct 2017 13:17:27 +0000 Received: from netperf2.ap.freescale.net ([10.232.133.164]) by az84smr01.freescale.net (8.14.3/8.14.0) with ESMTP id v93DGfTJ030592; Tue, 3 Oct 2017 06:17:22 -0700 From: Akhil Goyal To: CC: , , , , , , , , , , Date: Tue, 3 Oct 2017 18:44:09 +0530 Message-ID: <20171003131413.23846-9-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20171003131413.23846-1-akhil.goyal@nxp.com> References: <20170914082651.26232-1-akhil.goyal@nxp.com> <20171003131413.23846-1-akhil.goyal@nxp.com> X-EOPAttributedMessage: 0 X-Matching-Connectors: 131515102475767039; (91ab9b29-cfa4-454e-5278-08d120cd25b8); () X-Forefront-Antispam-Report: CIP:192.88.158.2; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(6009001)(336005)(39380400002)(346002)(376002)(39860400002)(2980300002)(1109001)(1110001)(339900001)(199003)(189002)(50466002)(54906003)(85426001)(97736004)(81166006)(53936002)(8936002)(81156014)(47776003)(305945005)(4326008)(8676002)(1076002)(105606002)(36756003)(33646002)(498600001)(106466001)(16586007)(86362001)(48376002)(2351001)(316002)(2906002)(77096006)(5003940100001)(6916009)(50986999)(8656003)(6666003)(50226002)(15650500001)(104016004)(68736007)(7416002)(356003)(76176999)(5660300001)(69596002)(2950100002)(189998001); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR03MB2363; H:az84smr01.freescale.net; FPR:; SPF:Fail; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-Microsoft-Exchange-Diagnostics: 1; BY2FFO11OLC002; 1:L+PUAgZkSH0kLz07IK3lMtsc2Vv8dEfHILi5S06yTnEPuBd8NlXEy+8cQwTlbLWpq56gNcqGCktEYXmV1UFbHFi0v5I/X4etUzbZLqiRiZ3OVp8xW4Zy2k0HZAXM+0wQ MIME-Version: 1.0 Content-Type: text/plain X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 02ddc6b5-3288-41b2-c1ff-08d50a61180e X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017052603199)(201703131430075)(201703131517081); SRVR:CY1PR03MB2363; X-Microsoft-Exchange-Diagnostics: 1; CY1PR03MB2363; 3:XfMGMqKwTp2W4KVdoQRICCdRoJPBBUNOT/dCXm5sLyWbALVfXhg8cSZYlxgg3VluMP5ll/pupizJmiVHQUju+uOK4eSzoM6a3xmdJc/FYIIo68iT0FbN3Agr9WWy5qbWrjzVP7czhPFeovT+ZT5vEOQVJg7/HuiKVPzUDxBHru8IAg320pfw25sE7Xh2MDIoErz72nByjiEoBWdOcs89d0f+oOED5IVW2VtQ1kEvuaUUuW1uOhjTfLmonVmMC6zUv2yRNYtfdOi0PVXDWj5fqs2IwejmljK7TF6LW77UWTh0ZpP9kGxNUhfhfTBVO0jJlxNJL+xIhcX5j71dsq8L3w==; 25:fI2fh60JLz386+tzSTVETtKKOII9ZaSRP2H+xwP6FfN96z9TOwcCnbA6wyZswiY1lLOk/KbxGM1nuJ8JqYFKJPzTrZvK/kIEd1CR0q6Hgw+24vhgx04vhFCIMrlebQYj8c1dQ+xSDWPCMK29x11QaECWj2hsPn2PhKymfOtWpxRR/TSBVrVwTmNfkTkr3Zp60TrAk5fM2jJ4033d+0QHUqP6Olj162cu3EEnIXnXT0Q2m954D4tV8AwHkZx191tcl9mR0+5ucVYpJgjWh5b4Ov50JRYMJrzK1ZNZmSQq5XslRIShbC64mVbpPG9Q9IDPnbZA98CLAlKVaF2wrDG0Bg==; 31:Fbz32nzeVidRiArdOZzkO1HbNOsHeWA4UHNT0g6okry4rUh/TejEP2qhWGUp5D4x2d6uGpIxJ64y08sYBWTOcpLUbfWn8FAsv8N+dO60fmp21RBUKyqOHpabaK2stdCPQOIKq6feo5b7fAeOt00vWJ756k9Ds4XNERpVH5i5q/i/Qw489DPLqUxbWyi60j0YPpMiFUeXkgaY9s0zM2JvkAuQn7ad0SkoUW4EW5eEmWg= X-MS-TrafficTypeDiagnostic: CY1PR03MB2363: X-Exchange-Antispam-Report-Test: UriScan:(192374486261705); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6095135)(2401047)(5005006)(8121501046)(100000703101)(100105400095)(3002001)(10201501046)(93006095)(93001095)(6055026)(6096035)(201703131430075)(201703131448075)(201703131433075)(201703161259150)(201703151042153)(20161123563025)(20161123565025)(20161123559100)(20161123561025)(20161123556025)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY1PR03MB2363; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(400006)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY1PR03MB2363; X-Microsoft-Exchange-Diagnostics: 1; CY1PR03MB2363; 4:Y41XYZHYOy/9piL9v5fbXrp716XjXPSq8S8AKyLiu/OcGRfjNBak9YuMS9ZqSn5jX90tnm45cYIZETCMn5cOcYbutYrmAO4Id33DyxSYl24xytGTI8DmpUw62+ez3lGmG7wwaSdISC/xRDRHWVAF0IWyEt/Tc0qtZHvCG3k347zLSR5IAOfTy/MvlN7weCONB9qW4apx29X6aYVPZKN2qKYEuDNBtkypmVue1eMwZxqO6zfMlGAKsb9PUvO7azT+25QCPrKBQsW69jsmcnmi3WsR/QpxEInOBhSvSzFqsnI= X-Forefront-PRVS: 044968D9E1 X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; CY1PR03MB2363; 23:1svvLrUVvC1OwpmsaVHqObJRYC7lHzFtmgWAuW5iA?= =?us-ascii?Q?gl7CO+fV3PPQcHc/0/LDsc2fqPeSmgvb45ujObqMbdcNcvnadR+Evhyo95E5?= =?us-ascii?Q?vOEExt8m12kHpryDQm2sb+C514MiZcTOYour7vhNzMIIpYuHYRab3byyhgsq?= =?us-ascii?Q?cPkZWCRiW7CZoY4AKvb9Ys+BToGOl8HTWPnoUBUjtiYFPUoZnGS51f4RLOQu?= =?us-ascii?Q?9VJEoVjjp2MB2rGUpX6MjrQnMbIvdXh1Cre1tvzPoPDbeaYwh7I6gP+5NQ+I?= =?us-ascii?Q?nATL/C07rsmIFu81ZGYGaDe0aUYIZxMrIRKCB1/uhE4uC2vVPiscRmug1yhM?= =?us-ascii?Q?Yc5iX57jfgNZRFcRC6m02gIVCvOS/aIizuQ3RVeqjF3KvSnsNg8AeLjHoUo8?= =?us-ascii?Q?5RTvfhFdsy6QAQcOMcPd+Q9lU4e2oyr1idnz1MQtcn5vW9HGjZAx7lLqsAI4?= =?us-ascii?Q?W++BL8lz1BstUzgrXaqCCcaUUINVii37A6m5tmpn4bgzoTLC7xLzkP4nN6tF?= =?us-ascii?Q?gA44sS2ayJJ6UBYJoS6hYMLGY3eshZwcnJXZn6aEWaoPnwx3YKTBBn9HPUgL?= =?us-ascii?Q?Xj69tEEYd9wVq4S/y1a3/6r/CTWIKGBeN0GyGWqFPYglah6SRKnmVE96PUy5?= =?us-ascii?Q?Z7CifQgnHk8yPG+flRb5VH/B7GcjNR5fj3xf5v/tJUFJvGmwJtcYndiWTtQa?= =?us-ascii?Q?jh3coFrbuz7d8g9Yt/qGdUk4ptI09j9OrlE6yXki6fxF98DFb1pqVoXSKyqa?= =?us-ascii?Q?q5ct5YgP5uP4PsQxnwlAhegb8O4pldPh4TRQYK2ja9P4nzvXuiag6uuk/uXV?= =?us-ascii?Q?jG0IYetqW65hFNE3C8VZIS6hrH3h+uttaO7jeOEwX2e19CPSoiaOamkHj9Kv?= =?us-ascii?Q?m5FTpr+vb0mqbxzBAT7G/cBu+58HXi1b+uGMX/WIOb7WyYCproPyZzbY2ZTL?= =?us-ascii?Q?IaDu9VaCwYHnE/9Ebchsit0laMbO9/N4VDo4Vj7QfZ8IRgqIUIkmztaWRpQA?= =?us-ascii?Q?ZMwnAMrvCg3dlZrxWOXjlpJc9fBDhBfmnSzV7pTk2kbR6bL3RlcPGEHdIKmi?= =?us-ascii?Q?0FTuFnwGUKxo2ds3F9PFFHqas6rhCm30xE/Uztdy9BVhOQ1KutQHZY90nxJO?= =?us-ascii?Q?oyeHH+dpNijzZUyI7neT0eyuACD4imMITJp2L5uGcJaPSFk+skhF+Lsobyt6?= =?us-ascii?Q?CWS3Y5lgRWitbCGynPLjIOeZxndeiJF1Lc+s2ylPFwuh6mnKUiwgh/1/4SDE?= =?us-ascii?Q?u5UUR2Ad3x16guoHpA=3D?= X-Microsoft-Exchange-Diagnostics: 1; CY1PR03MB2363; 6:HGTRm7sbH+VVZ725lFy6bxc+uOp+oP8HnpzIpN1GhoRdmFZlgF6y1bNruA98SV0oMoB7F0LXwTpv1b+8f6iEjQyXdw+G466WtAV6BM7RKwJxAszOlB+UX0OWo8MChI2urGVaEwrvi07tv8egRL9z3Kr8X6jclaiGXDmesSRG3DRFIN2JfkAyCq6nbboE5us11aRfpR3xwJ29fXfsht+f2qTX6C4khkEaD6kK4zOJ7JulejVd79kktINbyQ3VOR59zSMYjjRUpYZl0bIcEVvaTi/onDard9FYdRs/O/NzBQXszDevMFleuIhZa639qeV+Tzoq8J83KKp/99EeUC+iIQ==; 5:TbgjUwtdqNno8WDBbh3oN7v/sdFxWK9msOmxoZsS3SBa0aALQfzlJEWlCrRBC3hL8cwuheaLsV332Q1QZtOjNAfMij5wqgiDgD+CInX8BUrHlAdxyR7eaLwwjBl2cp0vm6pQISnKpEcykkwg1Z9Z9g==; 24:ajZqbICIU+EwaslFZJiJ9PkPTV6w0fV7b3hKcabHdIrxgnhHGmMsp6eEO5TdZOUyz1UtHu6vszXyGdUE6oP9gDuCNWQc5OX4yeybPlAycIo=; 7:yLiLTm3HdCjVocQx9FqxDdsmYL5sYfF3zZ/OeOL80aZe6iwW96V1b/h35R+pUDz4zjmv9gYXW9FZ0Rtylmohq5MSwzfSiNPdl3Ds6USAP0gJrtDS5v9CAT1+LDIgjNjAodovof5UNthT0CxR+JwDRvJ4uVzGz2kR230V1h/AOVRNes5IXcvt4Ne/UdadcFHEmAhcG29M9Yos4RlcLO/X09sXVLRjeJz47R2HHhXikXg= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Oct 2017 13:17:27.3271 (UTC) X-MS-Exchange-CrossTenant-Id: 5afe0b00-7697-4969-b663-5eab37d5f47e X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5afe0b00-7697-4969-b663-5eab37d5f47e; Ip=[192.88.158.2]; Helo=[az84smr01.freescale.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR03MB2363 Subject: [dpdk-dev] [PATCH v2 08/12] doc: add details of rte_flow security actions X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Oct 2017 13:17:29 -0000 From: Boris Pismenny Signed-off-by: Boris Pismenny --- doc/guides/prog_guide/rte_flow.rst | 83 +++++++++++++++++++++++++++++++++++++- 1 file changed, 81 insertions(+), 2 deletions(-) diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst index 662a912..62da436 100644 --- a/doc/guides/prog_guide/rte_flow.rst +++ b/doc/guides/prog_guide/rte_flow.rst @@ -187,7 +187,7 @@ Pattern item Pattern items fall in two categories: - Matching protocol headers and packet data (ANY, RAW, ETH, VLAN, IPV4, - IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE and so on), usually + IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE, ESP and so on), usually associated with a specification structure. - Matching meta-data or affecting pattern processing (END, VOID, INVERT, PF, @@ -955,6 +955,14 @@ Usage example, fuzzy match a TCPv4 packets: | 4 | END | +-------+----------+ +Item: ``ESP`` +^^^^^^^^^^^^^ + +Matches an ESP header. + +- ``hdr``: ESP header definition (``rte_esp.h``). +- Default ``mask`` matches SPI only. + Actions ~~~~~~~ @@ -972,7 +980,7 @@ They fall in three categories: additional processing by subsequent flow rules. - Other non-terminating meta actions that do not affect the fate of packets - (END, VOID, MARK, FLAG, COUNT). + (END, VOID, MARK, FLAG, COUNT, SECURITY). When several actions are combined in a flow rule, they should all have different types (e.g. dropping a packet twice is not possible). @@ -1354,6 +1362,77 @@ rule or if packets are not addressed to a VF in the first place. | ``vf`` | VF ID to redirect packets to | +--------------+--------------------------------+ +Action: ``SECURITY`` +^^^^^^^^^^^^^^^^^^^^ + +Perform the security action on flows matched by the pattern items +according to the configuration of the security session. + +This action modifies the payload of matched flows. For INLINE_CRYPTO, the +security protocol headers and IV are fully provided by the application as +specified in the flow pattern. The payload of matching packets is +encrypted on egress, and decrypted and authenticated on ingress. +For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, +providing full encapsulation and decapsulation of packets in security +protocols. The flow pattern specifies both the outer security header fields +and the inner packet fields. The security session specified in the action +must match the pattern parameters. + +The security session specified in the action must be created on the same +port as the flow action that is being specified. + +The ingress/egress flow attribute should match that specified in the +security session if the security session supports the definition of the +direction. + +Multiple flows can be configured to use the same security session. + +- Non-terminating by default. + +.. _table_rte_flow_action_security + +.. table:: SECURITY + + +----------------------+--------------------------------------+ + | Field | Value | + +======================+======================================+ + | ``security_session`` | security session to apply | + +----------------------+--------------------------------------+ + +Usage example, configure IPsec inline using INLINE_CRYPTO security session: + +The encryption algorithm, keys and salt are part of the opaque +``rte_security_session``. The SA is identified according to the IP and ESP +fields in the pattern items. + +.. _table_rte_flow_item_esp_inline_example: + +.. table:: IPsec inline crypto flow pattern items. + + +-------+----------+ + | Index | Item | + +=======+==========+ + | 0 | Ethernet | + +-------+----------+ + | 1 | IPv4 | + +-------+----------+ + | 2 | ESP | + +-------+----------+ + | 3 | END | + +-------+----------+ + +.. _table_rte_flow_action_esp_inline_example: + +.. table:: IPsec inline flow actions. + + +-------+----------+ + | Index | Action | + +=======+==========+ + | 0 | SECURITY | + +-------+----------+ + | 1 | END | + +-------+----------+ + Negative types ~~~~~~~~~~~~~~ -- 2.9.3