From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0044.outbound.protection.outlook.com [104.47.40.44]) by dpdk.org (Postfix) with ESMTP id B2E9D1B281 for ; Fri, 6 Oct 2017 20:15:20 +0200 (CEST) Received: from CY4PR03CA0094.namprd03.prod.outlook.com (10.171.242.163) by BN6PR03MB2689.namprd03.prod.outlook.com (10.173.144.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Fri, 6 Oct 2017 18:15:19 +0000 Received: from BN1AFFO11FD037.protection.gbl (2a01:111:f400:7c10::166) by CY4PR03CA0094.outlook.office365.com (2603:10b6:910:4d::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.56.11 via Frontend Transport; Fri, 6 Oct 2017 18:15:19 +0000 Authentication-Results: spf=fail (sender IP is 192.88.158.2) smtp.mailfrom=nxp.com; NXP1.onmicrosoft.com; dkim=none (message not signed) header.d=none;NXP1.onmicrosoft.com; dmarc=fail action=none header.from=nxp.com; Received-SPF: Fail (protection.outlook.com: domain of nxp.com does not designate 192.88.158.2 as permitted sender) receiver=protection.outlook.com; client-ip=192.88.158.2; helo=az84smr01.freescale.net; Received: from az84smr01.freescale.net (192.88.158.2) by BN1AFFO11FD037.mail.protection.outlook.com (10.58.52.241) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.20.77.10 via Frontend Transport; Fri, 6 Oct 2017 18:15:18 +0000 Received: from netperf2.ap.freescale.net ([10.232.133.164]) by az84smr01.freescale.net (8.14.3/8.14.0) with ESMTP id v96IERog027297; Fri, 6 Oct 2017 11:15:12 -0700 From: Akhil Goyal To: CC: , , , , , , , , , , , , Date: Fri, 6 Oct 2017 23:41:47 +0530 Message-ID: <20171006181151.4758-9-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20171006181151.4758-1-akhil.goyal@nxp.com> References: <20171003131413.23846-1-akhil.goyal@nxp.com> <20171006181151.4758-1-akhil.goyal@nxp.com> X-EOPAttributedMessage: 0 X-Matching-Connectors: 131517873187700812; (91ab9b29-cfa4-454e-5278-08d120cd25b8); () X-Forefront-Antispam-Report: CIP:192.88.158.2; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(6009001)(336005)(7966004)(346002)(376002)(39380400002)(39860400002)(2980300002)(1110001)(1109001)(339900001)(189002)(199003)(4326008)(81156014)(76176999)(8656003)(53936002)(36756003)(69596002)(68736007)(6666003)(105606002)(85426001)(316002)(50986999)(16586007)(97736004)(498600001)(1076002)(2950100002)(6916009)(77096006)(104016004)(15650500001)(5003940100001)(54906003)(189998001)(50226002)(7416002)(8676002)(106466001)(47776003)(81166006)(5660300001)(86362001)(305945005)(33646002)(2906002)(48376002)(356003)(8936002)(50466002)(2351001); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR03MB2689; H:az84smr01.freescale.net; FPR:; SPF:Fail; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-Microsoft-Exchange-Diagnostics: 1; BN1AFFO11FD037; 1://2fyhOvMzRKKMtfdH/CACBtrFYzod968fUmfpgGrb8BO8pgeEOasrObqGZ8/DjwDL7wd0vJvwyHDqLHNcFFwhF5oNgg8nYeJlv13aljCY8VPNNZnIqLvM7VsDkvSnMm MIME-Version: 1.0 Content-Type: text/plain X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 0cdbb5ec-a764-4c77-fd8a-08d50ce63369 X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017052603199)(201703131430075)(201703131517081); SRVR:BN6PR03MB2689; X-Microsoft-Exchange-Diagnostics: 1; BN6PR03MB2689; 3:gNg+UWFjIQ9TaWhUdXpvgZFRyGQD7+d0uc2+3kh/OIRiWVYyDJ4+Ej5x4Gc8XbMxeClkMQKKqWLBcxDSrl2IEThN4ES6efR6K3rg1yfeiYGaLsPkpSiU/mF/W0+dQa96Ug3Mck+q8NEx9smfuBGb5DXChnYSVkxdIaJr8typoZMgsSWaHVHSEDEE7HEMc7at5BGgKGKjXwGfjdwLEgOLcEK/Sx49fTB0H4N741D70sT0U42kYMoVBzW8O6JgFO0tizHE+zeEdExSDMlTJzPs8VOlKq3tQTB6/CBG1Cks1x0Aow/caqzSEhj8DQuozeNrF3Fg/NSCIUey0zP0kCH4fO3RQV22jdvoKzNjvYc7msg=; 25:IxkMJiXNgatotRu1Zn4iwbG4v5plr/9xp27ZeBQ3SHzMTFhRmu29Q/D9LhgIjYuUrTPQYjYutA5rpJLzAS9NWr7XQiyZ0qpC2acdMRzKk69FpjKhWFAY/uEeVSYMGbZ0GOpAiauXpYCdXD9Z7NNYSiwigUEG4hHAsnYHXpzGzd8h7aGzOlIVg+6KxwUakXXhfgVA9h8WDjF58qLXRv35Omddek3nCGvSHgYTGCWcZrTdjtkgQhnm2yqTnIazMpayZ1WyyegZweshL76xKqj2XcEqCu5mrvcEVVLHCeb1aAxOicj3Mc8uuVLHA3m7dciZvivF3K//f/4l2j1hs3eaWQ== X-MS-TrafficTypeDiagnostic: BN6PR03MB2689: X-Microsoft-Exchange-Diagnostics: 1; BN6PR03MB2689; 31:TFHSBVXfUrjQNp2RzSCHF8it8+Bei7f62nRrkTneBsY/JiwGz++zxZp0h5RhQRaSmI4cNo7SasEncS7WKSvlS/lmHtSnk0/vRs5Xsxb8kGM9NX0wrqscUV3q4xg7zt3LN7oI/8x2Y6OXn2mIG99+PntidGCAmh5WFQUGtF1GNefn1rnkF5qhcFAHs39lKCQGTD4cNBsgXBbpgpfT9HkAkvLS2AAqAi09eRfyNGTvgkI=; 4:bIzbTxv6zB3WdA6q+Pt7mOny0yc95KhZDadBdccUOfviv0QPu7F+oyiaDFlErcfn7w1DNGPJGrMVzCnidLyMwGYPxzIliK9mAyPSmRzlEvVn17pV7NCLPqWYkESCphMWxLwT1WZK6ZTMvxSS5Ej4NRfGhxtQgMYdmE+bdNTu985LyzovNtQGqaW6/dspAtLXgorY/5uCWGGMenqwTS4hbPPisp+T9r9/OxubMzEzP3i+9YB5I/7HxUtJ5GssMB091qS7zbPNkKVKBYPc12t8wvWWlJodnFlOzyBmW8Y2QJEQFgmYbl6r86mHQq4zB8cFStcbvTaYEaOa3owgDF/K+g== X-Exchange-Antispam-Report-Test: UriScan:(192374486261705)(228905959029699); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6095135)(2401047)(5005006)(8121501046)(100000703101)(100105400095)(3002001)(10201501046)(93006095)(93001095)(6055026)(6096035)(20161123556025)(20161123563025)(20161123559100)(20161123561025)(201703131430075)(201703131441075)(201703131448075)(201703131433075)(201703161259150)(20161123565025)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN6PR03MB2689; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(400006)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN6PR03MB2689; X-Forefront-PRVS: 0452022BE1 X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BN6PR03MB2689; 23:Qtfephge5ULFPWtKayQpBGRnh9wtcqWUKGj+3Vw2j?= =?us-ascii?Q?uKFJsNH75BiWCOCj9cTF5ew2+Qnt89CbT50GGap7Y2+InMWNwl0Y1Pmp9nil?= =?us-ascii?Q?heC+vGHjf6Cm6AkoSwlyZBARy/npPmDMO9SlpZZcBlzljgL5rokAZ/zeB7qm?= =?us-ascii?Q?deyUShCXC2UZU5g6UA1HeGQBFtVW+lvOOEUbaaQA/yC/5fpfl0Yx3GytWmFp?= =?us-ascii?Q?oNEZnxTMKgi7d3YWYHNXjBoVeFKBfRzYA8FlTGhehGGFTD+6jO4A84HPVJD9?= =?us-ascii?Q?VpdQT8Lw/NOORW2f9CL/SkHdqdMhOkxTZIbLN1Cmbu5JBSKpfjR1XhTZCTrC?= =?us-ascii?Q?i25ph6WMW6oXCcDh4iVCANuyIc89RN6Kw94p7IbaHm+9bHiosQZC+YsYpbXD?= =?us-ascii?Q?vxCbCrbpwSgZaHwEILY8M9lwc1WzZI/PNFZhBTty1Ren7mLgKUTTKpQiSRyS?= =?us-ascii?Q?AKKBUtdcluPypTlIwwXhzNujGajfsf29H/U8MY3/N5BPrm/sL743zwblZx2l?= =?us-ascii?Q?RhzMOMvY133gtL6RGq8NRkr9eujfYbvbpi2GHg/Bz8TUOsXVcmoKMesppxHS?= =?us-ascii?Q?/wka2MFeDQdTUdVBymnutLQLkm4VHdatNIztX9kCzD/4cBW3uUwMKuQ8yED3?= =?us-ascii?Q?Awdd0eNN5ah84h8y+Ua/xt6Tswep5Ko5BXv58SZnW+dAfIcuLuxQnvIsgXul?= =?us-ascii?Q?JnrLHG0T9c3CfDteGTld49u386kIm91COOrAQX2zqpVGrXAY/OZT1sI5fFcp?= =?us-ascii?Q?HrgSKDow1oQGSMo1iEFEyXpAqNDixAOixB/r2xiA39r+AApQqyadiv3Cj0xS?= =?us-ascii?Q?5OD0KP3LXX92DfPIqBsPNKdy28VQKrAOZXNc+ctuReTs067atYfhdQsva4g9?= =?us-ascii?Q?dIvwPs4JqBn1+BWorm/JX8I78qTOzyWazxjwtxrrrAYRNw/NlNvmIuEXAeIo?= =?us-ascii?Q?ZXc8Gi8VTNeIN+dCE0hCRvyw80tNmnIrI6I/3kO22Bp/UvT8n5cSeH9RGuBm?= =?us-ascii?Q?ODkmCB1dai1TeRJA7NIT/LZ6MLl6fWXG/W8TJ6ES2Q4D8uf8aevo+5WHGp1s?= =?us-ascii?Q?7Q4RZDYR6s4leHA14HyGi1lE3Rw0pEuaz9THh4k1VVaDu4JBZUCAsEliZRh/?= =?us-ascii?Q?feAVFvliP4aA021FllV5W08+F6yEDfgpOuxJXy8rNchdUKvmPEikyGf32kiq?= =?us-ascii?Q?iIXi9QDBaJ1LX/SMJil2YnHHtRd/7/abvLTYeGpRszHpNoGPm9lqv0YsyBZ/?= =?us-ascii?Q?WZUK/WBT/i0GQ+pSDqa81GYzB/IeWj8oTrL6Tb0?= X-Microsoft-Exchange-Diagnostics: 1; BN6PR03MB2689; 6:nTk1Nzzmf2wGzDKbIRQmcCbmYyk5/CW3I7jKOycMXXU0k2LHqCSlcyf5B4Eg7IDIhhd3Zvo8WHfoF2rxObenRchNsdROgY2rH8Qq4svrAfsayb2crqZq+LtHGe1hIGv3djbGG0ip2XWYTPhwO8m85bLy/SMqqf3hmZmT3GkQ8O5qRwUbBdD5Bf+lqw42NjEY75sITe6Qw3b/pxc5pNDm6mduqagD0bIYt9ouc1E3JMR0Bi750YhILCTpNLTTuP6dppNutDS32hfmWwQRprffd4RsUhaAYoWK+piXdfa51rbe8za+34u9TsgMhShd9g+6UH1z9r+hVp1TqTCn/C+Pkw==; 5:4Qj3prlEsuicRS1GUAranPaioIp4V6FeL4A3uN/seIVfc8tJwqVV4Kf0LhVsQa1eZfQ9SODNNGg3+bivK1P0mpGPXPWKGiqb0QUkJ3NgL6jEXbA0D0/mSed1JwK4wbXewyhLIIV+icUuzWDZZGwETw==; 24:fXeB4oFsUHPUfzH8GSCaQHjwOdb8kyCpDCarsAsKWGKrgcB1rN2cRW+YOQ3nTST2wxBqjvvN4IEJAiZ//5kbM3x2J/vfI5ok8MZx2rMOV4E=; 7:JwoN9N8y+mNWr39chnd4jJXZtD7tum4wuqLHVHsqvBhI85afXRldGN3omW0FU812SGxJWRSiwWooFgdtOvxtBZbaTnsLas4CZjR3P5ayYTZhXp6QdQNbcDS401S99mVrucBomFlKfMhMefFGN+wGXVwIeA3Cw/VzILwXN3BSMvRfOuakroeWW3xCM+IKJEXsDyuB7CbEeHUJARDa6aQuYsQL37guGMrUO5ovwP2vIzU= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Oct 2017 18:15:18.5048 (UTC) X-MS-Exchange-CrossTenant-Id: 5afe0b00-7697-4969-b663-5eab37d5f47e X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5afe0b00-7697-4969-b663-5eab37d5f47e; Ip=[192.88.158.2]; Helo=[az84smr01.freescale.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR03MB2689 Subject: [dpdk-dev] [PATCH v3 08/12] doc: add details of rte_flow security actions X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Oct 2017 18:15:22 -0000 From: Boris Pismenny Signed-off-by: Boris Pismenny Reviewed-by: John McNamara --- doc/guides/prog_guide/rte_flow.rst | 84 +++++++++++++++++++++++++++++++++++++- 1 file changed, 82 insertions(+), 2 deletions(-) diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst index 662a912..1161096 100644 --- a/doc/guides/prog_guide/rte_flow.rst +++ b/doc/guides/prog_guide/rte_flow.rst @@ -187,7 +187,7 @@ Pattern item Pattern items fall in two categories: - Matching protocol headers and packet data (ANY, RAW, ETH, VLAN, IPV4, - IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE and so on), usually + IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE, ESP and so on), usually associated with a specification structure. - Matching meta-data or affecting pattern processing (END, VOID, INVERT, PF, @@ -955,6 +955,14 @@ Usage example, fuzzy match a TCPv4 packets: | 4 | END | +-------+----------+ +Item: ``ESP`` +^^^^^^^^^^^^^ + +Matches an ESP header. + +- ``hdr``: ESP header definition (``rte_esp.h``). +- Default ``mask`` matches SPI only. + Actions ~~~~~~~ @@ -972,7 +980,7 @@ They fall in three categories: additional processing by subsequent flow rules. - Other non-terminating meta actions that do not affect the fate of packets - (END, VOID, MARK, FLAG, COUNT). + (END, VOID, MARK, FLAG, COUNT, SECURITY). When several actions are combined in a flow rule, they should all have different types (e.g. dropping a packet twice is not possible). @@ -1354,6 +1362,78 @@ rule or if packets are not addressed to a VF in the first place. | ``vf`` | VF ID to redirect packets to | +--------------+--------------------------------+ +Action: ``SECURITY`` +^^^^^^^^^^^^^^^^^^^^ + +Perform the security action on flows matched by the pattern items +according to the configuration of the security session. + +This action modifies the payload of matched flows. For INLINE_CRYPTO, the +security protocol headers and IV are fully provided by the application as +specified in the flow pattern. The payload of matching packets is +encrypted on egress, and decrypted and authenticated on ingress. +For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, +providing full encapsulation and decapsulation of packets in security +protocols. The flow pattern specifies both the outer security header fields +and the inner packet fields. The security session specified in the action +must match the pattern parameters. + +The security session specified in the action must be created on the same +port as the flow action that is being specified. + +The ingress/egress flow attribute should match that specified in the +security session if the security session supports the definition of the +direction. + +Multiple flows can be configured to use the same security session. + +- Non-terminating by default. + +.. _table_rte_flow_action_security: + +.. table:: SECURITY + + +----------------------+--------------------------------------+ + | Field | Value | + +======================+======================================+ + | ``security_session`` | security session to apply | + +----------------------+--------------------------------------+ + +The following is an example of configuring IPsec inline using the +INLINE_CRYPTO security session: + +The encryption algorithm, keys and salt are part of the opaque +``rte_security_session``. The SA is identified according to the IP and ESP +fields in the pattern items. + +.. _table_rte_flow_item_esp_inline_example: + +.. table:: IPsec inline crypto flow pattern items. + + +-------+----------+ + | Index | Item | + +=======+==========+ + | 0 | Ethernet | + +-------+----------+ + | 1 | IPv4 | + +-------+----------+ + | 2 | ESP | + +-------+----------+ + | 3 | END | + +-------+----------+ + +.. _table_rte_flow_action_esp_inline_example: + +.. table:: IPsec inline flow actions. + + +-------+----------+ + | Index | Action | + +=======+==========+ + | 0 | SECURITY | + +-------+----------+ + | 1 | END | + +-------+----------+ + Negative types ~~~~~~~~~~~~~~ -- 2.9.3