From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0068.outbound.protection.outlook.com [104.47.42.68]) by dpdk.org (Postfix) with ESMTP id 24CDE1B395 for ; Sun, 15 Oct 2017 00:21:12 +0200 (CEST) Received: from CY1PR03CA0012.namprd03.prod.outlook.com (10.174.128.22) by BY2PR0301MB0728.namprd03.prod.outlook.com (10.160.63.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Sat, 14 Oct 2017 22:21:10 +0000 Received: from BY2FFO11FD013.protection.gbl (2a01:111:f400:7c0c::118) by CY1PR03CA0012.outlook.office365.com (2603:10b6:600::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.56.8 via Frontend Transport; Sat, 14 Oct 2017 22:21:10 +0000 Authentication-Results: spf=fail (sender IP is 192.88.158.2) smtp.mailfrom=nxp.com; NXP1.onmicrosoft.com; dkim=none (message not signed) header.d=none;NXP1.onmicrosoft.com; dmarc=fail action=none header.from=nxp.com; Received-SPF: Fail (protection.outlook.com: domain of nxp.com does not designate 192.88.158.2 as permitted sender) receiver=protection.outlook.com; client-ip=192.88.158.2; helo=az84smr01.freescale.net; Received: from az84smr01.freescale.net (192.88.158.2) by BY2FFO11FD013.mail.protection.outlook.com (10.1.14.75) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.20.77.10 via Frontend Transport; Sat, 14 Oct 2017 22:21:09 +0000 Received: from netperf2.ap.freescale.net ([10.232.133.164]) by az84smr01.freescale.net (8.14.3/8.14.0) with ESMTP id v9EMKCMR018714; Sat, 14 Oct 2017 15:21:03 -0700 From: Akhil Goyal To: CC: , , , , , , , , , , , , Date: Sun, 15 Oct 2017 03:47:30 +0530 Message-ID: <20171014221734.15511-9-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20171014221734.15511-1-akhil.goyal@nxp.com> References: <20171006181151.4758-1-akhil.goyal@nxp.com> <20171014221734.15511-1-akhil.goyal@nxp.com> X-EOPAttributedMessage: 0 X-Matching-Connectors: 131524932698931451; (91ab9b29-cfa4-454e-5278-08d120cd25b8); () X-Forefront-Antispam-Report: CIP:192.88.158.2; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(6009001)(336005)(39860400002)(376002)(346002)(39380400002)(2980300002)(1109001)(1110001)(339900001)(199003)(189002)(36756003)(2351001)(48376002)(33646002)(2906002)(50226002)(50466002)(53936002)(86362001)(68736007)(356003)(8656003)(305945005)(47776003)(105606002)(104016004)(2950100002)(6916009)(498600001)(7416002)(106466001)(77096006)(54906003)(6666003)(97736004)(16586007)(8936002)(76176999)(316002)(1076002)(69596002)(81156014)(81166006)(5003940100001)(85426001)(189998001)(8676002)(50986999)(4326008)(15650500001)(5660300001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR0301MB0728; H:az84smr01.freescale.net; FPR:; SPF:Fail; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-Microsoft-Exchange-Diagnostics: 1; BY2FFO11FD013; 1:zKH41m6V04LRQAmBwu3lUrDofUDezL0FY8ibuG/BlDXiEZF6N/LxYmmTWqo48mdsp2DQxAJ+LAHCHz4Ntf1D/NNOVgsVsb+08CofQYpbRnoPgH824l6xP5q/dypNuMlr MIME-Version: 1.0 Content-Type: text/plain X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 367ce708-12aa-44bb-75f3-08d51351df04 X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017052603199)(201703131430075)(201703131517081); SRVR:BY2PR0301MB0728; X-Microsoft-Exchange-Diagnostics: 1; BY2PR0301MB0728; 3:EtprV+jSNgg9IyQ3gmQ//xt2mHAUEb9NQacqK9Qj5uLMZon9JIDYHbpZvB04SXPAc6Z5Sj6ZSw5Rl2WizQnRwu3yYdz0FXEPQlYaIZRZFutNsQ/DI8Iv/V5acE6LEJUal3LJnOKoRQu0JFqE03LSUmVFCQ3mzbrsz8QHSygv/zGzdpRNxZ/AFrHzqrshM5PM6cjUEFXEnduQ/lgrbKymp4cMflPYq7ffSkwBm7Si+/aQdRg5KjRV9PYLrjLsWXNPovs6oRpEmu+YmtbTUaTkHvc7P5wNz+09kKIJ/5t5CCRZMNbjikOhaM9ntYbV2o70rhIesOX0rLzkVlss9qhRQgDUJVXKbcziPIHJR0mYLxU=; 25:+ySutYesNkYXX2JQREnKZ64LS3sboGpJRjXASWGLh8cMDBLuGYUsKFCnV6qUS+cXWa7abXsOSxGY7VLyft0rWACUDFe4XWz9Xsy8nh+Twrld1MAF4OP+AdKXkuq/fJQuI73PxoC6Wx8uuOGdi7R/HnlSeMlOfAfyK8GhRqzWwgDhFuLToarP1qyRRlIl3cGFNdSHUn/f//m5MxBVRTZ8GhV147w22S1p7gRgu6lWBYNeyHv3266NY2g1GarzxS0fH9t5EKKIPAhxpSsbraRb3PSDVpjXo+GbnB6Zl+4qm10yTXX3HEIlFPqCDvfqDZJjE9NaJ1rvLRASNoandwvDct7JStNvgQy9qlOo6v+IrJM= X-MS-TrafficTypeDiagnostic: BY2PR0301MB0728: X-Microsoft-Exchange-Diagnostics: 1; BY2PR0301MB0728; 31:YNYTd6T/2/Lo2H7Lfaxaxkw7fXLG93owdLcy+e7Hezeelk7cByNWt+DH8y1lJI0DXzjXxr0YlzPdTudtmRC/k59dYQEgg4jtRST6n+VdYW9+8BEGPKKvgZUxf/ZJEVWy2WJ+bADKmoEkFNNBe8wbb4AwIspgfH05orG8Pac83qjAgSrplSL/BaL+NmSAuP5elH6NGdgz4mgvIjv8/pu649+bCZ4mtSxPuJ202rR51fI=; 4:FqdSULbO7brZs1/DVj15DCocYfoss8/GsRmlzjrWg+MoQhLIWxCfrKTFBmNSU/tifnImqJWKI52KLX+IfdoUXgk20WMPKIcY3Lklo9J2ACpaZLewtpQAPUDzQqbs8B1L1t22PQc/GOEoCc8GML6WvxCCv0g8AKVsnl/L6e/K46hZ41U/36L8+e/ID4e8++ez2/AW8GNK3QbWSG4mmAh4AfoTuo45wgyUA01LWiI1fnH8LakLst5vvgOqneDH0JBseIsFxyzIUKSohyTeuuoFdcKpJ/Qt8ZwCSbEtoRUNZm2NUA0NLvd/vA9rHegLwIG494FVhd6gxTc6GcwYCaTnQQ== X-Exchange-Antispam-Report-Test: UriScan:(192374486261705)(228905959029699); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6095135)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(3002001)(6055026)(6096035)(201703131430075)(201703131433075)(201703131448075)(201703161259150)(201703151042153)(20161123561025)(20161123563025)(20161123565025)(20161123559100)(20161123556025)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR0301MB0728; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(400006)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR0301MB0728; X-Forefront-PRVS: 046060344D X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BY2PR0301MB0728; 23:ou7fws7tPHyLv1ONBctu/dLrjbA4BWdpJ4eOvXm?= =?us-ascii?Q?12eBOPCYjidm2N/homHubH3ZYBaBlvigJ0vi3PnpuJ1ul6h45z5WGZ8Xf2D5?= =?us-ascii?Q?tYFIGUFkhZI8OR3X3QuydoMcqNNF93pF1G8c9kiOxB5g5Rg/Gk+BQwa+mX/8?= =?us-ascii?Q?tdGhOBZKSq5LEIN9dI/qMSIQ52nwS0C7t+fhSunrdMA8QnF+8iShoQG5BFXq?= =?us-ascii?Q?dV1khyoiHviGzE4Sn0mggzVW2+I+cQVfbp6+DMMTWOF/iBKJ2QmSjCiRq/TF?= =?us-ascii?Q?C09cGQbuV02QZutCFrjxqcTzk6KnI2oVHh1tOROn2aeZndFL7AZkqjQ/vmvU?= =?us-ascii?Q?EbDJ2bRVZ+y/sdLe04GktxkPoLIjgZq1uf18VdgWk1j78OrQNXFcG5aBrKhN?= =?us-ascii?Q?eohFPsJe3Cmvd29pcw1o/Tjl3dyEejSY8V62bRToXwtgCM2xH7bj1Ux9qoQf?= =?us-ascii?Q?PflV4zg8ALNw7kIDUjLLoBKbagcZXFQj7cWDbXVq7NPK9H03Y9tVaIUFFbcB?= =?us-ascii?Q?rNo3jMp8SOmvoob/hK5KpysJA2nABCjWa3zS15WTeRj5nZjtb36J9PDq6DOs?= =?us-ascii?Q?jaai8ThxdFRiVX+Q05+mc/3MC2lkMxz8NbQebhYyTvlsBGBa+buapy9kmZji?= =?us-ascii?Q?2Ed4rg5HDBElasnrSjV5N2rgmfDp8FZ+7402eCLA91ChmKFmnDeTsQaiS3yG?= =?us-ascii?Q?TJzuoYwNiEHgCZf3bJLM54OlSrmR54tstGgBuNRzvBk3L/0t5EPh/ksZN4Sa?= =?us-ascii?Q?7ReIrjZxenDXng163lXL70H4UY4BWRPdC2goOy5J+RfvLi2RZh43T7+/PxCW?= =?us-ascii?Q?+ZgTJheVAFsaM6fp9dBQelFGkERZXY1bKzU7zMJ9/6BMfCGK/oXsN/zw/JSs?= =?us-ascii?Q?zRQ3RLTn20GuroIsVHsRGawfld4TTrThszfJkcrax9uaRltxvlIdBJPJuu/n?= =?us-ascii?Q?M5r/BM536y/BX9f8Y93p2NZ3MmsqajAeih4qsxja5jeMtffGwEbSRZpFdV9e?= =?us-ascii?Q?+yCSv1SXaklYPbFFzcjUGFMZj+xnLbAY58iGAE0FILavA3i7vMMswUrL7Nyc?= =?us-ascii?Q?+iU7dLVG6hoThVDhRVzrECYKhIySZ4p8DjnzDAcL9NRH7EZ7rx087sN8w7I1?= =?us-ascii?Q?g0YqQ7ehSH9LBexWy1xBTeXuuYISV02t1NWdN28KeeH7OsmLFp+xalkEF7MG?= =?us-ascii?Q?P85g/tir31eOoWbTFkt9bGSX1BGcQkXtCwR0fnDP0iI/jsSOwP3cjkz7UUVy?= =?us-ascii?Q?ZqJgD5ykUxwUbUiNIZSs=3D?= X-Microsoft-Exchange-Diagnostics: 1; BY2PR0301MB0728; 6:63vqe6J7SL7UF9LAGPo4A8D/dLweJRLZsQ+UVehM+aSOZXiydVjfZjIM5Ss+K05mh+yU0p/inGg35JHWhXHjZTgsASd9EQ+lVN2nQ89zZMVK8wgem7O0ZqLiO3ARAXbKPp4UHvGzI3JNZ9PhlSu2ebbpoTtoxUWQF1vSFxQFECD+bN6+1N18AZ2d3r1sJ6haQA6VTBb4txOGo62VHbdjg/oKPNISx0GvtOdPvmbylg0C6r2ORqKlrNuWf78MNKzxCUZmFEZIAGkkkf4rAJ7Nh1qk8E+8HOsnb8vSDuFqanq+uN9kIjuxZBxqKtGoPl924Js4xsxu3H2AYL62s1iNFQ==; 5:BXtR8JxfuPDR0L6kUWQH/7XJHzbFT1gOPxW6Fvbb9iF1lb6H+qTCuN9r/NLhE5BWXkmSCNKZR+qOfGC6e0bXDi024/gH3oqCwzC5raazC9Nd3QzISXGu31/5Z0jrTvEwFqjZ2o8xU7Q0g11sNKzGQA==; 24:5bGPHXMfjnj5fjG5KIgA0DE6S68xXMMgwB3M2bLp7xMYc7cqpyLi9zUoHjx1a7Z8fa1acEub+tFCdQRiGX0y689Y3aZEGYltrzlz/rBWw40=; 7:5357soEaWOP32otLwtouBC7JjgX7qUaPiIOGKosw1tEbl7aJysaKIL520zBsPYzd05NUZzgztDxscJePW8WaixW9xEcFdWLfopwnu5nGYOrG757mko7gZ6+nnVUia+EFoKeG/GXIaiElgwl07kiLURbu/NLoU+/cYx1MwnlRVOpMiciD5o+2G+vdxIdPCpLOmRRmMWNgQ30Pd+f0g5ffb+AFfsKd9sXF/xw4QtPcjTQ= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Oct 2017 22:21:09.6435 (UTC) X-MS-Exchange-CrossTenant-Id: 5afe0b00-7697-4969-b663-5eab37d5f47e X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5afe0b00-7697-4969-b663-5eab37d5f47e; Ip=[192.88.158.2]; Helo=[az84smr01.freescale.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR0301MB0728 Subject: [dpdk-dev] [PATCH v4 08/12] doc: add details of rte_flow security actions X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Oct 2017 22:21:12 -0000 From: Boris Pismenny Signed-off-by: Boris Pismenny Reviewed-by: John McNamara --- doc/guides/prog_guide/rte_flow.rst | 84 +++++++++++++++++++++++++++++++++++++- 1 file changed, 82 insertions(+), 2 deletions(-) diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst index 13e3dbe..ac1adf9 100644 --- a/doc/guides/prog_guide/rte_flow.rst +++ b/doc/guides/prog_guide/rte_flow.rst @@ -187,7 +187,7 @@ Pattern item Pattern items fall in two categories: - Matching protocol headers and packet data (ANY, RAW, ETH, VLAN, IPV4, - IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE and so on), usually + IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE, ESP and so on), usually associated with a specification structure. - Matching meta-data or affecting pattern processing (END, VOID, INVERT, PF, @@ -972,6 +972,14 @@ flow rules. - ``teid``: tunnel endpoint identifier. - Default ``mask`` matches teid only. +Item: ``ESP`` +^^^^^^^^^^^^^ + +Matches an ESP header. + +- ``hdr``: ESP header definition (``rte_esp.h``). +- Default ``mask`` matches SPI only. + Actions ~~~~~~~ @@ -989,7 +997,7 @@ They fall in three categories: additional processing by subsequent flow rules. - Other non-terminating meta actions that do not affect the fate of packets - (END, VOID, MARK, FLAG, COUNT). + (END, VOID, MARK, FLAG, COUNT, SECURITY). When several actions are combined in a flow rule, they should all have different types (e.g. dropping a packet twice is not possible). @@ -1371,6 +1379,78 @@ rule or if packets are not addressed to a VF in the first place. | ``vf`` | VF ID to redirect packets to | +--------------+--------------------------------+ +Action: ``SECURITY`` +^^^^^^^^^^^^^^^^^^^^ + +Perform the security action on flows matched by the pattern items +according to the configuration of the security session. + +This action modifies the payload of matched flows. For INLINE_CRYPTO, the +security protocol headers and IV are fully provided by the application as +specified in the flow pattern. The payload of matching packets is +encrypted on egress, and decrypted and authenticated on ingress. +For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, +providing full encapsulation and decapsulation of packets in security +protocols. The flow pattern specifies both the outer security header fields +and the inner packet fields. The security session specified in the action +must match the pattern parameters. + +The security session specified in the action must be created on the same +port as the flow action that is being specified. + +The ingress/egress flow attribute should match that specified in the +security session if the security session supports the definition of the +direction. + +Multiple flows can be configured to use the same security session. + +- Non-terminating by default. + +.. _table_rte_flow_action_security: + +.. table:: SECURITY + + +----------------------+--------------------------------------+ + | Field | Value | + +======================+======================================+ + | ``security_session`` | security session to apply | + +----------------------+--------------------------------------+ + +The following is an example of configuring IPsec inline using the +INLINE_CRYPTO security session: + +The encryption algorithm, keys and salt are part of the opaque +``rte_security_session``. The SA is identified according to the IP and ESP +fields in the pattern items. + +.. _table_rte_flow_item_esp_inline_example: + +.. table:: IPsec inline crypto flow pattern items. + + +-------+----------+ + | Index | Item | + +=======+==========+ + | 0 | Ethernet | + +-------+----------+ + | 1 | IPv4 | + +-------+----------+ + | 2 | ESP | + +-------+----------+ + | 3 | END | + +-------+----------+ + +.. _table_rte_flow_action_esp_inline_example: + +.. table:: IPsec inline flow actions. + + +-------+----------+ + | Index | Action | + +=======+==========+ + | 0 | SECURITY | + +-------+----------+ + | 1 | END | + +-------+----------+ + Negative types ~~~~~~~~~~~~~~ -- 2.9.3