From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 40936A0548; Thu, 1 Apr 2021 12:30:32 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8FDCC140FEB; Thu, 1 Apr 2021 12:30:22 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id D72D94067B for ; Thu, 1 Apr 2021 12:30:21 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 131ALAOx014433; Thu, 1 Apr 2021 03:30:21 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=r0kMrStl5LTZ2q8USnvgM/Qrr6xYxXSaSPziLnjK55o=; b=M9AQ6XkVKb7zpA7K4sOzWofHqSHvX1e9QGqGEIgMmlRUdbUFJ5I8ixoBIwoJOjOPRa5j kXmWd6l0RyuoVyyeS5EEi04xV2rgEUgGQV26TUhFocqE1v9rvFMGT0FG1Ro0KudA25bw +c+lxE1OMUUjb9Q3xP0pLujabyZZ6tZUIMQirIJoHueWJE8ydthHn3iqOih5/ttgE3LY lZtNLTl3fkpgYjN4yzuTLcbWo5+2nPTuS+5+ESW+hX0Fh4h9UUYjzrwozdsAfAtD1CdD 8LF145yeVDoYJg4xNfrMYoBbD7cCT3iU46Sw+fBD9OQKEkdCOWksPDK7UUErNT/cYswW pQ== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com with ESMTP id 37n28jj1qf-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 01 Apr 2021 03:30:19 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 1 Apr 2021 03:30:17 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Thu, 1 Apr 2021 03:30:16 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 485123F7043; Thu, 1 Apr 2021 03:30:14 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Konstantin Ananyev CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Date: Thu, 1 Apr 2021 16:56:22 +0530 Message-ID: <20210401112623.20951-4-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210401112623.20951-1-ktejasree@marvell.com> References: <20210401112623.20951-1-ktejasree@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: 58bnfbU3tiB4Oc4xFb3VfrCyWcyL3Rsj X-Proofpoint-ORIG-GUID: 58bnfbU3tiB4Oc4xFb3VfrCyWcyL3Rsj X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-04-01_04:2021-03-31, 2021-04-01 signatures=0 Subject: [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Adding lookaside IPsec UDP encapsulation support for NAT traversal. Application has to add udp-encap option to sa config file to enable UDP encapsulation on the SA. Signed-off-by: Tejasree Kondoj --- doc/guides/rel_notes/release_21_05.rst | 5 ++++ doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++-- examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++--- examples/ipsec-secgw/ipsec-secgw.h | 2 ++ examples/ipsec-secgw/ipsec.c | 9 ++++++++ examples/ipsec-secgw/ipsec.h | 2 ++ examples/ipsec-secgw/sa.c | 18 +++++++++++++++ examples/ipsec-secgw/sad.h | 7 +++++- 8 files changed, 81 insertions(+), 6 deletions(-) diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 4ab2d7500f..9ef2537b1a 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -111,6 +111,11 @@ New Features * Added command to display Rx queue used descriptor count. ``show port (port_id) rxq (queue_id) desc used count`` +* **Updated ipsec-secgw sample application.** + + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation + support for NAT Traversal. + Removed Items ------------- diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index 176e292d3f..07bbbb5916 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows: sa - + where each options means: @@ -709,6 +709,17 @@ where each options means: * *port_id*: Port ID of the NIC for which the SA is configured. * *queue_id*: Queue ID to which traffic should be redirected. + ```` + + * Option to enable IPsec UDP encapsulation for NAT Traversal. + Only lookaside-protocol-offload mode is supported at the moment. + + * Optional: Yes, it is disabled by default + + * Syntax: + + * *udp-encap* + Example SA rules: .. code-block:: console @@ -1023,4 +1034,4 @@ Available options: * ``-h`` Show usage. If is specified, only tests for that mode will be invoked. For the -list of available modes please refer to run_test.sh. \ No newline at end of file +list of available modes please refer to run_test.sh. diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 20d69ba813..6f6f2aa796 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS; /* application wide librte_ipsec/SA parameters */ struct app_sa_prm app_sa_prm = { .enable = 0, - .cache_sz = SA_CACHE_SZ + .cache_sz = SA_CACHE_SZ, + .udp_encap = 0 }; static const char *cfgfile; @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) const struct rte_ether_hdr *eth; const struct rte_ipv4_hdr *iph4; const struct rte_ipv6_hdr *iph6; + const struct rte_udp_hdr *udp; + uint16_t ip4_hdr_len; + uint16_t nat_port; eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *); if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) { @@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) RTE_ETHER_HDR_LEN); adjust_ipv4_pktlen(pkt, iph4, 0); - if (iph4->next_proto_id == IPPROTO_ESP) + switch (iph4->next_proto_id) { + case IPPROTO_ESP: t->ipsec.pkts[(t->ipsec.num)++] = pkt; - else { + break; + case IPPROTO_UDP: + if (app_sa_prm.udp_encap == 1) { + ip4_hdr_len = ((iph4->version_ihl & + RTE_IPV4_HDR_IHL_MASK) * + RTE_IPV4_IHL_MULTIPLIER); + udp = rte_pktmbuf_mtod_offset(pkt, + struct rte_udp_hdr *, ip4_hdr_len); + nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT); + if (udp->src_port == nat_port || + udp->dst_port == nat_port){ + t->ipsec.pkts[(t->ipsec.num)++] = pkt; + pkt->packet_type |= + RTE_PTYPE_TUNNEL_ESP_IN_UDP; + break; + } + } + /* Fall through */ + default: t->ip4.data[t->ip4.num] = &iph4->next_proto_id; t->ip4.pkts[(t->ip4.num)++] = pkt; } diff --git a/examples/ipsec-secgw/ipsec-secgw.h b/examples/ipsec-secgw/ipsec-secgw.h index f2281e73cf..6887d752ab 100644 --- a/examples/ipsec-secgw/ipsec-secgw.h +++ b/examples/ipsec-secgw/ipsec-secgw.h @@ -47,6 +47,8 @@ #define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) +#define IPSEC_NAT_T_PORT 4500 + struct traffic_type { const uint8_t *data[MAX_PKT_BURST * 2]; struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 6baeeb342f..79382f0fa2 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -52,6 +52,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; ipsec->replay_win_sz = app_sa_prm.window_size; ipsec->options.esn = app_sa_prm.enable_esn; + ipsec->options.udp_encap = sa->udp_encap; } int @@ -528,6 +529,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, struct rte_crypto_sym_op *sym_cop; struct ipsec_sa *sa; struct rte_ipsec_session *ips; + int is_udp_esp; for (i = 0; i < nb_pkts; i++) { if (unlikely(sas[i] == NULL)) { @@ -556,6 +558,13 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, continue; } + is_udp_esp = pkts[i]->packet_type & + RTE_PTYPE_TUNNEL_ESP_IN_UDP; + if (unlikely(is_udp_esp && sa->udp_encap != 1)) { + free_pkts(&pkts[i], 1); + continue; + } + sym_cop = get_sym_cop(&priv->cop); sym_cop->m_src = pkts[i]; diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 7031e28c46..ae5058de27 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -75,6 +75,7 @@ struct app_sa_prm { uint32_t window_size; /* replay window size */ uint32_t enable_esn; /* enable/disable ESN support */ uint32_t cache_sz; /* per lcore SA cache size */ + uint32_t udp_encap; /* enable/disable UDP Encapsulation */ uint64_t flags; /* rte_ipsec_sa_prm.flags */ }; @@ -136,6 +137,7 @@ struct ipsec_sa { struct rte_security_ipsec_xform *sec_xform; }; enum rte_security_ipsec_sa_direction direction; + uint8_t udp_encap; uint16_t portid; uint8_t fdir_qid; uint8_t fdir_flag; diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index cd1397531a..7bb9ef36c2 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -298,6 +298,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, uint32_t portid_p = 0; uint32_t fallback_p = 0; int16_t status_p = 0; + uint16_t udp_encap_p = 0; if (strcmp(tokens[0], "in") == 0) { ri = &nb_sa_in; @@ -757,6 +758,23 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, } continue; } + if (strcmp(tokens[ti], "udp-encap") == 0) { + APP_CHECK(ips->type == + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + status, "UDP encapsulation is allowed if the " + "session is of type lookaside-protocol-offload " + "only."); + if (status->status < 0) + return; + APP_CHECK_PRESENCE(udp_encap_p, tokens[ti], status); + if (status->status < 0) + return; + + rule->udp_encap = 1; + app_sa_prm.udp_encap = 1; + udp_encap_p = 1; + continue; + } /* unrecognizeable input */ APP_CHECK(0, status, "unrecognized input \"%s\"", diff --git a/examples/ipsec-secgw/sad.h b/examples/ipsec-secgw/sad.h index 473aaa938e..9616a80948 100644 --- a/examples/ipsec-secgw/sad.h +++ b/examples/ipsec-secgw/sad.h @@ -77,6 +77,8 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[], uint32_t spi, cache_idx; struct ipsec_sad_cache *cache; struct ipsec_sa *cached_sa; + uint16_t udp_hdr_len = 0; + int is_udp_esp; int is_ipv4; cache = &RTE_PER_LCORE(sad_cache); @@ -85,8 +87,11 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[], for (i = 0; i < nb_pkts; i++) { ipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *); ipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *); + is_udp_esp = pkts[i]->packet_type & RTE_PTYPE_TUNNEL_ESP_IN_UDP; + if (is_udp_esp) + udp_hdr_len = sizeof(struct rte_udp_hdr); esp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *, - pkts[i]->l3_len); + pkts[i]->l3_len + udp_hdr_len); is_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4; spi = rte_be_to_cpu_32(esp->spi); -- 2.27.0