This series adds lookaside IPsec UDP encapsulation and transport mode support. The functionality has been tested with ipsec-secgw application running in lookaside protocol offload mode. v2: * Supported per SA UDP encapsulation in ipsec-secgw * Added new packet type for UDP-ESP packets in mbuf Tejasree Kondoj (4): crypto/octeontx2: add UDP encapsulation support mbuf: add packet type for UDP-ESP tunnel packets examples/ipsec-secgw: add UDP encapsulation support crypto/octeontx2: support lookaside IPv4 transport mode doc/guides/cryptodevs/octeontx2.rst | 2 + doc/guides/rel_notes/release_21_05.rst | 17 +++ doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++- drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 7 +- drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 126 ++++++++---------- drivers/crypto/octeontx2/otx2_cryptodev_sec.h | 4 +- drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 + drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 8 +- examples/ipsec-secgw/ipsec-secgw.c | 29 +++- examples/ipsec-secgw/ipsec-secgw.h | 2 + examples/ipsec-secgw/ipsec.c | 9 ++ examples/ipsec-secgw/ipsec.h | 2 + examples/ipsec-secgw/sa.c | 18 +++ examples/ipsec-secgw/sad.h | 7 +- lib/librte_mbuf/rte_mbuf_ptype.h | 21 +++ 15 files changed, 191 insertions(+), 82 deletions(-) -- 2.27.0
Adding UDP encapsulation support for IPsec in lookaside protocol mode. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- doc/guides/cryptodevs/octeontx2.rst | 1 + doc/guides/rel_notes/release_21_05.rst | 5 +++ drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 40 ++++++------------- 3 files changed, 18 insertions(+), 28 deletions(-) diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst index d312eeb74c..b30f98180a 100644 --- a/doc/guides/cryptodevs/octeontx2.rst +++ b/doc/guides/cryptodevs/octeontx2.rst @@ -181,6 +181,7 @@ Features supported * Tunnel mode * ESN * Anti-replay +* UDP Encapsulation * AES-128/192/256-GCM * AES-128/192/256-CBC-SHA1-HMAC * AES-128/192/256-CBC-SHA256-128-HMAC diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 8e686cc627..8065b3daf8 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -94,6 +94,11 @@ New Features * Added support for preferred busy polling. +* **Updated the OCTEON TX2 crypto PMD.** + + * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with + UDP encapsulation support for NAT Traversal. + * **Updated testpmd.** * Added a command line option to configure forced speed for Ethernet port. diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index 342f089df8..8942ff1fac 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -203,6 +203,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, struct rte_security_session *sec_sess) { struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + struct otx2_ipsec_po_ip_template *template; const uint8_t *cipher_key, *auth_key; struct otx2_sec_session_ipsec_lp *lp; struct otx2_ipsec_po_sa_ctl *ctl; @@ -248,11 +249,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { - if (ipsec->options.udp_encap) { - sa->aes_gcm.template.ip4.udp_src = 4500; - sa->aes_gcm.template.ip4.udp_dst = 4500; - } - ip = &sa->aes_gcm.template.ip4.ipv4_hdr; + template = &sa->aes_gcm.template; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, aes_gcm.template) + sizeof( sa->aes_gcm.template.ip4); @@ -260,11 +257,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, lp->ctx_len = ctx_len >> 3; } else if (ctl->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA1) { - if (ipsec->options.udp_encap) { - sa->sha1.template.ip4.udp_src = 4500; - sa->sha1.template.ip4.udp_dst = 4500; - } - ip = &sa->sha1.template.ip4.ipv4_hdr; + template = &sa->sha1.template; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, sha1.template) + sizeof( sa->sha1.template.ip4); @@ -272,11 +265,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, lp->ctx_len = ctx_len >> 3; } else if (ctl->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { - if (ipsec->options.udp_encap) { - sa->sha2.template.ip4.udp_src = 4500; - sa->sha2.template.ip4.udp_dst = 4500; - } - ip = &sa->sha2.template.ip4.ipv4_hdr; + template = &sa->sha2.template; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, sha2.template) + sizeof( sa->sha2.template.ip4); @@ -285,8 +274,15 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, } else { return -EINVAL; } + ip = &template->ip4.ipv4_hdr; + if (ipsec->options.udp_encap) { + ip->next_proto_id = IPPROTO_UDP; + template->ip4.udp_src = rte_be_to_cpu_16(4500); + template->ip4.udp_dst = rte_be_to_cpu_16(4500); + } else { + ip->next_proto_id = IPPROTO_ESP; + } ip->version_ihl = RTE_IPV4_VHL_DEF; - ip->next_proto_id = IPPROTO_ESP; ip->time_to_live = ipsec->tunnel.ipv4.ttl; ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2); if (ipsec->tunnel.ipv4.df) @@ -299,10 +295,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, RTE_SECURITY_IPSEC_TUNNEL_IPV6) { if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { - if (ipsec->options.udp_encap) { - sa->aes_gcm.template.ip6.udp_src = 4500; - sa->aes_gcm.template.ip6.udp_dst = 4500; - } ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, aes_gcm.template) + sizeof( @@ -311,10 +303,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, lp->ctx_len = ctx_len >> 3; } else if (ctl->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA1) { - if (ipsec->options.udp_encap) { - sa->sha1.template.ip6.udp_src = 4500; - sa->sha1.template.ip6.udp_dst = 4500; - } ip6 = &sa->sha1.template.ip6.ipv6_hdr; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, sha1.template) + sizeof( @@ -323,10 +311,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, lp->ctx_len = ctx_len >> 3; } else if (ctl->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { - if (ipsec->options.udp_encap) { - sa->sha2.template.ip6.udp_src = 4500; - sa->sha2.template.ip6.udp_dst = 4500; - } ip6 = &sa->sha2.template.ip6.ipv6_hdr; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, sha2.template) + sizeof( -- 2.27.0
Adding new mbuf packet type for UDP encapsulated ESP packets. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- doc/guides/rel_notes/release_21_05.rst | 5 +++++ lib/librte_mbuf/rte_mbuf_ptype.h | 21 +++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 8065b3daf8..4ab2d7500f 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -55,6 +55,11 @@ New Features Also, make sure to start the actual text at the margin. ======================================================= +* **Added new packet type for UDP-ESP packets in mbuf.** + + Added new packet type ``RTE_PTYPE_TUNNEL_ESP_IN_UDP`` which can be + used to identify UDP encapsulated ESP packets. + * **Enhanced ethdev representor syntax.** * Introduced representor type of VF, SF and PF. diff --git a/lib/librte_mbuf/rte_mbuf_ptype.h b/lib/librte_mbuf/rte_mbuf_ptype.h index 17a2dd3576..bf92ce0c1a 100644 --- a/lib/librte_mbuf/rte_mbuf_ptype.h +++ b/lib/librte_mbuf/rte_mbuf_ptype.h @@ -491,6 +491,27 @@ extern "C" { * | 'destination port'=6635> */ #define RTE_PTYPE_TUNNEL_MPLS_IN_UDP 0x0000d000 +/** + * ESP-in-UDP tunneling packet type (RFC 3948). + * + * Packet format: + * <'ether type'=0x0800 + * | 'version'=4, 'protocol'=17 + * | 'destination port'=4500> + * or, + * <'ether type'=0x86DD + * | 'version'=6, 'next header'=17 + * | 'destination port'=4500> + * or, + * <'ether type'=0x0800 + * | 'version'=4, 'protocol'=17 + * | 'source port'=4500> + * or, + * <'ether type'=0x86DD + * | 'version'=6, 'next header'=17 + * | 'source port'=4500> + */ +#define RTE_PTYPE_TUNNEL_ESP_IN_UDP 0x0000e000 /** * Mask of tunneling packet types. */ -- 2.27.0
Adding lookaside IPsec UDP encapsulation support for NAT traversal. Application has to add udp-encap option to sa config file to enable UDP encapsulation on the SA. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- doc/guides/rel_notes/release_21_05.rst | 5 ++++ doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++-- examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++--- examples/ipsec-secgw/ipsec-secgw.h | 2 ++ examples/ipsec-secgw/ipsec.c | 9 ++++++++ examples/ipsec-secgw/ipsec.h | 2 ++ examples/ipsec-secgw/sa.c | 18 +++++++++++++++ examples/ipsec-secgw/sad.h | 7 +++++- 8 files changed, 81 insertions(+), 6 deletions(-) diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 4ab2d7500f..9ef2537b1a 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -111,6 +111,11 @@ New Features * Added command to display Rx queue used descriptor count. ``show port (port_id) rxq (queue_id) desc used count`` +* **Updated ipsec-secgw sample application.** + + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation + support for NAT Traversal. + Removed Items ------------- diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index 176e292d3f..07bbbb5916 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows: sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback> - <flow-direction> <port_id> <queue_id> + <flow-direction> <port_id> <queue_id> <udp-encap> where each options means: @@ -709,6 +709,17 @@ where each options means: * *port_id*: Port ID of the NIC for which the SA is configured. * *queue_id*: Queue ID to which traffic should be redirected. + ``<udp-encap>`` + + * Option to enable IPsec UDP encapsulation for NAT Traversal. + Only lookaside-protocol-offload mode is supported at the moment. + + * Optional: Yes, it is disabled by default + + * Syntax: + + * *udp-encap* + Example SA rules: .. code-block:: console @@ -1023,4 +1034,4 @@ Available options: * ``-h`` Show usage. If <ipsec_mode> is specified, only tests for that mode will be invoked. For the -list of available modes please refer to run_test.sh. \ No newline at end of file +list of available modes please refer to run_test.sh. diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 20d69ba813..6f6f2aa796 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS; /* application wide librte_ipsec/SA parameters */ struct app_sa_prm app_sa_prm = { .enable = 0, - .cache_sz = SA_CACHE_SZ + .cache_sz = SA_CACHE_SZ, + .udp_encap = 0 }; static const char *cfgfile; @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) const struct rte_ether_hdr *eth; const struct rte_ipv4_hdr *iph4; const struct rte_ipv6_hdr *iph6; + const struct rte_udp_hdr *udp; + uint16_t ip4_hdr_len; + uint16_t nat_port; eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *); if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) { @@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) RTE_ETHER_HDR_LEN); adjust_ipv4_pktlen(pkt, iph4, 0); - if (iph4->next_proto_id == IPPROTO_ESP) + switch (iph4->next_proto_id) { + case IPPROTO_ESP: t->ipsec.pkts[(t->ipsec.num)++] = pkt; - else { + break; + case IPPROTO_UDP: + if (app_sa_prm.udp_encap == 1) { + ip4_hdr_len = ((iph4->version_ihl & + RTE_IPV4_HDR_IHL_MASK) * + RTE_IPV4_IHL_MULTIPLIER); + udp = rte_pktmbuf_mtod_offset(pkt, + struct rte_udp_hdr *, ip4_hdr_len); + nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT); + if (udp->src_port == nat_port || + udp->dst_port == nat_port){ + t->ipsec.pkts[(t->ipsec.num)++] = pkt; + pkt->packet_type |= + RTE_PTYPE_TUNNEL_ESP_IN_UDP; + break; + } + } + /* Fall through */ + default: t->ip4.data[t->ip4.num] = &iph4->next_proto_id; t->ip4.pkts[(t->ip4.num)++] = pkt; } diff --git a/examples/ipsec-secgw/ipsec-secgw.h b/examples/ipsec-secgw/ipsec-secgw.h index f2281e73cf..6887d752ab 100644 --- a/examples/ipsec-secgw/ipsec-secgw.h +++ b/examples/ipsec-secgw/ipsec-secgw.h @@ -47,6 +47,8 @@ #define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) +#define IPSEC_NAT_T_PORT 4500 + struct traffic_type { const uint8_t *data[MAX_PKT_BURST * 2]; struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 6baeeb342f..79382f0fa2 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -52,6 +52,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; ipsec->replay_win_sz = app_sa_prm.window_size; ipsec->options.esn = app_sa_prm.enable_esn; + ipsec->options.udp_encap = sa->udp_encap; } int @@ -528,6 +529,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, struct rte_crypto_sym_op *sym_cop; struct ipsec_sa *sa; struct rte_ipsec_session *ips; + int is_udp_esp; for (i = 0; i < nb_pkts; i++) { if (unlikely(sas[i] == NULL)) { @@ -556,6 +558,13 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, continue; } + is_udp_esp = pkts[i]->packet_type & + RTE_PTYPE_TUNNEL_ESP_IN_UDP; + if (unlikely(is_udp_esp && sa->udp_encap != 1)) { + free_pkts(&pkts[i], 1); + continue; + } + sym_cop = get_sym_cop(&priv->cop); sym_cop->m_src = pkts[i]; diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 7031e28c46..ae5058de27 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -75,6 +75,7 @@ struct app_sa_prm { uint32_t window_size; /* replay window size */ uint32_t enable_esn; /* enable/disable ESN support */ uint32_t cache_sz; /* per lcore SA cache size */ + uint32_t udp_encap; /* enable/disable UDP Encapsulation */ uint64_t flags; /* rte_ipsec_sa_prm.flags */ }; @@ -136,6 +137,7 @@ struct ipsec_sa { struct rte_security_ipsec_xform *sec_xform; }; enum rte_security_ipsec_sa_direction direction; + uint8_t udp_encap; uint16_t portid; uint8_t fdir_qid; uint8_t fdir_flag; diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index cd1397531a..7bb9ef36c2 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -298,6 +298,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, uint32_t portid_p = 0; uint32_t fallback_p = 0; int16_t status_p = 0; + uint16_t udp_encap_p = 0; if (strcmp(tokens[0], "in") == 0) { ri = &nb_sa_in; @@ -757,6 +758,23 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, } continue; } + if (strcmp(tokens[ti], "udp-encap") == 0) { + APP_CHECK(ips->type == + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + status, "UDP encapsulation is allowed if the " + "session is of type lookaside-protocol-offload " + "only."); + if (status->status < 0) + return; + APP_CHECK_PRESENCE(udp_encap_p, tokens[ti], status); + if (status->status < 0) + return; + + rule->udp_encap = 1; + app_sa_prm.udp_encap = 1; + udp_encap_p = 1; + continue; + } /* unrecognizeable input */ APP_CHECK(0, status, "unrecognized input \"%s\"", diff --git a/examples/ipsec-secgw/sad.h b/examples/ipsec-secgw/sad.h index 473aaa938e..9616a80948 100644 --- a/examples/ipsec-secgw/sad.h +++ b/examples/ipsec-secgw/sad.h @@ -77,6 +77,8 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[], uint32_t spi, cache_idx; struct ipsec_sad_cache *cache; struct ipsec_sa *cached_sa; + uint16_t udp_hdr_len = 0; + int is_udp_esp; int is_ipv4; cache = &RTE_PER_LCORE(sad_cache); @@ -85,8 +87,11 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[], for (i = 0; i < nb_pkts; i++) { ipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *); ipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *); + is_udp_esp = pkts[i]->packet_type & RTE_PTYPE_TUNNEL_ESP_IN_UDP; + if (is_udp_esp) + udp_hdr_len = sizeof(struct rte_udp_hdr); esp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *, - pkts[i]->l3_len); + pkts[i]->l3_len + udp_hdr_len); is_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4; spi = rte_be_to_cpu_32(esp->spi); -- 2.27.0
Adding support for IPv4 lookaside IPsec transport mode. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- doc/guides/cryptodevs/octeontx2.rst | 1 + doc/guides/rel_notes/release_21_05.rst | 2 + drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 7 +- drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 110 ++++++++++-------- drivers/crypto/octeontx2/otx2_cryptodev_sec.h | 4 +- drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 + drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 8 +- 7 files changed, 78 insertions(+), 60 deletions(-) diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst index b30f98180a..811e61a1f6 100644 --- a/doc/guides/cryptodevs/octeontx2.rst +++ b/doc/guides/cryptodevs/octeontx2.rst @@ -179,6 +179,7 @@ Features supported * IPv6 * ESP * Tunnel mode +* Transport mode(IPv4) * ESN * Anti-replay * UDP Encapsulation diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 9ef2537b1a..be8c36b92e 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -103,6 +103,8 @@ New Features * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with UDP encapsulation support for NAT Traversal. + * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with + IPv4 transport mode support. * **Updated testpmd.** diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c index cec20b5c6d..c20170bcaa 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c @@ -928,7 +928,7 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp) struct rte_mbuf *m = sym_op->m_src; struct rte_ipv6_hdr *ip6; struct rte_ipv4_hdr *ip; - uint16_t m_len; + uint16_t m_len = 0; int mdata_len; char *data; @@ -938,11 +938,12 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp) if (word0->s.opcode.major == OTX2_IPSEC_PO_PROCESS_IPSEC_INB) { data = rte_pktmbuf_mtod(m, char *); - if (rsp[4] == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + if (rsp[4] == OTX2_IPSEC_PO_TRANSPORT || + rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV4) { ip = (struct rte_ipv4_hdr *)(data + OTX2_IPSEC_PO_INB_RPTR_HDR); m_len = rte_be_to_cpu_16(ip->total_length); - } else { + } else if (rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV6) { ip6 = (struct rte_ipv6_hdr *)(data + OTX2_IPSEC_PO_INB_RPTR_HDR); m_len = rte_be_to_cpu_16(ip6->payload_len) + diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index 8942ff1fac..6493ce8370 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -25,12 +25,15 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec, { struct rte_crypto_sym_xform *cipher_xform, *auth_xform; - if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) - lp->partial_len = sizeof(struct rte_ipv4_hdr); - else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) - lp->partial_len = sizeof(struct rte_ipv6_hdr); - else - return -EINVAL; + lp->partial_len = 0; + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + lp->partial_len = sizeof(struct rte_ipv4_hdr); + else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) + lp->partial_len = sizeof(struct rte_ipv6_hdr); + else + return -EINVAL; + } if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) { lp->partial_len += sizeof(struct rte_esp_hdr); @@ -203,7 +206,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, struct rte_security_session *sec_sess) { struct rte_crypto_sym_xform *auth_xform, *cipher_xform; - struct otx2_ipsec_po_ip_template *template; + struct otx2_ipsec_po_ip_template *template = NULL; const uint8_t *cipher_key, *auth_key; struct otx2_sec_session_ipsec_lp *lp; struct otx2_ipsec_po_sa_ctl *ctl; @@ -229,10 +232,10 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, memset(sa, 0, sizeof(struct otx2_ipsec_po_out_sa)); /* Initialize lookaside ipsec private data */ + lp->mode_type = OTX2_IPSEC_PO_TRANSPORT; lp->ip_id = 0; lp->seq_lo = 1; lp->seq_hi = 0; - lp->tunnel_type = ipsec->tunnel.type; ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl); if (ret) @@ -242,46 +245,47 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, if (ret) return ret; - if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { - /* Start ip id from 1 */ - lp->ip_id = 1; + /* Start ip id from 1 */ + lp->ip_id = 1; + + if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { + template = &sa->aes_gcm.template; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + aes_gcm.template) + sizeof( + sa->aes_gcm.template.ip4); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; + } else if (ctl->auth_type == + OTX2_IPSEC_PO_SA_AUTH_SHA1) { + template = &sa->sha1.template; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + sha1.template) + sizeof( + sa->sha1.template.ip4); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; + } else if (ctl->auth_type == + OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { + template = &sa->sha2.template; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + sha2.template) + sizeof( + sa->sha2.template.ip4); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; + } else { + return -EINVAL; + } + ip = &template->ip4.ipv4_hdr; + if (ipsec->options.udp_encap) { + ip->next_proto_id = IPPROTO_UDP; + template->ip4.udp_src = rte_be_to_cpu_16(4500); + template->ip4.udp_dst = rte_be_to_cpu_16(4500); + } else { + ip->next_proto_id = IPPROTO_ESP; + } + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { - - if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { - template = &sa->aes_gcm.template; - ctx_len = offsetof(struct otx2_ipsec_po_out_sa, - aes_gcm.template) + sizeof( - sa->aes_gcm.template.ip4); - ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); - lp->ctx_len = ctx_len >> 3; - } else if (ctl->auth_type == - OTX2_IPSEC_PO_SA_AUTH_SHA1) { - template = &sa->sha1.template; - ctx_len = offsetof(struct otx2_ipsec_po_out_sa, - sha1.template) + sizeof( - sa->sha1.template.ip4); - ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); - lp->ctx_len = ctx_len >> 3; - } else if (ctl->auth_type == - OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { - template = &sa->sha2.template; - ctx_len = offsetof(struct otx2_ipsec_po_out_sa, - sha2.template) + sizeof( - sa->sha2.template.ip4); - ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); - lp->ctx_len = ctx_len >> 3; - } else { - return -EINVAL; - } - ip = &template->ip4.ipv4_hdr; - if (ipsec->options.udp_encap) { - ip->next_proto_id = IPPROTO_UDP; - template->ip4.udp_src = rte_be_to_cpu_16(4500); - template->ip4.udp_dst = rte_be_to_cpu_16(4500); - } else { - ip->next_proto_id = IPPROTO_ESP; - } + lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV4; ip->version_ihl = RTE_IPV4_VHL_DEF; ip->time_to_live = ipsec->tunnel.ipv4.ttl; ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2); @@ -294,6 +298,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, } else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV6; if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, @@ -336,11 +341,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, sizeof(struct in6_addr)); memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr, sizeof(struct in6_addr)); - } else { - return -EINVAL; } - } else { - return -EINVAL; } cipher_xform = crypto_xform; @@ -421,13 +422,20 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev, if (ret) return ret; - lp->tunnel_type = ipsec->tunnel.type; + lp->mode_type = OTX2_IPSEC_PO_TRANSPORT; + auth_xform = crypto_xform; cipher_xform = crypto_xform->next; cipher_key_len = 0; auth_key_len = 0; + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + lp->mode_type = (ipsec->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) ? + OTX2_IPSEC_PO_TUNNEL_IPV4 : + OTX2_IPSEC_PO_TUNNEL_IPV6; + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4); diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h index 2849c1ab75..87f55c97fe 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h @@ -55,8 +55,8 @@ struct otx2_sec_session_ipsec_lp { uint8_t iv_length; /** Auth IV length in bytes */ uint8_t auth_iv_length; - /** IPsec tunnel type */ - enum rte_security_ipsec_tunnel_type tunnel_type; + /** IPsec mode and tunnel type */ + enum otx2_ipsec_po_mode_type mode_type; }; int otx2_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev); diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h index eda9f19738..b3e7456551 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h @@ -20,6 +20,12 @@ #define OTX2_IPSEC_PO_INB_RPTR_HDR 0x8 +enum otx2_ipsec_po_mode_type { + OTX2_IPSEC_PO_TRANSPORT = 1, + OTX2_IPSEC_PO_TUNNEL_IPV4, + OTX2_IPSEC_PO_TUNNEL_IPV6, +}; + enum otx2_ipsec_po_comp_e { OTX2_IPSEC_PO_CC_SUCCESS = 0x00, OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0, diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h index f4cab19811..58b199f4f3 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h @@ -26,7 +26,7 @@ otx2_ipsec_po_out_rlen_get(struct otx2_sec_session_ipsec_lp *sess, static __rte_always_inline struct cpt_request_info * alloc_request_struct(char *maddr, void *cop, int mdata_len, - enum rte_security_ipsec_tunnel_type tunnel_type) + enum otx2_ipsec_po_mode_type mode_type) { struct cpt_request_info *req; struct cpt_meta_info *meta; @@ -48,7 +48,7 @@ alloc_request_struct(char *maddr, void *cop, int mdata_len, op[1] = (uintptr_t)cop; op[2] = (uintptr_t)req; op[3] = mdata_len; - op[4] = tunnel_type; + op[4] = mode_type; return req; } @@ -89,7 +89,7 @@ process_outb_sa(struct rte_crypto_op *cop, mdata += extend_tail; /* mdata follows encrypted data */ req = alloc_request_struct(mdata, (void *)cop, mdata_len, - sess->tunnel_type); + sess->mode_type); data = rte_pktmbuf_prepend(m_src, extend_head); if (unlikely(data == NULL)) { @@ -162,7 +162,7 @@ process_inb_sa(struct rte_crypto_op *cop, } req = alloc_request_struct(mdata, (void *)cop, mdata_len, - sess->tunnel_type); + sess->mode_type); /* Prepare CPT instruction */ word0.u64 = sess->ucmd_w0; -- 2.27.0
> Adding new mbuf packet type for UDP encapsulated
> ESP packets.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> doc/guides/rel_notes/release_21_05.rst | 5 +++++
> lib/librte_mbuf/rte_mbuf_ptype.h | 21 +++++++++++++++++++++
> 2 files changed, 26 insertions(+)
>
Acked-by: Akhil Goyal <gakhil@marvell.com>
++Olivier
Thomas,
Can this patch be part of crypto tree if acked by Olivier?
Regards,
Akhil
> Adding UDP encapsulation support for IPsec in
> lookaside protocol mode.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
>
> Adding support for IPv4 lookaside IPsec transport mode.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
>
> Adding lookaside IPsec UDP encapsulation support
> for NAT traversal.
> Application has to add udp-encap option to sa config file
> to enable UDP encapsulation on the SA.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
Konstantin,
Any more comments on this?
Regards,
Akhil
05/04/2021 20:11, Akhil Goyal:
> > Adding new mbuf packet type for UDP encapsulated
> > ESP packets.
> >
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > ---
> > doc/guides/rel_notes/release_21_05.rst | 5 +++++
> > lib/librte_mbuf/rte_mbuf_ptype.h | 21 +++++++++++++++++++++
> > 2 files changed, 26 insertions(+)
> >
> Acked-by: Akhil Goyal <gakhil@marvell.com>
>
> ++Olivier
>
> Thomas,
> Can this patch be part of crypto tree if acked by Olivier?
Yes, adding a packet type is OK if reviewed by Olivier or Andrew.
Olivier, Andrew, please could you review?
Hi Akhil,
> >
> > Adding lookaside IPsec UDP encapsulation support
> > for NAT traversal.
> > Application has to add udp-encap option to sa config file
> > to enable UDP encapsulation on the SA.
> >
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > ---
> Acked-by: Akhil Goyal <gakhil@marvell.com>
>
> Konstantin,
> Any more comments on this?
Didn't look at v2 yet.
Will try to do that during this week.
Konstantin
>
> Adding lookaside IPsec UDP encapsulation support
> for NAT traversal.
> Application has to add udp-encap option to sa config file
> to enable UDP encapsulation on the SA.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> doc/guides/rel_notes/release_21_05.rst | 5 ++++
> doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++--
> examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++---
> examples/ipsec-secgw/ipsec-secgw.h | 2 ++
> examples/ipsec-secgw/ipsec.c | 9 ++++++++
> examples/ipsec-secgw/ipsec.h | 2 ++
> examples/ipsec-secgw/sa.c | 18 +++++++++++++++
> examples/ipsec-secgw/sad.h | 7 +++++-
> 8 files changed, 81 insertions(+), 6 deletions(-)
>
> diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
> index 4ab2d7500f..9ef2537b1a 100644
> --- a/doc/guides/rel_notes/release_21_05.rst
> +++ b/doc/guides/rel_notes/release_21_05.rst
> @@ -111,6 +111,11 @@ New Features
> * Added command to display Rx queue used descriptor count.
> ``show port (port_id) rxq (queue_id) desc used count``
>
> +* **Updated ipsec-secgw sample application.**
> +
> + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
> + support for NAT Traversal.
> +
>
> Removed Items
> -------------
> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
> index 176e292d3f..07bbbb5916 100644
> --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:
>
> sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
> <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
> - <flow-direction> <port_id> <queue_id>
> + <flow-direction> <port_id> <queue_id> <udp-encap>
>
> where each options means:
>
> @@ -709,6 +709,17 @@ where each options means:
> * *port_id*: Port ID of the NIC for which the SA is configured.
> * *queue_id*: Queue ID to which traffic should be redirected.
>
> + ``<udp-encap>``
> +
> + * Option to enable IPsec UDP encapsulation for NAT Traversal.
> + Only lookaside-protocol-offload mode is supported at the moment.
> +
> + * Optional: Yes, it is disabled by default
> +
> + * Syntax:
> +
> + * *udp-encap*
> +
> Example SA rules:
>
> .. code-block:: console
> @@ -1023,4 +1034,4 @@ Available options:
> * ``-h`` Show usage.
>
> If <ipsec_mode> is specified, only tests for that mode will be invoked. For the
> -list of available modes please refer to run_test.sh.
> \ No newline at end of file
> +list of available modes please refer to run_test.sh.
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 20d69ba813..6f6f2aa796 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
> /* application wide librte_ipsec/SA parameters */
> struct app_sa_prm app_sa_prm = {
> .enable = 0,
> - .cache_sz = SA_CACHE_SZ
> + .cache_sz = SA_CACHE_SZ,
> + .udp_encap = 0
> };
> static const char *cfgfile;
>
> @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
> const struct rte_ether_hdr *eth;
> const struct rte_ipv4_hdr *iph4;
> const struct rte_ipv6_hdr *iph6;
> + const struct rte_udp_hdr *udp;
> + uint16_t ip4_hdr_len;
> + uint16_t nat_port;
>
> eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
> if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
> @@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
> RTE_ETHER_HDR_LEN);
> adjust_ipv4_pktlen(pkt, iph4, 0);
>
> - if (iph4->next_proto_id == IPPROTO_ESP)
> + switch (iph4->next_proto_id) {
> + case IPPROTO_ESP:
> t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> - else {
> + break;
> + case IPPROTO_UDP:
> + if (app_sa_prm.udp_encap == 1) {
> + ip4_hdr_len = ((iph4->version_ihl &
> + RTE_IPV4_HDR_IHL_MASK) *
> + RTE_IPV4_IHL_MULTIPLIER);
> + udp = rte_pktmbuf_mtod_offset(pkt,
> + struct rte_udp_hdr *, ip4_hdr_len);
> + nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
> + if (udp->src_port == nat_port ||
> + udp->dst_port == nat_port){
> + t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> + pkt->packet_type |=
> + RTE_PTYPE_TUNNEL_ESP_IN_UDP;
> + break;
> + }
> + }
> + /* Fall through */
> + default:
> t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
> t->ip4.pkts[(t->ip4.num)++] = pkt;
> }
As I understand you don't support UDP tunneling for ipv6 packets for now.
If so, then it probably worth to notice that in the doc, and in parse_sa_tokens()
add a check for ipv4.
Apart from that all seems ok to me.
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Hi Konstantin,
Please see inline.
Thanks
Tejasree
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Tuesday, April 6, 2021 7:08 PM
> To: Tejasree Kondoj <ktejasree@marvell.com>; Akhil Goyal
> <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>
> Cc: Anoob Joseph <anoobj@marvell.com>; Ankur Dwivedi
> <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 3/4] examples/ipsec-secgw: add UDP
> encapsulation support
>
> External Email
>
> ----------------------------------------------------------------------
>
> >
> > Adding lookaside IPsec UDP encapsulation support for NAT traversal.
> > Application has to add udp-encap option to sa config file to enable
> > UDP encapsulation on the SA.
> >
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > ---
> > doc/guides/rel_notes/release_21_05.rst | 5 ++++
> > doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++--
> > examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++---
> > examples/ipsec-secgw/ipsec-secgw.h | 2 ++
> > examples/ipsec-secgw/ipsec.c | 9 ++++++++
> > examples/ipsec-secgw/ipsec.h | 2 ++
> > examples/ipsec-secgw/sa.c | 18 +++++++++++++++
> > examples/ipsec-secgw/sad.h | 7 +++++-
> > 8 files changed, 81 insertions(+), 6 deletions(-)
> >
> > diff --git a/doc/guides/rel_notes/release_21_05.rst
> > b/doc/guides/rel_notes/release_21_05.rst
> > index 4ab2d7500f..9ef2537b1a 100644
> > --- a/doc/guides/rel_notes/release_21_05.rst
> > +++ b/doc/guides/rel_notes/release_21_05.rst
> > @@ -111,6 +111,11 @@ New Features
> > * Added command to display Rx queue used descriptor count.
> > ``show port (port_id) rxq (queue_id) desc used count``
> >
> > +* **Updated ipsec-secgw sample application.**
> > +
> > + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
> > + support for NAT Traversal.
> > +
> >
> > Removed Items
> > -------------
> > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
> > b/doc/guides/sample_app_ug/ipsec_secgw.rst
> > index 176e292d3f..07bbbb5916 100644
> > --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> > @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:
> >
> > sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
> > <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
> > - <flow-direction> <port_id> <queue_id>
> > + <flow-direction> <port_id> <queue_id> <udp-encap>
> >
> > where each options means:
> >
> > @@ -709,6 +709,17 @@ where each options means:
> > * *port_id*: Port ID of the NIC for which the SA is configured.
> > * *queue_id*: Queue ID to which traffic should be redirected.
> >
> > + ``<udp-encap>``
> > +
> > + * Option to enable IPsec UDP encapsulation for NAT Traversal.
> > + Only lookaside-protocol-offload mode is supported at the moment.
> > +
> > + * Optional: Yes, it is disabled by default
> > +
> > + * Syntax:
> > +
> > + * *udp-encap*
> > +
> > Example SA rules:
> >
> > .. code-block:: console
> > @@ -1023,4 +1034,4 @@ Available options:
> > * ``-h`` Show usage.
> >
> > If <ipsec_mode> is specified, only tests for that mode will be
> > invoked. For the -list of available modes please refer to run_test.sh.
> > \ No newline at end of file
> > +list of available modes please refer to run_test.sh.
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c
> > b/examples/ipsec-secgw/ipsec-secgw.c
> > index 20d69ba813..6f6f2aa796 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
> > /* application wide librte_ipsec/SA parameters */ struct app_sa_prm
> > app_sa_prm = {
> > .enable = 0,
> > - .cache_sz = SA_CACHE_SZ
> > + .cache_sz = SA_CACHE_SZ,
> > + .udp_encap = 0
> > };
> > static const char *cfgfile;
> >
> > @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
> ipsec_traffic *t)
> > const struct rte_ether_hdr *eth;
> > const struct rte_ipv4_hdr *iph4;
> > const struct rte_ipv6_hdr *iph6;
> > + const struct rte_udp_hdr *udp;
> > + uint16_t ip4_hdr_len;
> > + uint16_t nat_port;
> >
> > eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
> > if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
> @@
> > -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
> ipsec_traffic *t)
> > RTE_ETHER_HDR_LEN);
> > adjust_ipv4_pktlen(pkt, iph4, 0);
> >
> > - if (iph4->next_proto_id == IPPROTO_ESP)
> > + switch (iph4->next_proto_id) {
> > + case IPPROTO_ESP:
> > t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> > - else {
> > + break;
> > + case IPPROTO_UDP:
> > + if (app_sa_prm.udp_encap == 1) {
> > + ip4_hdr_len = ((iph4->version_ihl &
> > + RTE_IPV4_HDR_IHL_MASK) *
> > + RTE_IPV4_IHL_MULTIPLIER);
> > + udp = rte_pktmbuf_mtod_offset(pkt,
> > + struct rte_udp_hdr *, ip4_hdr_len);
> > + nat_port =
> rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
> > + if (udp->src_port == nat_port ||
> > + udp->dst_port == nat_port){
> > + t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> > + pkt->packet_type |=
> > +
> RTE_PTYPE_TUNNEL_ESP_IN_UDP;
> > + break;
> > + }
> > + }
> > + /* Fall through */
> > + default:
> > t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
> > t->ip4.pkts[(t->ip4.num)++] = pkt;
> > }
>
> As I understand you don't support UDP tunneling for ipv6 packets for now.
> If so, then it probably worth to notice that in the doc, and in
> parse_sa_tokens() add a check for ipv4.
> Apart from that all seems ok to me.
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
[Tejasree] Added support for IPv6 packets in v3. Could you please review?