From: Radu Nicolau
To: Jingjing Wu, Beilei Xing
Cc: dev@dpdk.org, Radu Nicolau
Subject: [PATCH] net/iavf: add NAT-T / UDP encapsulation support
Date: Thu, 24 Feb 2022 12:27:28 +0000
Message-Id: <20220224122729.1777159-1-radu.nicolau@intel.com>

Add support for NAT-T / UDP encapsulated ESP.

Signed-off-by: Radu Nicolau
--- drivers/common/iavf/virtchnl_inline_ipsec.h | 9 +++++++++ drivers/net/iavf/iavf_ipsec_crypto.c | 16 +++++++++++++--- drivers/net/iavf/iavf_ipsec_crypto.h | 4 +++- 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/drivers/common/iavf/virtchnl_inline_ipsec.h b/drivers/common/iavf/virtchnl_inline_ipsec.h index 1e9134501e..2f4bf15725 100644 --- a/drivers/common/iavf/virtchnl_inline_ipsec.h +++ b/drivers/common/iavf/virtchnl_inline_ipsec.h @@ -446,6 +446,15 @@ struct virtchnl_ipsec_sp_cfg { /* Set TC (congestion domain) if true. For future use. */ u8 set_tc; + + /* 0 for NAT-T unsupported, 1 for NAT-T supported */ + u8 is_udp; + + /* reserved */ + u8 reserved; + + /* NAT-T UDP port number. Only valid in case NAT-T supported */ + u16 udp_port; } __rte_packed; diff --git a/drivers/net/iavf/iavf_ipsec_crypto.c b/drivers/net/iavf/iavf_ipsec_crypto.c index 6ac1b213db..35aa420a1b 100644 --- a/drivers/net/iavf/iavf_ipsec_crypto.c +++ b/drivers/net/iavf/iavf_ipsec_crypto.c @@ -736,7 +736,9 @@ iavf_ipsec_crypto_inbound_security_policy_add(struct iavf_adapter *adapter, uint8_t is_v4, rte_be32_t v4_dst_addr, uint8_t *v6_dst_addr, - uint8_t drop) + uint8_t drop, + bool is_udp, + uint16_t udp_port) { struct inline_ipsec_msg *request = NULL, *response = NULL; size_t request_len, response_len; 
@@ -781,6 +783,8 @@ iavf_ipsec_crypto_inbound_security_policy_add(struct iavf_adapter *adapter, /** Traffic Class/Congestion Domain currently not support */ request->ipsec_data.sp_cfg->set_tc = 0; request->ipsec_data.sp_cfg->cgd = 0; + request->ipsec_data.sp_cfg->is_udp = is_udp; + request->ipsec_data.sp_cfg->udp_port = htons(udp_port); response_len = sizeof(struct inline_ipsec_msg) + sizeof(struct virtchnl_ipsec_sp_cfg_resp); @@ -1625,6 +1629,7 @@ struct iavf_ipsec_flow_item { struct rte_ipv6_hdr ipv6_hdr; }; struct rte_udp_hdr udp_hdr; + uint8_t is_udp; }; static void @@ -1737,6 +1742,7 @@ iavf_ipsec_flow_item_parse(struct rte_eth_dev *ethdev, parse_udp_item((const struct rte_flow_item_udp *) pattern[2].spec, &ipsec_flow->udp_hdr); + ipsec_flow->is_udp = true; ipsec_flow->spi = ((const struct rte_flow_item_esp *) pattern[3].spec)->hdr.spi; @@ -1806,7 +1812,9 @@ iavf_ipsec_flow_create(struct iavf_adapter *ad, 1, ipsec_flow->ipv4_hdr.dst_addr, NULL, - 0); + 0, + ipsec_flow->is_udp, + ipsec_flow->udp_hdr.dst_port); } else { ipsec_flow->id = iavf_ipsec_crypto_inbound_security_policy_add(ad, @@ -1814,7 +1822,9 @@ iavf_ipsec_flow_create(struct iavf_adapter *ad, 0, 0, ipsec_flow->ipv6_hdr.dst_addr, - 0); + 0, + ipsec_flow->is_udp, + ipsec_flow->udp_hdr.dst_port); } if (ipsec_flow->id < 1) { diff --git a/drivers/net/iavf/iavf_ipsec_crypto.h b/drivers/net/iavf/iavf_ipsec_crypto.h index 687541077a..8ea0f9540e 100644 --- a/drivers/net/iavf/iavf_ipsec_crypto.h +++ b/drivers/net/iavf/iavf_ipsec_crypto.h @@ -145,7 +145,9 @@ iavf_ipsec_crypto_inbound_security_policy_add(struct iavf_adapter *adapter, uint8_t is_v4, rte_be32_t v4_dst_addr, uint8_t *v6_dst_addr, - uint8_t drop); + uint8_t drop, + bool is_udp, + uint16_t udp_port); /** * Delete inbound security policy rule from hardware -- 2.25.1
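Review bot: In the virtchnl_inline_ipsec.h hunk (@@ -446, struct virtchnl_ipsec_sp_cfg), the four bytes appended to this __rte_packed struct change the size of a message shared with the PF, and nothing in the patch shows how a PF built against the old layout is handled. Please say in the commit message which PF accepts the longer sp_cfg, or gate the new fields on a negotiated capability. The is_udp comment ("0 for NAT-T unsupported, 1 for NAT-T supported") also reads as a device capability while the driver sets it per policy, and the udp_port comment should state that the field is in network byte order, since the driver writes it with htons().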
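Review bot: In the iavf_ipsec_crypto.c hunk at @@ -781, htons(udp_port) is applied to a value that both callers take from ipsec_flow->udp_hdr.dst_port, a struct rte_udp_hdr field, which carries the port in network byte order. Unless parse_udp_item() converts to host order when it fills udp_hdr, the port is swapped a second time on little-endian hosts and the inbound policy is programmed with the wrong port, so NAT-T traffic would not match it. Either pass the value through unchanged and type the parameter rte_be16_t (as v4_dst_addr is rte_be32_t), or convert exactly once; rte_cpu_to_be_16() is the usual DPDK helper rather than htons().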
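Review bot: In the iavf_ipsec_crypto.c hunk at @@ -1625, is_udp is declared uint8_t in struct iavf_ipsec_flow_item, but it is assigned true in the parser and passed to a bool parameter of iavf_ipsec_crypto_inbound_security_policy_add(). Please use one type throughout (bool here, or uint8_t in the prototype to match the u8 wire field) and add a short comment saying the flag marks a UDP-encapsulated ESP flow.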
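Review bot: In the iavf_ipsec_crypto.c hunk at @@ -1737, ipsec_flow->is_udp is written only in the UDP branch of iavf_ipsec_flow_item_parse(), so every other pattern relies on the flow item having been zeroed when it was allocated, which these lines do not show. Setting is_udp to false explicitly on the non-UDP paths (or at the top of the function) removes that dependency and keeps a reused or partially filled item from being reported to the PF as NAT-T.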
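Review bot: In the iavf_ipsec_flow_create() hunk at @@ -1806 (the same applies to the IPv6 call in the next hunk), ipsec_flow->udp_hdr.dst_port is passed whether or not is_udp is set, so for plain ESP flows whatever udp_hdr happens to contain is copied into the request. The header comment says the port is only valid with NAT-T, so passing 0 when is_udp is false would make the message deterministic and easier to audit on the PF side.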
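Review bot: The prototype change in iavf_ipsec_crypto.h at @@ -145 adds is_udp and udp_port with no description of either, in particular the byte order expected for udp_port, and the diffstat lists only the three source files. Please document the two parameters alongside the prototype and add the user-facing note (driver guide or release notes) describing which rte_flow pattern enables UDP-encapsulated ESP.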