From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by dpdk.org (Postfix) with ESMTP id 0DC883005 for ; Mon, 1 Feb 2016 12:09:22 +0100 (CET) Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga104.fm.intel.com with ESMTP; 01 Feb 2016 03:09:21 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.22,379,1449561600"; d="scan'208";a="902877245" Received: from smonroyx-mobl.ger.corp.intel.com (HELO [10.237.220.47]) ([10.237.220.47]) by orsmga002.jf.intel.com with ESMTP; 01 Feb 2016 03:09:18 -0800 To: Jerin Jacob References: <1454099352-29040-1-git-send-email-sergio.gonzalez.monroy@intel.com> <20160131143918.GA12763@localhost.localdomain> From: Sergio Gonzalez Monroy Message-ID: <56AF3CDC.5090105@intel.com> Date: Mon, 1 Feb 2016 11:09:16 +0000 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 MIME-Version: 1.0 In-Reply-To: <20160131143918.GA12763@localhost.localdomain> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Cc: dev@dpdk.org Subject: Re: [dpdk-dev] [PATCH] example/ipsec-secgw: ipsec security gateway X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Feb 2016 11:09:24 -0000 On 31/01/2016 14:39, Jerin Jacob wrote: > On Fri, Jan 29, 2016 at 08:29:12PM +0000, Sergio Gonzalez Monroy wrote: >> Sample app implementing an IPsec Security Geteway. >> The main goal of this app is to show the use of cryptodev framework >> in a real world application. >> >> Currently only supported static IPv4 IPsec tunnels using AES-CBC >> and HMAC-SHA1. >> >> Also, currently not supported: >> - SA auto negotiation (No IKE support) >> - chained mbufs >> >> Signed-off-by: Sergio Gonzalez Monroy > Hi Sergio, > > Great effort, one of the best highly integrated sample DPDK application > (ethernet, acl, crypto and lpm) > >> --- >> MAINTAINERS | 4 + >> doc/guides/sample_app_ug/index.rst | 1 + >> doc/guides/sample_app_ug/ipsec_secgw.rst | 440 +++++++++++ >> examples/Makefile | 2 + >> examples/ipsec-secgw/Makefile | 58 ++ >> examples/ipsec-secgw/esp.c | 256 +++++++ >> examples/ipsec-secgw/esp.h | 66 ++ >> examples/ipsec-secgw/ipip.h | 100 +++ >> examples/ipsec-secgw/ipsec-secgw.c | 1218 ++++++++++++++++++++++++++++++ >> examples/ipsec-secgw/ipsec.c | 138 ++++ >> examples/ipsec-secgw/ipsec.h | 184 +++++ >> examples/ipsec-secgw/rt.c | 131 ++++ >> examples/ipsec-secgw/sa.c | 391 ++++++++++ >> examples/ipsec-secgw/sp.c | 324 ++++++++ >> 14 files changed, 3313 insertions(+) >> create mode 100644 doc/guides/sample_app_ug/ipsec_secgw.rst >> create mode 100644 examples/ipsec-secgw/Makefile >> create mode 100644 examples/ipsec-secgw/esp.c >> create mode 100644 examples/ipsec-secgw/esp.h >> create mode 100644 examples/ipsec-secgw/ipip.h >> create mode 100644 examples/ipsec-secgw/ipsec-secgw.c >> create mode 100644 examples/ipsec-secgw/ipsec.c >> create mode 100644 examples/ipsec-secgw/ipsec.h >> create mode 100644 examples/ipsec-secgw/rt.c >> create mode 100644 examples/ipsec-secgw/sa.c >> create mode 100644 examples/ipsec-secgw/sp.c >> >> diff --git a/MAINTAINERS b/MAINTAINERS >> index b90aeea..996eda6 100644 >> --- a/MAINTAINERS >> +++ b/MAINTAINERS >> @@ -596,3 +596,7 @@ F: doc/guides/sample_app_ug/vmdq_dcb_forwarding.rst >> M: Pablo de Lara >> M: Daniel Mrzyglod >> F: examples/ptpclient/ >> + >> +M: Sergio Gonzalez Monroy >> +F: doc/guides/sample_app_ug/ipsec-secgw.rst >> +F: examples/ipsec-secgw/ >> diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst >> index 8a646dd..88375d2 100644 >> --- a/doc/guides/sample_app_ug/index.rst >> +++ b/doc/guides/sample_app_ug/index.rst >> @@ -73,6 +73,7 @@ Sample Applications User Guide >> proc_info >> ptpclient >> performance_thread >> + ipsec_secgw >> >> **Figures** >> >> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst >> new file mode 100644 >> index 0000000..7be3f7e >> --- /dev/null >> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst >> @@ -0,0 +1,440 @@ >> +.. BSD LICENSE >> + Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + All rights reserved. >> + >> + Redistribution and use in source and binary forms, with or without >> + modification, are permitted provided that the following conditions >> + are met: >> + >> + * Redistributions of source code must retain the above copyright >> + notice, this list of conditions and the following disclaimer. >> + * Redistributions in binary form must reproduce the above copyright >> + notice, this list of conditions and the following disclaimer in >> + the documentation and/or other materials provided with the >> + distribution. >> + * Neither the name of Intel Corporation nor the names of its >> + contributors may be used to endorse or promote products derived >> + from this software without specific prior written permission. >> + >> + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + >> +IPsec Security Gateway Sample Application >> +========================================= >> + >> +The IPsec Security Gateway application is a minimal example of real work >> +application using DPDK cryptodev framework. >> + >> +Overview >> +-------- >> + >> +The application demonstrates the implementation of a minimal Security Gateway >> +(see Constraints bellow) using DPDK based on RFC4301, RFC4303, RFC3602 and >> +RFC2404. >> + >> +Note that IKE is not supported (therefore not IPsec compliant), so only manual >> +setting of Security Policies and Associations is allowed. >> + >> +The Security Policies (SP) are implemented as ACL rules, the Security >> +Associations (SA) are stored in a table and the Routing is implemented >> +using LPM. >> + >> +The application splits the ports between Protected and Unprotected. >> +Based on the port the trafic is coming from, the traffic would be consider >> +IPsec Inbound or Outbound. >> +Traffic from Unprotected ports is consider IPsec Inbound, and traffic from >> +Protected ports is consider IPsec Outbound. >> + >> +Path for IPsec Inbound traffic: >> +* Read packets from the port >> +* Classify packets between IPv4 and ESP. >> +* Inbound SA lookup for ESP packets based on their SPI >> +* Verification/Decryption >> +* Removal of ESP and outter IP header >> +* Inbound SP check using ACL of decrypted packets and any other IPv4 packet >> +we read. >> +* Routing >> +* Write packet to port >> + >> +Path for IPsec Outbound traffic: >> +* Read packets from the port >> +* Outbound SP check using ACL of all IPv4 traffic >> +* Outbound SA lookup for packets that need IPsec protection >> +* Add ESP and outter IP header >> +* Encryption/Digest >> +* Routing >> +* Write packet to port >> + >> +Constraints >> +----------- >> +* IPv4 traffic >> +* ESP tunnel mode >> +* EAS-CBC and HMAC-SHA1 >> +* Each SA must be handle by a unique lcore (1 RX queue per port) >> +* No chained mbufs >> + >> +Compiling the Application >> +------------------------- >> + >> +To compile the application: >> + >> +#. Go to the sample application directory: >> + >> + .. code-block:: console >> + >> + export RTE_SDK=/path/to/rte_sdk >> + cd ${RTE_SDK}/examples/ipsec-secgw >> + >> +#. Set the target (a default target is used if not specified). For example: >> + >> + .. code-block:: console >> + >> + export RTE_TARGET=x86_64-native-linuxapp-gcc >> + >> + See the *DPDK Getting Started Guide* for possible RTE_TARGET values. >> + >> +#. Build the application: >> + >> + .. code-block:: console >> + >> + make >> + >> +Running the Application >> +----------------------- >> + >> +The application has a number of command line options: >> + >> +.. code-block:: console >> + >> + ./build/ipsec-secgw [EAL options] -- -p PORTMASK -P -u PORTMASK --config >> + (port,queue,lcore)[,(port,queue,lcore] --EP0|--EP1 --cdev AESNI|QAT >> + >> +where, >> + >> +* -p PORTMASK: Hexadecimal bitmask of ports to configure >> + >> +* -P: optional, sets all ports to promiscuous mode so that packets are >> + accepted regardless of the packet's Ethernet MAC destination address. >> + Without this option, only packets with the Ethernet MAC destination address >> + set to the Ethernet address of the port are accepted (default is enabled). >> + >> +* -u PORTMASK: hexadecimal bitmask of unprotected ports >> + >> +* --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues >> + from which ports are mapped to which cores >> + >> +* --cdev AESNI/QAT: choose whether to use QAT HW crypto or EASNI SW crypto >> + >> +* --EP0: configure the app as Endpoint 0. >> + >> +* --EP1: configure the app as Endpoint 1. >> + >> +Either --EP0 or --EP1 must be specified. >> + >> +The mapping of lcores to port/queues is similar to other l3fwd applications. >> + >> +For example, given the following command line: >> +.. code-block:: console >> + >> + ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 -- -p 0xf -P -u 0x3 >> + --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" --cdev AESNI --EP0 >> + >> +where each options means: >> + >> +* The -l option enables cores 20 and 21 >> + >> +* The -n option sets memory 4 channels >> + >> +* The --socket-mem to use 2GB on socket 1 >> + >> +* The -p option enables ports (detected) 0, 1, 2 and 3 >> + >> +* The -P option enables promiscous mode >> + >> +* The -u option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected >> + >> +* The --config option enables one queue per port with the following mapping: >> + >> ++----------+-----------+-----------+---------------------------------------+ >> +| **Port** | **Queue** | **lcore** | **Description** | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> +| 0 | 0 | 20 | Map queue 0 from port 0 to lcore 20. | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> +| 1 | 0 | 20 | Map queue 0 from port 1 to lcore 20. | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> +| 2 | 0 | 21 | Map queue 0 from port 2 to lcore 21. | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> +| 3 | 0 | 21 | Map queue 0 from port 3 to lcore 21. | >> +| | | | | >> ++----------+-----------+-----------+---------------------------------------+ >> + >> +Refer to the *DPDK Getting Started Guide* for general information on running applications and the Environment Abstraction Layer (EAL) options. >> + >> +Configurations >> +-------------- >> + >> +The following sections provide some details on the default values used to >> +initialize the SP, SA and Routing tables. >> +Currently all the configuration is hardcoded into the application. >> + >> +Security Policy Initialization >> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> + >> +As mention in the overview, the Security Policies are ACL rules. >> +There are two ACLs, Inbound and Outboud. >> +The application would also replicate the set of two ACLs per socket in use. >> + >> +Following are the default rules: >> + >> +Endpoint 0 Outbound Security Policies: >> + >> ++---------+------------------+-----------+------------+ >> +| **Src** | **Dst** | **proto** | **SA idx** | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.105.0/24 | Any | 5 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.106.0/24 | Any | 6 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.107.0/24 | Any | 7 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.108.0/24 | Any | 8 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> + >> +Endpoint 0 Inbound Security Policies: >> + >> ++---------+------------------+-----------+------------+ >> +| **Src** | **Dst** | **proto** | **SA idx** | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.115.0/24 | Any | 5 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.116.0/24 | Any | 6 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.117.0/24 | Any | 7 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.118.0/24 | Any | 8 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> + >> +Endpoint 1 Outbound Security Policies: >> + >> ++---------+------------------+-----------+------------+ >> +| **Src** | **Dst** | **proto** | **SA idx** | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.115.0/24 | Any | 5 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.116.0/24 | Any | 6 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.117.0/24 | Any | 7 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.118.0/24 | Any | 8 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> + >> +Endpoint 1 Inbound Security Policies: >> + >> ++---------+------------------+-----------+------------+ >> +| **Src** | **Dst** | **proto** | **SA idx** | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.105.0/24 | Any | 5 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.106.0/24 | Any | 6 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.107.0/24 | Any | 7 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> +| Any | 192.168.108.0/24 | Any | 8 | >> +| | | | | >> ++---------+------------------+-----------+------------+ >> + >> + >> +Security Association Initialization >> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> + >> +The SAs are kept in a array table. >> + >> +For Inbound, the SPI is used as index module the table size. >> +This means that on a table for 100 SA, SPI 5 and 105 would use the same index >> +and that is not currently supported. >> + >> +Notice that it is not an issue for Outbound traffic as we store the index and >> +not the SPI in the Security Policy. >> + >> +All SAs are configured with the same cipher algo, block size and key (AES-CBC >> +16B block), and same authentication algo, digest size and key (HMAC-SHA1, 12B >> +digest). >> + >> +Following are the default values: >> + >> +Endpoint 0 Outbound Security Associations: >> + >> ++---------+----------------+------------------+ >> +| **SPI** | **Tunnel src** | **Tunnel dst** | >> +| | | | >> ++---------+----------------+------------------+ >> +| 5 | 172.16.1.5 | 172.16.2.5 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 6 | 172.16.1.6 | 172.16.2.6 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 7 | 172.16.1.7 | 172.16.2.7 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 8 | 172.16.1.8 | 172.16.2.8 | >> +| | | | >> ++---------+----------------+------------------+ >> + >> +Endpoint 0 Inbound Security Associations: >> + >> ++---------+----------------+------------------+ >> +| **SPI** | **Tunnel src** | **Tunnel dst** | >> +| | | | >> ++---------+----------------+------------------+ >> +| 5 | 172.16.2.5 | 172.16.1.5 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 6 | 172.16.2.6 | 172.16.1.6 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 7 | 172.16.2.7 | 172.16.1.7 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 8 | 172.16.2.8 | 172.16.1.8 | >> +| | | | >> ++---------+----------------+------------------+ >> + >> +Endpoint 1 Outbound Security Associations: >> + >> ++---------+----------------+------------------+ >> +| **SPI** | **Tunnel src** | **Tunnel dst** | >> +| | | | >> ++---------+----------------+------------------+ >> +| 5 | 172.16.2.5 | 172.16.1.5 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 6 | 172.16.2.6 | 172.16.1.6 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 7 | 172.16.2.7 | 172.16.1.7 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 8 | 172.16.2.8 | 172.16.1.8 | >> +| | | | >> ++---------+----------------+------------------+ >> + >> +Endpoint 1 Inbound Security Associations: >> + >> ++---------+----------------+------------------+ >> +| **SPI** | **Tunnel src** | **Tunnel dst** | >> +| | | | >> ++---------+----------------+------------------+ >> +| 5 | 172.16.1.5 | 172.16.2.5 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 6 | 172.16.1.6 | 172.16.2.6 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 7 | 172.16.1.7 | 172.16.2.7 | >> +| | | | >> ++---------+----------------+------------------+ >> +| 8 | 172.16.1.8 | 172.16.2.8 | >> +| | | | >> ++---------+----------------+------------------+ >> + >> +Routing Initialization >> +~~~~~~~~~~~~~~~~~~~~~~ >> + >> +The Routing is implemented using LPM table. >> + >> +Following default values: >> + >> +Endpoint 0 Routing Table: >> + >> ++------------------+----------+ >> +| **Dst addr** | **Port** | >> +| | | >> ++------------------+----------+ >> +| 172.16.2.5/32 | 0 | >> +| | | >> ++------------------+----------+ >> +| 172.16.2.6/32 | 0 | >> +| | | >> ++------------------+----------+ >> +| 172.16.2.7/32 | 1 | >> +| | | >> ++------------------+----------+ >> +| 172.16.2.8/32 | 1 | >> +| | | >> ++------------------+----------+ >> +| 192.168.115.0/24 | 2 | >> +| | | >> ++------------------+----------+ >> +| 192.168.116.0/24 | 2 | >> +| | | >> ++------------------+----------+ >> +| 192.168.117.0/24 | 3 | >> +| | | >> ++------------------+----------+ >> +| 192.168.118.0/24 | 3 | >> +| | | >> ++------------------+----------+ >> + >> +Endpoint 1 Routing Table: >> + >> ++------------------+----------+ >> +| **Dst addr** | **Port** | >> +| | | >> ++------------------+----------+ >> +| 172.16.1.5/32 | 2 | >> +| | | >> ++------------------+----------+ >> +| 172.16.1.6/32 | 2 | >> +| | | >> ++------------------+----------+ >> +| 172.16.1.7/32 | 3 | >> +| | | >> ++------------------+----------+ >> +| 172.16.1.8/32 | 3 | >> +| | | >> ++------------------+----------+ >> +| 192.168.105.0/24 | 0 | >> +| | | >> ++------------------+----------+ >> +| 192.168.106.0/24 | 0 | >> +| | | >> ++------------------+----------+ >> +| 192.168.107.0/24 | 1 | >> +| | | >> ++------------------+----------+ >> +| 192.168.108.0/24 | 1 | >> +| | | >> ++------------------+----------+ >> diff --git a/examples/Makefile b/examples/Makefile >> index 1cb4785..65ce6ce 100644 >> --- a/examples/Makefile >> +++ b/examples/Makefile >> @@ -1,6 +1,7 @@ >> # BSD LICENSE >> # >> # Copyright(c) 2014 6WIND S.A. >> +# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> # >> # Redistribution and use in source and binary forms, with or without >> # modification, are permitted provided that the following conditions >> @@ -78,5 +79,6 @@ DIRS-y += vmdq >> DIRS-y += vmdq_dcb >> DIRS-$(CONFIG_RTE_LIBRTE_POWER) += vm_power_manager >> DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += l2fwd-crypto >> +DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += ipsec-secgw >> >> include $(RTE_SDK)/mk/rte.extsubdir.mk >> diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile >> new file mode 100644 >> index 0000000..5f893b8 >> --- /dev/null >> +++ b/examples/ipsec-secgw/Makefile >> @@ -0,0 +1,58 @@ >> +# BSD LICENSE >> +# >> +# Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> +# All rights reserved. >> +# >> +# Redistribution and use in source and binary forms, with or without >> +# modification, are permitted provided that the following conditions >> +# are met: >> +# >> +# * Redistributions of source code must retain the above copyright >> +# notice, this list of conditions and the following disclaimer. >> +# * Redistributions in binary form must reproduce the above copyright >> +# notice, this list of conditions and the following disclaimer in >> +# the documentation and/or other materials provided with the >> +# distribution. >> +# * Neither the name of Intel Corporation nor the names of its >> +# contributors may be used to endorse or promote products derived >> +# from this software without specific prior written permission. >> +# >> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + >> +ifeq ($(RTE_SDK),) >> + $(error "Please define RTE_SDK environment variable") >> +endif >> + >> +# Default target, can be overridden by command line or environment >> +RTE_TARGET ?= x86_64-native-linuxapp-gcc >> + >> +include $(RTE_SDK)/mk/rte.vars.mk >> + >> +APP = ipsec-secgw >> + >> +CFLAGS += -O3 -gdwarf-2 >> +CFLAGS += $(WERROR_FLAGS) >> + >> +VPATH += $(SRCDIR)/librte_ipsec >> + >> +# >> +# all source are stored in SRCS-y >> +# >> +SRCS-y += ipsec.c >> +SRCS-y += esp.c >> +SRCS-y += sp.c >> +SRCS-y += sa.c >> +SRCS-y += rt.c >> +SRCS-y += ipsec-secgw.c >> + >> +include $(RTE_SDK)/mk/rte.extapp.mk >> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c >> new file mode 100644 >> index 0000000..1be0621 >> --- /dev/null >> +++ b/examples/ipsec-secgw/esp.c >> @@ -0,0 +1,256 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +#include >> +#include >> +#include >> +#include >> + >> +#include "ipsec.h" >> +#include "esp.h" >> +#include "ipip.h" >> + >> +static inline void >> +random_iv_u64(uint64_t *buf, uint16_t n) >> +{ >> + unsigned left = n & 0x7; >> + unsigned i; >> + >> + IPSEC_ASSERT((n & 0x3) == 0); >> + >> + for (i = 0; i < (n >> 3); i++) >> + buf[i] = rte_rand(); >> + >> + if (left) >> + *((uint32_t *)&buf[i]) = (uint32_t)lrand48(); >> +} >> + >> +/* IPv4 Tunnel */ >> +int >> +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop) >> +{ >> + uint16_t digest_len, esp_len, iphdr_len; >> + int32_t payload_len; >> + >> + IPSEC_ASSERT(m != NULL); >> + >> + iphdr_len = sizeof(struct ip); >> + esp_len = sizeof(struct esp_hdr) + sa->iv_len; >> + digest_len = sa->digest_len; >> + payload_len = rte_pktmbuf_pkt_len(m) - iphdr_len - esp_len - digest_len; >> + >> + if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) { >> + IPSEC_LOG(DEBUG, IPSEC_ESP, "payload %d not a multiple of %u\n", >> + payload_len, sa->block_size); >> + return -EINVAL; >> + } >> + >> + cop->data.to_cipher.offset = iphdr_len + esp_len; >> + cop->data.to_cipher.length = payload_len; >> + >> + cop->data.to_hash.offset = iphdr_len; >> + if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GCM) >> + cop->data.to_hash.length = esp_len - sa->iv_len; >> + else >> + cop->data.to_hash.length = esp_len + payload_len; >> + >> + cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, >> + iphdr_len + esp_len - sa->iv_len); >> + cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, >> + iphdr_len + esp_len - sa->iv_len); >> + >> + cop->iv.length = sa->iv_len; >> + >> + cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, >> + iphdr_len + esp_len + payload_len); >> + cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, >> + iphdr_len + esp_len + payload_len); >> + cop->digest.length = digest_len; >> + >> + return 0; >> +} >> + >> +int >> +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop) >> +{ >> + uint16_t digest_len, esp_len, iphdr_len; >> + uint8_t *nexthdr, *pad_len; >> + uint8_t *padding; >> + uint16_t i; >> + >> + IPSEC_ASSERT(m != NULL); >> + >> + iphdr_len = sizeof(struct ip); >> + esp_len = sizeof(struct esp_hdr) + sa->iv_len; >> + digest_len = sa->digest_len; >> + >> + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { >> + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); >> + return -1; >> + } >> + >> + nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*, >> + rte_pktmbuf_pkt_len(m) - digest_len - 1); >> + pad_len = nexthdr - 1; >> + >> + padding = pad_len - *pad_len; >> + for (i = 0; i < *pad_len; i++) { >> + if (padding[i] != i) { >> + IPSEC_LOG(ERR, IPSEC_ESP, "invalid pad_len field\n"); >> + return -EINVAL; >> + } >> + } >> + >> + if (rte_pktmbuf_trim(m, *pad_len + 2 + digest_len)) { >> + IPSEC_LOG(ERR, IPSEC_ESP, >> + "failed to remove pad_len + digest\n"); >> + return -EINVAL; >> + } >> + >> + return ip4ip_inbound(m, iphdr_len + esp_len); >> +} >> + >> +int >> +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop) >> +{ >> + uint16_t digest_len, esp_len, payload_len, block_sz, pad_len; >> + int32_t pad_payload_len; >> + struct ip *ip; >> + struct esp_hdr *esp; >> + int i; >> + char *padding; >> + >> + rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *) - RTE_CACHE_LINE_SIZE); >> + rte_prefetch0(rte_pktmbuf_mtod(m, uint8_t *)); >> + >> + IPSEC_ASSERT(m != NULL); >> + IPSEC_ASSERT(sa != NULL); >> + >> + /* Payload length */ >> + payload_len = rte_pktmbuf_pkt_len(m); >> + >> + block_sz = sa->block_size; >> + >> + /* Per RFC4303: >> + * padded payload needs to be multiple of 4 bytes. >> + * All application supported block sizes must be power of 2 >> + */ >> + pad_len = (payload_len + 2) & (block_sz - 1); >> + pad_len = ((block_sz - pad_len) & (block_sz - 1)) + 2; >> + >> + /* Padded payload length */ >> + pad_payload_len = payload_len + pad_len; >> + /* ESP header length */ >> + esp_len = sizeof(struct esp_hdr) + sa->iv_len; >> + /* Digest length */ >> + digest_len = sa->digest_len; >> + >> + IPSEC_LOG(DEBUG, IPSEC_ESP, >> + "pktlen %u, esp_len %u, digest_len %u, payload_len %u," >> + " pad_payload_len %u, block_sz %u, pad_len %u\n", >> + rte_pktmbuf_pkt_len(m), esp_len, digest_len, >> + payload_len, pad_payload_len, block_sz, pad_len); >> + >> + /* Check maximum packet size */ >> + if (unlikely(esp_len + pad_payload_len + digest_len > IP_MAXPACKET)) { >> + IPSEC_LOG(DEBUG, IPSEC_ESP, "ipsec packet is too big\n"); >> + return -EINVAL; >> + } >> + >> + padding = rte_pktmbuf_append(m, pad_len + digest_len); >> + >> + IPSEC_ASSERT(padding != NULL); >> + >> + ip = ip4ip_outbound(m, esp_len, sa->src, sa->dst); >> + >> + esp = (struct esp_hdr *)(ip + 1); >> + esp->spi = sa->spi; >> + >> + esp->seq = htonl(sa->seq++); >> + >> + IPSEC_LOG(DEBUG, IPSEC_ESP, "pktlen %u\n", rte_pktmbuf_pkt_len(m)); >> + >> + /* Fill pad_len using default sequential scheme */ >> + for (i = 0; i < pad_len - 2; i++) >> + padding[i] = i + 1; >> + >> + padding[pad_len - 2] = pad_len - 2; >> + padding[pad_len - 1] = IPPROTO_IPIP; >> + ip->ip_p = IPPROTO_ESP; >> + >> + cop->data.to_cipher.offset = sizeof(struct ip) + esp_len; >> + cop->data.to_cipher.length = pad_payload_len; >> + >> + cop->data.to_hash.offset = sizeof(struct ip); >> + cop->data.to_hash.length = esp_len + pad_payload_len; >> + >> + cop->iv.data = rte_pktmbuf_mtod_offset(m, void*, >> + sizeof(struct ip) + esp_len - sa->iv_len); >> + cop->iv.phys_addr = rte_pktmbuf_mtophys_offset(m, >> + sizeof(struct ip) + esp_len - sa->iv_len); >> + cop->iv.length = sa->iv_len; >> + >> + cop->digest.data = rte_pktmbuf_mtod_offset(m, void*, >> + sizeof(struct ip) + esp_len + pad_payload_len); >> + cop->digest.phys_addr = rte_pktmbuf_mtophys_offset(m, >> + sizeof(struct ip) + esp_len + pad_payload_len); >> + cop->digest.length = digest_len; >> + >> + random_iv_u64((uint64_t *)cop->iv.data, cop->iv.length); >> + >> + return 0; >> +} >> + >> +int >> +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m __rte_unused, >> + struct ipsec_sa *sa __rte_unused, >> + struct rte_crypto_op *cop) >> +{ >> + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { >> + IPSEC_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); >> + return -1; >> + } >> + >> + return 0; >> +} >> diff --git a/examples/ipsec-secgw/esp.h b/examples/ipsec-secgw/esp.h >> new file mode 100644 >> index 0000000..d7c8ba6 >> --- /dev/null >> +++ b/examples/ipsec-secgw/esp.h >> @@ -0,0 +1,66 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> +#ifndef __RTE_IPSEC_XFORM_ESP_H__ >> +#define __RTE_IPSEC_XFORM_ESP_H__ >> + >> +struct mbuf; >> + >> +/* RFC4303 */ >> +struct esp_hdr { >> + uint32_t spi; >> + uint32_t seq; >> + /* Payload */ >> + /* Padding */ >> + /* Pad Length */ >> + /* Next Header */ >> + /* Integrity Check Value - ICV */ >> +}; >> + >> +/* IPv4 Tunnel */ >> +int >> +esp4_tunnel_inbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +int >> +esp4_tunnel_inbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +int >> +esp4_tunnel_outbound_pre_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +int >> +esp4_tunnel_outbound_post_crypto(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +#endif /* __RTE_IPSEC_XFORM_ESP_H__ */ >> diff --git a/examples/ipsec-secgw/ipip.h b/examples/ipsec-secgw/ipip.h >> new file mode 100644 >> index 0000000..16c5dfb >> --- /dev/null >> +++ b/examples/ipsec-secgw/ipip.h >> @@ -0,0 +1,100 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#ifndef __IPIP_H__ >> +#define __IPIP_H__ >> + >> +#include >> +#include >> +#include >> + >> +#include >> + >> +static inline struct ip * >> +ip4ip_outbound(struct rte_mbuf *m, uint32_t offset, uint32_t src, uint32_t dst) >> +{ >> + struct ip *inip, *outip; >> + >> + inip = rte_pktmbuf_mtod(m, struct ip*); >> + >> + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); >> + >> + offset += sizeof(struct ip); >> + >> + outip = (struct ip *)rte_pktmbuf_prepend(m, offset); >> + >> + IPSEC_ASSERT(outip != NULL); >> + >> + /* Per RFC4301 5.1.2.1 */ >> + outip->ip_len = htons(rte_pktmbuf_data_len(m)); >> + outip->ip_v = IPVERSION; >> + outip->ip_hl = 5; >> + outip->ip_tos = inip->ip_tos; >> + >> + outip->ip_id = 0; >> + outip->ip_off = 0; >> + >> + outip->ip_ttl = IPDEFTTL; >> + >> + outip->ip_dst.s_addr = dst; >> + outip->ip_src.s_addr = src; >> + >> + return outip; >> +} >> + >> +static inline int >> +ip4ip_inbound(struct rte_mbuf *m, uint32_t offset) >> +{ >> + struct ip *inip; >> + struct ip *outip; >> + >> + outip = rte_pktmbuf_mtod(m, struct ip*); >> + >> + IPSEC_ASSERT(outip->ip_v == IPVERSION); >> + >> + offset += sizeof(struct ip); >> + inip = (struct ip *)rte_pktmbuf_adj(m, offset); >> + IPSEC_ASSERT(inip->ip_v == IPVERSION || inip->ip_v == IPV6_VERSION); >> + >> + /* Check packet is still bigger than IP header (inner) */ >> + IPSEC_ASSERT(rte_pktmbuf_pkt_len(m) > sizeof(struct ip)); >> + >> + /* RFC4301 5.1.2.1 Note 6 */ >> + if ((inip->ip_tos & htons(IPTOS_ECN_ECT0 | IPTOS_ECN_ECT1)) && >> + ((outip->ip_tos & htons(IPTOS_ECN_CE)) == IPTOS_ECN_CE)) >> + inip->ip_tos |= htons(IPTOS_ECN_CE); >> + >> + return 0; >> +} >> + >> +#endif /* __IPIP_H__ */ >> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c >> new file mode 100644 >> index 0000000..d2e8972 >> --- /dev/null >> +++ b/examples/ipsec-secgw/ipsec-secgw.c >> @@ -0,0 +1,1218 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +#include "ipsec.h" >> + >> +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 >> + >> +#define MAX_JUMBO_PKT_LEN 9600 >> + >> +#define MEMPOOL_CACHE_SIZE 256 >> + >> +#define NB_MBUF (32000) >> + >> +#define CDEV_MP_NB_OBJS 2048 >> +#define CDEV_MP_CACHE_SZ 64 >> +#define MAX_QUEUE_PAIRS 1 >> + >> +#define OPTION_CONFIG "config" >> +#define OPTION_EP0 "ep0" >> +#define OPTION_EP1 "ep1" >> +#define OPTION_CDEV_TYPE "cdev" >> + >> +#define MAX_PKT_BURST 32 >> +#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */ >> + >> +#define NB_SOCKETS 4 >> + >> +/* Configure how many packets ahead to prefetch, when reading packets */ >> +#define PREFETCH_OFFSET 3 >> + >> +#define MAX_RX_QUEUE_PER_LCORE 16 >> + >> +#define MAX_LCORE_PARAMS 1024 >> + >> +#define UNPROTECTED_PORT(port) (unprotected_port_mask & (1 << portid)) >> + >> +/* >> + * Configurable number of RX/TX ring descriptors >> + */ >> +#define IPSEC_SECGW_RX_DESC_DEFAULT 128 >> +#define IPSEC_SECGW_TX_DESC_DEFAULT 512 >> +static uint16_t nb_rxd = IPSEC_SECGW_RX_DESC_DEFAULT; >> +static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT; >> + >> +#if RTE_BYTE_ORDER != RTE_LITTLE_ENDIAN >> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ >> + (((uint64_t)((a) & 0xff) << 56) | \ >> + ((uint64_t)((b) & 0xff) << 48) | \ >> + ((uint64_t)((c) & 0xff) << 40) | \ >> + ((uint64_t)((d) & 0xff) << 32) | \ >> + ((uint64_t)((e) & 0xff) << 24) | \ >> + ((uint64_t)((f) & 0xff) << 16) | \ >> + ((uint64_t)((g) & 0xff) << 8) | \ >> + ((uint64_t)(h) & 0xff)) >> +#else >> +#define __BYTES_TO_UINT64(a, b, c, d, e, f, g, h) \ >> + (((uint64_t)((h) & 0xff) << 56) | \ >> + ((uint64_t)((g) & 0xff) << 48) | \ >> + ((uint64_t)((f) & 0xff) << 40) | \ >> + ((uint64_t)((e) & 0xff) << 32) | \ >> + ((uint64_t)((d) & 0xff) << 24) | \ >> + ((uint64_t)((c) & 0xff) << 16) | \ >> + ((uint64_t)((b) & 0xff) << 8) | \ >> + ((uint64_t)(a) & 0xff)) >> +#endif >> +#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0)) >> + >> +#define ETHADDR_TO_UINT64(addr) __BYTES_TO_UINT64( \ >> + addr.addr_bytes[0], addr.addr_bytes[1], \ >> + addr.addr_bytes[2], addr.addr_bytes[3], \ >> + addr.addr_bytes[4], addr.addr_bytes[5], \ >> + 0, 0) >> + >> +/* port/source ethernet addr and destination ethernet addr */ >> +struct ethaddr_info { >> + uint64_t src, dst; >> +}; >> + >> +struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = { >> + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x7e, 0x94, 0x9a) }, >> + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x22, 0xa1, 0xd9) }, >> + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x08, 0x69, 0x26) }, >> + { 0, ETHADDR(0x00, 0x16, 0x3e, 0x49, 0x9e, 0xdd) } >> +}; >> + >> +/* mask of enabled ports */ >> +static uint32_t enabled_port_mask; >> +static uint32_t unprotected_port_mask; >> +static int promiscuous_on = 1; >> +static int numa_on = 1; /**< NUMA is enabled by default. */ >> +static int ep = -1; /**< Endpoint configuration (0 or 1) */ >> +static unsigned cdev_type = -1; >> +static unsigned nb_lcores; >> + >> +struct buffer { >> + uint16_t len; >> + struct rte_mbuf *m_table[MAX_PKT_BURST]; >> +}; >> + >> +struct lcore_rx_queue { >> + uint8_t port_id; >> + uint8_t queue_id; >> +} __rte_cache_aligned; >> + >> +struct lcore_params { >> + uint8_t port_id; >> + uint8_t queue_id; >> + uint8_t lcore_id; >> +} __rte_cache_aligned; >> + >> +static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; >> + >> +static struct lcore_params *lcore_params; >> +static uint16_t nb_lcore_params; >> + >> +struct lcore_conf { >> + uint16_t nb_rx_queue; >> + struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE]; >> + uint16_t tx_queue_id[RTE_MAX_ETHPORTS]; >> + struct buffer tx_mbufs[RTE_MAX_ETHPORTS]; >> + uint16_t cdev; >> + uint16_t cdev_q; >> +} __rte_cache_aligned; >> + >> +static struct lcore_conf lcore_conf[RTE_MAX_LCORE]; >> + >> +static struct rte_eth_conf port_conf = { >> + .rxmode = { >> + .mq_mode = ETH_MQ_RX_RSS, >> + .max_rx_pkt_len = ETHER_MAX_LEN, >> + .split_hdr_size = 0, >> + .header_split = 0, /**< Header Split disabled */ >> + .hw_ip_checksum = 1, /**< IP checksum offload enabled */ >> + .hw_vlan_filter = 0, /**< VLAN filtering disabled */ >> + .jumbo_frame = 0, /**< Jumbo Frame Support disabled */ >> + .hw_strip_crc = 0, /**< CRC stripped by hardware */ >> + }, >> + .rx_adv_conf = { >> + .rss_conf = { >> + .rss_key = NULL, >> + .rss_hf = ETH_RSS_IP | ETH_RSS_UDP | >> + ETH_RSS_TCP | ETH_RSS_SCTP, >> + }, >> + }, >> + .txmode = { >> + .mq_mode = ETH_MQ_TX_NONE, >> + }, >> +}; >> + >> +static struct socket_ctx socket_ctx[NB_SOCKETS]; >> + >> +struct traffic_type { >> + const uint8_t *data[MAX_PKT_BURST * 2]; >> + struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; >> + uint32_t res[MAX_PKT_BURST * 2]; >> + uint32_t num; >> +}; >> + >> +struct ipsec_traffic { >> + struct traffic_type ipsec4; >> + struct traffic_type ipv4; >> +}; >> + >> +static inline void >> +prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) >> +{ >> + uint8_t *nlp; >> + >> + if (RTE_ETH_IS_IPV4_HDR(pkt->packet_type)) { >> + rte_pktmbuf_adj(pkt, ETHER_HDR_LEN); >> + nlp = rte_pktmbuf_mtod_offset(pkt, uint8_t *, >> + offsetof(struct ip, ip_p)); >> + if (*nlp == IPPROTO_ESP) >> + t->ipsec4.pkts[(t->ipsec4.num)++] = pkt; >> + else { >> + t->ipv4.data[t->ipv4.num] = nlp; >> + t->ipv4.pkts[(t->ipv4.num)++] = pkt; >> + } >> + } else { >> + /* Unknown/Unsupported type, drop the packet */ >> + rte_pktmbuf_free(pkt); >> + } >> +} >> + >> +static inline void >> +prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t, >> + uint16_t nb_pkts) >> +{ >> + int i; >> + >> + t->ipsec4.num = 0; >> + t->ipv4.num = 0; >> + >> + for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) { >> + rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET], >> + void *)); >> + prepare_one_packet(pkts[i], t); >> + } >> + /* Process left packets */ >> + for (; i < nb_pkts; i++) >> + prepare_one_packet(pkts[i], t); >> +} >> + >> +static inline void >> +prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port) >> +{ >> + pkt->ol_flags |= PKT_TX_IP_CKSUM | PKT_TX_IPV4; >> + pkt->l3_len = sizeof(struct ip); >> + pkt->l2_len = ETHER_HDR_LEN; >> + >> + uint64_t *ethhdr = (uint64_t *)rte_pktmbuf_prepend(pkt, ETHER_HDR_LEN); >> +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN >> + ethhdr[0] = ethaddr_tbl[port].dst | >> + ((ethaddr_tbl[port].src & 0xffff) << 48); >> + ethhdr[1] = ethaddr_tbl[port].src >> 16 | >> + ((uint64_t)rte_cpu_to_be_16(ETHER_TYPE_IPv4) << 32) | >> + (ethhdr[1] & (0xffffUL << 48)); >> +#else >> + ethhdr[0] = ethaddr_tbl[port].dst | >> + (ethaddr_tbl[port].src >> 48 & 0xffff); >> + ethhdr[1] = ethaddr_tbl[port].src << 16 | ((ETHER_TYPE_IPv4)UL << 16) | >> + (ethhdr[1] & 0xffffUL); >> +#endif >> +} >> + >> +static inline void >> +prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint8_t port) >> +{ >> + int i; >> + const int prefetch_offset = 2; >> + >> + for (i = 0; i < (nb_pkts - prefetch_offset); i++) { >> + rte_prefetch0(pkts[i + prefetch_offset]->cacheline1); >> + prepare_tx_pkt(pkts[i], port); >> + } >> + /* Process left packets */ >> + for (; i < nb_pkts; i++) >> + prepare_tx_pkt(pkts[i], port); >> +} >> + >> +/* Send burst of packets on an output interface */ >> +static inline int >> +send_burst(struct lcore_conf *qconf, uint16_t n, uint8_t port) >> +{ >> + struct rte_mbuf **m_table; >> + int ret; >> + uint16_t queueid; >> + >> + queueid = qconf->tx_queue_id[port]; >> + m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table; >> + >> + prepare_tx_burst(m_table, n, port); >> + >> + ret = rte_eth_tx_burst(port, queueid, m_table, n); >> + if (unlikely(ret < n)) { >> + do { >> + rte_pktmbuf_free(m_table[ret]); >> + } while (++ret < n); >> + } >> + >> + return 0; >> +} >> + >> +/* Enqueue a single packet, and send burst if queue is filled */ >> +static inline int >> +send_single_packet(struct rte_mbuf *m, uint8_t port) >> +{ >> + uint32_t lcore_id; >> + uint16_t len; >> + struct lcore_conf *qconf; >> + >> + lcore_id = rte_lcore_id(); >> + >> + qconf = &lcore_conf[lcore_id]; >> + len = qconf->tx_mbufs[port].len; >> + qconf->tx_mbufs[port].m_table[len] = m; >> + len++; >> + >> + /* enough pkts to be sent */ >> + if (unlikely(len == MAX_PKT_BURST)) { >> + send_burst(qconf, MAX_PKT_BURST, port); >> + len = 0; >> + } >> + >> + qconf->tx_mbufs[port].len = len; >> + return 0; >> +} >> + >> +static inline void >> +process_pkts_inbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) >> +{ >> + struct sa_ctx *sa_ctx = ctx->sa_ipv4_in; >> + struct sp_ctx *sp_ctx = ctx->sp_ipv4_in; >> + struct rte_mbuf *m; >> + uint16_t idx, nb_pkts_in, i, j; >> + uint32_t sa_idx, res; >> + struct ipsec_ctx ipsec_ctx; >> + struct lcore_conf *qconf; >> + >> + qconf = &lcore_conf[rte_lcore_id()]; >> + ipsec_ctx.cdev = qconf->cdev; >> + ipsec_ctx.queue = qconf->cdev_q; >> + ipsec_ctx.sa_ctx = sa_ctx; >> + >> + nb_pkts_in = ipsec_inbound(&ipsec_ctx, traffic->ipsec4.pkts, >> + traffic->ipsec4.num, MAX_PKT_BURST); >> + >> + /* SP/ACL Inbound check ipsec and ipv4 */ >> + for (i = 0; i < nb_pkts_in; i++) { >> + idx = traffic->ipv4.num++; >> + m = traffic->ipsec4.pkts[i]; >> + traffic->ipv4.pkts[idx] = m; >> + traffic->ipv4.data[idx] = rte_pktmbuf_mtod_offset(m, >> + uint8_t *, offsetof(struct ip, ip_p)); >> + } >> + >> + rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, >> + traffic->ipv4.res, traffic->ipv4.num, >> + DEFAULT_MAX_CATEGORIES); >> + >> + j = 0; >> + for (i = 0; i < traffic->ipv4.num - nb_pkts_in; i++) { >> + m = traffic->ipv4.pkts[i]; >> + res = traffic->ipv4.res[i]; >> + if (res & ~BYPASS) { >> + rte_pktmbuf_free(m); >> + continue; >> + } >> + traffic->ipv4.pkts[j++] = m; >> + } >> + /* Check return SA SPI matches pkt SPI */ >> + for ( ; i < traffic->ipv4.num; i++) { >> + m = traffic->ipv4.pkts[i]; >> + sa_idx = traffic->ipv4.res[i] & PROTECT_MASK; >> + if (sa_idx == 0 || !inbound_sa_check(sa_ctx, m, sa_idx)) { >> + rte_pktmbuf_free(m); >> + continue; >> + } >> + traffic->ipv4.pkts[j++] = m; >> + } >> + traffic->ipv4.num = j; >> +} >> + >> +static inline void >> +process_pkts_outbound(struct socket_ctx *ctx, struct ipsec_traffic *traffic) >> +{ >> + struct sa_ctx *sa_ctx = ctx->sa_ipv4_out; >> + struct sp_ctx *sp_ctx = ctx->sp_ipv4_out; >> + struct rte_mbuf *m; >> + uint16_t idx, nb_pkts_out, i, j; >> + uint32_t sa_idx, res; >> + struct ipsec_ctx ipsec_ctx; >> + struct lcore_conf *qconf; >> + >> + qconf = &lcore_conf[rte_lcore_id()]; >> + ipsec_ctx.cdev = qconf->cdev; >> + ipsec_ctx.queue = qconf->cdev_q; >> + ipsec_ctx.sa_ctx = sa_ctx; >> + >> + rte_acl_classify((struct rte_acl_ctx *)sp_ctx, traffic->ipv4.data, >> + traffic->ipv4.res, traffic->ipv4.num, >> + DEFAULT_MAX_CATEGORIES); > IMO, an option for single SA based outbound processing would be useful > measuring performance bottlenecks with SA lookup. > Hi Jerin, Are you suggesting to have an option so we basically encrypt all traffic using a single SA bypassing the SP/ACL ? Currently the ACL entry contains the SA index in the SA table, so there is no SA lookup on outbound. That might have to change a bit if we were to add IKE support. >> + j = 0; >> + for (i = 0; i < traffic->ipv4.num; i++) { >> + m = traffic->ipv4.pkts[i]; >> + res = traffic->ipv4.res[i]; >> + sa_idx = res & PROTECT_MASK; >> + if (res & DISCARD) { >> + rte_pktmbuf_free(m); >> + } else if (sa_idx != 0) { >> + traffic->ipsec4.res[traffic->ipsec4.num] = sa_idx; >> + traffic->ipsec4.pkts[traffic->ipsec4.num++] = m; >> + } else /* BYPASS */ >> + traffic->ipv4.pkts[j++] = m; >> + } >> + traffic->ipv4.num = j; >> + >> + nb_pkts_out = ipsec_outbound(&ipsec_ctx, traffic->ipsec4.pkts, >> + traffic->ipsec4.res, traffic->ipsec4.num, >> + MAX_PKT_BURST); >> + >> + for (i = 0; i < nb_pkts_out; i++) { >> + idx = traffic->ipv4.num++; >> + m = traffic->ipsec4.pkts[i]; >> + traffic->ipv4.pkts[idx] = m; >> + } >> +} >> + >> +static inline void >> +route_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts) >> +{ >> + uint16_t hop[MAX_PKT_BURST * 2]; >> + uint32_t dst_ip[MAX_PKT_BURST * 2]; >> + uint16_t i, offset; >> + >> + if (nb_pkts == 0) >> + return; >> + >> + for (i = 0; i < nb_pkts; i++) { >> + offset = offsetof(struct ip, ip_dst); >> + dst_ip[i] = *rte_pktmbuf_mtod_offset(pkts[i], >> + uint32_t *, offset); >> + dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]); >> + } >> + >> + rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, nb_pkts); >> + >> + for (i = 0; i < nb_pkts; i++) { >> + if ((hop[i] & RTE_LPM_LOOKUP_SUCCESS) == 0) { >> + rte_pktmbuf_free(pkts[i]); >> + continue; >> + } >> + send_single_packet(pkts[i], hop[i] & 0xff); >> + } >> +} >> + >> +static inline void >> +process_pkts(struct socket_ctx *ctx, struct rte_mbuf **pkts, >> + uint8_t nb_pkts, uint8_t portid) >> +{ >> + struct ipsec_traffic traffic; >> + >> + prepare_traffic(pkts, &traffic, nb_pkts); >> + >> + if (UNPROTECTED_PORT(portid)) >> + process_pkts_inbound(ctx, &traffic); >> + else >> + process_pkts_outbound(ctx, &traffic); >> + >> + route_pkts(ctx->rt_ipv4, traffic.ipv4.pkts, traffic.ipv4.num); >> +} >> + >> +static inline void >> +drain_buffers(struct lcore_conf *qconf) >> +{ >> + struct buffer *buf; >> + unsigned portid; >> + >> + for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) { >> + buf = &qconf->tx_mbufs[portid]; >> + if (buf->len == 0) >> + continue; >> + send_burst(qconf, buf->len, portid); >> + buf->len = 0; >> + } >> +} >> + >> +/* main processing loop */ >> +static int >> +main_loop(__attribute__((unused)) void *dummy) >> +{ >> + struct rte_mbuf *pkts[MAX_PKT_BURST]; >> + unsigned lcore_id; >> + uint64_t prev_tsc, diff_tsc, cur_tsc; >> + int i, nb_rx; >> + uint8_t portid, queueid; >> + struct lcore_conf *qconf; >> + int socket_id; >> + const uint64_t drain_tsc = (rte_get_tsc_hz() + US_PER_S - 1) >> + / US_PER_S * BURST_TX_DRAIN_US; >> + struct socket_ctx *ctx; >> + struct lcore_rx_queue *rxql; >> + >> + prev_tsc = 0; >> + lcore_id = rte_lcore_id(); >> + qconf = &lcore_conf[lcore_id]; >> + rxql = qconf->rx_queue_list; >> + socket_id = rte_lcore_to_socket_id(lcore_id); >> + >> + ctx = &socket_ctx[socket_id]; >> + >> + if (qconf->nb_rx_queue == 0) { >> + RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id); >> + return 0; >> + } >> + >> + RTE_LOG(INFO, IPSEC, "entering main loop on lcore %u\n", lcore_id); >> + >> + for (i = 0; i < qconf->nb_rx_queue; i++) { >> + portid = rxql[i].port_id; >> + queueid = rxql[i].queue_id; >> + RTE_LOG(INFO, IPSEC, >> + " -- lcoreid=%u portid=%hhu rxqueueid=%hhu\n", >> + lcore_id, portid, queueid); >> + } >> + >> + while (1) { >> + cur_tsc = rte_rdtsc(); >> + >> + /* TX queue buffer drain */ >> + diff_tsc = cur_tsc - prev_tsc; >> + >> + if (unlikely(diff_tsc > drain_tsc)) { >> + drain_buffers(qconf); >> + prev_tsc = cur_tsc; >> + } >> + >> + /* Read packet from RX queues */ >> + for (i = 0; i < qconf->nb_rx_queue; ++i) { >> + portid = rxql[i].port_id; >> + queueid = rxql[i].queue_id; >> + nb_rx = rte_eth_rx_burst(portid, queueid, >> + pkts, MAX_PKT_BURST); >> + >> + if (nb_rx > 0) >> + process_pkts(ctx, pkts, nb_rx, portid); >> + } >> + } >> +} >> + >> +static int >> +check_params(void) >> +{ >> + uint8_t lcore, portid, nb_ports; >> + uint16_t i; >> + int socket_id; >> + >> + if (lcore_params == NULL) { >> + printf("Error: No port/queue/core mappings\n"); >> + return -1; >> + } >> + >> + nb_ports = rte_eth_dev_count(); >> + if (nb_ports > RTE_MAX_ETHPORTS) >> + nb_ports = RTE_MAX_ETHPORTS; >> + >> + for (i = 0; i < nb_lcore_params; ++i) { >> + lcore = lcore_params[i].lcore_id; >> + if (!rte_lcore_is_enabled(lcore)) { >> + printf("error: lcore %hhu is not enabled in " >> + "lcore mask\n", lcore); >> + return -1; >> + } >> + socket_id = rte_lcore_to_socket_id(lcore); >> + if (socket_id != 0 && numa_on == 0) { >> + printf("warning: lcore %hhu is on socket %d " >> + "with numa off\n", >> + lcore, socket_id); >> + } >> + portid = lcore_params[i].port_id; >> + if ((enabled_port_mask & (1 << portid)) == 0) { >> + printf("port %u is not enabled in port mask\n", portid); >> + return -1; >> + } >> + if (portid >= nb_ports) { >> + printf("port %u is not present on the board\n", portid); >> + return -1; >> + } >> + } >> + return 0; >> +} >> + >> +static uint8_t >> +get_port_nb_rx_queues(const uint8_t port) >> +{ >> + int queue = -1; >> + uint16_t i; >> + >> + for (i = 0; i < nb_lcore_params; ++i) { >> + if (lcore_params[i].port_id == port && >> + lcore_params[i].queue_id > queue) >> + queue = lcore_params[i].queue_id; >> + } >> + return (uint8_t)(++queue); >> +} >> + >> +static int >> +init_lcore_rx_queues(void) >> +{ >> + uint16_t i, nb_rx_queue; >> + uint8_t lcore; >> + >> + for (i = 0; i < nb_lcore_params; ++i) { >> + lcore = lcore_params[i].lcore_id; >> + nb_rx_queue = lcore_conf[lcore].nb_rx_queue; >> + if (nb_rx_queue >= MAX_RX_QUEUE_PER_LCORE) { >> + printf("error: too many queues (%u) for lcore: %u\n", >> + nb_rx_queue + 1, lcore); >> + return -1; >> + } >> + lcore_conf[lcore].rx_queue_list[nb_rx_queue].port_id = >> + lcore_params[i].port_id; >> + lcore_conf[lcore].rx_queue_list[nb_rx_queue].queue_id = >> + lcore_params[i].queue_id; >> + lcore_conf[lcore].nb_rx_queue++; >> + } >> + return 0; >> +} >> + >> +/* display usage */ >> +static void >> +print_usage(const char *prgname) >> +{ >> + printf("%s [EAL options] -- -p PORTMASK -P -u PORTMASK" >> + " --"OPTION_CONFIG" (port,queue,lcore)[,(port,queue,lcore]" >> + " --EP0|--EP1 --cdev AESNI|QAT\n" >> + " -p PORTMASK: hexadecimal bitmask of ports to configure\n" >> + " -P : enable promiscuous mode\n" >> + " -u PORTMASK: hexadecimal bitmask of unprotected ports\n" >> + " --"OPTION_CONFIG": (port,queue,lcore): " >> + "rx queues configuration\n" >> + " --cdev AESNI | QAT\n" >> + " --EP0: Configure as Endpoint 0\n" >> + " --EP1: Configure as Endpoint 1\n", prgname); >> +} >> + >> +static int >> +parse_portmask(const char *portmask) >> +{ >> + char *end = NULL; >> + unsigned long pm; >> + >> + /* parse hexadecimal string */ >> + pm = strtoul(portmask, &end, 16); >> + if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0')) >> + return -1; >> + >> + if (pm == 0) >> + return -1; >> + >> + return pm; >> +} >> + >> +static int >> +parse_config(const char *q_arg) >> +{ >> + char s[256]; >> + const char *p, *p0 = q_arg; >> + char *end; >> + enum fieldnames { >> + FLD_PORT = 0, >> + FLD_QUEUE, >> + FLD_LCORE, >> + _NUM_FLD >> + }; >> + unsigned long int_fld[_NUM_FLD]; >> + char *str_fld[_NUM_FLD]; >> + int i; >> + unsigned size; >> + >> + nb_lcore_params = 0; >> + >> + while ((p = strchr(p0, '(')) != NULL) { >> + ++p; >> + p0 = strchr(p, ')'); >> + if (p0 == NULL) >> + return -1; >> + >> + size = p0 - p; >> + if (size >= sizeof(s)) >> + return -1; >> + >> + snprintf(s, sizeof(s), "%.*s", size, p); >> + if (rte_strsplit(s, sizeof(s), str_fld, _NUM_FLD, ',') != >> + _NUM_FLD) >> + return -1; >> + for (i = 0; i < _NUM_FLD; i++) { >> + errno = 0; >> + int_fld[i] = strtoul(str_fld[i], &end, 0); >> + if (errno != 0 || end == str_fld[i] || int_fld[i] > 255) >> + return -1; >> + } >> + if (nb_lcore_params >= MAX_LCORE_PARAMS) { >> + printf("exceeded max number of lcore params: %hu\n", >> + nb_lcore_params); >> + return -1; >> + } >> + lcore_params_array[nb_lcore_params].port_id = >> + (uint8_t)int_fld[FLD_PORT]; >> + lcore_params_array[nb_lcore_params].queue_id = >> + (uint8_t)int_fld[FLD_QUEUE]; >> + lcore_params_array[nb_lcore_params].lcore_id = >> + (uint8_t)int_fld[FLD_LCORE]; >> + ++nb_lcore_params; >> + } >> + lcore_params = lcore_params_array; >> + return 0; >> +} >> + >> +#define __STRNCMP(name, opt) (!strncmp(name, opt, sizeof(opt))) >> +static int >> +parse_args_long_options(struct option *lgopts, int option_index) >> +{ >> + int ret = -1; >> + const char *optname = lgopts[option_index].name; >> + >> + if (__STRNCMP(optname, OPTION_CONFIG)) { >> + ret = parse_config(optarg); >> + if (ret) >> + printf("invalid config\n"); >> + } >> + >> + if (__STRNCMP(optname, OPTION_EP0)) { >> + printf("endpoint 0\n"); >> + ep = 0; >> + ret = 0; >> + } >> + >> + if (__STRNCMP(optname, OPTION_EP1)) { >> + printf("endpoint 1\n"); >> + ep = 1; >> + ret = 0; >> + } >> + >> + if (__STRNCMP(optname, OPTION_CDEV_TYPE)) { >> + if (__STRNCMP(optarg, "AESNI")) { >> + cdev_type = RTE_CRYPTODEV_AESNI_MB_PMD; >> + ret = 0; >> + } else if (__STRNCMP(optarg, "QAT")) { >> + cdev_type = RTE_CRYPTODEV_QAT_PMD; >> + ret = 0; >> + } >> + } >> + >> + return ret; >> +} >> +#undef __STRNCMP >> + >> +static int >> +parse_args(int argc, char **argv) >> +{ >> + int opt, ret; >> + char **argvopt; >> + int option_index; >> + char *prgname = argv[0]; >> + static struct option lgopts[] = { >> + {OPTION_CONFIG, 1, 0, 0}, >> + {OPTION_EP0, 0, 0, 0}, >> + {OPTION_EP1, 0, 0, 0}, >> + {OPTION_CDEV_TYPE, 1, 0, 0}, >> + {NULL, 0, 0, 0} >> + }; >> + >> + argvopt = argv; >> + >> + while ((opt = getopt_long(argc, argvopt, "p:Pu:", >> + lgopts, &option_index)) != EOF) { >> + >> + switch (opt) { >> + case 'p': >> + enabled_port_mask = parse_portmask(optarg); >> + if (enabled_port_mask == 0) { >> + printf("invalid portmask\n"); >> + print_usage(prgname); >> + return -1; >> + } >> + break; >> + case 'P': >> + printf("Promiscuous mode selected\n"); >> + promiscuous_on = 1; >> + break; >> + case 'u': >> + unprotected_port_mask = parse_portmask(optarg); >> + if (unprotected_port_mask == 0) { >> + printf("invalid unprotected portmask\n"); >> + print_usage(prgname); >> + return -1; >> + } >> + break; >> + case 0: >> + if (parse_args_long_options(lgopts, option_index)) { >> + print_usage(prgname); >> + return -1; >> + } >> + break; >> + default: >> + print_usage(prgname); >> + return -1; >> + } >> + } >> + >> + if (optind >= 0) >> + argv[optind-1] = prgname; >> + >> + ret = optind-1; >> + optind = 0; /* reset getopt lib */ >> + return ret; >> +} >> + >> +static void >> +print_ethaddr(const char *name, const struct ether_addr *eth_addr) >> +{ >> + char buf[ETHER_ADDR_FMT_SIZE]; >> + ether_format_addr(buf, ETHER_ADDR_FMT_SIZE, eth_addr); >> + printf("%s%s", name, buf); >> +} >> + >> +/* Check the link status of all ports in up to 9s, and print them finally */ >> +static void >> +check_all_ports_link_status(uint8_t port_num, uint32_t port_mask) >> +{ >> +#define CHECK_INTERVAL 100 /* 100ms */ >> +#define MAX_CHECK_TIME 90 /* 9s (90 * 100ms) in total */ >> + uint8_t portid, count, all_ports_up, print_flag = 0; >> + struct rte_eth_link link; >> + >> + printf("\nChecking link status"); >> + fflush(stdout); >> + for (count = 0; count <= MAX_CHECK_TIME; count++) { >> + all_ports_up = 1; >> + for (portid = 0; portid < port_num; portid++) { >> + if ((port_mask & (1 << portid)) == 0) >> + continue; >> + memset(&link, 0, sizeof(link)); >> + rte_eth_link_get_nowait(portid, &link); >> + /* print link status if flag set */ >> + if (print_flag == 1) { >> + if (link.link_status) >> + printf("Port %d Link Up - speed %u " >> + "Mbps - %s\n", (uint8_t)portid, >> + (unsigned)link.link_speed, >> + (link.link_duplex == ETH_LINK_FULL_DUPLEX) ? >> + ("full-duplex") : ("half-duplex\n")); >> + else >> + printf("Port %d Link Down\n", >> + (uint8_t)portid); >> + continue; >> + } >> + /* clear all_ports_up flag if any link down */ >> + if (link.link_status == 0) { >> + all_ports_up = 0; >> + break; >> + } >> + } >> + /* after finally printing all link status, get out */ >> + if (print_flag == 1) >> + break; >> + >> + if (all_ports_up == 0) { >> + printf("."); >> + fflush(stdout); >> + rte_delay_ms(CHECK_INTERVAL); >> + } >> + >> + /* set the print_flag if all ports up or timeout */ >> + if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) { >> + print_flag = 1; >> + printf("done\n"); >> + } >> + } >> +} >> + >> +static uint16_t >> +find_next_cdev(unsigned cdev_type, uint16_t start_cdev_id) >> +{ >> + uint16_t cdev_id, cnt; >> + struct rte_cryptodev_info info; >> + >> + cnt = rte_cryptodev_count(); >> + for (cdev_id = start_cdev_id; cdev_id < cnt; cdev_id++) { >> + rte_cryptodev_info_get(cdev_id, &info); >> + if (info.dev_type == cdev_type) >> + return cdev_id; >> + } >> + >> + return -1; >> +} >> + >> +static uint16_t >> +find_cdev_socket(int socket_id, unsigned cdev_type) >> +{ >> + uint16_t cdev_id, cnt; >> + struct rte_cryptodev_info info; >> + int cdev_socket; >> + >> + cnt = rte_cryptodev_count(); >> + for (cdev_id = 0; cdev_id < cnt; cdev_id++) { >> + rte_cryptodev_info_get(cdev_id, &info); >> + cdev_socket = rte_cryptodev_socket_id(cdev_id); >> + if ((info.dev_type == cdev_type) && (cdev_socket == socket_id)) >> + return cdev_id; >> + } >> + >> + return -1; >> +} >> + >> +static int >> +cryptodevs_init(void) >> +{ >> + struct rte_cryptodev_config dev_conf; >> + struct rte_cryptodev_qp_conf qp_conf; >> + struct lcore_conf *qconf; >> + uint16_t cnt, lcore_id, cdev_id; >> + int ret, i, socket_id; >> + >> + if (cdev_type == RTE_CRYPTODEV_QAT_PMD) { >> + cnt = rte_cryptodev_count_devtype(RTE_CRYPTODEV_QAT_PMD); >> + printf("Found %u QAT devices\n", cnt); >> + if (cnt < nb_lcores) >> + rte_panic("Not enough QAT devices detected, " >> + "need %u (1 per core), found %d\n", >> + nb_lcores, cnt); >> + } else if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { >> + printf("Initializing %u AESNI vdevs\n", rte_lcore_count()); > Is it possible to remove PMD specific Initialization code from the > application and move driver layer so that new crypto pmd inclusion will > not have any change in this place. Yes, it should be possible now that we have: http://dpdk.org/ml/archives/dev/2016-January/032448.html I also plan to rework the code a bit to use the new cryptodev API: http://dpdk.org/ml/archives/dev/2016-January/032445.html >> + for (i = 0; i < (int)rte_lcore_count(); i++) { >> + ret = rte_eal_vdev_init( >> + CRYPTODEV_NAME_AESNI_MB_PMD, >> + NULL); >> + if (ret < 0) >> + rte_panic("Failed to create AESNI-MB vdev\n"); >> + } >> + } else >> + rte_panic("Need to set cryptodev type option --cdev\n"); >> + >> + cdev_id = 0; >> + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { >> + if (rte_lcore_is_enabled(lcore_id) == 0) >> + continue; >> + >> + socket_id = rte_lcore_to_socket_id(lcore_id); >> + cdev_id = find_next_cdev(cdev_type, cdev_id); >> + qconf = &lcore_conf[lcore_id]; >> + qconf->cdev = cdev_id; >> + qconf->cdev_q = 0; >> + if (cdev_type == RTE_CRYPTODEV_AESNI_MB_PMD) { >> + dev_conf.socket_id = socket_id; >> + printf("Initializing AESNI-MB device %u socket %u\n", >> + cdev_id, socket_id); >> + } else { >> + dev_conf.socket_id = rte_cryptodev_socket_id(cdev_id); >> + printf("Initialising QAT device %u\n", cdev_id); >> + } >> + >> + dev_conf.nb_queue_pairs = 1; >> + dev_conf.session_mp.nb_objs = CDEV_MP_NB_OBJS; >> + dev_conf.session_mp.cache_size = CDEV_MP_CACHE_SZ; >> + >> + if (rte_cryptodev_configure(cdev_id, &dev_conf)) >> + rte_panic("Failed to initialize crypodev %u\n", >> + cdev_id); >> + >> + qp_conf.nb_descriptors = CDEV_MP_NB_OBJS; >> + if (rte_cryptodev_queue_pair_setup(cdev_id, 0, &qp_conf, >> + dev_conf.socket_id)) >> + rte_panic("Failed to setup queue %u for cdev_id %u\n", >> + 0, cdev_id); >> + cdev_id++; >> + } >> + >> + return 0; >> +} >> + >> +static void >> +port_init(uint8_t portid) >> +{ >> + struct rte_eth_dev_info dev_info; >> + struct rte_eth_txconf *txconf; >> + uint16_t nb_tx_queue, nb_rx_queue; >> + uint16_t tx_queueid, rx_queueid, queue, lcore_id; >> + int ret, socket_id; >> + struct lcore_conf *qconf; >> + struct ether_addr ethaddr; >> + >> + rte_eth_dev_info_get(portid, &dev_info); >> + >> + printf("Configuring device port %u:\n", portid); >> + >> + rte_eth_macaddr_get(portid, ðaddr); >> + ethaddr_tbl[portid].src = ETHADDR_TO_UINT64(ethaddr); >> + print_ethaddr("Address: ", ðaddr); >> + printf("\n"); >> + >> + nb_rx_queue = get_port_nb_rx_queues(portid); >> + nb_tx_queue = nb_lcores; >> + >> + if (nb_rx_queue > dev_info.max_rx_queues) >> + rte_exit(EXIT_FAILURE, "Error: queue %u not available " >> + "(max rx queue is %u)\n", >> + nb_rx_queue, dev_info.max_rx_queues); >> + >> + if (nb_tx_queue > dev_info.max_tx_queues) >> + rte_exit(EXIT_FAILURE, "Error: queue %u not available " >> + "(max tx queue is %u)\n", >> + nb_tx_queue, dev_info.max_tx_queues); >> + >> + printf("Creating queues: nb_rx_queue=%d nb_tx_queue=%u...\n", >> + nb_rx_queue, nb_tx_queue); >> + >> + ret = rte_eth_dev_configure(portid, nb_rx_queue, nb_tx_queue, >> + &port_conf); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "Cannot configure device: " >> + "err=%d, port=%d\n", ret, portid); >> + >> + /* init one TX queue per lcore */ >> + tx_queueid = 0; >> + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { >> + if (rte_lcore_is_enabled(lcore_id) == 0) >> + continue; >> + >> + if (numa_on) >> + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); >> + else >> + socket_id = 0; >> + >> + /* init TX queue */ >> + printf("Setup txq=%u,%d,%d\n", lcore_id, tx_queueid, socket_id); >> + >> + txconf = &dev_info.default_txconf; >> + txconf->txq_flags = 0; >> + >> + ret = rte_eth_tx_queue_setup(portid, tx_queueid, nb_txd, >> + socket_id, txconf); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "rte_eth_tx_queue_setup: " >> + "err=%d, port=%d\n", ret, portid); >> + >> + qconf = &lcore_conf[lcore_id]; >> + qconf->tx_queue_id[portid] = tx_queueid; >> + tx_queueid++; >> + >> + /* init RX queues */ >> + for (queue = 0; queue < qconf->nb_rx_queue; ++queue) { >> + if (portid != qconf->rx_queue_list[queue].port_id) >> + continue; >> + >> + rx_queueid = qconf->rx_queue_list[queue].queue_id; >> + >> + printf("Setup rxq=%d,%d,%d\n", portid, rx_queueid, >> + socket_id); >> + >> + ret = rte_eth_rx_queue_setup(portid, rx_queueid, >> + nb_rxd, socket_id, NULL, >> + socket_ctx[socket_id].mbuf_pool); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, >> + "rte_eth_rx_queue_setup: err=%d, " >> + "port=%d\n", ret, portid); >> + } >> + } >> + printf("\n"); >> +} >> + >> +static void >> +pool_init(struct socket_ctx *ctx, int socket_id, unsigned nb_mbuf) >> +{ >> + char s[64]; >> + >> + snprintf(s, sizeof(s), "mbuf_pool_%d", socket_id); >> + ctx->mbuf_pool = rte_pktmbuf_pool_create(s, nb_mbuf, >> + MEMPOOL_CACHE_SIZE, ipsec_metadata_size(), >> + RTE_MBUF_DEFAULT_BUF_SIZE, >> + socket_id); >> + if (ctx->mbuf_pool == NULL) >> + rte_exit(EXIT_FAILURE, "Cannot init mbuf pool on socket %d\n", >> + socket_id); >> + else >> + printf("Allocated mbuf pool on socket %d\n", socket_id); >> +} >> + >> +int >> +main(int argc, char **argv) >> +{ >> + int ret; >> + unsigned lcore_id, nb_ports; >> + uint8_t portid, socket_id; >> + >> + /* init EAL */ >> + ret = rte_eal_init(argc, argv); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n"); >> + argc -= ret; >> + argv += ret; >> + >> + /* parse application arguments (after the EAL ones) */ >> + ret = parse_args(argc, argv); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "Invalid parameters\n"); >> + >> + if (ep < 0) >> + rte_exit(EXIT_FAILURE, "need to choose either EP0 or EP1\n"); >> + >> + if ((unprotected_port_mask & enabled_port_mask) != >> + unprotected_port_mask) >> + rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n", >> + unprotected_port_mask); >> + >> + nb_ports = rte_eth_dev_count(); >> + if (nb_ports > RTE_MAX_ETHPORTS) >> + nb_ports = RTE_MAX_ETHPORTS; >> + >> + if (check_params() < 0) >> + rte_exit(EXIT_FAILURE, "check_params failed\n"); >> + >> + ret = init_lcore_rx_queues(); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "init_lcore_rx_queues failed\n"); >> + >> + nb_lcores = rte_lcore_count(); >> + >> + cryptodevs_init(); >> + >> + /* Replicate each contex per socket */ >> + for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { >> + if (rte_lcore_is_enabled(lcore_id) == 0) >> + continue; >> + >> + if (numa_on) >> + socket_id = (uint8_t)rte_lcore_to_socket_id(lcore_id); >> + else >> + socket_id = 0; >> + >> + if (socket_ctx[socket_id].mbuf_pool) >> + continue; >> + >> + sa_init(&socket_ctx[socket_id], socket_id, ep, >> + find_cdev_socket(socket_id, cdev_type)); >> + >> + sp_init(&socket_ctx[socket_id], socket_id, ep); >> + >> + rt_init(&socket_ctx[socket_id], socket_id, ep); >> + >> + pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); >> + } >> + >> + for (portid = 0; portid < nb_ports; portid++) { >> + if ((enabled_port_mask & (1 << portid)) == 0) >> + continue; >> + >> + port_init(portid); >> + } >> + >> + /* start ports */ >> + for (portid = 0; portid < nb_ports; portid++) { >> + if ((enabled_port_mask & (1 << portid)) == 0) >> + continue; >> + >> + /* Start device */ >> + ret = rte_eth_dev_start(portid); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " >> + "err=%d, port=%d\n", ret, portid); >> + /* >> + * If enabled, put device in promiscuous mode. >> + * This allows IO forwarding mode to forward packets >> + * to itself through 2 cross-connected ports of the >> + * target machine. >> + */ >> + if (promiscuous_on) >> + rte_eth_promiscuous_enable(portid); >> + } >> + >> + check_all_ports_link_status((uint8_t)nb_ports, enabled_port_mask); >> + >> + /* launch per-lcore init on every lcore */ >> + rte_eal_mp_remote_launch(main_loop, NULL, CALL_MASTER); >> + RTE_LCORE_FOREACH_SLAVE(lcore_id) { >> + if (rte_eal_wait_lcore(lcore_id) < 0) >> + return -1; >> + } >> + >> + return 0; >> +} >> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c >> new file mode 100644 >> index 0000000..83e3326 >> --- /dev/null >> +++ b/examples/ipsec-secgw/ipsec.c >> @@ -0,0 +1,138 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#include >> +#include >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +#include "ipsec.h" >> + >> +static inline uint16_t >> +ipsec_processing(uint8_t cdev_id, uint16_t qp_id, struct rte_mbuf *pkts[], >> + struct ipsec_sa *sas[], uint16_t nb_pkts, uint16_t max_pkts) >> +{ >> + int ret, i, j; >> + struct ipsec_mbuf_metadata *priv; >> + struct rte_mbuf_offload *ol; >> + struct ipsec_sa *sa; >> + >> + j = 0; >> + for (i = 0; i < nb_pkts; i++) { >> + rte_prefetch0(sas[i]); >> + rte_prefetch0(pkts[i]); >> + >> + priv = get_priv(pkts[i]); >> + ol = &priv->ol; >> + sa = sas[i]; >> + priv->sa = sa; >> + >> + IPSEC_ASSERT(sa != NULL); >> + >> + __rte_pktmbuf_offload_reset(ol, RTE_PKTMBUF_OL_CRYPTO); >> + >> + rte_crypto_op_attach_session(&ol->op.crypto, >> + sa->crypto_session); >> + >> + pkts[i]->offload_ops = ol; >> + >> + ret = sa->pre_crypto(pkts[i], sa, &ol->op.crypto); >> + if (unlikely(ret)) >> + rte_pktmbuf_free(pkts[i]); >> + else >> + pkts[j++] = pkts[i]; >> + } >> + nb_pkts = j; >> + >> + ret = rte_cryptodev_enqueue_burst(cdev_id, qp_id, pkts, nb_pkts); >> + if (ret < nb_pkts) { >> + IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" >> + " enqueued %u packets (out of %u)\n", >> + cdev_id, qp_id, ret, nb_pkts); >> + for (i = ret; i < nb_pkts; i++) >> + rte_pktmbuf_free(pkts[i]); >> + } >> + >> + nb_pkts = rte_cryptodev_dequeue_burst(cdev_id, qp_id, pkts, max_pkts); >> + if ((nb_pkts != 0) && (nb_pkts < max_pkts)) >> + IPSEC_LOG(DEBUG, IPSEC, "Cryptodev %u queue %u:" >> + " dequeued %u packets (out of %u)\n", >> + cdev_id, qp_id, nb_pkts, max_pkts); >> + >> + j = 0; >> + for (i = 0; i < nb_pkts; i++) { >> + rte_prefetch0(pkts[i]); >> + >> + priv = get_priv(pkts[i]); >> + ol = &priv->ol; >> + sa = priv->sa; >> + rte_prefetch0(sa); >> + >> + IPSEC_ASSERT(sa != NULL); >> + >> + ret = sa->post_crypto(pkts[i], sa, &ol->op.crypto); >> + if (unlikely(ret)) >> + rte_pktmbuf_free(pkts[i]); >> + else >> + pkts[j++] = pkts[i]; >> + } >> + >> + /* return packets */ >> + return j; >> +} >> + >> +uint16_t >> +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], >> + uint16_t nb_pkts, uint16_t len) >> +{ >> + struct ipsec_sa *sas[nb_pkts]; >> + >> + inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts); >> + >> + return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); >> +} >> + >> +uint16_t >> +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], >> + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len) >> +{ >> + struct ipsec_sa *sas[nb_pkts]; >> + >> + outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts); >> + >> + return ipsec_processing(ctx->cdev, ctx->queue, pkts, sas, nb_pkts, len); >> +} >> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h >> new file mode 100644 >> index 0000000..abf9d5f >> --- /dev/null >> +++ b/examples/ipsec-secgw/ipsec.h >> @@ -0,0 +1,184 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +#ifndef __IPSEC_H__ >> +#define __IPSEC_H__ >> + >> +#include >> +#include >> +#include >> + >> +#include >> +#include >> +#include >> + >> +#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 >> +#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 >> +#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3 >> + >> +#ifdef IPSEC_DEBUG >> +#define IPSEC_ASSERT(exp) \ >> +if (!(exp)) { \ >> + rte_panic("line%d\tassert \"" #exp "\" failed\n", __LINE__); \ >> +} >> + >> +#define IPSEC_LOG RTE_LOG >> +#else >> +#define IPSEC_ASSERT(exp) do {} while (0) >> +#define IPSEC_LOG(...) do {} while (0) >> +#endif /* IPSEC_DEBUG */ >> + >> +#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ >> + >> +#define uint32_t_to_char(ip, a, b, c, d) do {\ >> + *a = (unsigned char)(ip >> 24 & 0xff);\ >> + *b = (unsigned char)(ip >> 16 & 0xff);\ >> + *c = (unsigned char)(ip >> 8 & 0xff);\ >> + *d = (unsigned char)(ip & 0xff);\ >> + } while (0) >> + >> +#define DEFAULT_MAX_CATEGORIES 1 >> + >> +#define IPSEC_SA_MAX_ENTRIES (64) /* must be power of 2, max 2 power 30 */ >> +#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) >> +#define INVALID_SPI (0) >> + >> +#define DISCARD (0x80000000) >> +#define BYPASS (0x40000000) >> +#define PROTECT_MASK (0x3fffffff) >> +#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ >> + >> +#define IPSEC_XFORM_MAX 2 >> + >> +struct rte_crypto_xform; >> +struct ipsec_xform; >> +struct rte_cryptodev_session; >> +struct rte_mbuf; >> + >> +struct replay { >> + uint32_t seq_h; >> +}; >> + >> +struct lifetime { >> + uint64_t bytes; >> + uint64_t seconds; >> +}; >> + >> +struct ipsec_sa; >> + >> +typedef int (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa, >> + struct rte_crypto_op *cop); >> + >> +struct ipsec_sa { >> + uint32_t spi; >> + uint32_t seq; >> + uint32_t src; >> + uint32_t dst; >> + struct rte_cryptodev_session *crypto_session; >> + struct rte_crypto_xform *xforms; >> + enum rte_crypto_cipher_algorithm cipher_algo; >> + enum rte_crypto_auth_algorithm auth_algo; >> + uint16_t digest_len; >> + uint16_t iv_len; >> + uint16_t block_size; >> + ipsec_xform_fn pre_crypto; >> + ipsec_xform_fn post_crypto; >> + uint32_t flags; >> + /* does not apply if no automated SA management (IKE) support */ >> + struct lifetime current; >> + struct lifetime soft; >> + struct lifetime hard; >> + struct replay replay; >> +} __rte_cache_aligned; >> + >> +struct ipsec_mbuf_metadata { >> + struct ipsec_sa *sa; >> + struct rte_mbuf_offload ol; >> +}; >> + >> +struct ipsec_ctx { >> + uint16_t cdev; >> + uint16_t queue; >> + struct sa_ctx *sa_ctx; >> +}; >> + >> +struct socket_ctx { >> + struct sa_ctx *sa_ipv4_in; >> + struct sa_ctx *sa_ipv4_out; >> + struct sp_ctx *sp_ipv4_in; >> + struct sp_ctx *sp_ipv4_out; >> + struct rt_ctx *rt_ipv4; >> + struct rte_mempool *mbuf_pool; >> +}; >> + >> +uint16_t >> +ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], >> + uint16_t nb_pkts, uint16_t len); >> + >> +uint16_t >> +ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], >> + uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len); >> + >> +static inline uint16_t >> +ipsec_metadata_size(void) >> +{ >> + return sizeof(struct ipsec_mbuf_metadata); >> +} >> + >> +static inline struct ipsec_mbuf_metadata * >> +get_priv(struct rte_mbuf *m) >> +{ >> + return RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); >> +} >> + >> +int >> +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); >> + >> +void >> +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], >> + struct ipsec_sa *sa[], uint16_t nb_pkts); >> + >> +void >> +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], >> + struct ipsec_sa *sa[], uint16_t nb_pkts); >> + >> +void >> +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep); >> + >> +void >> +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id); >> + >> +void >> +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep); >> + >> +#endif /* __IPSEC_H__ */ >> diff --git a/examples/ipsec-secgw/rt.c b/examples/ipsec-secgw/rt.c >> new file mode 100644 >> index 0000000..82064b2 >> --- /dev/null >> +++ b/examples/ipsec-secgw/rt.c >> @@ -0,0 +1,131 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +/* >> + * Routing Table (RT) >> + */ >> +#include >> +#include >> + >> +#include "ipsec.h" >> + >> +#define RT_IPV4_MAX_RULES 64 >> + >> +struct ipv4_route { >> + uint32_t ip; >> + uint8_t depth; >> + uint8_t if_out; >> +}; >> + >> +/* In the default routing table we have: >> + * ep0 protected ports 0 and 1, and unprotected ports 2 and 3. >> + */ >> +static struct ipv4_route rt_ipv4_ep0[] = { >> + { IPv4(172, 16, 2, 5), 32, 0 }, >> + { IPv4(172, 16, 2, 6), 32, 0 }, >> + { IPv4(172, 16, 2, 7), 32, 1 }, >> + { IPv4(172, 16, 2, 8), 32, 1 }, >> + >> + { IPv4(192, 168, 115, 0), 24, 2 }, >> + { IPv4(192, 168, 116, 0), 24, 2 }, >> + { IPv4(192, 168, 117, 0), 24, 3 }, >> + { IPv4(192, 168, 118, 0), 24, 3 } >> +}; >> + >> +/* In the default routing table we have: >> + * ep1 protected ports 0 and 1, and unprotected ports 2 and 3. >> + */ >> +static struct ipv4_route rt_ipv4_ep1[] = { >> + { IPv4(172, 16, 1, 5), 32, 2 }, >> + { IPv4(172, 16, 1, 6), 32, 2 }, >> + { IPv4(172, 16, 1, 7), 32, 3 }, >> + { IPv4(172, 16, 1, 8), 32, 3 }, >> + >> + { IPv4(192, 168, 105, 0), 24, 0 }, >> + { IPv4(192, 168, 106, 0), 24, 0 }, >> + { IPv4(192, 168, 107, 0), 24, 1 }, >> + { IPv4(192, 168, 108, 0), 24, 1 } >> +}; >> + >> +void >> +rt_init(struct socket_ctx *ctx, int socket_id, unsigned ep) >> +{ >> + char name[PATH_MAX]; >> + unsigned i; >> + int ret; >> + struct rte_lpm *lpm; >> + struct ipv4_route *rt; >> + char a, b, c, d; >> + unsigned nb_routes; >> + >> + if (ctx == NULL) >> + rte_exit(EXIT_FAILURE, "NULL context.\n"); >> + >> + if (ctx->rt_ipv4 != NULL) >> + rte_exit(EXIT_FAILURE, "Routing Table for socket %u already " >> + "initialized\n", socket_id); >> + >> + printf("Creating Routing Table (RT) context with %u max routes\n", >> + RT_IPV4_MAX_RULES); >> + >> + if (ep == 0) { >> + rt = rt_ipv4_ep0; >> + nb_routes = RTE_DIM(rt_ipv4_ep0); >> + } else if (ep == 1) { >> + rt = rt_ipv4_ep1; >> + nb_routes = RTE_DIM(rt_ipv4_ep1); >> + } else >> + rte_exit(EXIT_FAILURE, "Invalid EP value %u. Only 0 or 1 " >> + "supported.\n", ep); >> + >> + /* create the LPM table */ >> + snprintf(name, sizeof(name), "%s_%u", "rt_ipv4", socket_id); >> + lpm = rte_lpm_create(name, socket_id, RT_IPV4_MAX_RULES, 0); >> + if (lpm == NULL) >> + rte_exit(EXIT_FAILURE, "Unable to create LPM table " >> + "on socket %d\n", socket_id); >> + >> + /* populate the LPM table */ >> + for (i = 0; i < nb_routes; i++) { >> + ret = rte_lpm_add(lpm, rt[i].ip, rt[i].depth, rt[i].if_out); >> + if (ret < 0) >> + rte_exit(EXIT_FAILURE, "Unable to add entry num %u to " >> + "LPM table on socket %d\n", i, socket_id); >> + >> + uint32_t_to_char(rt[i].ip, &a, &b, &c, &d); >> + printf("LPM: Adding route %hhu.%hhu.%hhu.%hhu/%hhu (%hhu)\n", >> + a, b, c, d, rt[i].depth, rt[i].if_out); >> + } >> + >> + ctx->rt_ipv4 = (struct rt_ctx *)lpm; >> +} >> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c >> new file mode 100644 >> index 0000000..5ea7592 >> --- /dev/null >> +++ b/examples/ipsec-secgw/sa.c >> @@ -0,0 +1,391 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +/* >> + * Security Associations >> + */ >> +#include >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +#include "ipsec.h" >> +#include "esp.h" >> + >> +/* SAs EP0 Outbound */ >> +const struct ipsec_sa sa_ep0_out[] = { >> + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, > IMO, a SA with NULL crypto (rfc2410) operation will be useful for ESP > packet processing debugging and measuring the performance impact with > the crypto block in fast path. > I couldn't agree more. I'll add support for NULL crypto in the app with dependency on previously mentioned cryptodev capabilities patch set and: http://dpdk.org/ml/archives/dev/2016-January/032458.html Sergio >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } >> +}; >> + >> +/* SAs EP0 Inbound */ >> +const struct ipsec_sa sa_ep0_in[] = { >> + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } >> +}; >> + >> +/* SAs EP1 Outbound */ >> +const struct ipsec_sa sa_ep1_out[] = { >> + { 5, 0, IPv4(172, 16, 2, 5), IPv4(172, 16, 1, 5), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 6, 0, IPv4(172, 16, 2, 6), IPv4(172, 16, 1, 6), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 7, 0, IPv4(172, 16, 2, 7), IPv4(172, 16, 1, 7), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 8, 0, IPv4(172, 16, 2, 8), IPv4(172, 16, 1, 8), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_outbound_pre_crypto, >> + esp4_tunnel_outbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } >> +}; >> + >> +/* SAs EP1 Inbound */ >> +const struct ipsec_sa sa_ep1_in[] = { >> + { 5, 0, IPv4(172, 16, 1, 5), IPv4(172, 16, 2, 5), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 6, 0, IPv4(172, 16, 1, 6), IPv4(172, 16, 2, 6), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 7, 0, IPv4(172, 16, 1, 7), IPv4(172, 16, 2, 7), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } }, >> + { 8, 0, IPv4(172, 16, 1, 8), IPv4(172, 16, 2, 8), >> + NULL, NULL, >> + RTE_CRYPTO_CIPHER_AES_CBC, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + 12, 16, 16, >> + esp4_tunnel_inbound_pre_crypto, >> + esp4_tunnel_inbound_post_crypto, >> + 0, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0 } } >> +}; >> + >> +static uint8_t cipher_key[256] = "sixteenbytes key"; >> + >> +/* AES CBC xform */ >> +const struct rte_crypto_xform aescbc_enc_xf = { >> + NULL, >> + RTE_CRYPTO_XFORM_CIPHER, >> + .cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC, >> + .key = { cipher_key, 0, 16 } } >> +}; >> + >> +const struct rte_crypto_xform aescbc_dec_xf = { >> + NULL, >> + RTE_CRYPTO_XFORM_CIPHER, >> + .cipher = { RTE_CRYPTO_CIPHER_OP_DECRYPT, RTE_CRYPTO_CIPHER_AES_CBC, >> + .key = { cipher_key, 0, 16 } } >> +}; >> + >> +static uint8_t auth_key[256] = "twentybytes hash key"; >> + >> +/* SHA1 HMAC xform */ >> +const struct rte_crypto_xform sha1hmac_gen_xf = { >> + NULL, >> + RTE_CRYPTO_XFORM_AUTH, >> + .auth = { RTE_CRYPTO_AUTH_OP_GENERATE, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + .key = { auth_key, 0, 20 }, 12, 0 } >> +}; >> + >> +const struct rte_crypto_xform sha1hmac_verify_xf = { >> + NULL, >> + RTE_CRYPTO_XFORM_AUTH, >> + .auth = { RTE_CRYPTO_AUTH_OP_VERIFY, RTE_CRYPTO_AUTH_SHA1_HMAC, >> + .key = { auth_key, 0, 20 }, 12, 0 } >> +}; >> + >> +struct sa_ctx { >> + struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES]; >> + struct { >> + struct rte_crypto_xform a; >> + struct rte_crypto_xform b; >> + } xf[IPSEC_SA_MAX_ENTRIES]; >> +}; >> + >> +static struct sa_ctx * >> +sa_ipv4_create(const char *name, int socket_id) >> +{ >> + char s[PATH_MAX]; >> + struct sa_ctx *sa_ctx; >> + unsigned mz_size; >> + const struct rte_memzone *mz; >> + >> + snprintf(s, sizeof(s), "%s_%u", name, socket_id); >> + >> + /* Create SA array table */ >> + printf("Creating SA context with %u maximum entries\n", >> + IPSEC_SA_MAX_ENTRIES); >> + >> + mz_size = sizeof(struct sa_ctx); >> + mz = rte_memzone_reserve(s, mz_size, socket_id, >> + RTE_MEMZONE_1GB | RTE_MEMZONE_SIZE_HINT_ONLY); >> + if (mz == NULL) { >> + printf("Failed to allocate SA DB memory\n"); >> + rte_errno = -ENOMEM; >> + return NULL; >> + } >> + >> + sa_ctx = (struct sa_ctx *)mz->addr; >> + >> + return sa_ctx; >> +} >> + >> +static int >> +sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], >> + unsigned nb_entries, uint16_t cdev_id, unsigned inbound) >> +{ >> + struct ipsec_sa *sa; >> + unsigned i, idx; >> + >> + for (i = 0; i < nb_entries; i++) { >> + idx = SPI2IDX(entries[i].spi); >> + sa = &sa_ctx->sa[idx]; >> + if (sa->spi != 0) { >> + printf("Index %u already in use by SPI %u\n", >> + idx, sa->spi); >> + return -EINVAL; >> + } >> + *sa = entries[i]; >> + sa->src = rte_cpu_to_be_32(sa->src); >> + sa->dst = rte_cpu_to_be_32(sa->dst); >> + if (inbound) { >> + sa_ctx->xf[idx].a = sha1hmac_verify_xf; >> + sa_ctx->xf[idx].b = aescbc_dec_xf; >> + } else { /* outbound */ >> + sa_ctx->xf[idx].a = aescbc_enc_xf; >> + sa_ctx->xf[idx].b = sha1hmac_gen_xf; >> + } >> + sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b; >> + sa_ctx->xf[idx].b.next = NULL; >> + sa->xforms = &sa_ctx->xf[idx].a; >> + >> + sa->crypto_session = rte_cryptodev_session_create(cdev_id, >> + sa->xforms); >> + } >> + >> + return 0; >> +} >> + >> +static inline int >> +sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], >> + unsigned nb_entries, uint16_t cdev_id) >> +{ >> + return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 0); >> +} >> + >> +static inline int >> +sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], >> + unsigned nb_entries, uint16_t cdev_id) >> +{ >> + return sa_add_rules(sa_ctx, entries, nb_entries, cdev_id, 1); >> +} >> + >> +void >> +sa_init(struct socket_ctx *ctx, int socket_id, unsigned ep, uint16_t cdev_id) >> +{ >> + const struct ipsec_sa *sa_out_entries, *sa_in_entries; >> + unsigned nb_out_entries, nb_in_entries; >> + const char *name; >> + >> + if (ctx == NULL) >> + rte_exit(EXIT_FAILURE, "NULL context.\n"); >> + >> + if (ctx->sa_ipv4_in != NULL) >> + rte_exit(EXIT_FAILURE, "Inbound SA DB for socket %u already " >> + "initialized\n", socket_id); >> + >> + if (ctx->sa_ipv4_out != NULL) >> + rte_exit(EXIT_FAILURE, "Outbound SA DB for socket %u already " >> + "initialized\n", socket_id); >> + >> + if (ep == 0) { >> + sa_out_entries = sa_ep0_out; >> + nb_out_entries = RTE_DIM(sa_ep0_out); >> + sa_in_entries = sa_ep0_in; >> + nb_in_entries = RTE_DIM(sa_ep0_in); >> + } else if (ep == 1) { >> + sa_out_entries = sa_ep1_out; >> + nb_out_entries = RTE_DIM(sa_ep1_out); >> + sa_in_entries = sa_ep1_in; >> + nb_in_entries = RTE_DIM(sa_ep1_in); >> + } else >> + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " >> + "Only 0 or 1 supported.\n", ep); >> + >> + name = "sa_ipv4_in"; >> + ctx->sa_ipv4_in = sa_ipv4_create(name, socket_id); >> + if (ctx->sa_ipv4_in == NULL) >> + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " >> + "in socket %d\n", rte_errno, name, socket_id); >> + >> + name = "sa_ipv4_out"; >> + ctx->sa_ipv4_out = sa_ipv4_create(name, socket_id); >> + if (ctx->sa_ipv4_out == NULL) >> + rte_exit(EXIT_FAILURE, "Error [%d] creating SA context %s " >> + "in socket %d\n", rte_errno, name, socket_id); >> + >> + sa_in_add_rules(ctx->sa_ipv4_in, sa_in_entries, >> + nb_in_entries, cdev_id); >> + >> + sa_out_add_rules(ctx->sa_ipv4_out, sa_out_entries, >> + nb_out_entries, cdev_id); >> +} >> + >> +int >> +inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx) >> +{ >> + struct ipsec_mbuf_metadata *priv; >> + >> + priv = RTE_PTR_ADD(m, sizeof(struct rte_mbuf)); >> + >> + return (sa_ctx->sa[sa_idx].spi == priv->sa->spi); >> +} >> + >> +void >> +inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], >> + struct ipsec_sa *sa[], uint16_t nb_pkts) >> +{ >> + unsigned i; >> + uint32_t *src, spi; >> + >> + for (i = 0; i < nb_pkts; i++) { >> + spi = rte_pktmbuf_mtod_offset(pkts[i], struct esp_hdr *, >> + sizeof(struct ip))->spi; >> + if (spi == INVALID_SPI) >> + continue; >> + >> + sa[i] = &sa_ctx->sa[SPI2IDX(spi)]; >> + if (spi != sa[i]->spi) { >> + sa[i] = NULL; >> + continue; >> + } >> + >> + src = rte_pktmbuf_mtod_offset(pkts[i], uint32_t *, >> + offsetof(struct ip, ip_src)); >> + if ((sa[i]->src != *src) || (sa[i]->dst != *(src + 1))) >> + sa[i] = NULL; >> + } >> +} >> + >> +void >> +outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], >> + struct ipsec_sa *sa[], uint16_t nb_pkts) >> +{ >> + unsigned i; >> + >> + for (i = 0; i < nb_pkts; i++) >> + sa[i] = &sa_ctx->sa[sa_idx[i]]; >> +} >> diff --git a/examples/ipsec-secgw/sp.c b/examples/ipsec-secgw/sp.c >> new file mode 100644 >> index 0000000..219e478 >> --- /dev/null >> +++ b/examples/ipsec-secgw/sp.c >> @@ -0,0 +1,324 @@ >> +/*- >> + * BSD LICENSE >> + * >> + * Copyright(c) 2010-2016 Intel Corporation. All rights reserved. >> + * All rights reserved. >> + * >> + * Redistribution and use in source and binary forms, with or without >> + * modification, are permitted provided that the following conditions >> + * are met: >> + * >> + * * Redistributions of source code must retain the above copyright >> + * notice, this list of conditions and the following disclaimer. >> + * * Redistributions in binary form must reproduce the above copyright >> + * notice, this list of conditions and the following disclaimer in >> + * the documentation and/or other materials provided with the >> + * distribution. >> + * * Neither the name of Intel Corporation nor the names of its >> + * contributors may be used to endorse or promote products derived >> + * from this software without specific prior written permission. >> + * >> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> + */ >> + >> +/* >> + * Security Policies >> + */ >> +#include >> + >> +#include >> + >> +#include "ipsec.h" >> + >> +#define MAX_ACL_RULE_NUM 1000 >> + >> +/* >> + * Rule and trace formats definitions. >> + */ >> +enum { >> + PROTO_FIELD_IPV4, >> + SRC_FIELD_IPV4, >> + DST_FIELD_IPV4, >> + SRCP_FIELD_IPV4, >> + DSTP_FIELD_IPV4, >> + NUM_FIELDS_IPV4 >> +}; >> + >> +/* >> + * That effectively defines order of IPV4 classifications: >> + * - PROTO >> + * - SRC IP ADDRESS >> + * - DST IP ADDRESS >> + * - PORTS (SRC and DST) >> + */ >> +enum { >> + RTE_ACL_IPV4_PROTO, >> + RTE_ACL_IPV4_SRC, >> + RTE_ACL_IPV4_DST, >> + RTE_ACL_IPV4_PORTS, >> + RTE_ACL_IPV4_NUM >> +}; >> + >> +struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = { >> + { >> + .type = RTE_ACL_FIELD_TYPE_BITMASK, >> + .size = sizeof(uint8_t), >> + .field_index = PROTO_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_PROTO, >> + .offset = 0, >> + }, >> + { >> + .type = RTE_ACL_FIELD_TYPE_MASK, >> + .size = sizeof(uint32_t), >> + .field_index = SRC_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_SRC, >> + .offset = offsetof(struct ip, ip_src) - offsetof(struct ip, ip_p) >> + }, >> + { >> + .type = RTE_ACL_FIELD_TYPE_MASK, >> + .size = sizeof(uint32_t), >> + .field_index = DST_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_DST, >> + .offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p) >> + }, >> + { >> + .type = RTE_ACL_FIELD_TYPE_RANGE, >> + .size = sizeof(uint16_t), >> + .field_index = SRCP_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_PORTS, >> + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) >> + }, >> + { >> + .type = RTE_ACL_FIELD_TYPE_RANGE, >> + .size = sizeof(uint16_t), >> + .field_index = DSTP_FIELD_IPV4, >> + .input_index = RTE_ACL_IPV4_PORTS, >> + .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) + >> + sizeof(uint16_t) >> + }, >> +}; >> + >> +RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ipv4_defs)); >> + >> +const struct acl4_rules acl4_rules_in[] = { >> + { >> + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 105, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 106, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 107, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 108, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + } >> +}; >> + >> +const struct acl4_rules acl4_rules_out[] = { >> + { >> + .data = {.userdata = PROTECT(5), .category_mask = 1, .priority = 1}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 115, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(6), .category_mask = 1, .priority = 2}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 116, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(7), .category_mask = 1, .priority = 3}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 117, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + }, >> + { >> + .data = {.userdata = PROTECT(8), .category_mask = 1, .priority = 4}, >> + /* destination IPv4 */ >> + .field[2] = {.value.u32 = IPv4(192, 168, 118, 0), >> + .mask_range.u32 = 24,}, >> + /* source port */ >> + .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,}, >> + /* destination port */ >> + .field[4] = {.value.u16 = 0, .mask_range.u16 = 0xffff,} >> + } >> +}; >> + >> +static void >> +print_one_ipv4_rule(const struct acl4_rules *rule, int extra) >> +{ >> + unsigned char a, b, c, d; >> + >> + uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32, >> + &a, &b, &c, &d); >> + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, >> + rule->field[SRC_FIELD_IPV4].mask_range.u32); >> + uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32, >> + &a, &b, &c, &d); >> + printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d, >> + rule->field[DST_FIELD_IPV4].mask_range.u32); >> + printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ", >> + rule->field[SRCP_FIELD_IPV4].value.u16, >> + rule->field[SRCP_FIELD_IPV4].mask_range.u16, >> + rule->field[DSTP_FIELD_IPV4].value.u16, >> + rule->field[DSTP_FIELD_IPV4].mask_range.u16, >> + rule->field[PROTO_FIELD_IPV4].value.u8, >> + rule->field[PROTO_FIELD_IPV4].mask_range.u8); >> + if (extra) >> + printf("0x%x-0x%x-0x%x ", >> + rule->data.category_mask, >> + rule->data.priority, >> + rule->data.userdata); >> +} >> + >> +static inline void >> +dump_ipv4_rules(const struct acl4_rules *rule, int num, int extra) >> +{ >> + int i; >> + >> + for (i = 0; i < num; i++, rule++) { >> + printf("\t%d:", i + 1); >> + print_one_ipv4_rule(rule, extra); >> + printf("\n"); >> + } >> +} >> + >> +static struct rte_acl_ctx * >> +acl4_init(const char *name, int socketid, const struct acl4_rules *rules, >> + unsigned rules_nb) >> +{ >> + char s[PATH_MAX]; >> + struct rte_acl_param acl_param; >> + struct rte_acl_config acl_build_param; >> + struct rte_acl_ctx *ctx; >> + >> + printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM); >> + >> + memset(&acl_param, 0, sizeof(acl_param)); >> + >> + /* Create ACL contexts */ >> + snprintf(s, sizeof(s), "%s_%d", name, socketid); >> + >> + printf("IPv4 %s entries [%u]:\n", s, rules_nb); >> + dump_ipv4_rules(rules, rules_nb, 1); >> + >> + acl_param.name = s; >> + acl_param.socket_id = socketid; >> + acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs)); >> + acl_param.max_rule_num = MAX_ACL_RULE_NUM; >> + >> + ctx = rte_acl_create(&acl_param); >> + if (ctx == NULL) >> + rte_exit(EXIT_FAILURE, "Failed to create ACL context\n"); >> + >> + if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules, >> + rules_nb) < 0) >> + rte_exit(EXIT_FAILURE, "add rules failed\n"); >> + >> + /* Perform builds */ >> + memset(&acl_build_param, 0, sizeof(acl_build_param)); >> + >> + acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES; >> + acl_build_param.num_fields = rules_nb; >> + memcpy(&acl_build_param.defs, ipv4_defs, sizeof(ipv4_defs)); >> + >> + if (rte_acl_build(ctx, &acl_build_param) != 0) >> + rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n"); >> + >> + rte_acl_dump(ctx); >> + >> + return ctx; >> +} >> + >> +void >> +sp_init(struct socket_ctx *ctx, int socket_id, unsigned ep) >> +{ >> + const char *name; >> + const struct acl4_rules *rules_out, *rules_in; >> + unsigned nb_out_rules, nb_in_rules; >> + >> + if (ctx == NULL) >> + rte_exit(EXIT_FAILURE, "NULL context.\n"); >> + >> + if (ctx->sp_ipv4_in != NULL) >> + rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already " >> + "initialized\n", socket_id); >> + >> + if (ctx->sp_ipv4_out != NULL) >> + rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already " >> + "initialized\n", socket_id); >> + >> + if (ep == 0) { >> + rules_out = acl4_rules_in; >> + nb_out_rules = RTE_DIM(acl4_rules_in); >> + rules_in = acl4_rules_out; >> + nb_in_rules = RTE_DIM(acl4_rules_out); >> + } else if (ep == 1) { >> + rules_out = acl4_rules_out; >> + nb_out_rules = RTE_DIM(acl4_rules_out); >> + rules_in = acl4_rules_in; >> + nb_in_rules = RTE_DIM(acl4_rules_in); >> + } else >> + rte_exit(EXIT_FAILURE, "Invalid EP value %u. " >> + "Only 0 or 1 supported.\n", ep); >> + >> + name = "sp_ipv4_in"; >> + ctx->sp_ipv4_in = (struct sp_ctx *)acl4_init(name, socket_id, >> + rules_in, nb_in_rules); >> + >> + name = "sp_ipv4_out"; >> + ctx->sp_ipv4_out = (struct sp_ctx *)acl4_init(name, socket_id, >> + rules_out, nb_out_rules); >> +} >> -- >> 2.4.3 >>