[PATCH 1/4] mbuf: clarify meta data needed for Outbound Inline

[PATCH 1/4] mbuf: clarify meta data needed for Outbound Inline

[Nithin Dabilpuram]

Clarify mbuf meta data needed for Outbound Inline processing.
Application needs to provide mbuf.l3_len and L3 type in
mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
can make use of l3_len and l3_type to determine perform
proper transport mode IPsec processing.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 doc/guides/nics/features.rst | 2 +-
 lib/mbuf/rte_mbuf_core.h     | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst
index 7f6cb91..b4a8e98 100644
--- a/doc/guides/nics/features.rst
+++ b/doc/guides/nics/features.rst
@@ -431,7 +431,7 @@ protocol operations. See security library and PMD documentation for more details
 
 * **[uses]       rte_eth_rxconf,rte_eth_rxmode**: ``offloads:RTE_ETH_RX_OFFLOAD_SECURITY``,
 * **[uses]       rte_eth_txconf,rte_eth_txmode**: ``offloads:RTE_ETH_TX_OFFLOAD_SECURITY``.
-* **[uses]       mbuf**: ``mbuf.l2_len``.
+* **[uses]       mbuf**: ``mbuf.l2_len``, ``mbuf.l3_len``, ``mbuf.ol_flags``.
 * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
   ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``,
   ``capabilities_get``.
diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h
index 3d6ddd6..b62a7c6 100644
--- a/lib/mbuf/rte_mbuf_core.h
+++ b/lib/mbuf/rte_mbuf_core.h
@@ -267,7 +267,8 @@ extern "C" {
 /**
  * Request security offload processing on the TX packet.
  * To use Tx security offload, the user needs to fill l2_len in mbuf
- * indicating L2 header size and where L3 header starts.
+ * indicating L2 header size and where L3 header starts. Similarly,
+ * l3_len should also be filled along with ol_flags reflecting current L3 type.
  */
 #define RTE_MBUF_F_TX_SEC_OFFLOAD	(1ULL << 43)
 #define PKT_TX_SEC_OFFLOAD RTE_DEPRECATED(PKT_TX_SEC_OFFLOAD) \
-- 
2.8.4

[PATCH 2/4] security: clarify L2 header requirement for outbound inline

[Nithin Dabilpuram]

Clarify that for Outbound Inline IPsec processing, L2 header
needs to be up to date with ether type which will be applicable
post IPsec processing as the IPsec offload only touches L3 and above.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 72ca0bd..be158f6 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -146,7 +146,9 @@ adding the relevant protocol headers and encrypting the data before sending
 the packet out. The software should make sure that the buffer
 has required head room and tail room for any protocol header addition. The
 software may also do early fragmentation if the resultant packet is expected
-to cross the MTU size.
+to cross the MTU size. The software should also make sure that L2 header contents
+are updated with the final L2 header which is expected post IPsec processing as
+the IPsec offload will only update L3 and above in egress path.
 
 
 .. note::
-- 
2.8.4

[PATCH 3/4] net/cnxk: remove l2 header update for outbound inline pkts

[Nithin Dabilpuram]

Remove L2 header update for outbound inline packets as
application is already taking care of the same.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 drivers/net/cnxk/cn10k_tx.h | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_tx.h b/drivers/net/cnxk/cn10k_tx.h
index ea13866..4bd47ef 100644
--- a/drivers/net/cnxk/cn10k_tx.h
+++ b/drivers/net/cnxk/cn10k_tx.h
@@ -362,15 +362,6 @@ cn10k_nix_prep_sec_vec(struct rte_mbuf *m, uint64x2_t *cmd0, uint64x2_t *cmd1,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
-
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
@@ -490,14 +481,6 @@ cn10k_nix_prep_sec(struct rte_mbuf *m, uint64_t *cmd, uintptr_t *nixtx_addr,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
-- 
2.8.4

[PATCH 4/4] app/test: update l2 header based on tunnel ip version

[Nithin Dabilpuram]

Update l2 header based on tunnel ip version.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 app/test/test_security_inline_proto.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c
index 5f26a04..b282e7d 100644
--- a/app/test/test_security_inline_proto.c
+++ b/app/test/test_security_inline_proto.c
@@ -418,15 +418,29 @@ copy_buf_to_pkt_segs(const uint8_t *buf, unsigned int len,
 	rte_memcpy(seg_buf, buf + copied, (size_t) len);
 }
 
+static bool
+is_outer_ipv4(struct ipsec_test_data *td)
+{
+	bool outer_ipv4;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS ||
+	    td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		outer_ipv4 = (((td->input_text.data[0] & 0xF0) >> 4) == IPVERSION);
+	else
+		outer_ipv4 = (td->ipsec_xform.tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4);
+	return outer_ipv4;
+}
+
 static inline struct rte_mbuf *
-init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len, bool outer_ipv4)
 {
 	struct rte_mbuf *pkt;
 
 	pkt = rte_pktmbuf_alloc(mp);
 	if (pkt == NULL)
 		return NULL;
-	if (((data[0] & 0xF0) >> 4) == IPVERSION) {
+
+	if (outer_ipv4) {
 		rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN),
 				&dummy_ipv4_eth_hdr, RTE_ETHER_HDR_LEN);
 		pkt->l3_len = sizeof(struct rte_ipv4_hdr);
@@ -711,6 +725,7 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	struct rte_security_ctx *ctx;
 	unsigned int i, nb_rx = 0, j;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int ret = 0;
 
 	burst_sz = vector->burst ? ENCAP_DECAP_BURST_SZ : 1;
@@ -740,11 +755,15 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	memset(tx_pkts_burst, 0, sizeof(tx_pkts_burst[0]) * nb_tx);
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_tx);
 
+	memcpy(&sa_data, vector->sa_data, sizeof(struct ipsec_test_data));
+	sa_data.ipsec_xform.direction =	RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+	outer_ipv4 = is_outer_ipv4(&sa_data);
+
 	for (i = 0; i < nb_tx; i += vector->nb_frags) {
 		for (j = 0; j < vector->nb_frags; j++) {
 			tx_pkts_burst[i+j] = init_packet(mbufpool,
 						vector->frags[j]->data,
-						vector->frags[j]->len);
+						vector->frags[j]->len, outer_ipv4);
 			if (tx_pkts_burst[i+j] == NULL) {
 				ret = -1;
 				printf("\n packed init failed\n");
@@ -963,6 +982,7 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 	int nb_rx = 0, nb_sent;
 	uint32_t ol_flags;
 	int i, j = 0, ret;
+	bool outer_ipv4;
 
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts);
 
@@ -994,9 +1014,11 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
+
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkts_burst[i] = init_packet(mbufpool, td->input_text.data,
-						td->input_text.len);
+						td->input_text.len, outer_ipv4);
 		if (tx_pkts_burst[i] == NULL) {
 			while (i--)
 				rte_pktmbuf_free(tx_pkts_burst[i]);
@@ -1194,6 +1216,7 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 	struct rte_security_session *ses;
 	struct rte_security_ctx *ctx;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int i, ret;
 
 	if (td[0].aead) {
@@ -1224,10 +1247,11 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
 
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkt = init_packet(mbufpool, td[i].input_text.data,
-					td[i].input_text.len);
+					td[i].input_text.len, outer_ipv4);
 		if (tx_pkt == NULL) {
 			ret = TEST_FAILED;
 			goto out;
-- 
2.8.4

[PATCH v2 1/5] mbuf: clarify meta data needed for Outbound Inline

[Nithin Dabilpuram]

Clarify mbuf meta data needed for Outbound Inline processing.
Application needs to provide mbuf.l3_len and L3 type in
mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
can make use of l3_len and l3_type to determine perform
proper transport mode IPsec processing.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
v2:
- Modified ipsec-secgw to do ether type update for outbound path.

 doc/guides/nics/features.rst | 2 +-
 lib/mbuf/rte_mbuf_core.h     | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst
index 7f6cb91..b4a8e98 100644
--- a/doc/guides/nics/features.rst
+++ b/doc/guides/nics/features.rst
@@ -431,7 +431,7 @@ protocol operations. See security library and PMD documentation for more details
 
 * **[uses]       rte_eth_rxconf,rte_eth_rxmode**: ``offloads:RTE_ETH_RX_OFFLOAD_SECURITY``,
 * **[uses]       rte_eth_txconf,rte_eth_txmode**: ``offloads:RTE_ETH_TX_OFFLOAD_SECURITY``.
-* **[uses]       mbuf**: ``mbuf.l2_len``.
+* **[uses]       mbuf**: ``mbuf.l2_len``, ``mbuf.l3_len``, ``mbuf.ol_flags``.
 * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
   ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``,
   ``capabilities_get``.
diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h
index 3d6ddd6..b62a7c6 100644
--- a/lib/mbuf/rte_mbuf_core.h
+++ b/lib/mbuf/rte_mbuf_core.h
@@ -267,7 +267,8 @@ extern "C" {
 /**
  * Request security offload processing on the TX packet.
  * To use Tx security offload, the user needs to fill l2_len in mbuf
- * indicating L2 header size and where L3 header starts.
+ * indicating L2 header size and where L3 header starts. Similarly,
+ * l3_len should also be filled along with ol_flags reflecting current L3 type.
  */
 #define RTE_MBUF_F_TX_SEC_OFFLOAD	(1ULL << 43)
 #define PKT_TX_SEC_OFFLOAD RTE_DEPRECATED(PKT_TX_SEC_OFFLOAD) \
-- 
2.8.4

[PATCH v2 2/5] security: clarify L2 header requirement for outbound inline

[Nithin Dabilpuram]

Clarify that for Outbound Inline IPsec processing, L2 header
needs to be up to date with ether type which will be applicable
post IPsec processing as the IPsec offload only touches L3 and above.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 72ca0bd..be158f6 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -146,7 +146,9 @@ adding the relevant protocol headers and encrypting the data before sending
 the packet out. The software should make sure that the buffer
 has required head room and tail room for any protocol header addition. The
 software may also do early fragmentation if the resultant packet is expected
-to cross the MTU size.
+to cross the MTU size. The software should also make sure that L2 header contents
+are updated with the final L2 header which is expected post IPsec processing as
+the IPsec offload will only update L3 and above in egress path.
 
 
 .. note::
-- 
2.8.4

[PATCH v2 3/5] net/cnxk: remove L2 header update for outbound inline pkts

[Nithin Dabilpuram]

Remove L2 header update for outbound inline packets as
application is already taking care of the same.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 drivers/net/cnxk/cn10k_tx.h | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_tx.h b/drivers/net/cnxk/cn10k_tx.h
index ea13866..4bd47ef 100644
--- a/drivers/net/cnxk/cn10k_tx.h
+++ b/drivers/net/cnxk/cn10k_tx.h
@@ -362,15 +362,6 @@ cn10k_nix_prep_sec_vec(struct rte_mbuf *m, uint64x2_t *cmd0, uint64x2_t *cmd1,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
-
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
@@ -490,14 +481,6 @@ cn10k_nix_prep_sec(struct rte_mbuf *m, uint64_t *cmd, uintptr_t *nixtx_addr,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
-- 
2.8.4

[PATCH v2 4/5] app/test: update L2 header based on tunnel IP version

[Nithin Dabilpuram]

Update L2 header based on tunnel IP version.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 app/test/test_security_inline_proto.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c
index 5f26a04..b282e7d 100644
--- a/app/test/test_security_inline_proto.c
+++ b/app/test/test_security_inline_proto.c
@@ -418,15 +418,29 @@ copy_buf_to_pkt_segs(const uint8_t *buf, unsigned int len,
 	rte_memcpy(seg_buf, buf + copied, (size_t) len);
 }
 
+static bool
+is_outer_ipv4(struct ipsec_test_data *td)
+{
+	bool outer_ipv4;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS ||
+	    td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		outer_ipv4 = (((td->input_text.data[0] & 0xF0) >> 4) == IPVERSION);
+	else
+		outer_ipv4 = (td->ipsec_xform.tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4);
+	return outer_ipv4;
+}
+
 static inline struct rte_mbuf *
-init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len, bool outer_ipv4)
 {
 	struct rte_mbuf *pkt;
 
 	pkt = rte_pktmbuf_alloc(mp);
 	if (pkt == NULL)
 		return NULL;
-	if (((data[0] & 0xF0) >> 4) == IPVERSION) {
+
+	if (outer_ipv4) {
 		rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN),
 				&dummy_ipv4_eth_hdr, RTE_ETHER_HDR_LEN);
 		pkt->l3_len = sizeof(struct rte_ipv4_hdr);
@@ -711,6 +725,7 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	struct rte_security_ctx *ctx;
 	unsigned int i, nb_rx = 0, j;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int ret = 0;
 
 	burst_sz = vector->burst ? ENCAP_DECAP_BURST_SZ : 1;
@@ -740,11 +755,15 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	memset(tx_pkts_burst, 0, sizeof(tx_pkts_burst[0]) * nb_tx);
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_tx);
 
+	memcpy(&sa_data, vector->sa_data, sizeof(struct ipsec_test_data));
+	sa_data.ipsec_xform.direction =	RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+	outer_ipv4 = is_outer_ipv4(&sa_data);
+
 	for (i = 0; i < nb_tx; i += vector->nb_frags) {
 		for (j = 0; j < vector->nb_frags; j++) {
 			tx_pkts_burst[i+j] = init_packet(mbufpool,
 						vector->frags[j]->data,
-						vector->frags[j]->len);
+						vector->frags[j]->len, outer_ipv4);
 			if (tx_pkts_burst[i+j] == NULL) {
 				ret = -1;
 				printf("\n packed init failed\n");
@@ -963,6 +982,7 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 	int nb_rx = 0, nb_sent;
 	uint32_t ol_flags;
 	int i, j = 0, ret;
+	bool outer_ipv4;
 
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts);
 
@@ -994,9 +1014,11 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
+
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkts_burst[i] = init_packet(mbufpool, td->input_text.data,
-						td->input_text.len);
+						td->input_text.len, outer_ipv4);
 		if (tx_pkts_burst[i] == NULL) {
 			while (i--)
 				rte_pktmbuf_free(tx_pkts_burst[i]);
@@ -1194,6 +1216,7 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 	struct rte_security_session *ses;
 	struct rte_security_ctx *ctx;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int i, ret;
 
 	if (td[0].aead) {
@@ -1224,10 +1247,11 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
 
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkt = init_packet(mbufpool, td[i].input_text.data,
-					td[i].input_text.len);
+					td[i].input_text.len, outer_ipv4);
 		if (tx_pkt == NULL) {
 			ret = TEST_FAILED;
 			goto out;
-- 
2.8.4

[PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info

[Nithin Dabilpuram]

Update ether type for outbound SA processing based on tunnel header
information in both NEON functions for poll mode and event mode worker
functions.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 examples/ipsec-secgw/ipsec_neon.h   | 41 +++++++++++++++++++++++++------------
 examples/ipsec-secgw/ipsec_worker.c | 30 +++++++++++++++++++--------
 2 files changed, 49 insertions(+), 22 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec_neon.h b/examples/ipsec-secgw/ipsec_neon.h
index 3f2d0a0..9c0498b 100644
--- a/examples/ipsec-secgw/ipsec_neon.h
+++ b/examples/ipsec-secgw/ipsec_neon.h
@@ -18,12 +18,13 @@ extern xmm_t val_eth[RTE_MAX_ETHPORTS];
  */
 static inline void
 processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
-		uint64_t tx_offloads, bool ip_cksum, uint8_t *l_pkt)
+		uint64_t tx_offloads, bool ip_cksum, bool is_ipv4, uint8_t *l_pkt)
 {
 	uint32x4_t te[FWDSTEP];
 	uint32x4_t ve[FWDSTEP];
 	uint32_t *p[FWDSTEP];
 	struct rte_mbuf *pkt;
+	uint32_t val;
 	uint8_t i;
 
 	for (i = 0; i < FWDSTEP; i++) {
@@ -38,7 +39,15 @@ processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
 		te[i] = vld1q_u32(p[i]);
 
 		/* Update last 4 bytes */
-		ve[i] = vsetq_lane_u32(vgetq_lane_u32(te[i], 3), ve[i], 3);
+		val = vgetq_lane_u32(te[i], 3);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+		val &= 0xFFFFUL << 16;
+		val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6);
+#else
+		val &= 0xFFFFUL;
+		val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6) << 16;
+#endif
+		ve[i] = vsetq_lane_u32(val, ve[i], 3);
 		vst1q_u32(p[i], ve[i]);
 
 		if (ip_cksum) {
@@ -64,10 +73,11 @@ processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
  */
 static inline void
 process_packet(struct rte_mbuf *pkt, uint16_t *dst_port, uint64_t tx_offloads,
-	       bool ip_cksum, uint8_t *l_pkt)
+	       bool ip_cksum, bool is_ipv4, uint8_t *l_pkt)
 {
 	struct rte_ether_hdr *eth_hdr;
 	uint32x4_t te, ve;
+	uint32_t val;
 
 	/* Check if it is a large packet */
 	if (pkt->pkt_len - RTE_ETHER_HDR_LEN > mtu_size)
@@ -78,7 +88,15 @@ process_packet(struct rte_mbuf *pkt, uint16_t *dst_port, uint64_t tx_offloads,
 	te = vld1q_u32((uint32_t *)eth_hdr);
 	ve = vreinterpretq_u32_s32(val_eth[dst_port[0]]);
 
-	ve = vcopyq_laneq_u32(ve, 3, te, 3);
+	val = vgetq_lane_u32(te, 3);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+	val &= 0xFFFFUL << 16;
+	val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6);
+#else
+	val &= 0xFFFFUL;
+	val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6) << 16;
+#endif
+	ve = vsetq_lane_u32(val, ve, 3);
 	vst1q_u32((uint32_t *)eth_hdr, ve);
 
 	if (ip_cksum) {
@@ -223,14 +241,14 @@ send_multi_pkts(struct rte_mbuf **pkts, uint16_t dst_port[MAX_PKT_BURST],
 		lp = pnum;
 		lp[0] = 1;
 
-		processx4_step3(pkts, dst_port, tx_offloads, ip_cksum, &l_pkt);
+		processx4_step3(pkts, dst_port, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 
 		/* dp1: <d[0], d[1], d[2], d[3], ... > */
 		dp1 = vld1q_u16(dst_port);
 
 		for (i = FWDSTEP; i != k; i += FWDSTEP) {
-			processx4_step3(&pkts[i], &dst_port[i], tx_offloads,
-					ip_cksum, &l_pkt);
+			processx4_step3(&pkts[i], &dst_port[i], tx_offloads, ip_cksum, is_ipv4,
+					&l_pkt);
 
 			/*
 			 * dp2:
@@ -268,20 +286,17 @@ send_multi_pkts(struct rte_mbuf **pkts, uint16_t dst_port[MAX_PKT_BURST],
 	/* Process up to last 3 packets one by one. */
 	switch (nb_rx % FWDSTEP) {
 	case 3:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 		i++;
 		/* fallthrough */
 	case 2:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 		i++;
 		/* fallthrough */
 	case 1:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 	}
 
diff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c
index 803157d..5e69450 100644
--- a/examples/ipsec-secgw/ipsec_worker.c
+++ b/examples/ipsec-secgw/ipsec_worker.c
@@ -53,11 +53,8 @@ process_ipsec_get_pkt_type(struct rte_mbuf *pkt, uint8_t **nlp)
 }
 
 static inline void
-update_mac_addrs(struct rte_mbuf *pkt, uint16_t portid)
+update_mac_addrs(struct rte_ether_hdr *ethhdr, uint16_t portid)
 {
-	struct rte_ether_hdr *ethhdr;
-
-	ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
 	memcpy(&ethhdr->src_addr, &ethaddr_tbl[portid].src, RTE_ETHER_ADDR_LEN);
 	memcpy(&ethhdr->dst_addr, &ethaddr_tbl[portid].dst, RTE_ETHER_ADDR_LEN);
 }
@@ -374,7 +371,7 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
 	/* else, we have a matching route */
 
 	/* Update mac addresses */
-	update_mac_addrs(pkt, port_id);
+	update_mac_addrs(rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *), port_id);
 
 	/* Update the event with the dest port */
 	ipsec_event_pre_forward(pkt, port_id);
@@ -392,6 +389,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 		struct rte_event *ev)
 {
 	struct rte_ipsec_session *sess;
+	struct rte_ether_hdr *ethhdr;
 	struct sa_ctx *sa_ctx;
 	struct rte_mbuf *pkt;
 	uint16_t port_id = 0;
@@ -430,6 +428,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 		goto drop_pkt_and_exit;
 	}
 
+	ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
 	/* Check if the packet has to be bypassed */
 	if (sa_idx == BYPASS) {
 		port_id = get_route(pkt, rt, type);
@@ -467,6 +466,9 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 
 	/* Mark the packet for Tx security offload */
 	pkt->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
+	/* Update ether type */
+	ethhdr->ether_type = (IS_IP4(sa->flags) ? rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4) :
+			      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6));
 
 	/* Get the port to which this pkt need to be submitted */
 	port_id = sa->portid;
@@ -476,7 +478,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 	pkt->l2_len = RTE_ETHER_HDR_LEN;
 
 	/* Update mac addresses */
-	update_mac_addrs(pkt, port_id);
+	update_mac_addrs(ethhdr, port_id);
 
 	/* Update the event with the dest port */
 	ipsec_event_pre_forward(pkt, port_id);
@@ -494,6 +496,7 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		    struct ipsec_traffic *t, struct sa_ctx *sa_ctx)
 {
 	struct rte_ipsec_session *sess;
+	struct rte_ether_hdr *ethhdr;
 	uint32_t sa_idx, i, j = 0;
 	uint16_t port_id = 0;
 	struct rte_mbuf *pkt;
@@ -505,7 +508,8 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		port_id = route4_pkt(pkt, rt->rt4_ctx);
 		if (port_id != RTE_MAX_ETHPORTS) {
 			/* Update mac addresses */
-			update_mac_addrs(pkt, port_id);
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			update_mac_addrs(ethhdr, port_id);
 			/* Update the event with the dest port */
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
@@ -520,7 +524,8 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		port_id = route6_pkt(pkt, rt->rt6_ctx);
 		if (port_id != RTE_MAX_ETHPORTS) {
 			/* Update mac addresses */
-			update_mac_addrs(pkt, port_id);
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			update_mac_addrs(ethhdr, port_id);
 			/* Update the event with the dest port */
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
@@ -553,7 +558,14 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 
 			pkt->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
 			port_id = sa->portid;
-			update_mac_addrs(pkt, port_id);
+
+			/* Fetch outer ip type and update */
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			ethhdr->ether_type = (IS_IP4(sa->flags) ?
+					      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4) :
+					      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6));
+			update_mac_addrs(ethhdr, port_id);
+
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
 			vec->mbufs[j++] = pkt;
-- 
2.8.4

RE: [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info

[Ruifeng Wang]

> -----Original Message-----
> From: Nithin Dabilpuram <ndabilpuram@marvell.com>
> Sent: Thursday, August 18, 2022 3:12 AM
> To: Ruifeng Wang <Ruifeng.Wang@arm.com>; Radu Nicolau <radu.nicolau@intel.com>; Akhil
> Goyal <gakhil@marvell.com>
> Cc: jerinj@marvell.com; dev@dpdk.org; Nithin Dabilpuram <ndabilpuram@marvell.com>
> Subject: [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info
> 
> Update ether type for outbound SA processing based on tunnel header information in both
> NEON functions for poll mode and event mode worker functions.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
>  examples/ipsec-secgw/ipsec_neon.h   | 41 +++++++++++++++++++++++++------------
>  examples/ipsec-secgw/ipsec_worker.c | 30 +++++++++++++++++++--------
>  2 files changed, 49 insertions(+), 22 deletions(-)
> 
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>

RE: [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel info

[Akhil Goyal]

> Subject: [PATCH v2 5/5] examples/ipsec-secgw: update ether type using tunnel
> info
> 
> Update ether type for outbound SA processing based on tunnel header
> information in both NEON functions for poll mode and event mode worker
> functions.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>

RE: [PATCH v2 4/5] app/test: update L2 header based on tunnel IP version

[Akhil Goyal]

> Subject: [PATCH v2 4/5] app/test: update L2 header based on tunnel IP version
> 
> Update L2 header based on tunnel IP version.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Description need to be reworded. It is not clear why the change is done.

Apart from that
Acked-by: Akhil Goyal <gakhil@marvell.com> 

[PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline

[Nithin Dabilpuram]

Clarify mbuf meta data needed for Outbound Inline processing.
Application needs to provide mbuf.l3_len and L3 type in
mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
can make use of l3_len and l3_type to determine perform
proper transport mode IPsec processing.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
v3:
- Addressed comments on patch 4/5 and added acks.
v2:
- Modified ipsec-secgw to do ether type update for outbound path.

 doc/guides/nics/features.rst | 2 +-
 lib/mbuf/rte_mbuf_core.h     | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst
index 7f6cb91..b4a8e98 100644
--- a/doc/guides/nics/features.rst
+++ b/doc/guides/nics/features.rst
@@ -431,7 +431,7 @@ protocol operations. See security library and PMD documentation for more details
 
 * **[uses]       rte_eth_rxconf,rte_eth_rxmode**: ``offloads:RTE_ETH_RX_OFFLOAD_SECURITY``,
 * **[uses]       rte_eth_txconf,rte_eth_txmode**: ``offloads:RTE_ETH_TX_OFFLOAD_SECURITY``.
-* **[uses]       mbuf**: ``mbuf.l2_len``.
+* **[uses]       mbuf**: ``mbuf.l2_len``, ``mbuf.l3_len``, ``mbuf.ol_flags``.
 * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
   ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``,
   ``capabilities_get``.
diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h
index 3d6ddd6..b62a7c6 100644
--- a/lib/mbuf/rte_mbuf_core.h
+++ b/lib/mbuf/rte_mbuf_core.h
@@ -267,7 +267,8 @@ extern "C" {
 /**
  * Request security offload processing on the TX packet.
  * To use Tx security offload, the user needs to fill l2_len in mbuf
- * indicating L2 header size and where L3 header starts.
+ * indicating L2 header size and where L3 header starts. Similarly,
+ * l3_len should also be filled along with ol_flags reflecting current L3 type.
  */
 #define RTE_MBUF_F_TX_SEC_OFFLOAD	(1ULL << 43)
 #define PKT_TX_SEC_OFFLOAD RTE_DEPRECATED(PKT_TX_SEC_OFFLOAD) \
-- 
2.8.4

[PATCH v3 2/5] security: clarify L2 header requirement for outbound inline

[Nithin Dabilpuram]

Clarify that for Outbound Inline IPsec processing, L2 header
needs to be up to date with ether type which will be applicable
post IPsec processing as the IPsec offload only touches L3 and above.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 72ca0bd..be158f6 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -146,7 +146,9 @@ adding the relevant protocol headers and encrypting the data before sending
 the packet out. The software should make sure that the buffer
 has required head room and tail room for any protocol header addition. The
 software may also do early fragmentation if the resultant packet is expected
-to cross the MTU size.
+to cross the MTU size. The software should also make sure that L2 header contents
+are updated with the final L2 header which is expected post IPsec processing as
+the IPsec offload will only update L3 and above in egress path.
 
 
 .. note::
-- 
2.8.4

[PATCH v3 3/5] net/cnxk: remove L2 header update for outbound inline pkts

[Nithin Dabilpuram]

Remove L2 header update for outbound inline packets as
application is already taking care of the same.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---
 drivers/net/cnxk/cn10k_tx.h | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_tx.h b/drivers/net/cnxk/cn10k_tx.h
index ea13866..4bd47ef 100644
--- a/drivers/net/cnxk/cn10k_tx.h
+++ b/drivers/net/cnxk/cn10k_tx.h
@@ -362,15 +362,6 @@ cn10k_nix_prep_sec_vec(struct rte_mbuf *m, uint64x2_t *cmd0, uint64x2_t *cmd1,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
-
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
@@ -490,14 +481,6 @@ cn10k_nix_prep_sec(struct rte_mbuf *m, uint64_t *cmd, uintptr_t *nixtx_addr,
 
 	dptr += l2_len;
 
-	if (sess_priv.mode == ROC_IE_SA_MODE_TUNNEL) {
-		if (sess_priv.outer_ip_ver == ROC_IE_SA_IP_VERSION_4)
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
-		else
-			*((uint16_t *)(dptr - 2)) =
-				rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
-	}
 	ucode_cmd[1] = dptr;
 	ucode_cmd[2] = dptr;
 
-- 
2.8.4

[PATCH v3 4/5] app/test: update L2 header based on tunnel IP version

[Nithin Dabilpuram]

Update L2 header based on tunnel IP version in the application
as driver/HW is not expected to update L2 ether type post
Outbound Inline protocol offload processing.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_proto.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c
index 5f26a04..b282e7d 100644
--- a/app/test/test_security_inline_proto.c
+++ b/app/test/test_security_inline_proto.c
@@ -418,15 +418,29 @@ copy_buf_to_pkt_segs(const uint8_t *buf, unsigned int len,
 	rte_memcpy(seg_buf, buf + copied, (size_t) len);
 }
 
+static bool
+is_outer_ipv4(struct ipsec_test_data *td)
+{
+	bool outer_ipv4;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS ||
+	    td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		outer_ipv4 = (((td->input_text.data[0] & 0xF0) >> 4) == IPVERSION);
+	else
+		outer_ipv4 = (td->ipsec_xform.tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4);
+	return outer_ipv4;
+}
+
 static inline struct rte_mbuf *
-init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len, bool outer_ipv4)
 {
 	struct rte_mbuf *pkt;
 
 	pkt = rte_pktmbuf_alloc(mp);
 	if (pkt == NULL)
 		return NULL;
-	if (((data[0] & 0xF0) >> 4) == IPVERSION) {
+
+	if (outer_ipv4) {
 		rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN),
 				&dummy_ipv4_eth_hdr, RTE_ETHER_HDR_LEN);
 		pkt->l3_len = sizeof(struct rte_ipv4_hdr);
@@ -711,6 +725,7 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	struct rte_security_ctx *ctx;
 	unsigned int i, nb_rx = 0, j;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int ret = 0;
 
 	burst_sz = vector->burst ? ENCAP_DECAP_BURST_SZ : 1;
@@ -740,11 +755,15 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector,
 	memset(tx_pkts_burst, 0, sizeof(tx_pkts_burst[0]) * nb_tx);
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_tx);
 
+	memcpy(&sa_data, vector->sa_data, sizeof(struct ipsec_test_data));
+	sa_data.ipsec_xform.direction =	RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+	outer_ipv4 = is_outer_ipv4(&sa_data);
+
 	for (i = 0; i < nb_tx; i += vector->nb_frags) {
 		for (j = 0; j < vector->nb_frags; j++) {
 			tx_pkts_burst[i+j] = init_packet(mbufpool,
 						vector->frags[j]->data,
-						vector->frags[j]->len);
+						vector->frags[j]->len, outer_ipv4);
 			if (tx_pkts_burst[i+j] == NULL) {
 				ret = -1;
 				printf("\n packed init failed\n");
@@ -963,6 +982,7 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 	int nb_rx = 0, nb_sent;
 	uint32_t ol_flags;
 	int i, j = 0, ret;
+	bool outer_ipv4;
 
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts);
 
@@ -994,9 +1014,11 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
+
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkts_burst[i] = init_packet(mbufpool, td->input_text.data,
-						td->input_text.len);
+						td->input_text.len, outer_ipv4);
 		if (tx_pkts_burst[i] == NULL) {
 			while (i--)
 				rte_pktmbuf_free(tx_pkts_burst[i]);
@@ -1194,6 +1216,7 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 	struct rte_security_session *ses;
 	struct rte_security_ctx *ctx;
 	uint32_t ol_flags;
+	bool outer_ipv4;
 	int i, ret;
 
 	if (td[0].aead) {
@@ -1224,10 +1247,11 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[],
 		if (ret)
 			goto out;
 	}
+	outer_ipv4 = is_outer_ipv4(td);
 
 	for (i = 0; i < nb_pkts; i++) {
 		tx_pkt = init_packet(mbufpool, td[i].input_text.data,
-					td[i].input_text.len);
+					td[i].input_text.len, outer_ipv4);
 		if (tx_pkt == NULL) {
 			ret = TEST_FAILED;
 			goto out;
-- 
2.8.4

[PATCH v3 5/5] examples/ipsec-secgw: update ether type using tunnel info

[Nithin Dabilpuram]

Update ether type for outbound SA processing based on tunnel header
information in both NEON functions for poll mode and event mode worker
functions.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
---
 examples/ipsec-secgw/ipsec_neon.h   | 41 +++++++++++++++++++++++++------------
 examples/ipsec-secgw/ipsec_worker.c | 30 +++++++++++++++++++--------
 2 files changed, 49 insertions(+), 22 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec_neon.h b/examples/ipsec-secgw/ipsec_neon.h
index 3f2d0a0..9c0498b 100644
--- a/examples/ipsec-secgw/ipsec_neon.h
+++ b/examples/ipsec-secgw/ipsec_neon.h
@@ -18,12 +18,13 @@ extern xmm_t val_eth[RTE_MAX_ETHPORTS];
  */
 static inline void
 processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
-		uint64_t tx_offloads, bool ip_cksum, uint8_t *l_pkt)
+		uint64_t tx_offloads, bool ip_cksum, bool is_ipv4, uint8_t *l_pkt)
 {
 	uint32x4_t te[FWDSTEP];
 	uint32x4_t ve[FWDSTEP];
 	uint32_t *p[FWDSTEP];
 	struct rte_mbuf *pkt;
+	uint32_t val;
 	uint8_t i;
 
 	for (i = 0; i < FWDSTEP; i++) {
@@ -38,7 +39,15 @@ processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
 		te[i] = vld1q_u32(p[i]);
 
 		/* Update last 4 bytes */
-		ve[i] = vsetq_lane_u32(vgetq_lane_u32(te[i], 3), ve[i], 3);
+		val = vgetq_lane_u32(te[i], 3);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+		val &= 0xFFFFUL << 16;
+		val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6);
+#else
+		val &= 0xFFFFUL;
+		val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6) << 16;
+#endif
+		ve[i] = vsetq_lane_u32(val, ve[i], 3);
 		vst1q_u32(p[i], ve[i]);
 
 		if (ip_cksum) {
@@ -64,10 +73,11 @@ processx4_step3(struct rte_mbuf *pkts[FWDSTEP], uint16_t dst_port[FWDSTEP],
  */
 static inline void
 process_packet(struct rte_mbuf *pkt, uint16_t *dst_port, uint64_t tx_offloads,
-	       bool ip_cksum, uint8_t *l_pkt)
+	       bool ip_cksum, bool is_ipv4, uint8_t *l_pkt)
 {
 	struct rte_ether_hdr *eth_hdr;
 	uint32x4_t te, ve;
+	uint32_t val;
 
 	/* Check if it is a large packet */
 	if (pkt->pkt_len - RTE_ETHER_HDR_LEN > mtu_size)
@@ -78,7 +88,15 @@ process_packet(struct rte_mbuf *pkt, uint16_t *dst_port, uint64_t tx_offloads,
 	te = vld1q_u32((uint32_t *)eth_hdr);
 	ve = vreinterpretq_u32_s32(val_eth[dst_port[0]]);
 
-	ve = vcopyq_laneq_u32(ve, 3, te, 3);
+	val = vgetq_lane_u32(te, 3);
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+	val &= 0xFFFFUL << 16;
+	val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6);
+#else
+	val &= 0xFFFFUL;
+	val |= rte_cpu_to_be_16(is_ipv4 ? RTE_ETHER_TYPE_IPV4 : RTE_ETHER_TYPE_IPV6) << 16;
+#endif
+	ve = vsetq_lane_u32(val, ve, 3);
 	vst1q_u32((uint32_t *)eth_hdr, ve);
 
 	if (ip_cksum) {
@@ -223,14 +241,14 @@ send_multi_pkts(struct rte_mbuf **pkts, uint16_t dst_port[MAX_PKT_BURST],
 		lp = pnum;
 		lp[0] = 1;
 
-		processx4_step3(pkts, dst_port, tx_offloads, ip_cksum, &l_pkt);
+		processx4_step3(pkts, dst_port, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 
 		/* dp1: <d[0], d[1], d[2], d[3], ... > */
 		dp1 = vld1q_u16(dst_port);
 
 		for (i = FWDSTEP; i != k; i += FWDSTEP) {
-			processx4_step3(&pkts[i], &dst_port[i], tx_offloads,
-					ip_cksum, &l_pkt);
+			processx4_step3(&pkts[i], &dst_port[i], tx_offloads, ip_cksum, is_ipv4,
+					&l_pkt);
 
 			/*
 			 * dp2:
@@ -268,20 +286,17 @@ send_multi_pkts(struct rte_mbuf **pkts, uint16_t dst_port[MAX_PKT_BURST],
 	/* Process up to last 3 packets one by one. */
 	switch (nb_rx % FWDSTEP) {
 	case 3:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 		i++;
 		/* fallthrough */
 	case 2:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 		i++;
 		/* fallthrough */
 	case 1:
-		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum,
-			       &l_pkt);
+		process_packet(pkts[i], dst_port + i, tx_offloads, ip_cksum, is_ipv4, &l_pkt);
 		GROUP_PORT_STEP(dlp, dst_port, lp, pnum, i);
 	}
 
diff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c
index 803157d..5e69450 100644
--- a/examples/ipsec-secgw/ipsec_worker.c
+++ b/examples/ipsec-secgw/ipsec_worker.c
@@ -53,11 +53,8 @@ process_ipsec_get_pkt_type(struct rte_mbuf *pkt, uint8_t **nlp)
 }
 
 static inline void
-update_mac_addrs(struct rte_mbuf *pkt, uint16_t portid)
+update_mac_addrs(struct rte_ether_hdr *ethhdr, uint16_t portid)
 {
-	struct rte_ether_hdr *ethhdr;
-
-	ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
 	memcpy(&ethhdr->src_addr, &ethaddr_tbl[portid].src, RTE_ETHER_ADDR_LEN);
 	memcpy(&ethhdr->dst_addr, &ethaddr_tbl[portid].dst, RTE_ETHER_ADDR_LEN);
 }
@@ -374,7 +371,7 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
 	/* else, we have a matching route */
 
 	/* Update mac addresses */
-	update_mac_addrs(pkt, port_id);
+	update_mac_addrs(rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *), port_id);
 
 	/* Update the event with the dest port */
 	ipsec_event_pre_forward(pkt, port_id);
@@ -392,6 +389,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 		struct rte_event *ev)
 {
 	struct rte_ipsec_session *sess;
+	struct rte_ether_hdr *ethhdr;
 	struct sa_ctx *sa_ctx;
 	struct rte_mbuf *pkt;
 	uint16_t port_id = 0;
@@ -430,6 +428,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 		goto drop_pkt_and_exit;
 	}
 
+	ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
 	/* Check if the packet has to be bypassed */
 	if (sa_idx == BYPASS) {
 		port_id = get_route(pkt, rt, type);
@@ -467,6 +466,9 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 
 	/* Mark the packet for Tx security offload */
 	pkt->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
+	/* Update ether type */
+	ethhdr->ether_type = (IS_IP4(sa->flags) ? rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4) :
+			      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6));
 
 	/* Get the port to which this pkt need to be submitted */
 	port_id = sa->portid;
@@ -476,7 +478,7 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
 	pkt->l2_len = RTE_ETHER_HDR_LEN;
 
 	/* Update mac addresses */
-	update_mac_addrs(pkt, port_id);
+	update_mac_addrs(ethhdr, port_id);
 
 	/* Update the event with the dest port */
 	ipsec_event_pre_forward(pkt, port_id);
@@ -494,6 +496,7 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		    struct ipsec_traffic *t, struct sa_ctx *sa_ctx)
 {
 	struct rte_ipsec_session *sess;
+	struct rte_ether_hdr *ethhdr;
 	uint32_t sa_idx, i, j = 0;
 	uint16_t port_id = 0;
 	struct rte_mbuf *pkt;
@@ -505,7 +508,8 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		port_id = route4_pkt(pkt, rt->rt4_ctx);
 		if (port_id != RTE_MAX_ETHPORTS) {
 			/* Update mac addresses */
-			update_mac_addrs(pkt, port_id);
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			update_mac_addrs(ethhdr, port_id);
 			/* Update the event with the dest port */
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
@@ -520,7 +524,8 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 		port_id = route6_pkt(pkt, rt->rt6_ctx);
 		if (port_id != RTE_MAX_ETHPORTS) {
 			/* Update mac addresses */
-			update_mac_addrs(pkt, port_id);
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			update_mac_addrs(ethhdr, port_id);
 			/* Update the event with the dest port */
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
@@ -553,7 +558,14 @@ ipsec_ev_route_pkts(struct rte_event_vector *vec, struct route_table *rt,
 
 			pkt->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
 			port_id = sa->portid;
-			update_mac_addrs(pkt, port_id);
+
+			/* Fetch outer ip type and update */
+			ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
+			ethhdr->ether_type = (IS_IP4(sa->flags) ?
+					      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4) :
+					      rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6));
+			update_mac_addrs(ethhdr, port_id);
+
 			ipsec_event_pre_forward(pkt, port_id);
 			ev_vector_attr_update(vec, pkt);
 			vec->mbufs[j++] = pkt;
-- 
2.8.4

Re: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline

[Nithin Kumar Dabilpuram]

Ping. Any thoughts on this ?

This is just clarification of existing assumptions for Inline Outbound 
that are being made.


On 2022-08-22 8:08 PM, Nithin Dabilpuram wrote:
> Clarify mbuf meta data needed for Outbound Inline processing.
> Application needs to provide mbuf.l3_len and L3 type in
> mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
> can make use of l3_len and l3_type to determine perform
> proper transport mode IPsec processing.
>
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
> v3:
> - Addressed comments on patch 4/5 and added acks.
> v2:
> - Modified ipsec-secgw to do ether type update for outbound path.
>
>   doc/guides/nics/features.rst | 2 +-
>   lib/mbuf/rte_mbuf_core.h     | 3 ++-
>   2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst
> index 7f6cb91..b4a8e98 100644
> --- a/doc/guides/nics/features.rst
> +++ b/doc/guides/nics/features.rst
> @@ -431,7 +431,7 @@ protocol operations. See security library and PMD documentation for more details
>   
>   * **[uses]       rte_eth_rxconf,rte_eth_rxmode**: ``offloads:RTE_ETH_RX_OFFLOAD_SECURITY``,
>   * **[uses]       rte_eth_txconf,rte_eth_txmode**: ``offloads:RTE_ETH_TX_OFFLOAD_SECURITY``.
> -* **[uses]       mbuf**: ``mbuf.l2_len``.
> +* **[uses]       mbuf**: ``mbuf.l2_len``, ``mbuf.l3_len``, ``mbuf.ol_flags``.
>   * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
>     ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``,
>     ``capabilities_get``.
> diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h
> index 3d6ddd6..b62a7c6 100644
> --- a/lib/mbuf/rte_mbuf_core.h
> +++ b/lib/mbuf/rte_mbuf_core.h
> @@ -267,7 +267,8 @@ extern "C" {
>   /**
>    * Request security offload processing on the TX packet.
>    * To use Tx security offload, the user needs to fill l2_len in mbuf
> - * indicating L2 header size and where L3 header starts.
> + * indicating L2 header size and where L3 header starts. Similarly,
> + * l3_len should also be filled along with ol_flags reflecting current L3 type.
>    */
>   #define RTE_MBUF_F_TX_SEC_OFFLOAD	(1ULL << 43)
>   #define PKT_TX_SEC_OFFLOAD RTE_DEPRECATED(PKT_TX_SEC_OFFLOAD) \

RE: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline

[Akhil Goyal]

> Ping. Any thoughts on this ?
> 
> This is just clarification of existing assumptions for Inline Outbound
> that are being made.
> 
> 
> On 2022-08-22 8:08 PM, Nithin Dabilpuram wrote:
> > Clarify mbuf meta data needed for Outbound Inline processing.
> > Application needs to provide mbuf.l3_len and L3 type in
> > mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
> > can make use of l3_len and l3_type to determine perform
> > proper transport mode IPsec processing.
> >
> > Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>

Series
Acked-by: Akhil Goyal <gakhil@marvell.com>

@Thomas : Can this series be merged into crypto tree?

Any objections?

RE: [PATCH v3 2/5] security: clarify L2 header requirement for outbound inline

[Akhil Goyal]

> 
> Clarify that for Outbound Inline IPsec processing, L2 header
> needs to be up to date with ether type which will be applicable
> post IPsec processing as the IPsec offload only touches L3 and above.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>

Re: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline

[Thomas Monjalon]

21/09/2022 20:21, Akhil Goyal:
> > Ping. Any thoughts on this ?
> > 
> > This is just clarification of existing assumptions for Inline Outbound
> > that are being made.
> > 
> > 
> > On 2022-08-22 8:08 PM, Nithin Dabilpuram wrote:
> > > Clarify mbuf meta data needed for Outbound Inline processing.
> > > Application needs to provide mbuf.l3_len and L3 type in
> > > mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
> > > can make use of l3_len and l3_type to determine perform
> > > proper transport mode IPsec processing.
> > >
> > > Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> 
> Series
> Acked-by: Akhil Goyal <gakhil@marvell.com>
> 
> @Thomas : Can this series be merged into crypto tree?
> 
> Any objections?

That's all about crypto, so that's perfectly fine to merge in crypto tree.

RE: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline

[Akhil Goyal]

> Subject: [PATCH v3 1/5] mbuf: clarify meta data needed for Outbound Inline
> 
> Clarify mbuf meta data needed for Outbound Inline processing.
> Application needs to provide mbuf.l3_len and L3 type in
> mbuf.ol_flags so that like tunnel mode using mbuf.l2_len, transport mode
> can make use of l3_len and l3_type to determine perform
> proper transport mode IPsec processing.
> 
> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
> ---
> v3:
> - Addressed comments on patch 4/5 and added acks.
> v2:
> - Modified ipsec-secgw to do ether type update for outbound path.
Series Applied to dpdk-next-crypto

Thanks.