d/numam-dpdk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
10b71caecb
numam-dpdk/examples/ipsec-secgw/ipsec.h

416 lines
9.0 KiB
C
Raw Normal View History

examples: use SPDX tag for Intel copyright files Replace the BSD license header with the SPDX tag for files with only an Intel copyright on them. Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
2017-12-19 15:49:02 +00:00
/* SPDX-License-Identifier: BSD-3-Clause
* Copyright(c) 2016-2017 Intel Corporation
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
*/
#ifndef __IPSEC_H__
#define __IPSEC_H__
#include <stdint.h>
#include <rte_byteorder.h>
#include <rte_crypto.h>
examples/ipsec-secgw: support security offload Ipsec-secgw application is modified so that it can support following type of actions for crypto operations 1. full protocol offload using crypto devices. 2. inline ipsec using ethernet devices to perform crypto operations 3. full protocol offload using ethernet devices. 4. non protocol offload Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com> Signed-off-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Declan Doherty <declan.doherty@intel.com> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
2017-10-25 15:07:27 +00:00
#include <rte_security.h>
#include <rte_flow.h>
examples/ipsec-secgw: make app to use IPsec library Changes to make ipsec-secgw to utilize librte_ipsec library. That patch provides: - changes in the related data structures. - changes in the initialization code. - new command-line parameters to enable librte_ipsec codepath and related features. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath. The main reason for that: - current librte_ipsec doesn't support all ipsec algorithms and features that the app does. - allow users to run both versions in parallel for some time to figure out any functional or performance degradation with the new code. It is planned to deprecate and remove non-librte_ipsec code path in future releases. Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:10 +00:00
#include <rte_ipsec.h>
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
examples/ipsec-secgw: add driver mode worker Add driver inbound and outbound worker thread for ipsec-secgw. In driver mode application does as little as possible. It simply forwards packets back to port from which traffic was received instructing HW to apply inline security processing using first outbound SA configured for a given port. If a port does not have SA configured outbound traffic on that port will be silently dropped. The aim of this mode is to measure HW capabilities. Driver mode is selected with single-sa option. The single-sa option accepts SA index however in event mode the SA index is ignored. Example command to run ipsec-secgw in driver mode: ipsec-secgw -w 0002:02:00.0,ipsec_in_max_spi=128 -w 0002:03:00.0,ipsec_in_max_spi=128 -w 0002:0e:00.0 -w 0002:10:00.1 --log-level=8 -c 0x1 -- -P -p 0x3 -u 0x1 -f aes-gcm.cfg --transfer-mode event --event-schedule-type parallel --single-sa 0 Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com> Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-02-27 16:18:33 +00:00
#include "ipsec-secgw.h"
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2
#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3
examples/ipsec-secgw: limit inflight packets count Revert previous patch that introduce a performance degradation in certain scenarios and add a configurable limit for number inflight packets. Revert commit 84d4b5e4ec48 ("examples/ipsec-secgw: improve IPsec dequeue logic") Cc: stable@dpdk.org Signed-off-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-05-09 08:58:41 +00:00
#define MAX_INFLIGHT 128
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
#define MAX_QP_PER_LCORE 256
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
examples/ipsec-secgw: handle ESN soft limit event For inline protocol processing, the PMD/device is required to maintain the ESN. But the application is required to monitor ESN overflow to initiate SA expiry. For such cases, application would set the ESN soft limit. An IPsec event would be raised by rte_eth_event framework, when ESN hits the soft limit set by the application. Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-04-11 06:40:45 +00:00
#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
cryptodev: move IV parameters to session Since IV parameters (offset and length) should not change for operations in the same session, these parameters are moved to the crypto transform structure, so they will be stored in the sessions. Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com> Acked-by: Declan Doherty <declan.doherty@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Acked-by: Fiona Trahe <fiona.trahe@intel.com>
2017-07-02 05:41:14 +00:00
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
#define DEFAULT_MAX_CATEGORIES 1
#define INVALID_SPI (0)
examples/ipsec-secgw: fix SPD no-match case acl_classify() returns zero value when no matching rule was found. Currently ipsec-secgw treats it as a valid SPI value, though it has to discard such packets. Error could be easily observed by sending outbound unmatched packets, user will see something like that in the log: IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0 To fix it we need to treat packets with zero result from acl_classify() as invalid ones. Also we can change DISCARD and BYPASS values to simplify checks and save some extra space for valid SPI values. To summarize the approach: 1. have special SPI values for DISCARD and BYPASS. 2. store in SPD full SPI value. 3. after acl_classify(), first check SPI value for DISCARD and BYPASS, then convert it in SA index. 4. add check at initilisation time that for each SPD rule there is a corresponding SA entry (with the same SPI). Also marked few global variables as *static*. Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6") Fixes: 2a5106af132b ("examples/ipsec-secgw: fix corner case for SPI value") Cc: stable@dpdk.org Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-04 12:13:26 +00:00
#define DISCARD INVALID_SPI
#define BYPASS UINT32_MAX
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
#define IPSEC_XFORM_MAX 2
examples/ipsec-secgw: support IPv6 Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel. We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6, but a common SA table. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:48 +00:00
#define IP6_VERSION (6)
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
struct rte_crypto_xform;
struct ipsec_xform;
struct rte_mbuf;
struct ipsec_sa;
examples/ipsec-secgw: implement inbound SAD Add initial support for librte_ipsec SAD library Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
2020-01-31 17:39:39 +00:00
/*
* Keeps number of configured SA's for each address family:
*/
struct ipsec_sa_cnt {
uint32_t nb_v4;
uint32_t nb_v6;
};
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
examples/ipsec-secgw: support IPv6 Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel. We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6, but a common SA table. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:48 +00:00
typedef int32_t (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
struct rte_crypto_op *cop);
examples/ipsec-secgw: support IPv6 Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel. We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6, but a common SA table. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:48 +00:00
struct ip_addr {
union {
uint32_t ip4;
union {
uint64_t ip6[2];
uint8_t ip6_b[16];
examples/ipsec-secgw: fix build with gcc 4.5 GCC 4.5.x does not handle well initializing anonymous union and/or structs. To make the compiler happy we name those anonymous union/struct. Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6") Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-07-19 11:06:00 +00:00
} ip6;
} ip;
examples/ipsec-secgw: support IPv6 Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel. We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6, but a common SA table. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:48 +00:00
};
examples/ipsec-secgw: support 192/256 AES key sizes Adding support for the following, 1. AES-192-GCM 2. AES-256-GCM 3. AES-192-CBC Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-07 06:30:42 +00:00
#define MAX_KEY_SIZE 36
examples/ipsec-secgw: support configuration file This patch adds the configuration file support to ipsec_secgw sample application. Instead of hard-coded rules, the users can specify their own SP, SA, and routing rules in the configuration file. A command line option "-f" is added to pass the configuration file location to the application. Configuration item formats: SP rule format: sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip> \ <proto> <sport> <dport> SA rule format: sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> \ <mode> <src_ip> <dst_ip> Routing rule format: rt <ip_ver> <src_ip> <dst_ip> <port> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-09-21 12:05:18 +00:00
examples/ipsec-secgw: make app to use IPsec library Changes to make ipsec-secgw to utilize librte_ipsec library. That patch provides: - changes in the related data structures. - changes in the initialization code. - new command-line parameters to enable librte_ipsec codepath and related features. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath. The main reason for that: - current librte_ipsec doesn't support all ipsec algorithms and features that the app does. - allow users to run both versions in parallel for some time to figure out any functional or performance degradation with the new code. It is planned to deprecate and remove non-librte_ipsec code path in future releases. Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:10 +00:00
/*
* application wide SA parameters
*/
struct app_sa_prm {
uint32_t enable; /* use librte_ipsec API for ipsec pkt processing */
uint32_t window_size; /* replay window size */
uint32_t enable_esn; /* enable/disable ESN support */
examples/ipsec-secgw: add SAD cache Introduce SAD cache. Stores the most recent SA in a per lcore cache. Cache represents flat array containing SA's indexed by SPI. Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
2020-01-31 17:39:43 +00:00
uint32_t cache_sz; /* per lcore SA cache size */
examples/ipsec-secgw: make app to use IPsec library Changes to make ipsec-secgw to utilize librte_ipsec library. That patch provides: - changes in the related data structures. - changes in the initialization code. - new command-line parameters to enable librte_ipsec codepath and related features. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath. The main reason for that: - current librte_ipsec doesn't support all ipsec algorithms and features that the app does. - allow users to run both versions in parallel for some time to figure out any functional or performance degradation with the new code. It is planned to deprecate and remove non-librte_ipsec code path in future releases. Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:10 +00:00
uint64_t flags; /* rte_ipsec_sa_prm.flags */
};
extern struct app_sa_prm app_sa_prm;
examples/ipsec-secgw: add default flow for inline Rx The default flow created would enable security processing on all ESP packets. If the default flow is created, SA based rte_flow creation would be skipped. Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com> Signed-off-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-02-27 16:18:23 +00:00
struct flow_info {
struct rte_flow *rx_def_flow;
};
extern struct flow_info flow_info_tbl[RTE_MAX_ETHPORTS];
examples/ipsec-secgw: support fallback session Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload" as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch. Fallback session feature is not available in the legacy mode. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:40 +00:00
enum {
IPSEC_SESSION_PRIMARY = 0,
IPSEC_SESSION_FALLBACK = 1,
IPSEC_SESSION_MAX
};
#define IPSEC_SA_OFFLOAD_FALLBACK_FLAG (1)
static inline struct ipsec_sa *
ipsec_mask_saptr(void *ptr)
{
uintptr_t i = (uintptr_t)ptr;
static const uintptr_t mask = IPSEC_SA_OFFLOAD_FALLBACK_FLAG;
i &= ~mask;
return (struct ipsec_sa *)i;
}
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
struct ipsec_sa {
examples/ipsec-secgw: support fallback session Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload" as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch. Fallback session feature is not available in the legacy mode. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:40 +00:00
struct rte_ipsec_session sessions[IPSEC_SESSION_MAX];
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
uint32_t spi;
uint32_t cdev_id_qp;
examples/ipsec-secgw: change CBC IV generation NIST SP800-38A recommends two methods to generate unpredictable IVs (Initilisation Vector) for CBC mode: 1) Apply the forward function to a nonce (ie. counter) 2) Use a FIPS-approved random number generator This patch implements the first recommended method by using the forward function to generate the IV. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-09-29 15:44:07 +00:00
uint64_t seq;
uint32_t salt;
examples/ipsec-secgw: support fallback session Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload" as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch. Fallback session feature is not available in the legacy mode. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:40 +00:00
uint32_t fallback_sessions;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
enum rte_crypto_cipher_algorithm cipher_algo;
enum rte_crypto_auth_algorithm auth_algo;
examples/ipsec-secgw: add AEAD parameters Since there is a new operation type (AEAD), add parameters for this in the application. Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com> Acked-by: Declan Doherty <declan.doherty@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Acked-by: Fiona Trahe <fiona.trahe@intel.com>
2017-07-02 05:41:24 +00:00
enum rte_crypto_aead_algorithm aead_algo;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
uint16_t digest_len;
uint16_t iv_len;
uint16_t block_size;
uint16_t flags;
examples/ipsec-secgw: support IPv6 Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel. We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6, but a common SA table. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:48 +00:00
#define IP4_TUNNEL (1 << 0)
#define IP6_TUNNEL (1 << 1)
examples/ipsec-secgw: support transport mode IPSec transport mode support. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:49 +00:00
#define TRANSPORT (1 << 2)
examples/ipsec-secgw: fix inline modes Application ipsec-secgw is not working for IPv4 transport mode and for IPv6 both transport and tunnel mode. IPv6 tunnel mode is not working due to wrongly assigned fields of security association patterns, as it was IPv4, during creation of inline crypto session. IPv6 and IPv4 transport mode is iterating through security capabilities until it reaches tunnel, which causes session to be created as tunnel, instead of transport. Another issue, is that config file does not provide source and destination ip addresses for transport mode, which are required by NIC to perform inline crypto. It uses default addresses stored in security association (all zeroes), which causes dropped packages. To fix that, reorganization of code in create_session() is needed, to behave appropriately to given protocol (IPv6/IPv4). Change in iteration through security capabilities is also required, to check for expected mode (not only tunnel). For lack of addresses issue, some resolving mechanism is needed. Approach is to store addresses in security association, as it is for tunnel mode. Difference is that they are obtained from sp rules, instead of config file. To do that, sp[4/6]_spi_present() function is used to find addresses based on spi value, and then stored in corresponding sa rule. This approach assumes, that every sp rule for inline crypto have valid addresses, as well as range of addresses is not supported. New flags for ipsec_sa structure are required to distinguish between IPv4 and IPv6 transport modes. Because of that, there is need to change all checks done on these flags, so they work as expected. Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec") Cc: stable@dpdk.org Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-06-26 13:26:17 +00:00
#define IP4_TRANSPORT (1 << 3)
#define IP6_TRANSPORT (1 << 4)
examples/ipsec-secgw: support IPv6 Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel. We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6, but a common SA table. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:48 +00:00
struct ip_addr src;
struct ip_addr dst;
examples/ipsec-secgw: support configuration file This patch adds the configuration file support to ipsec_secgw sample application. Instead of hard-coded rules, the users can specify their own SP, SA, and routing rules in the configuration file. A command line option "-f" is added to pass the configuration file location to the application. Configuration item formats: SP rule format: sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip> \ <proto> <sport> <dport> SA rule format: sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> \ <mode> <src_ip> <dst_ip> Routing rule format: rt <ip_ver> <src_ip> <dst_ip> <port> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-09-21 12:05:18 +00:00
uint8_t cipher_key[MAX_KEY_SIZE];
uint16_t cipher_key_len;
uint8_t auth_key[MAX_KEY_SIZE];
uint16_t auth_key_len;
examples/ipsec-secgw: add AES-GCM Add support for AES-GCM (Galois-Counter Mode). RFC4106: The Use of Galois-Counter Mode (GCM) in IPSec ESP. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-09-29 15:44:09 +00:00
uint16_t aad_len;
examples/ipsec-secgw: support security offload Ipsec-secgw application is modified so that it can support following type of actions for crypto operations 1. full protocol offload using crypto devices. 2. inline ipsec using ethernet devices to perform crypto operations 3. full protocol offload using ethernet devices. 4. non protocol offload Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com> Signed-off-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Declan Doherty <declan.doherty@intel.com> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
2017-10-25 15:07:27 +00:00
union {
struct rte_crypto_sym_xform *xforms;
struct rte_security_ipsec_xform *sec_xform;
};
enum rte_security_ipsec_sa_direction direction;
uint16_t portid;
examples/ipsec-secgw: support flow director Support load distribution in security gateway application using NIC load distribution feature (Flow Director). Flow Director is used to redirect the specified inbound ipsec flow to a specified queue. This is achieved by extending the SA rule syntax to support specification by adding new action_type of <flow-direction> to a specified <port_id> <queue_id>. Signed-off-by: Praveen Shetty <praveen.shetty@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-16 16:47:29 +00:00
uint8_t fdir_qid;
uint8_t fdir_flag;
examples/ipsec-secgw: support security offload Ipsec-secgw application is modified so that it can support following type of actions for crypto operations 1. full protocol offload using crypto devices. 2. inline ipsec using ethernet devices to perform crypto operations 3. full protocol offload using ethernet devices. 4. non protocol offload Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com> Signed-off-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Declan Doherty <declan.doherty@intel.com> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
2017-10-25 15:07:27 +00:00
#define MAX_RTE_FLOW_PATTERN (4)
examples/ipsec-secgw: add target queues in flow actions Mellanox INNOVA NIC needs to have final target queue actions to perform inline crypto. Signed-off-by: Nelio Laranjeiro <nelio.laranjeiro@6wind.com> Acked-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
2017-12-18 10:24:36 +00:00
#define MAX_RTE_FLOW_ACTIONS (3)
examples/ipsec-secgw: support security offload Ipsec-secgw application is modified so that it can support following type of actions for crypto operations 1. full protocol offload using crypto devices. 2. inline ipsec using ethernet devices to perform crypto operations 3. full protocol offload using ethernet devices. 4. non protocol offload Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com> Signed-off-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Declan Doherty <declan.doherty@intel.com> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
2017-10-25 15:07:27 +00:00
struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
struct rte_flow_attr attr;
union {
struct rte_flow_item_ipv4 ipv4_spec;
struct rte_flow_item_ipv6 ipv6_spec;
};
struct rte_flow_item_esp esp_spec;
struct rte_flow *flow;
struct rte_security_session_conf sess_conf;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
} __rte_cache_aligned;
examples/ipsec-secgw: add event mode Add eventmode support to ipsec-secgw. With the aid of event helper configure and use the eventmode capabilities. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-02-27 16:18:32 +00:00
struct ipsec_xf {
struct rte_crypto_sym_xform a;
struct rte_crypto_sym_xform b;
};
struct ipsec_sad {
struct rte_ipsec_sad *sad_v4;
struct rte_ipsec_sad *sad_v6;
};
struct sa_ctx {
void *satbl; /* pointer to array of rte_ipsec_sa objects*/
struct ipsec_sad sad;
struct ipsec_xf *xf;
uint32_t nb_sa;
struct ipsec_sa sa[];
};
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
struct ipsec_mbuf_metadata {
struct ipsec_sa *sa;
struct rte_crypto_op cop;
struct rte_crypto_sym_op sym_cop;
examples/ipsec-secgw: move IV to crypto op private data Usually, IV will change for each crypto operation. Therefore, instead of pointing at the same location, IV is copied after each crypto operation. This will let the IV to be passed as an offset from the beginning of the crypto operation, instead of a pointer. Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com> Acked-by: Declan Doherty <declan.doherty@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Acked-by: Fiona Trahe <fiona.trahe@intel.com>
2017-07-02 05:41:12 +00:00
uint8_t buf[32];
examples/ipsec-secgw: change CBC IV generation NIST SP800-38A recommends two methods to generate unpredictable IVs (Initilisation Vector) for CBC mode: 1) Apply the forward function to a nonce (ie. counter) 2) Use a FIPS-approved random number generator This patch implements the first recommended method by using the forward function to generate the IV. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-09-29 15:44:07 +00:00
} __rte_cache_aligned;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
examples/ipsec-secgw: fix inline modes Application ipsec-secgw is not working for IPv4 transport mode and for IPv6 both transport and tunnel mode. IPv6 tunnel mode is not working due to wrongly assigned fields of security association patterns, as it was IPv4, during creation of inline crypto session. IPv6 and IPv4 transport mode is iterating through security capabilities until it reaches tunnel, which causes session to be created as tunnel, instead of transport. Another issue, is that config file does not provide source and destination ip addresses for transport mode, which are required by NIC to perform inline crypto. It uses default addresses stored in security association (all zeroes), which causes dropped packages. To fix that, reorganization of code in create_session() is needed, to behave appropriately to given protocol (IPv6/IPv4). Change in iteration through security capabilities is also required, to check for expected mode (not only tunnel). For lack of addresses issue, some resolving mechanism is needed. Approach is to store addresses in security association, as it is for tunnel mode. Difference is that they are obtained from sp rules, instead of config file. To do that, sp[4/6]_spi_present() function is used to find addresses based on spi value, and then stored in corresponding sa rule. This approach assumes, that every sp rule for inline crypto have valid addresses, as well as range of addresses is not supported. New flags for ipsec_sa structure are required to distinguish between IPv4 and IPv6 transport modes. Because of that, there is need to change all checks done on these flags, so they work as expected. Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec") Cc: stable@dpdk.org Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-06-26 13:26:17 +00:00
#define IS_TRANSPORT(flags) ((flags) & TRANSPORT)
#define IS_TUNNEL(flags) ((flags) & (IP4_TUNNEL | IP6_TUNNEL))
#define IS_IP4(flags) ((flags) & (IP4_TUNNEL | IP4_TRANSPORT))
#define IS_IP6(flags) ((flags) & (IP6_TUNNEL | IP6_TRANSPORT))
#define IS_IP4_TUNNEL(flags) ((flags) & IP4_TUNNEL)
#define IS_IP6_TUNNEL(flags) ((flags) & IP6_TUNNEL)
/*
* Macro for getting ipsec_sa flags statuses without version of protocol
* used for transport (IP4_TRANSPORT and IP6_TRANSPORT flags).
*/
#define WITHOUT_TRANSPORT_VERSION(flags) \
((flags) & (IP4_TUNNEL | \
IP6_TUNNEL | \
TRANSPORT))
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
struct cdev_qp {
uint16_t id;
uint16_t qp;
uint16_t in_flight;
uint16_t len;
struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
};
struct ipsec_ctx {
struct rte_hash *cdev_map;
examples/ipsec-secgw: support IPv6 Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel. We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6, but a common SA table. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:48 +00:00
struct sp_ctx *sp4_ctx;
struct sp_ctx *sp6_ctx;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
struct sa_ctx *sa_ctx;
uint16_t nb_qps;
uint16_t last_qp;
struct cdev_qp tbl[MAX_QP_PER_LCORE];
cryptodev: do not create session mempool internally Instead of creating the session mempool while configuring the crypto device, apps will create the mempool themselves. This way, it gives flexibility to the user to have a single mempool for all devices (as long as the objects are big enough to contain the biggest private session size) or separate mempools for different drivers. Also, since the mempool is now created outside the device configuration function, now it needs to be passed through this function, which will be eventually passed when setting up the queue pairs, as ethernet devices do. Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com> Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com> Acked-by: Declan Doherty <declan.doherty@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2017-07-05 05:26:12 +00:00
struct rte_mempool *session_pool;
examples: use separate crypto session mempools This patch uses the two session mempool approach to all cryptodev sample applications. One mempool is for session header objects, and the other is for session private data. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Fiona Trahe <fiona.trahe@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 14:50:15 +00:00
struct rte_mempool *session_priv_pool;
examples/ipsec_secgw: create session mempools for ethdevs Also moved offloaded packets from cryptodev queues Signed-off-by: Radu Nicolau <radu.nicolau@intel.com> Reviewed-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-01-18 15:41:43 +00:00
struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
uint16_t ol_pkts_cnt;
examples/ipsec-secgw: allow disabling some Rx/Tx offloads Right now ipsec-secgw always enables TX offloads (DEV_TX_OFFLOAD_MULTI_SEGS, DEV_TX_OFFLOAD_SECURITY), even when they are not requested by the config. That causes many PMD to choose full-featured TX function, which in many cases is much slower then one without offloads. That patch adds ability for the user to disable unneeded HW offloads. If DEV_TX_OFFLOAD_IPV4_CKSUM is disabled by user, then SW version of ip cksum calculation is used. That allows to use vector TX function, when inline-ipsec is not requested. Signed-off-by: Remy Horton <remy.horton@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:04 +00:00
uint64_t ipv4_offloads;
uint64_t ipv6_offloads;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
};
struct cdev_key {
uint16_t lcore_id;
uint8_t cipher_algo;
uint8_t auth_algo;
examples/ipsec-secgw: fix crypto device mapping AEAD algorithms were not being added in the mapping between algorithms and crypto devices, only cipher and authentication chained algorithms. Fixes: 501e9c226adf ("examples/ipsec-secgw: add AEAD parameters") Cc: stable@dpdk.org Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2017-10-24 12:48:57 +00:00
uint8_t aead_algo;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
};
struct socket_ctx {
examples/ipsec-secgw: support IPv6 Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel. We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6, but a common SA table. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:48 +00:00
struct sa_ctx *sa_in;
struct sa_ctx *sa_out;
struct sp_ctx *sp_ip4_in;
struct sp_ctx *sp_ip4_out;
struct sp_ctx *sp_ip6_in;
struct sp_ctx *sp_ip6_out;
struct rt_ctx *rt_ip4;
struct rt_ctx *rt_ip6;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
struct rte_mempool *mbuf_pool;
examples/ipsec-secgw: support fragmentation and reassembly Add optional ability to fragment packet bigger then mtu, and reassemble fragmented packet. To minimize possible performance effect, reassembly is implemented as RX callback. To support these features ipsec-secgw relies on librte_ipsec ability to handle multi-segment packets. Also when reassemble/fragmentation support is enabled, attached crypto devices have to support 'In Place SGL' offload capability. To enable/disable this functionality, two new optional command-line options are introduced: --reassemble <val> - number of entries in reassemble table --mtu <val> - MTU value for all attached ports As separate '--mtu' option is introduced, '-j <val>' option is now used to specify mbuf data buffer size only. Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-06-25 23:16:47 +00:00
struct rte_mempool *mbuf_pool_indir;
cryptodev: do not create session mempool internally Instead of creating the session mempool while configuring the crypto device, apps will create the mempool themselves. This way, it gives flexibility to the user to have a single mempool for all devices (as long as the objects are big enough to contain the biggest private session size) or separate mempools for different drivers. Also, since the mempool is now created outside the device configuration function, now it needs to be passed through this function, which will be eventually passed when setting up the queue pairs, as ethernet devices do. Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com> Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com> Acked-by: Declan Doherty <declan.doherty@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2017-07-05 05:26:12 +00:00
struct rte_mempool *session_pool;
examples: use separate crypto session mempools This patch uses the two session mempool approach to all cryptodev sample applications. One mempool is for session header objects, and the other is for session private data. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Fiona Trahe <fiona.trahe@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 14:50:15 +00:00
struct rte_mempool *session_priv_pool;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
};
examples/ipsec-secgw: change CBC IV generation NIST SP800-38A recommends two methods to generate unpredictable IVs (Initilisation Vector) for CBC mode: 1) Apply the forward function to a nonce (ie. counter) 2) Use a FIPS-approved random number generator This patch implements the first recommended method by using the forward function to generate the IV. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-09-29 15:44:07 +00:00
struct cnt_blk {
uint32_t salt;
uint64_t iv;
uint32_t cnt;
replace packed attributes There is a common macro __rte_packed for packing structs, which is now used where appropriate for consistency. Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
2020-02-09 17:29:23 +00:00
} __rte_packed;
examples/ipsec-secgw: change CBC IV generation NIST SP800-38A recommends two methods to generate unpredictable IVs (Initilisation Vector) for CBC mode: 1) Apply the forward function to a nonce (ie. counter) 2) Use a FIPS-approved random number generator This patch implements the first recommended method by using the forward function to generate the IV. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-09-29 15:44:07 +00:00
examples/ipsec-secgw: add driver mode worker Add driver inbound and outbound worker thread for ipsec-secgw. In driver mode application does as little as possible. It simply forwards packets back to port from which traffic was received instructing HW to apply inline security processing using first outbound SA configured for a given port. If a port does not have SA configured outbound traffic on that port will be silently dropped. The aim of this mode is to measure HW capabilities. Driver mode is selected with single-sa option. The single-sa option accepts SA index however in event mode the SA index is ignored. Example command to run ipsec-secgw in driver mode: ipsec-secgw -w 0002:02:00.0,ipsec_in_max_spi=128 -w 0002:03:00.0,ipsec_in_max_spi=128 -w 0002:0e:00.0 -w 0002:10:00.1 --log-level=8 -c 0x1 -- -P -p 0x3 -u 0x1 -f aes-gcm.cfg --transfer-mode event --event-schedule-type parallel --single-sa 0 Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com> Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-02-27 16:18:33 +00:00
/* Socket ctx */
extern struct socket_ctx socket_ctx[NB_SOCKETS];
void
ipsec_poll_mode_worker(void);
int
ipsec_launch_one_lcore(void *args);
examples/ipsec-secgw: add event mode Add eventmode support to ipsec-secgw. With the aid of event helper configure and use the eventmode capabilities. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-02-27 16:18:32 +00:00
extern struct ipsec_sa *sa_out;
extern uint32_t nb_sa_out;
extern struct ipsec_sa *sa_in;
extern uint32_t nb_sa_in;
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
uint16_t
ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
uint16_t nb_pkts, uint16_t len);
uint16_t
ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
examples/ipsec-secgw: fix crypto-op might never get dequeued In some cases crypto-ops could never be dequeued from the crypto-device. The easiest way to reproduce: start ipsec-secgw with crypto-dev and send to it less then 32 packets. none packets will be forwarded. Reason for that is that the application does dequeue() from crypto-queues only when new packets arrive. This patch makes the app to call dequeue() on a regular basis. Also to make code cleaner and easier to understand, it separates crypto-dev enqueue() and dequeue() code paths. pkt_process() now only enqueues packets into crypto device, dequeuing and final processing is done by drain_crypto_queues(). Fixes: c64278c0c18b ("examples/ipsec-secgw: rework processing loop") Cc: stable@dpdk.org Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:06 +00:00
uint16_t
ipsec_inbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
uint16_t len);
uint16_t
ipsec_outbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
uint16_t len);
examples/ipsec-secgw: make data-path to use IPsec library Changes to make ipsec-secgw data-path code to utilize librte_ipsec library. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath. Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:11 +00:00
void
ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);
void
ipsec_cqp_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
static inline uint16_t
ipsec_metadata_size(void)
{
return sizeof(struct ipsec_mbuf_metadata);
}
static inline struct ipsec_mbuf_metadata *
get_priv(struct rte_mbuf *m)
{
examples/ipsec-secgw: use function to access mbuf private Update get_priv() to use rte_mbuf_to_priv() to access the private area in the mbuf. In inbound_sa_check(), use the application's get_priv() function to access the private area in the mbuf. Signed-off-by: Dan Gora <dg@adax.com>
2018-06-18 23:36:18 +00:00
return rte_mbuf_to_priv(m);
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
}
examples/ipsec-secgw: change CBC IV generation NIST SP800-38A recommends two methods to generate unpredictable IVs (Initilisation Vector) for CBC mode: 1) Apply the forward function to a nonce (ie. counter) 2) Use a FIPS-approved random number generator This patch implements the first recommended method by using the forward function to generate the IV. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-09-29 15:44:07 +00:00
static inline void *
get_cnt_blk(struct rte_mbuf *m)
{
struct ipsec_mbuf_metadata *priv = get_priv(m);
return &priv->buf[0];
}
examples/ipsec-secgw: add AES-GCM Add support for AES-GCM (Galois-Counter Mode). RFC4106: The Use of Galois-Counter Mode (GCM) in IPSec ESP. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-09-29 15:44:09 +00:00
static inline void *
get_aad(struct rte_mbuf *m)
{
struct ipsec_mbuf_metadata *priv = get_priv(m);
return &priv->buf[16];
}
examples/ipsec-secgw: change CBC IV generation NIST SP800-38A recommends two methods to generate unpredictable IVs (Initilisation Vector) for CBC mode: 1) Apply the forward function to a nonce (ie. counter) 2) Use a FIPS-approved random number generator This patch implements the first recommended method by using the forward function to generate the IV. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-09-29 15:44:07 +00:00
static inline void *
get_sym_cop(struct rte_crypto_op *cop)
{
return (cop + 1);
}
examples/ipsec-secgw: clean SA structure Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure: * cryptodev/security session union * action type * offload flags * security context References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure. Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:39 +00:00
static inline struct rte_ipsec_session *
examples/ipsec-secgw: support fallback session Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload" as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch. Fallback session feature is not available in the legacy mode. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:40 +00:00
ipsec_get_primary_session(struct ipsec_sa *sa)
{
return &sa->sessions[IPSEC_SESSION_PRIMARY];
}
static inline struct rte_ipsec_session *
ipsec_get_fallback_session(struct ipsec_sa *sa)
examples/ipsec-secgw: clean SA structure Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure: * cryptodev/security session union * action type * offload flags * security context References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure. Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:39 +00:00
{
examples/ipsec-secgw: support fallback session Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload" as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch. Fallback session feature is not available in the legacy mode. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:40 +00:00
return &sa->sessions[IPSEC_SESSION_FALLBACK];
examples/ipsec-secgw: clean SA structure Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure: * cryptodev/security session union * action type * offload flags * security context References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure. Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:39 +00:00
}
static inline enum rte_security_session_action_type
ipsec_get_action_type(struct ipsec_sa *sa)
{
struct rte_ipsec_session *ips;
examples/ipsec-secgw: support fallback session Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload" as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch. Fallback session feature is not available in the legacy mode. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:40 +00:00
ips = ipsec_get_primary_session(sa);
examples/ipsec-secgw: clean SA structure Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure: * cryptodev/security session union * action type * offload flags * security context References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure. Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:39 +00:00
return ips->type;
}
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
int
inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
void
inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
examples/ipsec-secgw: support fallback session Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload" as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch. Fallback session feature is not available in the legacy mode. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:40 +00:00
void *sa[], uint16_t nb_pkts);
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
void
outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
examples/ipsec-secgw: support fallback session Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload" as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch. Fallback session feature is not available in the legacy mode. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:40 +00:00
void *sa[], uint16_t nb_pkts);
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
void
examples/ipsec-secgw: support configuration file This patch adds the configuration file support to ipsec_secgw sample application. Instead of hard-coded rules, the users can specify their own SP, SA, and routing rules in the configuration file. A command line option "-f" is added to pass the configuration file location to the application. Configuration item formats: SP rule format: sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip> \ <proto> <sport> <dport> SA rule format: sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> \ <mode> <src_ip> <dst_ip> Routing rule format: rt <ip_ver> <src_ip> <dst_ip> <port> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-09-21 12:05:18 +00:00
sp4_init(struct socket_ctx *ctx, int32_t socket_id);
examples/ipsec-secgw: support IPv6 Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel. We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6, but a common SA table. Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-09 08:42:48 +00:00
void
examples/ipsec-secgw: support configuration file This patch adds the configuration file support to ipsec_secgw sample application. Instead of hard-coded rules, the users can specify their own SP, SA, and routing rules in the configuration file. A command line option "-f" is added to pass the configuration file location to the application. Configuration item formats: SP rule format: sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip> \ <proto> <sport> <dport> SA rule format: sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> \ <mode> <src_ip> <dst_ip> Routing rule format: rt <ip_ver> <src_ip> <dst_ip> <port> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-09-21 12:05:18 +00:00
sp6_init(struct socket_ctx *ctx, int32_t socket_id);
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
examples/ipsec-secgw: make app to use IPsec library Changes to make ipsec-secgw to utilize librte_ipsec library. That patch provides: - changes in the related data structures. - changes in the initialization code. - new command-line parameters to enable librte_ipsec codepath and related features. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath. The main reason for that: - current librte_ipsec doesn't support all ipsec algorithms and features that the app does. - allow users to run both versions in parallel for some time to figure out any functional or performance degradation with the new code. It is planned to deprecate and remove non-librte_ipsec code path in future releases. Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:10 +00:00
/*
* Search through SP rules for given SPI.
* Returns first rule index if found(greater or equal then zero),
* or -ENOENT otherwise.
*/
int
examples/ipsec-secgw: fix inline modes Application ipsec-secgw is not working for IPv4 transport mode and for IPv6 both transport and tunnel mode. IPv6 tunnel mode is not working due to wrongly assigned fields of security association patterns, as it was IPv4, during creation of inline crypto session. IPv6 and IPv4 transport mode is iterating through security capabilities until it reaches tunnel, which causes session to be created as tunnel, instead of transport. Another issue, is that config file does not provide source and destination ip addresses for transport mode, which are required by NIC to perform inline crypto. It uses default addresses stored in security association (all zeroes), which causes dropped packages. To fix that, reorganization of code in create_session() is needed, to behave appropriately to given protocol (IPv6/IPv4). Change in iteration through security capabilities is also required, to check for expected mode (not only tunnel). For lack of addresses issue, some resolving mechanism is needed. Approach is to store addresses in security association, as it is for tunnel mode. Difference is that they are obtained from sp rules, instead of config file. To do that, sp[4/6]_spi_present() function is used to find addresses based on spi value, and then stored in corresponding sa rule. This approach assumes, that every sp rule for inline crypto have valid addresses, as well as range of addresses is not supported. New flags for ipsec_sa structure are required to distinguish between IPv4 and IPv6 transport modes. Because of that, there is need to change all checks done on these flags, so they work as expected. Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec") Cc: stable@dpdk.org Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-06-26 13:26:17 +00:00
sp4_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
uint32_t mask[2]);
examples/ipsec-secgw: make app to use IPsec library Changes to make ipsec-secgw to utilize librte_ipsec library. That patch provides: - changes in the related data structures. - changes in the initialization code. - new command-line parameters to enable librte_ipsec codepath and related features. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath. The main reason for that: - current librte_ipsec doesn't support all ipsec algorithms and features that the app does. - allow users to run both versions in parallel for some time to figure out any functional or performance degradation with the new code. It is planned to deprecate and remove non-librte_ipsec code path in future releases. Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:10 +00:00
int
examples/ipsec-secgw: fix inline modes Application ipsec-secgw is not working for IPv4 transport mode and for IPv6 both transport and tunnel mode. IPv6 tunnel mode is not working due to wrongly assigned fields of security association patterns, as it was IPv4, during creation of inline crypto session. IPv6 and IPv4 transport mode is iterating through security capabilities until it reaches tunnel, which causes session to be created as tunnel, instead of transport. Another issue, is that config file does not provide source and destination ip addresses for transport mode, which are required by NIC to perform inline crypto. It uses default addresses stored in security association (all zeroes), which causes dropped packages. To fix that, reorganization of code in create_session() is needed, to behave appropriately to given protocol (IPv6/IPv4). Change in iteration through security capabilities is also required, to check for expected mode (not only tunnel). For lack of addresses issue, some resolving mechanism is needed. Approach is to store addresses in security association, as it is for tunnel mode. Difference is that they are obtained from sp rules, instead of config file. To do that, sp[4/6]_spi_present() function is used to find addresses based on spi value, and then stored in corresponding sa rule. This approach assumes, that every sp rule for inline crypto have valid addresses, as well as range of addresses is not supported. New flags for ipsec_sa structure are required to distinguish between IPv4 and IPv6 transport modes. Because of that, there is need to change all checks done on these flags, so they work as expected. Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec") Cc: stable@dpdk.org Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-06-26 13:26:17 +00:00
sp6_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
uint32_t mask[2]);
examples/ipsec-secgw: make app to use IPsec library Changes to make ipsec-secgw to utilize librte_ipsec library. That patch provides: - changes in the related data structures. - changes in the initialization code. - new command-line parameters to enable librte_ipsec codepath and related features. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath. The main reason for that: - current librte_ipsec doesn't support all ipsec algorithms and features that the app does. - allow users to run both versions in parallel for some time to figure out any functional or performance degradation with the new code. It is planned to deprecate and remove non-librte_ipsec code path in future releases. Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:10 +00:00
examples/ipsec-secgw: fix SPD no-match case acl_classify() returns zero value when no matching rule was found. Currently ipsec-secgw treats it as a valid SPI value, though it has to discard such packets. Error could be easily observed by sending outbound unmatched packets, user will see something like that in the log: IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0 To fix it we need to treat packets with zero result from acl_classify() as invalid ones. Also we can change DISCARD and BYPASS values to simplify checks and save some extra space for valid SPI values. To summarize the approach: 1. have special SPI values for DISCARD and BYPASS. 2. store in SPD full SPI value. 3. after acl_classify(), first check SPI value for DISCARD and BYPASS, then convert it in SA index. 4. add check at initilisation time that for each SPD rule there is a corresponding SA entry (with the same SPI). Also marked few global variables as *static*. Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6") Fixes: 2a5106af132b ("examples/ipsec-secgw: fix corner case for SPI value") Cc: stable@dpdk.org Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-04 12:13:26 +00:00
/*
* Search through SA entries for given SPI.
* Returns first entry index if found(greater or equal then zero),
* or -ENOENT otherwise.
*/
int
examples/ipsec-secgw: integrate inbound SAD Integrate ipsec SAD support into secgw app: 1. Use SAD library for inbound SA lookup 2. Changes in struct sa_ctx: - sa array allocates dynamically depending on number of configured sa - All SA's are kept one by one without using SPI2IDX 3. SP's userdata now contain index of SA in sa_ctx instead of SPI 4. Get rid of SPI2IDX macro Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
2020-01-31 17:39:40 +00:00
sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound);
examples/ipsec-secgw: fix SPD no-match case acl_classify() returns zero value when no matching rule was found. Currently ipsec-secgw treats it as a valid SPI value, though it has to discard such packets. Error could be easily observed by sending outbound unmatched packets, user will see something like that in the log: IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0 To fix it we need to treat packets with zero result from acl_classify() as invalid ones. Also we can change DISCARD and BYPASS values to simplify checks and save some extra space for valid SPI values. To summarize the approach: 1. have special SPI values for DISCARD and BYPASS. 2. store in SPD full SPI value. 3. after acl_classify(), first check SPI value for DISCARD and BYPASS, then convert it in SA index. 4. add check at initilisation time that for each SPD rule there is a corresponding SA entry (with the same SPI). Also marked few global variables as *static*. Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6") Fixes: 2a5106af132b ("examples/ipsec-secgw: fix corner case for SPI value") Cc: stable@dpdk.org Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-04 12:13:26 +00:00
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
void
examples/ipsec-secgw: support configuration file This patch adds the configuration file support to ipsec_secgw sample application. Instead of hard-coded rules, the users can specify their own SP, SA, and routing rules in the configuration file. A command line option "-f" is added to pass the configuration file location to the application. Configuration item formats: SP rule format: sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip> \ <proto> <sport> <dport> SA rule format: sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> \ <mode> <src_ip> <dst_ip> Routing rule format: rt <ip_ver> <src_ip> <dst_ip> <port> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-09-21 12:05:18 +00:00
sa_init(struct socket_ctx *ctx, int32_t socket_id);
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
void
examples/ipsec-secgw: support configuration file This patch adds the configuration file support to ipsec_secgw sample application. Instead of hard-coded rules, the users can specify their own SP, SA, and routing rules in the configuration file. A command line option "-f" is added to pass the configuration file location to the application. Configuration item formats: SP rule format: sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip> \ <proto> <sport> <dport> SA rule format: sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> \ <mode> <src_ip> <dst_ip> Routing rule format: rt <ip_ver> <src_ip> <dst_ip> <port> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-09-21 12:05:18 +00:00
rt_init(struct socket_ctx *ctx, int32_t socket_id);
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
examples/ipsec-secgw: allow disabling some Rx/Tx offloads Right now ipsec-secgw always enables TX offloads (DEV_TX_OFFLOAD_MULTI_SEGS, DEV_TX_OFFLOAD_SECURITY), even when they are not requested by the config. That causes many PMD to choose full-featured TX function, which in many cases is much slower then one without offloads. That patch adds ability for the user to disable unneeded HW offloads. If DEV_TX_OFFLOAD_IPV4_CKSUM is disabled by user, then SW version of ip cksum calculation is used. That allows to use vector TX function, when inline-ipsec is not requested. Signed-off-by: Remy Horton <remy.horton@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:04 +00:00
int
sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
uint64_t *tx_offloads);
examples/ipsec-secgw: allow to specify neighbour MAC address In some cases it is useful to allow user to specify destination ether address for outgoing packets. This patch adds such ability by introducing new 'neigh' config file option. Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:05 +00:00
int
net: add rte prefix to ether structures Add 'rte_' prefix to structures: - rename struct ether_addr as struct rte_ether_addr. - rename struct ether_hdr as struct rte_ether_hdr. - rename struct vlan_hdr as struct rte_vlan_hdr. - rename struct vxlan_hdr as struct rte_vxlan_hdr. - rename struct vxlan_gpe_hdr as struct rte_vxlan_gpe_hdr. Do not update the command line library to avoid adding a dependency to librte_net. Signed-off-by: Olivier Matz <olivier.matz@6wind.com> Reviewed-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com> Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-05-21 16:13:03 +00:00
add_dst_ethaddr(uint16_t port, const struct rte_ether_addr *addr);
examples/ipsec-secgw: allow to specify neighbour MAC address In some cases it is useful to allow user to specify destination ether address for outgoing packets. This patch adds such ability by introducing new 'neigh' config file option. Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:05 +00:00
examples/ipsec-secgw: fix crypto-op might never get dequeued In some cases crypto-ops could never be dequeued from the crypto-device. The easiest way to reproduce: start ipsec-secgw with crypto-dev and send to it less then 32 packets. none packets will be forwarded. Reason for that is that the application does dequeue() from crypto-queues only when new packets arrive. This patch makes the app to call dequeue() on a regular basis. Also to make code cleaner and easier to understand, it separates crypto-dev enqueue() and dequeue() code paths. pkt_process() now only enqueues packets into crypto device, dequeuing and final processing is done by drain_crypto_queues(). Fixes: c64278c0c18b ("examples/ipsec-secgw: rework processing loop") Cc: stable@dpdk.org Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:06 +00:00
void
enqueue_cop_burst(struct cdev_qp *cqp);
examples/ipsec-secgw: make data-path to use IPsec library Changes to make ipsec-secgw data-path code to utilize librte_ipsec library. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath. Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:11 +00:00
int
examples/ipsec-secgw: clean SA structure Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure: * cryptodev/security session union * action type * offload flags * security context References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure. Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:39 +00:00
create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
struct rte_ipsec_session *ips);
examples/ipsec-secgw: fix first packet with inline crypto Inline crypto installs a flow rule in the NIC. This flow rule must be installed before the first inbound packet is received. The create_session() function installs the flow rule, create_session() has been refactored into create_inline_session() and create_lookaside_session(). The create_inline_session() function uses the socket_ctx data and is now called at initialisation in sa_add_rules(). The max_session_size() function has been added to calculate memory requirements. The cryprodev_init() function has been refactored to drop calls to rte_mempool_create() and to drop calculation of memory requirements. The main() function has been refactored to call max_session_size() and to call session_pool_init() and session_priv_pool_init() earlier. The ports are started now before adding a flow rule in main(). The sa_init(), sp4_init(), sp6_init() and rt_init() functions are now called after the ports have been started. The rte_ipsec_session_prepare() function is called in fill_ipsec_session() for inline which is called from the ipsec_sa_init() function. Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application") Cc: stable@dpdk.org Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-07-19 12:22:32 +00:00
int
examples/ipsec-secgw: clean SA structure Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure: * cryptodev/security session union * action type * offload flags * security context References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure. Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing. Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
2019-10-14 13:48:39 +00:00
create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
struct rte_ipsec_session *ips);
examples/ipsec-secgw: support flow director Support load distribution in security gateway application using NIC load distribution feature (Flow Director). Flow Director is used to redirect the specified inbound ipsec flow to a specified queue. This is achieved by extending the SA rule syntax to support specification by adding new action_type of <flow-direction> to a specified <port_id> <queue_id>. Signed-off-by: Praveen Shetty <praveen.shetty@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-16 16:47:29 +00:00
int
check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid);
int
create_ipsec_esp_flow(struct ipsec_sa *sa);
examples/ipsec-secgw: make data-path to use IPsec library Changes to make ipsec-secgw data-path code to utilize librte_ipsec library. Note that right now by default current (non-librte_ipsec) code-path will be used. User has to run application with new command-line option ('-l') to enable new codepath. Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com> Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 21:09:11 +00:00
examples/ipsec-secgw: remove limitation for crypto sessions Get rid of hardcoded limit of cryptodev sessions. Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com> Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2020-04-20 19:16:35 +00:00
uint32_t
get_nb_crypto_sessions(void);
examples/ipsec-secgw: add IPsec sample application Sample app implementing an IPsec Security Geteway. The main goal of this app is to show the use of cryptodev framework in a "real world" application. Currently only supported static IPv4 ESP IPsec tunnels for the following algorithms: - Cipher: AES-CBC, NULL - Authentication: HMAC-SHA1, NULL Not supported: - SA auto negotiation (No IKE implementation) - chained mbufs Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 02:12:40 +00:00
#endif /* __IPSEC_H__ */
Reference in New Issue Copy Permalink