Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/90849/?format=api
{ "id": 90849, "url": "http://patchwork.dpdk.org/api/patches/90849/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/patch/20210408081720.23314-4-ktejasree@marvell.com/", "project": { "id": 1, "url": "http://patchwork.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20210408081720.23314-4-ktejasree@marvell.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20210408081720.23314-4-ktejasree@marvell.com", "date": "2021-04-08T08:17:19", "name": "[v3,3/4] examples/ipsec-secgw: add UDP encapsulation support", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "d69e17dd9c4a4309b4c2607d5db8f920df2a97da", "submitter": { "id": 1789, "url": "http://patchwork.dpdk.org/api/people/1789/?format=api", "name": "Tejasree Kondoj", "email": "ktejasree@marvell.com" }, "delegate": { "id": 6690, "url": "http://patchwork.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patchwork.dpdk.org/project/dpdk/patch/20210408081720.23314-4-ktejasree@marvell.com/mbox/", "series": [ { "id": 16192, "url": "http://patchwork.dpdk.org/api/series/16192/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/list/?series=16192", "date": "2021-04-08T08:17:18", "name": "add lookaside IPsec UDP encapsulation and transport mode", "version": 3, "mbox": "http://patchwork.dpdk.org/series/16192/mbox/" } ], "comments": "http://patchwork.dpdk.org/api/patches/90849/comments/", "check": "success", "checks": "http://patchwork.dpdk.org/api/patches/90849/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 39C8DA0579;\n\tThu, 8 Apr 2021 09:54:06 +0200 (CEST)", "from [217.70.189.124] (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 26C4F1410D7;\n\tThu, 8 Apr 2021 09:54:06 +0200 (CEST)", "from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com\n [67.231.148.174])\n by mails.dpdk.org (Postfix) with ESMTP id 8AE671410D7\n for <dev@dpdk.org>; Thu, 8 Apr 2021 09:54:04 +0200 (CEST)", "from pps.filterd (m0045849.ppops.net [127.0.0.1])\n by mx0a-0016f401.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id\n 1387oKGr007507; Thu, 8 Apr 2021 00:54:03 -0700", "from dc5-exch02.marvell.com ([199.233.59.182])\n by mx0a-0016f401.pphosted.com with ESMTP id 37shqxj4wa-2\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);\n Thu, 08 Apr 2021 00:54:03 -0700", "from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.2;\n Thu, 8 Apr 2021 00:54:01 -0700", "from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com\n (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend\n Transport; Thu, 8 Apr 2021 00:54:02 -0700", "from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11])\n by maili.marvell.com (Postfix) with ESMTP id 12B3F5C6934;\n Thu, 8 Apr 2021 00:21:32 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=6/twnTy3eQgMa6PfFm7pHV5UjkKkozUmH5uy4N0slN4=;\n b=ar5huAs16iXVIjmryP30jA/2VKxpjXMYkfg0eEYja+X1EitAMomakXN3bs7NdAmVWXcV\n Sy6IGbiX2U35W1HqOjQL6kkK++gDxnatKUOJ5TAg67VNlXm+PKe3JJdcx+GO5uzYBtCZ\n lWyhPv8Z5wV12HZ0Qtsi6OpqsIPcpC4fMbQ7NUaba4JML67RWVdgZ9Lvi6Et+jIyE+KB\n oMF5lWsJYmYTXCVolrgPGl0Vyx/c5XS0kMeRrIs9HCNagLffo47oL5HVqOx43DcFzVGZ\n 0VRldDmq9/iJ7qs++Qvk756/WzTQYX2cp4rjW2aZ76Xl7c0M66bxLyU01v3g9IPTs/s1 ow==", "From": "Tejasree Kondoj <ktejasree@marvell.com>", "To": "Akhil Goyal <gakhil@marvell.com>, Radu Nicolau <radu.nicolau@intel.com>,\n Konstantin Ananyev <konstantin.ananyev@intel.com>", "CC": "Tejasree Kondoj <ktejasree@marvell.com>,\n Anoob Joseph <anoobj@marvell.com>,\n Ankur Dwivedi <adwivedi@marvell.com>, Jerin Jacob\n <jerinj@marvell.com>, <dev@dpdk.org>", "Date": "Thu, 8 Apr 2021 13:47:19 +0530", "Message-ID": "<20210408081720.23314-4-ktejasree@marvell.com>", "X-Mailer": "git-send-email 2.27.0", "In-Reply-To": "<20210408081720.23314-1-ktejasree@marvell.com>", "References": "<20210408081720.23314-1-ktejasree@marvell.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Content-Type": "text/plain", "X-Proofpoint-ORIG-GUID": "NZHj9dAa1B0RFTXynt0_O24RnhCF9QGx", "X-Proofpoint-GUID": "NZHj9dAa1B0RFTXynt0_O24RnhCF9QGx", "X-Proofpoint-Virus-Version": "vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761\n definitions=2021-04-08_02:2021-04-08,\n 2021-04-08 signatures=0", "Subject": "[dpdk-dev] [PATCH v3 3/4] examples/ipsec-secgw: add UDP\n encapsulation support", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Adding lookaside IPsec UDP encapsulation support\nfor NAT traversal.\nApplication has to add udp-encap option to sa config file\nto enable UDP encapsulation on the SA.\n\nSigned-off-by: Tejasree Kondoj <ktejasree@marvell.com>\n---\n doc/guides/rel_notes/release_21_05.rst | 5 +++\n doc/guides/sample_app_ug/ipsec_secgw.rst | 15 +++++++-\n examples/ipsec-secgw/ipsec-secgw.c | 49 +++++++++++++++++++++---\n examples/ipsec-secgw/ipsec-secgw.h | 2 +\n examples/ipsec-secgw/ipsec.c | 9 +++++\n examples/ipsec-secgw/ipsec.h | 2 +\n examples/ipsec-secgw/sa.c | 18 +++++++++\n examples/ipsec-secgw/sad.h | 6 ++-\n 8 files changed, 98 insertions(+), 8 deletions(-)", "diff": "diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst\nindex c9e9e2ec22..d71422c452 100644\n--- a/doc/guides/rel_notes/release_21_05.rst\n+++ b/doc/guides/rel_notes/release_21_05.rst\n@@ -141,6 +141,11 @@ New Features\n * Added command to display Rx queue used descriptor count.\n ``show port (port_id) rxq (queue_id) desc used count``\n \n+* **Updated ipsec-secgw sample application.**\n+\n+ * Updated the ``ipsec-secgw`` sample application with UDP encapsulation\n+ support for NAT Traversal.\n+\n \n Removed Items\n -------------\ndiff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst\nindex 176e292d3f..2dc39aa50a 100644\n--- a/doc/guides/sample_app_ug/ipsec_secgw.rst\n+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst\n@@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:\n \n sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>\n <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>\n- <flow-direction> <port_id> <queue_id>\n+ <flow-direction> <port_id> <queue_id> <udp-encap>\n \n where each options means:\n \n@@ -709,6 +709,17 @@ where each options means:\n * *port_id*: Port ID of the NIC for which the SA is configured.\n * *queue_id*: Queue ID to which traffic should be redirected.\n \n+ ``<udp-encap>``\n+\n+ * Option to enable IPsec UDP encapsulation for NAT Traversal.\n+ Only *lookaside-protocol-offload* mode is supported at the moment.\n+\n+ * Optional: Yes, it is disabled by default\n+\n+ * Syntax:\n+\n+ * *udp-encap*\n+\n Example SA rules:\n \n .. code-block:: console\n@@ -1023,4 +1034,4 @@ Available options:\n * ``-h`` Show usage.\n \n If <ipsec_mode> is specified, only tests for that mode will be invoked. For the\n-list of available modes please refer to run_test.sh.\n\\ No newline at end of file\n+list of available modes please refer to run_test.sh.\ndiff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c\nindex 20d69ba813..0555d6d00f 100644\n--- a/examples/ipsec-secgw/ipsec-secgw.c\n+++ b/examples/ipsec-secgw/ipsec-secgw.c\n@@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;\n /* application wide librte_ipsec/SA parameters */\n struct app_sa_prm app_sa_prm = {\n \t\t\t.enable = 0,\n-\t\t\t.cache_sz = SA_CACHE_SZ\n+\t\t\t.cache_sz = SA_CACHE_SZ,\n+\t\t\t.udp_encap = 0\n \t\t};\n static const char *cfgfile;\n \n@@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)\n \tconst struct rte_ether_hdr *eth;\n \tconst struct rte_ipv4_hdr *iph4;\n \tconst struct rte_ipv6_hdr *iph6;\n+\tconst struct rte_udp_hdr *udp;\n+\tuint16_t ip4_hdr_len;\n+\tuint16_t nat_port;\n \n \teth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);\n \tif (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {\n@@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)\n \t\t\tRTE_ETHER_HDR_LEN);\n \t\tadjust_ipv4_pktlen(pkt, iph4, 0);\n \n-\t\tif (iph4->next_proto_id == IPPROTO_ESP)\n+\t\tswitch (iph4->next_proto_id) {\n+\t\tcase IPPROTO_ESP:\n \t\t\tt->ipsec.pkts[(t->ipsec.num)++] = pkt;\n-\t\telse {\n+\t\t\tbreak;\n+\t\tcase IPPROTO_UDP:\n+\t\t\tif (app_sa_prm.udp_encap == 1) {\n+\t\t\t\tip4_hdr_len = ((iph4->version_ihl &\n+\t\t\t\t\tRTE_IPV4_HDR_IHL_MASK) *\n+\t\t\t\t\tRTE_IPV4_IHL_MULTIPLIER);\n+\t\t\t\tudp = rte_pktmbuf_mtod_offset(pkt,\n+\t\t\t\t\tstruct rte_udp_hdr *, ip4_hdr_len);\n+\t\t\t\tnat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);\n+\t\t\t\tif (udp->src_port == nat_port ||\n+\t\t\t\t\tudp->dst_port == nat_port){\n+\t\t\t\t\tt->ipsec.pkts[(t->ipsec.num)++] = pkt;\n+\t\t\t\t\tpkt->packet_type |=\n+\t\t\t\t\t\tRTE_PTYPE_TUNNEL_ESP_IN_UDP;\n+\t\t\t\t\tbreak;\n+\t\t\t\t}\n+\t\t\t}\n+\t\t/* Fall through */\n+\t\tdefault:\n \t\t\tt->ip4.data[t->ip4.num] = &iph4->next_proto_id;\n \t\t\tt->ip4.pkts[(t->ip4.num)++] = pkt;\n \t\t}\n@@ -403,9 +426,25 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)\n \t\t\treturn;\n \t\t}\n \n-\t\tif (next_proto == IPPROTO_ESP)\n+\t\tswitch (iph6->proto) {\n+\t\tcase IPPROTO_ESP:\n \t\t\tt->ipsec.pkts[(t->ipsec.num)++] = pkt;\n-\t\telse {\n+\t\t\tbreak;\n+\t\tcase IPPROTO_UDP:\n+\t\t\tif (app_sa_prm.udp_encap == 1) {\n+\t\t\t\tudp = rte_pktmbuf_mtod_offset(pkt,\n+\t\t\t\t\tstruct rte_udp_hdr *, l3len);\n+\t\t\t\tnat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);\n+\t\t\t\tif (udp->src_port == nat_port ||\n+\t\t\t\t\tudp->dst_port == nat_port){\n+\t\t\t\t\tt->ipsec.pkts[(t->ipsec.num)++] = pkt;\n+\t\t\t\t\tpkt->packet_type |=\n+\t\t\t\t\t\tRTE_PTYPE_TUNNEL_ESP_IN_UDP;\n+\t\t\t\t\tbreak;\n+\t\t\t\t}\n+\t\t\t}\n+\t\t/* Fall through */\n+\t\tdefault:\n \t\t\tt->ip6.data[t->ip6.num] = &iph6->proto;\n \t\t\tt->ip6.pkts[(t->ip6.num)++] = pkt;\n \t\t}\ndiff --git a/examples/ipsec-secgw/ipsec-secgw.h b/examples/ipsec-secgw/ipsec-secgw.h\nindex f2281e73cf..6887d752ab 100644\n--- a/examples/ipsec-secgw/ipsec-secgw.h\n+++ b/examples/ipsec-secgw/ipsec-secgw.h\n@@ -47,6 +47,8 @@\n \n #define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))\n \n+#define IPSEC_NAT_T_PORT 4500\n+\n struct traffic_type {\n \tconst uint8_t *data[MAX_PKT_BURST * 2];\n \tstruct rte_mbuf *pkts[MAX_PKT_BURST * 2];\ndiff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c\nindex 6baeeb342f..2d35536f57 100644\n--- a/examples/ipsec-secgw/ipsec.c\n+++ b/examples/ipsec-secgw/ipsec.c\n@@ -52,6 +52,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)\n \tipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;\n \tipsec->replay_win_sz = app_sa_prm.window_size;\n \tipsec->options.esn = app_sa_prm.enable_esn;\n+\tipsec->options.udp_encap = sa->udp_encap;\n }\n \n int\n@@ -556,6 +557,14 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,\n \t\t\t\tcontinue;\n \t\t\t}\n \n+\t\t\tif (unlikely((pkts[i]->packet_type &\n+\t\t\t\t\tRTE_PTYPE_TUNNEL_ESP_IN_UDP) ==\n+\t\t\t\t\tRTE_PTYPE_TUNNEL_ESP_IN_UDP &&\n+\t\t\t\t\tsa->udp_encap != 1)) {\n+\t\t\t\tfree_pkts(&pkts[i], 1);\n+\t\t\t\tcontinue;\n+\t\t\t}\n+\n \t\t\tsym_cop = get_sym_cop(&priv->cop);\n \t\t\tsym_cop->m_src = pkts[i];\n \ndiff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h\nindex 7031e28c46..ae5058de27 100644\n--- a/examples/ipsec-secgw/ipsec.h\n+++ b/examples/ipsec-secgw/ipsec.h\n@@ -75,6 +75,7 @@ struct app_sa_prm {\n \tuint32_t window_size; /* replay window size */\n \tuint32_t enable_esn; /* enable/disable ESN support */\n \tuint32_t cache_sz;\t/* per lcore SA cache size */\n+\tuint32_t udp_encap; /* enable/disable UDP Encapsulation */\n \tuint64_t flags; /* rte_ipsec_sa_prm.flags */\n };\n \n@@ -136,6 +137,7 @@ struct ipsec_sa {\n \t\tstruct rte_security_ipsec_xform *sec_xform;\n \t};\n \tenum rte_security_ipsec_sa_direction direction;\n+\tuint8_t udp_encap;\n \tuint16_t portid;\n \tuint8_t fdir_qid;\n \tuint8_t fdir_flag;\ndiff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c\nindex cd1397531a..7bb9ef36c2 100644\n--- a/examples/ipsec-secgw/sa.c\n+++ b/examples/ipsec-secgw/sa.c\n@@ -298,6 +298,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,\n \tuint32_t portid_p = 0;\n \tuint32_t fallback_p = 0;\n \tint16_t status_p = 0;\n+\tuint16_t udp_encap_p = 0;\n \n \tif (strcmp(tokens[0], \"in\") == 0) {\n \t\tri = &nb_sa_in;\n@@ -757,6 +758,23 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,\n \t\t\t}\n \t\t\tcontinue;\n \t\t}\n+\t\tif (strcmp(tokens[ti], \"udp-encap\") == 0) {\n+\t\t\tAPP_CHECK(ips->type ==\n+\t\t\t\tRTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,\n+\t\t\t\tstatus, \"UDP encapsulation is allowed if the \"\n+\t\t\t\t\"session is of type lookaside-protocol-offload \"\n+\t\t\t\t\"only.\");\n+\t\t\tif (status->status < 0)\n+\t\t\t\treturn;\n+\t\t\tAPP_CHECK_PRESENCE(udp_encap_p, tokens[ti], status);\n+\t\t\tif (status->status < 0)\n+\t\t\t\treturn;\n+\n+\t\t\trule->udp_encap = 1;\n+\t\t\tapp_sa_prm.udp_encap = 1;\n+\t\t\tudp_encap_p = 1;\n+\t\t\tcontinue;\n+\t\t}\n \n \t\t/* unrecognizeable input */\n \t\tAPP_CHECK(0, status, \"unrecognized input \\\"%s\\\"\",\ndiff --git a/examples/ipsec-secgw/sad.h b/examples/ipsec-secgw/sad.h\nindex 473aaa938e..751cf7afae 100644\n--- a/examples/ipsec-secgw/sad.h\n+++ b/examples/ipsec-secgw/sad.h\n@@ -77,6 +77,7 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],\n \tuint32_t spi, cache_idx;\n \tstruct ipsec_sad_cache *cache;\n \tstruct ipsec_sa *cached_sa;\n+\tuint16_t udp_hdr_len = 0;\n \tint is_ipv4;\n \n \tcache = &RTE_PER_LCORE(sad_cache);\n@@ -85,8 +86,11 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],\n \tfor (i = 0; i < nb_pkts; i++) {\n \t\tipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *);\n \t\tipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *);\n+\t\tif ((pkts[i]->packet_type & RTE_PTYPE_TUNNEL_ESP_IN_UDP) ==\n+\t\t\t\tRTE_PTYPE_TUNNEL_ESP_IN_UDP)\n+\t\t\tudp_hdr_len = sizeof(struct rte_udp_hdr);\n \t\tesp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *,\n-\t\t\t\tpkts[i]->l3_len);\n+\t\t\t\tpkts[i]->l3_len + udp_hdr_len);\n \n \t\tis_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4;\n \t\tspi = rte_be_to_cpu_32(esp->spi);\n", "prefixes": [ "v3", "3/4" ] }