From patchwork Tue Mar 21 15:24:38 2017
X-Patchwork-Submitter: Petri Savolainen
X-Patchwork-Id: 95663
From: Petri Savolainen
Date: Tue, 21 Mar 2017 17:24:38 +0200
Message-ID: <1490109879-4247-2-git-send-email-petri.savolainen@linaro.org>
In-Reply-To: <1490109879-4247-1-git-send-email-petri.savolainen@linaro.org>
References: <1490109879-4247-1-git-send-email-petri.savolainen@linaro.org>
Subject: [lng-odp] [API-NEXT PATCH v2 2/3] api: ipsec: add inline IPSEC support

Added support for inline IPSEC processing on packet input and output. Inline mode IPSEC and traffic manager cannot be enabled (currently) on the same pktio interface.

Signed-off-by: Petri Savolainen
---
 include/odp/api/spec/ipsec.h | 348 ++++++++++++++++++++++++++++++++++++---
 include/odp/api/spec/packet_io.h | 32 ++++
 2 files changed, 355 insertions(+), 25 deletions(-)

-- 
2.8.1

diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h index e951e49..23d02cf 100644 --- a/include/odp/api/spec/ipsec.h +++ b/include/odp/api/spec/ipsec.h @@ -19,6 +19,8 @@ extern "C" { #endif #include +#include +#include /** @defgroup odp_ipsec ODP IPSEC * Operations of IPSEC API. 
@@ -51,11 +53,43 @@ typedef enum odp_ipsec_op_mode_t { * Application uses asynchronous IPSEC operations, * which return results via events. */ - ODP_IPSEC_OP_MODE_ASYNC + ODP_IPSEC_OP_MODE_ASYNC, + + /** Inline IPSEC operation + * + * Packet input/output is connected directly to IPSEC inbound/outbound + * processing. Application uses asynchronous or inline IPSEC + * operations. + */ + ODP_IPSEC_OP_MODE_INLINE, + + /** IPSEC is disabled in inbound / outbound direction */ + ODP_IPSEC_OP_MODE_DISABLED } odp_ipsec_op_mode_t; /** + * Protocol layers in IPSEC configuration + */ +typedef enum odp_ipsec_proto_layer_t { + /** No layers */ + ODP_IPSEC_LAYER_NONE = 0, + + /** Layer L2 protocols (Ethernet, VLAN, etc) */ + ODP_IPSEC_LAYER_L2, + + /** Layer L3 protocols (IPv4, IPv6, ICMP, IPSec, etc) */ + ODP_IPSEC_LAYER_L3, + + /** Layer L4 protocols (UDP, TCP, SCTP) */ + ODP_IPSEC_LAYER_L4, + + /** All layers */ + ODP_IPSEC_LAYER_ALL + +} odp_ipsec_proto_layer_t; + +/** * Configuration options for IPSEC inbound processing */ typedef struct odp_ipsec_inbound_config_t { 
@@ -77,9 +111,113 @@ typedef struct odp_ipsec_inbound_config_t { uint32_t max; } spi; + /** Retain outer headers + * + * Select up to which protocol layer (at least) outer headers are + * retained in inbound inline processing. Default value is + * ODP_IPSEC_LAYER_NONE. + * + * ODP_IPSEC_LAYER_NONE: Application does not require any outer + * headers to be retained. + * + * ODP_IPSEC_LAYER_L2: Retain headers up to layer 2. + * + * ODP_IPSEC_LAYER_L3: Retain headers up to layer 3, otherwise the + * same as ODP_IPSEC_LAYER_ALL. + * + * ODP_IPSEC_LAYER_L4: Retain headers up to layer 4, otherwise the + * same as ODP_IPSEC_LAYER_ALL. + * + * ODP_IPSEC_LAYER_ALL: In tunnel mode, all headers before IPSEC are + * retained. In transport mode, all headers + * before IP (carrying IPSEC) are retained. + * + */ + odp_ipsec_proto_layer_t retain_outer; + + /** Parse packet headers in IPSEC payload + * + * Select header parsing level after inbound processing. Packet headers + * in IPSEC payload must be parsed (at least) up to this level. + * Default value is ODP_IPSEC_LAYER_NONE. + * + * Note that IPSec payload is never a L2 packet (ODP_IPSEC_LAYER_L2 + * equals ODP_IPSEC_LAYER_NONE). In transport mode, IPSEC payload + * starts after IP header (ODP_IPSEC_LAYER_L3 equals + * ODP_IPSEC_LAYER_NONE). + */ + odp_ipsec_proto_layer_t parse; + + /** Flags to control IPSEC payload data checks up to the selected parse + * level. */ + union { + struct { + /** Check IPv4 header checksum in IPSEC payload. + * Default value is 0. */ + uint32_t ipv4_chksum : 1; + + /** Check UDP checksum in IPSEC payload. + * Default value is 0. */ + uint32_t udp_chksum : 1; + + /** Check TCP checksum in IPSEC payload. + * Default value is 0. */ + uint32_t tcp_chksum : 1; + + /** Check SCTP checksum in IPSEC payload. + * Default value is 0. 
*/ + uint32_t sctp_chksum : 1; + } check; + + /** All bits of the bit field structure + * + * This field can be used to set/clear all flags, or bitwise + * operations over the entire structure. */ + uint32_t all_check; + }; + } odp_ipsec_inbound_config_t; /** + * Configuration options for IPSEC outbound processing + */ +typedef struct odp_ipsec_outbound_config_t { + /** Flags to control L3/L4 checksum insertion as part of outbound + * packet processing. Packet must have set with valid L3/L4 offsets. + * Checksum configuration is ignored for packets that checksum cannot + * be computed for (e.g. IPv4 fragments). Application may use a packet + * metadata flag to disable checksum insertion per packet bases. + */ + union { + struct { + /** Insert IPv4 header checksum on the payload packet + * before IPSEC transformation. Default value is 0. */ + uint32_t inner_ipv4 : 1; + + /** Insert UDP header checksum on the payload packet + * before IPSEC transformation. Default value is 0. */ + uint32_t inner_udp : 1; + + /** Insert TCP header checksum on the payload packet + * before IPSEC transformation. Default value is 0. */ + uint32_t inner_tcp : 1; + + /** Insert SCTP header checksum on the payload packet + * before IPSEC transformation. Default value is 0. */ + uint32_t inner_sctp : 1; + + } chksum; + + /** All bits of the bit field structure + * + * This field can be used to set/clear all flags, or bitwise + * operations over the entire structure. */ + uint32_t all_chksum; + }; + +} odp_ipsec_outbound_config_t; + +/** * IPSEC capability */ typedef struct odp_ipsec_capability_t { 
@@ -102,6 +240,24 @@ typedef struct odp_ipsec_capability_t { */ uint8_t op_mode_async; + /** Inline IPSEC operation mode (ODP_IPSEC_OP_MODE_INLINE) support + * + * 0: Inline IPSEC operation is not supported + * 1: Inline IPSEC operation is supported + * 2: Inline IPSEC operation is supported and preferred + */ + uint8_t op_mode_inline; + + /** Support of inline classification (ODP_IPSEC_DEST_CLS) for resulting + * inbound packets. + * + * 0: Inline classification of resulting packets is not supported + * 1: Inline classification of resulting packets is supported + * 2: Inline classification of resulting packets is supported and + * preferred + */ + uint8_t cls_inline; + /** Soft expiry limit in seconds support * * 0: Limit is not supported @@ -128,12 +284,19 @@ typedef struct odp_ipsec_capability_t { * IPSEC configuration options */ typedef struct odp_ipsec_config_t { - /** IPSEC operation mode. Application selects which mode (sync or async) - * will be used for IPSEC operations. + /** Inbound IPSEC operation mode. Application selects which mode + * will be used for inbound IPSEC operations. * * @see odp_ipsec_in(), odp_ipsec_in_enq() */ - odp_ipsec_op_mode_t op_mode; + odp_ipsec_op_mode_t inbound_mode; + + /** Outbound IPSEC operation mode. Application selects which mode + * will be used for outbound IPSEC operations. + * + * @see odp_ipsec_out(), odp_ipsec_out_enq(), odp_ipsec_out_inline() + */ + odp_ipsec_op_mode_t outbound_mode; /** Maximum number of IPSEC SAs that application will use * simultaneously */ @@ -142,6 +305,9 @@ typedef struct odp_ipsec_config_t { /** IPSEC inbound processing configuration */ odp_ipsec_inbound_config_t inbound; + /** IPSEC outbound processing configuration */ + odp_ipsec_outbound_config_t outbound; + } odp_ipsec_config_t; /** 
@@ -381,11 +547,29 @@ typedef enum odp_ipsec_lookup_mode_t { ODP_IPSEC_LOOKUP_DISABLED = 0, /** Inbound SA lookup is enabled. Used SPI values must be unique. */ - ODP_IPSEC_LOOKUP_IN_UNIQUE_SA + ODP_IPSEC_LOOKUP_IN_UNIQUE_SPI, + + /** Inbound SA lookup is enabled. Lookup matches both SPI and + * destination IP address. Used SPI values must be unique. */ + ODP_IPSEC_LOOKUP_IN_DSTADDR_UNIQUE_SPI } odp_ipsec_lookup_mode_t; /** + * Result event destination + */ +typedef enum odp_ipsec_dest_mode_t { + /** Destination for IPSEC result events is a queue. */ + ODP_IPSEC_DEST_QUEUE = 0, + + /** Destination for IPSEC result events is the classifier. + * IPSEC capability 'cls_inline' determines if inline classification + * is supported. */ + ODP_IPSEC_DEST_CLS + +} odp_ipsec_dest_mode_t; + +/** * IPSEC Security Association (SA) parameters */ typedef struct odp_ipsec_sa_param_t { @@ -426,6 +610,17 @@ typedef struct odp_ipsec_sa_param_t { /** SPI value */ uint32_t spi; + /** Additional inbound SA lookup parameters. Values are considered + * only in ODP_IPSEC_LOOKUP_IN_DSTADDR_UNIQUE_SPI lookup mode. */ + struct { + /* v4 or v6 */ + uint8_t ip_version; + + /* IP destination address (NETWORK ENDIAN) */ + void *dst_addr; + + } lookup_param; + /** MTU for outbound IP fragmentation offload * * This is the maximum length of IP packets that outbound IPSEC 
@@ -434,13 +629,32 @@ typedef struct odp_ipsec_sa_param_t { */ uint32_t mtu; + /** Select where IPSEC result events are sent + * + * Asynchronous and inline modes generate result events. Select where + * those events are sent. Inbound SAs may choose between a queue or + * the classifier. Outbound SAs must define a queue always. + * The default value is ODP_IPSEC_DEST_QUEUE. + */ + odp_ipsec_dest_mode_t dest_mode; + /** Destination queue for IPSEC events * - * Operations in asynchronous mode enqueue resulting events into - * this queue. + * Operations in asynchronous or inline mode enqueue resulting events + * into this queue. */ odp_queue_t dest_queue; + /** Classifier destination CoS for IPSEC result events + * + * Result events for successfully decapsulated packets are sent to + * classification through this CoS. Other result events are sent to + * 'dest_queue'. This field is considered only when 'dest_mode' is + * ODP_IPSEC_DEST_CLS. The CoS must not be shared between any pktio + * interface default CoS. + */ + odp_cos_t dest_cos; + /** User defined SA context pointer * * User defined context pointer associated with the SA. @@ -673,6 +887,18 @@ typedef struct odp_ipsec_op_status_t { uint32_t all_error; }; + union { + /** Status flags */ + struct { + /** Packet was processed in inline mode */ + uint32_t inline_mode : 1; + + } flag; + + /** All flag bits */ + uint32_t all_flag; + }; + } odp_ipsec_op_status_t; /** 
@@ -727,6 +953,35 @@ typedef struct odp_ipsec_op_param_t { } odp_ipsec_op_param_t; /** + * Outbound inline IPSEC operation parameters + */ +typedef struct odp_ipsec_inline_op_param_t { + /** Packet output interface for inline output operation + * + * Outbound inline IPSEC operation uses this packet IO interface to + * output the packet after a successful IPSEC transformation. The pktio + * must have been configured to operate in inline IPSEC mode. + */ + odp_pktio_t pktio; + + /** Outer headers for inline output operation + * + * Outbound inline IPSEC operation uses this information to prepend + * outer headers to the IPSEC packet before sending it out. + */ + struct { + /** Points to first byte of outer headers to be copied in + * front of the outgoing IPSEC packet. Implementation copies + * the headers during odp_ipsec_out_inline() call. */ + uint8_t *ptr; + + /** Outer header length in bytes */ + uint32_t len; + } outer_hdr; + +} odp_ipsec_inline_op_param_t; + +/** * IPSEC operation result for a packet */ typedef struct odp_ipsec_packet_result_t { @@ -752,6 +1007,23 @@ typedef struct odp_ipsec_packet_result_t { */ odp_ipsec_sa_t sa; + /** Packet outer header status before inbound inline processing. + * This is valid only when status.flag.inline_mode is set. + */ + struct { + /** Points to the first byte of retained outer headers. These + * headers are stored in a contiquous, per packet, + * implementation specific memory space. Since the memory space + * may overlap with e.g. packet head/tailroom, the content + * becomes invalid if packet data storage is modified in + * anyway. The memory space may not be sharable to other + * threads. */ + uint8_t *ptr; + + /** Outer header length in bytes */ + uint32_t len; + } outer_hdr; + } odp_ipsec_packet_result_t; /** 
@@ -773,18 +1045,14 @@ typedef struct odp_ipsec_op_result_t { * at least 'num_pkt' elements. * * Each successfully transformed packet has a valid value for these - * meta-data: + * meta-data regardless of the inner packet parse configuration. + * (odp_ipsec_inbound_config_t): * * L3 offset: Offset to the first byte of the (outmost) IP header - * * L4 offset: Offset to the first byte of the valid and known L4 - * header (immediately following the IP header). - * * Various flags about L3 and L4 layers: - * has_l3, has_l4, has_ipv4, has_ipv6, has_ipfrag, - * has_ipsec, has_udp, has_tcp, etc depending on - * the resulted packet format + * * pktio: For inbound inline IPSEC processed packets, original + * packet input interface * - * @see odp_packet_l3_offset(), odp_packet_l4_offset(), - * odp_packet_has_ipv4(), odp_packet_has_ipv6(), - * odp_packet_has_ipfrag(), odp_packet_has_ipsec() + * Other meta-data for parse results and error checks depend on + * configuration (selected parse and error check levels). */ odp_packet_t *pkt; @@ -915,10 +1183,10 @@ int odp_ipsec_out(const odp_ipsec_op_param_t *input, /** * Inbound asynchronous IPSEC operation * - * This operation does inbound IPSEC processing in asynchronous mode - * (ODP_IPSEC_OP_MODE_ASYNC). It processes packets otherwise identically to - * odp_ipsec_in(), but outputs all results through one or more - * ODP_EVENT_IPSEC_RESULT events with the following ordering considerations. + * This operation does inbound IPSEC processing in asynchronous mode. It + * processes packets otherwise identically to odp_ipsec_in(), but outputs all + * results through one or more ODP_EVENT_IPSEC_RESULT events with the following + * ordering considerations. * * Asynchronous mode maintains (operation input) packet order per SA when * application calls the operation within an ordered or atomic scheduler context 
@@ -928,6 +1196,11 @@ int odp_ipsec_out(const odp_ipsec_op_param_t *input, * events for the same SA are enqueued in order, and packet handles (for the * same SA) are stored in order within an event. * + * The function may be used also in inline processing mode, e.g. for IPSEC + * packets for which inline processing is not possible. Packets for the same SA + * may be processed simultaneously in both modes (initiated by this function + * and inline operation). + * * @param input Operation input parameters * * @return Number of input packets consumed (0 ... input.num_pkt) @@ -940,10 +1213,10 @@ int odp_ipsec_in_enq(const odp_ipsec_op_param_t *input); /** * Outbound asynchronous IPSEC operation * - * This operation does outbound IPSEC processing in asynchronous mode - * (ODP_IPSEC_OP_MODE_ASYNC). It processes packets otherwise identically to - * odp_ipsec_out(), but outputs all results through one or more - * ODP_EVENT_IPSEC_RESULT events with the following ordering considerations. + * This operation does outbound IPSEC processing in asynchronous mode. It + * processes packets otherwise identically to odp_ipsec_out(), but outputs all + * results through one or more ODP_EVENT_IPSEC_RESULT events with the following + * ordering considerations. * * Asynchronous mode maintains (operation input) packet order per SA when * application calls the operation within an ordered or atomic scheduler context @@ -953,6 +1226,9 @@ int odp_ipsec_in_enq(const odp_ipsec_op_param_t *input); * events for the same SA are enqueued in order, and packet handles (for the * same SA) are stored in order within an event. * + * The function may be used also in inline processing mode, e.g. for IPSEC + * packets for which inline processing is not possible. + * * @param input Operation input parameters * * @return Number of input packets consumed (0 ... input.num_pkt) 
@@ -963,6 +1239,28 @@ int odp_ipsec_in_enq(const odp_ipsec_op_param_t *input); int odp_ipsec_out_enq(const odp_ipsec_op_param_t *input); /** + * Outbound inline IPSEC operation + * + * This operation does outbound inline IPSEC processing for the packets. It's + * otherwise identical to odp_ipsec_out_enq(), but outputs all successfully + * transformed packets to the specified output interface, instead of generating + * result events for those. + * + * Inline operation parameters are defined per packet. The array of parameters + * must have 'op_param.num_pkt' elements and is pointed to by 'inline_param'. + * + * @param op_param Operation parameters + * @param inline_param Outbound inline operation specific parameters + * + * @return Number of packets consumed (0 ... op_param.num_pkt) + * @retval <0 On failure + * + * @see odp_ipsec_out_enq() + */ +int odp_ipsec_out_inline(const odp_ipsec_op_param_t *op_param, + const odp_ipsec_inline_op_param_t *inline_param); + +/** * Get IPSEC results from an ODP_EVENT_IPSEC_RESULT event * * Copies IPSEC operation results from an event. The event must be of diff --git a/include/odp/api/spec/packet_io.h b/include/odp/api/spec/packet_io.h index cec1f22..8802089 100644 --- a/include/odp/api/spec/packet_io.h +++ b/include/odp/api/spec/packet_io.h 
@@ -407,6 +407,38 @@ typedef struct odp_pktio_config_t { * interface capability before enabling the same. */ odp_bool_t enable_loop; + /** Inbound IPSEC inlined with packet input + * + * Enable/disable inline inbound IPSEC operation. When enabled packet + * input directs all IPSEC packets automatically to IPSEC inbound + * processing. IPSEC configuration is done through the IPSEC API. + * Packets that are not (recognized as) IPSEC are processed + * according to the packet input configuration. + * + * 0: Disable inbound IPSEC inline operation (default) + * 1: Enable inbound IPSEC inline operation + * + * @see odp_ipsec_config(), odp_ipsec_sa_create() + */ + odp_bool_t inbound_ipsec; + + /** Outbound IPSEC inlined with packet output + * + * Enable/disable inline outbound IPSEC operation. When enabled IPSEC + * outbound processing can send outgoing IPSEC packets directly + * to the pktio interface for output. IPSEC configuration is done + * through the IPSEC API. + * + * Outbound IPSEC inline operation cannot be combined with traffic + * manager (ODP_PKTOUT_MODE_TM). + * + * 0: Disable outbound IPSEC inline operation (default) + * 1: Enable outbound IPSEC inline operation + * + * @see odp_ipsec_config(), odp_ipsec_sa_create() + */ + odp_bool_t outbound_ipsec; + } odp_pktio_config_t; /**
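Review bot: In the odp_ipsec_op_mode_t hunk (@@ -51,11 +53,43 @@), ODP_IPSEC_OP_MODE_DISABLED is documented only as "IPSEC is disabled in inbound / outbound direction". It does not say what odp_ipsec_in(), odp_ipsec_out() and the _enq() variants return when called for a disabled direction. Suggest adding one sentence on the expected failure behaviour so that applications and implementations agree on it.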
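Review bot: The check flags added to odp_ipsec_inbound_config_t (@@ -77,9 +111,113 @@) enable IPv4, UDP, TCP and SCTP checksum verification on the IPSEC payload, but the comment never says how a failed check is reported: dropped packet, an error bit in odp_ipsec_op_status_t, or a packet metadata flag. Please document the result path. In the same hunk, the retain_outer text for ODP_IPSEC_LAYER_L3 and ODP_IPSEC_LAYER_L4 ("otherwise the same as ODP_IPSEC_LAYER_ALL") is hard to read against the ALL description and would be clearer with the tunnel and transport cases spelled out. In odp_ipsec_outbound_config_t, "Packet must have set with valid L3/L4 offsets" and "per packet bases" need rewording ("basis"), and the "packet metadata flag" that disables insertion should be named.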
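Review bot: op_mode_inline in odp_ipsec_capability_t (@@ -102,6 +240,24 @@) is a single value, while the odp_ipsec_config_t hunk right after it splits op_mode into inbound_mode and outbound_mode. An implementation that can inline only one direction has no way to report that. Consider separate inbound and outbound inline capability fields, or state explicitly that the value covers both directions.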
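Review bot: The comment on ODP_IPSEC_LOOKUP_IN_DSTADDR_UNIQUE_SPI (@@ -381,11 +547,29 @@) says the lookup "matches both SPI and destination IP address" and then "Used SPI values must be unique", which leaves the role of the address unclear. Please state whether SPI uniqueness is global or per destination address, and what the result is when the SPI matches an SA but the destination address does not.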
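Review bot: In lookup_param (@@ -426,6 +610,17 @@), dst_addr is a bare "void *" whose length is implied by ip_version, and the legal values of ip_version are given only as "v4 or v6". The comment also does not say whether the address is copied when the SA is created or whether the pointer must stay valid for the lifetime of the SA. Suggest "const void *dst_addr", an explicit statement of the copy semantics, and the exact ip_version values. The two member comments use "/*" rather than the "/**" used elsewhere in this struct, so they will not appear in the generated documentation.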
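Review bot: In the dest_mode / dest_cos hunk (@@ -434,13 +629,32 @@), the dest_cos comment says that result events other than successfully decapsulated packets still go to 'dest_queue', so dest_queue is required in ODP_IPSEC_DEST_CLS mode too, yet the dest_mode comment reads as an either/or choice ("may choose between a queue or the classifier"). Suggest stating in both places that dest_queue must always be valid. "The CoS must not be shared between any pktio interface default CoS" should also be reworded, for example "must not be the default CoS of any pktio interface".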
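Review bot: outer_hdr.ptr in odp_ipsec_inline_op_param_t (@@ -727,6 +953,35 @@) is input only, since the comment says the implementation copies the headers during the odp_ipsec_out_inline() call, so it should be "const uint8_t *ptr". The comment gives no upper bound for 'len' and does not say whether len 0 is allowed. Please add the limit, or a capability field for it, so implementations know how much header space to reserve.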
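Review bot: The outer_hdr field added to odp_ipsec_packet_result_t (@@ -752,6 +1007,23 @@) does not say what ptr and len contain when inline_mode is set but retain_outer is ODP_IPSEC_LAYER_NONE. Because the pointer may alias packet head/tailroom and becomes invalid once packet data storage is modified, a defined "no headers" value (for example len 0) matters for callers. Suggest documenting it, and fixing the typos "contiquous" (contiguous) and "in anyway" (in any way).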
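Review bot: In the odp_ipsec_op_result_t hunk (@@ -773,18 +1045,14 @@), the L4 offset and the has_* flags are dropped from the metadata that is always valid, which changes what existing callers can rely on. The new text should point at the 'parse' field of odp_ipsec_inbound_config_t as the way to get them back. The rewritten sentence also has a stray period: "regardless of the inner packet parse configuration. (odp_ipsec_inbound_config_t):".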
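Review bot: The paragraph added to odp_ipsec_in_enq() (@@ -928,6 +1196,11 @@) allows packets of the same SA to be "processed simultaneously in both modes", but the paragraph just above it promises per-SA packet order. It is not stated whether any ordering holds between packets taken by the inline path and packets submitted through this function. If no ordering is guaranteed across the two paths, please say so explicitly. The same applies to the sentence added to odp_ipsec_out_enq().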
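Review bot: The odp_ipsec_out_inline() description (@@ -963,6 +1239,28 @@) covers only the success path: transformed packets go to the output interface "instead of generating result events for those". It should also state where packets that fail the transformation are reported (presumably a result event on the SA's dest_queue) and who owns the packet in that case.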
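Review bot: In the packet_io.h hunk (@@ -407,6 +407,38 @@), inbound_ipsec "directs all IPSEC packets automatically to IPSEC inbound processing" without saying what happens to an IPSEC packet that matches no SA, or how the flag interacts with inbound_mode in odp_ipsec_config_t when that is not ODP_IPSEC_OP_MODE_INLINE. The context line above refers to an interface capability for enable_loop, but no capability is mentioned for inbound_ipsec or outbound_ipsec. Suggest documenting the lookup-miss behaviour and the required IPSEC mode, and adding or referencing the capability an application should check before enabling either flag.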