[dpdk-dev] [RFC][PATCH 5/5] examples: updated IPSec sample app to support inline IPSec

Radu Nicolau radu.nicolau at intel.com
Tue May 9 16:57:59 CEST 2017


Added new SA types: ipv4-inline and ipv6-inline.

Signed-off-by: Radu Nicolau <radu.nicolau at intel.com>
---
 examples/ipsec-secgw/esp.c   |   7 +-
 examples/ipsec-secgw/ipsec.h |   2 +
 examples/ipsec-secgw/sa.c    | 165 ++++++++++++++++++++++++++++---------------
 3 files changed, 117 insertions(+), 57 deletions(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index e77afa0..f1dfac4 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -253,11 +253,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
 
 	RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
+	           sa->flags == IP4_INLINE || sa->flags == IP6_INLINE ||
 			sa->flags == TRANSPORT);
 
-	if (likely(sa->flags == IP4_TUNNEL))
+	if (likely(sa->flags == IP4_TUNNEL || sa->flags == IP4_INLINE))
 		ip_hdr_len = sizeof(struct ip);
-	else if (sa->flags == IP6_TUNNEL)
+	else if (sa->flags == IP6_TUNNEL || sa->flags == IP6_INLINE)
 		ip_hdr_len = sizeof(struct ip6_hdr);
 	else if (sa->flags != TRANSPORT) {
 		RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
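Review bot: The added assertion line `sa->flags == IP4_INLINE || sa->flags == IP6_INLINE ||` is indented with a tab followed by spaces while the neighbouring continuation lines use tabs only, and the same mixing recurs in the sa.c hunks (the `ipv4-inline`/`ipv6-inline` token parsing, the `IP6Inline` printf line, and the whole new inline branch of sa_add_rules, which is space-indented). DPDK runs checkpatch on submissions and it will most likely flag space indentation, so these lines should be converted to tabs before the series leaves RFC. Only the whitespace needs changing; the logic of the assertion and the two widened `if` conditions is consistent with the new flags. esp_outbound starts and ends outside this hunk.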
@@ -281,11 +282,13 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 	switch (sa->flags) {
 	case IP4_TUNNEL:
+	case IP4_INLINE:
 		ip4 = ip4ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len,
 				&sa->src, &sa->dst);
 		esp = (struct esp_hdr *)(ip4 + 1);
 		break;
 	case IP6_TUNNEL:
+	case IP6_INLINE:
 		ip6 = ip6ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len,
 				&sa->src, &sa->dst);
 		esp = (struct esp_hdr *)(ip6 + 1);
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index fe42661..502c182 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -107,6 +107,8 @@ struct ipsec_sa {
 #define IP4_TUNNEL (1 << 0)
 #define IP6_TUNNEL (1 << 1)
 #define TRANSPORT  (1 << 2)
+#define IP4_INLINE (1 << 3)
+#define IP6_INLINE (1 << 4)
 	struct ip_addr src;
 	struct ip_addr dst;
 	uint8_t cipher_key[MAX_KEY_SIZE];
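Review bot: The two new flag values `IP4_INLINE` and `IP6_INLINE` carry no comment, and because each one encodes both the address family and the inline-offload property, every existing `sa->flags == IP4_TUNNEL` / `== IP6_TUNNEL` comparison in esp.c and sa.c has had to be widened with an `|| sa->flags == IP4_INLINE` twin in this patch. A comment such as `/* tunnel-mode SA whose ESP processing is done inline by the NIC; addresses as for IP4_TUNNEL/IP6_TUNNEL */` would document the intent for readers of the header. An alternative worth considering is an orthogonal inline bit OR-ed onto IP4_TUNNEL/IP6_TUNNEL, which would let the family checks test a mask and keep the inline check in one place; the values are defined as bit positions but nowhere in this patch are they combined, so the `==` comparisons are consistent for now. The struct ipsec_sa definition continues outside the hunk.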
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 39624c4..b58bca7 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -256,6 +256,10 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 				rule->flags = IP6_TUNNEL;
 			else if (strcmp(tokens[ti], "transport") == 0)
 				rule->flags = TRANSPORT;
+                        else if (strcmp(tokens[ti], "ipv4-inline") == 0)
+                                rule->flags = IP4_INLINE;
+                        else if (strcmp(tokens[ti], "ipv6-inline") == 0)
+                                rule->flags = IP6_INLINE;
 			else {
 				APP_CHECK(0, status, "unrecognized "
 					"input \"%s\"", tokens[ti]);
@@ -395,7 +399,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 			if (status->status < 0)
 				return;
 
-			if (rule->flags == IP4_TUNNEL) {
+			if (rule->flags == IP4_TUNNEL || rule->flags == IP4_INLINE) {
 				struct in_addr ip;
 
 				APP_CHECK(parse_ipv4_addr(tokens[ti],
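Review bot: The widened conditions `if (rule->flags == IP4_TUNNEL || rule->flags == IP4_INLINE) {` and `} else if (rule->flags == IP6_TUNNEL || rule->flags == IP6_INLINE) {` run past 80 columns at their three-tab depth, and the same pair is repeated in the next three hunks of parse_sa_tokens (the src/dst address parsing). A small helper, e.g. `static inline int sa_is_ip4(const struct ipsec_sa *sa) { return sa->flags == IP4_TUNNEL || sa->flags == IP4_INLINE; }` with an `sa_is_ip6` twin, would keep each condition on one line and give the esp.c and sa_add_rules checks a single place to update if the flag encoding changes. parse_sa_tokens starts and ends outside this hunk.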
@@ -407,7 +411,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 					return;
 				rule->src.ip.ip4 = rte_bswap32(
 					(uint32_t)ip.s_addr);
-			} else if (rule->flags == IP6_TUNNEL) {
+			} else if (rule->flags == IP6_TUNNEL || rule->flags == IP6_INLINE) {
 				struct in6_addr ip;
 
 				APP_CHECK(parse_ipv6_addr(tokens[ti], &ip,
@@ -438,7 +442,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 			if (status->status < 0)
 				return;
 
-			if (rule->flags == IP4_TUNNEL) {
+			if (rule->flags == IP4_TUNNEL || rule->flags == IP4_INLINE) {
 				struct in_addr ip;
 
 				APP_CHECK(parse_ipv4_addr(tokens[ti],
@@ -450,7 +454,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 					return;
 				rule->dst.ip.ip4 = rte_bswap32(
 					(uint32_t)ip.s_addr);
-			} else if (rule->flags == IP6_TUNNEL) {
+			} else if (rule->flags == IP6_TUNNEL || rule->flags == IP6_INLINE) {
 				struct in6_addr ip;
 
 				APP_CHECK(parse_ipv6_addr(tokens[ti], &ip,
@@ -518,14 +522,16 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
 
 	switch (sa->flags) {
 	case IP4_TUNNEL:
-		printf("IP4Tunnel ");
+	case IP4_INLINE:
+		printf(sa->flags == IP4_TUNNEL? "IP4Tunnel " : "IP4Inline ");
 		uint32_t_to_char(sa->src.ip.ip4, &a, &b, &c, &d);
 		printf("%hhu.%hhu.%hhu.%hhu ", d, c, b, a);
 		uint32_t_to_char(sa->dst.ip.ip4, &a, &b, &c, &d);
 		printf("%hhu.%hhu.%hhu.%hhu", d, c, b, a);
 		break;
 	case IP6_TUNNEL:
-		printf("IP6Tunnel ");
+	case IP6_INLINE:
+	        printf(sa->flags == IP6_TUNNEL? "IP6Tunnel " : "IP6Inline ");
 		for (i = 0; i < 16; i++) {
 			if (i % 2 && i != 15)
 				printf("%.2x:", sa->src.ip.ip6.ip6_b[i]);
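Review bot: `printf(sa->flags == IP4_TUNNEL? "IP4Tunnel " : "IP4Inline ");` and its IP6 twin pass a conditional expression as the format string; it is harmless here because both arms are constants without conversion specifiers, but it departs from the literal-format pattern the rest of print_one_sa_rule uses and may be flagged by format-string checkers. `fputs(sa->flags == IP4_TUNNEL ? "IP4Tunnel " : "IP4Inline ", stdout);` keeps the choice of label and avoids the format machinery altogether (it also restores the missing space before `?`). The IP6 line is additionally indented with a tab plus spaces rather than tabs. print_one_sa_rule continues outside the hunk.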
@@ -603,60 +609,107 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 
 		switch (sa->flags) {
 		case IP4_TUNNEL:
+		case IP4_INLINE:
 			sa->src.ip.ip4 = rte_cpu_to_be_32(sa->src.ip.ip4);
 			sa->dst.ip.ip4 = rte_cpu_to_be_32(sa->dst.ip.ip4);
 		}
 
-		if (inbound) {
-			sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
-			sa_ctx->xf[idx].b.cipher.algo = sa->cipher_algo;
-			sa_ctx->xf[idx].b.cipher.key.data = sa->cipher_key;
-			sa_ctx->xf[idx].b.cipher.key.length =
-				sa->cipher_key_len;
-			sa_ctx->xf[idx].b.cipher.op =
-				RTE_CRYPTO_CIPHER_OP_DECRYPT;
-			sa_ctx->xf[idx].b.next = NULL;
-
-			sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AUTH;
-			sa_ctx->xf[idx].a.auth.algo = sa->auth_algo;
-			sa_ctx->xf[idx].a.auth.add_auth_data_length =
-				sa->aad_len;
-			sa_ctx->xf[idx].a.auth.key.data = sa->auth_key;
-			sa_ctx->xf[idx].a.auth.key.length =
-				sa->auth_key_len;
-			sa_ctx->xf[idx].a.auth.digest_length =
-				sa->digest_len;
-			sa_ctx->xf[idx].a.auth.op =
-				RTE_CRYPTO_AUTH_OP_VERIFY;
-
-		} else { /* outbound */
-			sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
-			sa_ctx->xf[idx].a.cipher.algo = sa->cipher_algo;
-			sa_ctx->xf[idx].a.cipher.key.data = sa->cipher_key;
-			sa_ctx->xf[idx].a.cipher.key.length =
-				sa->cipher_key_len;
-			sa_ctx->xf[idx].a.cipher.op =
-				RTE_CRYPTO_CIPHER_OP_ENCRYPT;
-			sa_ctx->xf[idx].a.next = NULL;
-
-			sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_AUTH;
-			sa_ctx->xf[idx].b.auth.algo = sa->auth_algo;
-			sa_ctx->xf[idx].b.auth.add_auth_data_length =
-				sa->aad_len;
-			sa_ctx->xf[idx].b.auth.key.data = sa->auth_key;
-			sa_ctx->xf[idx].b.auth.key.length =
-				sa->auth_key_len;
-			sa_ctx->xf[idx].b.auth.digest_length =
-				sa->digest_len;
-			sa_ctx->xf[idx].b.auth.op =
-				RTE_CRYPTO_AUTH_OP_GENERATE;
+		if (sa->flags == IP4_INLINE || sa->flags == IP6_INLINE) {
+
+                    if (inbound) {
+                            sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+                            sa_ctx->xf[idx].b.cipher.algo = sa->cipher_algo;
+                            sa_ctx->xf[idx].b.cipher.key.data = sa->cipher_key;
+                            sa_ctx->xf[idx].b.cipher.key.length =
+                                    sa->cipher_key_len;
+                            sa_ctx->xf[idx].b.cipher.op =
+                                    RTE_CRYPTO_CIPHER_OP_DECRYPT;
+                            sa_ctx->xf[idx].b.next = NULL;
+
+                            sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_IPSEC;
+                            sa_ctx->xf[idx].a.ipsec.dir = RTE_CRYPTO_INBOUND;
+                            sa_ctx->xf[idx].a.ipsec.spi = sa->spi;
+                            sa_ctx->xf[idx].a.ipsec.salt = sa->salt;
+                            sa_ctx->xf[idx].a.ipsec.src_ip.ipv4 = rte_cpu_to_be_32(sa->src.ip.ip4);
+                            sa_ctx->xf[idx].a.ipsec.dst_ip.ipv4 = rte_cpu_to_be_32(sa->dst.ip.ip4);
+
+                    } else { /* outbound */
+                            sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+                            sa_ctx->xf[idx].a.cipher.algo = sa->cipher_algo;
+                            sa_ctx->xf[idx].a.cipher.key.data = sa->cipher_key;
+                            sa_ctx->xf[idx].a.cipher.key.length =
+                                    sa->cipher_key_len;
+                            sa_ctx->xf[idx].a.cipher.op =
+                                    RTE_CRYPTO_CIPHER_OP_ENCRYPT;
+                            sa_ctx->xf[idx].a.next = NULL;
+
+                            sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_IPSEC;
+                            sa_ctx->xf[idx].b.ipsec.dir = RTE_CRYPTO_OUTBOUND;
+                            sa_ctx->xf[idx].b.ipsec.spi = sa->spi;
+                            sa_ctx->xf[idx].b.ipsec.salt = sa->salt;
+                            sa_ctx->xf[idx].b.ipsec.src_ip.ipv4 = rte_cpu_to_be_32(sa->src.ip.ip4);
+                            sa_ctx->xf[idx].b.ipsec.dst_ip.ipv4 = rte_cpu_to_be_32(sa->dst.ip.ip4);
+                    }
+
+                    sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+                    sa_ctx->xf[idx].b.next = NULL;
+                    sa->xforms = &sa_ctx->xf[idx].a;
+
+                    print_one_sa_rule(sa, inbound);
+		}
+		else {
+
+	                if (inbound) {
+	                        sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+	                        sa_ctx->xf[idx].b.cipher.algo = sa->cipher_algo;
+	                        sa_ctx->xf[idx].b.cipher.key.data = sa->cipher_key;
+	                        sa_ctx->xf[idx].b.cipher.key.length =
+	                                sa->cipher_key_len;
+	                        sa_ctx->xf[idx].b.cipher.op =
+	                                RTE_CRYPTO_CIPHER_OP_DECRYPT;
+	                        sa_ctx->xf[idx].b.next = NULL;
+
+	                        sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+	                        sa_ctx->xf[idx].a.auth.algo = sa->auth_algo;
+	                        sa_ctx->xf[idx].a.auth.add_auth_data_length =
+	                                sa->aad_len;
+	                        sa_ctx->xf[idx].a.auth.key.data = sa->auth_key;
+	                        sa_ctx->xf[idx].a.auth.key.length =
+	                                sa->auth_key_len;
+	                        sa_ctx->xf[idx].a.auth.digest_length =
+	                                sa->digest_len;
+	                        sa_ctx->xf[idx].a.auth.op =
+	                                RTE_CRYPTO_AUTH_OP_VERIFY;
+
+	                } else { /* outbound */
+	                        sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+	                        sa_ctx->xf[idx].a.cipher.algo = sa->cipher_algo;
+	                        sa_ctx->xf[idx].a.cipher.key.data = sa->cipher_key;
+	                        sa_ctx->xf[idx].a.cipher.key.length =
+	                                sa->cipher_key_len;
+	                        sa_ctx->xf[idx].a.cipher.op =
+	                                RTE_CRYPTO_CIPHER_OP_ENCRYPT;
+	                        sa_ctx->xf[idx].a.next = NULL;
+
+	                        sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+	                        sa_ctx->xf[idx].b.auth.algo = sa->auth_algo;
+	                        sa_ctx->xf[idx].b.auth.add_auth_data_length =
+	                                sa->aad_len;
+	                        sa_ctx->xf[idx].b.auth.key.data = sa->auth_key;
+	                        sa_ctx->xf[idx].b.auth.key.length =
+	                                sa->auth_key_len;
+	                        sa_ctx->xf[idx].b.auth.digest_length =
+	                                sa->digest_len;
+	                        sa_ctx->xf[idx].b.auth.op =
+	                                RTE_CRYPTO_AUTH_OP_GENERATE;
+	                }
+
+	                sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+	                sa_ctx->xf[idx].b.next = NULL;
+	                sa->xforms = &sa_ctx->xf[idx].a;
+
+	                print_one_sa_rule(sa, inbound);
 		}
-
-		sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
-		sa_ctx->xf[idx].b.next = NULL;
-		sa->xforms = &sa_ctx->xf[idx].a;
-
-		print_one_sa_rule(sa, inbound);
 	}
 
 	return 0;
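Review bot: For IP4_INLINE SAs the source and destination addresses are byte-swapped twice: the switch at the top of the loop now runs `rte_cpu_to_be_32()` on `sa->src.ip.ip4`/`sa->dst.ip.ip4` for IP4_INLINE as well, and the new inline branch then applies `rte_cpu_to_be_32()` again when filling `ipsec.src_ip.ipv4`/`ipsec.dst_ip.ipv4`, which on little-endian hosts hands the xform the host-order value; drop the second conversion (`sa_ctx->xf[idx].a.ipsec.src_ip.ipv4 = sa->src.ip.ip4;` and the three matching lines) and keep the in-place swap, since single_inbound_lookup compares `sa->src.ip.ip4` against the packet's on-the-wire address. IP6_INLINE enters the same branch but only the `.ipv4` members are written, so an IPv6 SA's address never reaches the xform (and `sa->src.ip.ip4` presumably reads the first four bytes of the v6 address if `ip` is a union — verify); the branch needs an IPv6 path or IP6_INLINE should be rejected until one exists. The inline branch also configures no AUTH xform and never reads `sa->auth_algo`/`sa->auth_key`, so an auth algorithm given in the rule is silently ignored for inline SAs — if the ipsec xform is meant to carry integrity, say so in a comment, otherwise it must be configured. Finally, the `a.next`/`b.next`/`sa->xforms`/`print_one_sa_rule` tail that sat after the if/else has been copied into both branches (and the inline branch is space-indented); restoring the tail once after the if/else keeps the two branches to just the xform setup, as sketched below. sa_add_rules begins outside the hunk.
```c
		if (sa->flags == IP4_INLINE || sa->flags == IP6_INLINE) {
			/* TODO: IP6_INLINE still needs its v6 address passed to the xform */
			if (inbound) {
				/* … unchanged: cipher xform in .b … */
				sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_IPSEC;
				sa_ctx->xf[idx].a.ipsec.dir = RTE_CRYPTO_INBOUND;
				sa_ctx->xf[idx].a.ipsec.spi = sa->spi;
				sa_ctx->xf[idx].a.ipsec.salt = sa->salt;
				/* already big-endian: converted by the switch above */
				sa_ctx->xf[idx].a.ipsec.src_ip.ipv4 = sa->src.ip.ip4;
				sa_ctx->xf[idx].a.ipsec.dst_ip.ipv4 = sa->dst.ip.ip4;
			} else { /* outbound */
				/* … unchanged: cipher xform in .a … */
				sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_IPSEC;
				sa_ctx->xf[idx].b.ipsec.dir = RTE_CRYPTO_OUTBOUND;
				sa_ctx->xf[idx].b.ipsec.spi = sa->spi;
				sa_ctx->xf[idx].b.ipsec.salt = sa->salt;
				sa_ctx->xf[idx].b.ipsec.src_ip.ipv4 = sa->src.ip.ip4;
				sa_ctx->xf[idx].b.ipsec.dst_ip.ipv4 = sa->dst.ip.ip4;
			}
		} else {
			/* … unchanged: cipher + auth xforms for lookaside SAs … */
		}

		/* common to both kinds of SA: chain a -> b and publish */
		sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
		sa_ctx->xf[idx].b.next = NULL;
		sa->xforms = &sa_ctx->xf[idx].a;

		print_one_sa_rule(sa, inbound);
```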
@@ -755,6 +808,7 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt,
 
 	switch (sa->flags) {
 	case IP4_TUNNEL:
+	case IP4_INLINE:
 		src4_addr = RTE_PTR_ADD(ip, offsetof(struct ip, ip_src));
 		if ((ip->ip_v == IPVERSION) &&
 				(sa->src.ip.ip4 == *src4_addr) &&
@@ -762,6 +816,7 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt,
 			*sa_ret = sa;
 		break;
 	case IP6_TUNNEL:
+	case IP6_INLINE:
 		src6_addr = RTE_PTR_ADD(ip, offsetof(struct ip6_hdr, ip6_src));
 		if ((ip->ip_v == IP6_VERSION) &&
 				!memcmp(&sa->src.ip.ip6.ip6, src6_addr, 16) &&
-- 
2.7.4


