[dpdk-dev] [PATCH 11/14] examples/ipsec-secgw: add app processing code
Ananyev, Konstantin
konstantin.ananyev at intel.com
Wed Dec 25 16:18:33 CET 2019
> +static inline int
> +process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
> + struct rte_event *ev)
> +{
> + struct ipsec_sa *sa = NULL;
> + struct rte_mbuf *pkt;
> + uint16_t port_id = 0;
> + enum pkt_type type;
> + uint32_t sa_idx;
> + uint8_t *nlp;
> +
> + /* Get pkt from event */
> + pkt = ev->mbuf;
> +
> + /* Check the packet type */
> + type = process_ipsec_get_pkt_type(pkt, &nlp);
> +
> + switch (type) {
> + case PKT_TYPE_PLAIN_IPV4:
> + if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD)
> + sa = (struct ipsec_sa *) pkt->udata64;
Shouldn't packets with PKT_RX_SEC_OFFLOAD_FAIL be handled somehow?
Another question - as far as I can see from the code, right now event mode
supports only inline-proto, correct?
If so, then probably an error should be reported at startup, if in config file
some other types of sessions were requested.
> +
> + /* Check if we have a match */
> + if (check_sp(ctx->sp4_ctx, nlp, &sa_idx) == 0) {
> + /* No valid match */
> + goto drop_pkt_and_exit;
> + }
> + break;
> +
> + case PKT_TYPE_PLAIN_IPV6:
> + if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD)
> + sa = (struct ipsec_sa *) pkt->udata64;
> +
> + /* Check if we have a match */
> + if (check_sp(ctx->sp6_ctx, nlp, &sa_idx) == 0) {
> + /* No valid match */
> + goto drop_pkt_and_exit;
> + }
> + break;
> +
> + default:
> + RTE_LOG(ERR, IPSEC, "Unsupported packet type = %d\n", type);
> + goto drop_pkt_and_exit;
> + }
> +
> + /* Check if the packet has to be bypassed */
> + if (sa_idx == 0)
> + goto route_and_send_pkt;
> +
> + /* Else the packet has to be protected with SA */
> +
> + /* If the packet was IPsec processed, then SA pointer should be set */
> + if (sa == NULL)
> + goto drop_pkt_and_exit;
> +
> + /* SPI on the packet should match with the one in SA */
> + if (unlikely(sa->spi != sa_idx))
> + goto drop_pkt_and_exit;
> +
> +route_and_send_pkt:
> + port_id = get_route(pkt, rt, type);
> + if (unlikely(port_id == RTE_MAX_ETHPORTS)) {
> + /* no match */
> + goto drop_pkt_and_exit;
> + }
> + /* else, we have a matching route */
> +
> + /* Update mac addresses */
> + update_mac_addrs(pkt, port_id);
> +
> + /* Update the event with the dest port */
> + ipsec_event_pre_forward(pkt, port_id);
> + return 1;
> +
> +drop_pkt_and_exit:
> + RTE_LOG(ERR, IPSEC, "Inbound packet dropped\n");
> + rte_pktmbuf_free(pkt);
> + ev->mbuf = NULL;
> + return 0;
> +}
> +
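Review bot: The check `if (unlikely(sa->spi != sa_idx))` compares an SPI with a value that is named as an index and filled in by `check_sp()`, while the comment above it says the SPI on the packet should match the one in the SA. `check_sp()` is not in the quoted text, so this is inferred from the names; if it does return an SA-table index, the comparison does not establish that the SA which processed the packet is the one the matching inbound policy requires. Either compare `sa->spi` with the SPI of the SA entry that `sa_idx` selects, or rename the variable and reword the comment to `/* SPI of the SA that processed the packet must equal the SPI required by the matching SP */`. Separately, `drop_pkt_and_exit` logs at ERR level for every dropped packet, so unmatched inbound traffic can flood the log from the data path; a per-port drop counter, or `RTE_LOG_DP` at debug level, would bound that.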