[dpdk-dev] [PATCH v2] ipsec: support multi-segment packets

[Akhil Goyal]

> 
> Hi Akhil,
> 
> > Hi Konstantin,
> >
> > >
> > > Add support for packets that consist of multiple segments.
> > > Take into account that trailer bytes (padding, ESP tail, ICV)
> > > can spawn across multiple segments.
> > >
> > > Signed-off-by: Konstantin Ananyev <konstantin.ananyev at intel.com>
> > > ---
> >
> > Which all action types does this patch work well with?
> > Will it work for lookaside none and inline crypto case both?
> 
> Yes, in theory it should work with any device that supports
> in-place SGL.
> On practice, right now I am not aware about inline-crypto devices
> that can support such feature.
> So far, tested with lookaside-none device.
> 
> > For the other 2, ipsec lib is not used.
> 
> In fact, ipsec lib can be used by all 4 cases I believe.
> Though as I udenstand for lookaside-proto and inline-proto
> nothing need to be added/changed inside the lib
> (as HW supposed to deal with it transparently).
> 
> >
> > Also how can the SG support be tested?
> 
> Here is a separate patch series that adds fragmentation/reassembly
> support into ipsec-secgw and updates test-scripts with new test-cases:
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpatches.d
> pdk.org%2Fcover%2F54491%2F&data=02%7C01%7Cakhil.goyal%40nxp.co
> m%7Cf96f8b751ed04b046a6508d6f58bacc1%7C686ea1d3bc2b4c6fa92cd99c5c
> 301635%7C0%7C0%7C636966377578333871&sdata=HnVDoMHuh255qzx5
> OWBsupGrqNS4m9eZyNeZ%2FxpBWHE%3D&reserved=0
> 
> >
> > >
> > > v1 -> v2:
> > >  merge with latest mainline
> > >  fix build problem for RTE_BUILD_SHARED_LIB=y
> > >  update programmer's guide
> > >
> > >  doc/guides/prog_guide/ipsec_lib.rst |   1 -
> > >  lib/librte_ipsec/Makefile           |   3 +-
> > >  lib/librte_ipsec/esp_inb.c          | 148 +++++++++++++++++++++-------
> > >  lib/librte_ipsec/misc.h             |  61 ++++++++++++
> > >  4 files changed, 175 insertions(+), 38 deletions(-)
> > >
> > > diff --git a/doc/guides/prog_guide/ipsec_lib.rst
> > > b/doc/guides/prog_guide/ipsec_lib.rst
> > > index 6fc08886f..63b75b652 100644
> > > --- a/doc/guides/prog_guide/ipsec_lib.rst
> > > +++ b/doc/guides/prog_guide/ipsec_lib.rst
> > > @@ -162,7 +162,6 @@ Limitations
> > >  The following features are not properly supported in the current version:
> > >
> > >  *  ESP transport mode for IPv6 packets with extension headers.
> > > -*  Multi-segment packets.
> > >  *  Updates of the fields in inner IP header for tunnel mode
> > >     (as described in RFC 4301, section 5.1.2).
> > >  *  Hard/soft limit for SA lifetime (time interval/byte count).
> > > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
> > > index e80926baa..22f29d98a 100644
> > > --- a/lib/librte_ipsec/Makefile
> > > +++ b/lib/librte_ipsec/Makefile
> > > @@ -9,7 +9,8 @@ LIB = librte_ipsec.a
> > >  CFLAGS += -O3
> > >  CFLAGS += $(WERROR_FLAGS) -I$(SRCDIR)
> > >  CFLAGS += -DALLOW_EXPERIMENTAL_API
> > > -LDLIBS += -lrte_eal -lrte_mbuf -lrte_net -lrte_cryptodev -lrte_security
> > > +LDLIBS += -lrte_eal -lrte_mempool -lrte_mbuf -lrte_net
> > > +LDLIBS += -lrte_cryptodev -lrte_security
> > >
> >
> > I believe this build dependency should also be updated in meson.build file as
> well.
> 
> I found that unnecessary, meson seems to be able to figure out implicit
> dependencies itself.
> Though if you strongly insist, I can add them.
> Konstantin

Acked-by: Akhil Goyal <akhil.goyal at nxp.com>

Applied to dpdk-next-crypto

Thanks.