[dpdk-dev] [PATCH v4 1/5] ipsec: add inbound SAD API

Vladimir Medvedkin vladimir.medvedkin at intel.com
Tue Oct 8 18:55:51 CEST 2019


Add inbound security association database (SAD) API
and stub implementation.

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin at intel.com>
---
 lib/librte_ipsec/Makefile              |   2 +
 lib/librte_ipsec/ipsec_sad.c           |  50 ++++++++++
 lib/librte_ipsec/meson.build           |   4 +-
 lib/librte_ipsec/rte_ipsec_sad.h       | 173 +++++++++++++++++++++++++++++++++
 lib/librte_ipsec/rte_ipsec_version.map |   7 ++
 5 files changed, 234 insertions(+), 2 deletions(-)
 create mode 100644 lib/librte_ipsec/ipsec_sad.c
 create mode 100644 lib/librte_ipsec/rte_ipsec_sad.h

diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
index 22f29d9..5aaab72 100644
--- a/lib/librte_ipsec/Makefile
+++ b/lib/librte_ipsec/Makefile
@@ -21,10 +21,12 @@ SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
 SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_outb.c
 SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += sa.c
 SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += ses.c
+SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += ipsec_sad.c
 
 # install header files
 SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec.h
 SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_group.h
 SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sa.h
+SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sad.h
 
 include $(RTE_SDK)/mk/rte.lib.mk
diff --git a/lib/librte_ipsec/ipsec_sad.c b/lib/librte_ipsec/ipsec_sad.c
new file mode 100644
index 0000000..703be65
--- /dev/null
+++ b/lib/librte_ipsec/ipsec_sad.c
@@ -0,0 +1,50 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2019 Intel Corporation
+ */
+
+#include <rte_errno.h>
+
+#include "rte_ipsec_sad.h"
+
+int
+rte_ipsec_sad_add(__rte_unused struct rte_ipsec_sad *sad,
+		__rte_unused const union rte_ipsec_sad_key *key,
+		__rte_unused int key_type, __rte_unused void *sa)
+{
+	return -ENOTSUP;
+}
+
+int
+rte_ipsec_sad_del(__rte_unused struct rte_ipsec_sad *sad,
+		__rte_unused const union rte_ipsec_sad_key *key,
+		__rte_unused int key_type)
+{
+	return -ENOTSUP;
+}
+
+struct rte_ipsec_sad *
+rte_ipsec_sad_create(__rte_unused const char *name,
+		__rte_unused const struct rte_ipsec_sad_conf *conf)
+{
+	return NULL;
+}
+
+struct rte_ipsec_sad *
+rte_ipsec_sad_find_existing(__rte_unused const char *name)
+{
+	return NULL;
+}
+
+void
+rte_ipsec_sad_destroy(__rte_unused struct rte_ipsec_sad *sad)
+{
+	return;
+}
+
+int
+rte_ipsec_sad_lookup(__rte_unused const struct rte_ipsec_sad *sad,
+		__rte_unused const union rte_ipsec_sad_key *keys[],
+		__rte_unused void *sa[], __rte_unused uint32_t n)
+{
+	return -ENOTSUP;
+}
diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
index 7ea0c7d..91b9867 100644
--- a/lib/librte_ipsec/meson.build
+++ b/lib/librte_ipsec/meson.build
@@ -3,8 +3,8 @@
 
 allow_experimental_apis = true
 
-sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c')
+sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
 
-headers = files('rte_ipsec.h', 'rte_ipsec_group.h', 'rte_ipsec_sa.h')
+headers = files('rte_ipsec.h', 'rte_ipsec_group.h', 'rte_ipsec_sa.h', 'rte_ipsec_sad.h')
 
 deps += ['mbuf', 'net', 'cryptodev', 'security']
diff --git a/lib/librte_ipsec/rte_ipsec_sad.h b/lib/librte_ipsec/rte_ipsec_sad.h
new file mode 100644
index 0000000..2cd9b52
--- /dev/null
+++ b/lib/librte_ipsec/rte_ipsec_sad.h
@@ -0,0 +1,173 @@
+
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2019 Intel Corporation
+ */
+
+#ifndef _RTE_IPSEC_SAD_H_
+#define _RTE_IPSEC_SAD_H_
+
+#include <rte_compat.h>
+
+/**
+ * @file rte_ipsec_sad.h
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * RTE IPsec security association database (SAD) support.
+ * Contains helper functions to lookup and maintain SAD
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct rte_ipsec_sad;
+
+/** Type of key */
+enum {
+	RTE_IPSEC_SAD_SPI_ONLY = 0,
+	RTE_IPSEC_SAD_SPI_DIP,
+	RTE_IPSEC_SAD_SPI_DIP_SIP,
+	RTE_IPSEC_SAD_KEY_TYPE_MASK,
+};
+
+struct rte_ipsec_sadv4_key {
+	uint32_t spi;
+	uint32_t dip;
+	uint32_t sip;
+};
+
+struct rte_ipsec_sadv6_key {
+	uint32_t spi;
+	uint8_t dip[16];
+	uint8_t sip[16];
+};
+
+union rte_ipsec_sad_key {
+	struct rte_ipsec_sadv4_key	v4;
+	struct rte_ipsec_sadv6_key	v6;
+};
+
+#define RTE_IPSEC_SAD_FLAG_IPV6			0x1
+/** Flag to support reader writer concurrency */
+#define RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY	0x2
+
+/** IPsec SAD configuration structure */
+struct rte_ipsec_sad_conf {
+	int		socket_id;
+	/** maximum number of SA for each type key */
+	uint32_t	max_sa[RTE_IPSEC_SAD_KEY_TYPE_MASK];
+	uint32_t	flags;
+};
+
+/**
+ * Add a rule into the SAD. Could be safely called with concurrent lookups
+ *  if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
+ *  While with this flag multi-reader - one-writer model Is MT safe,
+ *  multi-writer model is not and required extra synchronisation.
+ *
+ * @param sad
+ *   SAD object handle
+ * @param key
+ *   pointer to the key
+ * @param key_type
+ *   key type (spi only/spi+dip/spi+dip+sip)
+ * @param sa
+ *   Pointer associated with the key to save in a SAD
+ *   Must be 4 bytes aligned.
+ * @return
+ *   0 on success, negative value otherwise
+ */
+__rte_experimental
+int
+rte_ipsec_sad_add(struct rte_ipsec_sad *sad,
+	const union rte_ipsec_sad_key *key,
+	int key_type, void *sa);
+
+/**
+ * Delete a rule from the SAD. Could be safely called with concurrent lookups
+ *  if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
+ *  While with this flag multi-reader - one-writer model Is MT safe,
+ *  multi-writer model is not and required extra synchronisation.
+ *
+ * @param sad
+ *   SAD object handle
+ * @param key
+ *   pointer to the key
+ * @param key_type
+ *   key type (spi only/spi+dip/spi+dip+sip)
+ * @return
+ *   0 on success, negative value otherwise
+ */
+__rte_experimental
+int
+rte_ipsec_sad_del(struct rte_ipsec_sad *sad,
+	const union rte_ipsec_sad_key *key,
+	int key_type);
+/*
+ * Create SAD
+ *
+ * @param name
+ *  SAD name
+ * @param conf
+ *  Structure containing the configuration
+ * @return
+ *  Handle to SAD object on success
+ *  NULL otherwise with rte_errno set to an appropriate values.
+ */
+__rte_experimental
+struct rte_ipsec_sad *
+rte_ipsec_sad_create(const char *name, const struct rte_ipsec_sad_conf *conf);
+
+/**
+ * Find an existing SAD object and return a pointer to it.
+ *
+ * @param name
+ *  Name of the SAD object as passed to rte_ipsec_sad_create()
+ * @return
+ *  Pointer to sad object or NULL if object not found with rte_errno
+ *  set appropriately. Possible rte_errno values include:
+ *   - ENOENT - required entry not available to return.
+ */
+__rte_experimental
+struct rte_ipsec_sad *
+rte_ipsec_sad_find_existing(const char *name);
+
+/**
+ * Destroy SAD object.
+ *
+ * @param sad
+ *   pointer to the SAD object
+ * @return
+ *   None
+ */
+__rte_experimental
+void
+rte_ipsec_sad_destroy(struct rte_ipsec_sad *sad);
+
+/**
+ * Lookup multiple keys in the SAD.
+ *
+ * @param sad
+ *   SAD object handle
+ * @param keys
+ *   Array of keys to be looked up in the SAD
+ * @param sa
+ *   Pointer assocoated with the keys.
+ *   If the lookup for the given key failed, then corresponding sa
+ *   will be NULL
+ * @param n
+ *   Number of elements in keys array to lookup.
+ *  @return
+ *   -EINVAL for incorrect arguments, otherwise 0
+ */
+__rte_experimental
+int
+rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
+	const union rte_ipsec_sad_key *keys[],
+	void *sa[], uint32_t n);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _RTE_IPSEC_SAD_H_ */
diff --git a/lib/librte_ipsec/rte_ipsec_version.map b/lib/librte_ipsec/rte_ipsec_version.map
index ee9f196..3c6c630 100644
--- a/lib/librte_ipsec/rte_ipsec_version.map
+++ b/lib/librte_ipsec/rte_ipsec_version.map
@@ -11,5 +11,12 @@ EXPERIMENTAL {
 	rte_ipsec_ses_from_crypto;
 	rte_ipsec_session_prepare;
 
+	rte_ipsec_sad_add;
+	rte_ipsec_sad_create;
+	rte_ipsec_sad_del;
+	rte_ipsec_sad_find_existing;
+	rte_ipsec_sad_destroy;
+	rte_ipsec_sad_lookup;
+
 	local: *;
 };
-- 
2.7.4



More information about the dev mailing list