[dpdk-dev] [PATCH 11/14] examples/ipsec-secgw: add app processing code
Anoob Joseph
anoobj at marvell.com
Tue Jan 7 07:16:59 CET 2020
Hi Konstantin,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev at intel.com>
> Sent: Wednesday, December 25, 2019 8:49 PM
> To: Anoob Joseph <anoobj at marvell.com>; Akhil Goyal <akhil.goyal at nxp.com>;
> Nicolau, Radu <radu.nicolau at intel.com>; Thomas Monjalon
> <thomas at monjalon.net>
> Cc: Lukas Bartosik <lbartosik at marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj at marvell.com>; Narayana Prasad Raju Athreya
> <pathreya at marvell.com>; Ankur Dwivedi <adwivedi at marvell.com>; Archana
> Muniganti <marchana at marvell.com>; Tejasree Kondoj
> <ktejasree at marvell.com>; Vamsi Krishna Attunuru <vattunuru at marvell.com>;
> dev at dpdk.org
> Subject: [EXT] RE: [PATCH 11/14] examples/ipsec-secgw: add app processing
> code
>
> > +static inline int
> > +process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
> > + struct rte_event *ev)
> > +{
> > + struct ipsec_sa *sa = NULL;
> > + struct rte_mbuf *pkt;
> > + uint16_t port_id = 0;
> > + enum pkt_type type;
> > + uint32_t sa_idx;
> > + uint8_t *nlp;
> > +
> > + /* Get pkt from event */
> > + pkt = ev->mbuf;
> > +
> > + /* Check the packet type */
> > + type = process_ipsec_get_pkt_type(pkt, &nlp);
> > +
> > + switch (type) {
> > + case PKT_TYPE_PLAIN_IPV4:
> > + if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD)
> > + sa = (struct ipsec_sa *) pkt->udata64;
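Review bot: the cast `(struct ipsec_sa *) pkt->udata64` in the PKT_TYPE_PLAIN_IPV4 case converts the 64-bit `udata64` field straight to a pointer; on a build where pointers are narrower than 64 bits this is an integer-to-pointer cast of a different size, and compilers warn on it. Going through `uintptr_t`, as in `sa = (struct ipsec_sa *)(uintptr_t)pkt->udata64;`, keeps the conversion explicit, and the same applies to the identical line in the PKT_TYPE_PLAIN_IPV6 case. A short comment saying who stores the SA pointer in the mbuf would also help, since the function later dereferences it (`sa->spi`) on the strength of the PKT_RX_SEC_OFFLOAD flag alone.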
>
>
> Shouldn't packets with PKT_RX_SEC_OFFLOAD_FAIL be handled somehow?
[Anoob] Yes. Will fix this in v2.
> Another question - as I can see from the code, right now event mode supports
> only inline-proto, correct?
> If so, then probably an error should be reported at startup, if in config file
> some other types of sessions were requested.
[Anoob] Okay. Will add this in v2.
>
> > +
> > + /* Check if we have a match */
> > + if (check_sp(ctx->sp4_ctx, nlp, &sa_idx) == 0) {
> > + /* No valid match */
> > + goto drop_pkt_and_exit;
> > + }
> > + break;
> > +
> > + case PKT_TYPE_PLAIN_IPV6:
> > + if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD)
> > + sa = (struct ipsec_sa *) pkt->udata64;
> > +
> > + /* Check if we have a match */
> > + if (check_sp(ctx->sp6_ctx, nlp, &sa_idx) == 0) {
> > + /* No valid match */
> > + goto drop_pkt_and_exit;
> > + }
> > + break;
> > +
> > + default:
> > + RTE_LOG(ERR, IPSEC, "Unsupported packet type = %d\n", type);
> > + goto drop_pkt_and_exit;
> > + }
> > +
> > + /* Check if the packet has to be bypassed */
> > + if (sa_idx == 0)
> > + goto route_and_send_pkt;
> > +
> > + /* Else the packet has to be protected with SA */
> > +
> > + /* If the packet was IPsec processed, then SA pointer should be set */
> > + if (sa == NULL)
> > + goto drop_pkt_and_exit;
> > +
> > + /* SPI on the packet should match with the one in SA */
> > + if (unlikely(sa->spi != sa_idx))
> > + goto drop_pkt_and_exit;
> > +
> > +route_and_send_pkt:
> > + port_id = get_route(pkt, rt, type);
> > + if (unlikely(port_id == RTE_MAX_ETHPORTS)) {
> > + /* no match */
> > + goto drop_pkt_and_exit;
> > + }
> > + /* else, we have a matching route */
> > +
> > + /* Update mac addresses */
> > + update_mac_addrs(pkt, port_id);
> > +
> > + /* Update the event with the dest port */
> > + ipsec_event_pre_forward(pkt, port_id);
> > + return 1;
> > +
> > +drop_pkt_and_exit:
> > + RTE_LOG(ERR, IPSEC, "Inbound packet dropped\n");
> > + rte_pktmbuf_free(pkt);
> > + ev->mbuf = NULL;
> > + return 0;
> > +}
> > +
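Review bot: `drop_pkt_and_exit` logs at ERR level for every dropped packet, and the `default:` case emits a second ERR line before jumping there, so any peer sending traffic with no matching policy or an unsupported type controls how much the worker logs in the fast path. Consider a per-reason drop counter with a debug-level or rate-limited message in place of `RTE_LOG(ERR, IPSEC, "Inbound packet dropped\n");`. Separately, `sa_idx` is tested against 0 for bypass and then compared with `sa->spi`, so it appears to carry an SPI rather than an index; a comment or a rename would make the `sa->spi != sa_idx` check easier to verify.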