Hi Konstantin,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.anan...@intel.com>
> Sent: Wednesday, December 25, 2019 8:49 PM
> To: Anoob Joseph <ano...@marvell.com>; Akhil Goyal <akhil.go...@nxp.com>;
> Nicolau, Radu <radu.nico...@intel.com>; Thomas Monjalon
> <tho...@monjalon.net>
> Cc: Lukas Bartosik <lbarto...@marvell.com>; Jerin Jacob Kollanukkaran
> <jer...@marvell.com>; Narayana Prasad Raju Athreya
> <pathr...@marvell.com>; Ankur Dwivedi <adwiv...@marvell.com>; Archana
> Muniganti <march...@marvell.com>; Tejasree Kondoj
> <ktejas...@marvell.com>; Vamsi Krishna Attunuru <vattun...@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH 11/14] examples/ipsec-secgw: add app processing
> code
>
> External Email
>
> ----------------------------------------------------------------------
>
> > +static inline int
> > +process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
> > + struct rte_event *ev)
> > +{
> > + struct ipsec_sa *sa = NULL;
> > + struct rte_mbuf *pkt;
> > + uint16_t port_id = 0;
> > + enum pkt_type type;
> > + uint32_t sa_idx;
> > + uint8_t *nlp;
> > +
> > + /* Get pkt from event */
> > + pkt = ev->mbuf;
> > +
> > + /* Check the packet type */
> > + type = process_ipsec_get_pkt_type(pkt, &nlp);
> > +
> > + switch (type) {
> > + case PKT_TYPE_PLAIN_IPV4:
> > + if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD)
> > + sa = (struct ipsec_sa *) pkt->udata64;
>
>
> Shouldn't packets with PKT_RX_SEC_OFFLOAD_FAIL be handled somehow?
[Anoob] Yes. Will fix this in v2.
> Another question - as I can see from the code, right now event mode supports
> only inline-proto, correct?
> If so, then probably an error should be reported at startup, if in config file
> some other types of sessions were requested.
[Anoob] Okay. Will add this in v2.
>
> > +
> > + /* Check if we have a match */
> > + if (check_sp(ctx->sp4_ctx, nlp, &sa_idx) == 0) {
> > + /* No valid match */
> > + goto drop_pkt_and_exit;
> > + }
> > + break;
> > +
> > + case PKT_TYPE_PLAIN_IPV6:
> > + if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD)
> > + sa = (struct ipsec_sa *) pkt->udata64;
> > +
> > + /* Check if we have a match */
> > + if (check_sp(ctx->sp6_ctx, nlp, &sa_idx) == 0) {
> > + /* No valid match */
> > + goto drop_pkt_and_exit;
> > + }
> > + break;
> > +
> > + default:
> > + RTE_LOG(ERR, IPSEC, "Unsupported packet type = %d\n", type);
> > + goto drop_pkt_and_exit;
> > + }
> > +
> > + /* Check if the packet has to be bypassed */
> > + if (sa_idx == 0)
> > + goto route_and_send_pkt;
> > +
> > + /* Else the packet has to be protected with SA */
> > +
> > + /* If the packet was IPsec processed, then SA pointer should be set */
> > + if (sa == NULL)
> > + goto drop_pkt_and_exit;
> > +
> > + /* SPI on the packet should match with the one in SA */
> > + if (unlikely(sa->spi != sa_idx))
> > + goto drop_pkt_and_exit;
> > +
> > +route_and_send_pkt:
> > + port_id = get_route(pkt, rt, type);
> > + if (unlikely(port_id == RTE_MAX_ETHPORTS)) {
> > + /* no match */
> > + goto drop_pkt_and_exit;
> > + }
> > + /* else, we have a matching route */
> > +
> > + /* Update mac addresses */
> > + update_mac_addrs(pkt, port_id);
> > +
> > + /* Update the event with the dest port */
> > + ipsec_event_pre_forward(pkt, port_id);
> > + return 1;
> > +
> > +drop_pkt_and_exit:
> > + RTE_LOG(ERR, IPSEC, "Inbound packet dropped\n");
> > + rte_pktmbuf_free(pkt);
> > + ev->mbuf = NULL;
> > + return 0;
> > +}
> > +
