Added SPI range and SA disable. Improved fragment documentation. Signed-off-by: Petri Savolainen <petri.savolai...@linaro.org> --- include/odp/api/spec/event.h | 2 +- include/odp/api/spec/ipsec.h | 43 +++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/include/odp/api/spec/event.h b/include/odp/api/spec/event.h
index 75c0bbc..f22efce 100644
--- a/include/odp/api/spec/event.h
+++ b/include/odp/api/spec/event.h
@@ -39,7 +39,7 @@ extern "C" {
 * @typedef odp_event_type_t
 * ODP event types:
 * ODP_EVENT_BUFFER, ODP_EVENT_PACKET, ODP_EVENT_TIMEOUT,
- * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT
+ * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT, ODP_EVENT_IPSEC_STATUS
 */
 
 /**
diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
index 66222d8..e57c7df 100644
--- a/include/odp/api/spec/ipsec.h
+++ b/include/odp/api/spec/ipsec.h
@@ -111,6 +111,21 @@ typedef struct odp_ipsec_config_t {
 */
 odp_ipsec_op_mode_t op_mode;
 
+ /** Maximum number of IPSEC SAs that application will use
+ * simultaneously */
+ uint32_t max_num_sa;
+
+ /** Inbound SPI range. Minimal range size may improve performance. */
+ struct {
+ /** Minimum inbound SPI value that application will use.
+ * Default value is 0. */
+ uint32_t min;
+
+ /** Maximum inbound SPI value that application will use.
+ * Default value is UINT32_MAX. */
+ uint32_t max;
+ } inbound_spi;
+
 } odp_ipsec_config_t;
 
 /**
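Review bot: The new `max_num_sa` and `inbound_spi` fields in `odp_ipsec_config_t` do not say what happens when the application goes beyond the limits it configured. `max_num_sa` has no stated default, unlike `inbound_spi.min` and `inbound_spi.max`, and nothing says whether `min > max` is rejected at configuration time or whether creating one SA too many, or an inbound SA whose SPI lies outside the range, fails. An implementation may well size its inbound lookup from these values, so I would spell the contract out, for example `* SA creation fails if the inbound SPI is outside this range.` plus a matching sentence and a default for `max_num_sa`. The struct begins outside this hunk, so defaults assigned elsewhere (for instance by a config init function) are not visible here.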
@@ -529,6 +544,29 @@ void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t *param);
 odp_ipsec_sa_t odp_ipsec_sa_create(odp_ipsec_sa_param_t *param);
 
 /**
+ * Disable IPSEC SA
+ *
+ * Application must use this call to disable a SA before destroying it. The call
+ * marks the SA disabled, so that IPSEC implementation stops using it. For
+ * example, inbound SPI lookups will not match any more. Application must
+ * stop providing the SA as parameter to new IPSEC input/output operations
+ * before calling disable. Packets in progress during the call may still match
+ * the SA and be processed successfully.
+ *
+ * When in synchronous operation mode, the call will return when it's possible
+ * to destroy the SA. In asynchronous mode, the same is indicated by an
+ * ODP_EVENT_IPSEC_STATUS event sent to the queue specified for the SA.
+ *
+ * @param sa IPSEC SA to be disabled
+ *
+ * @retval 0 On success
+ * @retval <0 On failure
+ *
+ * @see odp_ipsec_sa_destroy()
+ */
+int odp_ipsec_sa_disable(odp_ipsec_sa_t sa);
+
+/**
 * Destroy IPSEC SA
 *
 * Destroy an unused IPSEC SA. Result is undefined if the SA is being used
@@ -679,8 +717,9 @@ typedef struct odp_ipsec_packet_result_t {
 *
 * Without fragmentation offload this is always one. However, if the
 * input packet was fragmented during the operation this is larger than
- * one for the first fragment and zero for the rest of the fragments
- * (following the first one in the 'pkt' array).
+ * one for the first returned fragment and zero for the rest of the
+ * fragments. All the fragments (of the same source packet) are stored
+ * consecutively in the 'pkt' array.
 */
 int num_out;
 
-- 
2.8.1
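Review bot: The `odp_ipsec_sa_disable()` comment leaves the teardown ordering under-specified: it says disable must precede destroy, but not that `odp_ipsec_sa_destroy()` has to wait until the disable has completed (the return in synchronous mode, the `ODP_EVENT_IPSEC_STATUS` event in asynchronous mode). Destroying an SA while in-flight packets still match it is the case the destroy text calls undefined, so I would add `* The SA must not be destroyed before disable has completed.` to the new comment. The hunks shown also do not say how the application learns which SA a status event refers to, or what state the SA is left in when `<0` is returned or when disable is called a second time; if that is specified elsewhere, a `@see` to it would help. The destroy comment continues outside this hunk, so it may already cover part of this.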