Added SPI range and SA disable. Improved fragment documentation.
Signed-off-by: Petri Savolainen <petri.savolai...@linaro.org>
---
include/odp/api/spec/event.h | 2 +-
include/odp/api/spec/ipsec.h | 43 +++++++++++++++++++++++++++++++++++++++++--
2 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/include/odp/api/spec/event.h b/include/odp/api/spec/event.h
index 75c0bbc..f22efce 100644
--- a/include/odp/api/spec/event.h
+++ b/include/odp/api/spec/event.h
@@ -39,7 +39,7 @@ extern "C" {
* @typedef odp_event_type_t
* ODP event types:
* ODP_EVENT_BUFFER, ODP_EVENT_PACKET, ODP_EVENT_TIMEOUT,
- * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT
+ * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT, ODP_EVENT_IPSEC_STATUS
*/
/**
diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
index 66222d8..e57c7df 100644
--- a/include/odp/api/spec/ipsec.h
+++ b/include/odp/api/spec/ipsec.h
@@ -111,6 +111,21 @@ typedef struct odp_ipsec_config_t {
*/
odp_ipsec_op_mode_t op_mode;
+ /** Maximum number of IPSEC SAs that application will use
+ * simultaneously */
+ uint32_t max_num_sa;
+
+ /** Inbound SPI range. Minimal range size may improve performance. */
+ struct {
+ /** Minimum inbound SPI value that application will use.
+ * Default value is 0. */
+ uint32_t min;
+
+ /** Maximum inbound SPI value that application will use.
+ * Default value is UINT32_MAX. */
+ uint32_t max;
+ } inbound_spi;
+
} odp_ipsec_config_t;
/**
@@ -529,6 +544,29 @@ void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t *param);
odp_ipsec_sa_t odp_ipsec_sa_create(odp_ipsec_sa_param_t *param);
/**
+ * Disable IPSEC SA
+ *
+ * Application must use this call to disable a SA before destroying it. The
call
+ * marks the SA disabled, so that IPSEC implementation stops using it. For
+ * example, inbound SPI lookups will not match any more. Application must
+ * stop providing the SA as parameter to new IPSEC input/output operations
+ * before calling disable. Packets in progress during the call may still match
+ * the SA and be processed successfully.
+ *
+ * When in synchronous operation mode, the call will return when it's possible
+ * to destroy the SA. In asynchronous mode, the same is indicated by an
+ * ODP_EVENT_IPSEC_STATUS event sent to the queue specified for the SA.
+ *
+ * @param sa IPSEC SA to be disabled
+ *
+ * @retval 0 On success
+ * @retval <0 On failure
+ *
+ * @see odp_ipsec_sa_destroy()
+ */
+int odp_ipsec_sa_disable(odp_ipsec_sa_t sa);
+
+/**
* Destroy IPSEC SA
*
* Destroy an unused IPSEC SA. Result is undefined if the SA is being used
@@ -679,8 +717,9 @@ typedef struct odp_ipsec_packet_result_t {
*
* Without fragmentation offload this is always one. However, if the
* input packet was fragmented during the operation this is larger than
- * one for the first fragment and zero for the rest of the fragments
- * (following the first one in the 'pkt' array).
+ * one for the first returned fragment and zero for the rest of the
+ * fragments. All the fragments (of the same source packet) are stored
+ * consecutively in the 'pkt' array.
*/
int num_out;
--
2.8.1
