> > This is part of odp_ipsec_sa_param_t, so lookup config is per SA.
>
> Does that mean that both SPI lookup and DEST ADDR lookup are mandatory?
> Is there a reason lookup mode is per SA?
The lookup mode is per SA to make it possible to have SAs for which
not ODP but the application performs the lookup (e.g. currently for
multicast IPsec SAs that do not have unique SPIs and require src
address lookup too, or for any other SAs with weird lookup rules)
and uses look-a-side IPsec ops with an explicit SA to do the
IPsec transforms.
Thus, I think at minimum the ODP_IPSEC_LOOKUP_DISABLED needs to
be per-SA even if the SPI versus SPI+dstaddr selection would be
global.
Janne
> -----Original Message-----
> From: lng-odp [mailto:lng-odp-boun...@lists.linaro.org] On Behalf Of Bala
> Manoharan
> Sent: Thursday, March 23, 2017 4:42 PM
> To: Savolainen, Petri (Nokia - FI/Espoo)
> <petri.savolai...@nokia-bell-labs.com>
> Cc: lng-odp-forward <lng-odp@lists.linaro.org>
> Subject: Re: [lng-odp] [API-NEXT PATCH v2 2/3] api: ipsec: add inline IPSEC
> support
>
> Regards,
> Bala
>
>
> On 23 March 2017 at 17:40, Savolainen, Petri (Nokia - FI/Espoo)
> <petri.savolai...@nokia-bell-labs.com> wrote:
> >> >
> >> > /**
> >> > @@ -381,11 +547,29 @@ typedef enum odp_ipsec_lookup_mode_t {
> >> > ODP_IPSEC_LOOKUP_DISABLED = 0,
> >> >
> >> > /** Inbound SA lookup is enabled. Used SPI values must be
> >> unique. */
> >> > - ODP_IPSEC_LOOKUP_IN_UNIQUE_SA
> >> > + ODP_IPSEC_LOOKUP_IN_UNIQUE_SPI,
> >> > +
> >> > + /** Inbound SA lookup is enabled. Lookup matches both SPI and
> >> > + * destination IP address. Used SPI values must be unique. */
> >> > + ODP_IPSEC_LOOKUP_IN_DSTADDR_UNIQUE_SPI
> >> >
> >> > } odp_ipsec_lookup_mode_t;
> >>
> >> odp_ipsec_lookup_mode_t is not added either in odp_ipsec_config() or
> >> in odp_ipsec_capability().
> >> I believe this should be added in both these struct?
> >
> >
> > This is part of odp_ipsec_sa_param_t, so lookup config is per SA.
>
> Does that mean that both SPI lookup and DEST ADDR lookup are mandatory?
> Is there a reason lookup mode is per SA?
>
> >
> >
> >>
> >> >
> >> >
> >> > /**
> >> > + * Result event destination
> >> > + */
> >> > +typedef enum odp_ipsec_dest_mode_t {
> >> > + /** Destination for IPSEC result events is a queue. */
> >> > + ODP_IPSEC_DEST_QUEUE = 0,
> >> > +
> >> > + /** Destination for IPSEC result events is the classifier.
> >> > + * IPSEC capability 'cls_inline' determines if inline
> >> classification
> >> > + * is supported. */
> >> > + ODP_IPSEC_DEST_CLS
> >> > +
> >> > +} odp_ipsec_dest_mode_t;
> >>
> >> Should'nt we add a dest_mode ODP_IPSEC_DEST_PKTIO for outbound inline
> >> when the packet is sent out through interface directly.
> >
> > This selection is for result events. For output direction, queue are the
> > only option
> (for events). Queue vs inline pktout is selected by odp_ipsec_out_enq() vs
> odp_ipsec_out_inline(). Selection of output pktio (or TM queue in the future)
> is
> parameters to odp_ipsec_out_inline().
>
> Yes. But the odp_ipsec_dest_mode_t is available in SA params and if
> the SA is configured in outbound direction and linked to the pktio
> then the configuration of dest_mode cannot be ODP_IPSEC_DEST_QUEUE.
>
> >
> > -Petri
> >
> >
> >
