Regards,
Bala
On 21 March 2017 at 19:47, Petri Savolainen
wrote:
> Added configuration option for inbound SPI range and default
> queue. Added SA disable function and status event for the
> response from it. The same event may be used for e.g. IPSEC
> statistics, etc queries. Improved outbound fragmentation
> documentation.
>
> Signed-off-by: Petri Savolainen
> ---
> include/odp/api/spec/event.h | 2 +-
> include/odp/api/spec/ipsec.h | 181 ++
> +++--
> 2 files changed, 143 insertions(+), 40 deletions(-)
>
> diff --git a/include/odp/api/spec/event.h b/include/odp/api/spec/event.h
> index 75c0bbc..f22efce 100644
> --- a/include/odp/api/spec/event.h
> +++ b/include/odp/api/spec/event.h
> @@ -39,7 +39,7 @@ extern "C" {
> * @typedef odp_event_type_t
> * ODP event types:
> * ODP_EVENT_BUFFER, ODP_EVENT_PACKET, ODP_EVENT_TIMEOUT,
> - * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT
> + * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT, ODP_EVENT_IPSEC_STATUS
> */
>
> /**
> diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
> index 66222d8..e951e49 100644
> --- a/include/odp/api/spec/ipsec.h
> +++ b/include/odp/api/spec/ipsec.h
> @@ -56,6 +56,30 @@ typedef enum odp_ipsec_op_mode_t {
> } odp_ipsec_op_mode_t;
>
> /**
> + * Configuration options for IPSEC inbound processing
> + */
> +typedef struct odp_ipsec_inbound_config_t {
> + /** Default destination queue for IPSEC events
> +*
> +* When inbound SA lookup fails in asynchronous or inline modes,
> +* resulting IPSEC events are enqueued into this queue.
> +*/
> + odp_queue_t default_queue;
> +
> + /** Inbound SPI range. Minimal range size may improve performance.
> */
> + struct {
> + /** Minimum inbound SPI value that application will use.
> +* Default value is 0. */
> + uint32_t min;
> +
> + /** Maximum inbound SPI value that application will use.
> +* Default value is UINT32_MAX. */
> + uint32_t max;
> + } spi;
> +
> +} odp_ipsec_inbound_config_t;
> +
> +/**
> * IPSEC capability
> */
> typedef struct odp_ipsec_capability_t {
> @@ -111,6 +135,13 @@ typedef struct odp_ipsec_config_t {
> */
> odp_ipsec_op_mode_t op_mode;
>
> + /** Maximum number of IPSEC SAs that application will use
> +* simultaneously */
> + uint32_t max_num_sa;
> +
> + /** IPSEC inbound processing configuration */
> + odp_ipsec_inbound_config_t inbound;
> +
> } odp_ipsec_config_t;
>
> /**
> @@ -529,6 +560,29 @@ void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t
> *param);
> odp_ipsec_sa_t odp_ipsec_sa_create(odp_ipsec_sa_param_t *param);
>
> /**
> + * Disable IPSEC SA
> + *
> + * Application must use this call to disable a SA before destroying it.
> The call
> + * marks the SA disabled, so that IPSEC implementation stops using it. For
> + * example, inbound SPI lookups will not match any more. Application must
> + * stop providing the SA as parameter to new IPSEC input/output operations
> + * before calling disable. Packets in progress during the call may still
> match
> + * the SA and be processed successfully.
> + *
> + * When in synchronous operation mode, the call will return when it's
> possible
> + * to destroy the SA. In asynchronous mode, the same is indicated by an
> + * ODP_EVENT_IPSEC_STATUS event sent to the queue specified for the SA.
>
During synchronous operation mode, it is possible that this call is
executing on one core
and the SA is being used in ipsec operation by some other core and so this
call might take considerable cpu
cycles waiting for other cores to finish.
It might be easy if we dictate that the result will be returned using the
status even for synchronous mode or we can add a new API odp_ipsec_sa_use()
which specifies if the SA has been disabled or not.
> + *
> + * @param sa IPSEC SA to be disabled
> + *
> + * @retval 0 On success
> + * @retval <0 On failure
> + *
> + * @see odp_ipsec_sa_destroy()
> + */
> +int odp_ipsec_sa_disable(odp_ipsec_sa_t sa);
> +
> +/**
> * Destroy IPSEC SA
> *
> * Destroy an unused IPSEC SA. Result is undefined if the SA is being used
> @@ -567,55 +621,59 @@ typedef struct odp_ipsec_op_opt_t {
> #define ODP_IPSEC_OK 0
>
> /** IPSEC operation status */
> -typedef union odp_ipsec_status_t {
> - /** Error flags */
> - struct {
> - /** Protocol error. Not a valid ESP or AH packet. */
> - uint32_t proto: 1;
> +typedef struct odp_ipsec_op_status_t {
> + union {
> + /** Error flags */
> + struct {
> + /** Protocol error. Not a valid ESP or AH packet.
> */
> + uint32_t proto: 1;
>
> - /** SA lookup failed */
> - uint32_t sa_lookup: 1;
> + /** SA