Added support for inline IPSEC processing on packet input and output. Inline mode IPSEC and traffic manager cannot be enabled (currently) on the same pktio interface.
Signed-off-by: Petri Savolainen <petri.savolai...@linaro.org> --- include/odp/api/spec/ipsec.h | 355 ++++++++++++++++++++++++++++++++++++--- include/odp/api/spec/packet_io.h | 32 ++++ 2 files changed, 360 insertions(+), 27 deletions(-) diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h index 118363e..b3dc0ca 100644 --- a/include/odp/api/spec/ipsec.h +++ b/include/odp/api/spec/ipsec.h @@ -19,6 +19,8 @@ extern "C" { #endif #include <odp/api/crypto.h> +#include <odp/api/packet_io.h> +#include <odp/api/classification.h> /** @defgroup odp_ipsec ODP IPSEC * Operations of IPSEC API. @@ -51,11 +53,43 @@ typedef enum odp_ipsec_op_mode_t { * Application uses asynchronous IPSEC operations, * which return results via events. */ - ODP_IPSEC_OP_MODE_ASYNC + ODP_IPSEC_OP_MODE_ASYNC, + + /** Inline IPSEC operation + * + * Packet input/output is connected directly to IPSEC inbound/outbound + * processing. Application uses asynchronous or inline IPSEC + * operations. + */ + ODP_IPSEC_OP_MODE_INLINE, + + /** IPSEC is disabled in inbound / outbound direction */ + ODP_IPSEC_OP_MODE_DISABLED } odp_ipsec_op_mode_t; /** + * Protocol layers in IPSEC configuration + */ +typedef enum odp_ipsec_proto_layer_t { + /** No layers */ + ODP_IPSEC_LAYER_NONE = 0, + + /** Layer L2 protocols (Ethernet, VLAN, etc) */ + ODP_IPSEC_LAYER_L2, + + /** Layer L3 protocols (IPv4, IPv6, ICMP, IPSEC, etc) */ + ODP_IPSEC_LAYER_L3, + + /** Layer L4 protocols (UDP, TCP, SCTP) */ + ODP_IPSEC_LAYER_L4, + + /** All layers */ + ODP_IPSEC_LAYER_ALL + +} odp_ipsec_proto_layer_t; + +/** * Configuration options for IPSEC inbound processing */ typedef struct odp_ipsec_inbound_config_t { @@ -88,9 +122,110 @@ typedef struct odp_ipsec_inbound_config_t { } lookup; + /** Retain outer headers + * + * Select up to which protocol layer (at least) outer headers are + * retained in inbound inline processing. Default value is + * ODP_IPSEC_LAYER_NONE. + * + * ODP_IPSEC_LAYER_NONE: Application does not require any outer + * headers to be retained. + * + * ODP_IPSEC_LAYER_L2: Retain headers up to layer 2. + * + * ODP_IPSEC_LAYER_L3: Retain headers up to layer 3, otherwise the + * same as ODP_IPSEC_LAYER_ALL. + * + * ODP_IPSEC_LAYER_L4: Retain headers up to layer 4, otherwise the + * same as ODP_IPSEC_LAYER_ALL. + * + * ODP_IPSEC_LAYER_ALL: In tunnel mode, all headers before IPSEC are + * retained. In transport mode, all headers + * before IP (carrying IPSEC) are retained. + * + */ + odp_ipsec_proto_layer_t retain_outer; + + /** Parse packet headers after IPSEC transformation + * + * Select header parsing level after inbound processing. Headers of the + * resulting packet must be parsed (at least) up to this level. Parsing + * starts from IP (layer 3). Each successfully transformed packet has + * a valid value for L3 offset regardless of the parse configuration. + * Default value is ODP_IPSEC_LAYER_NONE. + */ + odp_ipsec_proto_layer_t parse; + + /** Flags to control IPSEC payload data checks up to the selected parse + * level. */ + union { + struct { + /** Check IPv4 header checksum in IPSEC payload. + * Default value is 0. */ + uint32_t ipv4_chksum : 1; + + /** Check UDP checksum in IPSEC payload. + * Default value is 0. */ + uint32_t udp_chksum : 1; + + /** Check TCP checksum in IPSEC payload. + * Default value is 0. */ + uint32_t tcp_chksum : 1; + + /** Check SCTP checksum in IPSEC payload. + * Default value is 0. */ + uint32_t sctp_chksum : 1; + } check; + + /** All bits of the bit field structure + * + * This field can be used to set/clear all flags, or bitwise + * operations over the entire structure. */ + uint32_t all_check; + }; + } odp_ipsec_inbound_config_t; /** + * Configuration options for IPSEC outbound processing + */ +typedef struct odp_ipsec_outbound_config_t { + /** Flags to control L3/L4 checksum insertion as part of outbound + * packet processing. Packet must have set with valid L3/L4 offsets. + * Checksum configuration is ignored for packets that checksum cannot + * be computed for (e.g. IPv4 fragments). Application may use a packet + * metadata flag to disable checksum insertion per packet bases. + */ + union { + struct { + /** Insert IPv4 header checksum on the payload packet + * before IPSEC transformation. Default value is 0. */ + uint32_t inner_ipv4 : 1; + + /** Insert UDP header checksum on the payload packet + * before IPSEC transformation. Default value is 0. */ + uint32_t inner_udp : 1; + + /** Insert TCP header checksum on the payload packet + * before IPSEC transformation. Default value is 0. */ + uint32_t inner_tcp : 1; + + /** Insert SCTP header checksum on the payload packet + * before IPSEC transformation. Default value is 0. */ + uint32_t inner_sctp : 1; + + } chksum; + + /** All bits of the bit field structure + * + * This field can be used to set/clear all flags, or bitwise + * operations over the entire structure. */ + uint32_t all_chksum; + }; + +} odp_ipsec_outbound_config_t; + +/** * IPSEC capability */ typedef struct odp_ipsec_capability_t { @@ -113,6 +248,23 @@ typedef struct odp_ipsec_capability_t { */ uint8_t op_mode_async; + /** Inline IPSEC operation mode (ODP_IPSEC_OP_MODE_INLINE) support + * + * 0: Inline IPSEC operation is not supported + * 1: Inline IPSEC operation is supported + * 2: Inline IPSEC operation is supported and preferred + */ + uint8_t op_mode_inline; + + /** Support of pipelined classification (ODP_IPSEC_PIPELINE_CLS) of + * resulting inbound packets. + * + * 0: Classification of resulting packets is not supported + * 1: Classification of resulting packets is supported + * 2: Classification of resulting packets is supported and preferred + */ + uint8_t pipeline_cls; + /** Soft expiry limit in seconds support * * 0: Limit is not supported @@ -139,12 +291,19 @@ typedef struct odp_ipsec_capability_t { * IPSEC configuration options */ typedef struct odp_ipsec_config_t { - /** IPSEC operation mode. Application selects which mode (sync or async) - * will be used for IPSEC operations. + /** Inbound IPSEC operation mode. Application selects which mode + * will be used for inbound IPSEC operations. * * @see odp_ipsec_in(), odp_ipsec_in_enq() */ - odp_ipsec_op_mode_t op_mode; + odp_ipsec_op_mode_t inbound_mode; + + /** Outbound IPSEC operation mode. Application selects which mode + * will be used for outbound IPSEC operations. + * + * @see odp_ipsec_out(), odp_ipsec_out_enq(), odp_ipsec_out_inline() + */ + odp_ipsec_op_mode_t outbound_mode; /** Maximum number of IPSEC SAs that application will use * simultaneously */ @@ -153,6 +312,9 @@ typedef struct odp_ipsec_config_t { /** IPSEC inbound processing configuration */ odp_ipsec_inbound_config_t inbound; + /** IPSEC outbound processing configuration */ + odp_ipsec_outbound_config_t outbound; + } odp_ipsec_config_t; /** @@ -392,13 +554,35 @@ typedef enum odp_ipsec_lookup_mode_t { ODP_IPSEC_LOOKUP_DISABLED = 0, /** Inbound SA lookup is enabled. Lookup matches only SPI value. - * SA lookup failure status (error.sa_lookup) is reported through + * In inline mode, a lookup miss directs the packet back to normal + * packet input interface processing. In other modes, the SA lookup + * failure status (error.sa_lookup) is reported through * odp_ipsec_packet_result_t. */ - ODP_IPSEC_LOOKUP_SPI + ODP_IPSEC_LOOKUP_SPI, + + /** Inbound SA lookup is enabled. Lookup matches both SPI value and + * destination IP address. Functionality is otherwise identical to + * ODP_IPSEC_LOOKUP_SPI. */ + ODP_IPSEC_LOOKUP_DSTADDR_SPI } odp_ipsec_lookup_mode_t; /** + * Result event pipeline configuration + */ +typedef enum odp_ipsec_pipeline_t { + /** Do not pipeline */ + ODP_IPSEC_PIPELINE_NONE = 0, + + /** Send IPSEC result events to the classifier. + * + * IPSEC capability 'pipeline_cls' determines if pipelined + * classification is supported. */ + ODP_IPSEC_PIPELINE_CLS + +} odp_ipsec_pipeline_t; + +/** * IPSEC Security Association (SA) parameters */ typedef struct odp_ipsec_sa_param_t { @@ -439,6 +623,21 @@ typedef struct odp_ipsec_sa_param_t { /** SPI value */ uint32_t spi; + /** Additional inbound SA lookup parameters. Values are considered + * only in ODP_IPSEC_LOOKUP_DSTADDR_SPI lookup mode. */ + struct { + /** Select IP version + * + * 4: IPv4 + * 6: IPv6 + */ + uint8_t ip_version; + + /** IP destination address (NETWORK ENDIAN) */ + void *dst_addr; + + } lookup_param; + /** MTU for outbound IP fragmentation offload * * This is the maximum length of IP packets that outbound IPSEC @@ -447,13 +646,31 @@ typedef struct odp_ipsec_sa_param_t { */ uint32_t mtu; + /** Select pipelined destination for IPSEC result events + * + * Asynchronous and inline modes generate result events. Select where + * those events are sent. Inbound SAs may choose to use pipelined + * classification. The default value is ODP_IPSEC_PIPELINE_NONE. + */ + odp_ipsec_pipeline_t pipeline; + /** Destination queue for IPSEC events * - * Operations in asynchronous mode enqueue resulting events into - * this queue. + * Operations in asynchronous or inline mode enqueue resulting events + * into this queue. */ odp_queue_t dest_queue; + /** Classifier destination CoS for IPSEC result events + * + * Result events for successfully decapsulated packets are sent to + * classification through this CoS. Other result events are sent to + * 'dest_queue'. This field is considered only when 'pipeline' is + * ODP_IPSEC_PIPELINE_CLS. The CoS must not be shared between any pktio + * interface default CoS. + */ + odp_cos_t dest_cos; + /** User defined SA context pointer * * User defined context pointer associated with the SA. @@ -686,6 +903,18 @@ typedef struct odp_ipsec_op_status_t { uint32_t all_error; }; + union { + /** Status flags */ + struct { + /** Packet was processed in inline mode */ + uint32_t inline_mode : 1; + + } flag; + + /** All flag bits */ + uint32_t all_flag; + }; + } odp_ipsec_op_status_t; /** @@ -715,7 +944,7 @@ typedef struct odp_ipsec_op_param_t { /** Pointer to an array of packets * - * Each packet must have a valid value for these meta-data: + * Each packet must have a valid value for these metadata: * * L3 offset: Offset to the first byte of the (outmost) IP header * * L4 offset: For inbound direction, when udp_encap is enabled - * offset to the first byte of the encapsulating UDP @@ -740,6 +969,35 @@ typedef struct odp_ipsec_op_param_t { } odp_ipsec_op_param_t; /** + * Outbound inline IPSEC operation parameters + */ +typedef struct odp_ipsec_inline_op_param_t { + /** Packet output interface for inline output operation + * + * Outbound inline IPSEC operation uses this packet IO interface to + * output the packet after a successful IPSEC transformation. The pktio + * must have been configured to operate in inline IPSEC mode. + */ + odp_pktio_t pktio; + + /** Outer headers for inline output operation + * + * Outbound inline IPSEC operation uses this information to prepend + * outer headers to the IPSEC packet before sending it out. + */ + struct { + /** Points to first byte of outer headers to be copied in + * front of the outgoing IPSEC packet. Implementation copies + * the headers during odp_ipsec_out_inline() call. */ + uint8_t *ptr; + + /** Outer header length in bytes */ + uint32_t len; + } outer_hdr; + +} odp_ipsec_inline_op_param_t; + +/** * IPSEC operation result for a packet */ typedef struct odp_ipsec_packet_result_t { @@ -765,6 +1023,23 @@ typedef struct odp_ipsec_packet_result_t { */ odp_ipsec_sa_t sa; + /** Packet outer header status before inbound inline processing. + * This is valid only when status.flag.inline_mode is set. + */ + struct { + /** Points to the first byte of retained outer headers. These + * headers are stored in a contiquous, per packet, + * implementation specific memory space. Since the memory space + * may overlap with e.g. packet head/tailroom, the content + * becomes invalid if packet data storage is modified in + * anyway. The memory space may not be sharable to other + * threads. */ + uint8_t *ptr; + + /** Outer header length in bytes */ + uint32_t len; + } outer_hdr; + } odp_ipsec_packet_result_t; /** @@ -786,18 +1061,14 @@ typedef struct odp_ipsec_op_result_t { * at least 'num_pkt' elements. * * Each successfully transformed packet has a valid value for these - * meta-data: + * metadata regardless of the inner packet parse configuration. + * (odp_ipsec_inbound_config_t): * * L3 offset: Offset to the first byte of the (outmost) IP header - * * L4 offset: Offset to the first byte of the valid and known L4 - * header (immediately following the IP header). - * * Various flags about L3 and L4 layers: - * has_l3, has_l4, has_ipv4, has_ipv6, has_ipfrag, - * has_ipsec, has_udp, has_tcp, etc depending on - * the resulted packet format + * * pktio: For inbound inline IPSEC processed packets, original + * packet input interface * - * @see odp_packet_l3_offset(), odp_packet_l4_offset(), - * odp_packet_has_ipv4(), odp_packet_has_ipv6(), - * odp_packet_has_ipfrag(), odp_packet_has_ipsec() + * Other metadata for parse results and error checks depend on + * configuration (selected parse and error check levels). */ odp_packet_t *pkt; @@ -928,10 +1199,10 @@ int odp_ipsec_out(const odp_ipsec_op_param_t *input, /** * Inbound asynchronous IPSEC operation * - * This operation does inbound IPSEC processing in asynchronous mode - * (ODP_IPSEC_OP_MODE_ASYNC). It processes packets otherwise identically to - * odp_ipsec_in(), but outputs all results through one or more - * ODP_EVENT_IPSEC_RESULT events with the following ordering considerations. + * This operation does inbound IPSEC processing in asynchronous mode. It + * processes packets otherwise identically to odp_ipsec_in(), but outputs all + * results through one or more ODP_EVENT_IPSEC_RESULT events with the following + * ordering considerations. * * Asynchronous mode maintains (operation input) packet order per SA when * application calls the operation within an ordered or atomic scheduler context @@ -941,6 +1212,11 @@ int odp_ipsec_out(const odp_ipsec_op_param_t *input, * events for the same SA are enqueued in order, and packet handles (for the * same SA) are stored in order within an event. * + * The function may be used also in inline processing mode, e.g. for IPSEC + * packets for which inline processing is not possible. Packets for the same SA + * may be processed simultaneously in both modes (initiated by this function + * and inline operation). + * * @param input Operation input parameters * * @return Number of input packets consumed (0 ... input.num_pkt) @@ -953,10 +1229,10 @@ int odp_ipsec_in_enq(const odp_ipsec_op_param_t *input); /** * Outbound asynchronous IPSEC operation * - * This operation does outbound IPSEC processing in asynchronous mode - * (ODP_IPSEC_OP_MODE_ASYNC). It processes packets otherwise identically to - * odp_ipsec_out(), but outputs all results through one or more - * ODP_EVENT_IPSEC_RESULT events with the following ordering considerations. + * This operation does outbound IPSEC processing in asynchronous mode. It + * processes packets otherwise identically to odp_ipsec_out(), but outputs all + * results through one or more ODP_EVENT_IPSEC_RESULT events with the following + * ordering considerations. * * Asynchronous mode maintains (operation input) packet order per SA when * application calls the operation within an ordered or atomic scheduler context @@ -966,6 +1242,9 @@ int odp_ipsec_in_enq(const odp_ipsec_op_param_t *input); * events for the same SA are enqueued in order, and packet handles (for the * same SA) are stored in order within an event. * + * The function may be used also in inline processing mode, e.g. for IPSEC + * packets for which inline processing is not possible. + * * @param input Operation input parameters * * @return Number of input packets consumed (0 ... input.num_pkt) @@ -976,6 +1255,28 @@ int odp_ipsec_in_enq(const odp_ipsec_op_param_t *input); int odp_ipsec_out_enq(const odp_ipsec_op_param_t *input); /** + * Outbound inline IPSEC operation + * + * This operation does outbound inline IPSEC processing for the packets. It's + * otherwise identical to odp_ipsec_out_enq(), but outputs all successfully + * transformed packets to the specified output interface, instead of generating + * result events for those. + * + * Inline operation parameters are defined per packet. The array of parameters + * must have 'op_param.num_pkt' elements and is pointed to by 'inline_param'. + * + * @param op_param Operation parameters + * @param inline_param Outbound inline operation specific parameters + * + * @return Number of packets consumed (0 ... op_param.num_pkt) + * @retval <0 On failure + * + * @see odp_ipsec_out_enq() + */ +int odp_ipsec_out_inline(const odp_ipsec_op_param_t *op_param, + const odp_ipsec_inline_op_param_t *inline_param); + +/** * Get IPSEC results from an ODP_EVENT_IPSEC_RESULT event * * Copies IPSEC operation results from an event. The event must be of diff --git a/include/odp/api/spec/packet_io.h b/include/odp/api/spec/packet_io.h index cec1f22..8802089 100644 --- a/include/odp/api/spec/packet_io.h +++ b/include/odp/api/spec/packet_io.h @@ -407,6 +407,38 @@ typedef struct odp_pktio_config_t { * interface capability before enabling the same. */ odp_bool_t enable_loop; + /** Inbound IPSEC inlined with packet input + * + * Enable/disable inline inbound IPSEC operation. When enabled packet + * input directs all IPSEC packets automatically to IPSEC inbound + * processing. IPSEC configuration is done through the IPSEC API. + * Packets that are not (recognized as) IPSEC are processed + * according to the packet input configuration. + * + * 0: Disable inbound IPSEC inline operation (default) + * 1: Enable inbound IPSEC inline operation + * + * @see odp_ipsec_config(), odp_ipsec_sa_create() + */ + odp_bool_t inbound_ipsec; + + /** Outbound IPSEC inlined with packet output + * + * Enable/disable inline outbound IPSEC operation. When enabled IPSEC + * outbound processing can send outgoing IPSEC packets directly + * to the pktio interface for output. IPSEC configuration is done + * through the IPSEC API. + * + * Outbound IPSEC inline operation cannot be combined with traffic + * manager (ODP_PKTOUT_MODE_TM). + * + * 0: Disable outbound IPSEC inline operation (default) + * 1: Enable outbound IPSEC inline operation + * + * @see odp_ipsec_config(), odp_ipsec_sa_create() + */ + odp_bool_t outbound_ipsec; + } odp_pktio_config_t; /** -- 2.8.1