protocol use case, the worker thread resembles l2fwd worker thread as the IPsec
processing is done entirely in HW. This mode can be used to benchmark the raw
performance of the HW. The driver submode is selected with --single-sa option
- (used also by poll mode). When --single-sa option is used in conjution with event
+ (used also by poll mode). When --single-sa option is used in conjunction with event
mode then index passed to --single-sa is ignored.
* App submode: This submode has all the features currently implemented with the
device will ensure the ordering. Ordering will be lost when tried in PARALLEL.
* ``--rxoffload MASK``: RX HW offload capabilities to enable/use on this port
- (bitmask of DEV_RX_OFFLOAD_* values). It is an optional parameter and
+ (bitmask of RTE_ETH_RX_OFFLOAD_* values). It is an optional parameter and
allows user to disable some of the RX HW offload capabilities.
By default all HW RX offloads are enabled.
* ``--txoffload MASK``: TX HW offload capabilities to enable/use on this port
- (bitmask of DEV_TX_OFFLOAD_* values). It is an optional parameter and
+ (bitmask of RTE_ETH_TX_OFFLOAD_* values). It is an optional parameter and
allows user to disable some of the TX HW offload capabilities.
By default all HW TX offloads are enabled.
and software crypto devices are detected, hardware devices will be used.
A way to achieve the case where you want to force the use of virtual crypto
-devices is to whitelist the Ethernet devices needed and therefore implicitly
-blacklisting all hardware crypto devices.
+devices is to only use the Ethernet devices needed (via the allow flag)
+and therefore implicitly blocking all hardware crypto devices.
For example, something like the following command line:
.. code-block:: console
./<build_dir>/examples/dpdk-ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 \
- -w 81:00.0 -w 81:00.1 -w 81:00.2 -w 81:00.3 \
+ -a 81:00.0 -a 81:00.1 -a 81:00.2 -a 81:00.3 \
--vdev "crypto_aesni_mb" --vdev "crypto_null" \
-- \
-p 0xf -P -u 0x3 --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" \
sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
<mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
- <flow-direction> <port_id> <queue_id>
+ <flow-direction> <port_id> <queue_id> <udp-encap>
where each options means:
* *port_id*: Port ID of the NIC for which the SA is configured.
* *queue_id*: Queue ID to which traffic should be redirected.
+ ``<udp-encap>``
+
+ * Option to enable IPsec UDP encapsulation for NAT Traversal.
+ Only *lookaside-protocol-offload* mode is supported at the moment.
+
+ * Optional: Yes, it is disabled by default
+
+ * Syntax:
+
+ * *udp-encap*
+
Example SA rules:
.. code-block:: console
* ``REMOTE_IFACE``: interface name for the test-port on the DUT.
-* ``ETH_DEV``: ethernet device to be used on the SUT by DPDK ('-w <pci-id>')
+* ``ETH_DEV``: ethernet device to be used on the SUT by DPDK ('-a <pci-id>')
Also the user can optionally setup:
* ``SGW_LCORE``: lcore to run ipsec-secgw on (default value is 0)
-* ``CRYPTO_DEV``: crypto device to be used ('-w <pci-id>'). If none specified
+* ``CRYPTO_DEV``: crypto device to be used ('-a <pci-id>'). If none specified
appropriate vdevs will be created by the script
Scripts can be used for multiple test scenarios. To check all available
* ``-h`` Show usage.
If <ipsec_mode> is specified, only tests for that mode will be invoked. For the
-list of available modes please refer to run_test.sh.
\ No newline at end of file
+list of available modes please refer to run_test.sh.