1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2010-2016 Intel Corporation
3 * Copyright (C) 2020 Marvell International Ltd.
6 #include <rte_event_eth_tx_adapter.h>
10 #include "event_helper.h"
12 #include "ipsec-secgw.h"
13 #include "ipsec_worker.h"
15 struct port_drv_mode_data {
16 struct rte_security_session *sess;
17 struct rte_security_ctx *ctx;
20 static inline enum pkt_type
21 process_ipsec_get_pkt_type(struct rte_mbuf *pkt, uint8_t **nlp)
23 struct rte_ether_hdr *eth;
24 uint32_t ptype = pkt->packet_type;
26 eth = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
29 if (RTE_ETH_IS_IPV4_HDR(ptype)) {
30 *nlp = RTE_PTR_ADD(eth, RTE_ETHER_HDR_LEN +
31 offsetof(struct ip, ip_p));
32 if ((ptype & RTE_PTYPE_TUNNEL_MASK) == RTE_PTYPE_TUNNEL_ESP)
33 return PKT_TYPE_IPSEC_IPV4;
35 return PKT_TYPE_PLAIN_IPV4;
36 } else if (RTE_ETH_IS_IPV6_HDR(ptype)) {
37 *nlp = RTE_PTR_ADD(eth, RTE_ETHER_HDR_LEN +
38 offsetof(struct ip6_hdr, ip6_nxt));
39 if ((ptype & RTE_PTYPE_TUNNEL_MASK) == RTE_PTYPE_TUNNEL_ESP)
40 return PKT_TYPE_IPSEC_IPV6;
42 return PKT_TYPE_PLAIN_IPV6;
45 /* Unknown/Unsupported type */
46 return PKT_TYPE_INVALID;
50 update_mac_addrs(struct rte_mbuf *pkt, uint16_t portid)
52 struct rte_ether_hdr *ethhdr;
54 ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
55 memcpy(ðhdr->src_addr, ðaddr_tbl[portid].src, RTE_ETHER_ADDR_LEN);
56 memcpy(ðhdr->dst_addr, ðaddr_tbl[portid].dst, RTE_ETHER_ADDR_LEN);
60 ipsec_event_pre_forward(struct rte_mbuf *m, unsigned int port_id)
62 /* Save the destination port in the mbuf */
65 /* Save eth queue for Tx */
66 rte_event_eth_tx_adapter_txq_set(m, 0);
70 prepare_out_sessions_tbl(struct sa_ctx *sa_out,
71 struct port_drv_mode_data *data,
74 struct rte_ipsec_session *pri_sess;
81 for (i = 0; i < sa_out->nb_sa; i++) {
87 pri_sess = ipsec_get_primary_session(sa);
92 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
94 RTE_LOG(ERR, IPSEC, "Invalid session type %d\n",
99 if (sa->portid >= size) {
101 "Port id >= than table size %d, %d\n",
106 /* Use only first inline session found for a given port */
107 if (data[sa->portid].sess)
109 data[sa->portid].sess = pri_sess->security.ses;
110 data[sa->portid].ctx = pri_sess->security.ctx;
115 check_sp(struct sp_ctx *sp, const uint8_t *nlp, uint32_t *sa_idx)
119 if (unlikely(sp == NULL))
122 rte_acl_classify((struct rte_acl_ctx *)sp, &nlp, &res, 1,
123 DEFAULT_MAX_CATEGORIES);
125 if (unlikely(res == DISCARD))
127 else if (res == BYPASS) {
136 static inline uint16_t
137 route4_pkt(struct rte_mbuf *pkt, struct rt_ctx *rt_ctx)
144 offset = RTE_ETHER_HDR_LEN + offsetof(struct ip, ip_dst);
145 dst_ip = *rte_pktmbuf_mtod_offset(pkt, uint32_t *, offset);
146 dst_ip = rte_be_to_cpu_32(dst_ip);
148 ret = rte_lpm_lookup((struct rte_lpm *)rt_ctx, dst_ip, &hop);
156 return RTE_MAX_ETHPORTS;
159 /* TODO: To be tested */
160 static inline uint16_t
161 route6_pkt(struct rte_mbuf *pkt, struct rt_ctx *rt_ctx)
169 offset = RTE_ETHER_HDR_LEN + offsetof(struct ip6_hdr, ip6_dst);
170 ip6_dst = rte_pktmbuf_mtod_offset(pkt, uint8_t *, offset);
171 memcpy(&dst_ip[0], ip6_dst, 16);
173 ret = rte_lpm6_lookup((struct rte_lpm6 *)rt_ctx, dst_ip, &hop);
181 return RTE_MAX_ETHPORTS;
184 static inline uint16_t
185 get_route(struct rte_mbuf *pkt, struct route_table *rt, enum pkt_type type)
187 if (type == PKT_TYPE_PLAIN_IPV4 || type == PKT_TYPE_IPSEC_IPV4)
188 return route4_pkt(pkt, rt->rt4_ctx);
189 else if (type == PKT_TYPE_PLAIN_IPV6 || type == PKT_TYPE_IPSEC_IPV6)
190 return route6_pkt(pkt, rt->rt6_ctx);
192 return RTE_MAX_ETHPORTS;
196 process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
197 struct rte_event *ev)
199 struct ipsec_sa *sa = NULL;
200 struct rte_mbuf *pkt;
201 uint16_t port_id = 0;
206 /* Get pkt from event */
209 /* Check the packet type */
210 type = process_ipsec_get_pkt_type(pkt, &nlp);
213 case PKT_TYPE_PLAIN_IPV4:
214 if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD) {
215 if (unlikely(pkt->ol_flags &
216 PKT_RX_SEC_OFFLOAD_FAILED)) {
218 "Inbound security offload failed\n");
219 goto drop_pkt_and_exit;
221 sa = *(struct ipsec_sa **)rte_security_dynfield(pkt);
224 /* Check if we have a match */
225 if (check_sp(ctx->sp4_ctx, nlp, &sa_idx) == 0) {
227 goto drop_pkt_and_exit;
231 case PKT_TYPE_PLAIN_IPV6:
232 if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD) {
233 if (unlikely(pkt->ol_flags &
234 PKT_RX_SEC_OFFLOAD_FAILED)) {
236 "Inbound security offload failed\n");
237 goto drop_pkt_and_exit;
239 sa = *(struct ipsec_sa **)rte_security_dynfield(pkt);
242 /* Check if we have a match */
243 if (check_sp(ctx->sp6_ctx, nlp, &sa_idx) == 0) {
245 goto drop_pkt_and_exit;
250 RTE_LOG(ERR, IPSEC, "Unsupported packet type = %d\n", type);
251 goto drop_pkt_and_exit;
254 /* Check if the packet has to be bypassed */
255 if (sa_idx == BYPASS)
256 goto route_and_send_pkt;
258 /* Validate sa_idx */
259 if (sa_idx >= ctx->sa_ctx->nb_sa)
260 goto drop_pkt_and_exit;
262 /* Else the packet has to be protected with SA */
264 /* If the packet was IPsec processed, then SA pointer should be set */
266 goto drop_pkt_and_exit;
268 /* SPI on the packet should match with the one in SA */
269 if (unlikely(sa->spi != ctx->sa_ctx->sa[sa_idx].spi))
270 goto drop_pkt_and_exit;
273 port_id = get_route(pkt, rt, type);
274 if (unlikely(port_id == RTE_MAX_ETHPORTS)) {
276 goto drop_pkt_and_exit;
278 /* else, we have a matching route */
280 /* Update mac addresses */
281 update_mac_addrs(pkt, port_id);
283 /* Update the event with the dest port */
284 ipsec_event_pre_forward(pkt, port_id);
285 return PKT_FORWARDED;
288 RTE_LOG(ERR, IPSEC, "Inbound packet dropped\n");
289 rte_pktmbuf_free(pkt);
295 process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
296 struct rte_event *ev)
298 struct rte_ipsec_session *sess;
299 struct sa_ctx *sa_ctx;
300 struct rte_mbuf *pkt;
301 uint16_t port_id = 0;
307 /* Get pkt from event */
310 /* Check the packet type */
311 type = process_ipsec_get_pkt_type(pkt, &nlp);
314 case PKT_TYPE_PLAIN_IPV4:
315 /* Check if we have a match */
316 if (check_sp(ctx->sp4_ctx, nlp, &sa_idx) == 0) {
318 goto drop_pkt_and_exit;
321 case PKT_TYPE_PLAIN_IPV6:
322 /* Check if we have a match */
323 if (check_sp(ctx->sp6_ctx, nlp, &sa_idx) == 0) {
325 goto drop_pkt_and_exit;
330 * Only plain IPv4 & IPv6 packets are allowed
331 * on protected port. Drop the rest.
333 RTE_LOG(ERR, IPSEC, "Unsupported packet type = %d\n", type);
334 goto drop_pkt_and_exit;
337 /* Check if the packet has to be bypassed */
338 if (sa_idx == BYPASS) {
339 port_id = get_route(pkt, rt, type);
340 if (unlikely(port_id == RTE_MAX_ETHPORTS)) {
342 goto drop_pkt_and_exit;
344 /* else, we have a matching route */
348 /* Validate sa_idx */
349 if (unlikely(sa_idx >= ctx->sa_ctx->nb_sa))
350 goto drop_pkt_and_exit;
352 /* Else the packet has to be protected */
355 sa_ctx = ctx->sa_ctx;
358 sa = &(sa_ctx->sa[sa_idx]);
360 /* Get IPsec session */
361 sess = ipsec_get_primary_session(sa);
363 /* Allow only inline protocol for now */
364 if (unlikely(sess->type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)) {
365 RTE_LOG(ERR, IPSEC, "SA type not supported\n");
366 goto drop_pkt_and_exit;
369 rte_security_set_pkt_metadata(sess->security.ctx,
370 sess->security.ses, pkt, NULL);
372 /* Mark the packet for Tx security offload */
373 pkt->ol_flags |= PKT_TX_SEC_OFFLOAD;
375 /* Get the port to which this pkt need to be submitted */
376 port_id = sa->portid;
379 /* Provide L2 len for Outbound processing */
380 pkt->l2_len = RTE_ETHER_HDR_LEN;
382 /* Update mac addresses */
383 update_mac_addrs(pkt, port_id);
385 /* Update the event with the dest port */
386 ipsec_event_pre_forward(pkt, port_id);
387 return PKT_FORWARDED;
390 RTE_LOG(ERR, IPSEC, "Outbound packet dropped\n");
391 rte_pktmbuf_free(pkt);
397 * Event mode exposes various operating modes depending on the
398 * capabilities of the event device and the operating mode
402 /* Workers registered */
403 #define IPSEC_EVENTMODE_WORKERS 2
407 * Operating parameters : non-burst - Tx internal port - driver mode
410 ipsec_wrkr_non_burst_int_port_drv_mode(struct eh_event_link_info *links,
413 struct port_drv_mode_data data[RTE_MAX_ETHPORTS];
414 unsigned int nb_rx = 0;
415 struct rte_mbuf *pkt;
421 /* Check if we have links registered for this lcore */
423 /* No links registered - exit */
427 memset(&data, 0, sizeof(struct port_drv_mode_data));
430 lcore_id = rte_lcore_id();
433 socket_id = rte_lcore_to_socket_id(lcore_id);
436 * Prepare security sessions table. In outbound driver mode
437 * we always use first session configured for a given port
439 prepare_out_sessions_tbl(socket_ctx[socket_id].sa_out, data,
443 "Launching event mode worker (non-burst - Tx internal port - "
444 "driver mode) on lcore %d\n", lcore_id);
446 /* We have valid links */
448 /* Check if it's single link */
451 "Multiple links not supported. Using first link\n");
454 RTE_LOG(INFO, IPSEC, " -- lcoreid=%u event_port_id=%u\n", lcore_id,
455 links[0].event_port_id);
456 while (!force_quit) {
457 /* Read packet from event queues */
458 nb_rx = rte_event_dequeue_burst(links[0].eventdev_id,
459 links[0].event_port_id,
462 0 /* timeout_ticks */);
470 rte_prefetch0(rte_pktmbuf_mtod(pkt, void *));
473 ipsec_event_pre_forward(pkt, port_id);
475 if (!is_unprotected_port(port_id)) {
477 if (unlikely(!data[port_id].sess)) {
478 rte_pktmbuf_free(pkt);
482 /* Save security session */
483 rte_security_set_pkt_metadata(data[port_id].ctx,
484 data[port_id].sess, pkt,
487 /* Mark the packet for Tx security offload */
488 pkt->ol_flags |= PKT_TX_SEC_OFFLOAD;
490 /* Provide L2 len for Outbound processing */
491 pkt->l2_len = RTE_ETHER_HDR_LEN;
495 * Since tx internal port is available, events can be
496 * directly enqueued to the adapter and it would be
497 * internally submitted to the eth device.
499 rte_event_eth_tx_adapter_enqueue(links[0].eventdev_id,
500 links[0].event_port_id,
509 * Operating parameters : non-burst - Tx internal port - app mode
512 ipsec_wrkr_non_burst_int_port_app_mode(struct eh_event_link_info *links,
515 struct lcore_conf_ev_tx_int_port_wrkr lconf;
516 unsigned int nb_rx = 0;
522 /* Check if we have links registered for this lcore */
524 /* No links registered - exit */
528 /* We have valid links */
531 lcore_id = rte_lcore_id();
534 socket_id = rte_lcore_to_socket_id(lcore_id);
536 /* Save routing table */
537 lconf.rt.rt4_ctx = socket_ctx[socket_id].rt_ip4;
538 lconf.rt.rt6_ctx = socket_ctx[socket_id].rt_ip6;
539 lconf.inbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_in;
540 lconf.inbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_in;
541 lconf.inbound.sa_ctx = socket_ctx[socket_id].sa_in;
542 lconf.inbound.session_pool = socket_ctx[socket_id].session_pool;
543 lconf.inbound.session_priv_pool =
544 socket_ctx[socket_id].session_priv_pool;
545 lconf.outbound.sp4_ctx = socket_ctx[socket_id].sp_ip4_out;
546 lconf.outbound.sp6_ctx = socket_ctx[socket_id].sp_ip6_out;
547 lconf.outbound.sa_ctx = socket_ctx[socket_id].sa_out;
548 lconf.outbound.session_pool = socket_ctx[socket_id].session_pool;
549 lconf.outbound.session_priv_pool =
550 socket_ctx[socket_id].session_priv_pool;
553 "Launching event mode worker (non-burst - Tx internal port - "
554 "app mode) on lcore %d\n", lcore_id);
556 /* Check if it's single link */
559 "Multiple links not supported. Using first link\n");
562 RTE_LOG(INFO, IPSEC, " -- lcoreid=%u event_port_id=%u\n", lcore_id,
563 links[0].event_port_id);
565 while (!force_quit) {
566 /* Read packet from event queues */
567 nb_rx = rte_event_dequeue_burst(links[0].eventdev_id,
568 links[0].event_port_id,
571 0 /* timeout_ticks */);
576 if (unlikely(ev.event_type != RTE_EVENT_TYPE_ETHDEV)) {
577 RTE_LOG(ERR, IPSEC, "Invalid event type %u",
583 if (is_unprotected_port(ev.mbuf->port))
584 ret = process_ipsec_ev_inbound(&lconf.inbound,
587 ret = process_ipsec_ev_outbound(&lconf.outbound,
590 /* The pkt has been dropped */
594 * Since tx internal port is available, events can be
595 * directly enqueued to the adapter and it would be
596 * internally submitted to the eth device.
598 rte_event_eth_tx_adapter_enqueue(links[0].eventdev_id,
599 links[0].event_port_id,
607 ipsec_eventmode_populate_wrkr_params(struct eh_app_worker_params *wrkrs)
609 struct eh_app_worker_params *wrkr;
610 uint8_t nb_wrkr_param = 0;
615 /* Non-burst - Tx internal port - driver mode */
616 wrkr->cap.burst = EH_RX_TYPE_NON_BURST;
617 wrkr->cap.tx_internal_port = EH_TX_TYPE_INTERNAL_PORT;
618 wrkr->cap.ipsec_mode = EH_IPSEC_MODE_TYPE_DRIVER;
619 wrkr->worker_thread = ipsec_wrkr_non_burst_int_port_drv_mode;
623 /* Non-burst - Tx internal port - app mode */
624 wrkr->cap.burst = EH_RX_TYPE_NON_BURST;
625 wrkr->cap.tx_internal_port = EH_TX_TYPE_INTERNAL_PORT;
626 wrkr->cap.ipsec_mode = EH_IPSEC_MODE_TYPE_APP;
627 wrkr->worker_thread = ipsec_wrkr_non_burst_int_port_app_mode;
630 return nb_wrkr_param;
634 ipsec_eventmode_worker(struct eh_conf *conf)
636 struct eh_app_worker_params ipsec_wrkr[IPSEC_EVENTMODE_WORKERS] = {
638 uint8_t nb_wrkr_param;
640 /* Populate l2fwd_wrkr params */
641 nb_wrkr_param = ipsec_eventmode_populate_wrkr_params(ipsec_wrkr);
644 * Launch correct worker after checking
645 * the event device's capabilities.
647 eh_launch_worker(conf, ipsec_wrkr, nb_wrkr_param);
650 int ipsec_launch_one_lcore(void *args)
652 struct eh_conf *conf;
654 conf = (struct eh_conf *)args;
656 if (conf->mode == EH_PKT_TRANSFER_MODE_POLL) {
657 /* Run in poll mode */
658 ipsec_poll_mode_worker();
659 } else if (conf->mode == EH_PKT_TRANSFER_MODE_EVENT) {
660 /* Run in event mode */
661 ipsec_eventmode_worker(conf);
git.droids-corp.org / dpdk.git / blob