From 60fb11ff0564649c8f2771cf646aada278f00417 Mon Sep 17 00:00:00 2001 From: Boris Pismenny Date: Wed, 25 Oct 2017 20:37:22 +0530 Subject: [PATCH] ethdev: add flow action for crypto The crypto action is specified by an application to request crypto offload for a flow. Signed-off-by: Boris Pismenny Signed-off-by: Aviad Yehezkel Reviewed-by: John McNamara Acked-by: John McNamara --- doc/guides/prog_guide/rte_flow.rst | 84 +++++++++++++++++++++++++++++- lib/librte_ether/rte_flow.h | 39 ++++++++++++++ 2 files changed, 121 insertions(+), 2 deletions(-) diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst index bcb438ed48..d158be5e42 100644 --- a/doc/guides/prog_guide/rte_flow.rst +++ b/doc/guides/prog_guide/rte_flow.rst @@ -187,7 +187,7 @@ Pattern item Pattern items fall in two categories: - Matching protocol headers and packet data (ANY, RAW, ETH, VLAN, IPV4, - IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE and so on), usually + IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE, ESP and so on), usually associated with a specification structure. - Matching meta-data or affecting pattern processing (END, VOID, INVERT, PF, @@ -972,6 +972,14 @@ flow rules. - ``teid``: tunnel endpoint identifier. - Default ``mask`` matches teid only. +Item: ``ESP`` +^^^^^^^^^^^^^ + +Matches an ESP header. + +- ``hdr``: ESP header definition (``rte_esp.h``). +- Default ``mask`` matches SPI only. + Actions ~~~~~~~ @@ -989,7 +997,7 @@ They fall in three categories: additional processing by subsequent flow rules. - Other non-terminating meta actions that do not affect the fate of packets - (END, VOID, MARK, FLAG, COUNT). + (END, VOID, MARK, FLAG, COUNT, SECURITY). When several actions are combined in a flow rule, they should all have different types (e.g. dropping a packet twice is not possible). @@ -1394,6 +1402,78 @@ the rte_mtr* API. | ``mtr_id`` | MTR object ID | +--------------+---------------+ +Action: ``SECURITY`` +^^^^^^^^^^^^^^^^^^^^ + +Perform the security action on flows matched by the pattern items +according to the configuration of the security session. + +This action modifies the payload of matched flows. For INLINE_CRYPTO, the +security protocol headers and IV are fully provided by the application as +specified in the flow pattern. The payload of matching packets is +encrypted on egress, and decrypted and authenticated on ingress. +For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, +providing full encapsulation and decapsulation of packets in security +protocols. The flow pattern specifies both the outer security header fields +and the inner packet fields. The security session specified in the action +must match the pattern parameters. + +The security session specified in the action must be created on the same +port as the flow action that is being specified. + +The ingress/egress flow attribute should match that specified in the +security session if the security session supports the definition of the +direction. + +Multiple flows can be configured to use the same security session. + +- Non-terminating by default. + +.. _table_rte_flow_action_security: + +.. table:: SECURITY + + +----------------------+--------------------------------------+ + | Field | Value | + +======================+======================================+ + | ``security_session`` | security session to apply | + +----------------------+--------------------------------------+ + +The following is an example of configuring IPsec inline using the +INLINE_CRYPTO security session: + +The encryption algorithm, keys and salt are part of the opaque +``rte_security_session``. The SA is identified according to the IP and ESP +fields in the pattern items. + +.. _table_rte_flow_item_esp_inline_example: + +.. table:: IPsec inline crypto flow pattern items. + + +-------+----------+ + | Index | Item | + +=======+==========+ + | 0 | Ethernet | + +-------+----------+ + | 1 | IPv4 | + +-------+----------+ + | 2 | ESP | + +-------+----------+ + | 3 | END | + +-------+----------+ + +.. _table_rte_flow_action_esp_inline_example: + +.. table:: IPsec inline flow actions. + + +-------+----------+ + | Index | Action | + +=======+==========+ + | 0 | SECURITY | + +-------+----------+ + | 1 | END | + +-------+----------+ + Negative types ~~~~~~~~~~~~~~ diff --git a/lib/librte_ether/rte_flow.h b/lib/librte_ether/rte_flow.h index bd8274dc2f..47c88ea520 100644 --- a/lib/librte_ether/rte_flow.h +++ b/lib/librte_ether/rte_flow.h @@ -1001,6 +1001,14 @@ enum rte_flow_action_type { * See file rte_mtr.h for MTR object configuration. */ RTE_FLOW_ACTION_TYPE_METER, + + /** + * Redirects packets to security engine of current device for security + * processing as specified by security session. + * + * See struct rte_flow_action_security. + */ + RTE_FLOW_ACTION_TYPE_SECURITY }; /** @@ -1107,6 +1115,37 @@ struct rte_flow_action_meter { uint32_t mtr_id; /**< MTR object ID created with rte_mtr_create(). */ }; +/** + * RTE_FLOW_ACTION_TYPE_SECURITY + * + * Perform the security action on flows matched by the pattern items + * according to the configuration of the security session. + * + * This action modifies the payload of matched flows. For INLINE_CRYPTO, the + * security protocol headers and IV are fully provided by the application as + * specified in the flow pattern. The payload of matching packets is + * encrypted on egress, and decrypted and authenticated on ingress. + * For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, + * providing full encapsulation and decapsulation of packets in security + * protocols. The flow pattern specifies both the outer security header fields + * and the inner packet fields. The security session specified in the action + * must match the pattern parameters. + * + * The security session specified in the action must be created on the same + * port as the flow action that is being specified. + * + * The ingress/egress flow attribute should match that specified in the + * security session if the security session supports the definition of the + * direction. + * + * Multiple flows can be configured to use the same security session. + * + * Non-terminating by default. + */ +struct rte_flow_action_security { + void *security_session; /**< Pointer to security session structure. */ +}; + /** * Definition of a single action. * -- 2.20.1