/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright (C) 2020 Marvell International Ltd.
 */
#ifndef _IPSEC_WORKER_H_
#define _IPSEC_WORKER_H_

#include <rte_acl.h>
#include <rte_ethdev.h>
#include <rte_lpm.h>
#include <rte_lpm6.h>

#include "ipsec.h"

/* Configure how many packets ahead to prefetch, when reading packets */
#define PREFETCH_OFFSET 3
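
/*
 * Note: prepare_traffic() below prefetches the mbuf data of packet
 * i + PREFETCH_OFFSET while packet i is being parsed, so header reads
 * mostly hit a warm cache line; the trailing loop simply handles the
 * last PREFETCH_OFFSET packets (and bursts shorter than the offset).
 */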

enum pkt_type {
	PKT_TYPE_PLAIN_IPV4 = 1,
	PKT_TYPE_IPSEC_IPV4,
	PKT_TYPE_PLAIN_IPV6,
	PKT_TYPE_IPSEC_IPV6,
	PKT_TYPE_INVALID
};

enum {
	PKT_DROPPED = 0,
	PKT_FORWARDED,
	PKT_POSTED /* for lookaside case */
};

struct route_table {
	struct rt_ctx *rt4_ctx;
	struct rt_ctx *rt6_ctx;
};

/*
 * Conf required by event mode worker with tx internal port
 */
struct lcore_conf_ev_tx_int_port_wrkr {
	struct ipsec_ctx inbound;
	struct ipsec_ctx outbound;
	struct route_table rt;
} __rte_cache_aligned;

void ipsec_poll_mode_worker(void);

int ipsec_launch_one_lcore(void *args);
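
/*
 * Typically launched on all worker lcores from main(); a minimal sketch,
 * assuming an event-helper conf object named eh_conf as in ipsec-secgw:
 *
 *	rte_eal_mp_remote_launch(ipsec_launch_one_lcore, eh_conf, CALL_MAIN);
 */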

/*
 * Helper routine for inline and cpu (synchronous) processing:
 * it exists only to satisfy inbound_sa_check() and get_hop_for_offload_pkt()
 * and should be removed in the future.
 */
static inline void
prep_process_group(void *sa, struct rte_mbuf *mb[], uint32_t cnt)
{
	uint32_t j;
	struct ipsec_mbuf_metadata *priv;

	for (j = 0; j != cnt; j++) {
		priv = get_priv(mb[j]);
		priv->sa = sa;
		/* setup TSO related fields if TSO is enabled */
		if (priv->sa->mss) {
			uint32_t ptype = mb[j]->packet_type;
			/* only TCP is supported */
			if ((ptype & RTE_PTYPE_L4_MASK) == RTE_PTYPE_L4_TCP) {
				mb[j]->tso_segsz = priv->sa->mss;
				if (IS_TUNNEL(priv->sa->flags)) {
					mb[j]->outer_l3_len = mb[j]->l3_len;
					mb[j]->outer_l2_len = mb[j]->l2_len;
					mb[j]->ol_flags |=
						RTE_MBUF_F_TX_TUNNEL_ESP;
					if (RTE_ETH_IS_IPV4_HDR(ptype))
						mb[j]->ol_flags |=
						RTE_MBUF_F_TX_OUTER_IP_CKSUM;
				}
				mb[j]->l4_len = sizeof(struct rte_tcp_hdr);
				mb[j]->ol_flags |= (RTE_MBUF_F_TX_TCP_SEG |
						RTE_MBUF_F_TX_TCP_CKSUM);
				if (RTE_ETH_IS_IPV4_HDR(ptype))
					mb[j]->ol_flags |=
						RTE_MBUF_F_TX_OUTER_IPV4;
				else
					mb[j]->ol_flags |=
						RTE_MBUF_F_TX_OUTER_IPV6;
			}
		}
	}
}
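
/*
 * Usage note (a sketch of the intended call pattern, not a requirement):
 * callers group an already-classified burst by SA and invoke
 * prep_process_group(sa, grp, cnt) once per group, so that every mbuf's
 * private area carries the SA pointer later consumed by inbound_sa_check()
 * and get_hop_for_offload_pkt().
 */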

static inline void
adjust_ipv4_pktlen(struct rte_mbuf *m, const struct rte_ipv4_hdr *iph,
	uint32_t l2_len)
{
	uint32_t plen, trim;

	/* Trim any L2 padding that extends past the IP datagram length */
	plen = rte_be_to_cpu_16(iph->total_length) + l2_len;
	if (plen < m->pkt_len) {
		trim = m->pkt_len - plen;
		rte_pktmbuf_trim(m, trim);
	}
}

static inline void
adjust_ipv6_pktlen(struct rte_mbuf *m, const struct rte_ipv6_hdr *iph,
	uint32_t l2_len)
{
	uint32_t plen, trim;

	plen = rte_be_to_cpu_16(iph->payload_len) + sizeof(*iph) + l2_len;
	if (plen < m->pkt_len) {
		trim = m->pkt_len - plen;
		rte_pktmbuf_trim(m, trim);
	}
}

static inline void
prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
{
	uint32_t ptype = pkt->packet_type;
	const struct rte_ether_hdr *eth;
	const struct rte_ipv4_hdr *iph4;
	const struct rte_ipv6_hdr *iph6;
	uint32_t tun_type, l3_type;
	uint64_t tx_offload;
	uint16_t l3len;

	tun_type = ptype & RTE_PTYPE_TUNNEL_MASK;
	l3_type = ptype & RTE_PTYPE_L3_MASK;

	eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
	if (RTE_ETH_IS_IPV4_HDR(l3_type)) {
		iph4 = (const struct rte_ipv4_hdr *)rte_pktmbuf_adj(pkt,
			RTE_ETHER_HDR_LEN);
		adjust_ipv4_pktlen(pkt, iph4, 0);

		if (tun_type == RTE_PTYPE_TUNNEL_ESP) {
			t->ipsec.pkts[(t->ipsec.num)++] = pkt;
		} else {
			t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
			t->ip4.pkts[(t->ip4.num)++] = pkt;
		}
		tx_offload = sizeof(*iph4) << RTE_MBUF_L2_LEN_BITS;
	} else if (RTE_ETH_IS_IPV6_HDR(l3_type)) {
		int next_proto;
		size_t ext_len;
		uint8_t *p;

		/* get protocol type */
		iph6 = (const struct rte_ipv6_hdr *)rte_pktmbuf_adj(pkt,
			RTE_ETHER_HDR_LEN);
		adjust_ipv6_pktlen(pkt, iph6, 0);

		l3len = sizeof(struct ip6_hdr);

		if (tun_type == RTE_PTYPE_TUNNEL_ESP) {
			t->ipsec.pkts[(t->ipsec.num)++] = pkt;
		} else {
			t->ip6.data[t->ip6.num] = &iph6->proto;
			t->ip6.pkts[(t->ip6.num)++] = pkt;
		}

		/* Determine l3 header size up to ESP extension by walking
		 * through extension headers.
		 */
		if (l3_type == RTE_PTYPE_L3_IPV6_EXT ||
		    l3_type == RTE_PTYPE_L3_IPV6_EXT_UNKNOWN) {
			p = rte_pktmbuf_mtod(pkt, uint8_t *);
			next_proto = iph6->proto;
			while (next_proto != IPPROTO_ESP &&
			       l3len < pkt->data_len &&
			       (next_proto = rte_ipv6_get_next_ext(p + l3len,
						next_proto, &ext_len)) >= 0)
				l3len += ext_len;

			/* Drop pkt when IPv6 header exceeds first seg size */
			if (unlikely(l3len > pkt->data_len)) {
				free_pkts(&pkt, 1);
				return;
			}
		}
		tx_offload = l3len << RTE_MBUF_L2_LEN_BITS;
	} else {
		/* Unknown/unsupported type, drop the packet */
		RTE_LOG(ERR, IPSEC, "Unsupported packet type 0x%x\n",
			rte_be_to_cpu_16(eth->ether_type));
		free_pkts(&pkt, 1);
		return;
	}
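
	/*
	 * mbuf tx_offload is a packed bit-field (l2_len, then l3_len, then
	 * l4_len, ...). The L3 size was stored above at the l3_len position
	 * (shifted by RTE_MBUF_L2_LEN_BITS, l2_len stays 0 since the L2
	 * header was stripped); the L4 header size is now OR'ed into the
	 * l4_len position.
	 */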
	if ((ptype & RTE_PTYPE_L4_MASK) == RTE_PTYPE_L4_TCP)
		tx_offload |= (sizeof(struct rte_tcp_hdr) <<
			       (RTE_MBUF_L2_LEN_BITS + RTE_MBUF_L3_LEN_BITS));
	else if ((ptype & RTE_PTYPE_L4_MASK) == RTE_PTYPE_L4_UDP)
		tx_offload |= (sizeof(struct rte_udp_hdr) <<
			       (RTE_MBUF_L2_LEN_BITS + RTE_MBUF_L3_LEN_BITS));
	pkt->tx_offload = tx_offload;

	/* Check if the packet has been processed inline. For inline protocol
	 * processed packets, the metadata in the mbuf can be used to identify
	 * the security processing done on the packet. The metadata will be
	 * used to retrieve the application registered userdata associated
	 * with the security session.
	 */

	if (pkt->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD &&
			rte_security_dynfield_is_registered()) {
		struct ipsec_sa *sa;
		struct ipsec_mbuf_metadata *priv;
		struct rte_security_ctx *ctx = (struct rte_security_ctx *)
						rte_eth_dev_get_sec_ctx(
						pkt->port);

		/* Retrieve the userdata registered. Here, the userdata
		 * registered is the SA pointer.
		 */
		sa = (struct ipsec_sa *)rte_security_get_userdata(ctx,
				*rte_security_dynfield(pkt));
		if (sa == NULL) {
			/* userdata could not be retrieved */
			return;
		}

		/* Save SA as priv member in mbuf. This will be used in the
		 * IPsec selector (SP-SA) check.
		 */
		priv = get_priv(pkt);
		priv->sa = sa;
	}
}

static inline void
prepare_traffic(struct rte_mbuf **pkts, struct ipsec_traffic *t,
		uint16_t nb_pkts)
{
	int32_t i;

	t->ipsec.num = 0;
	t->ip4.num = 0;
	t->ip6.num = 0;

	for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
		rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
					void *));
		prepare_one_packet(pkts[i], t);
	}
	/* Process the remaining packets */
	for (; i < nb_pkts; i++)
		prepare_one_packet(pkts[i], t);
}

static inline void
prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port,
		const struct lcore_conf *qconf)
{
	struct ip *ip;
	struct rte_ether_hdr *ethhdr;

	ip = rte_pktmbuf_mtod(pkt, struct ip *);

	ethhdr = (struct rte_ether_hdr *)
		rte_pktmbuf_prepend(pkt, RTE_ETHER_HDR_LEN);

	if (ip->ip_v == IPVERSION) {
		pkt->ol_flags |= qconf->outbound.ipv4_offloads;
		pkt->l3_len = sizeof(struct ip);
		pkt->l2_len = RTE_ETHER_HDR_LEN;

		ip->ip_sum = 0;

		/* calculate IPv4 cksum in SW */
		if ((pkt->ol_flags & RTE_MBUF_F_TX_IP_CKSUM) == 0)
			ip->ip_sum = rte_ipv4_cksum((struct rte_ipv4_hdr *)ip);

		ethhdr->ether_type = rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
	} else {
		pkt->ol_flags |= qconf->outbound.ipv6_offloads;
		pkt->l3_len = sizeof(struct ip6_hdr);
		pkt->l2_len = RTE_ETHER_HDR_LEN;

		ethhdr->ether_type = rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
	}

	memcpy(&ethhdr->src_addr, &ethaddr_tbl[port].src,
			sizeof(struct rte_ether_addr));
	memcpy(&ethhdr->dst_addr, &ethaddr_tbl[port].dst,
			sizeof(struct rte_ether_addr));
}

static inline void
prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint16_t port,
		const struct lcore_conf *qconf)
{
	int32_t i;
	const int32_t prefetch_offset = 2;

	for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
		rte_mbuf_prefetch_part2(pkts[i + prefetch_offset]);
		prepare_tx_pkt(pkts[i], port, qconf);
	}
	/* Process the remaining packets */
	for (; i < nb_pkts; i++)
		prepare_tx_pkt(pkts[i], port, qconf);
}

/* Send burst of packets on an output interface */
static inline int32_t
send_burst(struct lcore_conf *qconf, uint16_t n, uint16_t port)
{
	struct rte_mbuf **m_table;
	int32_t ret;
	uint16_t queueid;

	queueid = qconf->tx_queue_id[port];
	m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;

	prepare_tx_burst(m_table, n, port, qconf);

	ret = rte_eth_tx_burst(port, queueid, m_table, n);

	core_stats_update_tx(ret);

	/* packets the NIC did not accept are dropped, not retried */
	if (unlikely(ret < n)) {
		do {
			free_pkts(&m_table[ret], 1);
		} while (++ret < n);
	}

	return 0;
}

/*
 * Helper function to fragment and queue for TX one packet.
 */
static inline uint32_t
send_fragment_packet(struct lcore_conf *qconf, struct rte_mbuf *m,
	uint16_t port, uint8_t proto)
{
	struct buffer *tbl;
	uint32_t len, n;
	int32_t rc;

	tbl = qconf->tx_mbufs + port;
	len = tbl->len;

	/* free space for new fragments */
	if (len + RTE_LIBRTE_IP_FRAG_MAX_FRAG >= RTE_DIM(tbl->m_table)) {
		send_burst(qconf, len, port);
		len = 0;
	}

	n = RTE_DIM(tbl->m_table) - len;

	if (proto == IPPROTO_IP)
		rc = rte_ipv4_fragment_packet(m, tbl->m_table + len,
			n, mtu_size, m->pool, qconf->frag.pool_indir);
	else
		rc = rte_ipv6_fragment_packet(m, tbl->m_table + len,
			n, mtu_size, m->pool, qconf->frag.pool_indir);

	if (rc >= 0)
		len += rc;
	else
		RTE_LOG(ERR, IPSEC,
			"%s: failed to fragment packet with size %u, "
			"error code: %d\n",
			__func__, m->pkt_len, rte_errno);

	/* the original mbuf is always freed; fragments reference its data */
	free_pkts(&m, 1);
	return len;
}

/* Enqueue a single packet, and send burst if queue is filled */
static inline int32_t
send_single_packet(struct rte_mbuf *m, uint16_t port, uint8_t proto)
{
	uint32_t lcore_id;
	uint16_t len;
	struct lcore_conf *qconf;

	lcore_id = rte_lcore_id();

	qconf = &lcore_conf[lcore_id];
	len = qconf->tx_mbufs[port].len;

	if (m->pkt_len <= mtu_size) {
		qconf->tx_mbufs[port].m_table[len] = m;
		len++;

	/* need to fragment the packet */
	} else if (frag_tbl_sz > 0)
		len = send_fragment_packet(qconf, m, port, proto);
	else
		free_pkts(&m, 1);

	/* enough pkts to be sent */
	if (unlikely(len == MAX_PKT_BURST)) {
		send_burst(qconf, MAX_PKT_BURST, port);
		len = 0;
	}

	qconf->tx_mbufs[port].len = len;
	return 0;
}
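
/*
 * TX path overview (as wired up in this file): workers call
 * send_single_packet(), which buffers mbufs per output port; a buffer is
 * flushed through send_burst() once MAX_PKT_BURST packets accumulate,
 * oversized packets are diverted through send_fragment_packet(), and
 * drain_tx_buffers() below flushes whatever is left between polls.
 */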

static inline void
inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip,
		uint16_t lim, struct ipsec_spd_stats *stats)
{
	struct rte_mbuf *m;
	uint32_t i, j, res, sa_idx;

	if (ip->num == 0 || sp == NULL)
		return;

	rte_acl_classify((struct rte_acl_ctx *)sp, ip->data, ip->res,
			ip->num, DEFAULT_MAX_CATEGORIES);

	j = 0;
	for (i = 0; i < ip->num; i++) {
		m = ip->pkts[i];
		res = ip->res[i];
		if (res == BYPASS) {
			ip->pkts[j++] = m;
			stats->bypass++;
			continue;
		}
		if (res == DISCARD) {
			free_pkts(&m, 1);
			stats->discard++;
			continue;
		}

		/* Only check SPI match for processed IPsec packets */
		if (i < lim && ((m->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD) == 0)) {
			stats->discard++;
			free_pkts(&m, 1);
			continue;
		}

		sa_idx = res - 1;
		if (!inbound_sa_check(sa, m, sa_idx)) {
			stats->discard++;
			free_pkts(&m, 1);
			continue;
		}
		ip->pkts[j++] = m;
		stats->protect++;
	}
	ip->num = j;
}

static inline int32_t
get_hop_for_offload_pkt(struct rte_mbuf *pkt, int is_ipv6)
{
	struct ipsec_mbuf_metadata *priv;
	struct ipsec_sa *sa;

	priv = get_priv(pkt);

	sa = priv->sa;
	if (unlikely(sa == NULL)) {
		RTE_LOG(ERR, IPSEC, "SA not saved in private data\n");
		goto fail;
	}

	if (is_ipv6)
		return sa->portid;

	/* else */
	return (sa->portid | RTE_LPM_LOOKUP_SUCCESS);

fail:
	if (is_ipv6)
		return -1;

	/* else */
	return 0;
}
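
/*
 * Hop values mirror what the LPM lookups produce, so both sources can be
 * handled uniformly below: the egress port sits in the low byte; for IPv4
 * a valid hop also carries RTE_LPM_LOOKUP_SUCCESS, while for IPv6 a
 * negative value marks a miss.
 */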

static inline void
route4_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
{
	uint32_t hop[MAX_PKT_BURST * 2];
	uint32_t dst_ip[MAX_PKT_BURST * 2];
	int32_t pkt_hop = 0;
	uint16_t i, offset;
	uint16_t lpm_pkts = 0;
	unsigned int lcoreid = rte_lcore_id();

	if (nb_pkts == 0)
		return;

	/* Need to do an LPM lookup for non-inline packets. Inline packets
	 * will have the port ID in the SA.
	 */
	for (i = 0; i < nb_pkts; i++) {
		if (!(pkts[i]->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD)) {
			/* Security offload not enabled, so an LPM lookup is
			 * required to get the hop.
			 */
			offset = offsetof(struct ip, ip_dst);
			dst_ip[lpm_pkts] = *rte_pktmbuf_mtod_offset(pkts[i],
					uint32_t *, offset);
			dst_ip[lpm_pkts] = rte_be_to_cpu_32(dst_ip[lpm_pkts]);
			lpm_pkts++;
		}
	}

	rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, lpm_pkts);

	lpm_pkts = 0;

	for (i = 0; i < nb_pkts; i++) {
		if (pkts[i]->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD) {
			/* Read hop from the SA */
			pkt_hop = get_hop_for_offload_pkt(pkts[i], 0);
		} else {
			/* Need to use hop returned by lookup */
			pkt_hop = hop[lpm_pkts++];
		}

		if ((pkt_hop & RTE_LPM_LOOKUP_SUCCESS) == 0) {
			core_statistics[lcoreid].lpm4.miss++;
			free_pkts(&pkts[i], 1);
			continue;
		}
		send_single_packet(pkts[i], pkt_hop & 0xff, IPPROTO_IP);
	}
}

static inline void
route6_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
{
	int32_t hop[MAX_PKT_BURST * 2];
	uint8_t dst_ip[MAX_PKT_BURST * 2][16];
	uint8_t *ip6_dst;
	int32_t pkt_hop = 0;
	uint16_t i, offset;
	uint16_t lpm_pkts = 0;
	unsigned int lcoreid = rte_lcore_id();

	if (nb_pkts == 0)
		return;

	/* Need to do an LPM lookup for non-inline packets. Inline packets
	 * will have the port ID in the SA.
	 */
	for (i = 0; i < nb_pkts; i++) {
		if (!(pkts[i]->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD)) {
			/* Security offload not enabled, so an LPM lookup is
			 * required to get the hop.
			 */
			offset = offsetof(struct ip6_hdr, ip6_dst);
			ip6_dst = rte_pktmbuf_mtod_offset(pkts[i], uint8_t *,
					offset);
			memcpy(&dst_ip[lpm_pkts][0], ip6_dst, 16);
			lpm_pkts++;
		}
	}

	rte_lpm6_lookup_bulk_func((struct rte_lpm6 *)rt_ctx, dst_ip, hop,
			lpm_pkts);

	lpm_pkts = 0;

	for (i = 0; i < nb_pkts; i++) {
		if (pkts[i]->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD) {
			/* Read hop from the SA */
			pkt_hop = get_hop_for_offload_pkt(pkts[i], 1);
		} else {
			/* Need to use hop returned by lookup */
			pkt_hop = hop[lpm_pkts++];
		}

		if (pkt_hop == -1) {
			core_statistics[lcoreid].lpm6.miss++;
			free_pkts(&pkts[i], 1);
			continue;
		}
		send_single_packet(pkts[i], pkt_hop & 0xff, IPPROTO_IPV6);
	}
}

static inline void
drain_tx_buffers(struct lcore_conf *qconf)
{
	struct buffer *buf;
	uint32_t portid;

	for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) {
		buf = &qconf->tx_mbufs[portid];
		if (buf->len == 0)
			continue;
		send_burst(qconf, buf->len, portid);
		buf->len = 0;
	}
}

#endif /* _IPSEC_WORKER_H_ */