1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright (C) 2020 Marvell International Ltd.
4 #ifndef _IPSEC_WORKER_H_
5 #define _IPSEC_WORKER_H_
8 #include <rte_ethdev.h>
14 /* Configure how many packets ahead to prefetch, when reading packets */
15 #define PREFETCH_OFFSET 3
17 PKT_TYPE_PLAIN_IPV4 = 1,
27 PKT_POSTED /* for lookaside case */
31 struct rt_ctx *rt4_ctx;
32 struct rt_ctx *rt6_ctx;
36 * Conf required by event mode worker with tx internal port
38 struct lcore_conf_ev_tx_int_port_wrkr {
39 struct ipsec_ctx inbound;
40 struct ipsec_ctx outbound;
41 struct route_table rt;
42 } __rte_cache_aligned;
44 void ipsec_poll_mode_worker(void);
46 int ipsec_launch_one_lcore(void *args);
49 * helper routine for inline and cpu(synchronous) processing
50 * this is just to satisfy inbound_sa_check() and get_hop_for_offload_pkt().
51 * Should be removed in future.
54 prep_process_group(void *sa, struct rte_mbuf *mb[], uint32_t cnt)
57 struct ipsec_mbuf_metadata *priv;
59 for (j = 0; j != cnt; j++) {
60 priv = get_priv(mb[j]);
62 /* setup TSO related fields if TSO enabled*/
64 uint32_t ptype = mb[j]->packet_type;
65 /* only TCP is supported */
66 if ((ptype & RTE_PTYPE_L4_MASK) == RTE_PTYPE_L4_TCP) {
67 mb[j]->tso_segsz = priv->sa->mss;
68 if ((IS_TUNNEL(priv->sa->flags))) {
69 mb[j]->outer_l3_len = mb[j]->l3_len;
70 mb[j]->outer_l2_len = mb[j]->l2_len;
72 RTE_MBUF_F_TX_TUNNEL_ESP;
73 if (RTE_ETH_IS_IPV4_HDR(ptype))
75 RTE_MBUF_F_TX_OUTER_IP_CKSUM;
77 mb[j]->l4_len = sizeof(struct rte_tcp_hdr);
78 mb[j]->ol_flags |= (RTE_MBUF_F_TX_TCP_SEG |
79 RTE_MBUF_F_TX_TCP_CKSUM);
80 if (RTE_ETH_IS_IPV4_HDR(ptype))
82 RTE_MBUF_F_TX_OUTER_IPV4;
85 RTE_MBUF_F_TX_OUTER_IPV6;
91 static __rte_always_inline void
92 adjust_ipv4_pktlen(struct rte_mbuf *m, const struct rte_ipv4_hdr *iph,
97 plen = rte_be_to_cpu_16(iph->total_length) + l2_len;
98 if (plen < m->pkt_len) {
99 trim = m->pkt_len - plen;
100 rte_pktmbuf_trim(m, trim);
104 static __rte_always_inline void
105 adjust_ipv6_pktlen(struct rte_mbuf *m, const struct rte_ipv6_hdr *iph,
110 plen = rte_be_to_cpu_16(iph->payload_len) + sizeof(*iph) + l2_len;
111 if (plen < m->pkt_len) {
112 trim = m->pkt_len - plen;
113 rte_pktmbuf_trim(m, trim);
117 static __rte_always_inline void
118 prepare_one_packet(struct rte_security_ctx *ctx, struct rte_mbuf *pkt,
119 struct ipsec_traffic *t)
121 uint32_t ptype = pkt->packet_type;
122 const struct rte_ether_hdr *eth;
123 const struct rte_ipv4_hdr *iph4;
124 const struct rte_ipv6_hdr *iph6;
125 uint32_t tun_type, l3_type;
129 tun_type = ptype & RTE_PTYPE_TUNNEL_MASK;
130 l3_type = ptype & RTE_PTYPE_L3_MASK;
132 eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
133 if (RTE_ETH_IS_IPV4_HDR(l3_type)) {
134 iph4 = (const struct rte_ipv4_hdr *)rte_pktmbuf_adj(pkt,
136 adjust_ipv4_pktlen(pkt, iph4, 0);
138 if (tun_type == RTE_PTYPE_TUNNEL_ESP) {
139 t->ipsec.pkts[(t->ipsec.num)++] = pkt;
141 t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
142 t->ip4.pkts[(t->ip4.num)++] = pkt;
144 tx_offload = sizeof(*iph4) << RTE_MBUF_L2_LEN_BITS;
145 } else if (RTE_ETH_IS_IPV6_HDR(l3_type)) {
150 /* get protocol type */
151 iph6 = (const struct rte_ipv6_hdr *)rte_pktmbuf_adj(pkt,
153 adjust_ipv6_pktlen(pkt, iph6, 0);
155 l3len = sizeof(struct ip6_hdr);
157 if (tun_type == RTE_PTYPE_TUNNEL_ESP) {
158 t->ipsec.pkts[(t->ipsec.num)++] = pkt;
160 t->ip6.data[t->ip6.num] = &iph6->proto;
161 t->ip6.pkts[(t->ip6.num)++] = pkt;
164 /* Determine l3 header size up to ESP extension by walking
165 * through extension headers.
167 if (l3_type == RTE_PTYPE_L3_IPV6_EXT ||
168 l3_type == RTE_PTYPE_L3_IPV6_EXT_UNKNOWN) {
169 p = rte_pktmbuf_mtod(pkt, uint8_t *);
170 next_proto = iph6->proto;
171 while (next_proto != IPPROTO_ESP &&
172 l3len < pkt->data_len &&
173 (next_proto = rte_ipv6_get_next_ext(p + l3len,
174 next_proto, &ext_len)) >= 0)
177 /* Drop pkt when IPv6 header exceeds first seg size */
178 if (unlikely(l3len > pkt->data_len)) {
183 tx_offload = l3len << RTE_MBUF_L2_LEN_BITS;
185 /* Unknown/Unsupported type, drop the packet */
186 RTE_LOG(ERR, IPSEC, "Unsupported packet type 0x%x\n",
187 rte_be_to_cpu_16(eth->ether_type));
192 if ((ptype & RTE_PTYPE_L4_MASK) == RTE_PTYPE_L4_TCP)
193 tx_offload |= (sizeof(struct rte_tcp_hdr) <<
194 (RTE_MBUF_L2_LEN_BITS + RTE_MBUF_L3_LEN_BITS));
195 else if ((ptype & RTE_PTYPE_L4_MASK) == RTE_PTYPE_L4_UDP)
196 tx_offload |= (sizeof(struct rte_udp_hdr) <<
197 (RTE_MBUF_L2_LEN_BITS + RTE_MBUF_L3_LEN_BITS));
198 pkt->tx_offload = tx_offload;
200 /* Check if the packet has been processed inline. For inline protocol
201 * processed packets, the metadata in the mbuf can be used to identify
202 * the security processing done on the packet. The metadata will be
203 * used to retrieve the application registered userdata associated
204 * with the security session.
207 if (ctx && pkt->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD) {
209 struct ipsec_mbuf_metadata *priv;
211 /* Retrieve the userdata registered. Here, the userdata
212 * registered is the SA pointer.
214 sa = (struct ipsec_sa *)rte_security_get_userdata(ctx,
215 *rte_security_dynfield(pkt));
217 /* userdata could not be retrieved */
221 /* Save SA as priv member in mbuf. This will be used in the
222 * IPsec selector(SP-SA) check.
225 priv = get_priv(pkt);
230 static __rte_always_inline void
231 prepare_traffic(struct rte_security_ctx *ctx, struct rte_mbuf **pkts,
232 struct ipsec_traffic *t, uint16_t nb_pkts)
240 for (i = 0; i < (nb_pkts - PREFETCH_OFFSET); i++) {
241 rte_prefetch0(rte_pktmbuf_mtod(pkts[i + PREFETCH_OFFSET],
243 prepare_one_packet(ctx, pkts[i], t);
245 /* Process left packets */
246 for (; i < nb_pkts; i++)
247 prepare_one_packet(ctx, pkts[i], t);
251 prepare_tx_pkt(struct rte_mbuf *pkt, uint16_t port,
252 const struct lcore_conf *qconf)
255 struct rte_ether_hdr *ethhdr;
257 ip = rte_pktmbuf_mtod(pkt, struct ip *);
259 ethhdr = (struct rte_ether_hdr *)
260 rte_pktmbuf_prepend(pkt, RTE_ETHER_HDR_LEN);
262 if (ip->ip_v == IPVERSION) {
263 pkt->ol_flags |= qconf->outbound.ipv4_offloads;
264 pkt->l3_len = sizeof(struct ip);
265 pkt->l2_len = RTE_ETHER_HDR_LEN;
269 /* calculate IPv4 cksum in SW */
270 if ((pkt->ol_flags & RTE_MBUF_F_TX_IP_CKSUM) == 0)
271 ip->ip_sum = rte_ipv4_cksum((struct rte_ipv4_hdr *)ip);
273 ethhdr->ether_type = rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
275 pkt->ol_flags |= qconf->outbound.ipv6_offloads;
276 pkt->l3_len = sizeof(struct ip6_hdr);
277 pkt->l2_len = RTE_ETHER_HDR_LEN;
279 ethhdr->ether_type = rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6);
282 memcpy(ðhdr->src_addr, ðaddr_tbl[port].src,
283 sizeof(struct rte_ether_addr));
284 memcpy(ðhdr->dst_addr, ðaddr_tbl[port].dst,
285 sizeof(struct rte_ether_addr));
289 prepare_tx_burst(struct rte_mbuf *pkts[], uint16_t nb_pkts, uint16_t port,
290 const struct lcore_conf *qconf)
293 const int32_t prefetch_offset = 2;
295 for (i = 0; i < (nb_pkts - prefetch_offset); i++) {
296 rte_mbuf_prefetch_part2(pkts[i + prefetch_offset]);
297 prepare_tx_pkt(pkts[i], port, qconf);
299 /* Process left packets */
300 for (; i < nb_pkts; i++)
301 prepare_tx_pkt(pkts[i], port, qconf);
304 /* Send burst of packets on an output interface */
305 static __rte_always_inline int32_t
306 send_burst(struct lcore_conf *qconf, uint16_t n, uint16_t port)
308 struct rte_mbuf **m_table;
312 queueid = qconf->tx_queue_id[port];
313 m_table = (struct rte_mbuf **)qconf->tx_mbufs[port].m_table;
315 prepare_tx_burst(m_table, n, port, qconf);
317 ret = rte_eth_tx_burst(port, queueid, m_table, n);
319 core_stats_update_tx(ret);
321 if (unlikely(ret < n)) {
323 free_pkts(&m_table[ret], 1);
331 * Helper function to fragment and queue for TX one packet.
333 static __rte_always_inline uint32_t
334 send_fragment_packet(struct lcore_conf *qconf, struct rte_mbuf *m,
335 uint16_t port, uint8_t proto)
341 tbl = qconf->tx_mbufs + port;
344 /* free space for new fragments */
345 if (len + RTE_LIBRTE_IP_FRAG_MAX_FRAG >= RTE_DIM(tbl->m_table)) {
346 send_burst(qconf, len, port);
350 n = RTE_DIM(tbl->m_table) - len;
352 if (proto == IPPROTO_IP)
353 rc = rte_ipv4_fragment_packet(m, tbl->m_table + len,
354 n, mtu_size, m->pool, qconf->frag.pool_indir);
356 rc = rte_ipv6_fragment_packet(m, tbl->m_table + len,
357 n, mtu_size, m->pool, qconf->frag.pool_indir);
363 "%s: failed to fragment packet with size %u, "
365 __func__, m->pkt_len, rte_errno);
371 /* Enqueue a single packet, and send burst if queue is filled */
372 static __rte_always_inline int32_t
373 send_single_packet(struct rte_mbuf *m, uint16_t port, uint8_t proto)
377 struct lcore_conf *qconf;
379 lcore_id = rte_lcore_id();
381 qconf = &lcore_conf[lcore_id];
382 len = qconf->tx_mbufs[port].len;
384 if (m->pkt_len <= mtu_size) {
385 qconf->tx_mbufs[port].m_table[len] = m;
388 /* need to fragment the packet */
389 } else if (frag_tbl_sz > 0)
390 len = send_fragment_packet(qconf, m, port, proto);
394 /* enough pkts to be sent */
395 if (unlikely(len == MAX_PKT_BURST)) {
396 send_burst(qconf, MAX_PKT_BURST, port);
400 qconf->tx_mbufs[port].len = len;
404 static __rte_always_inline void
405 inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip,
406 uint16_t lim, struct ipsec_spd_stats *stats)
409 uint32_t i, j, res, sa_idx;
411 if (ip->num == 0 || sp == NULL)
414 rte_acl_classify((struct rte_acl_ctx *)sp, ip->data, ip->res,
415 ip->num, DEFAULT_MAX_CATEGORIES);
418 for (i = 0; i < ip->num; i++) {
426 if (res == DISCARD) {
432 /* Only check SPI match for processed IPSec packets */
433 if (i < lim && ((m->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD) == 0)) {
440 if (!inbound_sa_check(sa, m, sa_idx)) {
451 static __rte_always_inline int32_t
452 get_hop_for_offload_pkt(struct rte_mbuf *pkt, int is_ipv6)
454 struct ipsec_mbuf_metadata *priv;
457 priv = get_priv(pkt);
460 if (unlikely(sa == NULL)) {
461 RTE_LOG(ERR, IPSEC, "SA not saved in private data\n");
469 return (sa->portid | RTE_LPM_LOOKUP_SUCCESS);
480 route4_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
482 uint32_t hop[MAX_PKT_BURST * 2];
483 uint32_t dst_ip[MAX_PKT_BURST * 2];
486 uint16_t lpm_pkts = 0;
487 unsigned int lcoreid = rte_lcore_id();
492 /* Need to do an LPM lookup for non-inline packets. Inline packets will
493 * have port ID in the SA
496 for (i = 0; i < nb_pkts; i++) {
497 if (!(pkts[i]->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD)) {
498 /* Security offload not enabled. So an LPM lookup is
499 * required to get the hop
501 offset = offsetof(struct ip, ip_dst);
502 dst_ip[lpm_pkts] = *rte_pktmbuf_mtod_offset(pkts[i],
504 dst_ip[lpm_pkts] = rte_be_to_cpu_32(dst_ip[lpm_pkts]);
509 rte_lpm_lookup_bulk((struct rte_lpm *)rt_ctx, dst_ip, hop, lpm_pkts);
513 for (i = 0; i < nb_pkts; i++) {
514 if (pkts[i]->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD) {
515 /* Read hop from the SA */
516 pkt_hop = get_hop_for_offload_pkt(pkts[i], 0);
518 /* Need to use hop returned by lookup */
519 pkt_hop = hop[lpm_pkts++];
522 if ((pkt_hop & RTE_LPM_LOOKUP_SUCCESS) == 0) {
523 core_statistics[lcoreid].lpm4.miss++;
524 free_pkts(&pkts[i], 1);
527 send_single_packet(pkts[i], pkt_hop & 0xff, IPPROTO_IP);
531 static __rte_always_inline void
532 route6_pkts(struct rt_ctx *rt_ctx, struct rte_mbuf *pkts[], uint8_t nb_pkts)
534 int32_t hop[MAX_PKT_BURST * 2];
535 uint8_t dst_ip[MAX_PKT_BURST * 2][16];
539 uint16_t lpm_pkts = 0;
540 unsigned int lcoreid = rte_lcore_id();
545 /* Need to do an LPM lookup for non-inline packets. Inline packets will
546 * have port ID in the SA
549 for (i = 0; i < nb_pkts; i++) {
550 if (!(pkts[i]->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD)) {
551 /* Security offload not enabled. So an LPM lookup is
552 * required to get the hop
554 offset = offsetof(struct ip6_hdr, ip6_dst);
555 ip6_dst = rte_pktmbuf_mtod_offset(pkts[i], uint8_t *,
557 memcpy(&dst_ip[lpm_pkts][0], ip6_dst, 16);
562 rte_lpm6_lookup_bulk_func((struct rte_lpm6 *)rt_ctx, dst_ip, hop,
567 for (i = 0; i < nb_pkts; i++) {
568 if (pkts[i]->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD) {
569 /* Read hop from the SA */
570 pkt_hop = get_hop_for_offload_pkt(pkts[i], 1);
572 /* Need to use hop returned by lookup */
573 pkt_hop = hop[lpm_pkts++];
577 core_statistics[lcoreid].lpm6.miss++;
578 free_pkts(&pkts[i], 1);
581 send_single_packet(pkts[i], pkt_hop & 0xff, IPPROTO_IPV6);
585 static __rte_always_inline void
586 drain_tx_buffers(struct lcore_conf *qconf)
591 for (portid = 0; portid < RTE_MAX_ETHPORTS; portid++) {
592 buf = &qconf->tx_mbufs[portid];
595 send_burst(qconf, buf->len, portid);
600 #endif /* _IPSEC_WORKER_H_ */
git.droids-corp.org / dpdk.git / blob