+ int32_t rc = 0;
+
+ ss->sa = sa;
+
+ if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
+ if (ss->security.ses != NULL) {
+ rc = rte_ipsec_session_prepare(ss);
+ if (rc != 0)
+ memset(ss, 0, sizeof(*ss));
+ }
+ }
+
+ return rc;
+}
+
+/*
+ * Initialise related rte_ipsec_sa object.
+ */
+static int
+ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size)
+{
+ int rc;
+ struct rte_ipsec_sa_prm prm;
+ struct rte_ipsec_session *ips;
+ struct rte_ipv4_hdr v4 = {
+ .version_ihl = IPVERSION << 4 |
+ sizeof(v4) / RTE_IPV4_IHL_MULTIPLIER,
+ .time_to_live = IPDEFTTL,
+ .next_proto_id = IPPROTO_ESP,
+ .src_addr = lsa->src.ip.ip4,
+ .dst_addr = lsa->dst.ip.ip4,
+ };
+ struct rte_ipv6_hdr v6 = {
+ .vtc_flow = htonl(IP6_VERSION << 28),
+ .proto = IPPROTO_ESP,
+ };
+
+ if (IS_IP6_TUNNEL(lsa->flags)) {
+ memcpy(v6.src_addr, lsa->src.ip.ip6.ip6_b, sizeof(v6.src_addr));
+ memcpy(v6.dst_addr, lsa->dst.ip.ip6.ip6_b, sizeof(v6.dst_addr));
+ }
+
+ rc = fill_ipsec_sa_prm(&prm, lsa, &v4, &v6);
+ if (rc == 0)
+ rc = rte_ipsec_sa_init(sa, &prm, sa_size);
+ if (rc < 0)
+ return rc;
+
+ /* init primary processing session */
+ ips = ipsec_get_primary_session(lsa);
+ rc = fill_ipsec_session(ips, sa);
+ if (rc != 0)
+ return rc;
+
+ /* init inline fallback processing session */
+ if (lsa->fallback_sessions == 1)
+ rc = fill_ipsec_session(ipsec_get_fallback_session(lsa), sa);
+
+ return rc;
+}
+
+/*
+ * Allocate space and init rte_ipsec_sa strcutures,
+ * one per session.
+ */
+static int
+ipsec_satbl_init(struct sa_ctx *ctx, uint32_t nb_ent, int32_t socket)
+{
+ int32_t rc, sz;
+ uint32_t i, idx;
+ size_t tsz;
+ struct rte_ipsec_sa *sa;
+ struct ipsec_sa *lsa;
+ struct rte_ipsec_sa_prm prm;
+
+ /* determine SA size */
+ idx = 0;
+ fill_ipsec_sa_prm(&prm, ctx->sa + idx, NULL, NULL);
+ sz = rte_ipsec_sa_size(&prm);
+ if (sz < 0) {
+ RTE_LOG(ERR, IPSEC, "%s(%p, %u, %d): "
+ "failed to determine SA size, error code: %d\n",
+ __func__, ctx, nb_ent, socket, sz);
+ return sz;
+ }
+
+ tsz = sz * nb_ent;
+
+ ctx->satbl = rte_zmalloc_socket(NULL, tsz, RTE_CACHE_LINE_SIZE, socket);
+ if (ctx->satbl == NULL) {
+ RTE_LOG(ERR, IPSEC,
+ "%s(%p, %u, %d): failed to allocate %zu bytes\n",
+ __func__, ctx, nb_ent, socket, tsz);
+ return -ENOMEM;
+ }
+
+ rc = 0;
+ for (i = 0; i != nb_ent && rc == 0; i++) {
+
+ idx = i;
+
+ sa = (struct rte_ipsec_sa *)((uintptr_t)ctx->satbl + sz * i);
+ lsa = ctx->sa + idx;
+
+ rc = ipsec_sa_init(lsa, sa, sz);
+ }
+
+ return rc;
+}
+
+static int
+sa_cmp(const void *p, const void *q)
+{
+ uint32_t spi1 = ((const struct ipsec_sa *)p)->spi;
+ uint32_t spi2 = ((const struct ipsec_sa *)q)->spi;
+
+ return (int)(spi1 - spi2);
+}
+
+/*
+ * Walk through all SA rules to find an SA with given SPI
+ */
+int
+sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound)
+{
+ uint32_t num;
+ struct ipsec_sa *sa;
+ struct ipsec_sa tmpl;
+ const struct ipsec_sa *sar;
+
+ sar = sa_ctx->sa;
+ if (inbound != 0)
+ num = nb_sa_in;
+ else
+ num = nb_sa_out;
+
+ tmpl.spi = spi;
+
+ sa = bsearch(&tmpl, sar, num, sizeof(struct ipsec_sa), sa_cmp);
+ if (sa != NULL)
+ return RTE_PTR_DIFF(sa, sar) / sizeof(struct ipsec_sa);
+
+ return -ENOENT;