* No AH mode.
* Supported algorithms: AES-CBC, AES-CTR, AES-GCM, 3DES-CBC, HMAC-SHA1 and NULL.
* Each SA must be handle by a unique lcore (*1 RX queue per port*).
-* No chained mbufs.
Compiling the Application
-------------------------
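Review bot: dropping `* No chained mbufs.` from the constraints list leaves no statement of what replaces it. Suggest a replacement constraint line that names the new behaviour the rest of this patch introduces, for example that packets larger than the `-j FRAMESIZE` buffer are now received as multi-segment (chained) mbufs and that IP reassembly is only active when `--reassemble` is non-zero, so a reader of the constraints section does not have to infer the new limits from the option descriptions further down.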
./build/ipsec-secgw [EAL options] --
-p PORTMASK -P -u PORTMASK -j FRAMESIZE
-l -w REPLAY_WINOW_SIZE -e -a
+ -c SAD_CACHE_SIZE
--config (port,queue,lcore)[,(port,queue,lcore]
--single-sa SAIDX
--rxoffload MASK
--txoffload MASK
+ --mtu MTU
+ --reassemble NUM
-f CONFIG_FILE_PATH
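Review bot: the usage synopsis adds `-c SAD_CACHE_SIZE`, `--mtu MTU` and `--reassemble NUM` but omits `--frag-ttl FRAG_TTL_NS`, which this same patch documents in the option list below; add a `+ --frag-ttl FRAG_TTL_NS` line next to `--reassemble NUM` so the synopsis and the option list agree. While touching this block, the pre-existing `--config (port,queue,lcore)[,(port,queue,lcore]` line is missing its closing parenthesis.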
Where:
* ``-u PORTMASK``: hexadecimal bitmask of unprotected ports
-* ``-j FRAMESIZE``: *optional*. Enables jumbo frames with the maximum size
- specified as FRAMESIZE. If an invalid value is provided as FRAMESIZE
- then the default value 9000 is used.
+* ``-j FRAMESIZE``: *optional*. data buffer size (in bytes),
+ in other words maximum data size for one segment.
+ Packets with length bigger then FRAMESIZE still can be received,
+ but will be segmented.
+ Default value: RTE_MBUF_DEFAULT_BUF_SIZE (2176)
+ Minimum value: RTE_MBUF_DEFAULT_BUF_SIZE (2176)
+ Maximum value: UINT16_MAX (65535).
* ``-l``: enables code-path that uses librte_ipsec.
* ``-a``: enables Security Association sequence number atomic behavior
(available only with librte_ipsec code path).
+* ``-c``: specifies the SAD cache size. Stores the most recent SA in a per
+ lcore cache. Cache represents flat array containing SA's indexed by SPI.
+ Zero value disables cache.
+ Default value: 128.
+
* ``--config (port,queue,lcore)[,(port,queue,lcore)]``: determines which queues
from which ports are mapped to which cores.
allows user to disable some of the TX HW offload capabilities.
By default all HW TX offloads are enabled.
+* ``--mtu MTU``: MTU value (in bytes) on all attached ethernet ports.
+ Outgoing packets with length bigger then MTU will be fragmented.
+ Incoming packets with length bigger then MTU will be discarded.
+ Default value: 1500.
+
+* ``--frag-ttl FRAG_TTL_NS``: fragment lifetime (in nanoseconds).
+ If packet is not reassembled within this time, received fragments
+ will be discarded. Fragment lifetime should be decreased when
+ there is a high fragmented traffic loss in high bandwidth networks.
+ Should be lower for low number of reassembly buckets.
+ Valid values: from 1 ns to 10 s. Default value: 10000000 (10 s).
+
+* ``--reassemble NUM``: max number of entries in reassemble fragment table.
+ Zero value disables reassembly functionality.
+ Default value: 0.
+
* ``-f CONFIG_FILE_PATH``: the full path of text-based file containing all
configuration items for running the application (See Configuration file
syntax section below). ``-f CONFIG_FILE_PATH`` **must** be specified.
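Review bot: the `--frag-ttl` default is internally inconsistent: `10000000` nanoseconds is 10 ms, not 10 s (10 s would be `10000000000`), and since the stated range is 1 ns to 10 s the intended default must be spelled out unambiguously, because an operator tuning reassembly timeouts will act on whichever of the two values they read. In the `-j FRAMESIZE` text, the old behaviour of falling back to 9000 on an invalid value is removed without saying what now happens on an out-of-range value (error out, or clamp to the 2176..65535 bounds); that should be stated. The default and minimum are both RTE_MBUF_DEFAULT_BUF_SIZE, so one line saying the default equals the minimum would read more clearly than two identical ones. Wording: change `bigger then` to `bigger than` (three occurrences, in `-j` and `--mtu`), start `data buffer size` with a capital letter since it follows a full stop, change `SA's` to `SAs`, `Cache represents flat array` to `The cache is a flat array`, `ethernet` to `Ethernet`, and `Should be lower for low number of reassembly buckets` to `Should be lower for a low number of reassembly buckets`.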
.. code-block:: console
sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
- <mode> <src_ip> <dst_ip> <action_type> <port_id>
+ <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
where each options means:
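Review bot: `<fallback>` is shown as a bare positional token in the `sa` syntax line, but the fallback description below gives its syntax as the keyword form `fallback lookaside-none` and marks it optional, so the placeholder should read like the optional keyword it is (for example `[fallback <type>]`) rather than as a required positional field; as written, a reader could reasonably omit the `fallback` keyword and supply only the value. The surrounding context line `where each options means:` also reads better as `where each option means:`.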
* *port_id X* X is a valid device number in decimal
+ ``<fallback>``
+
+ * Action type for ingress IPsec packets that inline processor failed to
+ process. Only a combination of *inline-crypto-offload* as a primary
+ session and *lookaside-none* as a fall-back session is supported at the
+ moment.
+
+ If used in conjunction with IPsec window, its width needs be increased
+ due to different processing times of inline and lookaside modes which
+ results in packet reordering.
+
+ * Optional: Yes.
+
+ * Available options:
+
+ * *lookaside-none*: use automatically chosen cryptodev to process packets
+
+ * Syntax:
+
+ * *fallback lookaside-none*
Example SA rules:
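Review bot: the `<fallback>` entry should state which SA direction accepts it; the text says "ingress IPsec packets", so say explicitly that the option applies to `in` SAs and what the parser does if it is given on an `out` SA, rather than leaving it implied. The replay-window remark is the important operational point and is buried mid-paragraph: packets that fail inline processing and take the lookaside path arrive out of order relative to inline-processed ones, so a window left at its previous `-w REPLAY_WINOW_SIZE` value will drop the late arrivals as out-of-window; consider giving that its own bullet with a concrete recommendation on how much to widen it. Wording: `that inline processor failed to process` should be `that the inline processor failed to process`, and `its width needs be increased` should be `its width needs to be increased`.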
* ``CRYPTO_DEV``: crypto device to be used ('-w <pci-id>'). If none specified
appropriate vdevs will be created by the script
+* ``MULTI_SEG_TEST``: ipsec-secgw option to enable reassembly support and
+ specify size of reassembly table (e.g.
+ ``MULTI_SEG_TEST='--reassemble 128'``). This option must be set for
+ fallback session tests.
+
Note that most of the tests require the appropriate crypto PMD/device to be
available.
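Review bot: the `MULTI_SEG_TEST` description says the option "must be set for fallback session tests" but not why; if the reason is that those tests send fragmented traffic that needs the reassembly table, stating it lets a reader pick a sensible table size instead of copying 128. Also say whether the variable's value is appended verbatim to the ipsec-secgw command line, as the example `'--reassemble 128'` suggests, since that determines whether other options (such as `--frag-ttl`) can be passed through it as well.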