/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright 2017 NXP.
+ * Copyright 2017,2019 NXP
* Copyright(c) 2017 Intel Corporation.
*/
* IPsec Security Association option flags
*/
struct rte_security_ipsec_sa_options {
- /**< Extended Sequence Numbers (ESN)
+ /** Extended Sequence Numbers (ESN)
*
* * 1: Use extended (64 bit) sequence numbers
* * 0: Use normal sequence numbers
*/
uint32_t esn : 1;
- /**< UDP encapsulation
+ /** UDP encapsulation
*
* * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
* traverse through NAT boxes.
*/
uint32_t udp_encap : 1;
- /**< Copy DSCP bits
+ /** Copy DSCP bits
*
* * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
* the outer IP header in encapsulation, and vice versa in
*/
uint32_t copy_dscp : 1;
- /**< Copy IPv6 Flow Label
+ /** Copy IPv6 Flow Label
*
* * 1: Copy IPv6 flow label from inner IPv6 header to the
* outer IPv6 header.
*/
uint32_t copy_flabel : 1;
- /**< Copy IPv4 Don't Fragment bit
+ /** Copy IPv4 Don't Fragment bit
*
* * 1: Copy the DF bit from the inner IPv4 header to the outer
* IPv4 header.
*/
uint32_t copy_df : 1;
- /**< Decrement inner packet Time To Live (TTL) field
+ /** Decrement inner packet Time To Live (TTL) field
*
* * 1: In tunnel mode, decrement inner packet IPv4 TTL or
* IPv6 Hop Limit after tunnel decapsulation, or before tunnel
* * 0: Inner packet is not modified.
*/
uint32_t dec_ttl : 1;
+
+ /** Explicit Congestion Notification (ECN)
+ *
+ * * 1: In tunnel mode, enable outer header ECN Field copied from
+ * inner header in tunnel encapsulation, or inner header ECN
+ * field construction in decapsulation.
+ * * 0: Inner/outer header are not modified.
+ */
+ uint32_t ecn : 1;
+
+ /** Security statistics
+ *
+ * * 1: Enable per session security statistics collection for
+ * this SA, if supported by the driver.
+ * * 0: Disable per session security statistics collection for this SA.
+ */
+ uint32_t stats : 1;
};
/** IPSec security association direction */
/**< Tunnel parameters, NULL for transport mode */
uint64_t esn_soft_limit;
/**< ESN for which the overflow event need to be raised */
+ uint32_t replay_win_sz;
+ /**< Anti replay window size to enable sequence replay attack handling.
+ * replay checking is disabled if the window size is 0.
+ */
};
/**
uint32_t hfn;
/** HFN Threshold for key renegotiation */
uint32_t hfn_threshold;
+ /** HFN can be given as a per packet value also.
+ * As we do not have IV in case of PDCP, and HFN is
+ * used to generate IV. IV field can be used to get the
+ * per packet HFN while enq/deq.
+ * If hfn_ovrd field is set, user is expected to set the
+ * per packet HFN in place of IV. PMDs will extract the HFN
+ * and perform operations accordingly.
+ */
+ uint32_t hfn_ovrd;
};
/**
struct rte_security_session {
void *sess_private_data;
/**< Private session material */
+ uint64_t opaque_data;
+ /**< Opaque user defined data */
};
/**
* - On success returns 0
* - On failure return errno
*/
+__rte_experimental
int
rte_security_session_update(struct rte_security_ctx *instance,
struct rte_security_session *sess,
* - On success, userdata
* - On failure, NULL
*/
+__rte_experimental
void *
rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md);
};
struct rte_security_ipsec_stats {
- uint64_t reserved;
-
+ uint64_t ipackets; /**< Successfully received IPsec packets. */
+ uint64_t opackets; /**< Successfully transmitted IPsec packets.*/
+ uint64_t ibytes; /**< Successfully received IPsec bytes. */
+ uint64_t obytes; /**< Successfully transmitted IPsec bytes. */
+ uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */
+ uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */
+ uint64_t reserved1; /**< Reserved for future use. */
+ uint64_t reserved2; /**< Reserved for future use. */
};
struct rte_security_pdcp_stats {
*
* @param instance security instance
* @param sess security session
+ * If security session is NULL then global (per security instance) statistics
+ * will be retrieved, if supported. Global statistics collection is not
+ * dependent on the per session statistics configuration.
* @param stats statistics
* @return
- * - On success return 0
- * - On failure errno
+ * - On success, return 0
+ * - On failure, a negative value
*/
+__rte_experimental
int
rte_security_session_stats_get(struct rte_security_ctx *instance,
struct rte_security_session *sess,
/**< IPsec SA direction */
struct rte_security_ipsec_sa_options options;
/**< IPsec SA supported options */
+ uint32_t replay_win_sz_max;
+ /**< IPsec Anti Replay Window Size. A '0' value
+ * indicates that Anti Replay is not supported.
+ */
} ipsec;
/**< IPsec capability */
struct {
enum rte_security_pdcp_domain domain;
/**< PDCP mode of operation: Control or data */
uint32_t capa_flags;
- /**< Capabilitity flags, see RTE_SECURITY_PDCP_* */
+ /**< Capability flags, see RTE_SECURITY_PDCP_* */
} pdcp;
/**< PDCP capability */
};
#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
/**< HW constructs trailer of packets
* Transmitted packets will have the trailer added to them
- * by hardawre. The next protocol field will be based on
+ * by hardware. The next protocol field will be based on
* the mbuf->inner_esp_next_proto field.
*/
#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000