With the above configuration, inbound encrypted traffic from both the ports
is received by ipsec inline device.
+- ``Inline IPsec device channel and mask`` (default ``none``)
+
+ Set channel and channel mask configuration for the inline IPSec device. This
+ will be used when creating flow rules with RTE_FLOW_ACTION_TYPE_SECURITY
+ action.
+
+ By default, RTE Flow API sets the channel number of the port on which the
+ rule is created in the MCAM entry and matches it exactly. This behaviour can
+ be modified using the ``inl_cpt_channel`` ``devargs`` parameter.
+
+ For example::
+
+ -a 0002:1d:00.0,inl_cpt_channel=0x100/0xf00
+
+ With the above configuration, RTE Flow rules API will set the channel
+ and channel mask as 0x100 and 0xF00 in the MCAM entries of the flow rules
+ created with RTE_FLOW_ACTION_TYPE_SECURITY action. Since channel number is
+ set with this custom mask, inbound encrypted traffic from all ports with
+ matching channel number pattern will be directed to the inline IPSec device.
+
.. note::
Above devarg parameters are configurable per device, user needs to pass the
#define CNXK_NIX_INL_SELFTEST "selftest"
#define CNXK_NIX_INL_IPSEC_IN_MAX_SPI "ipsec_in_max_spi"
+#define CNXK_INL_CPT_CHANNEL "inl_cpt_channel"
+
+struct inl_cpt_channel {
+ bool is_multi_channel;
+ uint16_t channel;
+ uint16_t mask;
+};
#define CNXK_NIX_INL_DEV_NAME RTE_STR(cnxk_nix_inl_dev_)
#define CNXK_NIX_INL_DEV_NAME_LEN \
return 0;
}
+static int
+parse_inl_cpt_channel(const char *key, const char *value, void *extra_args)
+{
+ RTE_SET_USED(key);
+ uint16_t chan = 0, mask = 0;
+ char *next = 0;
+
+ /* next will point to the separator '/' */
+ chan = strtol(value, &next, 16);
+ mask = strtol(++next, 0, 16);
+
+ if (chan > GENMASK(12, 0) || mask > GENMASK(12, 0))
+ return -EINVAL;
+
+ ((struct inl_cpt_channel *)extra_args)->channel = chan;
+ ((struct inl_cpt_channel *)extra_args)->mask = mask;
+ ((struct inl_cpt_channel *)extra_args)->is_multi_channel = true;
+
+ return 0;
+}
+
static int
nix_inl_parse_devargs(struct rte_devargs *devargs,
struct roc_nix_inl_dev *inl_dev)
{
uint32_t ipsec_in_max_spi = BIT(8) - 1;
+ struct inl_cpt_channel cpt_channel;
struct rte_kvargs *kvlist;
uint8_t selftest = 0;
+ memset(&cpt_channel, 0, sizeof(cpt_channel));
+
if (devargs == NULL)
goto null_devargs;
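Review bot: parse_inl_cpt_channel() reads past the end of the devarg string when the value has no '/' separator, because `strtol()` then leaves `next` on the terminating NUL and `mask = strtol(++next, 0, 16)` starts one byte beyond it. Both results are also narrowed to `uint16_t` before the `GENMASK(12, 0)` comparison, so an oversized or negative input wraps into range instead of being rejected (0x10100 would be stored as 0x100). Since this pair decides which ports' inbound traffic matches the MCAM entries for the inline IPsec device, the parser should accept only `<hex>/<hex>`: parse into a wide unsigned type, require digits on both sides of the separator, and range-check before assigning to the 16-bit fields, as sketched below. The NULL check on `value` is defensive; whether rte_kvargs can deliver a key without a value here should be confirmed.

```c
static int
parse_inl_cpt_channel(const char *key, const char *value, void *extra_args)
{
	unsigned long chan, mask;
	const char *mask_str;
	char *end = NULL;

	RTE_SET_USED(key);

	if (value == NULL)
		return -EINVAL;

	/* channel: at least one hex digit, immediately followed by '/' */
	chan = strtoul(value, &end, 16);
	if (end == value || *end != '/')
		return -EINVAL;

	/* mask: at least one hex digit, nothing trailing */
	mask_str = end + 1;
	mask = strtoul(mask_str, &end, 16);
	if (end == mask_str || *end != '\0')
		return -EINVAL;

	/* compare while still wide, so out-of-range input cannot wrap into range */
	if (chan > GENMASK(12, 0) || mask > GENMASK(12, 0))
		return -EINVAL;

	/* … unchanged: store channel, mask and is_multi_channel, return 0 … */
}
```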
&selftest);
rte_kvargs_process(kvlist, CNXK_NIX_INL_IPSEC_IN_MAX_SPI,
&parse_ipsec_in_max_spi, &ipsec_in_max_spi);
+ rte_kvargs_process(kvlist, CNXK_INL_CPT_CHANNEL, &parse_inl_cpt_channel,
+ &cpt_channel);
rte_kvargs_free(kvlist);
null_devargs:
inl_dev->ipsec_in_max_spi = ipsec_in_max_spi;
inl_dev->selftest = selftest;
+ inl_dev->channel = cpt_channel.channel;
+ inl_dev->chan_mask = cpt_channel.mask;
+ inl_dev->is_multi_channel = cpt_channel.is_multi_channel;
return 0;
exit:
return -EINVAL;
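Review bot: The return value of the new `rte_kvargs_process()` call for `CNXK_INL_CPT_CHANNEL` is discarded, so an `-EINVAL` from parse_inl_cpt_channel() never reaches the caller. A malformed `inl_cpt_channel` value therefore falls through to `null_devargs` with the zeroed `cpt_channel`, and the device presumably comes up with default per-port channel matching without telling the operator the setting was ignored. The neighbouring calls visible in this hunk are handled the same way, but a hard failure seems safer for a setting that controls which traffic reaches the IPsec device: `if (rte_kvargs_process(kvlist, CNXK_INL_CPT_CHANNEL, &parse_inl_cpt_channel, &cpt_channel) < 0) { rte_kvargs_free(kvlist); goto exit; }`. nix_inl_parse_devargs() begins outside this hunk, so the kvlist setup is not visible here.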
RTE_PMD_REGISTER_PARAM_STRING(cnxk_nix_inl,
CNXK_NIX_INL_SELFTEST "=1"
- CNXK_NIX_INL_IPSEC_IN_MAX_SPI "=<1-65535>");
+ CNXK_NIX_INL_IPSEC_IN_MAX_SPI "=<1-65535>"
+ CNXK_INL_CPT_CHANNEL "=<1-4095>/<1-4095>");
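Review bot: The advertised range `<1-4095>/<1-4095>` does not match what the parser in this patch accepts. parse_inl_cpt_channel() reads both fields as hexadecimal, allows 0, and bounds them with `GENMASK(12, 0)`, which would be 0x1fff if the macro includes bit 12. The documentation example in this patch (`0x100/0xf00`) is also hex. Once the intended field width is confirmed, the string and the check should agree, for example `CNXK_INL_CPT_CHANNEL "=<0x0-0xfff>/<0x0-0xfff>"` together with `GENMASK(11, 0)` in the parser.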