From 578da1bd2025419f8d0fef420770cbdf419b4c29 Mon Sep 17 00:00:00 2001
From: Radu Nicolau
Date: Mon, 28 Feb 2022 15:00:22 +0000
Subject: [PATCH] net/iavf: support NAT-T / UDP encapsulation

Add support for NAT-T / UDP encapsulated ESP. This fixes the inline crypto feature for iAVF which will not function properly without setting the UDP encapsulation options.

Fixes: 6bc987ecb860 ("net/iavf: support IPsec inline crypto")
Cc: stable@dpdk.org
Signed-off-by: Radu Nicolau
Reviewed-by: Qi Zhang
---
 drivers/common/iavf/virtchnl_inline_ipsec.h | 9 +++++++++
 drivers/net/iavf/iavf_ipsec_crypto.c | 16 +++++++++++++---
 drivers/net/iavf/iavf_ipsec_crypto.h | 4 +++-
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/drivers/common/iavf/virtchnl_inline_ipsec.h b/drivers/common/iavf/virtchnl_inline_ipsec.h
index 1e9134501e..2f4bf15725 100644
--- a/drivers/common/iavf/virtchnl_inline_ipsec.h
+++ b/drivers/common/iavf/virtchnl_inline_ipsec.h
@@ -446,6 +446,15 @@ struct virtchnl_ipsec_sp_cfg {
 /* Set TC (congestion domain) if true. For future use. */
 u8 set_tc;
+
+ /* 0 for NAT-T unsupported, 1 for NAT-T supported */
+ u8 is_udp;
+
+ /* reserved */
+ u8 reserved;
+
+ /* NAT-T UDP port number. Only valid in case NAT-T supported */
+ u16 udp_port;
 } __rte_packed;
diff --git a/drivers/net/iavf/iavf_ipsec_crypto.c b/drivers/net/iavf/iavf_ipsec_crypto.c
index a63e42f29a..d6875eb6aa 100644
--- a/drivers/net/iavf/iavf_ipsec_crypto.c
+++ b/drivers/net/iavf/iavf_ipsec_crypto.c
@@ -736,7 +736,9 @@ iavf_ipsec_crypto_inbound_security_policy_add(struct iavf_adapter *adapter,
 uint8_t is_v4,
 rte_be32_t v4_dst_addr,
 uint8_t *v6_dst_addr,
- uint8_t drop)
+ uint8_t drop,
+ bool is_udp,
+ uint16_t udp_port)
 {
 struct inline_ipsec_msg *request = NULL, *response = NULL;
 size_t request_len, response_len;
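Review bot: The comment on `is_udp` in `struct virtchnl_ipsec_sp_cfg` describes a capability ("NAT-T supported"), but later in this patch the field is filled per policy from the parsed flow pattern, so it really means "this policy matches UDP-encapsulated ESP". I would reword it to `/* 1 if the policy matches UDP-encapsulated (NAT-T) ESP, 0 for plain ESP */` and have the `udp_port` comment state which port (source or destination) and which byte order the PF expects, and that the field is ignored when `is_udp` is 0. The struct is `__rte_packed` and grows by four bytes here; since it is carried in the request built in `iavf_ipsec_crypto_inbound_security_policy_add`, it is worth confirming that a PF built against the old layout rejects or tolerates the longer message rather than misreading it.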
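Review bot: The byte order of the new `udp_port` parameter is ambiguous: it is declared `uint16_t`, the hunk at -781 stores `htons(udp_port)` into `sp_cfg->udp_port`, and both call sites changed in `iavf_ipsec_flow_create` pass `ipsec_flow->udp_hdr.dst_port`, which is an `rte_be16_t` field of `struct rte_udp_hdr`. If `parse_udp_item` (its body is not visible here) copies the port from the flow item unchanged, the value is already big-endian and `htons` swaps it back on little-endian hosts, so the message carries the port in host order; if the PF expects network order, the policy is programmed with a swapped port and NAT-T traffic will not match it. Either declare the parameter as `rte_be16_t udp_port` and store it unconverted, or keep `uint16_t` and convert at the call sites with `rte_be_to_cpu_16(ipsec_flow->udp_hdr.dst_port)`. In both cases the doc comment on the prototype should state the expected order. The function body continues outside this hunk.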
@@ -781,6 +783,8 @@ iavf_ipsec_crypto_inbound_security_policy_add(struct iavf_adapter *adapter,
 /** Traffic Class/Congestion Domain currently not support */
 request->ipsec_data.sp_cfg->set_tc = 0;
 request->ipsec_data.sp_cfg->cgd = 0;
+ request->ipsec_data.sp_cfg->is_udp = is_udp;
+ request->ipsec_data.sp_cfg->udp_port = htons(udp_port);
 response_len = sizeof(struct inline_ipsec_msg) +
 sizeof(struct virtchnl_ipsec_sp_cfg_resp);
@@ -1625,6 +1629,7 @@ struct iavf_ipsec_flow_item {
 struct rte_ipv6_hdr ipv6_hdr;
 };
 struct rte_udp_hdr udp_hdr;
+ uint8_t is_udp;
 };
 static void
@@ -1737,6 +1742,7 @@ iavf_ipsec_flow_item_parse(struct rte_eth_dev *ethdev,
 parse_udp_item((const struct rte_flow_item_udp *)
 pattern[2].spec,
 &ipsec_flow->udp_hdr);
+ ipsec_flow->is_udp = true;
 ipsec_flow->spi =
 ((const struct rte_flow_item_esp *)
 pattern[3].spec)->hdr.spi;
@@ -1806,7 +1812,9 @@ iavf_ipsec_flow_create(struct iavf_adapter *ad,
 1,
 ipsec_flow->ipv4_hdr.dst_addr,
 NULL,
- 0);
+ 0,
+ ipsec_flow->is_udp,
+ ipsec_flow->udp_hdr.dst_port);
 } else {
 ipsec_flow->id =
 iavf_ipsec_crypto_inbound_security_policy_add(ad,
@@ -1814,7 +1822,9 @@ iavf_ipsec_flow_create(struct iavf_adapter *ad,
 0,
 0,
 ipsec_flow->ipv6_hdr.dst_addr,
- 0);
+ 0,
+ ipsec_flow->is_udp,
+ ipsec_flow->udp_hdr.dst_port);
 }
 if (ipsec_flow->id < 1) {
diff --git a/drivers/net/iavf/iavf_ipsec_crypto.h b/drivers/net/iavf/iavf_ipsec_crypto.h
index 687541077a..8ea0f9540e 100644
--- a/drivers/net/iavf/iavf_ipsec_crypto.h
+++ b/drivers/net/iavf/iavf_ipsec_crypto.h
@@ -145,7 +145,9 @@ iavf_ipsec_crypto_inbound_security_policy_add(struct iavf_adapter *adapter,
 uint8_t is_v4,
 rte_be32_t v4_dst_addr,
 uint8_t *v6_dst_addr,
- uint8_t drop);
+ uint8_t drop,
+ bool is_udp,
+ uint16_t udp_port);
 /**
 * Delete inbound security policy rule from hardware
--
2.20.1
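Review bot: `ipsec_flow->is_udp` is assigned only in the UDP pattern branch of `iavf_ipsec_flow_item_parse` (hunk at -1737); no visible line clears it for the plain-ESP patterns, yet the two call sites changed in `iavf_ipsec_flow_create` (hunks at -1806 and -1814) pass `is_udp` and `udp_hdr.dst_port` unconditionally. Unless the `struct iavf_ipsec_flow_item` is allocated zeroed (the allocation is outside these hunks), a non-UDP rule would send indeterminate `is_udp` and `udp_port` values to the PF and could be installed as a NAT-T policy on an arbitrary port, so the intended ESP traffic would not match it. Setting `ipsec_flow->is_udp = false;` before the pattern is examined, or allocating the item with `rte_zmalloc`, closes this. Passing `ipsec_flow->is_udp ? ipsec_flow->udp_hdr.dst_port : 0` at the call sites also avoids reading a `udp_hdr` that was never filled. The field is declared `uint8_t` while the parameter it feeds is `bool`; declaring it `bool is_udp;` would keep the types consistent.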