[RFC,API-NEXT,1/2] api: ipsec: extend lookaside API

Message ID 1488550988-2652-1-git-send-email-petri.savolainen@linaro.org
State New
Headers show
Series
  • [RFC,API-NEXT,1/2] api: ipsec: extend lookaside API
Related show

Commit Message

Petri Savolainen March 3, 2017, 2:23 p.m.
Added SPI range and SA disable. Improved fragment documentation.

Signed-off-by: Petri Savolainen <petri.savolainen@linaro.org>

---
 include/odp/api/spec/event.h |  2 +-
 include/odp/api/spec/ipsec.h | 43 +++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 42 insertions(+), 3 deletions(-)

-- 
2.8.1

Patch hide | download patch | download mbox

diff --git a/include/odp/api/spec/event.h b/include/odp/api/spec/event.h
index 75c0bbc..f22efce 100644
--- a/include/odp/api/spec/event.h
+++ b/include/odp/api/spec/event.h
@@ -39,7 +39,7 @@  extern "C" {
  * @typedef odp_event_type_t
  * ODP event types:
  * ODP_EVENT_BUFFER, ODP_EVENT_PACKET, ODP_EVENT_TIMEOUT,
- * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT
+ * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT, ODP_EVENT_IPSEC_STATUS
  */
 
 /**
diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
index 66222d8..e57c7df 100644
--- a/include/odp/api/spec/ipsec.h
+++ b/include/odp/api/spec/ipsec.h
@@ -111,6 +111,21 @@  typedef struct odp_ipsec_config_t {
 	 */
 	odp_ipsec_op_mode_t op_mode;
 
+	/** Maximum number of IPSEC SAs that application will use
+	 * simultaneously */
+	uint32_t max_num_sa;
+
+	/** Inbound SPI range. Minimal range size may improve performance. */
+	struct {
+		/** Minimum inbound SPI value that application will use.
+		 *  Default value is 0. */
+		uint32_t min;
+
+		/** Maximum inbound SPI value that application will use.
+		 *  Default value is UINT32_MAX. */
+		uint32_t max;
+	} inbound_spi;
+
 } odp_ipsec_config_t;
 
 /**
@@ -529,6 +544,29 @@  void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t *param);
 odp_ipsec_sa_t odp_ipsec_sa_create(odp_ipsec_sa_param_t *param);
 
 /**
+ * Disable IPSEC SA
+ *
+ * Application must use this call to disable a SA before destroying it. The call
+ * marks the SA disabled, so that IPSEC implementation stops using it. For
+ * example, inbound SPI lookups will not match any more. Application must
+ * stop providing the SA as parameter to new IPSEC input/output operations
+ * before calling disable. Packets in progress during the call may still match
+ * the SA and be processed successfully.
+ *
+ * When in synchronous operation mode, the call will return when it's possible
+ * to destroy the SA. In asynchronous mode, the same is indicated by an
+ * ODP_EVENT_IPSEC_STATUS event sent to the queue specified for the SA.
+ *
+ * @param sa      IPSEC SA to be disabled
+ *
+ * @retval 0      On success
+ * @retval <0     On failure
+ *
+ * @see odp_ipsec_sa_destroy()
+ */
+int odp_ipsec_sa_disable(odp_ipsec_sa_t sa);
+
+/**
  * Destroy IPSEC SA
  *
  * Destroy an unused IPSEC SA. Result is undefined if the SA is being used
@@ -679,8 +717,9 @@  typedef struct odp_ipsec_packet_result_t {
 	 *
 	 *  Without fragmentation offload this is always one. However, if the
 	 *  input packet was fragmented during the operation this is larger than
-	 *  one for the first fragment and zero for the rest of the fragments
-	 *  (following the first one in the 'pkt' array).
+	 *  one for the first returned fragment and zero for the rest of the
+	 *  fragments. All the fragments (of the same source packet) are stored
+	 *  consecutively in the 'pkt' array.
 	 */
 	int num_out;