[RFC,API-NEXT,2/2] api: ipsec: add inline IPSEC support

Message ID 1488550988-2652-2-git-send-email-petri.savolainen@linaro.org
State New
Series
  • [RFC,API-NEXT,1/2] api: ipsec: extend lookaside API

Commit Message

Petri Savolainen March 3, 2017, 2:23 p.m.
Added support for inline IPSEC processing on packet input and
output.

Signed-off-by: Petri Savolainen <petri.savolainen@linaro.org>

---
 include/odp/api/spec/ipsec.h     | 134 +++++++++++++++++++++++++++++++++++----
 include/odp/api/spec/packet_io.h |  27 ++++++++
 2 files changed, 149 insertions(+), 12 deletions(-)

-- 
2.8.1


diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
index e57c7df..445216c 100644
--- a/include/odp/api/spec/ipsec.h
+++ b/include/odp/api/spec/ipsec.h
@@ -19,6 +19,7 @@  extern "C" {
 #endif
 
 #include <odp/api/crypto.h>
+#include <odp/api/packet_io.h>
 
 /** @defgroup odp_ipsec ODP IPSEC
  *  Operations of IPSEC API.
@@ -51,7 +52,15 @@  typedef enum odp_ipsec_op_mode_t {
 	  * Application uses asynchronous IPSEC operations,
 	  * which return results via events.
 	  */
-	ODP_IPSEC_OP_MODE_ASYNC
+	ODP_IPSEC_OP_MODE_ASYNC,
+
+	/** Inline IPSEC operation
+	  *
+	  * Packet input/output is connected directly to IPSEC inbound/outbound
+	  * processing. Application uses asynchronous or inline IPSEC
+	  * operations.
+	  */
+	ODP_IPSEC_OP_MODE_INLINE
 
 } odp_ipsec_op_mode_t;
 
@@ -78,6 +87,14 @@  typedef struct odp_ipsec_capability_t {
 	 */
 	uint8_t op_mode_async;
 
+	/** Inline IPSEC operation mode (ODP_IPSEC_OP_MODE_INLINE) support
+	 *
+	 *  0: Inline IPSEC operation is not supported
+	 *  1: Inline IPSEC operation is supported
+	 *  2: Inline IPSEC operation is supported and preferred
+	 */
+	uint8_t op_mode_inline;
+
 	/** Soft expiry limit in seconds support
 	 *
 	 *  0: Limit is not supported
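Review bot: `op_mode_inline` is a single IPSEC-wide value, so it cannot describe an implementation that supports inline processing in only one direction or only on some interfaces. The packet_io.h part of this patch enables inline mode per interface and per direction (`inbound_ipsec`, `outbound_ipsec`), so the two views can disagree. Please document how an application discovers which pktios and directions accept inline mode, for example `Per-interface and per-direction inline support must also be checked from the pktio capability before enabling it.` No matching pktio capability field is visible in this patch, so one may need to be added. odp_ipsec_capability_t starts and ends outside this hunk.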
@@ -605,7 +622,7 @@  typedef struct odp_ipsec_op_opt_t {
 #define ODP_IPSEC_OK 0
 
 /** IPSEC operation status */
-typedef union odp_ipsec_status_t {
+typedef union odp_ipsec_op_status_t {
 	/** Error flags */
 	struct {
 		/** Protocol error. Not a valid ESP or AH packet. */
@@ -653,7 +670,24 @@  typedef union odp_ipsec_status_t {
 	  */
 	uint32_t all;
 
-} odp_ipsec_status_t;
+} odp_ipsec_op_status_t;
+
+/** IPSEC operation flags */
+typedef union odp_ipsec_op_flags_t {
+	/** Operation flags */
+	struct {
+		/** Packet was processed in inline mode */
+		uint32_t inline_mode            : 1;
+
+	} bit;
+
+	/** All bits of the bit field structure
+	  *
+	  * This field can be used to set, clear or compare multiple flags.
+	  */
+	uint32_t all;
+
+} odp_ipsec_op_flags_t;
 
 /**
  * IPSEC operation input parameters
@@ -707,11 +741,51 @@  typedef struct odp_ipsec_op_param_t {
 } odp_ipsec_op_param_t;
 
 /**
+ * Outbound inline IPSEC operation parameters
+ */
+typedef struct odp_ipsec_inline_op_param_t {
+	/** Packet output interface for inline output operation
+	 *
+	 *  Outbound inline IPSEC operation uses this packet IO interface to
+	 *  output the packet after a successful IPSEC transformation. The pktio
+	 *  must have been configured to operate in inline IPSEC mode.
+	 */
+	odp_pktio_t pktio;
+
+	/** Outer headers for inline output operation
+	 *
+	 *  Outbound inline IPSEC operation uses this information to prepend
+	 *  outer headers to the IPSEC packet before sending it out.
+	 */
+	struct {
+		/** Points to first byte of outer headers to be copied in
+		 *  front of the outgoing IPSEC packet */
+		uint8_t *ptr;
+
+		/** Outer header length in bytes */
+		uint32_t len;
+	} outer_hdr;
+
+} odp_ipsec_inline_op_param_t;
+
+/**
+ * Additional information about the inbound inline IPSEC processed packet
+ */
+typedef struct odp_ipsec_orig_packet_t {
+	/** VLAN Tag Control Information (TCI) of the original packet */
+	uint16_t vlan_tci;
+
+} odp_ipsec_orig_packet_t;
+
+/**
  * IPSEC operation result for a packet
  */
 typedef struct odp_ipsec_packet_result_t {
 	/** IPSEC operation status */
-	odp_ipsec_status_t status;
+	odp_ipsec_op_status_t status;
+
+	/** IPSEC operation flags */
+	odp_ipsec_op_flags_t flags;
 
 	/** Number of output packets created from the corresponding input packet
 	 *
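Review bot: The comment on `outer_hdr.ptr` in odp_ipsec_inline_op_param_t does not say how long the pointed-to memory must stay valid. The operation that consumes it is documented as otherwise identical to the asynchronous odp_ipsec_out_enq(), so an implementation could read the header after odp_ipsec_out_inline() returns. A caller that built it on the stack or reuses the buffer would then have stale or freed bytes prepended to packets on the wire. Please state the lifetime in the field comment, e.g. `The implementation copies the headers before odp_ipsec_out_inline() returns; the application may reuse the memory after the call.`, and declare the field as `const uint8_t *ptr;` since it is only read. `len` has no documented upper bound either, so an implementation has nothing to validate it against.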
@@ -732,6 +806,12 @@  typedef struct odp_ipsec_packet_result_t {
 	 */
 	odp_ipsec_sa_t sa;
 
+	/** Additional information about the packet before inbound
+	 *  inline processing. This is valid only when flags.bit.inline_mode is
+	 *  set.
+	 */
+	odp_ipsec_orig_packet_t orig;
+
 } odp_ipsec_packet_result_t;
 
 /**
@@ -761,6 +841,8 @@  typedef struct odp_ipsec_op_result_t {
 	 *               has_l3, has_l4, has_ipv4, has_ipv6, has_ipfrag,
 	 *               has_ipsec, has_udp, has_tcp, etc depending on
 	 *               the resulted packet format
+	 *  * pktio:     For inbound inline IPSEC processed packets, original
+	 *               packet input interface
 	 *
 	 * @see odp_packet_l3_offset(), odp_packet_l4_offset(),
 	 *      odp_packet_has_ipv4(), odp_packet_has_ipv6(),
@@ -867,10 +949,10 @@  int odp_ipsec_out(const odp_ipsec_op_param_t *input,
 /**
  * Inbound asynchronous IPSEC operation
  *
- * This operation does inbound IPSEC processing in asynchronous mode
- * (ODP_IPSEC_OP_MODE_ASYNC). It processes packets otherwise identically to
- * odp_ipsec_in(), but outputs all results through one or more
- * ODP_EVENT_IPSEC_RESULT events with the following ordering considerations.
+ * This operation does inbound IPSEC processing in asynchronous mode. It
+ * processes packets otherwise identically to odp_ipsec_in(), but outputs all
+ * results through one or more ODP_EVENT_IPSEC_RESULT events with the following
+ * ordering considerations.
  *
  * Asynchronous mode maintains (operation input) packet order per SA when
  * application calls the operation within an ordered or atomic scheduler context
@@ -880,6 +962,9 @@  int odp_ipsec_out(const odp_ipsec_op_param_t *input,
  * events for the same SA are enqueued in order, and packet handles (for the
  * same SA) are stored in order within an event.
  *
+ * The function may be used also in inline processing mode, e.g. for IPSEC
+ * packets for which inline processing is not possible.
+ *
  * @param         input   Operation input parameters
  *
  * @return Number of input packets consumed (0 ... input.num_pkt)
@@ -892,10 +977,10 @@  int odp_ipsec_in_enq(const odp_ipsec_op_param_t *input);
 /**
  * Outbound asynchronous IPSEC operation
  *
- * This operation does outbound IPSEC processing in asynchronous mode
- * (ODP_IPSEC_OP_MODE_ASYNC). It processes packets otherwise identically to
- * odp_ipsec_out(), but outputs all results through one or more
- * ODP_EVENT_IPSEC_RESULT events with the following ordering considerations.
+ * This operation does outbound IPSEC processing in asynchronous mode. It
+ * processes packets otherwise identically to odp_ipsec_out(), but outputs all
+ * results through one or more ODP_EVENT_IPSEC_RESULT events with the following
+ * ordering considerations.
  *
  * Asynchronous mode maintains (operation input) packet order per SA when
  * application calls the operation within an ordered or atomic scheduler context
@@ -905,6 +990,9 @@  int odp_ipsec_in_enq(const odp_ipsec_op_param_t *input);
  * events for the same SA are enqueued in order, and packet handles (for the
  * same SA) are stored in order within an event.
  *
+ * The function may be used also in inline processing mode, e.g. for IPSEC
+ * packets for which inline processing is not possible.
+ *
  * @param         input   Operation input parameters
  *
  * @return Number of input packets consumed (0 ... input.num_pkt)
@@ -915,6 +1003,28 @@  int odp_ipsec_in_enq(const odp_ipsec_op_param_t *input);
 int odp_ipsec_out_enq(const odp_ipsec_op_param_t *input);
 
 /**
+ * Outbound inline IPSEC operation
+ *
+ * This operation does outbound inline IPSEC processing for the packets. It's
+ * otherwise identical to odp_ipsec_out_enq(), but outputs all successfully
+ * transformed packets to the specified output interface, instead of generating
+ * result events for those.
+ *
+ * Inline operation parameters are defined per packet. The array of parameters
+ * must have 'op_param.num_pkt' elements and is pointed to by 'inline_param'.
+ *
+ * @param         op_param      Operation parameters
+ * @param         inline_param  Outbound inline operation specific parameters
+ *
+ * @return Number of packets consumed (0 ... op_param.num_pkt)
+ * @retval <0     On failure
+ *
+ * @see odp_ipsec_out_enq()
+ */
+int odp_ipsec_out_inline(const odp_ipsec_op_param_t *op_param,
+			 const odp_ipsec_inline_op_param_t *inline_param);
+
+/**
  * Get IPSEC results from an ODP_EVENT_IPSEC_RESULT event
  *
  * Copies IPSEC operation results from an event. The event must be of
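Review bot: The description of odp_ipsec_out_inline() specifies only what happens to successfully transformed packets and leaves every failure path to inference. It should say explicitly that a packet which fails the transformation is never transmitted and is reported through a result event, e.g. `Packets that fail IPSEC processing are not sent; each is reported in an ODP_EVENT_IPSEC_RESULT event as with odp_ipsec_out_enq().` That appears to be the intent, but the author should confirm it. Two further cases are undefined as written: `inline_param[i].pktio` referring to an interface that was not configured with `outbound_ipsec` enabled, and a packet that was transformed but could not be queued for output. Without a defined result for these, an application cannot tell a protected packet that was dropped from one that was sent.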
diff --git a/include/odp/api/spec/packet_io.h b/include/odp/api/spec/packet_io.h
index cec1f22..56bd9e7 100644
--- a/include/odp/api/spec/packet_io.h
+++ b/include/odp/api/spec/packet_io.h
@@ -407,6 +407,33 @@  typedef struct odp_pktio_config_t {
 	 * interface capability before enabling the same. */
 	odp_bool_t enable_loop;
 
+	/** Inbound IPSEC inlined with packet input
+	 *
+	 *  Enable/disable inline inbound IPSEC operation. When enabled packet
+	 *  input directs all IPSEC packets automatically to IPSEC inbound
+	 *  processing. IPSEC configuration is done through the IPSEC API.
+	 *
+	 *  0: Disable inbound IPSEC inline operation (default)
+	 *  1: Enable inbound IPSEC inline operation
+	 *
+	 *  @see odp_ipsec_config(), odp_ipsec_sa_create()
+	 */
+	odp_bool_t inbound_ipsec;
+
+	/** Outbound IPSEC inlined with packet output
+	 *
+	 *  Enable/disable inline outbound IPSEC operation. When enabled IPSEC
+	 *  outbound processing can send outgoing IPSEC packets directly
+	 *  to the pktio interface for output. IPSEC configuration is done
+	 *  through the IPSEC API.
+	 *
+	 *  0: Disable outbound IPSEC inline operation (default)
+	 *  1: Enable outbound IPSEC inline operation
+	 *
+	 *  @see odp_ipsec_config(), odp_ipsec_sa_create()
+	 */
+	odp_bool_t outbound_ipsec;
+
 } odp_pktio_config_t;
 
 /**
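Review bot: The `inbound_ipsec` comment says packet input directs all IPSEC packets to inbound processing, but not where a packet goes when SA lookup finds no match or when processing fails (authentication, anti-replay). This matters to the application's trust model: if such packets can fall through to the normal packet input queues, code receiving from pktin cannot assume an ESP/AH packet it sees has been rejected or verified. Please add a sentence that fixes the behaviour, for example `IPSEC packets for which SA lookup or IPSEC processing fails are not delivered through normal packet input; they are reported with an error status in an ODP_EVENT_IPSEC_RESULT event.`, adjusted to whatever is actually intended. Unlike the `enable_loop` comment just above, neither new field mentions checking interface capability before enabling it. odp_pktio_config_t starts outside this hunk.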