[API-NEXT,v4,1/3] api: ipsec: extend lookaside API

Message ID	1490869785-16657-1-git-send-email-petri.savolainen@linaro.org
State	Accepted
Commit	4bf15b16e4fe26ff397e8c8d12d068cc289337d6
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.225.227.206 as permitted sender) client-ip=54.225.227.206; Received-SPF: SoftFail (protection.outlook.com: domain of transitioning linaro.org discourages use of 131.228.2.240 as permitted sender) From: Petri Savolainen <petri.savolainen@linaro.org> To: <lng-odp@lists.linaro.org> Date: Thu, 30 Mar 2017 13:29:43 +0300 Message-ID: <1490869785-16657-1-git-send-email-petri.savolainen@linaro.org> MIME-Version: 1.0 Content-Type: text/plain X-MS-Office365-Filtering-Correlation-Id: c58f0785-0ef6-4426-c50c-08d47757d2b2 SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; VI1PR07MB0816; 7:F8OzQ4WEtFwlBsMEtlDrX8NKcsfW1s46lsj/9lOnGgYNEdJi+6ts+IBZ9Mq1rK/lc9auJC1UeXa1/4+A4nvT3Mg4BxW3yqD9Se4RnQXt/pnJs3yL8Om5QVm97ww9DKJoqmBtnuUYLtH6eez/3qeFlGDzuzqcwPd6VS6O0laojg1HxlRipEWJSnIHIY5aHwhM88aw1KUGiEEejX2kvI6eSKC7PnBpockDPQs65dS4X5q2lZrLnb+/4Swdxx0KrkuHImyxumZcmTaY1Q74fpTL2Q25teqec6Uswb3ToMJqqobLFkOTaALBmjS99QXami/Jue5ZQibIBU7MxhMJpvq5Hw== Subject: [lng-odp] [API-NEXT PATCH v4 1/3] api: ipsec: extend lookaside API Precedence: list Errors-To: lng-odp-bounces@lists.linaro.org Sender: "lng-odp" <lng-odp-bounces@lists.linaro.org>
Series	[API-NEXT,v4,1/3] api: ipsec: extend lookaside API \| expand [API-NEXT,v4,1/3] api: ipsec: extend lookaside API [API-NEXT,v4,2/3] api: ipsec: add inline IPSEC support [API-NEXT,v4,3/3] linux-gen: ipsec: add stubs for new functions

Message ID

1490869785-16657-1-git-send-email-petri.savolainen@linaro.org

State

Accepted

Commit

4bf15b16e4fe26ff397e8c8d12d068cc289337d6

Headers

Received-SPF: pass (google.com: domain of lng-odp-bounces@lists.linaro.org
	designates 54.225.227.206 as permitted sender)
	client-ip=54.225.227.206; 
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
	linaro.org discourages use of 131.228.2.240 as permitted sender)
From: Petri Savolainen <petri.savolainen@linaro.org>
To: <lng-odp@lists.linaro.org>
Date: Thu, 30 Mar 2017 13:29:43 +0300
Message-ID: <1490869785-16657-1-git-send-email-petri.savolainen@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Mar 2017 10:30:44.5311
	(UTC)
X-MS-Exchange-CrossTenant-Id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5d471751-9675-428d-917b-70f44f9630b0;
	Ip=[131.228.2.240]; 
	Helo=[mailrelay.int.nokia.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB0816
Subject: [lng-odp] [API-NEXT PATCH v4 1/3] api: ipsec: extend lookaside API
X-BeenThere: lng-odp@lists.linaro.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: "The OpenDataPlane \(ODP\) List" <lng-odp.lists.linaro.org>
List-Unsubscribe: <https://lists.linaro.org/mailman/options/lng-odp>,
	<mailto:lng-odp-request@lists.linaro.org?subject=unsubscribe>
List-Archive: <http://lists.linaro.org/pipermail/lng-odp/>
List-Post: <mailto:lng-odp@lists.linaro.org>
List-Help: <mailto:lng-odp-request@lists.linaro.org?subject=help>
List-Subscribe: <https://lists.linaro.org/mailman/listinfo/lng-odp>,
	<mailto:lng-odp-request@lists.linaro.org?subject=subscribe>
Errors-To: lng-odp-bounces@lists.linaro.org
Sender: "lng-odp" <lng-odp-bounces@lists.linaro.org>

Series

[API-NEXT,v4,1/3] api: ipsec: extend lookaside API | expand

Commit Message

Petri Savolainen March 30, 2017, 10:29 a.m. UTC

Added configuration option for inbound SPI range (for
lookups). Removed unique SPI requirement and added config
option for overlap. Added default queue for lookup misses.
Added SA disable function and status event for the response
from it. The same event may be used for e.g. IPSEC
statistics, etc queries. Improved outbound fragmentation
documentation.

Signed-off-by: Petri Savolainen <petri.savolainen@linaro.org>

---
 include/odp/api/spec/event.h |   2 +-
 include/odp/api/spec/ipsec.h | 198 ++++++++++++++++++++++++++++++++++---------
 2 files changed, 158 insertions(+), 42 deletions(-)

-- 
2.8.1

Comments

Bill Fischofer April 2, 2017, 11:21 p.m. UTC | #1

For the v4 series:

Reviewed-by: Bill Fischofer <bill.fischofer@linaro.org>


On Thu, Mar 30, 2017 at 5:29 AM, Petri Savolainen
<petri.savolainen@linaro.org> wrote:
> Added configuration option for inbound SPI range (for

> lookups). Removed unique SPI requirement and added config

> option for overlap. Added default queue for lookup misses.

> Added SA disable function and status event for the response

> from it. The same event may be used for e.g. IPSEC

> statistics, etc queries. Improved outbound fragmentation

> documentation.

>

> Signed-off-by: Petri Savolainen <petri.savolainen@linaro.org>

> ---

>  include/odp/api/spec/event.h |   2 +-

>  include/odp/api/spec/ipsec.h | 198 ++++++++++++++++++++++++++++++++++---------

>  2 files changed, 158 insertions(+), 42 deletions(-)

>

> diff --git a/include/odp/api/spec/event.h b/include/odp/api/spec/event.h

> index 75c0bbc..f22efce 100644

> --- a/include/odp/api/spec/event.h

> +++ b/include/odp/api/spec/event.h

> @@ -39,7 +39,7 @@ extern "C" {

>   * @typedef odp_event_type_t

>   * ODP event types:

>   * ODP_EVENT_BUFFER, ODP_EVENT_PACKET, ODP_EVENT_TIMEOUT,

> - * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT

> + * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT, ODP_EVENT_IPSEC_STATUS

>   */

>

>  /**

> diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h

> index 66222d8..118363e 100644

> --- a/include/odp/api/spec/ipsec.h

> +++ b/include/odp/api/spec/ipsec.h

> @@ -56,6 +56,41 @@ typedef enum odp_ipsec_op_mode_t {

>  } odp_ipsec_op_mode_t;

>

>  /**

> + * Configuration options for IPSEC inbound processing

> + */

> +typedef struct odp_ipsec_inbound_config_t {

> +       /** Default destination queue for IPSEC events

> +        *

> +        *  When inbound SA lookup fails in the asynchronous mode,

> +        *  resulting IPSEC events are enqueued into this queue.

> +        */

> +       odp_queue_t default_queue;

> +

> +       /** Constraints for SPI values used with inbound SA lookup. Minimal

> +        *  SPI range and unique values may improve performance. */

> +       struct {

> +               /** Minimum SPI value for SA lookup. Default value is 0. */

> +               uint32_t min_spi;

> +

> +               /** Maximum SPI value for SA lookup. Default value is

> +                *  UINT32_MAX. */

> +               uint32_t max_spi;

> +

> +               /** Select if SPI values for SA lookup are unique or may contain

> +                *  the same value multiple times. This configuration is not

> +                *  relevant in ODP_IPSEC_LOOKUP_SPI mode. The default value

> +                *  is 0.

> +                *

> +                *  0: All SAs in SA lookup have unique SPI value

> +                *  1: The same SPI value may be used for multiple SAs

> +                */

> +               odp_bool_t spi_overlap;

> +

> +       } lookup;

> +

> +} odp_ipsec_inbound_config_t;

> +

> +/**

>   * IPSEC capability

>   */

>  typedef struct odp_ipsec_capability_t {

> @@ -111,6 +146,13 @@ typedef struct odp_ipsec_config_t {

>          */

>         odp_ipsec_op_mode_t op_mode;

>

> +       /** Maximum number of IPSEC SAs that application will use

> +        * simultaneously */

> +       uint32_t max_num_sa;

> +

> +       /** IPSEC inbound processing configuration */

> +       odp_ipsec_inbound_config_t inbound;

> +

>  } odp_ipsec_config_t;

>

>  /**

> @@ -349,8 +391,10 @@ typedef enum odp_ipsec_lookup_mode_t {

>         /** Inbound SA lookup is disabled. */

>         ODP_IPSEC_LOOKUP_DISABLED = 0,

>

> -       /** Inbound SA lookup is enabled. Used SPI values must be unique. */

> -       ODP_IPSEC_LOOKUP_IN_UNIQUE_SA

> +       /** Inbound SA lookup is enabled. Lookup matches only SPI value.

> +        *  SA lookup failure status (error.sa_lookup) is reported through

> +        *  odp_ipsec_packet_result_t. */

> +       ODP_IPSEC_LOOKUP_SPI

>

>  } odp_ipsec_lookup_mode_t;

>

> @@ -529,6 +573,29 @@ void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t *param);

>  odp_ipsec_sa_t odp_ipsec_sa_create(odp_ipsec_sa_param_t *param);

>

>  /**

> + * Disable IPSEC SA

> + *

> + * Application must use this call to disable a SA before destroying it. The call

> + * marks the SA disabled, so that IPSEC implementation stops using it. For

> + * example, inbound SPI lookups will not match any more. Application must

> + * stop providing the SA as parameter to new IPSEC input/output operations

> + * before calling disable. Packets in progress during the call may still match

> + * the SA and be processed successfully.

> + *

> + * When in synchronous operation mode, the call will return when it's possible

> + * to destroy the SA. In asynchronous mode, the same is indicated by an

> + * ODP_EVENT_IPSEC_STATUS event sent to the queue specified for the SA.

> + *

> + * @param sa      IPSEC SA to be disabled

> + *

> + * @retval 0      On success

> + * @retval <0     On failure

> + *

> + * @see odp_ipsec_sa_destroy()

> + */

> +int odp_ipsec_sa_disable(odp_ipsec_sa_t sa);

> +

> +/**

>   * Destroy IPSEC SA

>   *

>   * Destroy an unused IPSEC SA. Result is undefined if the SA is being used

> @@ -567,55 +634,59 @@ typedef struct odp_ipsec_op_opt_t {

>  #define ODP_IPSEC_OK 0

>

>  /** IPSEC operation status */

> -typedef union odp_ipsec_status_t {

> -       /** Error flags */

> -       struct {

> -               /** Protocol error. Not a valid ESP or AH packet. */

> -               uint32_t proto            : 1;

> +typedef struct odp_ipsec_op_status_t {

> +       union {

> +               /** Error flags */

> +               struct {

> +                       /** Protocol error. Not a valid ESP or AH packet. */

> +                       uint32_t proto            : 1;

>

> -               /** SA lookup failed */

> -               uint32_t sa_lookup        : 1;

> +                       /** SA lookup failed */

> +                       uint32_t sa_lookup        : 1;

>

> -               /** Authentication failed */

> -               uint32_t auth             : 1;

> +                       /** Authentication failed */

> +                       uint32_t auth             : 1;

>

> -               /** Anti-replay check failed */

> -               uint32_t antireplay       : 1;

> +                       /** Anti-replay check failed */

> +                       uint32_t antireplay       : 1;

>

> -               /** Other algorithm error */

> -               uint32_t alg              : 1;

> +                       /** Other algorithm error */

> +                       uint32_t alg              : 1;

>

> -               /** Packet does not fit into the given MTU size */

> -               uint32_t mtu              : 1;

> +                       /** Packet does not fit into the given MTU size */

> +                       uint32_t mtu              : 1;

>

> -               /** Soft lifetime expired: seconds */

> -               uint32_t soft_exp_sec     : 1;

> +                       /** Soft lifetime expired: seconds */

> +                       uint32_t soft_exp_sec     : 1;

>

> -               /** Soft lifetime expired: bytes */

> -               uint32_t soft_exp_bytes   : 1;

> +                       /** Soft lifetime expired: bytes */

> +                       uint32_t soft_exp_bytes   : 1;

>

> -               /** Soft lifetime expired: packets */

> -               uint32_t soft_exp_packets : 1;

> +                       /** Soft lifetime expired: packets */

> +                       uint32_t soft_exp_packets : 1;

>

> -               /** Hard lifetime expired: seconds */

> -               uint32_t hard_exp_sec     : 1;

> +                       /** Hard lifetime expired: seconds */

> +                       uint32_t hard_exp_sec     : 1;

>

> -               /** Hard lifetime expired: bytes */

> -               uint32_t hard_exp_bytes   : 1;

> +                       /** Hard lifetime expired: bytes */

> +                       uint32_t hard_exp_bytes   : 1;

>

> -               /** Hard lifetime expired: packets */

> -               uint32_t hard_exp_packets : 1;

> -       } error;

> +                       /** Hard lifetime expired: packets */

> +                       uint32_t hard_exp_packets : 1;

>

> -       /** All bits of the bit field structure

> -         *

> -         * This field can be used to set, clear or compare multiple flags.

> -         * For example, 'status.all != ODP_IPSEC_OK' checks if there are any

> -         * errors.

> -         */

> -       uint32_t all;

> +               } error;

>

> -} odp_ipsec_status_t;

> +               /** All error bits

> +                *

> +                *  This field can be used to set, clear or compare multiple

> +                *  flags. For example, 'status.all_error != ODP_IPSEC_OK'

> +                *  checks if there are

> +                *  any errors.

> +                */

> +               uint32_t all_error;

> +       };

> +

> +} odp_ipsec_op_status_t;

>

>  /**

>   * IPSEC operation input parameters

> @@ -673,14 +744,15 @@ typedef struct odp_ipsec_op_param_t {

>   */

>  typedef struct odp_ipsec_packet_result_t {

>         /** IPSEC operation status */

> -       odp_ipsec_status_t status;

> +       odp_ipsec_op_status_t status;

>

>         /** Number of output packets created from the corresponding input packet

>          *

>          *  Without fragmentation offload this is always one. However, if the

>          *  input packet was fragmented during the operation this is larger than

> -        *  one for the first fragment and zero for the rest of the fragments

> -        *  (following the first one in the 'pkt' array).

> +        *  one for the first returned fragment and zero for the rest of the

> +        *  fragments. All the fragments (of the same source packet) are stored

> +        *  consecutively in the 'pkt' array.

>          */

>         int num_out;

>

> @@ -745,6 +817,34 @@ typedef struct odp_ipsec_op_result_t {

>  } odp_ipsec_op_result_t;

>

>  /**

> + * IPSEC status ID

> + */

> +typedef enum odp_ipsec_status_id_t {

> +       /** Response to SA disable command */

> +       ODP_IPSEC_STATUS_SA_DISABLE = 0

> +

> +} odp_ipsec_status_id_t;

> +

> +/**

> + * IPSEC status content

> + */

> +typedef struct odp_ipsec_status_t {

> +       /** IPSEC status ID */

> +       odp_ipsec_status_id_t id;

> +

> +       /** Return value from the operation

> +        *

> +        *   0:    Success

> +        *  <0:    Failure

> +        */

> +       int ret;

> +

> +       /** IPSEC SA that was target of the operation */

> +       odp_ipsec_sa_t sa;

> +

> +} odp_ipsec_status_t;

> +

> +/**

>   * Inbound synchronous IPSEC operation

>   *

>   * This operation does inbound IPSEC processing in synchronous mode

> @@ -897,6 +997,22 @@ int odp_ipsec_out_enq(const odp_ipsec_op_param_t *input);

>  int odp_ipsec_result(odp_ipsec_op_result_t *result, odp_event_t event);

>

>  /**

> + * Get IPSEC status information from an ODP_EVENT_IPSEC_STATUS event

> + *

> + * Copies IPSEC status information from an event. The event must be of

> + * type ODP_EVENT_IPSEC_STATUS.

> + *

> + * @param[out]    status  Pointer to status information structure for output.

> + * @param         event   An ODP_EVENT_IPSEC_STATUS event

> + *

> + * @retval  0     On success

> + * @retval <0     On failure

> + *

> + * @see odp_ipsec_sa_disable()

> + */

> +int odp_ipsec_status(odp_ipsec_status_t *status, odp_event_t event);

> +

> +/**

>   * Update MTU for outbound IP fragmentation

>   *

>   * When IP fragmentation offload is enabled, the SA is created with an MTU.

> --

> 2.8.1

>

Balasubramanian Manoharan April 3, 2017, 12:59 p.m. UTC | #2

For this series:

Reviewed-by: Balasubramanian Manoharan <bala.manoharan@linaro.org>



On 30 March 2017 at 15:59, Petri Savolainen <petri.savolainen@linaro.org> wrote:
> Added configuration option for inbound SPI range (for

> lookups). Removed unique SPI requirement and added config

> option for overlap. Added default queue for lookup misses.

> Added SA disable function and status event for the response

> from it. The same event may be used for e.g. IPSEC

> statistics, etc queries. Improved outbound fragmentation

> documentation.

>

> Signed-off-by: Petri Savolainen <petri.savolainen@linaro.org>

> ---

>  include/odp/api/spec/event.h |   2 +-

>  include/odp/api/spec/ipsec.h | 198 ++++++++++++++++++++++++++++++++++---------

>  2 files changed, 158 insertions(+), 42 deletions(-)

>

> diff --git a/include/odp/api/spec/event.h b/include/odp/api/spec/event.h

> index 75c0bbc..f22efce 100644

> --- a/include/odp/api/spec/event.h

> +++ b/include/odp/api/spec/event.h

> @@ -39,7 +39,7 @@ extern "C" {

>   * @typedef odp_event_type_t

>   * ODP event types:

>   * ODP_EVENT_BUFFER, ODP_EVENT_PACKET, ODP_EVENT_TIMEOUT,

> - * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT

> + * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT, ODP_EVENT_IPSEC_STATUS

>   */

>

>  /**

> diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h

> index 66222d8..118363e 100644

> --- a/include/odp/api/spec/ipsec.h

> +++ b/include/odp/api/spec/ipsec.h

> @@ -56,6 +56,41 @@ typedef enum odp_ipsec_op_mode_t {

>  } odp_ipsec_op_mode_t;

>

>  /**

> + * Configuration options for IPSEC inbound processing

> + */

> +typedef struct odp_ipsec_inbound_config_t {

> +       /** Default destination queue for IPSEC events

> +        *

> +        *  When inbound SA lookup fails in the asynchronous mode,

> +        *  resulting IPSEC events are enqueued into this queue.

> +        */

> +       odp_queue_t default_queue;

> +

> +       /** Constraints for SPI values used with inbound SA lookup. Minimal

> +        *  SPI range and unique values may improve performance. */

> +       struct {

> +               /** Minimum SPI value for SA lookup. Default value is 0. */

> +               uint32_t min_spi;

> +

> +               /** Maximum SPI value for SA lookup. Default value is

> +                *  UINT32_MAX. */

> +               uint32_t max_spi;

> +

> +               /** Select if SPI values for SA lookup are unique or may contain

> +                *  the same value multiple times. This configuration is not

> +                *  relevant in ODP_IPSEC_LOOKUP_SPI mode. The default value

> +                *  is 0.

> +                *

> +                *  0: All SAs in SA lookup have unique SPI value

> +                *  1: The same SPI value may be used for multiple SAs

> +                */

> +               odp_bool_t spi_overlap;

> +

> +       } lookup;

> +

> +} odp_ipsec_inbound_config_t;

> +

> +/**

>   * IPSEC capability

>   */

>  typedef struct odp_ipsec_capability_t {

> @@ -111,6 +146,13 @@ typedef struct odp_ipsec_config_t {

>          */

>         odp_ipsec_op_mode_t op_mode;

>

> +       /** Maximum number of IPSEC SAs that application will use

> +        * simultaneously */

> +       uint32_t max_num_sa;

> +

> +       /** IPSEC inbound processing configuration */

> +       odp_ipsec_inbound_config_t inbound;

> +

>  } odp_ipsec_config_t;

>

>  /**

> @@ -349,8 +391,10 @@ typedef enum odp_ipsec_lookup_mode_t {

>         /** Inbound SA lookup is disabled. */

>         ODP_IPSEC_LOOKUP_DISABLED = 0,

>

> -       /** Inbound SA lookup is enabled. Used SPI values must be unique. */

> -       ODP_IPSEC_LOOKUP_IN_UNIQUE_SA

> +       /** Inbound SA lookup is enabled. Lookup matches only SPI value.

> +        *  SA lookup failure status (error.sa_lookup) is reported through

> +        *  odp_ipsec_packet_result_t. */

> +       ODP_IPSEC_LOOKUP_SPI

>

>  } odp_ipsec_lookup_mode_t;

>

> @@ -529,6 +573,29 @@ void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t *param);

>  odp_ipsec_sa_t odp_ipsec_sa_create(odp_ipsec_sa_param_t *param);

>

>  /**

> + * Disable IPSEC SA

> + *

> + * Application must use this call to disable a SA before destroying it. The call

> + * marks the SA disabled, so that IPSEC implementation stops using it. For

> + * example, inbound SPI lookups will not match any more. Application must

> + * stop providing the SA as parameter to new IPSEC input/output operations

> + * before calling disable. Packets in progress during the call may still match

> + * the SA and be processed successfully.

> + *

> + * When in synchronous operation mode, the call will return when it's possible

> + * to destroy the SA. In asynchronous mode, the same is indicated by an

> + * ODP_EVENT_IPSEC_STATUS event sent to the queue specified for the SA.

> + *

> + * @param sa      IPSEC SA to be disabled

> + *

> + * @retval 0      On success

> + * @retval <0     On failure

> + *

> + * @see odp_ipsec_sa_destroy()

> + */

> +int odp_ipsec_sa_disable(odp_ipsec_sa_t sa);

> +

> +/**

>   * Destroy IPSEC SA

>   *

>   * Destroy an unused IPSEC SA. Result is undefined if the SA is being used

> @@ -567,55 +634,59 @@ typedef struct odp_ipsec_op_opt_t {

>  #define ODP_IPSEC_OK 0

>

>  /** IPSEC operation status */

> -typedef union odp_ipsec_status_t {

> -       /** Error flags */

> -       struct {

> -               /** Protocol error. Not a valid ESP or AH packet. */

> -               uint32_t proto            : 1;

> +typedef struct odp_ipsec_op_status_t {

> +       union {

> +               /** Error flags */

> +               struct {

> +                       /** Protocol error. Not a valid ESP or AH packet. */

> +                       uint32_t proto            : 1;

>

> -               /** SA lookup failed */

> -               uint32_t sa_lookup        : 1;

> +                       /** SA lookup failed */

> +                       uint32_t sa_lookup        : 1;

>

> -               /** Authentication failed */

> -               uint32_t auth             : 1;

> +                       /** Authentication failed */

> +                       uint32_t auth             : 1;

>

> -               /** Anti-replay check failed */

> -               uint32_t antireplay       : 1;

> +                       /** Anti-replay check failed */

> +                       uint32_t antireplay       : 1;

>

> -               /** Other algorithm error */

> -               uint32_t alg              : 1;

> +                       /** Other algorithm error */

> +                       uint32_t alg              : 1;

>

> -               /** Packet does not fit into the given MTU size */

> -               uint32_t mtu              : 1;

> +                       /** Packet does not fit into the given MTU size */

> +                       uint32_t mtu              : 1;

>

> -               /** Soft lifetime expired: seconds */

> -               uint32_t soft_exp_sec     : 1;

> +                       /** Soft lifetime expired: seconds */

> +                       uint32_t soft_exp_sec     : 1;

>

> -               /** Soft lifetime expired: bytes */

> -               uint32_t soft_exp_bytes   : 1;

> +                       /** Soft lifetime expired: bytes */

> +                       uint32_t soft_exp_bytes   : 1;

>

> -               /** Soft lifetime expired: packets */

> -               uint32_t soft_exp_packets : 1;

> +                       /** Soft lifetime expired: packets */

> +                       uint32_t soft_exp_packets : 1;

>

> -               /** Hard lifetime expired: seconds */

> -               uint32_t hard_exp_sec     : 1;

> +                       /** Hard lifetime expired: seconds */

> +                       uint32_t hard_exp_sec     : 1;

>

> -               /** Hard lifetime expired: bytes */

> -               uint32_t hard_exp_bytes   : 1;

> +                       /** Hard lifetime expired: bytes */

> +                       uint32_t hard_exp_bytes   : 1;

>

> -               /** Hard lifetime expired: packets */

> -               uint32_t hard_exp_packets : 1;

> -       } error;

> +                       /** Hard lifetime expired: packets */

> +                       uint32_t hard_exp_packets : 1;

>

> -       /** All bits of the bit field structure

> -         *

> -         * This field can be used to set, clear or compare multiple flags.

> -         * For example, 'status.all != ODP_IPSEC_OK' checks if there are any

> -         * errors.

> -         */

> -       uint32_t all;

> +               } error;

>

> -} odp_ipsec_status_t;

> +               /** All error bits

> +                *

> +                *  This field can be used to set, clear or compare multiple

> +                *  flags. For example, 'status.all_error != ODP_IPSEC_OK'

> +                *  checks if there are

> +                *  any errors.

> +                */

> +               uint32_t all_error;

> +       };

> +

> +} odp_ipsec_op_status_t;

>

>  /**

>   * IPSEC operation input parameters

> @@ -673,14 +744,15 @@ typedef struct odp_ipsec_op_param_t {

>   */

>  typedef struct odp_ipsec_packet_result_t {

>         /** IPSEC operation status */

> -       odp_ipsec_status_t status;

> +       odp_ipsec_op_status_t status;

>

>         /** Number of output packets created from the corresponding input packet

>          *

>          *  Without fragmentation offload this is always one. However, if the

>          *  input packet was fragmented during the operation this is larger than

> -        *  one for the first fragment and zero for the rest of the fragments

> -        *  (following the first one in the 'pkt' array).

> +        *  one for the first returned fragment and zero for the rest of the

> +        *  fragments. All the fragments (of the same source packet) are stored

> +        *  consecutively in the 'pkt' array.

>          */

>         int num_out;

>

> @@ -745,6 +817,34 @@ typedef struct odp_ipsec_op_result_t {

>  } odp_ipsec_op_result_t;

>

>  /**

> + * IPSEC status ID

> + */

> +typedef enum odp_ipsec_status_id_t {

> +       /** Response to SA disable command */

> +       ODP_IPSEC_STATUS_SA_DISABLE = 0

> +

> +} odp_ipsec_status_id_t;

> +

> +/**

> + * IPSEC status content

> + */

> +typedef struct odp_ipsec_status_t {

> +       /** IPSEC status ID */

> +       odp_ipsec_status_id_t id;

> +

> +       /** Return value from the operation

> +        *

> +        *   0:    Success

> +        *  <0:    Failure

> +        */

> +       int ret;

> +

> +       /** IPSEC SA that was target of the operation */

> +       odp_ipsec_sa_t sa;

> +

> +} odp_ipsec_status_t;

> +

> +/**

>   * Inbound synchronous IPSEC operation

>   *

>   * This operation does inbound IPSEC processing in synchronous mode

> @@ -897,6 +997,22 @@ int odp_ipsec_out_enq(const odp_ipsec_op_param_t *input);

>  int odp_ipsec_result(odp_ipsec_op_result_t *result, odp_event_t event);

>

>  /**

> + * Get IPSEC status information from an ODP_EVENT_IPSEC_STATUS event

> + *

> + * Copies IPSEC status information from an event. The event must be of

> + * type ODP_EVENT_IPSEC_STATUS.

> + *

> + * @param[out]    status  Pointer to status information structure for output.

> + * @param         event   An ODP_EVENT_IPSEC_STATUS event

> + *

> + * @retval  0     On success

> + * @retval <0     On failure

> + *

> + * @see odp_ipsec_sa_disable()

> + */

> +int odp_ipsec_status(odp_ipsec_status_t *status, odp_event_t event);

> +

> +/**

>   * Update MTU for outbound IP fragmentation

>   *

>   * When IP fragmentation offload is enabled, the SA is created with an MTU.

> --

> 2.8.1

>

diff --git a/include/odp/api/spec/event.h b/include/odp/api/spec/event.h
index 75c0bbc..f22efce 100644
--- a/include/odp/api/spec/event.h
+++ b/include/odp/api/spec/event.h
@@ -39,7 +39,7 @@  extern "C" {
  * @typedef odp_event_type_t
  * ODP event types:
  * ODP_EVENT_BUFFER, ODP_EVENT_PACKET, ODP_EVENT_TIMEOUT,
- * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT
+ * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT, ODP_EVENT_IPSEC_STATUS
  */
 
 /**
diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
index 66222d8..118363e 100644
--- a/include/odp/api/spec/ipsec.h
+++ b/include/odp/api/spec/ipsec.h
@@ -56,6 +56,41 @@  typedef enum odp_ipsec_op_mode_t {
 } odp_ipsec_op_mode_t;
 
 /**
+ * Configuration options for IPSEC inbound processing
+ */
+typedef struct odp_ipsec_inbound_config_t {
+	/** Default destination queue for IPSEC events
+	 *
+	 *  When inbound SA lookup fails in the asynchronous mode,
+	 *  resulting IPSEC events are enqueued into this queue.
+	 */
+	odp_queue_t default_queue;
+
+	/** Constraints for SPI values used with inbound SA lookup. Minimal
+	 *  SPI range and unique values may improve performance. */
+	struct {
+		/** Minimum SPI value for SA lookup. Default value is 0. */
+		uint32_t min_spi;
+
+		/** Maximum SPI value for SA lookup. Default value is
+		 *  UINT32_MAX. */
+		uint32_t max_spi;
+
+		/** Select if SPI values for SA lookup are unique or may contain
+		 *  the same value multiple times. This configuration is not
+		 *  relevant in ODP_IPSEC_LOOKUP_SPI mode. The default value
+		 *  is 0.
+		 *
+		 *  0: All SAs in SA lookup have unique SPI value
+		 *  1: The same SPI value may be used for multiple SAs
+		 */
+		odp_bool_t spi_overlap;
+
+	} lookup;
+
+} odp_ipsec_inbound_config_t;
+
+/**
  * IPSEC capability
  */
 typedef struct odp_ipsec_capability_t {
@@ -111,6 +146,13 @@  typedef struct odp_ipsec_config_t {
 	 */
 	odp_ipsec_op_mode_t op_mode;
 
+	/** Maximum number of IPSEC SAs that application will use
+	 * simultaneously */
+	uint32_t max_num_sa;
+
+	/** IPSEC inbound processing configuration */
+	odp_ipsec_inbound_config_t inbound;
+
 } odp_ipsec_config_t;
 
 /**
@@ -349,8 +391,10 @@  typedef enum odp_ipsec_lookup_mode_t {
 	/** Inbound SA lookup is disabled. */
 	ODP_IPSEC_LOOKUP_DISABLED = 0,
 
-	/** Inbound SA lookup is enabled. Used SPI values must be unique. */
-	ODP_IPSEC_LOOKUP_IN_UNIQUE_SA
+	/** Inbound SA lookup is enabled. Lookup matches only SPI value.
+	 *  SA lookup failure status (error.sa_lookup) is reported through
+	 *  odp_ipsec_packet_result_t. */
+	ODP_IPSEC_LOOKUP_SPI
 
 } odp_ipsec_lookup_mode_t;
 
@@ -529,6 +573,29 @@  void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t *param);
 odp_ipsec_sa_t odp_ipsec_sa_create(odp_ipsec_sa_param_t *param);
 
 /**
+ * Disable IPSEC SA
+ *
+ * Application must use this call to disable a SA before destroying it. The call
+ * marks the SA disabled, so that IPSEC implementation stops using it. For
+ * example, inbound SPI lookups will not match any more. Application must
+ * stop providing the SA as parameter to new IPSEC input/output operations
+ * before calling disable. Packets in progress during the call may still match
+ * the SA and be processed successfully.
+ *
+ * When in synchronous operation mode, the call will return when it's possible
+ * to destroy the SA. In asynchronous mode, the same is indicated by an
+ * ODP_EVENT_IPSEC_STATUS event sent to the queue specified for the SA.
+ *
+ * @param sa      IPSEC SA to be disabled
+ *
+ * @retval 0      On success
+ * @retval <0     On failure
+ *
+ * @see odp_ipsec_sa_destroy()
+ */
+int odp_ipsec_sa_disable(odp_ipsec_sa_t sa);
+
+/**
  * Destroy IPSEC SA
  *
  * Destroy an unused IPSEC SA. Result is undefined if the SA is being used
@@ -567,55 +634,59 @@  typedef struct odp_ipsec_op_opt_t {
 #define ODP_IPSEC_OK 0
 
 /** IPSEC operation status */
-typedef union odp_ipsec_status_t {
-	/** Error flags */
-	struct {
-		/** Protocol error. Not a valid ESP or AH packet. */
-		uint32_t proto            : 1;
+typedef struct odp_ipsec_op_status_t {
+	union {
+		/** Error flags */
+		struct {
+			/** Protocol error. Not a valid ESP or AH packet. */
+			uint32_t proto            : 1;
 
-		/** SA lookup failed */
-		uint32_t sa_lookup        : 1;
+			/** SA lookup failed */
+			uint32_t sa_lookup        : 1;
 
-		/** Authentication failed */
-		uint32_t auth             : 1;
+			/** Authentication failed */
+			uint32_t auth             : 1;
 
-		/** Anti-replay check failed */
-		uint32_t antireplay       : 1;
+			/** Anti-replay check failed */
+			uint32_t antireplay       : 1;
 
-		/** Other algorithm error */
-		uint32_t alg              : 1;
+			/** Other algorithm error */
+			uint32_t alg              : 1;
 
-		/** Packet does not fit into the given MTU size */
-		uint32_t mtu              : 1;
+			/** Packet does not fit into the given MTU size */
+			uint32_t mtu              : 1;
 
-		/** Soft lifetime expired: seconds */
-		uint32_t soft_exp_sec     : 1;
+			/** Soft lifetime expired: seconds */
+			uint32_t soft_exp_sec     : 1;
 
-		/** Soft lifetime expired: bytes */
-		uint32_t soft_exp_bytes   : 1;
+			/** Soft lifetime expired: bytes */
+			uint32_t soft_exp_bytes   : 1;
 
-		/** Soft lifetime expired: packets */
-		uint32_t soft_exp_packets : 1;
+			/** Soft lifetime expired: packets */
+			uint32_t soft_exp_packets : 1;
 
-		/** Hard lifetime expired: seconds */
-		uint32_t hard_exp_sec     : 1;
+			/** Hard lifetime expired: seconds */
+			uint32_t hard_exp_sec     : 1;
 
-		/** Hard lifetime expired: bytes */
-		uint32_t hard_exp_bytes   : 1;
+			/** Hard lifetime expired: bytes */
+			uint32_t hard_exp_bytes   : 1;
 
-		/** Hard lifetime expired: packets */
-		uint32_t hard_exp_packets : 1;
-	} error;
+			/** Hard lifetime expired: packets */
+			uint32_t hard_exp_packets : 1;
 
-	/** All bits of the bit field structure
-	  *
-	  * This field can be used to set, clear or compare multiple flags.
-	  * For example, 'status.all != ODP_IPSEC_OK' checks if there are any
-	  * errors.
-	  */
-	uint32_t all;
+		} error;
 
-} odp_ipsec_status_t;
+		/** All error bits
+		 *
+		 *  This field can be used to set, clear or compare multiple
+		 *  flags. For example, 'status.all_error != ODP_IPSEC_OK'
+		 *  checks if there are
+		 *  any errors.
+		 */
+		uint32_t all_error;
+	};
+
+} odp_ipsec_op_status_t;
 
 /**
  * IPSEC operation input parameters
@@ -673,14 +744,15 @@  typedef struct odp_ipsec_op_param_t {
  */
 typedef struct odp_ipsec_packet_result_t {
 	/** IPSEC operation status */
-	odp_ipsec_status_t status;
+	odp_ipsec_op_status_t status;
 
 	/** Number of output packets created from the corresponding input packet
 	 *
 	 *  Without fragmentation offload this is always one. However, if the
 	 *  input packet was fragmented during the operation this is larger than
-	 *  one for the first fragment and zero for the rest of the fragments
-	 *  (following the first one in the 'pkt' array).
+	 *  one for the first returned fragment and zero for the rest of the
+	 *  fragments. All the fragments (of the same source packet) are stored
+	 *  consecutively in the 'pkt' array.
 	 */
 	int num_out;
 
@@ -745,6 +817,34 @@  typedef struct odp_ipsec_op_result_t {
 } odp_ipsec_op_result_t;
 
 /**
+ * IPSEC status ID
+ */
+typedef enum odp_ipsec_status_id_t {
+	/** Response to SA disable command */
+	ODP_IPSEC_STATUS_SA_DISABLE = 0
+
+} odp_ipsec_status_id_t;
+
+/**
+ * IPSEC status content
+ */
+typedef struct odp_ipsec_status_t {
+	/** IPSEC status ID */
+	odp_ipsec_status_id_t id;
+
+	/** Return value from the operation
+	 *
+	 *   0:    Success
+	 *  <0:    Failure
+	 */
+	int ret;
+
+	/** IPSEC SA that was target of the operation */
+	odp_ipsec_sa_t sa;
+
+} odp_ipsec_status_t;
+
+/**
  * Inbound synchronous IPSEC operation
  *
  * This operation does inbound IPSEC processing in synchronous mode
@@ -897,6 +997,22 @@  int odp_ipsec_out_enq(const odp_ipsec_op_param_t *input);
 int odp_ipsec_result(odp_ipsec_op_result_t *result, odp_event_t event);
 
 /**
+ * Get IPSEC status information from an ODP_EVENT_IPSEC_STATUS event
+ *
+ * Copies IPSEC status information from an event. The event must be of
+ * type ODP_EVENT_IPSEC_STATUS.
+ *
+ * @param[out]    status  Pointer to status information structure for output.
+ * @param         event   An ODP_EVENT_IPSEC_STATUS event
+ *
+ * @retval  0     On success
+ * @retval <0     On failure
+ *
+ * @see odp_ipsec_sa_disable()
+ */
+int odp_ipsec_status(odp_ipsec_status_t *status, odp_event_t event);
+
+/**
  * Update MTU for outbound IP fragmentation
  *
  * When IP fragmentation offload is enabled, the SA is created with an MTU.

[API-NEXT,v4,1/3] api: ipsec: extend lookaside API

Commit Message

Comments

Patch