Add a fallback session feature that allows processing packets that the inline processor is unable to handle (e.g. fragmented traffic). Processing takes place in a secondary session defined for the SA in a configuration file.

This feature is limited to ingress IPsec traffic only. IPsec anti-replay window and ESN are supported in conjunction with the fallback session when the following conditions are met:
 * primary session is 'inline-crypto-offload',
 * fallback session is 'lookaside-none'.

v2 to v3 changes:
 - doc and commit log update
 - explicitly state feature limitations

v1 to v2 changes:
 - disable fallback offload for outbound SAs
 - add test scripts

Marcin Smoczynski (3):
  examples/ipsec-secgw: ipsec_sa structure cleanup
  examples/ipsec-secgw: add fallback session feature
  examples/ipsec-secgw: add offload fallback tests

 doc/guides/sample_app_ug/ipsec_secgw.rst      |  20 ++-
 examples/ipsec-secgw/esp.c                    |  35 ++--
 examples/ipsec-secgw/ipsec-secgw.c            |  16 +-
 examples/ipsec-secgw/ipsec.c                  |  99 ++++++-----
 examples/ipsec-secgw/ipsec.h                  |  61 +++++--
 examples/ipsec-secgw/ipsec_process.c          | 113 +++++++-----
 examples/ipsec-secgw/sa.c                     | 164 +++++++++++++-----
 .../test/trs_aesgcm_common_defs.sh            |   4 +-
 .../trs_aesgcm_inline_crypto_fallback_defs.sh |   5 +
 .../test/tun_aesgcm_common_defs.sh            |   6 +-
 .../tun_aesgcm_inline_crypto_fallback_defs.sh |   5 +
 11 files changed, 361 insertions(+), 167 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh

--
2.17.1