> +static inline int
> +process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
> +             struct rte_event *ev)
> +{
> +     struct ipsec_sa *sa = NULL;
> +     struct rte_mbuf *pkt;
> +     uint16_t port_id = 0;
> +     enum pkt_type type;
> +     uint32_t sa_idx;
> +     uint8_t *nlp;
> +
> +     /* Get pkt from event */
> +     pkt = ev->mbuf;
> +
> +     /* Check the packet type */
> +     type = process_ipsec_get_pkt_type(pkt, &nlp);
> +
> +     switch (type) {
> +     case PKT_TYPE_PLAIN_IPV4:
> +             if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD)
> +                     sa = (struct ipsec_sa *) pkt->udata64;


Shouldn't packets with PKT_RX_SEC_OFFLOAD_FAIL be handled somehow?
Another question - as far as I can see from the code, event mode currently
supports only inline-proto, correct?
If so, an error should probably be reported at startup if the config file
requests any other session type.

> +
> +             /* Check if we have a match */
> +             if (check_sp(ctx->sp4_ctx, nlp, &sa_idx) == 0) {
> +                     /* No valid match */
> +                     goto drop_pkt_and_exit;
> +             }
> +             break;
> +
> +     case PKT_TYPE_PLAIN_IPV6:
> +             if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD)
> +                     sa = (struct ipsec_sa *) pkt->udata64;
> +
> +             /* Check if we have a match */
> +             if (check_sp(ctx->sp6_ctx, nlp, &sa_idx) == 0) {
> +                     /* No valid match */
> +                     goto drop_pkt_and_exit;
> +             }
> +             break;
> +
> +     default:
> +             RTE_LOG(ERR, IPSEC, "Unsupported packet type = %d\n", type);
> +             goto drop_pkt_and_exit;
> +     }
> +
> +     /* Check if the packet has to be bypassed */
> +     if (sa_idx == 0)
> +             goto route_and_send_pkt;
> +
> +     /* Else the packet has to be protected with SA */
> +
> +     /* If the packet was IPsec processed, then SA pointer should be set */
> +     if (sa == NULL)
> +             goto drop_pkt_and_exit;
> +
> +     /* SPI on the packet should match with the one in SA */
> +     if (unlikely(sa->spi != sa_idx))
> +             goto drop_pkt_and_exit;
> +
> +route_and_send_pkt:
> +     port_id = get_route(pkt, rt, type);
> +     if (unlikely(port_id == RTE_MAX_ETHPORTS)) {
> +             /* no match */
> +             goto drop_pkt_and_exit;
> +     }
> +     /* else, we have a matching route */
> +
> +     /* Update mac addresses */
> +     update_mac_addrs(pkt, port_id);
> +
> +     /* Update the event with the dest port */
> +     ipsec_event_pre_forward(pkt, port_id);
> +     return 1;
> +
> +drop_pkt_and_exit:
> +     RTE_LOG(ERR, IPSEC, "Inbound packet dropped\n");
> +     rte_pktmbuf_free(pkt);
> +     ev->mbuf = NULL;
> +     return 0;
> +}
> +
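Review bot: Both drop paths log at ERR for every discarded packet, via `RTE_LOG(ERR, IPSEC, "Inbound packet dropped\n")` at `drop_pkt_and_exit` and the "Unsupported packet type" message in the `default:` case (which then logs a second time at the label). Traffic that fails the policy lookup or has an unsupported type therefore costs the worker at least one log write per packet. On a per-event path I would count the drop in a statistic and log at data-path level instead, e.g. `RTE_LOG_DP(DEBUG, IPSEC, "Inbound packet dropped\n");`. Separately, the comment above `sa->spi != sa_idx` says the SPI must match, but the value compared is whatever check_sp() stored in `sa_idx`. check_sp() is not visible in this quote, so a comment stating that it yields the SPI, and that 0 means bypass, would make the check easier to verify.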
