> > Adding lookaside IPsec UDP encapsulation support > for NAT traversal. > Application has to add udp-encap option to sa config file > to enable UDP encapsulation on the SA. > > Signed-off-by: Tejasree Kondoj <ktejas...@marvell.com> > --- > doc/guides/rel_notes/release_21_05.rst | 5 ++++ > doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++-- > examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++--- > examples/ipsec-secgw/ipsec-secgw.h | 2 ++ > examples/ipsec-secgw/ipsec.c | 9 ++++++++ > examples/ipsec-secgw/ipsec.h | 2 ++ > examples/ipsec-secgw/sa.c | 18 +++++++++++++++ > examples/ipsec-secgw/sad.h | 7 +++++- > 8 files changed, 81 insertions(+), 6 deletions(-) > > diff --git a/doc/guides/rel_notes/release_21_05.rst > b/doc/guides/rel_notes/release_21_05.rst > index 4ab2d7500f..9ef2537b1a 100644 > --- a/doc/guides/rel_notes/release_21_05.rst > +++ b/doc/guides/rel_notes/release_21_05.rst > @@ -111,6 +111,11 @@ New Features > * Added command to display Rx queue used descriptor count. > ``show port (port_id) rxq (queue_id) desc used count`` > > +* **Updated ipsec-secgw sample application.** > + > + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation > + support for NAT Traversal. > + > > Removed Items > ------------- > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst > b/doc/guides/sample_app_ug/ipsec_secgw.rst > index 176e292d3f..07bbbb5916 100644 > --- a/doc/guides/sample_app_ug/ipsec_secgw.rst > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst > @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows: > > sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> > <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback> > - <flow-direction> <port_id> <queue_id> > + <flow-direction> <port_id> <queue_id> <udp-encap> > > where each options means: 
> > @@ -709,6 +709,17 @@ where each options means: > * *port_id*: Port ID of the NIC for which the SA is configured. > * *queue_id*: Queue ID to which traffic should be redirected. > > + ``<udp-encap>`` > + > + * Option to enable IPsec UDP encapsulation for NAT Traversal. > + Only lookaside-protocol-offload mode is supported at the moment. > + > + * Optional: Yes, it is disabled by default > + > + * Syntax: > + > + * *udp-encap* > + > Example SA rules: > > .. code-block:: console > @@ -1023,4 +1034,4 @@ Available options: > * ``-h`` Show usage. > > If <ipsec_mode> is specified, only tests for that mode will be invoked. For > the > -list of available modes please refer to run_test.sh. > \ No newline at end of file > +list of available modes please refer to run_test.sh. > diff --git a/examples/ipsec-secgw/ipsec-secgw.c > b/examples/ipsec-secgw/ipsec-secgw.c > index 20d69ba813..6f6f2aa796 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS; > /* application wide librte_ipsec/SA parameters */ > struct app_sa_prm app_sa_prm = { > .enable = 0, > - .cache_sz = SA_CACHE_SZ > + .cache_sz = SA_CACHE_SZ, > + .udp_encap = 0 > }; > static const char *cfgfile; > > @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct > ipsec_traffic *t) > const struct rte_ether_hdr *eth; > const struct rte_ipv4_hdr *iph4; > const struct rte_ipv6_hdr *iph6; > + const struct rte_udp_hdr *udp; > + uint16_t ip4_hdr_len; > + uint16_t nat_port; > > eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *); > if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) { 
> @@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct > ipsec_traffic *t) > RTE_ETHER_HDR_LEN); > adjust_ipv4_pktlen(pkt, iph4, 0); > > - if (iph4->next_proto_id == IPPROTO_ESP) > + switch (iph4->next_proto_id) { > + case IPPROTO_ESP: > t->ipsec.pkts[(t->ipsec.num)++] = pkt; > - else { > + break; > + case IPPROTO_UDP: > + if (app_sa_prm.udp_encap == 1) { > + ip4_hdr_len = ((iph4->version_ihl & > + RTE_IPV4_HDR_IHL_MASK) * > + RTE_IPV4_IHL_MULTIPLIER); > + udp = rte_pktmbuf_mtod_offset(pkt, > + struct rte_udp_hdr *, ip4_hdr_len); > + nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT); > + if (udp->src_port == nat_port || > + udp->dst_port == nat_port){ > + t->ipsec.pkts[(t->ipsec.num)++] = pkt; > + pkt->packet_type |= > + RTE_PTYPE_TUNNEL_ESP_IN_UDP; > + break; > + } > + } > + /* Fall through */ > + default: > t->ip4.data[t->ip4.num] = &iph4->next_proto_id; > t->ip4.pkts[(t->ip4.num)++] = pkt; > }
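Review bot: The ``<udp-encap>`` description added to ipsec_secgw.rst says only lookaside-protocol-offload mode is supported but does not say what the SA parser does when the option is given on an SA with another action type (reject or silently ignore), and it does not mention that only IPv4 outer headers are classified, since the prepare_one_packet hunk adds its UDP case under the IPv4 branch only. Please state both next to "Only lookaside-protocol-offload mode is supported at the moment.", e.g. a line such as "Only IPv4 SAs are supported; the option is rejected for other action types", matching whatever sa.c actually enforces.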
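Review bot: udp_encap is introduced as a field of the application-wide app_sa_prm (`.udp_encap = 0`), while the doc hunk presents udp-encap as a per-SA rule option. Once any SA sets it, the `if (app_sa_prm.udp_encap == 1)` gate in prepare_one_packet steers UDP/4500 traffic on every port to the IPsec path, regardless of which SA or port the packet belongs to. If that is the intended behaviour, say so in the ``<udp-encap>`` doc text; otherwise keep the flag per SA and let the SAD lookup decide.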
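Review bot: In the prepare_one_packet hunk, matching `udp->src_port == nat_port || udp->dst_port == nat_port` classifies every UDP/4500 datagram as ESP-in-UDP, but RFC 3948 multiplexes IKE on the same port using a four-byte all-zero non-ESP marker, and NAT-keepalive packets are a single 0xFF byte; both would now be queued to t->ipsec and fail there instead of following the ip4 path as before. Suggest checking that the 32 bits following the UDP header are non-zero (a valid SPI, since SPI 0 is reserved) before tagging the packet with RTE_PTYPE_TUNNEL_ESP_IN_UDP, and also checking that pkt->data_len covers ip4_hdr_len + sizeof(struct rte_udp_hdr) before dereferencing udp, since IHL can be as large as 60 bytes. Minor style: `udp->dst_port == nat_port){` is missing a space before the brace.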
As I understand it, you don't support UDP tunneling for IPv6 packets for now. If so, then it is probably worth noting that in the doc, and adding a check for IPv4 in parse_sa_tokens(). Apart from that, all seems OK to me.

Acked-by: Konstantin Ananyev <konstantin.anan...@intel.com>