Hi Konstantin,
Please see inline.
Thanks
Tejasree
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.anan...@intel.com>
> Sent: Tuesday, April 6, 2021 7:08 PM
> To: Tejasree Kondoj <ktejas...@marvell.com>; Akhil Goyal
> <gak...@marvell.com>; Nicolau, Radu <radu.nico...@intel.com>
> Cc: Anoob Joseph <ano...@marvell.com>; Ankur Dwivedi
> <adwiv...@marvell.com>; Jerin Jacob Kollanukkaran <jer...@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 3/4] examples/ipsec-secgw: add UDP
> encapsulation support
>
> External Email
>
> ----------------------------------------------------------------------
>
> >
> > Adding lookaside IPsec UDP encapsulation support for NAT traversal.
> > Application has to add udp-encap option to sa config file to enable
> > UDP encapsulation on the SA.
> >
> > Signed-off-by: Tejasree Kondoj <ktejas...@marvell.com>
> > ---
> > doc/guides/rel_notes/release_21_05.rst | 5 ++++
> > doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++--
> > examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++---
> > examples/ipsec-secgw/ipsec-secgw.h | 2 ++
> > examples/ipsec-secgw/ipsec.c | 9 ++++++++
> > examples/ipsec-secgw/ipsec.h | 2 ++
> > examples/ipsec-secgw/sa.c | 18 +++++++++++++++
> > examples/ipsec-secgw/sad.h | 7 +++++-
> > 8 files changed, 81 insertions(+), 6 deletions(-)
> >
> > diff --git a/doc/guides/rel_notes/release_21_05.rst
> > b/doc/guides/rel_notes/release_21_05.rst
> > index 4ab2d7500f..9ef2537b1a 100644
> > --- a/doc/guides/rel_notes/release_21_05.rst
> > +++ b/doc/guides/rel_notes/release_21_05.rst
> > @@ -111,6 +111,11 @@ New Features
> > * Added command to display Rx queue used descriptor count.
> > ``show port (port_id) rxq (queue_id) desc used count``
> >
> > +* **Updated ipsec-secgw sample application.**
> > +
> > + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
> > + support for NAT Traversal.
> > +
> >
> > Removed Items
> > -------------
> > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
> > b/doc/guides/sample_app_ug/ipsec_secgw.rst
> > index 176e292d3f..07bbbb5916 100644
> > --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> > @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:
> >
> > sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
> > <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
> > - <flow-direction> <port_id> <queue_id>
> > + <flow-direction> <port_id> <queue_id> <udp-encap>
> >
> > where each options means:
> >
> > @@ -709,6 +709,17 @@ where each options means:
> > * *port_id*: Port ID of the NIC for which the SA is configured.
> > * *queue_id*: Queue ID to which traffic should be redirected.
> >
> > + ``<udp-encap>``
> > +
> > + * Option to enable IPsec UDP encapsulation for NAT Traversal.
> > + Only lookaside-protocol-offload mode is supported at the moment.
> > +
> > + * Optional: Yes, it is disabled by default
> > +
> > + * Syntax:
> > +
> > + * *udp-encap*
> > +
> > Example SA rules:
> >
> > .. code-block:: console
> > @@ -1023,4 +1034,4 @@ Available options:
> > * ``-h`` Show usage.
> >
> > If <ipsec_mode> is specified, only tests for that mode will be
> > invoked. For the -list of available modes please refer to run_test.sh.
> > \ No newline at end of file
> > +list of available modes please refer to run_test.sh.
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c
> > b/examples/ipsec-secgw/ipsec-secgw.c
> > index 20d69ba813..6f6f2aa796 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
> > /* application wide librte_ipsec/SA parameters */ struct app_sa_prm
> > app_sa_prm = {
> > .enable = 0,
> > - .cache_sz = SA_CACHE_SZ
> > + .cache_sz = SA_CACHE_SZ,
> > + .udp_encap = 0
> > };
> > static const char *cfgfile;
> >
> > @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
> ipsec_traffic *t)
> > const struct rte_ether_hdr *eth;
> > const struct rte_ipv4_hdr *iph4;
> > const struct rte_ipv6_hdr *iph6;
> > + const struct rte_udp_hdr *udp;
> > + uint16_t ip4_hdr_len;
> > + uint16_t nat_port;
> >
> > eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
> > if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
> @@
> > -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
> ipsec_traffic *t)
> > RTE_ETHER_HDR_LEN);
> > adjust_ipv4_pktlen(pkt, iph4, 0);
> >
> > - if (iph4->next_proto_id == IPPROTO_ESP)
> > + switch (iph4->next_proto_id) {
> > + case IPPROTO_ESP:
> > t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> > - else {
> > + break;
> > + case IPPROTO_UDP:
> > + if (app_sa_prm.udp_encap == 1) {
> > + ip4_hdr_len = ((iph4->version_ihl &
> > + RTE_IPV4_HDR_IHL_MASK) *
> > + RTE_IPV4_IHL_MULTIPLIER);
> > + udp = rte_pktmbuf_mtod_offset(pkt,
> > + struct rte_udp_hdr *, ip4_hdr_len);
> > + nat_port =
> rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
> > + if (udp->src_port == nat_port ||
> > + udp->dst_port == nat_port){
> > + t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> > + pkt->packet_type |=
> > +
> RTE_PTYPE_TUNNEL_ESP_IN_UDP;
> > + break;
> > + }
> > + }
> > + /* Fall through */
> > + default:
> > t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
> > t->ip4.pkts[(t->ip4.num)++] = pkt;
> > }
>
> As I understand you don't support UDP tunneling for ipv6 packets for now.
> If so, then it probably worth to notice that in the doc, and in
> parse_sa_tokens() add a check for ipv4.
> Apart from that all seems ok to me.
> Acked-by: Konstantin Ananyev <konstantin.anan...@intel.com>
[Tejasree] Added support for IPv6 packets in v3. Could you please review?
