Add support to allow user to specific MSS for TSO offload on a per SA
basis. MSS configuration in the context of IPsec is only supported for
outbound SA's in the context of an inline IPsec Crypto offload.
Signed-off-by: Declan Doherty <declan.dohe...@intel.com>
Signed-off-by: Radu Nicolau <radu.nico...@intel.com>
---
doc/guides/rel_notes/release_21_11.rst | 4 ++++
doc/guides/sample_app_ug/ipsec_secgw.rst | 11 +++++++++++
examples/ipsec-secgw/ipsec-secgw.c | 4 ++++
examples/ipsec-secgw/ipsec.h | 1 +
examples/ipsec-secgw/ipsec_process.c | 22 ++++++++++++++++++++++
examples/ipsec-secgw/sa.c | 10 ++++++++++
6 files changed, 52 insertions(+)
diff --git a/doc/guides/rel_notes/release_21_11.rst
b/doc/guides/rel_notes/release_21_11.rst
index 955b0bd68f..c2563c6f63 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -203,6 +203,10 @@ New Features
* Added support for setting a non default starting ESN value.
* Added support TSO offload support; only supported for inline crypto mode.
+* **IPsec Security Gateway sample application new features.**
+
+ * Added support for TSO
+
Removed Items
-------------
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 6510456e31..2ff928e4dc 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -748,6 +748,17 @@ where each options means:
* *esn N* N is the initial ESN value
+ ``<mss>``
+
+ * Maximum segment size for TSO offload, available for egress SAs only.
+
+ * Optional: Yes, TSO offload not set by default
+
+ * Syntax:
+
+ * *mss N* N is the segment size in bytes
+
+
Example SA rules:
.. code-block:: console
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 47c33661df..6aaaaa3a14 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -400,6 +400,10 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
ipsec_traffic *t)
pkt->l2_len = 0;
pkt->l3_len = sizeof(*iph4);
pkt->packet_type |= RTE_PTYPE_L3_IPV4;
+ if (pkt->packet_type & RTE_PTYPE_L4_TCP)
+ pkt->l4_len = sizeof(struct rte_tcp_hdr);
+ else if (pkt->packet_type & RTE_PTYPE_L4_UDP)
+ pkt->l4_len = sizeof(struct rte_udp_hdr);
} else if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6)) {
int next_proto;
size_t l3len, ext_len;
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 0dfb0d6acb..02855ce774 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -142,6 +142,7 @@ struct ipsec_sa {
enum rte_security_ipsec_sa_direction direction;
uint8_t udp_encap;
uint16_t portid;
+ uint16_t mss;
uint64_t esn;
uint8_t fdir_qid;
uint8_t fdir_flag;
diff --git a/examples/ipsec-secgw/ipsec_process.c
b/examples/ipsec-secgw/ipsec_process.c
index 5012e1a6a4..333e3f1e74 100644
--- a/examples/ipsec-secgw/ipsec_process.c
+++ b/examples/ipsec-secgw/ipsec_process.c
@@ -222,6 +222,28 @@ prep_process_group(void *sa, struct rte_mbuf *mb[],
uint32_t cnt)
for (j = 0; j != cnt; j++) {
priv = get_priv(mb[j]);
priv->sa = sa;
+ /* setup TSO related fields if TSO enabled*/
+ if (priv->sa->mss) {
+ mb[j]->tso_segsz = priv->sa->mss;
+
+ if ((IS_TUNNEL(priv->sa->flags))) {
+ mb[j]->outer_l3_len = mb[j]->l3_len;
+ mb[j]->outer_l2_len = mb[j]->l2_len;
+ mb[j]->ol_flags |=
+ (PKT_TX_OUTER_IP_CKSUM | PKT_TX_TUNNEL_ESP);
+ }
+ uint32_t ptype = mb[j]->packet_type;
+ if (ptype & RTE_PTYPE_L4_TCP)
+ mb[j]->ol_flags |=
+ (PKT_TX_TCP_SEG | PKT_TX_TCP_CKSUM);
+ else
+ mb[j]->ol_flags |=
+ (PKT_TX_UDP_SEG | PKT_TX_UDP_CKSUM);
+ if (RTE_ETH_IS_IPV4_HDR(ptype))
+ mb[j]->ol_flags |= PKT_TX_OUTER_IPV4;
+ else
+ mb[j]->ol_flags |= PKT_TX_OUTER_IPV6;
+ }
}
}
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index de06f24d01..3690e0a7eb 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -778,6 +778,16 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
continue;
}
+ if (strcmp(tokens[ti], "mss") == 0) {
+ INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+ if (status->status < 0)
+ return;
+ rule->mss = atoi(tokens[ti]);
+ if (status->status < 0)
+ return;
+ continue;
+ }
+
if (strcmp(tokens[ti], "fallback") == 0) {
struct rte_ipsec_session *fb;
--
2.25.1
