Hi Konstantin and Awal:
I have couple questions for this patch.
please forgive me if they are obvious, since I don't have much insight
on IPsec, but I may work on related stuff in future :)
> +static inline int32_t
> +esp_outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,
> + const uint64_t ivp[IPSEC_MAX_IV_QWORD], struct rte_mbuf *mb,
> + union sym_op_data *icv)
> +{
> + uint32_t clen, hlen, pdlen, pdofs, tlen;
> + struct rte_mbuf *ml;
> + struct esp_hdr *esph;
> + struct esp_tail *espt;
> + char *ph, *pt;
> + uint64_t *iv;
> +
> + /* calculate extra header space required */
> + hlen = sa->hdr_len + sa->iv_len + sizeof(*esph);
> +
> + /* number of bytes to encrypt */
> + clen = mb->pkt_len + sizeof(*espt);
> + clen = RTE_ALIGN_CEIL(clen, sa->pad_align);
> +
> + /* pad length + esp tail */
> + pdlen = clen - mb->pkt_len;
> + tlen = pdlen + sa->icv_len;
> +
> + /* do append and prepend */
> + ml = rte_pktmbuf_lastseg(mb);
> + if (tlen + sa->sqh_len + sa->aad_len > rte_pktmbuf_tailroom(ml))
> + return -ENOSPC;
> +
> + /* prepend header */
> + ph = rte_pktmbuf_prepend(mb, hlen);
> + if (ph == NULL)
> + return -ENOSPC;
> +
> + /* append tail */
> + pdofs = ml->data_len;
> + ml->data_len += tlen;
> + mb->pkt_len += tlen;
> + pt = rte_pktmbuf_mtod_offset(ml, typeof(pt), pdofs);
> +
> + /* update pkt l2/l3 len */
> + mb->l2_len = sa->hdr_l3_off;
> + mb->l3_len = sa->hdr_len - sa->hdr_l3_off;
> +
> + /* copy tunnel pkt header */
> + rte_memcpy(ph, sa->hdr, sa->hdr_len);
I didn't get this, my understand is:
for tunnel mode if an original packet is
Eth + IP + UDP/TCP + data,
after encap, it should become
Eth + encap header (IP or IP + UDP) + ESP Header + IP + UDP/TCP + Data
+ ESP Tailer...
So after rte_pktmbuf_prepend shouldn't we do below
1) shift L2 HEAD (Eth) ahead
2) copy encap header and ESP header to the hole.
?
But now we just copy the sa->hdr on the pre-pend space directly? What is the
sa->hdr supposed to be? but no matter what is it, we encap everything before
the packet?
BTW, is UDP encapsulation also be considered here?, I didn't figure out how a
IP + UDP header should be configured with sa->hdr , sa->hdr_l3_off, sa->hdr_len
for this case
> +static inline int
> +esp_inb_tun_single_pkt_process(struct rte_ipsec_sa *sa, struct rte_mbuf
> *mb,
> + uint32_t *sqn)
> +{
> + uint32_t hlen, icv_len, tlen;
> + struct esp_hdr *esph;
> + struct esp_tail *espt;
> + struct rte_mbuf *ml;
> + char *pd;
> +
> + if (mb->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
> + return -EBADMSG;
> +
> + icv_len = sa->icv_len;
> +
> + ml = rte_pktmbuf_lastseg(mb);
> + espt = rte_pktmbuf_mtod_offset(ml, struct esp_tail *,
> + ml->data_len - icv_len - sizeof(*espt));
What kind of mechanism is to guarantee that last segment will always cover the
esp tail?( data_len >= icv_len + sizeof (*espt))
Is that possible the esp tail be split into multi-segment for jumbo frames caes?
Thanks
Qi
