NVIDIA DOCA SDK Data Center on a Chip Framework Documentation
flow_common.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2023-2024 NVIDIA CORPORATION AND AFFILIATES. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without modification, are permitted
5  * provided that the following conditions are met:
6  * * Redistributions of source code must retain the above copyright notice, this list of
7  * conditions and the following disclaimer.
8  * * Redistributions in binary form must reproduce the above copyright notice, this list of
9  * conditions and the following disclaimer in the documentation and/or other materials
10  * provided with the distribution.
11  * * Neither the name of the NVIDIA CORPORATION nor the names of its contributors may be used
12  * to endorse or promote products derived from this software without specific prior written
13  * permission.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
17  * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NVIDIA CORPORATION BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
19  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
20  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
21  * STRICT LIABILITY, OR TOR (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
22  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  *
24  */
25 #include <stdlib.h>
26 
27 #include <rte_ethdev.h>
28 
29 #include <doca_log.h>
30 #include <doca_flow.h>
31 #include <doca_flow_tune_server.h>
32 #include <doca_bitfield.h>
33 
34 #include "utils.h"
35 #include "flow_common.h"
36 #include "flow_decrypt.h"
37 #include "flow_encrypt.h"
38 
39 DOCA_LOG_REGISTER(IPSEC_SECURITY_GW::flow_common);
40 
41 /*
42  * Entry processing callback
43  *
44  * @entry [in]: entry pointer
45  * @pipe_queue [in]: queue identifier
46  * @status [in]: DOCA Flow entry status
47  * @op [in]: DOCA Flow entry operation
48  * @user_ctx [out]: user context
49  */
50 static void check_for_valid_entry(struct doca_flow_pipe_entry *entry,
51  uint16_t pipe_queue,
52  enum doca_flow_entry_status status,
53  enum doca_flow_entry_op op,
54  void *user_ctx)
55 {
56  (void)entry;
57  (void)op;
58  (void)pipe_queue;
59 
60  struct entries_status *entry_status = (struct entries_status *)user_ctx;
61 
62  if (entry_status == NULL || op != DOCA_FLOW_ENTRY_OP_ADD)
63  return;
64  if (status != DOCA_FLOW_ENTRY_STATUS_SUCCESS)
65  entry_status->failure = true; /* set failure to true if processing failed */
66  entry_status->nb_processed++;
67  entry_status->entries_in_queue--;
68 }
69 
70 /*
71  * Process entries and check the returned status
72  *
73  * @port [in]: the port we want to process in
74  * @status [in]: the entries status that was sent to the pipe
75  * @timeout [in]: timeout for the entries process function
76  * @pipe_queue [in]: queue identifier
77  */
78 doca_error_t process_entries(struct doca_flow_port *port,
79  struct entries_status *status,
80  int timeout,
81  uint16_t pipe_queue)
82 {
83  doca_error_t result;
84 
85  result = doca_flow_entries_process(port, pipe_queue, timeout, status->entries_in_queue);
86  if (result != DOCA_SUCCESS) {
87  DOCA_LOG_ERR("Failed to process entries: %s", doca_error_get_descr(result));
88  return result;
89  }
90  if (status->failure || status->entries_in_queue == QUEUE_DEPTH) {
91  DOCA_LOG_ERR("Failed to process entries");
92  return DOCA_ERROR_BAD_STATE;
93  }
94  return DOCA_SUCCESS;
95 }
96 
97 /*
98  * Create DOCA Flow port by port id
99  *
100  * @port_id [in]: port ID
101  * @dev [in]: DOCA device pointer
102  * @sn_offload_disable [in]: disable SN offload
103  * @port [out]: pointer to port handler
104  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
105  */
106 static doca_error_t create_doca_flow_port(int port_id,
107  struct doca_dev *dev,
108  bool sn_offload_disable,
109  struct doca_flow_port **port)
110 {
111  struct doca_flow_port_cfg *port_cfg;
112  doca_error_t result, tmp_result;
113 
114  result = doca_flow_port_cfg_create(&port_cfg);
115  if (result != DOCA_SUCCESS) {
116  DOCA_LOG_ERR("Failed to create doca_flow_port_cfg: %s", doca_error_get_descr(result));
117  return result;
118  }
119 
120  result = doca_flow_port_cfg_set_port_id(port_cfg, port_id);
121  if (result != DOCA_SUCCESS) {
122  DOCA_LOG_ERR("Failed to set doca_flow_port_cfg port_id: %s", doca_error_get_descr(result));
123  goto destroy_port_cfg;
124  }
125 
126  result = doca_flow_port_cfg_set_dev(port_cfg, dev);
127  if (result != DOCA_SUCCESS) {
128  DOCA_LOG_ERR("Failed to set doca_flow_port_cfg device: %s", doca_error_get_descr(result));
129  goto destroy_port_cfg;
130  }
131 
132  result = doca_flow_port_cfg_set_actions_mem_size(port_cfg, rte_align32pow2(MAX_ACTIONS_MEM_SIZE));
133  if (result != DOCA_SUCCESS) {
134  DOCA_LOG_ERR("Failed to set doca_flow_port_cfg actions memory size: %s", doca_error_get_descr(result));
135  goto destroy_port_cfg;
136  }
137 
138  if (sn_offload_disable) {
139  result = doca_flow_port_cfg_set_ipsec_sn_offload_disable(port_cfg);
140  if (result != DOCA_SUCCESS) {
141  DOCA_LOG_ERR("Failed to set doca_flow_port_cfg sn offload disable: %s",
142  doca_error_get_descr(result));
143  goto destroy_port_cfg;
144  }
145  }
146 
147  result = doca_flow_port_start(port_cfg, port);
148  if (result != DOCA_SUCCESS) {
149  DOCA_LOG_ERR("Failed to start doca_flow port: %s", doca_error_get_descr(result));
150  goto destroy_port_cfg;
151  }
152 
153 destroy_port_cfg:
154  tmp_result = doca_flow_port_cfg_destroy(port_cfg);
155  if (tmp_result != DOCA_SUCCESS) {
156  DOCA_LOG_ERR("Failed to destroy doca_flow port: %s", doca_error_get_descr(tmp_result));
157  DOCA_ERROR_PROPAGATE(result, tmp_result);
158  }
159 
160  return result;
161 }
162 
163 doca_error_t ipsec_security_gw_init_doca_flow(const struct ipsec_security_gw_config *app_cfg,
164  int nb_queues,
165  struct ipsec_security_gw_ports_map *ports[])
166 {
167  int port_id;
168  int port_idx = 0;
169  int nb_ports = 0;
170  struct doca_dev *dev;
171  struct doca_flow_cfg *flow_cfg;
172  struct doca_flow_tune_server_cfg *server_cfg;
173  struct doca_flow_resource_rss_cfg rss = {0};
174  uint16_t rss_queues[nb_queues];
175  char *mode_args;
176  doca_error_t result;
177  bool sn_offload_disable;
178 
179  memset(&flow_cfg, 0, sizeof(flow_cfg));
180 
181  /* init doca flow with crypto shared resources */
182  result = doca_flow_cfg_create(&flow_cfg);
183  if (result != DOCA_SUCCESS) {
184  DOCA_LOG_ERR("Failed to create doca_flow_cfg: %s", doca_error_get_descr(result));
185  return result;
186  }
187  result = doca_flow_cfg_set_pipe_queues(flow_cfg, nb_queues);
188  if (result != DOCA_SUCCESS) {
189  DOCA_LOG_ERR("Failed to set doca_flow_cfg pipe_queues: %s", doca_error_get_descr(result));
190  doca_flow_cfg_destroy(flow_cfg);
191  return result;
192  }
193  if (app_cfg->flow_mode == IPSEC_SECURITY_GW_VNF)
194  mode_args = "vnf,hws,isolated";
195  else
196  mode_args = "switch,hws,isolated,expert";
197  result = doca_flow_cfg_set_mode_args(flow_cfg, mode_args);
198  if (result != DOCA_SUCCESS) {
199  DOCA_LOG_ERR("Failed to set doca_flow_cfg mode_args: %s", doca_error_get_descr(result));
200  doca_flow_cfg_destroy(flow_cfg);
201  return result;
202  }
203  result = doca_flow_cfg_set_queue_depth(flow_cfg, QUEUE_DEPTH);
204  if (result != DOCA_SUCCESS) {
205  DOCA_LOG_ERR("Failed to set doca_flow_cfg queue_depth: %s", doca_error_get_descr(result));
206  doca_flow_cfg_destroy(flow_cfg);
207  return result;
208  }
209  result = doca_flow_cfg_set_cb_entry_process(flow_cfg, check_for_valid_entry);
210  if (result != DOCA_SUCCESS) {
211  DOCA_LOG_ERR("Failed to set doca_flow_cfg cb_entry_process: %s", doca_error_get_descr(result));
212  doca_flow_cfg_destroy(flow_cfg);
213  return result;
214  }
215 
216  result = doca_flow_cfg_set_nr_counters(flow_cfg, MAX_NB_RULES * NUM_OF_SYNDROMES);
217  if (result != DOCA_SUCCESS) {
218  DOCA_LOG_ERR("Failed to set doca_flow_cfg nr_counters: %s", doca_error_get_descr(result));
219  doca_flow_cfg_destroy(flow_cfg);
220  return result;
221  }
222 
223  result = doca_flow_cfg_set_nr_shared_resource(flow_cfg,
224  MAX_NB_RULES * 2, /* for both encrypt and decrypt */
225  DOCA_FLOW_SHARED_RESOURCE_IPSEC_SA);
226  if (result != DOCA_SUCCESS) {
227  DOCA_LOG_ERR("Failed to set doca_flow_cfg nr_shared_resources: %s", doca_error_get_descr(result));
228  doca_flow_cfg_destroy(flow_cfg);
229  return result;
230  }
231 
232  linear_array_init_u16(rss_queues, nb_queues);
233  rss.nr_queues = nb_queues;
234  rss.queues_array = rss_queues;
235  result = doca_flow_cfg_set_default_rss(flow_cfg, &rss);
236  if (result != DOCA_SUCCESS) {
237  DOCA_LOG_ERR("Failed to set doca_flow_cfg rss: %s", doca_error_get_descr(result));
238  doca_flow_cfg_destroy(flow_cfg);
239  return result;
240  }
241  result = doca_flow_init(flow_cfg);
242  if (result != DOCA_SUCCESS) {
243  DOCA_LOG_ERR("Failed to init DOCA Flow: %s", doca_error_get_descr(result));
244  doca_flow_cfg_destroy(flow_cfg);
245  return result;
246  }
247  doca_flow_cfg_destroy(flow_cfg);
248 
249  sn_offload_disable = app_cfg->sw_sn_inc_enable && app_cfg->sw_antireplay;
250  for (port_id = 0; port_id < RTE_MAX_ETHPORTS; port_id++) {
251  /* search for the probed devices */
252  if (!rte_eth_dev_is_valid_port(port_id))
253  continue;
254  /* get device idx for ports array - secured or unsecured */
255  if (app_cfg->flow_mode == IPSEC_SECURITY_GW_VNF)
256  result = find_port_action_type_vnf(app_cfg, port_id, &dev, &port_idx);
257  else {
258  dev = app_cfg->objects.secured_dev.doca_dev;
259  result = find_port_action_type_switch(port_id, &port_idx);
260  }
261  if (result != DOCA_SUCCESS)
262  return result;
263 
264  ports[port_idx] = malloc(sizeof(struct ipsec_security_gw_ports_map));
265  if (ports[port_idx] == NULL) {
266  DOCA_LOG_ERR("malloc() failed");
267  doca_flow_cleanup(nb_ports, ports);
268  return DOCA_ERROR_NO_MEMORY;
269  }
270  result = create_doca_flow_port(port_id, dev, sn_offload_disable, &ports[port_idx]->port);
271  if (result != DOCA_SUCCESS) {
272  DOCA_LOG_ERR("Failed to init DOCA Flow port: %s", doca_error_get_descr(result));
273  free(ports[port_idx]);
274  doca_flow_cleanup(nb_ports, ports);
275  return result;
276  }
277  nb_ports++;
278  ports[port_idx]->port_id = port_id;
279  }
280  if (ports[SECURED_IDX]->port == NULL || ports[UNSECURED_IDX]->port == NULL) {
281  DOCA_LOG_ERR("Failed to init two DOCA Flow ports");
282  doca_flow_cleanup(nb_ports, ports);
283  return DOCA_ERROR_INITIALIZATION;
284  }
285  if (app_cfg->flow_mode == IPSEC_SECURITY_GW_VNF) {
286  result = doca_flow_port_pair(ports[SECURED_IDX]->port, ports[UNSECURED_IDX]->port);
287  if (result != DOCA_SUCCESS) {
288  DOCA_LOG_ERR("Failed to pair ports");
289  doca_flow_cleanup(nb_ports, ports);
290  return DOCA_ERROR_INITIALIZATION;
291  }
292  }
293  /* Init DOCA Flow Tune Server */
294  result = doca_flow_tune_server_cfg_create(&server_cfg);
295  if (result != DOCA_SUCCESS) {
296  DOCA_LOG_ERR("Failed to create flow tune server configuration");
297  doca_flow_cleanup(nb_ports, ports);
298  return result;
299  }
300  result = doca_flow_tune_server_init(server_cfg);
301  if (result != DOCA_SUCCESS) {
302  if (result == DOCA_ERROR_NOT_SUPPORTED) {
303  DOCA_LOG_DBG("DOCA Flow Tune Server isn't supported in this runtime version");
304  } else {
305  DOCA_LOG_ERR("Failed to initialize the flow tune server");
306  doca_flow_tune_server_cfg_destroy(server_cfg);
307  doca_flow_cleanup(nb_ports, ports);
308  return result;
309  }
310  }
311  doca_flow_tune_server_cfg_destroy(server_cfg);
312  return DOCA_SUCCESS;
313 }
314 
315 doca_error_t ipsec_security_gw_init_status(struct ipsec_security_gw_config *app_cfg, int nb_queues)
316 {
317  app_cfg->secured_status = (struct entries_status *)malloc(sizeof(struct entries_status) * nb_queues);
318  if (app_cfg->secured_status == NULL) {
319  DOCA_LOG_ERR("malloc() status array failed");
320  return DOCA_ERROR_NO_MEMORY;
321  }
322 
323  app_cfg->unsecured_status = (struct entries_status *)malloc(sizeof(struct entries_status) * nb_queues);
324  if (app_cfg->unsecured_status == NULL) {
325  DOCA_LOG_ERR("malloc() status array failed");
326  free(app_cfg->secured_status);
327  return DOCA_ERROR_NO_MEMORY;
328  }
329 
330  return DOCA_SUCCESS;
331 }
332 
333 doca_error_t ipsec_security_gw_bind(struct ipsec_security_gw_ports_map *ports[],
334  struct ipsec_security_gw_config *app_cfg)
335 {
336  struct doca_flow_port *secured_port;
337  doca_error_t result;
338 
339  if (app_cfg->flow_mode == IPSEC_SECURITY_GW_VNF) {
340  secured_port = ports[SECURED_IDX]->port;
341  } else {
342  secured_port = doca_flow_port_switch_get(NULL);
343  }
344  result = bind_encrypt_ids(app_cfg->app_rules.nb_encrypt_rules, secured_port);
345  if (result != DOCA_SUCCESS) {
346  DOCA_LOG_ERR("Failed to bind IDs: %s", doca_error_get_descr(result));
347  return result;
348  }
349 
350  result = bind_decrypt_ids(app_cfg->app_rules.nb_decrypt_rules,
351  app_cfg->app_rules.nb_encrypt_rules,
352  secured_port);
353  if (result != DOCA_SUCCESS) {
354  DOCA_LOG_ERR("Failed to bind IDs: %s", doca_error_get_descr(result));
355  return result;
356  }
357  return result;
358 }
359 
360 void doca_flow_cleanup(int nb_ports, struct ipsec_security_gw_ports_map *ports[])
361 {
362  int port_id;
363 
364  for (port_id = nb_ports - 1; port_id >= 0; port_id--) {
365  if (ports[port_id] != NULL) {
366  doca_flow_port_stop(ports[port_id]->port);
367  free(ports[port_id]);
368  }
369  }
370 
371  doca_flow_destroy();
372 }
373 
374 uint32_t get_icv_len_int(enum doca_flow_crypto_icv_len icv_len)
375 {
376  if (icv_len == DOCA_FLOW_CRYPTO_ICV_LENGTH_8)
377  return 8;
378  else if (icv_len == DOCA_FLOW_CRYPTO_ICV_LENGTH_12)
379  return 12;
380  else
381  return 16;
382 }
383 
384 doca_error_t create_rss_pipe(struct ipsec_security_gw_config *app_cfg,
385  struct doca_flow_port *port,
386  uint16_t nb_queues,
387  struct doca_flow_pipe **rss_pipe)
388 {
389  struct doca_flow_match match;
390  struct doca_flow_match match_mask;
391  struct doca_flow_fwd fwd;
392  struct doca_flow_pipe_cfg *pipe_cfg;
393  int num_of_entries = 2;
394  uint16_t *rss_queues = NULL;
395  int i;
396  doca_error_t result;
397  union security_gateway_pkt_meta meta = {0};
398  bool is_root = (app_cfg->flow_mode == IPSEC_SECURITY_GW_VNF);
399 
400  memset(&match, 0, sizeof(match));
401  memset(&match_mask, 0, sizeof(match_mask));
402  memset(&fwd, 0, sizeof(fwd));
403  memset(&app_cfg->secured_status[0], 0, sizeof(app_cfg->secured_status[0]));
404 
405  meta.encrypt = 1;
406  meta.decrypt = 1;
407  match_mask.meta.pkt_meta = DOCA_HTOBE32(meta.u32);
408 
409  fwd.type = DOCA_FLOW_FWD_RSS;
410  fwd.rss_type = DOCA_FLOW_RESOURCE_TYPE_NON_SHARED;
411  rss_queues = (uint16_t *)calloc(nb_queues - 1, sizeof(uint16_t));
412  if (rss_queues == NULL) {
413  DOCA_LOG_ERR("Failed to allocate memory for RSS queues");
414  return DOCA_ERROR_NO_MEMORY;
415  }
416 
417  for (i = 0; i < nb_queues - 1; i++)
418  rss_queues[i] = i + 1;
419  fwd.rss.queues_array = rss_queues;
420  fwd.rss.nr_queues = nb_queues - 1;
421 
422  result = doca_flow_pipe_cfg_create(&pipe_cfg, port);
423  if (result != DOCA_SUCCESS) {
424  DOCA_LOG_ERR("Failed to create doca_flow_pipe_cfg: %s", doca_error_get_descr(result));
425  return result;
426  }
427 
428  result = doca_flow_pipe_cfg_set_name(pipe_cfg, "RSS_PIPE");
429  if (result != DOCA_SUCCESS) {
430  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg name: %s", doca_error_get_descr(result));
431  goto destroy_pipe_cfg;
432  }
433  result = doca_flow_pipe_cfg_set_type(pipe_cfg, DOCA_FLOW_PIPE_BASIC);
434  if (result != DOCA_SUCCESS) {
435  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg type: %s", doca_error_get_descr(result));
436  goto destroy_pipe_cfg;
437  }
438  result = doca_flow_pipe_cfg_set_is_root(pipe_cfg, is_root);
439  if (result != DOCA_SUCCESS) {
440  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg is_root: %s", doca_error_get_descr(result));
441  goto destroy_pipe_cfg;
442  }
443  result = doca_flow_pipe_cfg_set_match(pipe_cfg, &match, &match_mask);
444  if (result != DOCA_SUCCESS) {
445  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg match: %s", doca_error_get_descr(result));
446  goto destroy_pipe_cfg;
447  }
448 
449  result = doca_flow_pipe_create(pipe_cfg, &fwd, NULL, rss_pipe);
450  if (result != DOCA_SUCCESS) {
451  DOCA_LOG_ERR("Failed to create RSS pipe: %s", doca_error_get_descr(result));
452  if (rss_queues != NULL)
453  free(rss_queues);
454  goto destroy_pipe_cfg;
455  }
456 
457  doca_flow_pipe_cfg_destroy(pipe_cfg);
458 
459  if (rss_queues != NULL)
460  free(rss_queues);
461 
462  meta.encrypt = 1;
463  meta.decrypt = 0;
464  match.meta.pkt_meta = DOCA_HTOBE32(meta.u32);
465  result = doca_flow_pipe_add_entry(0,
466  *rss_pipe,
467  &match,
468  NULL,
469  NULL,
470  NULL,
471  DOCA_FLOW_WAIT_FOR_BATCH,
472  &app_cfg->secured_status[0],
473  NULL);
474  if (result != DOCA_SUCCESS) {
475  DOCA_LOG_ERR("Failed to add entry to RSS pipe: %s", doca_error_get_descr(result));
476  return result;
477  }
478 
479  meta.encrypt = 0;
480  meta.decrypt = 1;
481  match.meta.pkt_meta = DOCA_HTOBE32(meta.u32);
482  result = doca_flow_pipe_add_entry(0,
483  *rss_pipe,
484  &match,
485  NULL,
486  NULL,
487  NULL,
488  DOCA_FLOW_NO_WAIT,
489  &app_cfg->secured_status[0],
490  NULL);
491  if (result != DOCA_SUCCESS) {
492  DOCA_LOG_ERR("Failed to add entry to RSS pipe: %s", doca_error_get_descr(result));
493  return result;
494  }
495 
496  result = doca_flow_entries_process(port, 0, DEFAULT_TIMEOUT_US, num_of_entries);
497  if (result != DOCA_SUCCESS) {
498  DOCA_LOG_ERR("Failed to process entry: %s", doca_error_get_descr(result));
499  return result;
500  }
501  if (app_cfg->secured_status[0].nb_processed != num_of_entries || app_cfg->secured_status[0].failure) {
502  DOCA_LOG_ERR("Failed to process entry");
503  return DOCA_ERROR_BAD_STATE;
504  }
505  return DOCA_SUCCESS;
506 
507 destroy_pipe_cfg:
508  doca_flow_pipe_cfg_destroy(pipe_cfg);
509  return result;
510 }
511 
512 void create_hairpin_pipe_fwd(struct ipsec_security_gw_config *app_cfg,
513  int port_id,
514  bool encrypt,
515  uint16_t *rss_queues,
516  uint32_t rss_flags,
517  struct doca_flow_fwd *fwd)
518 {
519  uint32_t nb_queues = app_cfg->dpdk_config->port_config.nb_queues;
520  uint32_t i;
521 
522  memset(fwd, 0, sizeof(*fwd));
523 
524  if ((app_cfg->offload == IPSEC_SECURITY_GW_ESP_OFFLOAD_NONE) ||
525  (app_cfg->offload == IPSEC_SECURITY_GW_ESP_OFFLOAD_ENCAP && !encrypt) ||
526  (app_cfg->offload == IPSEC_SECURITY_GW_ESP_OFFLOAD_DECAP && encrypt)) {
527  /* for software handling the packets will be sent to the application by RSS queues */
528  if (app_cfg->flow_mode == IPSEC_SECURITY_GW_SWITCH) {
529  fwd->type = DOCA_FLOW_FWD_PIPE;
530  fwd->next_pipe = app_cfg->switch_pipes.rss_pipe.pipe;
531  } else {
532  for (i = 0; i < nb_queues - 1; i++)
533  rss_queues[i] = i + 1;
534 
535  fwd->type = DOCA_FLOW_FWD_RSS;
536  fwd->rss_type = DOCA_FLOW_RESOURCE_TYPE_NON_SHARED;
537  if (!encrypt && app_cfg->mode == IPSEC_SECURITY_GW_TUNNEL)
538  fwd->rss.inner_flags = rss_flags;
539  else
540  fwd->rss.outer_flags = rss_flags;
541 
542  fwd->rss.queues_array = rss_queues;
543  fwd->rss.nr_queues = nb_queues - 1;
544  }
545  } else {
546  if (app_cfg->flow_mode == IPSEC_SECURITY_GW_SWITCH) {
547  fwd->type = DOCA_FLOW_FWD_PIPE;
548  fwd->next_pipe = app_cfg->switch_pipes.pkt_meta_pipe.pipe;
549  } else {
550  fwd->type = DOCA_FLOW_FWD_PORT;
551  fwd->port_id = port_id ^ 1;
552  }
553  }
554 }
555 
556 /*
557  * Create DOCA Flow pipe that match on port meta field.
558  *
559  * @pipe [out]: the created pipe
560  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
561  */
562 static doca_error_t create_switch_port_meta_pipe(struct doca_flow_pipe **pipe)
563 {
564  struct doca_flow_match match;
565  struct doca_flow_pipe_cfg *pipe_cfg;
566  doca_error_t result;
567  struct doca_flow_fwd fwd = {.type = DOCA_FLOW_FWD_CHANGEABLE};
568 
569  memset(&match, 0, sizeof(match));
570 
571  match.parser_meta.port_id = UINT16_MAX;
572 
573  result = doca_flow_pipe_cfg_create(&pipe_cfg, doca_flow_port_switch_get(NULL));
574  if (result != DOCA_SUCCESS) {
575  DOCA_LOG_ERR("Failed to create doca_flow_pipe_cfg: %s", doca_error_get_descr(result));
576  return result;
577  }
578 
579  result = doca_flow_pipe_cfg_set_name(pipe_cfg, "SWITCH_PORT_META_PIPE");
580  if (result != DOCA_SUCCESS) {
581  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg name: %s", doca_error_get_descr(result));
582  goto destroy_pipe_cfg;
583  }
584  result = doca_flow_pipe_cfg_set_is_root(pipe_cfg, true);
585  if (result != DOCA_SUCCESS) {
586  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg is_root: %s", doca_error_get_descr(result));
587  goto destroy_pipe_cfg;
588  }
589  result = doca_flow_pipe_cfg_set_match(pipe_cfg, &match, NULL);
590  if (result != DOCA_SUCCESS) {
591  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg match: %s", doca_error_get_descr(result));
592  goto destroy_pipe_cfg;
593  }
594 
595  result = doca_flow_pipe_create(pipe_cfg, &fwd, NULL, pipe);
596  if (result != DOCA_SUCCESS)
597  DOCA_LOG_ERR("Failed to create switch port meta pipe: %s", doca_error_get_descr(result));
598 
599 destroy_pipe_cfg:
600  doca_flow_pipe_cfg_destroy(pipe_cfg);
601  return result;
602 }
603 
604 /*
605  * Add entries to port meta pipe
606  * Send packets to decrypt / encrypt path based on the port
607  *
608  * @ports [in]: array of struct ipsec_security_gw_ports_map
609  * @encrypt_root [in]: pipe to send the packets that comes from unsecured port
610  * @decrypt_root [in]: pipe to send the packets that comes from secured port
611  * @pipe [in]: the pipe to add entries to
612  * @app_cfg [in]: application configuration struct
613  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
614  */
615 static doca_error_t add_switch_port_meta_entries(struct ipsec_security_gw_ports_map *ports[],
616  struct doca_flow_pipe *encrypt_root,
617  struct doca_flow_pipe *decrypt_root,
618  struct doca_flow_pipe *pipe,
619  struct ipsec_security_gw_config *app_cfg)
620 {
621  struct doca_flow_match match;
622  struct doca_flow_fwd fwd;
623  int num_of_entries = 2;
624  doca_error_t result;
625 
626  memset(&app_cfg->secured_status[0], 0, sizeof(app_cfg->secured_status[0]));
627  memset(&match, 0, sizeof(match));
628 
629  app_cfg->secured_status[0].entries_in_queue = num_of_entries;
630 
631  /* forward the packets from the unsecured port to encryption */
632  match.parser_meta.port_id = ports[UNSECURED_IDX]->port_id;
633 
634  fwd.type = DOCA_FLOW_FWD_PIPE;
635  fwd.next_pipe = encrypt_root;
636 
637  result = doca_flow_pipe_add_entry(0,
638  pipe,
639  &match,
640  NULL,
641  NULL,
642  &fwd,
643  DOCA_FLOW_WAIT_FOR_BATCH,
644  &app_cfg->secured_status[0],
645  NULL);
646  if (result != DOCA_SUCCESS) {
647  DOCA_LOG_ERR("Failed to add entry to port meta pipe: %s", doca_error_get_descr(result));
648  return result;
649  }
650 
651  /* forward the packets from the secured port to decryption */
652  match.parser_meta.port_id = ports[SECURED_IDX]->port_id;
653 
654  fwd.type = DOCA_FLOW_FWD_PIPE;
655  fwd.next_pipe = decrypt_root;
656 
657  result = doca_flow_pipe_add_entry(0,
658  pipe,
659  &match,
660  NULL,
661  NULL,
662  &fwd,
663  DOCA_FLOW_NO_WAIT,
664  &app_cfg->secured_status[0],
665  NULL);
666  if (result != DOCA_SUCCESS) {
667  DOCA_LOG_ERR("Failed to add entry to port meta pipe: %s", doca_error_get_descr(result));
668  return result;
669  }
670 
671  result = doca_flow_entries_process(doca_flow_port_switch_get(NULL), 0, DEFAULT_TIMEOUT_US, num_of_entries);
672  if (result != DOCA_SUCCESS)
673  return result;
674  if (app_cfg->secured_status[0].nb_processed != num_of_entries || app_cfg->secured_status[0].failure)
675  return DOCA_ERROR_BAD_STATE;
676 
677  return DOCA_SUCCESS;
678 }
679 
680 /*
681  * Create the switch root pipe, which match the first 2 MSB in pkt meta
682  *
683  * @pipe [out]: the created pipe
684  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
685  */
686 static doca_error_t create_switch_pkt_meta_pipe(struct doca_flow_pipe **pipe)
687 {
688  struct doca_flow_pipe_cfg *pipe_cfg;
689  struct doca_flow_match match;
690  struct doca_flow_match match_mask;
691  doca_error_t result;
692  struct doca_flow_fwd fwd = {.type = DOCA_FLOW_FWD_CHANGEABLE};
693  union security_gateway_pkt_meta meta = {0};
694 
695  memset(&match, 0, sizeof(match));
696  memset(&match_mask, 0, sizeof(match_mask));
697 
698  meta.decrypt = 1;
699  meta.encrypt = 1;
700  match_mask.meta.pkt_meta = DOCA_HTOBE32(meta.u32);
701 
702  result = doca_flow_pipe_cfg_create(&pipe_cfg, doca_flow_port_switch_get(NULL));
703  if (result != DOCA_SUCCESS) {
704  DOCA_LOG_ERR("Failed to create doca_flow_pipe_cfg: %s", doca_error_get_descr(result));
705  return result;
706  }
707 
708  result = doca_flow_pipe_cfg_set_name(pipe_cfg, "PKT_META_PIPE");
709  if (result != DOCA_SUCCESS) {
710  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg name: %s", doca_error_get_descr(result));
711  goto destroy_pipe_cfg;
712  }
713  result = doca_flow_pipe_cfg_set_is_root(pipe_cfg, true);
714  if (result != DOCA_SUCCESS) {
715  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg is_root: %s", doca_error_get_descr(result));
716  goto destroy_pipe_cfg;
717  }
718  result = doca_flow_pipe_cfg_set_match(pipe_cfg, &match, &match_mask);
719  if (result != DOCA_SUCCESS) {
720  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg match: %s", doca_error_get_descr(result));
721  goto destroy_pipe_cfg;
722  }
723  result = doca_flow_pipe_cfg_set_domain(pipe_cfg, DOCA_FLOW_PIPE_DOMAIN_EGRESS);
724  if (result != DOCA_SUCCESS) {
725  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg domain: %s", doca_error_get_descr(result));
726  goto destroy_pipe_cfg;
727  }
728  result = doca_flow_pipe_cfg_set_dir_info(pipe_cfg, DOCA_FLOW_DIRECTION_HOST_TO_NETWORK);
729  if (result != DOCA_SUCCESS) {
730  DOCA_LOG_ERR("Failed to set doca_flow_pipe_cfg dir_info: %s", doca_error_get_descr(result));
731  goto destroy_pipe_cfg;
732  }
733 
734  result = doca_flow_pipe_create(pipe_cfg, &fwd, NULL, pipe);
735  if (result != DOCA_SUCCESS)
736  DOCA_LOG_ERR("Failed to create pkt meta pipe: %s", doca_error_get_descr(result));
737 
738 destroy_pipe_cfg:
739  doca_flow_pipe_cfg_destroy(pipe_cfg);
740  return result;
741 }
742 
743 /*
744  * Add entries to pkt meta pipe
745  *
746  * @ports [in]: array of struct ipsec_security_gw_ports_map
747  * @encrypt_pipe [in]: pipe to forward the packets for encryption if pkt meta second bit is one
748  * @pipe [in]: pipe to add the entries
749  * @app_cfg [in]: application configuration struct
750  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
751  */
752 static doca_error_t add_switch_pkt_meta_entries(struct ipsec_security_gw_ports_map *ports[],
753  struct doca_flow_pipe *encrypt_pipe,
754  struct doca_flow_pipe *pipe,
755  struct ipsec_security_gw_config *app_cfg)
756 {
757  struct doca_flow_match match;
758  struct doca_flow_fwd fwd;
759  int num_of_entries = 2;
760  doca_error_t result;
761  union security_gateway_pkt_meta meta = {0};
762 
763  memset(&match, 0, sizeof(match));
764  memset(&app_cfg->secured_status[0], 0, sizeof(app_cfg->secured_status[0]));
765 
766  meta.decrypt = 0;
767  meta.encrypt = 1;
768  match.meta.pkt_meta = DOCA_HTOBE32(meta.u32);
769  fwd.type = DOCA_FLOW_FWD_PIPE;
770  fwd.next_pipe = encrypt_pipe;
771 
772  result = doca_flow_pipe_add_entry(0,
773  pipe,
774  &match,
775  NULL,
776  NULL,
777  &fwd,
778  DOCA_FLOW_WAIT_FOR_BATCH,
779  &app_cfg->secured_status[0],
780  NULL);
781  if (result != DOCA_SUCCESS) {
782  DOCA_LOG_ERR("Failed to add entry to pkt meta pipe: %s", doca_error_get_descr(result));
783  return result;
784  }
785 
786  meta.encrypt = 0;
787  meta.decrypt = 1;
788  match.meta.pkt_meta = DOCA_HTOBE32(meta.u32);
789  fwd.type = DOCA_FLOW_FWD_PORT;
790  fwd.port_id = ports[UNSECURED_IDX]->port_id;
791 
792  result = doca_flow_pipe_add_entry(0,
793  pipe,
794  &match,
795  NULL,
796  NULL,
797  &fwd,
798  DOCA_FLOW_NO_WAIT,
799  &app_cfg->secured_status[0],
800  NULL);
801  if (result != DOCA_SUCCESS) {
802  DOCA_LOG_ERR("Failed to add entry to pkt meta pipe: %s", doca_error_get_descr(result));
803  return result;
804  }
805 
806  result = doca_flow_entries_process(doca_flow_port_switch_get(NULL), 0, DEFAULT_TIMEOUT_US, num_of_entries);
807  if (result != DOCA_SUCCESS)
808  return result;
809  if (app_cfg->secured_status[0].nb_processed != num_of_entries || app_cfg->secured_status[0].failure)
810  return DOCA_ERROR_BAD_STATE;
811 
812  return DOCA_SUCCESS;
813 }
814 
815 doca_error_t create_switch_ingress_root_pipes(struct ipsec_security_gw_ports_map *ports[],
816  struct ipsec_security_gw_config *app_cfg)
817 {
818  struct doca_flow_pipe *match_port_pipe;
819  doca_error_t result;
820 
821  result = create_switch_port_meta_pipe(&match_port_pipe);
822  if (result != DOCA_SUCCESS) {
823  DOCA_LOG_ERR("Failed to create port meta pipe: %s", doca_error_get_descr(result));
824  return result;
825  }
826 
827  result = add_switch_port_meta_entries(ports,
828  app_cfg->encrypt_pipes.encrypt_root.pipe,
829  app_cfg->decrypt_pipes.decrypt_root.pipe,
830  match_port_pipe,
831  app_cfg);
832  if (result != DOCA_SUCCESS) {
833  DOCA_LOG_ERR("Failed to add port meta pipe entries: %s", doca_error_get_descr(result));
834  return result;
835  }
836 
837  return DOCA_SUCCESS;
838 }
839 
840 doca_error_t create_switch_egress_root_pipes(struct ipsec_security_gw_ports_map *ports[],
841  struct ipsec_security_gw_config *app_cfg)
842 {
843  doca_error_t result;
844 
845  result = create_switch_pkt_meta_pipe(&app_cfg->switch_pipes.pkt_meta_pipe.pipe);
846  if (result != DOCA_SUCCESS) {
847  DOCA_LOG_ERR("Failed to create pkt meta pipe: %s", doca_error_get_descr(result));
848  return result;
849  }
850 
851  result = add_switch_pkt_meta_entries(ports,
852  app_cfg->encrypt_pipes.egress_ip_classifier.pipe,
853  app_cfg->switch_pipes.pkt_meta_pipe.pipe,
854  app_cfg);
855  if (result != DOCA_SUCCESS) {
856  DOCA_LOG_ERR("Failed to add pkt meta pipe entries: %s", doca_error_get_descr(result));
857  return result;
858  }
859  return DOCA_SUCCESS;
860 }
861 
862 /*
863  * Remove the ethernet padding from the packet
864  * Ethernet padding is added to the packet to make sure the packet is at least 64 bytes long
865  * This is required by the Ethernet standard
866  * The padding is added after the payload and before the FCS
867  *
868  * @m [in]: the packet to remove the padding from
869  */
870 void remove_ethernet_padding(struct rte_mbuf **m)
871 {
872  struct rte_ether_hdr *oh;
873  struct rte_ipv4_hdr *ipv4;
874  struct rte_ipv6_hdr *ipv6;
875  uint32_t payload_len, payload_len_l3, l2_l3_len;
876 
877  oh = rte_pktmbuf_mtod(*m, struct rte_ether_hdr *);
878 
879  if (RTE_ETH_IS_IPV4_HDR((*m)->packet_type)) {
880  ipv4 = (void *)(oh + 1);
881  l2_l3_len = rte_ipv4_hdr_len(ipv4) + sizeof(struct rte_ether_hdr);
882  payload_len_l3 = rte_be_to_cpu_16(ipv4->total_length) - rte_ipv4_hdr_len(ipv4);
883  } else {
884  ipv6 = (void *)(oh + 1);
885  l2_l3_len = sizeof(struct rte_ipv6_hdr) + sizeof(struct rte_ether_hdr);
886  payload_len_l3 = rte_be_to_cpu_16(ipv6->payload_len);
887  }
888 
889  payload_len = (*m)->pkt_len - l2_l3_len;
890 
891  /* check if need to remove trailing l2 zeros - occurs when packet_len < eth_minimum_len=64 */
892  if (payload_len > payload_len_l3) {
893  /* need to remove the extra zeros */
894  rte_pktmbuf_trim(*m, payload_len - payload_len_l3);
895  }
896 }
897 
898 /*
899  * Free encrypt pipes resources
900  *
901  * @encrypt_pipes [in]: encrypt pipes struct
902  */
903 static void security_gateway_free_encrypt_resources(struct encrypt_pipes *encrypt_pipes)
904 {
905  if (encrypt_pipes->marker_insert_pipe.entries_info)
906  free(encrypt_pipes->marker_insert_pipe.entries_info);
907  if (encrypt_pipes->encrypt_root.entries_info)
908  free(encrypt_pipes->encrypt_root.entries_info);
909  if (encrypt_pipes->egress_ip_classifier.entries_info)
910  free(encrypt_pipes->egress_ip_classifier.entries_info);
911  if (encrypt_pipes->ipv4_encrypt_pipe.entries_info)
912  free(encrypt_pipes->ipv4_encrypt_pipe.entries_info);
913  if (encrypt_pipes->ipv6_encrypt_pipe.entries_info)
914  free(encrypt_pipes->ipv6_encrypt_pipe.entries_info);
915  if (encrypt_pipes->ipv4_tcp_pipe.entries_info)
916  free(encrypt_pipes->ipv4_tcp_pipe.entries_info);
917  if (encrypt_pipes->ipv4_udp_pipe.entries_info)
918  free(encrypt_pipes->ipv4_udp_pipe.entries_info);
919  if (encrypt_pipes->ipv6_tcp_pipe.entries_info)
920  free(encrypt_pipes->ipv6_tcp_pipe.entries_info);
921  if (encrypt_pipes->ipv6_udp_pipe.entries_info)
922  free(encrypt_pipes->ipv6_udp_pipe.entries_info);
923  if (encrypt_pipes->ipv6_src_tcp_pipe.entries_info)
924  free(encrypt_pipes->ipv6_src_tcp_pipe.entries_info);
925  if (encrypt_pipes->ipv6_src_udp_pipe.entries_info)
926  free(encrypt_pipes->ipv6_src_udp_pipe.entries_info);
927  if (encrypt_pipes->vxlan_encap_pipe.entries_info)
928  free(encrypt_pipes->vxlan_encap_pipe.entries_info);
929 }
930 
931 /*
932  * Free decrypt pipes resources
933  *
934  * @decrypt_pipes [in]: decrypt pipes struct
935  */
936 static void security_gateway_free_decrypt_resources(struct decrypt_pipes *decrypt_pipes)
937 {
938  if (decrypt_pipes->marker_remove_pipe.entries_info)
939  free(decrypt_pipes->marker_remove_pipe.entries_info);
940  if (decrypt_pipes->decrypt_root.entries_info)
941  free(decrypt_pipes->decrypt_root.entries_info);
942  if (decrypt_pipes->decrypt_ipv4_pipe.entries_info)
943  free(decrypt_pipes->decrypt_ipv4_pipe.entries_info);
944  if (decrypt_pipes->decrypt_ipv6_pipe.entries_info)
945  free(decrypt_pipes->decrypt_ipv6_pipe.entries_info);
946  if (decrypt_pipes->decap_pipe.entries_info)
947  free(decrypt_pipes->decap_pipe.entries_info);
948  if (decrypt_pipes->vxlan_decap_ipv4_pipe.entries_info)
949  free(decrypt_pipes->vxlan_decap_ipv4_pipe.entries_info);
950  if (decrypt_pipes->vxlan_decap_ipv6_pipe.entries_info)
951  free(decrypt_pipes->vxlan_decap_ipv6_pipe.entries_info);
952 }
953 
954 void security_gateway_free_status_entries(struct ipsec_security_gw_config *app_cfg)
955 {
956  free(app_cfg->secured_status);
957  free(app_cfg->unsecured_status);
958 }
959 
960 void security_gateway_free_resources(struct ipsec_security_gw_config *app_cfg)
961 {
962  security_gateway_free_encrypt_resources(&app_cfg->encrypt_pipes);
963  security_gateway_free_decrypt_resources(&app_cfg->decrypt_pipes);
964 }
NULL
#define NULL
Definition: __stddef_null.h:26
result
int32_t result
Definition: app_shield_agent_core.h:3
doca_flow_cleanup
void doca_flow_cleanup(int nb_ports, struct ipsec_security_gw_ports_map *ports[])
Definition: flow_common.c:360
security_gateway_free_encrypt_resources
static void security_gateway_free_encrypt_resources(struct encrypt_pipes *encrypt_pipes)
Definition: flow_common.c:903
DOCA_LOG_REGISTER
DOCA_LOG_REGISTER(IPSEC_SECURITY_GW::flow_common)
create_rss_pipe
doca_error_t create_rss_pipe(struct ipsec_security_gw_config *app_cfg, struct doca_flow_port *port, uint16_t nb_queues, struct doca_flow_pipe **rss_pipe)
Definition: flow_common.c:384
remove_ethernet_padding
void remove_ethernet_padding(struct rte_mbuf **m)
Definition: flow_common.c:870
security_gateway_free_decrypt_resources
static void security_gateway_free_decrypt_resources(struct decrypt_pipes *decrypt_pipes)
Definition: flow_common.c:936
process_entries
doca_error_t process_entries(struct doca_flow_port *port, struct entries_status *status, int timeout, uint16_t pipe_queue)
Definition: flow_common.c:78
add_switch_port_meta_entries
static doca_error_t add_switch_port_meta_entries(struct ipsec_security_gw_ports_map *ports[], struct doca_flow_pipe *encrypt_root, struct doca_flow_pipe *decrypt_root, struct doca_flow_pipe *pipe, struct ipsec_security_gw_config *app_cfg)
Definition: flow_common.c:615
ipsec_security_gw_init_status
doca_error_t ipsec_security_gw_init_status(struct ipsec_security_gw_config *app_cfg, int nb_queues)
Definition: flow_common.c:315
create_switch_ingress_root_pipes
doca_error_t create_switch_ingress_root_pipes(struct ipsec_security_gw_ports_map *ports[], struct ipsec_security_gw_config *app_cfg)
Definition: flow_common.c:815
security_gateway_free_status_entries
void security_gateway_free_status_entries(struct ipsec_security_gw_config *app_cfg)
Definition: flow_common.c:954
create_switch_pkt_meta_pipe
static doca_error_t create_switch_pkt_meta_pipe(struct doca_flow_pipe **pipe)
Definition: flow_common.c:686
ipsec_security_gw_bind
doca_error_t ipsec_security_gw_bind(struct ipsec_security_gw_ports_map *ports[], struct ipsec_security_gw_config *app_cfg)
Definition: flow_common.c:333
security_gateway_free_resources
void security_gateway_free_resources(struct ipsec_security_gw_config *app_cfg)
Definition: flow_common.c:960
ipsec_security_gw_init_doca_flow
doca_error_t ipsec_security_gw_init_doca_flow(const struct ipsec_security_gw_config *app_cfg, int nb_queues, struct ipsec_security_gw_ports_map *ports[])
Definition: flow_common.c:163
create_hairpin_pipe_fwd
void create_hairpin_pipe_fwd(struct ipsec_security_gw_config *app_cfg, int port_id, bool encrypt, uint16_t *rss_queues, uint32_t rss_flags, struct doca_flow_fwd *fwd)
Definition: flow_common.c:512
add_switch_pkt_meta_entries
static doca_error_t add_switch_pkt_meta_entries(struct ipsec_security_gw_ports_map *ports[], struct doca_flow_pipe *encrypt_pipe, struct doca_flow_pipe *pipe, struct ipsec_security_gw_config *app_cfg)
Definition: flow_common.c:752
create_doca_flow_port
static doca_error_t create_doca_flow_port(int port_id, struct doca_dev *dev, bool sn_offload_disable, struct doca_flow_port **port)
Definition: flow_common.c:106
create_switch_egress_root_pipes
doca_error_t create_switch_egress_root_pipes(struct ipsec_security_gw_ports_map *ports[], struct ipsec_security_gw_config *app_cfg)
Definition: flow_common.c:840
check_for_valid_entry
static void check_for_valid_entry(struct doca_flow_pipe_entry *entry, uint16_t pipe_queue, enum doca_flow_entry_status status, enum doca_flow_entry_op op, void *user_ctx)
Definition: flow_common.c:50
create_switch_port_meta_pipe
static doca_error_t create_switch_port_meta_pipe(struct doca_flow_pipe **pipe)
Definition: flow_common.c:562
get_icv_len_int
uint32_t get_icv_len_int(enum doca_flow_crypto_icv_len icv_len)
Definition: flow_common.c:374
QUEUE_DEPTH
#define QUEUE_DEPTH
Definition: flow_common.h:39
encrypt
uint32_t encrypt
Definition: flow_common.h:2
SECURED_IDX
#define SECURED_IDX
Definition: flow_common.h:40
UNSECURED_IDX
#define UNSECURED_IDX
Definition: flow_common.h:41
doca_bitfield.h
doca_flow.h
doca_flow_tune_server.h
doca_log.h
bind_decrypt_ids
doca_error_t bind_decrypt_ids(int nb_rules, int initial_id, struct doca_flow_port *port)
Definition: flow_decrypt.c:1359
flow_decrypt.h
bind_encrypt_ids
doca_error_t bind_encrypt_ids(int nb_rules, struct doca_flow_port *port)
Definition: flow_encrypt.c:1806
flow_encrypt.h
destroy_pipe_cfg
static doca_error_t destroy_pipe_cfg(struct doca_flow_pipe_cfg *cfg)
Definition: flow_fwd_miss_sample.c:124
rss_queues
static uint16_t * rss_queues
Definition: flow_parser.c:114
fwd
static struct doca_flow_fwd fwd
Definition: flow_parser.c:109
match_mask
static struct doca_flow_match match_mask
Definition: flow_parser.c:106
entry
static struct doca_flow_pipe_entry * entry[MAX_ENTRIES]
Definition: flow_pipe_resize_sample.c:46
DEFAULT_TIMEOUT_US
#define DEFAULT_TIMEOUT_US
Definition: flow_skeleton.c:36
app_cfg
static struct app_gpu_cfg app_cfg
Definition: gpu_packet_processing.c:40
DOCA_HTOBE32
#define DOCA_HTOBE32(_x)
Definition: doca_bitfield.h:114
DOCA_ERROR_PROPAGATE
#define DOCA_ERROR_PROPAGATE(r, t)
Save the first encountered doca_error_t.
Definition: doca_error.h:83
doca_error_t
enum doca_error doca_error_t
DOCA API return codes.
doca_error_get_descr
DOCA_STABLE const char * doca_error_get_descr(doca_error_t error)
Returns the description string of an error code.
DOCA_ERROR_INITIALIZATION
@ DOCA_ERROR_INITIALIZATION
Definition: doca_error.h:46
DOCA_ERROR_BAD_STATE
@ DOCA_ERROR_BAD_STATE
Definition: doca_error.h:56
DOCA_ERROR_NOT_SUPPORTED
@ DOCA_ERROR_NOT_SUPPORTED
Definition: doca_error.h:42
DOCA_SUCCESS
@ DOCA_SUCCESS
Definition: doca_error.h:38
DOCA_ERROR_NO_MEMORY
@ DOCA_ERROR_NO_MEMORY
Definition: doca_error.h:45
doca_flow_crypto_icv_len
doca_flow_crypto_icv_len
doca flow crypto ICV length
Definition: doca_flow_crypto.h:122
DOCA_FLOW_CRYPTO_ICV_LENGTH_12
@ DOCA_FLOW_CRYPTO_ICV_LENGTH_12
Definition: doca_flow_crypto.h:125
DOCA_FLOW_CRYPTO_ICV_LENGTH_8
@ DOCA_FLOW_CRYPTO_ICV_LENGTH_8
Definition: doca_flow_crypto.h:123
doca_flow_tune_server_init
DOCA_EXPERIMENTAL doca_error_t doca_flow_tune_server_init(struct doca_flow_tune_server_cfg *cfg)
Initialize a DOCA Flow Tune Server.
doca_flow_tune_server_cfg_destroy
DOCA_EXPERIMENTAL doca_error_t doca_flow_tune_server_cfg_destroy(struct doca_flow_tune_server_cfg *cfg)
Destroy DOCA Flow Tune Server configuration struct.
doca_flow_tune_server_cfg_create
DOCA_EXPERIMENTAL doca_error_t doca_flow_tune_server_cfg_create(struct doca_flow_tune_server_cfg **cfg)
Create DOCA Flow Tune Server configuration struct.
doca_flow_pipe_cfg_destroy
DOCA_STABLE doca_error_t doca_flow_pipe_cfg_destroy(struct doca_flow_pipe_cfg *cfg)
Destroy DOCA Flow pipe configuration struct.
doca_flow_cfg_set_mode_args
DOCA_STABLE doca_error_t doca_flow_cfg_set_mode_args(struct doca_flow_cfg *cfg, const char *mode_args)
Set DOCA mode args.
doca_flow_pipe_cfg_create
DOCA_STABLE doca_error_t doca_flow_pipe_cfg_create(struct doca_flow_pipe_cfg **cfg, struct doca_flow_port *port)
Create DOCA Flow pipe configuration struct.
doca_flow_entries_process
DOCA_STABLE doca_error_t doca_flow_entries_process(struct doca_flow_port *port, uint16_t pipe_queue, uint64_t timeout, uint32_t max_processed_entries)
Process entries in queue.
doca_flow_pipe_cfg_set_name
DOCA_STABLE doca_error_t doca_flow_pipe_cfg_set_name(struct doca_flow_pipe_cfg *cfg, const char *name)
Set pipe's name.
doca_flow_port_pair
DOCA_EXPERIMENTAL doca_error_t doca_flow_port_pair(struct doca_flow_port *port, struct doca_flow_port *pair_port)
pair two doca flow ports.
doca_flow_pipe_cfg_set_match
DOCA_EXPERIMENTAL doca_error_t doca_flow_pipe_cfg_set_match(struct doca_flow_pipe_cfg *cfg, const struct doca_flow_match *match, const struct doca_flow_match *match_mask)
Set pipe's match and match mask.
doca_flow_port_start
DOCA_EXPERIMENTAL doca_error_t doca_flow_port_start(const struct doca_flow_port_cfg *cfg, struct doca_flow_port **port)
Start a doca port.
doca_flow_entry_op
doca_flow_entry_op
doca flow entry operation
Definition: doca_flow.h:146
doca_flow_cfg_set_cb_entry_process
DOCA_STABLE doca_error_t doca_flow_cfg_set_cb_entry_process(struct doca_flow_cfg *cfg, doca_flow_entry_process_cb cb)
Set callback for entry create/destroy.
doca_flow_pipe_cfg_set_is_root
DOCA_STABLE doca_error_t doca_flow_pipe_cfg_set_is_root(struct doca_flow_pipe_cfg *cfg, bool is_root)
Set if pipe is root or not.
doca_flow_cfg_set_queue_depth
DOCA_STABLE doca_error_t doca_flow_cfg_set_queue_depth(struct doca_flow_cfg *cfg, uint32_t queue_depth)
Set number of pre-configured queue_size.
doca_flow_pipe_create
DOCA_EXPERIMENTAL doca_error_t doca_flow_pipe_create(const struct doca_flow_pipe_cfg *cfg, const struct doca_flow_fwd *fwd, const struct doca_flow_fwd *fwd_miss, struct doca_flow_pipe **pipe)
Create one new pipe.
doca_flow_cfg_create
DOCA_STABLE doca_error_t doca_flow_cfg_create(struct doca_flow_cfg **cfg)
Create DOCA Flow configuration struct.
doca_flow_pipe_cfg_set_type
DOCA_STABLE doca_error_t doca_flow_pipe_cfg_set_type(struct doca_flow_pipe_cfg *cfg, enum doca_flow_pipe_type type)
Set pipe's type.
doca_flow_init
DOCA_EXPERIMENTAL doca_error_t doca_flow_init(struct doca_flow_cfg *cfg)
Initialize the doca flow.
doca_flow_port_cfg_set_dev
DOCA_EXPERIMENTAL doca_error_t doca_flow_port_cfg_set_dev(struct doca_flow_port_cfg *cfg, struct doca_dev *dev)
Set port's device.
doca_flow_cfg_set_nr_counters
DOCA_STABLE doca_error_t doca_flow_cfg_set_nr_counters(struct doca_flow_cfg *cfg, uint32_t nr_counters)
Set number of counters to configure.
doca_flow_port_cfg_set_ipsec_sn_offload_disable
DOCA_STABLE doca_error_t doca_flow_port_cfg_set_ipsec_sn_offload_disable(struct doca_flow_port_cfg *cfg)
Disable SN offload for ipsec - Anti-replay and sn increment will not be activated.
doca_flow_port_cfg_set_actions_mem_size
DOCA_EXPERIMENTAL doca_error_t doca_flow_port_cfg_set_actions_mem_size(struct doca_flow_port_cfg *cfg, uint32_t size)
Set max memory size used by actions.
doca_flow_cfg_set_nr_shared_resource
DOCA_STABLE doca_error_t doca_flow_cfg_set_nr_shared_resource(struct doca_flow_cfg *cfg, uint32_t nr_shared_resource, enum doca_flow_shared_resource_type type)
Set number of shared resource.
doca_flow_port_stop
DOCA_STABLE doca_error_t doca_flow_port_stop(struct doca_flow_port *port)
Stop a doca port.
doca_flow_pipe_add_entry
DOCA_EXPERIMENTAL doca_error_t doca_flow_pipe_add_entry(uint16_t pipe_queue, struct doca_flow_pipe *pipe, const struct doca_flow_match *match, const struct doca_flow_actions *actions, const struct doca_flow_monitor *monitor, const struct doca_flow_fwd *fwd, uint32_t flags, void *usr_ctx, struct doca_flow_pipe_entry **entry)
Add one new entry to a pipe.
doca_flow_entry_status
doca_flow_entry_status
doca flow entry status
Definition: doca_flow.h:160
doca_flow_destroy
DOCA_STABLE void doca_flow_destroy(void)
Destroy the doca flow.
doca_flow_port_cfg_set_port_id
DOCA_EXPERIMENTAL doca_error_t doca_flow_port_cfg_set_port_id(struct doca_flow_port_cfg *cfg, uint16_t port_id)
Set the logical port ID.
doca_flow_cfg_set_default_rss
DOCA_EXPERIMENTAL doca_error_t doca_flow_cfg_set_default_rss(struct doca_flow_cfg *cfg, const struct doca_flow_resource_rss_cfg *rss)
Set RSS global configuration.
doca_flow_port_cfg_create
DOCA_STABLE doca_error_t doca_flow_port_cfg_create(struct doca_flow_port_cfg **cfg)
Create DOCA Flow port configuration struct.
doca_flow_pipe_cfg_set_dir_info
DOCA_EXPERIMENTAL doca_error_t doca_flow_pipe_cfg_set_dir_info(struct doca_flow_pipe_cfg *cfg, enum doca_flow_direction_info dir_info)
Set pipe's Direction info.
doca_flow_port_cfg_destroy
DOCA_STABLE doca_error_t doca_flow_port_cfg_destroy(struct doca_flow_port_cfg *cfg)
Destroy DOCA Flow port configuration struct.
doca_flow_cfg_set_pipe_queues
DOCA_STABLE doca_error_t doca_flow_cfg_set_pipe_queues(struct doca_flow_cfg *cfg, uint16_t pipe_queues)
Set pipe queues.
doca_flow_port_switch_get
DOCA_STABLE struct doca_flow_port * doca_flow_port_switch_get(const struct doca_flow_port *port)
Get doca flow switch port.
doca_flow_pipe_cfg_set_domain
DOCA_STABLE doca_error_t doca_flow_pipe_cfg_set_domain(struct doca_flow_pipe_cfg *cfg, enum doca_flow_pipe_domain domain)
Set pipe's domain.
doca_flow_cfg_destroy
DOCA_STABLE doca_error_t doca_flow_cfg_destroy(struct doca_flow_cfg *cfg)
Destroy DOCA Flow configuration struct.
DOCA_FLOW_SHARED_RESOURCE_IPSEC_SA
@ DOCA_FLOW_SHARED_RESOURCE_IPSEC_SA
Definition: doca_flow.h:107
DOCA_FLOW_ENTRY_OP_ADD
@ DOCA_FLOW_ENTRY_OP_ADD
Definition: doca_flow.h:147
DOCA_FLOW_DIRECTION_HOST_TO_NETWORK
@ DOCA_FLOW_DIRECTION_HOST_TO_NETWORK
Definition: doca_flow.h:1095
DOCA_FLOW_PIPE_BASIC
@ DOCA_FLOW_PIPE_BASIC
Definition: doca_flow.h:221
DOCA_FLOW_NO_WAIT
@ DOCA_FLOW_NO_WAIT
Definition: doca_flow.h:115
DOCA_FLOW_WAIT_FOR_BATCH
@ DOCA_FLOW_WAIT_FOR_BATCH
Definition: doca_flow.h:117
DOCA_FLOW_RESOURCE_TYPE_NON_SHARED
@ DOCA_FLOW_RESOURCE_TYPE_NON_SHARED
Definition: doca_flow.h:615
DOCA_FLOW_FWD_PORT
@ DOCA_FLOW_FWD_PORT
Definition: doca_flow.h:744
DOCA_FLOW_FWD_PIPE
@ DOCA_FLOW_FWD_PIPE
Definition: doca_flow.h:746
DOCA_FLOW_FWD_CHANGEABLE
@ DOCA_FLOW_FWD_CHANGEABLE
Definition: doca_flow.h:756
DOCA_FLOW_FWD_RSS
@ DOCA_FLOW_FWD_RSS
Definition: doca_flow.h:742
DOCA_FLOW_ENTRY_STATUS_SUCCESS
@ DOCA_FLOW_ENTRY_STATUS_SUCCESS
Definition: doca_flow.h:163
DOCA_FLOW_PIPE_DOMAIN_EGRESS
@ DOCA_FLOW_PIPE_DOMAIN_EGRESS
Definition: doca_flow.h:245
DOCA_LOG_ERR
#define DOCA_LOG_ERR(format,...)
Generates an ERROR application log message.
Definition: doca_log.h:466
DOCA_LOG_DBG
#define DOCA_LOG_DBG(format,...)
Generates a DEBUG application log message.
Definition: doca_log.h:496
find_port_action_type_vnf
doca_error_t find_port_action_type_vnf(const struct ipsec_security_gw_config *app_cfg, int port_id, struct doca_dev **connected_dev, int *idx)
Definition: ipsec_ctx.c:117
find_port_action_type_switch
doca_error_t find_port_action_type_switch(int port_id, int *idx)
Definition: ipsec_ctx.c:43
IPSEC_SECURITY_GW_TUNNEL
@ IPSEC_SECURITY_GW_TUNNEL
Definition: ipsec_ctx.h:180
MAX_NB_RULES
#define MAX_NB_RULES
Definition: ipsec_ctx.h:40
NUM_OF_SYNDROMES
#define NUM_OF_SYNDROMES
Definition: ipsec_ctx.h:43
IPSEC_SECURITY_GW_VNF
@ IPSEC_SECURITY_GW_VNF
Definition: ipsec_ctx.h:187
IPSEC_SECURITY_GW_SWITCH
@ IPSEC_SECURITY_GW_SWITCH
Definition: ipsec_ctx.h:188
MAX_ACTIONS_MEM_SIZE
#define MAX_ACTIONS_MEM_SIZE
Definition: ipsec_ctx.h:47
IPSEC_SECURITY_GW_ESP_OFFLOAD_ENCAP
@ IPSEC_SECURITY_GW_ESP_OFFLOAD_ENCAP
Definition: ipsec_ctx.h:194
IPSEC_SECURITY_GW_ESP_OFFLOAD_DECAP
@ IPSEC_SECURITY_GW_ESP_OFFLOAD_DECAP
Definition: ipsec_ctx.h:195
IPSEC_SECURITY_GW_ESP_OFFLOAD_NONE
@ IPSEC_SECURITY_GW_ESP_OFFLOAD_NONE
Definition: ipsec_ctx.h:196
flow_common.h
decrypt_pipes
Definition: ipsec_ctx.h:150
decrypt_pipes::decrypt_ipv4_pipe
struct security_gateway_pipe_info decrypt_ipv4_pipe
Definition: ipsec_ctx.h:153
decrypt_pipes::vxlan_decap_ipv6_pipe
struct security_gateway_pipe_info vxlan_decap_ipv6_pipe
Definition: ipsec_ctx.h:158
decrypt_pipes::marker_remove_pipe
struct security_gateway_pipe_info marker_remove_pipe
Definition: ipsec_ctx.h:152
decrypt_pipes::decrypt_ipv6_pipe
struct security_gateway_pipe_info decrypt_ipv6_pipe
Definition: ipsec_ctx.h:154
decrypt_pipes::decrypt_root
struct security_gateway_pipe_info decrypt_root
Definition: ipsec_ctx.h:151
decrypt_pipes::decap_pipe
struct security_gateway_pipe_info decap_pipe
Definition: ipsec_ctx.h:155
decrypt_pipes::vxlan_decap_ipv4_pipe
struct security_gateway_pipe_info vxlan_decap_ipv4_pipe
Definition: ipsec_ctx.h:157
doca_flow_fwd
forwarding configuration
Definition: doca_flow.h:779
doca_flow_fwd::next_pipe
struct doca_flow_pipe * next_pipe
Definition: doca_flow.h:800
doca_flow_fwd::pipe
struct doca_flow_pipe * pipe
Definition: doca_flow.h:806
doca_flow_fwd::port_id
uint16_t port_id
Definition: doca_flow.h:795
doca_flow_fwd::type
enum doca_flow_fwd_type type
Definition: doca_flow.h:780
doca_flow_fwd::rss_type
enum doca_flow_resource_type rss_type
Definition: doca_flow.h:784
doca_flow_fwd::rss
struct doca_flow_resource_rss_cfg rss
Definition: doca_flow.h:787
doca_flow_match
doca flow matcher information
Definition: doca_flow.h:491
doca_flow_match::parser_meta
struct doca_flow_parser_meta parser_meta
Definition: doca_flow.h:496
doca_flow_match::meta
struct doca_flow_meta meta
Definition: doca_flow.h:494
doca_flow_meta::pkt_meta
doca_be32_t pkt_meta
Definition: doca_flow.h:359
doca_flow_parser_meta::port_id
uint16_t port_id
Definition: doca_flow.h:370
doca_flow_resource_rss_cfg
doca flow rss resource configuration
Definition: doca_flow.h:180
doca_flow_resource_rss_cfg::inner_flags
uint32_t inner_flags
Definition: doca_flow.h:183
doca_flow_resource_rss_cfg::queues_array
uint16_t * queues_array
Definition: doca_flow.h:185
doca_flow_resource_rss_cfg::nr_queues
int nr_queues
Definition: doca_flow.h:187
doca_flow_resource_rss_cfg::outer_flags
uint32_t outer_flags
Definition: doca_flow.h:181
encrypt_pipes
Definition: ipsec_ctx.h:134
encrypt_pipes::ipv4_encrypt_pipe
struct security_gateway_pipe_info ipv4_encrypt_pipe
Definition: ipsec_ctx.h:137
encrypt_pipes::ipv6_tcp_pipe
struct security_gateway_pipe_info ipv6_tcp_pipe
Definition: ipsec_ctx.h:141
encrypt_pipes::ipv6_src_udp_pipe
struct security_gateway_pipe_info ipv6_src_udp_pipe
Definition: ipsec_ctx.h:144
encrypt_pipes::ipv4_udp_pipe
struct security_gateway_pipe_info ipv4_udp_pipe
Definition: ipsec_ctx.h:140
encrypt_pipes::encrypt_root
struct security_gateway_pipe_info encrypt_root
Definition: ipsec_ctx.h:135
encrypt_pipes::egress_ip_classifier
struct security_gateway_pipe_info egress_ip_classifier
Definition: ipsec_ctx.h:136
encrypt_pipes::marker_insert_pipe
struct security_gateway_pipe_info marker_insert_pipe
Definition: ipsec_ctx.h:146
encrypt_pipes::ipv6_udp_pipe
struct security_gateway_pipe_info ipv6_udp_pipe
Definition: ipsec_ctx.h:142
encrypt_pipes::vxlan_encap_pipe
struct security_gateway_pipe_info vxlan_encap_pipe
Definition: ipsec_ctx.h:145
encrypt_pipes::ipv6_src_tcp_pipe
struct security_gateway_pipe_info ipv6_src_tcp_pipe
Definition: ipsec_ctx.h:143
encrypt_pipes::ipv6_encrypt_pipe
struct security_gateway_pipe_info ipv6_encrypt_pipe
Definition: ipsec_ctx.h:138
encrypt_pipes::ipv4_tcp_pipe
struct security_gateway_pipe_info ipv4_tcp_pipe
Definition: ipsec_ctx.h:139
entries_status
user context struct that will be used in entries process callback
Definition: flow_common.h:78
entries_status::entries_in_queue
int entries_in_queue
Definition: flow_common.h:81
entries_status::nb_processed
int nb_processed
Definition: flow_common.h:80
entries_status::failure
bool failure
Definition: flow_common.h:79
ipsec_security_gw_config
Definition: ipsec_ctx.h:238
ipsec_security_gw_ports_map
Definition: flow_common.h:71
security_gateway_pipe_info::entries_info
struct security_gateway_entry_info * entries_info
Definition: ipsec_ctx.h:130
nb_ports
static int nb_ports
Definition: switch_core.c:44
ports
static struct doca_flow_port * ports[FLOW_SWITCH_PORTS_MAX]
Definition: switch_core.c:42
security_gateway_pkt_meta
Definition: flow_common.h:97
security_gateway_pkt_meta::encrypt
uint32_t encrypt
Definition: flow_common.h:100
security_gateway_pkt_meta::decrypt
uint32_t decrypt
Definition: flow_common.h:101
security_gateway_pkt_meta::u32
uint32_t u32
Definition: flow_common.h:98
linear_array_init_u16
void linear_array_init_u16(uint16_t *array, uint16_t n)
Definition: utils.c:109