NVIDIA DOCA SDK Data Center on a Chip Framework Documentation
config.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2023-2025 NVIDIA CORPORATION AND AFFILIATES. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without modification, are permitted
5  * provided that the following conditions are met:
6  * * Redistributions of source code must retain the above copyright notice, this list of
7  * conditions and the following disclaimer.
8  * * Redistributions in binary form must reproduce the above copyright notice, this list of
9  * conditions and the following disclaimer in the documentation and/or other materials
10  * provided with the distribution.
11  * * Neither the name of the NVIDIA CORPORATION nor the names of its contributors may be used
12  * to endorse or promote products derived from this software without specific prior written
13  * permission.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
17  * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NVIDIA CORPORATION BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
19  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
20  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
21  * STRICT LIABILITY, OR TOR (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
22  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  *
24  */
25 
26 #include <ctype.h>
27 #include <json-c/json.h>
28 
29 #include <rte_hash_crc.h>
30 
31 #include <doca_argp.h>
32 #include <doca_log.h>
33 
34 #include <pack.h>
35 #include <utils.h>
36 #include <flow_parser.h>
37 
38 #include "config.h"
39 
40 DOCA_LOG_REGISTER(IPSEC_SECURITY_GW::config);
41 
42 #define MAX_CORES (32)
43 
44 /*
45  * Parse hex key string to array of uint8_t
46  *
47  * @key_hex [in]: hex format key string
48  * @key_size [in]: the hex string length
49  * @key [out]: the parsed key array
50  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
51  */
52 static doca_error_t parse_hex_to_bytes(const char *key_hex, size_t key_size, uint8_t *key)
53 {
54  uint8_t digit;
55  size_t i;
56 
57  /* Parse every digit (nibble and translate it to the matching numeric value) */
58  for (i = 0; i < key_size; i++) {
59  /* Must be alpha-numeric */
60  if ('0' <= key_hex[i] && key_hex[i] <= '9')
61  digit = key_hex[i] - '0';
62  else if ('a' <= tolower(key_hex[i]) && tolower(key_hex[i]) <= 'f')
63  digit = tolower(key_hex[i]) - 'a' + 10;
64  else {
65  DOCA_LOG_ERR("Wrong format for key (%s) - not alpha-numeric", key_hex);
66  return DOCA_ERROR_INVALID_VALUE;
67  }
68  /* There are 2 nibbles (digits) in each byte, place them at their numeric place */
69  key[i / 2] = (key[i / 2] << 4) + digit;
70  }
71  return DOCA_SUCCESS;
72 }
73 
74 /*
75  * Parse key from json object rule
76  *
77  * @cur_rule [in]: json object of the current rule to parse
78  * @key_type [in]: key type
79  * @key [out]: the parsed key value
80  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
81  */
82 static doca_error_t create_key(struct json_object *cur_rule, enum doca_flow_crypto_key_type key_type, uint8_t *key)
83 {
84  struct json_object *json_key;
85  doca_error_t result;
86  const char *key_str;
87  size_t max_key_size;
88  size_t key_len;
89 
90  if (!json_object_object_get_ex(cur_rule, "key", &json_key)) {
91  DOCA_LOG_ERR("Missing key");
92  return DOCA_ERROR_INVALID_VALUE;
93  }
94  if (json_object_get_type(json_key) != json_type_string) {
95  DOCA_LOG_ERR("Expecting a string value for \"key\"");
96  return DOCA_ERROR_INVALID_VALUE;
97  }
98 
99  key_str = json_object_get_string(json_key);
100  if (key_type == DOCA_FLOW_CRYPTO_KEY_128)
101  max_key_size = 32;
102  else
103  max_key_size = 64;
104  key_len = strnlen(key_str, max_key_size + 1);
105  if (key_len == max_key_size + 1) {
106  DOCA_LOG_ERR("Key string is too long - MAX=%ld", max_key_size);
107  return DOCA_ERROR_INVALID_VALUE;
108  }
109  if (key_len % 2 != 0) {
110  DOCA_LOG_ERR("Key string should be in hexadecimal format, length must be even");
111  return DOCA_ERROR_INVALID_VALUE;
112  }
113  result = parse_hex_to_bytes(key_str, key_len, key);
114  if (result != DOCA_SUCCESS)
115  return result;
116 
117  return DOCA_SUCCESS;
118 }
119 
120 /*
121  * Parse key type from json object rule
122  *
123  * @cur_rule [in]: json object of the current rule to parse
124  * @key_type [out]: the parse key type
125  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
126  */
127 static doca_error_t create_key_type(struct json_object *cur_rule, enum doca_flow_crypto_key_type *key_type)
128 {
129  struct json_object *json_key_type;
130  int key_len;
131 
132  if (!json_object_object_get_ex(cur_rule, "key-type", &json_key_type)) {
133  DOCA_LOG_DBG("Missing key type, default is DOCA_ENCRYPTION_KEY_AESGCM_256");
134  *key_type = DOCA_FLOW_CRYPTO_KEY_256;
135  return DOCA_SUCCESS;
136  }
137  if (json_object_get_type(json_key_type) != json_type_int) {
138  DOCA_LOG_ERR("Expecting a int value for \"key-type\"");
139  return DOCA_ERROR_INVALID_VALUE;
140  }
141 
142  key_len = json_object_get_int(json_key_type);
143  if (key_len == 128)
144  *key_type = DOCA_FLOW_CRYPTO_KEY_128;
145  else if (key_len == 256)
146  *key_type = DOCA_FLOW_CRYPTO_KEY_256;
147  else {
148  DOCA_LOG_ERR("Key type should be 128 / 256");
149  return DOCA_ERROR_INVALID_VALUE;
150  }
151  return DOCA_SUCCESS;
152 }
153 
154 /*
155  * Parse IV from json object rule
156  *
157  * @cur_rule [in]: json object of the current rule to parse
158  * @iv [out]: the parsed iv value
159  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
160  */
161 static doca_error_t create_iv(struct json_object *cur_rule, uint64_t *iv)
162 {
163  struct json_object *json_iv;
164  doca_error_t result;
165  const char *iv_str;
166  int iv_len;
167  const int max_iv_size = 8 * 2;
168  uint8_t iv_bytes[8] = {0};
169  uint8_t *read_head = iv_bytes;
170 
171  if (!json_object_object_get_ex(cur_rule, "iv", &json_iv)) {
172  DOCA_LOG_DBG("Missing IV, will use the default value");
173  *iv = unpack_uint64(&read_head);
174  return DOCA_SUCCESS;
175  }
176  if (json_object_get_type(json_iv) != json_type_string) {
177  DOCA_LOG_ERR("Expecting a string value for \"iv\"");
178  return DOCA_ERROR_INVALID_VALUE;
179  }
180 
181  iv_str = json_object_get_string(json_iv);
182  iv_len = strnlen(iv_str, max_iv_size + 1);
183  if (iv_len == max_iv_size + 1) {
184  DOCA_LOG_ERR("IV string is too long - MAX=%d", max_iv_size);
185  return DOCA_ERROR_INVALID_VALUE;
186  }
187  if (iv_len % 2 != 0) {
188  DOCA_LOG_ERR("IV string should be in hexadecimal format, length must be even");
189  return DOCA_ERROR_INVALID_VALUE;
190  }
191  result = parse_hex_to_bytes(iv_str, iv_len, iv_bytes);
192  if (result != DOCA_SUCCESS)
193  return result;
194 
195  *iv = unpack_uint64(&read_head);
196  return DOCA_SUCCESS;
197 }
198 
199 /*
200  * Parse json object for salt length
201  *
202  * @cur_rule [in]: json object of the current rule to parse
203  * @salt [out]: the parse salt
204  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
205  */
206 static doca_error_t create_salt(struct json_object *cur_rule, uint32_t *salt)
207 {
208  struct json_object *json_salt;
209 
210  if (!json_object_object_get_ex(cur_rule, "salt", &json_salt)) {
211  DOCA_LOG_DBG("Missing salt, default is 6");
212  *salt = 6;
213  return DOCA_SUCCESS;
214  }
215  if (json_object_get_type(json_salt) != json_type_int) {
216  DOCA_LOG_ERR("Expecting a int value for \"salt\"");
217  return DOCA_ERROR_INVALID_VALUE;
218  }
219  *salt = (uint32_t)json_object_get_int64(json_salt);
220  return DOCA_SUCCESS;
221 }
222 
223 /*
224  * Parse json object for lifetime threshold
225  *
226  * @cur_rule [in]: json object of the current rule to parse
227  * @lifetime_threshold [out]: the parsed lifetime threshold
228  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
229  */
230 static doca_error_t create_lifetime_threshold(struct json_object *cur_rule, uint32_t *lifetime_threshold)
231 {
232  struct json_object *json_lifetime;
233 
234  if (!json_object_object_get_ex(cur_rule, "lifetime-threshold", &json_lifetime)) {
235  DOCA_LOG_DBG("Missing lifetime-threshold, default is 0 (ignored)");
236  *lifetime_threshold = 0;
237  return DOCA_SUCCESS;
238  }
239  if (json_object_get_type(json_lifetime) != json_type_int) {
240  DOCA_LOG_ERR("Expecting a int value for \"lifetime-threshold\"");
241  return DOCA_ERROR_INVALID_VALUE;
242  }
243  *lifetime_threshold = (uint32_t)json_object_get_int64(json_lifetime);
244  return DOCA_SUCCESS;
245 }
246 
247 /*
248  * Parse json object for esn
249  *
250  * @cur_rule [in]: json object of the current rule to parse
251  * @esn_en [out]: the parsed esn_en
252  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
253  */
254 static doca_error_t create_esn_en(struct json_object *cur_rule, bool *esn_en)
255 {
256  struct json_object *json_esn_en;
257 
258  if (!json_object_object_get_ex(cur_rule, "esn_en", &json_esn_en)) {
259  DOCA_LOG_DBG("Missing esn_en, default is false");
260  return DOCA_SUCCESS;
261  }
262  if (json_object_get_type(json_esn_en) != json_type_boolean) {
263  DOCA_LOG_ERR("Expecting a bool value for \"esn_en\"");
264  return DOCA_ERROR_INVALID_VALUE;
265  }
266  *esn_en = json_object_get_boolean(json_esn_en);
267  return DOCA_SUCCESS;
268 }
269 
270 /*
271  * Parse protocol type from json object rule
272  *
273  * @cur_rule [in]: json object of the current rule to parse
274  * @protocol [out]: the parsed protocol value
275  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
276  */
277 static doca_error_t create_protocol(struct json_object *cur_rule, enum doca_flow_l4_type_ext *protocol)
278 {
279  doca_error_t result;
280  struct json_object *json_protocol;
281  const char *protocol_str;
282 
283  if (!json_object_object_get_ex(cur_rule, "protocol", &json_protocol)) {
284  DOCA_LOG_ERR("Missing protocol type");
285  return DOCA_ERROR_INVALID_VALUE;
286  }
287  if (json_object_get_type(json_protocol) != json_type_string) {
288  DOCA_LOG_ERR("Expecting a string value for \"protocol\"");
289  return DOCA_ERROR_INVALID_VALUE;
290  }
291 
292  protocol_str = json_object_get_string(json_protocol);
293  result = parse_protocol_string(protocol_str, protocol);
294  if (result != DOCA_SUCCESS)
295  return result;
296  return DOCA_SUCCESS;
297 }
298 
299 /*
300  * Parse l3 type from json object rule
301  *
302  * @cur_rule [in]: json object of the current rule to parse
303  * @ip_version_string [in]: ip-version/encap-ip-version/inner-ip-version
304  * @l3_type [out]: the parsed l3_type value
305  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
306  */
307 static doca_error_t create_l3_type(struct json_object *cur_rule,
308  char *ip_version_string,
309  enum doca_flow_l3_type *l3_type)
310 {
311  struct json_object *json_ip;
312  int ip;
313 
314  if (!json_object_object_get_ex(cur_rule, ip_version_string, &json_ip)) {
315  DOCA_LOG_DBG("Missing ip-version, using default: IPv4");
316  *l3_type = DOCA_FLOW_L3_TYPE_IP4;
317  return DOCA_SUCCESS;
318  }
319  if (json_object_get_type(json_ip) != json_type_int) {
320  DOCA_LOG_ERR("Expecting a int value for \"ip-version\"");
321  return DOCA_ERROR_INVALID_VALUE;
322  }
323 
324  ip = json_object_get_int(json_ip);
325  if (ip == 4)
326  *l3_type = DOCA_FLOW_L3_TYPE_IP4;
327  else if (ip == 6)
328  *l3_type = DOCA_FLOW_L3_TYPE_IP6;
329  else {
330  DOCA_LOG_ERR("Expecting 4 or 6 value for \"ip-version\"");
331  return DOCA_ERROR_INVALID_VALUE;
332  }
333  return DOCA_SUCCESS;
334 }
335 
336 /*
337  * Parse IPv4 address from json object rule
338  *
339  * @cur_rule [in]: json object of the current rule to parse
340  * @ip_type [in]: src-ip/dst-ip/encap-dst-ip
341  * @ip [out]: the parsed dst_ip value
342  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
343  */
344 static doca_error_t create_ipv4(struct json_object *cur_rule, char *ip_type, doca_be32_t *ip)
345 {
346  doca_error_t result;
347  struct json_object *json_ip;
348 
349  if (!json_object_object_get_ex(cur_rule, ip_type, &json_ip)) {
350  DOCA_LOG_ERR("Missing %s", ip_type);
351  return DOCA_ERROR_INVALID_VALUE;
352  }
353  if (json_object_get_type(json_ip) != json_type_string) {
354  DOCA_LOG_ERR("Expecting a string value for \"%s\"", ip_type);
355  return DOCA_ERROR_INVALID_VALUE;
356  }
357 
358  result = parse_ipv4_str(json_object_get_string(json_ip), ip);
359  if (result != DOCA_SUCCESS)
360  return result;
361  return DOCA_SUCCESS;
362 }
363 
364 doca_error_t parse_ipv6_str(const char *str_ip, doca_be32_t ipv6_addr[])
365 {
366  int i;
367  struct in6_addr ip;
368 
369  if (inet_pton(AF_INET6, str_ip, &ip) != 1) {
370  DOCA_LOG_ERR("Wrong format of ipv6 address");
371  return DOCA_ERROR_INVALID_VALUE;
372  }
373  for (i = 0; i < 4; i++)
374  ipv6_addr[i] = ip.__in6_u.__u6_addr32[i];
375  return DOCA_SUCCESS;
376 }
377 
378 /*
379  * Parse IPv6 address from json object rule
380  *
381  * @cur_rule [in]: json object of the current rule to parse
382  * @ip_type [in]: src-ip/dst-ip/encap-dst-ip
383  * @ip [out]: the parsed ip value
384  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
385  */
386 static doca_error_t create_ipv6(struct json_object *cur_rule, char *ip_type, doca_be32_t ip[])
387 {
388  doca_error_t result;
389  struct json_object *json_ip;
390 
391  if (!json_object_object_get_ex(cur_rule, ip_type, &json_ip)) {
392  DOCA_LOG_ERR("Missing %s", ip_type);
393  return DOCA_ERROR_INVALID_VALUE;
394  }
395  if (json_object_get_type(json_ip) != json_type_string) {
396  DOCA_LOG_ERR("Expecting a string value for \"%s\"", ip_type);
397  return DOCA_ERROR_INVALID_VALUE;
398  }
399 
400  result = parse_ipv6_str(json_object_get_string(json_ip), ip);
401  if (result != DOCA_SUCCESS)
402  return result;
403  return DOCA_SUCCESS;
404 }
405 
406 /*
407  * Parse port from json object rule
408  *
409  * @cur_rule [in]: json object of the current rule to parse
410  * @port_type [in]: src-port/dst-port
411  * @port [out]: the parsed src_port value
412  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
413  */
414 static doca_error_t create_port(struct json_object *cur_rule, char *port_type, int *port)
415 {
416  struct json_object *json_port;
417 
418  if (!json_object_object_get_ex(cur_rule, port_type, &json_port)) {
419  DOCA_LOG_ERR("Missing %s", port_type);
420  return DOCA_ERROR_INVALID_VALUE;
421  }
422  if (json_object_get_type(json_port) != json_type_int) {
423  DOCA_LOG_ERR("Expecting a int value for \"%s\"", port_type);
424  return DOCA_ERROR_INVALID_VALUE;
425  }
426 
427  *port = json_object_get_int(json_port);
428  return DOCA_SUCCESS;
429 }
430 
431 /*
432  * Parse SPI from json object rule
433  *
434  * @cur_rule [in]: json object of the current rule to parse
435  * @esp_spi [out]: the parsed esp_spi value
436  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
437  */
438 static doca_error_t create_spi(struct json_object *cur_rule, doca_be32_t *esp_spi)
439 {
440  struct json_object *json_spi;
441 
442  if (!json_object_object_get_ex(cur_rule, "spi", &json_spi)) {
443  DOCA_LOG_ERR("Missing spi");
444  return DOCA_ERROR_INVALID_VALUE;
445  }
446  if (json_object_get_type(json_spi) != json_type_int) {
447  DOCA_LOG_ERR("Expecting a int value for \"spi\"");
448  return DOCA_ERROR_INVALID_VALUE;
449  }
450 
451  *esp_spi = (uint32_t)json_object_get_int64(json_spi);
452  return DOCA_SUCCESS;
453 }
454 
455 /*
456  * Parse IPv4 encrypt addresses from json object rule
457  *
458  * @cur_rule [in]: json object of the current rule to parse
459  * @rule [out]: the current encrypt rule to fill
460  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
461  */
462 static doca_error_t parse_encrypt_ipv4(struct json_object *cur_rule, struct encrypt_rule *rule)
463 {
464  doca_error_t result;
465 
466  result = create_ipv4(cur_rule, "src-ip", &rule->ip4.src_ip);
467  if (result != DOCA_SUCCESS)
468  return result;
469 
470  result = create_ipv4(cur_rule, "dst-ip", &rule->ip4.dst_ip);
471  if (result != DOCA_SUCCESS)
472  return result;
473 
474  return DOCA_SUCCESS;
475 }
476 
477 /*
478  * Parse IPv6 encrypt addresses from json object rule
479  *
480  * @cur_rule [in]: json object of the current rule to parse
481  * @rule [out]: the current encrypt rule to fill
482  * @ip6_table [out]: created hash table with IP addresses
483  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
484  */
485 static doca_error_t parse_encrypt_ipv6(struct json_object *cur_rule,
486  struct encrypt_rule *rule,
487  struct rte_hash **ip6_table)
488 {
489  int ret;
490  doca_error_t result;
491 
492  result = create_ipv6(cur_rule, "src-ip", rule->ip6.src_ip);
493  if (result != DOCA_SUCCESS)
494  return result;
495 
496  result = create_ipv6(cur_rule, "dst-ip", rule->ip6.dst_ip);
497  if (result != DOCA_SUCCESS)
498  return result;
499 
500  ret = rte_hash_lookup(*ip6_table, (void *)rule->ip6.src_ip);
501  if (ret < 0) {
502  ret = rte_hash_add_key(*ip6_table, rule->ip6.src_ip);
503  if (ret < 0) {
504  DOCA_LOG_ERR("Failed to add address to hash table");
505  return DOCA_ERROR_DRIVER;
506  }
507  }
508 
509  ret = rte_hash_lookup(*ip6_table, (void *)rule->ip6.dst_ip);
510  if (ret < 0) {
511  ret = rte_hash_add_key(*ip6_table, rule->ip6.dst_ip);
512  if (ret < 0) {
513  DOCA_LOG_ERR("Failed to add address to hash table");
514  return DOCA_ERROR_DRIVER;
515  }
516  }
517 
518  return DOCA_SUCCESS;
519 }
520 
521 /*
522  * Parse encap IP addresses from json object rule
523  *
524  * @cur_rule [in]: json object of the current rule to parse
525  * @rule [out]: the current encrypt rule to fill
526  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
527  */
528 static doca_error_t parse_encrypt_encap_ip(struct json_object *cur_rule, struct encrypt_rule *rule)
529 {
530  doca_error_t result;
531 
532  if (rule->encap_l3_type == DOCA_FLOW_L3_TYPE_IP4) {
533  result = create_ipv4(cur_rule, "encap-dst-ip", &rule->encap_dst_ip4);
534  if (result != DOCA_SUCCESS)
535  return result;
536  } else {
537  result = create_ipv6(cur_rule, "encap-dst-ip", rule->encap_dst_ip6);
538  if (result != DOCA_SUCCESS)
539  return result;
540  }
541  return DOCA_SUCCESS;
542 }
543 
544 /*
545  * Parse json object of the decryption rules and set it in decrypt_rules array
546  *
547  * @json_rules [in]: json object of the rules to parse
548  * @app_cfg [in/out]: internal array will hold the decryption rules
549  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
550  */
551 static doca_error_t parse_json_decrypt_rules(struct json_object *json_rules, struct ipsec_security_gw_config *app_cfg)
552 {
553  int i;
554  doca_error_t result;
555  struct json_object *cur_rule;
556 
557  DOCA_LOG_DBG("Number of decrypt rules in input file: %d", app_cfg->app_rules.nb_decrypt_rules);
558 
559  for (i = 0; i < app_cfg->app_rules.nb_decrypt_rules; i++) {
560  cur_rule = json_object_array_get_idx(json_rules, i);
561  result = create_l3_type(cur_rule, "ip-version", &app_cfg->app_rules.decrypt_rules[i].l3_type);
562  if (result != DOCA_SUCCESS)
563  return result;
564 
565  if (app_cfg->app_rules.decrypt_rules[i].l3_type == DOCA_FLOW_L3_TYPE_IP4) {
566  result = create_ipv4(cur_rule, "dst-ip", &app_cfg->app_rules.decrypt_rules[i].dst_ip4);
567  if (result != DOCA_SUCCESS)
568  return result;
569  } else {
570  result = create_ipv6(cur_rule, "dst-ip", app_cfg->app_rules.decrypt_rules[i].dst_ip6);
571  if (result != DOCA_SUCCESS)
572  return result;
573  }
574  result = create_spi(cur_rule, &app_cfg->app_rules.decrypt_rules[i].esp_spi);
575  if (result != DOCA_SUCCESS)
576  return result;
577 
578  result = create_l3_type(cur_rule,
579  "inner-ip-version",
580  &app_cfg->app_rules.decrypt_rules[i].inner_l3_type);
581  if (result != DOCA_SUCCESS)
582  return result;
583 
584  result = create_key_type(cur_rule, &app_cfg->app_rules.decrypt_rules[i].sa_attrs.key_type);
585  if (result != DOCA_SUCCESS)
586  return result;
587 
588  result = create_key(cur_rule,
589  app_cfg->app_rules.decrypt_rules[i].sa_attrs.key_type,
590  app_cfg->app_rules.decrypt_rules[i].sa_attrs.enc_key_data);
591  if (result != DOCA_SUCCESS)
592  return result;
593 
594  result = create_iv(cur_rule, &app_cfg->app_rules.decrypt_rules[i].sa_attrs.iv);
595  if (result != DOCA_SUCCESS)
596  return result;
597 
598  result = create_salt(cur_rule, &app_cfg->app_rules.decrypt_rules[i].sa_attrs.salt);
599  if (result != DOCA_SUCCESS)
600  return result;
601 
602  result = create_lifetime_threshold(cur_rule,
603  &app_cfg->app_rules.decrypt_rules[i].sa_attrs.lifetime_threshold);
604  if (result != DOCA_SUCCESS)
605  return result;
606 
607  result = create_esn_en(cur_rule, &app_cfg->app_rules.decrypt_rules[i].sa_attrs.esn_en);
608  if (result != DOCA_SUCCESS)
609  return result;
610  }
611  return DOCA_SUCCESS;
612 }
613 
614 /*
615  * Parse json object of the encryption rules and set it in encrypt_rules array
616  *
617  * @json_rules [in]: json object of the rules to parse
618  * @app_cfg [in/out]: application configuration structure, will holds the encryption rules
619  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
620  */
621 static doca_error_t parse_json_encrypt_rules(struct json_object *json_rules, struct ipsec_security_gw_config *app_cfg)
622 {
623  int i;
624  doca_error_t result;
625  struct json_object *cur_rule;
626 
627  DOCA_LOG_DBG("Number of encrypt rules in input file: %d", app_cfg->app_rules.nb_encrypt_rules);
628 
629  for (i = 0; i < app_cfg->app_rules.nb_encrypt_rules; i++) {
630  cur_rule = json_object_array_get_idx(json_rules, i);
631  result = create_l3_type(cur_rule, "ip-version", &app_cfg->app_rules.encrypt_rules[i].l3_type);
632  if (result != DOCA_SUCCESS)
633  return result;
634 
635  result = create_protocol(cur_rule, &app_cfg->app_rules.encrypt_rules[i].protocol);
636  if (result != DOCA_SUCCESS)
637  return result;
638 
639  result = create_l3_type(cur_rule,
640  "encap-ip-version",
641  &app_cfg->app_rules.encrypt_rules[i].encap_l3_type);
642  if (result != DOCA_SUCCESS)
643  return result;
644 
645  if (app_cfg->app_rules.encrypt_rules[i].l3_type == DOCA_FLOW_L3_TYPE_IP4) {
646  result = parse_encrypt_ipv4(cur_rule, &app_cfg->app_rules.encrypt_rules[i]);
647  if (result != DOCA_SUCCESS)
648  return result;
649  } else {
650  result =
651  parse_encrypt_ipv6(cur_rule, &app_cfg->app_rules.encrypt_rules[i], &app_cfg->ip6_table);
652  if (result != DOCA_SUCCESS)
653  return result;
654  }
655  if (app_cfg->mode == IPSEC_SECURITY_GW_TUNNEL) {
656  result = parse_encrypt_encap_ip(cur_rule, &app_cfg->app_rules.encrypt_rules[i]);
657  if (result != DOCA_SUCCESS)
658  return result;
659  }
660  result = create_port(cur_rule, "src-port", &app_cfg->app_rules.encrypt_rules[i].src_port);
661  if (result != DOCA_SUCCESS)
662  return result;
663 
664  result = create_port(cur_rule, "dst-port", &app_cfg->app_rules.encrypt_rules[i].dst_port);
665  if (result != DOCA_SUCCESS)
666  return result;
667 
668  result = create_spi(cur_rule, &app_cfg->app_rules.encrypt_rules[i].esp_spi);
669  if (result != DOCA_SUCCESS)
670  return result;
671 
672  result = create_key_type(cur_rule, &app_cfg->app_rules.encrypt_rules[i].sa_attrs.key_type);
673  if (result != DOCA_SUCCESS)
674  return result;
675 
676  result = create_key(cur_rule,
677  app_cfg->app_rules.encrypt_rules[i].sa_attrs.key_type,
678  app_cfg->app_rules.encrypt_rules[i].sa_attrs.enc_key_data);
679  if (result != DOCA_SUCCESS)
680  return result;
681 
682  result = create_iv(cur_rule, &app_cfg->app_rules.encrypt_rules[i].sa_attrs.iv);
683  if (result != DOCA_SUCCESS)
684  return result;
685 
686  result = create_salt(cur_rule, &app_cfg->app_rules.encrypt_rules[i].sa_attrs.salt);
687  if (result != DOCA_SUCCESS)
688  return result;
689 
690  result = create_lifetime_threshold(cur_rule,
691  &app_cfg->app_rules.encrypt_rules[i].sa_attrs.lifetime_threshold);
692  if (result != DOCA_SUCCESS)
693  return result;
694 
695  result = create_esn_en(cur_rule, &app_cfg->app_rules.encrypt_rules[i].sa_attrs.esn_en);
696  if (result != DOCA_SUCCESS)
697  return result;
698  }
699  return DOCA_SUCCESS;
700 }
701 
702 /*
703  * Parse json object for ESP offload string
704  *
705  * @json_config [in]: json config object
706  * @app_cfg [out]: application configuration struct
707  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
708  */
709 static doca_error_t parse_esp_offload(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
710 {
711  const char *offload_str;
712  struct json_object *esp_header_offload;
713 
714  if (!json_object_object_get_ex(json_config, "esp-header-offload", &esp_header_offload)) {
715  DOCA_LOG_DBG("Missing \"esp-header-offload\" parameter, default is offload both");
716  return DOCA_SUCCESS;
717  }
718  if (json_object_get_type(esp_header_offload) != json_type_string) {
719  DOCA_LOG_ERR("Expecting a string value for \"esp-header-offload\"");
720  return DOCA_ERROR_INVALID_VALUE;
721  }
722 
723  offload_str = json_object_get_string(esp_header_offload);
724  if (strcmp(offload_str, "both") == 0)
725  app_cfg->offload = IPSEC_SECURITY_GW_ESP_OFFLOAD_BOTH;
726  else if (strcmp(offload_str, "encap") == 0)
727  app_cfg->offload = IPSEC_SECURITY_GW_ESP_OFFLOAD_ENCAP;
728  else if (strcmp(offload_str, "decap") == 0)
729  app_cfg->offload = IPSEC_SECURITY_GW_ESP_OFFLOAD_DECAP;
730  else if (strcmp(offload_str, "none") == 0)
731  app_cfg->offload = IPSEC_SECURITY_GW_ESP_OFFLOAD_NONE;
732  else {
733  DOCA_LOG_ERR("ESP offload type %s is not supported", offload_str);
734  return DOCA_ERROR_INVALID_VALUE;
735  }
736 
737  return DOCA_SUCCESS;
738 }
739 
740 /*
741  * Parse json object for perf measurement string
742  *
743  * @json_config [in]: json config object
744  * @app_cfg [out]: application configuration struct
745  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
746  */
747 static doca_error_t parse_perf_measurement(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
748 {
749  const char *perf_str;
750  struct json_object *perf_measure;
751 
752  if (!json_object_object_get_ex(json_config, "perf-measurements", &perf_measure)) {
753  DOCA_LOG_DBG("Missing \"perf-measurements\" parameter, default is none");
754  return DOCA_SUCCESS;
755  }
756  if (json_object_get_type(perf_measure) != json_type_string) {
757  DOCA_LOG_ERR("Expecting a string value for \"perf-measurements\"");
758  return DOCA_ERROR_INVALID_VALUE;
759  }
760 
761  perf_str = json_object_get_string(perf_measure);
762  if (strcmp(perf_str, "none") == 0)
763  app_cfg->perf_measurement = IPSEC_SECURITY_GW_PERF_NONE;
764  else if (strcmp(perf_str, "insertion-rate") == 0)
765  app_cfg->perf_measurement = IPSEC_SECURITY_GW_PERF_INSERTION_RATE;
766  else if (strcmp(perf_str, "bandwidth") == 0)
767  app_cfg->perf_measurement = IPSEC_SECURITY_GW_PERF_BW;
768  else if (strcmp(perf_str, "both") == 0)
769  app_cfg->perf_measurement = IPSEC_SECURITY_GW_PERF_BOTH;
770  else {
771  DOCA_LOG_ERR("Perf type %s is not supported", perf_str);
772  return DOCA_ERROR_INVALID_VALUE;
773  }
774 
775  return DOCA_SUCCESS;
776 }
777 
778 /*
779  * Parse json object for SW anti-replay
780  *
781  * @json_config [in]: json config object
782  * @app_cfg [out]: application configuration struct
783  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
784  */
785 static doca_error_t parse_antireplay(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
786 {
787  struct json_object *sw_antireplay_enable;
788 
789  if (!json_object_object_get_ex(json_config, "sw-antireplay-enable", &sw_antireplay_enable)) {
790  DOCA_LOG_DBG("Missing \"sw-antireplay-enable\" parameter, using false as default");
791  return DOCA_SUCCESS;
792  }
793  if (json_object_get_type(sw_antireplay_enable) != json_type_boolean) {
794  DOCA_LOG_ERR("Expecting a bool value for \"sw-antireplay-enable\"");
795  return DOCA_ERROR_INVALID_VALUE;
796  }
797  app_cfg->sw_antireplay = json_object_get_boolean(sw_antireplay_enable);
798  return DOCA_SUCCESS;
799 }
800 
801 /*
802  * Parse json object for SW SN increment
803  *
804  * @json_config [in]: json config object
805  * @app_cfg [out]: application configuration struct
806  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
807  */
808 static doca_error_t parse_sn_inc(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
809 {
810  struct json_object *sw_sn_inc_enable;
811 
812  if (!json_object_object_get_ex(json_config, "sw-sn-inc-enable", &sw_sn_inc_enable)) {
813  DOCA_LOG_DBG("Missing \"sw-sn-inc-enable\" parameter, using false as default");
814  return DOCA_SUCCESS;
815  }
816  if (json_object_get_type(sw_sn_inc_enable) != json_type_boolean) {
817  DOCA_LOG_ERR("Expecting a bool value for \"sw-sn-inc-enable\"");
818  return DOCA_ERROR_INVALID_VALUE;
819  }
820  app_cfg->sw_sn_inc_enable = json_object_get_boolean(sw_sn_inc_enable);
821  return DOCA_SUCCESS;
822 }
823 
824 /*
825  * Parse json object for SN initial
826  *
827  * @json_config [in]: json config object
828  * @app_cfg [out]: application configuration struct
829  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
830  */
831 static doca_error_t parse_sn_initial(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
832 {
833  struct json_object *sn_init_config;
834  int64_t sn_init;
835 
836  if (!json_object_object_get_ex(json_config, "sn-initial", &sn_init_config)) {
837  DOCA_LOG_DBG("Missing \"sn_initial\" parameter, using zero as default");
838  return DOCA_SUCCESS;
839  }
840  if (json_object_get_type(sn_init_config) != json_type_int) {
841  DOCA_LOG_ERR("Expecting a int value for \"sn-initial\"");
842  return DOCA_ERROR_INVALID_VALUE;
843  }
844  sn_init = json_object_get_int64(sn_init_config); /* notice that in future use of 64 bits for SN (for e.g. ESN)
845  the maximum is 2^63 since we're reading int64 and not
846  uint64
847  */
848  if (sn_init < 0 || sn_init > UINT32_MAX) {
849  DOCA_LOG_ERR("\"sn-initial\" should get non-negative 32 bits value");
850  return DOCA_ERROR_INVALID_VALUE;
851  }
852  if (app_cfg->sw_antireplay && (UINT32_MAX - (uint32_t)sn_init < SW_WINDOW_SIZE)) {
853  DOCA_LOG_ERR("SN initial value is too close to the maximum value");
854  return DOCA_ERROR_INVALID_VALUE;
855  }
856  if (!app_cfg->sw_antireplay && (UINT32_MAX - (uint32_t)sn_init < HW_WINDOW_SIZE)) {
857  DOCA_LOG_ERR("SN initial value is too close to the maximum value");
858  return DOCA_ERROR_INVALID_VALUE;
859  }
860 
861  app_cfg->sn_initial = (uint64_t)sn_init;
862 
863  return DOCA_SUCCESS;
864 }
865 
866 /*
867  * Parse json object for switch configuration
868  *
869  * @json_config [in]: json config object
870  * @app_cfg [out]: application configuration struct
871  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
872  */
873 static doca_error_t parse_switch_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
874 {
875  struct json_object *switch_config;
876  bool is_switch;
877 
878  if (!json_object_object_get_ex(json_config, "switch", &switch_config)) {
879  DOCA_LOG_DBG("Missing \"switch\" parameter, using vnf mode");
880  return DOCA_SUCCESS;
881  }
882  if (json_object_get_type(switch_config) != json_type_boolean) {
883  DOCA_LOG_ERR("Expecting a bool value for \"switch\"");
884  return DOCA_ERROR_INVALID_VALUE;
885  }
886  is_switch = json_object_get_boolean(switch_config);
887  if (is_switch)
888  app_cfg->flow_mode = IPSEC_SECURITY_GW_SWITCH;
889 
890  return DOCA_SUCCESS;
891 }
892 
893 /*
894  * Parse json object for debug mode configuration
895  *
896  * @json_config [in]: json config object
897  * @app_cfg [out]: application configuration struct
898  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
899  */
900 static doca_error_t parse_debug_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
901 {
902  struct json_object *debug_config;
903  bool debug;
904 
905  if (!json_object_object_get_ex(json_config, "debug", &debug_config)) {
906  return DOCA_SUCCESS;
907  }
908  if (json_object_get_type(debug_config) != json_type_boolean) {
909  DOCA_LOG_ERR("Expecting a bool value for \"debug\"");
910  return DOCA_ERROR_INVALID_VALUE;
911  }
912  debug = json_object_get_boolean(debug_config);
913  if (debug)
914  app_cfg->debug_mode = true;
915 
916  return DOCA_SUCCESS;
917 }
918 
919 /*
920  * Parse json object for vxlan encap configuration
921  *
922  * @json_config [in]: json config object
923  * @app_cfg [out]: application configuration struct
924  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
925  */
926 static doca_error_t parse_vxlan_encap_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
927 {
928  struct json_object *vxlan_encap_config;
929  struct json_object *vni_config;
930  bool vxlan_encap;
931 
932  if (!json_object_object_get_ex(json_config, "vxlan-encap", &vxlan_encap_config)) {
933  return DOCA_SUCCESS;
934  }
935  if (json_object_get_type(vxlan_encap_config) != json_type_boolean) {
936  DOCA_LOG_ERR("Expecting a bool value for \"vxlan-encap\"");
937  return DOCA_ERROR_INVALID_VALUE;
938  }
939  vxlan_encap = json_object_get_boolean(vxlan_encap_config);
940  if (!vxlan_encap)
941  return DOCA_SUCCESS;
942 
943  app_cfg->vxlan_encap = true;
944  if (!json_object_object_get_ex(json_config, "vni", &vni_config)) {
945  app_cfg->vni = 1;
946  DOCA_LOG_DBG("Missing \"vni\" value, using 1 as default");
947  return DOCA_SUCCESS;
948  }
949  if (json_object_get_type(vni_config) != json_type_int) {
950  DOCA_LOG_ERR("Expecting a int value for \"vni\"");
951  return DOCA_ERROR_INVALID_VALUE;
952  }
953  app_cfg->vni = json_object_get_int(vni_config);
954 
955  return DOCA_SUCCESS;
956 }
957 
958 /*
959  * Parse json object for non-ESP marker encap configuration
960  *
961  * @json_config [in]: json config object
962  * @app_cfg [out]: application configuration struct
963  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
964  */
965 static doca_error_t parse_marker_encap_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
966 {
967  struct json_object *marker_encap_config;
968  bool marker_encap;
969 
970  if (!json_object_object_get_ex(json_config, "marker-encap", &marker_encap_config)) {
971  return DOCA_SUCCESS;
972  }
973  if (json_object_get_type(marker_encap_config) != json_type_boolean) {
974  DOCA_LOG_ERR("Expecting a bool value for \"marker-encap\"");
975  return DOCA_ERROR_INVALID_VALUE;
976  }
977  marker_encap = json_object_get_boolean(marker_encap_config);
978  if (!marker_encap)
979  return DOCA_SUCCESS;
980 
981  if (app_cfg->vxlan_encap) {
982  DOCA_LOG_ERR("Non-ESP marker not supported for VXLAN encapsulation");
983  return DOCA_ERROR_NOT_SUPPORTED;
984  }
985  app_cfg->marker_encap = true;
986  return DOCA_SUCCESS;
987 }
988 
989 /*
990  * Parse json object for bad syndrome fwd string
991  *
992  * @json_config [in]: json config object
993  * @app_cfg [out]: application configuration struct
994  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
995  */
996 static doca_error_t parse_bad_syndrome_fwd(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
997 {
998  const char *fwd_str;
999  struct json_object *fwd_obj;
1000 
1001  if (!json_object_object_get_ex(json_config, "fwd-bad-syndrome", &fwd_obj)) {
1002  DOCA_LOG_DBG("Missing \"fwd-bad-syndrome\" parameter, default is drop");
1003  return DOCA_SUCCESS;
1004  }
1005  if (json_object_get_type(fwd_obj) != json_type_string) {
1006  DOCA_LOG_ERR("Expecting a string value for \"fwd-bad-syndrome\"");
1007  return DOCA_ERROR_INVALID_VALUE;
1008  }
1009 
1010  fwd_str = json_object_get_string(fwd_obj);
1011  if (strcmp(fwd_str, "drop") == 0)
1012  app_cfg->syndrome_fwd = IPSEC_SECURITY_GW_FWD_SYNDROME_DROP;
1013  else if (strcmp(fwd_str, "rss") == 0)
1014  app_cfg->syndrome_fwd = IPSEC_SECURITY_GW_FWD_SYNDROME_RSS;
1015  else {
1016  DOCA_LOG_ERR("Forward syndrome type %s is not supported", fwd_str);
1017  return DOCA_ERROR_INVALID_VALUE;
1018  }
1019 
1020  return DOCA_SUCCESS;
1021 }
1022 
1023 /*
1024  * Parse json object for ICV length
1025  *
1026  * @json_config [in]: json config object
1027  * @app_cfg [out]: application configuration struct
1028  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1029  */
1030 static doca_error_t parse_icv_length(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
1031 {
1032  int icv_length_int;
1033  struct json_object *icv_length_config;
1034 
1035  if (!json_object_object_get_ex(json_config, "icv-length", &icv_length_config)) {
1036  DOCA_LOG_DBG("Missing \"icv_length\" parameter, default is 16");
1037  app_cfg->icv_length = DOCA_FLOW_CRYPTO_ICV_LENGTH_16;
1038  return DOCA_SUCCESS;
1039  }
1040  if (json_object_get_type(icv_length_config) != json_type_int) {
1041  DOCA_LOG_ERR("Expecting a int value for \"icv-length\"");
1042  return DOCA_ERROR_INVALID_VALUE;
1043  }
1044 
1045  icv_length_int = json_object_get_int(icv_length_config);
1046  switch (icv_length_int) {
1047  case 8:
1048  app_cfg->icv_length = DOCA_FLOW_CRYPTO_ICV_LENGTH_8;
1049  break;
1050  case 12:
1051  app_cfg->icv_length = DOCA_FLOW_CRYPTO_ICV_LENGTH_12;
1052  break;
1053  case 16:
1054  app_cfg->icv_length = DOCA_FLOW_CRYPTO_ICV_LENGTH_16;
1055  break;
1056  default:
1057  DOCA_LOG_ERR("ICV length can only be one of the following: 8, 12, 16");
1058  return DOCA_ERROR_INVALID_VALUE;
1059  }
1060  return DOCA_SUCCESS;
1061 }
1062 
1063 /*
1064  * Parse json object of the config
1065  *
1066  * @json_config [in]: json object of the config to parse
1067  * @app_cfg [out]: application configuration struct
1068  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1069  */
1070 static doca_error_t parse_json_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
1071 {
1072  doca_error_t result;
1073 
1074  result = parse_switch_config(json_config, app_cfg);
1075  if (result != DOCA_SUCCESS)
1076  return result;
1077 
1078  result = parse_antireplay(json_config, app_cfg);
1079  if (result != DOCA_SUCCESS)
1080  return result;
1081 
1082  result = parse_sn_initial(json_config, app_cfg);
1083  if (result != DOCA_SUCCESS)
1084  return result;
1085 
1086  result = parse_esp_offload(json_config, app_cfg);
1087  if (result != DOCA_SUCCESS)
1088  return result;
1089 
1090  result = parse_perf_measurement(json_config, app_cfg);
1091  if (result != DOCA_SUCCESS)
1092  return result;
1093 
1094  result = parse_sn_inc(json_config, app_cfg);
1095  if (result != DOCA_SUCCESS)
1096  return result;
1097 
1098  result = parse_debug_config(json_config, app_cfg);
1099  if (result != DOCA_SUCCESS)
1100  return result;
1101 
1102  if (app_cfg->debug_mode) {
1103  result = parse_bad_syndrome_fwd(json_config, app_cfg);
1104  if (result != DOCA_SUCCESS)
1105  return result;
1106  }
1107 
1108  result = parse_vxlan_encap_config(json_config, app_cfg);
1109  if (result != DOCA_SUCCESS)
1110  return result;
1111 
1112  result = parse_marker_encap_config(json_config, app_cfg);
1113  if (result != DOCA_SUCCESS)
1114  return result;
1115 
1116  result = parse_icv_length(json_config, app_cfg);
1117  if (result != DOCA_SUCCESS)
1118  return result;
1119 
1120  return DOCA_SUCCESS;
1121 }
1122 
1123 /*
1124  * Check the input file size and allocate a buffer to read it
1125  *
1126  * @fp [in]: file pointer to the input rules file
1127  * @file_length [out]: total bytes in file
1128  * @json_data [out]: allocated buffer, with null termination
1129  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1130  */
1131 static doca_error_t allocate_json_buffer_dynamic(FILE *fp, size_t *file_length, char **json_data)
1132 {
1133  ssize_t buf_len = 0;
1134 
1135  /* use fseek to put file counter to the end, and calculate file length */
1136  if (fseek(fp, 0L, SEEK_END) == 0) {
1137  buf_len = ftell(fp);
1138  if (buf_len < 0) {
1139  DOCA_LOG_ERR("ftell() function failed");
1140  return DOCA_ERROR_IO_FAILED;
1141  }
1142 
1143  /* dynamic allocation */
1144  *json_data = (char *)calloc(1, buf_len + 1);
1145  if (*json_data == NULL) {
1146  DOCA_LOG_ERR("malloc() function failed");
1147  return DOCA_ERROR_NO_MEMORY;
1148  }
1149 
1150  /* return file counter to the beginning */
1151  if (fseek(fp, 0L, SEEK_SET) != 0) {
1152  free(*json_data);
1153  *json_data = NULL;
1154  DOCA_LOG_ERR("fseek() function failed");
1155  return DOCA_ERROR_IO_FAILED;
1156  }
1157  }
1158  *file_length = buf_len;
1159  return DOCA_SUCCESS;
1160 }
1161 
1162 /*
1163  * Run validation check to the parsed application parameters
1164  * - in VNF mode the application should get both secured and unsecured ports
1165  * - in switch mode the application should get only secured port. If the unsecured port is passed it will be ignored
1166  *
1167  * @app_cfg [in]: application configuration struct
1168  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1169  */
1170 static doca_error_t validate_config(struct ipsec_security_gw_config *app_cfg)
1171 {
1172  if (app_cfg->objects.secured_dev.has_device == false) {
1173  DOCA_LOG_ERR("Secure port is missing");
1174  return DOCA_ERROR_INVALID_VALUE;
1175  }
1176 
1177  if (app_cfg->flow_mode == IPSEC_SECURITY_GW_VNF) {
1178  if (app_cfg->objects.unsecured_dev.has_device == false) {
1179  DOCA_LOG_ERR("Unsecure port is missing for vnf mode");
1180  return DOCA_ERROR_INVALID_VALUE;
1181  }
1182  if (app_cfg->objects.unsecured_dev.open_by_pci == true &&
1183  app_cfg->objects.unsecured_dev.open_by_name == true) {
1184  DOCA_LOG_ERR("Please specify only one parameter for the unsecured device: -u / -un");
1185  return DOCA_ERROR_INVALID_VALUE;
1186  }
1187  }
1188 
1189  if (app_cfg->objects.secured_dev.open_by_pci == true && app_cfg->objects.secured_dev.open_by_name == true) {
1190  DOCA_LOG_ERR("Please specify only one parameter for the secured device: -s / -sn");
1191  return DOCA_ERROR_INVALID_VALUE;
1192  }
1193 
1194  if (app_cfg->flow_mode == IPSEC_SECURITY_GW_SWITCH && app_cfg->objects.unsecured_dev.has_device == true)
1195  DOCA_LOG_WARN("In switch mode unsecure port parameter will be ignored");
1196 
1197  /* verify that encap is enabled if sw increment is enabled */
1198  if (app_cfg->sw_sn_inc_enable && (app_cfg->offload == IPSEC_SECURITY_GW_ESP_OFFLOAD_BOTH ||
1199  app_cfg->offload == IPSEC_SECURITY_GW_ESP_OFFLOAD_ENCAP)) {
1200  DOCA_LOG_ERR("SW SN Increment cannot be enabled when offloading encap");
1201  return DOCA_ERROR_INVALID_VALUE;
1202  }
1203  /* verify that encap is enabled if sw antireplay is enabled */
1204  if (app_cfg->sw_antireplay && (app_cfg->offload == IPSEC_SECURITY_GW_ESP_OFFLOAD_BOTH ||
1205  app_cfg->offload == IPSEC_SECURITY_GW_ESP_OFFLOAD_DECAP)) {
1206  DOCA_LOG_ERR("SW Anti-Replay cannot be enabled when offloading decap");
1207  return DOCA_ERROR_INVALID_VALUE;
1208  }
1209 
1210  return DOCA_SUCCESS;
1211 }
1212 
1213 /*
1214  * Create Hash table for IPv6 addresses
1215  *
1216  * @ip6_table [out]: the created hash table for ipv6 addresses
1217  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1218  */
1219 static doca_error_t create_ip6_table(struct rte_hash **ip6_table)
1220 {
1221  struct rte_hash_parameters table_params = {
1222  .name = "IPv6 table",
1223  .entries = MAX_NB_RULES * 2,
1224  .key_len = sizeof(uint32_t) * 4,
1225  .hash_func = rte_hash_crc,
1226  .hash_func_init_val = 0,
1227  };
1228 
1229  *ip6_table = rte_hash_create(&table_params);
1230  if (*ip6_table == NULL)
1231  return DOCA_ERROR_DRIVER;
1232 
1233  return DOCA_SUCCESS;
1234 }
1235 
1236 doca_error_t ipsec_security_gw_parse_config(struct ipsec_security_gw_config *app_cfg)
1237 {
1238  FILE *json_fp;
1239  size_t file_length;
1240  char *json_data = NULL;
1241  struct json_object *parsed_json;
1242  struct json_object *json_encrypt_rules;
1243  struct json_object *json_decrypt_rules;
1244  struct json_object *json_config;
1245  doca_error_t result;
1246  int nb_encrypt_alloc, nb_decrypt_alloc;
1247 
1248  result = create_ip6_table(&app_cfg->ip6_table);
1249  if (result != DOCA_SUCCESS) {
1250  DOCA_LOG_ERR("Failed to create table for ipv6 addresses");
1251  return result;
1252  }
1253 
1254  /* set default DOCA Flow mode to vnf */
1255  app_cfg->flow_mode = IPSEC_SECURITY_GW_VNF;
1256 
1257  json_fp = fopen(app_cfg->json_path, "r");
1258  if (json_fp == NULL) {
1259  DOCA_LOG_ERR("JSON file open failed");
1260  return DOCA_ERROR_IO_FAILED;
1261  }
1262 
1263  result = allocate_json_buffer_dynamic(json_fp, &file_length, &json_data);
1264  if (result != DOCA_SUCCESS) {
1265  fclose(json_fp);
1266  DOCA_LOG_ERR("Failed to allocate data buffer for the json file");
1267  return result;
1268  }
1269 
1270  if (fread(json_data, 1, file_length, json_fp) < file_length)
1271  DOCA_LOG_DBG("EOF reached");
1272  fclose(json_fp);
1273 
1274  parsed_json = json_tokener_parse(json_data);
1275 
1276  if (json_object_object_get_ex(parsed_json, "config", &json_config)) {
1277  result = parse_json_config(json_config, app_cfg);
1278  if (result != DOCA_SUCCESS) {
1279  DOCA_LOG_ERR("Failed to parse config");
1280  goto json_release;
1281  }
1282  }
1283 
1284  result = validate_config(app_cfg);
1285  if (result != DOCA_SUCCESS) {
1286  DOCA_LOG_ERR("Failed to validate config");
1287  goto json_release;
1288  }
1289 
1290  nb_encrypt_alloc = DYN_RESERVED_RULES;
1291  nb_decrypt_alloc = DYN_RESERVED_RULES;
1292  if (!app_cfg->socket_ctx.socket_conf) {
1293  if (!json_object_object_get_ex(parsed_json, "encrypt-rules", &json_encrypt_rules)) {
1294  DOCA_LOG_ERR("Missing \"encrypt_rules\" parameter");
1295  result = DOCA_ERROR_INVALID_VALUE;
1296  goto json_release;
1297  }
1298 
1299  if (!json_object_object_get_ex(parsed_json, "decrypt-rules", &json_decrypt_rules)) {
1300  DOCA_LOG_ERR("Missing \"decrypt_rules\" parameter");
1301  result = DOCA_ERROR_INVALID_VALUE;
1302  goto json_release;
1303  }
1304 
1305  app_cfg->app_rules.nb_encrypt_rules = json_object_array_length(json_encrypt_rules);
1306  app_cfg->app_rules.nb_decrypt_rules = json_object_array_length(json_decrypt_rules);
1307  if ((app_cfg->app_rules.nb_encrypt_rules > MAX_NB_RULES) ||
1308  (app_cfg->app_rules.nb_decrypt_rules > MAX_NB_RULES)) {
1309  DOCA_LOG_ERR("Number of rules exceeds the maximum number of rules allowed");
1310  result = DOCA_ERROR_INVALID_VALUE;
1311  goto json_release;
1312  }
1313 
1314  if (app_cfg->app_rules.nb_encrypt_rules == 0 && app_cfg->app_rules.nb_decrypt_rules == 0) {
1315  DOCA_LOG_ERR("No encrypt and decrypt rules were found");
1316  result = DOCA_ERROR_INVALID_VALUE;
1317  goto json_release;
1318  }
1319 
1320  app_cfg->app_rules.nb_rules = app_cfg->app_rules.nb_encrypt_rules + app_cfg->app_rules.nb_decrypt_rules;
1321 
1322  nb_encrypt_alloc = app_cfg->app_rules.nb_encrypt_rules;
1323  nb_decrypt_alloc = app_cfg->app_rules.nb_decrypt_rules;
1324  } else {
1325  app_cfg->app_rules.nb_encrypt_rules = nb_encrypt_alloc;
1326  app_cfg->app_rules.nb_decrypt_rules = nb_decrypt_alloc;
1327  }
1328 
1329  app_cfg->app_rules.encrypt_rules = (struct encrypt_rule *)calloc(nb_encrypt_alloc, sizeof(struct encrypt_rule));
1330  if (app_cfg->app_rules.encrypt_rules == NULL) {
1331  DOCA_LOG_ERR("calloc() function failed to allocate encryption rules array");
1332  result = DOCA_ERROR_NO_MEMORY;
1333  goto json_release;
1334  }
1335 
1336  app_cfg->app_rules.decrypt_rules = (struct decrypt_rule *)calloc(nb_decrypt_alloc, sizeof(struct decrypt_rule));
1337  if (app_cfg->app_rules.decrypt_rules == NULL) {
1338  DOCA_LOG_ERR("calloc() function failed to allocate decryption rules array");
1339  result = DOCA_ERROR_NO_MEMORY;
1340  goto encrypt_release;
1341  }
1342 
1343  /* parse the rules and insert to the allocated arrays */
1344  if (!app_cfg->socket_ctx.socket_conf) {
1345  result = parse_json_encrypt_rules(json_encrypt_rules, app_cfg);
1346  if (result != DOCA_SUCCESS) {
1347  DOCA_LOG_ERR("Failed to parse encrypt rules");
1348  goto dec_enc_release;
1349  }
1350 
1351  result = parse_json_decrypt_rules(json_decrypt_rules, app_cfg);
1352  if (result != DOCA_SUCCESS) {
1353  DOCA_LOG_ERR("Failed to parse decrypt rules");
1354  goto dec_enc_release;
1355  }
1356  }
1357  json_object_put(parsed_json);
1358  free(json_data);
1359  return DOCA_SUCCESS;
1360 dec_enc_release:
1361  free(app_cfg->app_rules.decrypt_rules);
1362 encrypt_release:
1363  free(app_cfg->app_rules.encrypt_rules);
1364 json_release:
1365  json_object_put(parsed_json);
1366  free(json_data);
1367  return result;
1368 }
1369 
1370 /*
1371  * Parse the input PCI address and set the relevant fields in the struct
1372  *
1373  * @param [in]: Input parameter
1374  * @dev_info [out]: device info struct
1375  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1376  */
1377 static doca_error_t parse_pci_param(void *param, struct ipsec_security_gw_dev_info *dev_info)
1378 {
1379  char *pci_addr = (char *)param;
1380 
1381  if (strnlen(pci_addr, DOCA_DEVINFO_PCI_ADDR_SIZE) == DOCA_DEVINFO_PCI_ADDR_SIZE) {
1382  DOCA_LOG_ERR("Entered device PCI address exceeding the maximum size of %d",
1383  DOCA_DEVINFO_PCI_ADDR_SIZE - 1);
1384  return DOCA_ERROR_INVALID_VALUE;
1385  }
1386 
1387  strlcpy(dev_info->pci_addr, pci_addr, DOCA_DEVINFO_PCI_ADDR_SIZE);
1388 
1389  dev_info->has_device = true;
1390  dev_info->open_by_pci = true;
1391 
1392  return DOCA_SUCCESS;
1393 }
1394 
1395 /*
1396  * Parse the input name and set the relevant fields in the struct
1397  *
1398  * @param [in]: Input parameter
1399  * @dev_info [out]: device info struct
1400  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1401  */
1402 static doca_error_t parse_iface_name_param(void *param, struct ipsec_security_gw_dev_info *dev_info)
1403 {
1404  char *iface_name = (char *)param;
1405 
1406  if (strnlen(iface_name, DOCA_DEVINFO_IFACE_NAME_SIZE) == DOCA_DEVINFO_IFACE_NAME_SIZE) {
1407  DOCA_LOG_ERR("Device name is too long - MAX=%d", DOCA_DEVINFO_IFACE_NAME_SIZE - 1);
1408  return DOCA_ERROR_INVALID_VALUE;
1409  }
1410  strlcpy(dev_info->iface_name, iface_name, DOCA_DEVINFO_IFACE_NAME_SIZE);
1411  dev_info->has_device = true;
1412  dev_info->open_by_name = true;
1413  return DOCA_SUCCESS;
1414 }
1415 
1416 /*
1417  * ARGP Callback - Handle DOCA device PCI address parameter for secured port
1418  *
1419  * @param [in]: Input parameter
1420  * @config [in/out]: Program configuration context
1421  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1422  */
1423 static doca_error_t secured_callback(void *param, void *config)
1424 {
1425  struct ipsec_security_gw_config *app_cfg = (struct ipsec_security_gw_config *)config;
1426 
1427  return parse_pci_param(param, &app_cfg->objects.secured_dev);
1428 }
1429 
1430 /*
1431  * ARGP Callback - Handle DOCA device PCI address parameter for unsecured port
1432  *
1433  * @param [in]: Input parameter
1434  * @config [in/out]: Program configuration context
1435  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1436  */
1437 static doca_error_t unsecured_callback(void *param, void *config)
1438 {
1439  struct ipsec_security_gw_config *app_cfg = (struct ipsec_security_gw_config *)config;
1440 
1441  return parse_pci_param(param, &app_cfg->objects.unsecured_dev);
1442 }
1443 
1444 /*
1445  * ARGP Callback - Handle DOCA device name for secured port
1446  *
1447  * @param [in]: Input parameter
1448  * @config [in/out]: Program configuration context
1449  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1450  */
1451 static doca_error_t secured_name_callback(void *param, void *config)
1452 {
1453  struct ipsec_security_gw_config *app_cfg = (struct ipsec_security_gw_config *)config;
1454 
1455  return parse_iface_name_param(param, &app_cfg->objects.secured_dev);
1456 }
1457 
1458 /*
1459  * ARGP Callback - Handle DOCA device name for unsecured port
1460  *
1461  * @param [in]: Input parameter
1462  * @config [in/out]: Program configuration context
1463  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1464  */
1465 static doca_error_t unsecured_name_callback(void *param, void *config)
1466 {
1467  struct ipsec_security_gw_config *app_cfg = (struct ipsec_security_gw_config *)config;
1468 
1469  return parse_iface_name_param(param, &app_cfg->objects.unsecured_dev);
1470 }
1471 
1472 /*
1473  * ARGP Callback - Handle number of cores parameter
1474  *
1475  * @param [in]: Input parameter
1476  * @config [in/out]: Program configuration context
1477  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1478  */
1479 static doca_error_t nb_cores_callback(void *param, void *config)
1480 {
1481  struct ipsec_security_gw_config *app_cfg = (struct ipsec_security_gw_config *)config;
1482 
1483  app_cfg->nb_cores = *(uint8_t *)param;
1484  if (app_cfg->nb_cores > MAX_CORES)
1485  DOCA_LOG_WARN(
1486  "The application's memory consumption depends on the amount of used cores, a value above %d might lead to unstable results",
1487  MAX_CORES);
1488 
1489  return DOCA_SUCCESS;
1490 }
1491 
1492 /*
1493  * ARGP Callback - Handle debug mode parameter
1494  *
1495  * @param [in]: Input parameter
1496  * @config [in/out]: Program configuration context
1497  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1498  */
1499 static doca_error_t debug_mode_callback(void *param, void *config)
1500 {
1501  struct ipsec_security_gw_config *app_cfg = (struct ipsec_security_gw_config *)config;
1502 
1503  app_cfg->debug_mode = *(bool *)param;
1504  return DOCA_SUCCESS;
1505 }
1506 
1507 /*
1508  * ARGP Callback - Handle rules file parameter
1509  *
1510  * @param [in]: Input parameter
1511  * @config [in/out]: Program configuration context
1512  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1513  */
1514 static doca_error_t config_callback(void *param, void *config)
1515 {
1516  struct ipsec_security_gw_config *app_cfg = (struct ipsec_security_gw_config *)config;
1517  const char *json_path = (char *)param;
1518 
1519  if (strnlen(json_path, MAX_FILE_NAME) == MAX_FILE_NAME) {
1520  DOCA_LOG_ERR("JSON file name is too long - MAX=%d", MAX_FILE_NAME - 1);
1521  return DOCA_ERROR_INVALID_VALUE;
1522  }
1523  if (access(json_path, F_OK) == -1) {
1524  DOCA_LOG_ERR("JSON file was not found %s", json_path);
1525  return DOCA_ERROR_NOT_FOUND;
1526  }
1527  strlcpy(app_cfg->json_path, json_path, MAX_FILE_NAME);
1528  return DOCA_SUCCESS;
1529 }
1530 
1531 /*
1532  * ARGP Callback - Handle application offload mode
1533  *
1534  * @param [in]: Input parameter
1535  * @config [in/out]: Program configuration context
1536  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1537  */
1538 static doca_error_t offload_mode_callback(void *param, void *config)
1539 {
1540  struct ipsec_security_gw_config *app_cfg = (struct ipsec_security_gw_config *)config;
1541  const char *mode = (char *)param;
1542 
1543  if (strcmp(mode, "tunnel") == 0)
1544  app_cfg->mode = IPSEC_SECURITY_GW_TUNNEL;
1545  else if (strcmp(mode, "transport") == 0)
1546  app_cfg->mode = IPSEC_SECURITY_GW_TRANSPORT;
1547  else if (strcmp(mode, "udp_transport") == 0)
1548  app_cfg->mode = IPSEC_SECURITY_GW_UDP_TRANSPORT;
1549  else {
1550  DOCA_LOG_ERR("Illegal running mode = [%s]", mode);
1551  return DOCA_ERROR_INVALID_VALUE;
1552  }
1553 
1554  return DOCA_SUCCESS;
1555 }
1556 
1557 /*
1558  * ARGP Callback - Handle application socket mode
1559  *
1560  * @param [in]: Input parameter
1561  * @config [in/out]: Program configuration context
1562  * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
1563  */
1564 static doca_error_t socket_callback(void *param, void *config)
1565 {
1566  struct ipsec_security_gw_config *app_cfg = (struct ipsec_security_gw_config *)config;
1567  char *file_path = (char *)param;
1568 
1569  if (strnlen(file_path, MAX_SOCKET_PATH_NAME) == MAX_SOCKET_PATH_NAME) {
1570  DOCA_LOG_ERR("File name is too long - MAX=%d", MAX_SOCKET_PATH_NAME - 1);
1571  return DOCA_ERROR_INVALID_VALUE;
1572  }
1573  strlcpy(app_cfg->socket_ctx.socket_path, file_path, MAX_SOCKET_PATH_NAME);
1574  app_cfg->socket_ctx.socket_conf = true;
1575  return DOCA_SUCCESS;
1576 }
1577 
1578 doca_error_t register_ipsec_security_gw_params(void)
1579 {
1580  doca_error_t result;
1581  struct doca_argp_param *secured_param, *unsecured_param, *config_param, *ipsec_mode, *socket_path,
1582  *secured_name_param, *unsecured_name_param, *nb_cores, *debug_mode;
1583 
1584  /* Create and register ingress pci param */
1585  result = doca_argp_param_create(&secured_param);
1586  if (result != DOCA_SUCCESS) {
1587  DOCA_LOG_ERR("Failed to create ARGP param: %s", doca_error_get_descr(result));
1588  return result;
1589  }
1590  doca_argp_param_set_short_name(secured_param, "s");
1591  doca_argp_param_set_long_name(secured_param, "secured");
1592  doca_argp_param_set_description(secured_param, "secured port pci-address");
1593  doca_argp_param_set_callback(secured_param, secured_callback);
1594  doca_argp_param_set_type(secured_param, DOCA_ARGP_TYPE_STRING);
1595  result = doca_argp_register_param(secured_param);
1596  if (result != DOCA_SUCCESS) {
1597  DOCA_LOG_ERR("Failed to register program param: %s", doca_error_get_descr(result));
1598  return result;
1599  }
1600 
1601  /* Create and register egress pci param */
1602  result = doca_argp_param_create(&unsecured_param);
1603  if (result != DOCA_SUCCESS) {
1604  DOCA_LOG_ERR("Failed to create ARGP param: %s", doca_error_get_descr(result));
1605  return result;
1606  }
1607  doca_argp_param_set_short_name(unsecured_param, "u");
1608  doca_argp_param_set_long_name(unsecured_param, "unsecured");
1609  doca_argp_param_set_description(unsecured_param, "unsecured port pci-address");
1610  doca_argp_param_set_callback(unsecured_param, unsecured_callback);
1611  doca_argp_param_set_type(unsecured_param, DOCA_ARGP_TYPE_STRING);
1612  result = doca_argp_register_param(unsecured_param);
1613  if (result != DOCA_SUCCESS) {
1614  DOCA_LOG_ERR("Failed to register program param: %s", doca_error_get_descr(result));
1615  return result;
1616  }
1617 
1618  /* Create and register json rules param */
1619  result = doca_argp_param_create(&config_param);
1620  if (result != DOCA_SUCCESS) {
1621  DOCA_LOG_ERR("Failed to create ARGP param: %s", doca_error_get_descr(result));
1622  return result;
1623  }
1624  doca_argp_param_set_short_name(config_param, "c");
1625  doca_argp_param_set_long_name(config_param, "config");
1626  doca_argp_param_set_description(config_param, "Path to the JSON file with application configuration");
1627  doca_argp_param_set_callback(config_param, config_callback);
1628  doca_argp_param_set_type(config_param, DOCA_ARGP_TYPE_STRING);
1629  doca_argp_param_set_mandatory(config_param);
1630  result = doca_argp_register_param(config_param);
1631  if (result != DOCA_SUCCESS) {
1632  DOCA_LOG_ERR("Failed to register program param: %s", doca_error_get_descr(result));
1633  return result;
1634  }
1635 
1636  /* Create and register offload mode param */
1637  result = doca_argp_param_create(&ipsec_mode);
1638  if (result != DOCA_SUCCESS) {
1639  DOCA_LOG_ERR("Failed to create ARGP param: %s", doca_error_get_descr(result));
1640  return result;
1641  }
1642  doca_argp_param_set_short_name(ipsec_mode, "m");
1643  doca_argp_param_set_long_name(ipsec_mode, "mode");
1644  doca_argp_param_set_description(ipsec_mode, "ipsec mode - {tunnel/transport/udp_transport}");
1645  doca_argp_param_set_callback(ipsec_mode, offload_mode_callback);
1646  doca_argp_param_set_type(ipsec_mode, DOCA_ARGP_TYPE_STRING);
1647  doca_argp_param_set_mandatory(ipsec_mode);
1648  result = doca_argp_register_param(ipsec_mode);
1649  if (result != DOCA_SUCCESS) {
1650  DOCA_LOG_ERR("Failed to register program param: %s", doca_error_get_descr(result));
1651  return result;
1652  }
1653 
1654  result = doca_argp_param_create(&socket_path);
1655  if (result != DOCA_SUCCESS) {
1656  DOCA_LOG_ERR("Failed to create ARGP param: %s", doca_error_get_descr(result));
1657  return result;
1658  }
1659  doca_argp_param_set_short_name(socket_path, "i");
1660  doca_argp_param_set_long_name(socket_path, "ipc");
1661  doca_argp_param_set_description(socket_path, "IPC socket file path");
1662  doca_argp_param_set_callback(socket_path, socket_callback);
1663  doca_argp_param_set_type(socket_path, DOCA_ARGP_TYPE_STRING);
1664  result = doca_argp_register_param(socket_path);
1665  if (result != DOCA_SUCCESS) {
1666  DOCA_LOG_ERR("Failed to register program param: %s", doca_error_get_descr(result));
1667  return result;
1668  }
1669 
1670  /* Create and register secured device name param */
1671  result = doca_argp_param_create(&secured_name_param);
1672  if (result != DOCA_SUCCESS) {
1673  DOCA_LOG_ERR("Failed to create ARGP param: %s", doca_error_get_descr(result));
1674  return result;
1675  }
1676  doca_argp_param_set_short_name(secured_name_param, "sn");
1677  doca_argp_param_set_long_name(secured_name_param, "secured-name");
1678  doca_argp_param_set_description(secured_name_param, "secured port interface name");
1679  doca_argp_param_set_callback(secured_name_param, secured_name_callback);
1680  doca_argp_param_set_type(secured_name_param, DOCA_ARGP_TYPE_STRING);
1681  result = doca_argp_register_param(secured_name_param);
1682  if (result != DOCA_SUCCESS) {
1683  DOCA_LOG_ERR("Failed to register program param: %s", doca_error_get_descr(result));
1684  return result;
1685  }
1686 
1687  /* Create and register unsecured device name param */
1688  result = doca_argp_param_create(&unsecured_name_param);
1689  if (result != DOCA_SUCCESS) {
1690  DOCA_LOG_ERR("Failed to create ARGP param: %s", doca_error_get_descr(result));
1691  return result;
1692  }
1693  doca_argp_param_set_short_name(unsecured_name_param, "un");
1694  doca_argp_param_set_long_name(unsecured_name_param, "unsecured-name");
1695  doca_argp_param_set_description(unsecured_name_param, "unsecured port interface name");
1696  doca_argp_param_set_callback(unsecured_name_param, unsecured_name_callback);
1697  doca_argp_param_set_type(unsecured_name_param, DOCA_ARGP_TYPE_STRING);
1698  result = doca_argp_register_param(unsecured_name_param);
1699  if (result != DOCA_SUCCESS) {
1700  DOCA_LOG_ERR("Failed to register program param: %s", doca_error_get_descr(result));
1701  return result;
1702  }
1703 
1704  /* Create and register unsecured device name param */
1705  result = doca_argp_param_create(&nb_cores);
1706  if (result != DOCA_SUCCESS) {
1707  DOCA_LOG_ERR("Failed to create ARGP param: %s", doca_error_get_descr(result));
1708  return result;
1709  }
1710  doca_argp_param_set_short_name(nb_cores, "n");
1711  doca_argp_param_set_long_name(nb_cores, "nb-cores");
1712  doca_argp_param_set_description(nb_cores, "number of cores");
1713  doca_argp_param_set_callback(nb_cores, nb_cores_callback);
1714  doca_argp_param_set_type(nb_cores, DOCA_ARGP_TYPE_INT);
1715  result = doca_argp_register_param(nb_cores);
1716  if (result != DOCA_SUCCESS) {
1717  DOCA_LOG_ERR("Failed to register program param: %s", doca_error_get_descr(result));
1718  return result;
1719  }
1720 
1721  /* Create and register debug mode param */
1722  result = doca_argp_param_create(&debug_mode);
1723  if (result != DOCA_SUCCESS) {
1724  DOCA_LOG_ERR("Failed to create ARGP param: %s", doca_error_get_descr(result));
1725  return result;
1726  }
1727  doca_argp_param_set_long_name(debug_mode, "debug");
1728  doca_argp_param_set_description(debug_mode, "Enable debug counters");
1729  doca_argp_param_set_callback(debug_mode, debug_mode_callback);
1730  doca_argp_param_set_type(debug_mode, DOCA_ARGP_TYPE_BOOLEAN);
1731  doca_argp_register_param(debug_mode);
1732 
1733  /* Register version callback for DOCA SDK & RUNTIME */
1734  result = doca_argp_register_version_callback(sdk_version_callback);
1735  if (result != DOCA_SUCCESS) {
1736  DOCA_LOG_ERR("Failed to register version callback: %s", doca_error_get_descr(result));
1737  return result;
1738  }
1739 
1740  return result;
1741 }
NULL
#define NULL
Definition: __stddef_null.h:26
result
int32_t result
Definition: app_shield_agent_core.h:3
MAX_CORES
#define MAX_CORES
Definition: config.c:42
create_esn_en
static doca_error_t create_esn_en(struct json_object *cur_rule, bool *esn_en)
Definition: config.c:254
create_port
static doca_error_t create_port(struct json_object *cur_rule, char *port_type, int *port)
Definition: config.c:414
parse_perf_measurement
static doca_error_t parse_perf_measurement(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:747
secured_name_callback
static doca_error_t secured_name_callback(void *param, void *config)
Definition: config.c:1451
create_key_type
static doca_error_t create_key_type(struct json_object *cur_rule, enum doca_flow_crypto_key_type *key_type)
Definition: config.c:127
parse_esp_offload
static doca_error_t parse_esp_offload(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:709
create_l3_type
static doca_error_t create_l3_type(struct json_object *cur_rule, char *ip_version_string, enum doca_flow_l3_type *l3_type)
Definition: config.c:307
create_salt
static doca_error_t create_salt(struct json_object *cur_rule, uint32_t *salt)
Definition: config.c:206
create_lifetime_threshold
static doca_error_t create_lifetime_threshold(struct json_object *cur_rule, uint32_t *lifetime_threshold)
Definition: config.c:230
parse_debug_config
static doca_error_t parse_debug_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:900
parse_encrypt_encap_ip
static doca_error_t parse_encrypt_encap_ip(struct json_object *cur_rule, struct encrypt_rule *rule)
Definition: config.c:528
secured_callback
static doca_error_t secured_callback(void *param, void *config)
Definition: config.c:1423
parse_sn_inc
static doca_error_t parse_sn_inc(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:808
create_iv
static doca_error_t create_iv(struct json_object *cur_rule, uint64_t *iv)
Definition: config.c:161
parse_json_decrypt_rules
static doca_error_t parse_json_decrypt_rules(struct json_object *json_rules, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:551
register_ipsec_security_gw_params
doca_error_t register_ipsec_security_gw_params(void)
Definition: config.c:1578
parse_iface_name_param
static doca_error_t parse_iface_name_param(void *param, struct ipsec_security_gw_dev_info *dev_info)
Definition: config.c:1402
parse_antireplay
static doca_error_t parse_antireplay(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:785
nb_cores_callback
static doca_error_t nb_cores_callback(void *param, void *config)
Definition: config.c:1479
parse_icv_length
static doca_error_t parse_icv_length(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:1030
create_ipv4
static doca_error_t create_ipv4(struct json_object *cur_rule, char *ip_type, doca_be32_t *ip)
Definition: config.c:344
ipsec_security_gw_parse_config
doca_error_t ipsec_security_gw_parse_config(struct ipsec_security_gw_config *app_cfg)
Definition: config.c:1236
create_key
static doca_error_t create_key(struct json_object *cur_rule, enum doca_flow_crypto_key_type key_type, uint8_t *key)
Definition: config.c:82
create_spi
static doca_error_t create_spi(struct json_object *cur_rule, doca_be32_t *esp_spi)
Definition: config.c:438
create_protocol
static doca_error_t create_protocol(struct json_object *cur_rule, enum doca_flow_l4_type_ext *protocol)
Definition: config.c:277
parse_vxlan_encap_config
static doca_error_t parse_vxlan_encap_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:926
debug_mode_callback
static doca_error_t debug_mode_callback(void *param, void *config)
Definition: config.c:1499
allocate_json_buffer_dynamic
static doca_error_t allocate_json_buffer_dynamic(FILE *fp, size_t *file_length, char **json_data)
Definition: config.c:1131
create_ip6_table
static doca_error_t create_ip6_table(struct rte_hash **ip6_table)
Definition: config.c:1219
parse_json_config
static doca_error_t parse_json_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:1070
offload_mode_callback
static doca_error_t offload_mode_callback(void *param, void *config)
Definition: config.c:1538
parse_sn_initial
static doca_error_t parse_sn_initial(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:831
socket_callback
static doca_error_t socket_callback(void *param, void *config)
Definition: config.c:1564
parse_bad_syndrome_fwd
static doca_error_t parse_bad_syndrome_fwd(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:996
unsecured_name_callback
static doca_error_t unsecured_name_callback(void *param, void *config)
Definition: config.c:1465
parse_hex_to_bytes
static doca_error_t parse_hex_to_bytes(const char *key_hex, size_t key_size, uint8_t *key)
Definition: config.c:52
config_callback
static doca_error_t config_callback(void *param, void *config)
Definition: config.c:1514
parse_marker_encap_config
static doca_error_t parse_marker_encap_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:965
validate_config
static doca_error_t validate_config(struct ipsec_security_gw_config *app_cfg)
Definition: config.c:1170
parse_switch_config
static doca_error_t parse_switch_config(struct json_object *json_config, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:873
create_ipv6
static doca_error_t create_ipv6(struct json_object *cur_rule, char *ip_type, doca_be32_t ip[])
Definition: config.c:386
parse_ipv6_str
doca_error_t parse_ipv6_str(const char *str_ip, doca_be32_t ipv6_addr[])
Definition: config.c:364
parse_encrypt_ipv4
static doca_error_t parse_encrypt_ipv4(struct json_object *cur_rule, struct encrypt_rule *rule)
Definition: config.c:462
parse_encrypt_ipv6
static doca_error_t parse_encrypt_ipv6(struct json_object *cur_rule, struct encrypt_rule *rule, struct rte_hash **ip6_table)
Definition: config.c:485
parse_json_encrypt_rules
static doca_error_t parse_json_encrypt_rules(struct json_object *json_rules, struct ipsec_security_gw_config *app_cfg)
Definition: config.c:621
parse_pci_param
static doca_error_t parse_pci_param(void *param, struct ipsec_security_gw_dev_info *dev_info)
Definition: config.c:1377
DOCA_LOG_REGISTER
DOCA_LOG_REGISTER(IPSEC_SECURITY_GW::config)
unsecured_callback
static doca_error_t unsecured_callback(void *param, void *config)
Definition: config.c:1437
dev_info
struct rte_eth_dev_info dev_info
Definition: device.c:32
doca_argp.h
doca_log.h
if
if(bitoffset % 64+bitlength > 64) result|
MAX_FILE_NAME
#define MAX_FILE_NAME
Definition: file_integrity_core.h:38
parse_protocol_string
doca_error_t parse_protocol_string(const char *protocol_str, enum doca_flow_l4_type_ext *protocol)
Definition: flow_parser.c:292
parse_ipv4_str
doca_error_t parse_ipv4_str(const char *str_ip, doca_be32_t *ipv4_addr)
Definition: flow_parser.c:268
flow_parser.h
app_cfg
static struct app_gpu_cfg app_cfg
Definition: gpu_packet_processing.c:40
doca_argp_param_set_description
DOCA_EXPERIMENTAL void doca_argp_param_set_description(struct doca_argp_param *param, const char *description)
Set the description of the program param, used during program usage.
doca_argp_param_set_long_name
DOCA_EXPERIMENTAL void doca_argp_param_set_long_name(struct doca_argp_param *param, const char *name)
Set the long name of the program param.
doca_argp_param_set_callback
DOCA_EXPERIMENTAL void doca_argp_param_set_callback(struct doca_argp_param *param, doca_argp_param_cb_t callback)
Set the callback function of the program param.
doca_argp_param_set_mandatory
DOCA_EXPERIMENTAL void doca_argp_param_set_mandatory(struct doca_argp_param *param)
Mark the program param as mandatory.
doca_argp_param_create
DOCA_EXPERIMENTAL doca_error_t doca_argp_param_create(struct doca_argp_param **param)
Create new program param.
doca_argp_param_set_type
DOCA_EXPERIMENTAL void doca_argp_param_set_type(struct doca_argp_param *param, enum doca_argp_type type)
Set the type of the param arguments.
doca_argp_register_version_callback
DOCA_EXPERIMENTAL doca_error_t doca_argp_register_version_callback(doca_argp_param_cb_t callback)
Register an alternative version callback.
doca_argp_param_set_short_name
DOCA_EXPERIMENTAL void doca_argp_param_set_short_name(struct doca_argp_param *param, const char *name)
Set the short name of the program param.
doca_argp_register_param
DOCA_EXPERIMENTAL doca_error_t doca_argp_register_param(struct doca_argp_param *input_param)
Register a program flag.
DOCA_ARGP_TYPE_STRING
@ DOCA_ARGP_TYPE_STRING
Definition: doca_argp.h:56
DOCA_ARGP_TYPE_BOOLEAN
@ DOCA_ARGP_TYPE_BOOLEAN
Definition: doca_argp.h:58
DOCA_ARGP_TYPE_INT
@ DOCA_ARGP_TYPE_INT
Definition: doca_argp.h:57
DOCA_DEVINFO_IFACE_NAME_SIZE
#define DOCA_DEVINFO_IFACE_NAME_SIZE
Buffer size to hold network interface name. Including a null terminator.
Definition: doca_dev.h:305
DOCA_DEVINFO_PCI_ADDR_SIZE
#define DOCA_DEVINFO_PCI_ADDR_SIZE
Buffer size to hold PCI BDF format: "XXXX:XX:XX.X". Including a null terminator.
Definition: doca_dev.h:313
doca_error_t
enum doca_error doca_error_t
DOCA API return codes.
doca_error_get_descr
DOCA_STABLE const char * doca_error_get_descr(doca_error_t error)
Returns the description string of an error code.
DOCA_ERROR_INVALID_VALUE
@ DOCA_ERROR_INVALID_VALUE
Definition: doca_error.h:44
DOCA_ERROR_NOT_FOUND
@ DOCA_ERROR_NOT_FOUND
Definition: doca_error.h:54
DOCA_ERROR_NOT_SUPPORTED
@ DOCA_ERROR_NOT_SUPPORTED
Definition: doca_error.h:42
DOCA_ERROR_IO_FAILED
@ DOCA_ERROR_IO_FAILED
Definition: doca_error.h:55
DOCA_SUCCESS
@ DOCA_SUCCESS
Definition: doca_error.h:38
DOCA_ERROR_NO_MEMORY
@ DOCA_ERROR_NO_MEMORY
Definition: doca_error.h:45
DOCA_ERROR_DRIVER
@ DOCA_ERROR_DRIVER
Definition: doca_error.h:59
doca_flow_crypto_key_type
doca_flow_crypto_key_type
doca flow crypto key type
Definition: doca_flow_crypto.h:112
DOCA_FLOW_CRYPTO_ICV_LENGTH_16
@ DOCA_FLOW_CRYPTO_ICV_LENGTH_16
Definition: doca_flow_crypto.h:127
DOCA_FLOW_CRYPTO_ICV_LENGTH_12
@ DOCA_FLOW_CRYPTO_ICV_LENGTH_12
Definition: doca_flow_crypto.h:125
DOCA_FLOW_CRYPTO_ICV_LENGTH_8
@ DOCA_FLOW_CRYPTO_ICV_LENGTH_8
Definition: doca_flow_crypto.h:123
DOCA_FLOW_CRYPTO_KEY_128
@ DOCA_FLOW_CRYPTO_KEY_128
Definition: doca_flow_crypto.h:113
DOCA_FLOW_CRYPTO_KEY_256
@ DOCA_FLOW_CRYPTO_KEY_256
Definition: doca_flow_crypto.h:115
doca_flow_l4_type_ext
doca_flow_l4_type_ext
doca flow layer 4 packet extend type
Definition: doca_flow_net.h:174
doca_flow_l3_type
doca_flow_l3_type
doca flow layer 3 packet type
Definition: doca_flow_net.h:136
DOCA_FLOW_L3_TYPE_IP6
@ DOCA_FLOW_L3_TYPE_IP6
Definition: doca_flow_net.h:141
DOCA_FLOW_L3_TYPE_IP4
@ DOCA_FLOW_L3_TYPE_IP4
Definition: doca_flow_net.h:139
DOCA_LOG_ERR
#define DOCA_LOG_ERR(format,...)
Generates an ERROR application log message.
Definition: doca_log.h:466
DOCA_LOG_WARN
#define DOCA_LOG_WARN(format,...)
Generates a WARNING application log message.
Definition: doca_log.h:476
DOCA_LOG_DBG
#define DOCA_LOG_DBG(format,...)
Generates a DEBUG application log message.
Definition: doca_log.h:496
doca_be32_t
uint32_t doca_be32_t
Definition: doca_types.h:121
SW_WINDOW_SIZE
#define SW_WINDOW_SIZE
Definition: ipsec_ctx.h:44
IPSEC_SECURITY_GW_FWD_SYNDROME_DROP
@ IPSEC_SECURITY_GW_FWD_SYNDROME_DROP
Definition: ipsec_ctx.h:209
IPSEC_SECURITY_GW_FWD_SYNDROME_RSS
@ IPSEC_SECURITY_GW_FWD_SYNDROME_RSS
Definition: ipsec_ctx.h:210
IPSEC_SECURITY_GW_UDP_TRANSPORT
@ IPSEC_SECURITY_GW_UDP_TRANSPORT
Definition: ipsec_ctx.h:182
IPSEC_SECURITY_GW_TUNNEL
@ IPSEC_SECURITY_GW_TUNNEL
Definition: ipsec_ctx.h:180
IPSEC_SECURITY_GW_TRANSPORT
@ IPSEC_SECURITY_GW_TRANSPORT
Definition: ipsec_ctx.h:181
HW_WINDOW_SIZE
#define HW_WINDOW_SIZE
Definition: ipsec_ctx.h:45
MAX_NB_RULES
#define MAX_NB_RULES
Definition: ipsec_ctx.h:40
IPSEC_SECURITY_GW_VNF
@ IPSEC_SECURITY_GW_VNF
Definition: ipsec_ctx.h:187
IPSEC_SECURITY_GW_SWITCH
@ IPSEC_SECURITY_GW_SWITCH
Definition: ipsec_ctx.h:188
IPSEC_SECURITY_GW_ESP_OFFLOAD_ENCAP
@ IPSEC_SECURITY_GW_ESP_OFFLOAD_ENCAP
Definition: ipsec_ctx.h:194
IPSEC_SECURITY_GW_ESP_OFFLOAD_DECAP
@ IPSEC_SECURITY_GW_ESP_OFFLOAD_DECAP
Definition: ipsec_ctx.h:195
IPSEC_SECURITY_GW_ESP_OFFLOAD_BOTH
@ IPSEC_SECURITY_GW_ESP_OFFLOAD_BOTH
Definition: ipsec_ctx.h:193
IPSEC_SECURITY_GW_ESP_OFFLOAD_NONE
@ IPSEC_SECURITY_GW_ESP_OFFLOAD_NONE
Definition: ipsec_ctx.h:196
DYN_RESERVED_RULES
#define DYN_RESERVED_RULES
Definition: ipsec_ctx.h:41
IPSEC_SECURITY_GW_PERF_NONE
@ IPSEC_SECURITY_GW_PERF_NONE
Definition: ipsec_ctx.h:201
IPSEC_SECURITY_GW_PERF_BW
@ IPSEC_SECURITY_GW_PERF_BW
Definition: ipsec_ctx.h:203
IPSEC_SECURITY_GW_PERF_BOTH
@ IPSEC_SECURITY_GW_PERF_BOTH
Definition: ipsec_ctx.h:204
IPSEC_SECURITY_GW_PERF_INSERTION_RATE
@ IPSEC_SECURITY_GW_PERF_INSERTION_RATE
Definition: ipsec_ctx.h:202
MAX_SOCKET_PATH_NAME
#define MAX_SOCKET_PATH_NAME
Definition: ipsec_ctx.h:38
unpack_uint64
uint64_t unpack_uint64(uint8_t **buffer)
Definition: pack.c:134
ip
rte_ipv6_hdr ip
Definition: psp_gw_flows.cpp:4
decrypt_rule
Definition: ipsec_ctx.h:80
encrypt_rule
Definition: ipsec_ctx.h:106
encrypt_rule::encap_dst_ip4
doca_be32_t encap_dst_ip4
Definition: ipsec_ctx.h:117
encrypt_rule::ip6
struct ipsec_security_gw_ip6 ip6
Definition: ipsec_ctx.h:111
encrypt_rule::encap_l3_type
enum doca_flow_l3_type encap_l3_type
Definition: ipsec_ctx.h:115
encrypt_rule::encap_dst_ip6
doca_be32_t encap_dst_ip6[4]
Definition: ipsec_ctx.h:118
encrypt_rule::ip4
struct ipsec_security_gw_ip4 ip4
Definition: ipsec_ctx.h:110
ipsec_security_gw_config
Definition: ipsec_ctx.h:238
ipsec_security_gw_config::mode
enum ipsec_security_gw_mode mode
Definition: ipsec_ctx.h:244
ipsec_security_gw_config::json_path
char json_path[MAX_FILE_NAME]
Definition: ipsec_ctx.h:250
ipsec_security_gw_dev_info
Definition: ipsec_ctx.h:214
ipsec_security_gw_ip4::dst_ip
doca_be32_t dst_ip
Definition: ipsec_ctx.h:96
ipsec_security_gw_ip4::src_ip
doca_be32_t src_ip
Definition: ipsec_ctx.h:95
ipsec_security_gw_ip6::src_ip
doca_be32_t src_ip[4]
Definition: ipsec_ctx.h:101
ipsec_security_gw_ip6::dst_ip
doca_be32_t dst_ip[4]
Definition: ipsec_ctx.h:102
vxlan_encap_config
Definition: flow_vxlan_encap_main.c:42
protocol
uint8_t protocol
Definition: telemetry_export_netflow_sample.c:11
strlcpy
size_t strlcpy(char *dst, const char *src, size_t size)
Definition: utils.c:123
sdk_version_callback
noreturn doca_error_t sdk_version_callback(void *param, void *doca_config)
Definition: utils.c:41