DPDK 25.03.0-rc0
Data Structures | Functions
rte_ipsec.h File Reference
#include <rte_ipsec_sa.h>
#include <rte_mbuf.h>
#include <rte_ipsec_group.h>

Go to the source code of this file.

Data Structures

struct  rte_ipsec_state
 
struct  rte_ipsec_sa_pkt_func
 
struct  rte_ipsec_session
 

Functions

int rte_ipsec_session_prepare (struct rte_ipsec_session *ss)
 
static uint16_t rte_ipsec_pkt_crypto_prepare (const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num)
 
static __rte_experimental uint16_t rte_ipsec_pkt_crypto_prepare_stateless (const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num, struct rte_ipsec_state *state)
 
static __rte_experimental uint16_t rte_ipsec_pkt_cpu_prepare_stateless (const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num, struct rte_ipsec_state *state)
 
static uint16_t rte_ipsec_pkt_process (const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num)
 
int rte_ipsec_telemetry_sa_add (const struct rte_ipsec_sa *sa)
 
void rte_ipsec_telemetry_sa_del (const struct rte_ipsec_sa *sa)
 

Detailed Description

RTE IPsec support.

librte_ipsec provides a framework for data-path IPsec protocol processing (ESP/AH).

Definition in file rte_ipsec.h.

Function Documentation

◆ rte_ipsec_session_prepare()

int rte_ipsec_session_prepare ( struct rte_ipsec_session ss)

Checks that inside given rte_ipsec_session crypto/security fields are filled correctly and setups function pointers based on these values. Expects that all fields except IPsec processing function pointers (pkt_func) will be filled correctly by caller.

Parameters
ssPointer to the rte_ipsec_session object
Returns
  • Zero if operation completed successfully.
  • -EINVAL if the parameters are invalid.
Examples
examples/ipsec-secgw/sa.c.

◆ rte_ipsec_pkt_crypto_prepare()

static uint16_t rte_ipsec_pkt_crypto_prepare ( const struct rte_ipsec_session ss,
struct rte_mbuf mb[],
struct rte_crypto_op cop[],
uint16_t  num 
)
inlinestatic

For input mbufs and given IPsec session prepare crypto ops that can be enqueued into the cryptodev associated with given session. expects that for each input packet:

  • l2_len, l3_len are setup correctly Note that erroneous mbufs are not freed by the function, but are placed beyond last valid mbuf in the mb array. It is a user responsibility to handle them further.
    Parameters
    ssPointer to the rte_ipsec_session object the packets belong to.
    mbThe address of an array of num pointers to rte_mbuf structures which contain the input packets.
    copThe address of an array of num pointers to the output rte_crypto_op structures.
    numThe maximum number of packets to process.
    Returns
    Number of successfully processed packets, with error code set in rte_errno.
Examples
examples/ipsec-secgw/ipsec_process.c.

Definition at line 138 of file rte_ipsec.h.

◆ rte_ipsec_pkt_crypto_prepare_stateless()

static __rte_experimental uint16_t rte_ipsec_pkt_crypto_prepare_stateless ( const struct rte_ipsec_session ss,
struct rte_mbuf mb[],
struct rte_crypto_op cop[],
uint16_t  num,
struct rte_ipsec_state state 
)
inlinestatic

Same as rte_ipsec_pkt_crypto_prepare, but processing is done based on IPsec state provided by the 'state' parameter. Internal IPsec state won't be updated when this API is called.

For input mbufs and given IPsec session prepare crypto ops that can be enqueued into the cryptodev associated with given session. expects that for each input packet:

  • l2_len, l3_len are setup correctly Note that erroneous mbufs are not freed by the function, but are placed beyond last valid mbuf in the mb array. It is a user responsibility to handle them further.
    Parameters
    ssPointer to the rte_ipsec_session object the packets belong to.
    mbThe address of an array of num pointers to rte_mbuf structures which contain the input packets.
    copThe address of an array of num pointers to the output rte_crypto_op structures.
    numThe maximum number of packets to process.
    stateThe IPsec state to be used for processing current batch of packets.
    Returns
    Number of successfully processed packets, with error code set in rte_errno.

Definition at line 180 of file rte_ipsec.h.

◆ rte_ipsec_pkt_cpu_prepare_stateless()

static __rte_experimental uint16_t rte_ipsec_pkt_cpu_prepare_stateless ( const struct rte_ipsec_session ss,
struct rte_mbuf mb[],
uint16_t  num,
struct rte_ipsec_state state 
)
inlinestatic

Same as rte_ipsec_pkt_crypto_prepare_stateless, but processing is done in synchronous mode.

Parameters
ssPointer to the rte_ipsec_session object the packets belong to.
mbThe address of an array of num pointers to rte_mbuf structures which contain the input packets.
numThe maximum number of packets to process.
stateThe IPsec state to be used for processing current batch of packets.
Returns
Number of successfully processed packets, with error code set in rte_errno.

Definition at line 205 of file rte_ipsec.h.

◆ rte_ipsec_pkt_process()

static uint16_t rte_ipsec_pkt_process ( const struct rte_ipsec_session ss,
struct rte_mbuf mb[],
uint16_t  num 
)
inlinestatic

Finalise processing of packets after crypto-dev finished with them or process packets that are subjects to inline IPsec offload. Expects that for each input packet:

  • l2_len, l3_len are setup correctly Output mbufs will be: inbound - decrypted & authenticated, ESP(AH) related headers removed, l2_len and l3_len fields are updated. outbound - appropriate mbuf fields (ol_flags, tx_offloads, etc.) properly setup, if necessary - IP headers updated, ESP(AH) fields added, Note that erroneous mbufs are not freed by the function, but are placed beyond last valid mbuf in the mb array. It is a user responsibility to handle them further.
    Parameters
    ssPointer to the rte_ipsec_session object the packets belong to.
    mbThe address of an array of num pointers to rte_mbuf structures which contain the input packets.
    numThe maximum number of packets to process.
    Returns
    Number of successfully processed packets, with error code set in rte_errno.
Examples
examples/ipsec-secgw/ipsec_process.c, and examples/ipsec-secgw/ipsec_worker.c.

Definition at line 235 of file rte_ipsec.h.

◆ rte_ipsec_telemetry_sa_add()

int rte_ipsec_telemetry_sa_add ( const struct rte_ipsec_sa *  sa)

Enable per SA telemetry for a specific SA. Note that this function is not thread safe

Parameters
saPointer to the rte_ipsec_sa object that will have telemetry enabled.
Returns
0 on success, negative value otherwise.
Examples
examples/ipsec-secgw/sa.c.

◆ rte_ipsec_telemetry_sa_del()

void rte_ipsec_telemetry_sa_del ( const struct rte_ipsec_sa *  sa)

Disable per SA telemetry for a specific SA. Note that this function is not thread safe

Parameters
saPointer to the rte_ipsec_sa object that will have telemetry disabled.