#include <rte_ipsec_sa.h>
#include <rte_mbuf.h>
#include <rte_ipsec_group.h>

Data Structures
struct	rte_ipsec_state

struct	rte_ipsec_sa_pkt_func

struct	rte_ipsec_session

Functions
int	rte_ipsec_session_prepare (struct rte_ipsec_session *ss)

static uint16_t	rte_ipsec_pkt_crypto_prepare (const struct rte_ipsec_session ss, struct rte_mbuf mb[], struct rte_crypto_op *cop[], uint16_t num)

static __rte_experimental uint16_t	rte_ipsec_pkt_crypto_prepare_stateless (const struct rte_ipsec_session ss, struct rte_mbuf mb[], struct rte_crypto_op cop[], uint16_t num, struct rte_ipsec_state state)

static __rte_experimental uint16_t	rte_ipsec_pkt_cpu_prepare_stateless (const struct rte_ipsec_session ss, struct rte_mbuf mb[], uint16_t num, struct rte_ipsec_state *state)

static uint16_t	rte_ipsec_pkt_process (const struct rte_ipsec_session ss, struct rte_mbuf mb[], uint16_t num)

int	rte_ipsec_telemetry_sa_add (const struct rte_ipsec_sa *sa)

void	rte_ipsec_telemetry_sa_del (const struct rte_ipsec_sa *sa)

Detailed Description

RTE IPsec support.

librte_ipsec provides a framework for data-path IPsec protocol processing (ESP/AH).

Definition in file rte_ipsec.h.

Function Documentation

◆ rte_ipsec_session_prepare()

int rte_ipsec_session_prepare ( struct rte_ipsec_session * ss )

Checks that inside given rte_ipsec_session crypto/security fields are filled correctly and setups function pointers based on these values. Expects that all fields except IPsec processing function pointers (pkt_func) will be filled correctly by caller.

Parameters

ss	Pointer to the rte_ipsec_session object

Returns

Zero if operation completed successfully.
-EINVAL if the parameters are invalid.

Examples:: examples/ipsec-secgw/sa.c.

◆ rte_ipsec_pkt_crypto_prepare()

static uint16_t rte_ipsec_pkt_crypto_prepare	(	const struct rte_ipsec_session *	ss,
		struct rte_mbuf *	mb[],
		struct rte_crypto_op *	cop[],
		uint16_t	num
	)

inlinestatic

For input mbufs and given IPsec session prepare crypto ops that can be enqueued into the cryptodev associated with given session. expects that for each input packet:

l2_len, l3_len are setup correctly Note that erroneous mbufs are not freed by the function, but are placed beyond last valid mbuf in the mb array. It is a user responsibility to handle them further.

Parameters

ss	Pointer to the rte_ipsec_session object the packets belong to.
mb	The address of an array of num pointers to rte_mbuf structures which contain the input packets.
cop	The address of an array of num pointers to the output rte_crypto_op structures.
num	The maximum number of packets to process.

Returns: Number of successfully processed packets, with error code set in rte_errno.

Examples:: examples/ipsec-secgw/ipsec_process.c.

Definition at line 138 of file rte_ipsec.h.

◆ rte_ipsec_pkt_crypto_prepare_stateless()

static __rte_experimental uint16_t rte_ipsec_pkt_crypto_prepare_stateless	(	const struct rte_ipsec_session *	ss,
		struct rte_mbuf *	mb[],
		struct rte_crypto_op *	cop[],
		uint16_t	num,
		struct rte_ipsec_state *	state
	)

inlinestatic

Same as rte_ipsec_pkt_crypto_prepare, but processing is done based on IPsec state provided by the 'state' parameter. Internal IPsec state won't be updated when this API is called.

For input mbufs and given IPsec session prepare crypto ops that can be enqueued into the cryptodev associated with given session. expects that for each input packet:

l2_len, l3_len are setup correctly Note that erroneous mbufs are not freed by the function, but are placed beyond last valid mbuf in the mb array. It is a user responsibility to handle them further.

Parameters

ss	Pointer to the rte_ipsec_session object the packets belong to.
mb	The address of an array of num pointers to rte_mbuf structures which contain the input packets.
cop	The address of an array of num pointers to the output rte_crypto_op structures.
num	The maximum number of packets to process.
state	The IPsec state to be used for processing current batch of packets.

Returns: Number of successfully processed packets, with error code set in rte_errno.

Definition at line 180 of file rte_ipsec.h.

◆ rte_ipsec_pkt_cpu_prepare_stateless()

static __rte_experimental uint16_t rte_ipsec_pkt_cpu_prepare_stateless	(	const struct rte_ipsec_session *	ss,
		struct rte_mbuf *	mb[],
		uint16_t	num,
		struct rte_ipsec_state *	state
	)

inlinestatic

Same as rte_ipsec_pkt_crypto_prepare_stateless, but processing is done in synchronous mode.

Parameters

ss	Pointer to the rte_ipsec_session object the packets belong to.
mb	The address of an array of num pointers to rte_mbuf structures which contain the input packets.
num	The maximum number of packets to process.
state	The IPsec state to be used for processing current batch of packets.

Returns: Number of successfully processed packets, with error code set in rte_errno.

Definition at line 205 of file rte_ipsec.h.

◆ rte_ipsec_pkt_process()

static uint16_t rte_ipsec_pkt_process	(	const struct rte_ipsec_session *	ss,
		struct rte_mbuf *	mb[],
		uint16_t	num
	)

inlinestatic

Finalise processing of packets after crypto-dev finished with them or process packets that are subjects to inline IPsec offload. Expects that for each input packet:

l2_len, l3_len are setup correctly Output mbufs will be: inbound - decrypted & authenticated, ESP(AH) related headers removed, l2_len and l3_len fields are updated. outbound - appropriate mbuf fields (ol_flags, tx_offloads, etc.) properly setup, if necessary - IP headers updated, ESP(AH) fields added, Note that erroneous mbufs are not freed by the function, but are placed beyond last valid mbuf in the mb array. It is a user responsibility to handle them further.

Parameters

ss	Pointer to the rte_ipsec_session object the packets belong to.
mb	The address of an array of num pointers to rte_mbuf structures which contain the input packets.
num	The maximum number of packets to process.

Returns: Number of successfully processed packets, with error code set in rte_errno.

Examples:: examples/ipsec-secgw/ipsec_process.c, and examples/ipsec-secgw/ipsec_worker.c.

Definition at line 235 of file rte_ipsec.h.

◆ rte_ipsec_telemetry_sa_add()

int rte_ipsec_telemetry_sa_add ( const struct rte_ipsec_sa * sa )

Enable per SA telemetry for a specific SA. Note that this function is not thread safe

Parameters

sa	Pointer to the rte_ipsec_sa object that will have telemetry enabled.

Returns: 0 on success, negative value otherwise.

Examples:: examples/ipsec-secgw/sa.c.

◆ rte_ipsec_telemetry_sa_del()

void rte_ipsec_telemetry_sa_del ( const struct rte_ipsec_sa * sa )

Disable per SA telemetry for a specific SA. Note that this function is not thread safe

Parameters

sa	Pointer to the rte_ipsec_sa object that will have telemetry disabled.

Data Structures

Functions

Detailed Description

Function Documentation

◆ rte_ipsec_session_prepare()

◆ rte_ipsec_pkt_crypto_prepare()

◆ rte_ipsec_pkt_crypto_prepare_stateless()

◆ rte_ipsec_pkt_cpu_prepare_stateless()

◆ rte_ipsec_pkt_process()

◆ rte_ipsec_telemetry_sa_add()

◆ rte_ipsec_telemetry_sa_del()