From: "Ananyev, Konstantin"
To: "Nicolau, Radu", "Iremonger, Bernard", "Medvedkin, Vladimir"
CC: "dev@dpdk.org", "mdr@ashroe.eu", "Richardson, Bruce", "Zhang, Roy Fan", "hemant.agrawal@nxp.com", "gakhil@marvell.com", "anoobj@marvell.com", "Doherty, Declan", "Sinha, Abhijit", "Buckley, Daniel M", "marchana@marvell.com", "ktejasree@marvell.com", "matan@nvidia.com"
Date: Tue, 12 Oct 2021 10:50:26 +0000
Subject: Re: [dpdk-dev] [PATCH v8 04/10] ipsec: add support for NAT-T
References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211011112945.2876-1-radu.nicolau@intel.com> <20211011112945.2876-5-radu.nicolau@intel.com>
In-Reply-To: <20211011112945.2876-5-radu.nicolau@intel.com>
>=20 > Add support for the IPsec NAT-Traversal use case for Tunnel mode > packets. >=20 > Signed-off-by: Declan Doherty > Signed-off-by: Radu Nicolau > Signed-off-by: Abhijit Sinha > Signed-off-by: Daniel Martin Buckley > Acked-by: Fan Zhang > --- > doc/guides/prog_guide/ipsec_lib.rst | 2 ++ > doc/guides/rel_notes/release_21_11.rst | 1 + > lib/ipsec/esp_outb.c | 9 +++++++++ > lib/ipsec/rte_ipsec_sa.h | 9 ++++++++- > lib/ipsec/sa.c | 28 +++++++++++++++++++++++--- > 5 files changed, 45 insertions(+), 4 deletions(-) >=20 > diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/= ipsec_lib.rst > index 93e213bf36..af51ff8131 100644 > --- a/doc/guides/prog_guide/ipsec_lib.rst > +++ b/doc/guides/prog_guide/ipsec_lib.rst > @@ -313,6 +313,8 @@ Supported features >=20 > * ESN and replay window. >=20 > +* NAT-T / UDP encapsulated ESP. > + > * algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, AES_CCM, CHACHA20_PO= LY1305, > AES_GMAC, HMAC-SHA1, NULL. >=20 > diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_note= s/release_21_11.rst > index 1a29640eea..73a566eaca 100644 > --- a/doc/guides/rel_notes/release_21_11.rst > +++ b/doc/guides/rel_notes/release_21_11.rst > @@ -137,6 +137,7 @@ New Features > * **IPsec library new features.** >=20 > * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES= _GMAC. > + * Added support for NAT-T / UDP encapsulated ESP >=20 >=20 > Removed Items > diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c > index a3f77469c3..0e3314b358 100644 > --- a/lib/ipsec/esp_outb.c > +++ b/lib/ipsec/esp_outb.c > @@ -5,6 +5,7 @@ > #include > #include > #include > +#include > #include > #include >=20 
> @@ -185,6 +186,14 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be= 64_t sqc, > /* copy tunnel pkt header */ > rte_memcpy(ph, sa->hdr, sa->hdr_len); >=20 > + /* if UDP encap is enabled update the dgram_len */ > + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) { > + struct rte_udp_hdr *udph =3D (struct rte_udp_hdr *) > + (ph - sizeof(struct rte_udp_hdr)); > + udph->dgram_len =3D rte_cpu_to_be_16(mb->pkt_len - sqh_len - > + sa->hdr_l3_off - sa->hdr_len); > + } > + > /* update original and new ip header fields */ > update_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen, > mb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc)); > diff --git a/lib/ipsec/rte_ipsec_sa.h b/lib/ipsec/rte_ipsec_sa.h > index cf51ad8338..3a22705055 100644 > --- a/lib/ipsec/rte_ipsec_sa.h > +++ b/lib/ipsec/rte_ipsec_sa.h > @@ -78,6 +78,7 @@ struct rte_ipsec_sa_prm { > * - for TUNNEL outer IP version (IPv4/IPv6) > * - are SA SQN operations 'atomic' > * - ESN enabled/disabled > + * - NAT-T UDP encapsulated (TUNNEL mode only) > * ... > */ >=20 > @@ -89,7 +90,8 @@ enum { > RTE_SATP_LOG2_SQN =3D RTE_SATP_LOG2_MODE + 2, > RTE_SATP_LOG2_ESN, > RTE_SATP_LOG2_ECN, > - RTE_SATP_LOG2_DSCP > + RTE_SATP_LOG2_DSCP, > + RTE_SATP_LOG2_NATT > }; >=20 > #define RTE_IPSEC_SATP_IPV_MASK (1ULL << RTE_SATP_LOG2_IPV) > @@ -125,6 +127,11 @@ enum { > #define RTE_IPSEC_SATP_DSCP_DISABLE (0ULL << RTE_SATP_LOG2_DSCP) > #define RTE_IPSEC_SATP_DSCP_ENABLE (1ULL << RTE_SATP_LOG2_DSCP) >=20 > +#define RTE_IPSEC_SATP_NATT_MASK (1ULL << RTE_SATP_LOG2_NATT) > +#define RTE_IPSEC_SATP_NATT_DISABLE (0ULL << RTE_SATP_LOG2_NATT) > +#define RTE_IPSEC_SATP_NATT_ENABLE (1ULL << RTE_SATP_LOG2_NATT) > + > + > /** > * get type of given SA > * @return > diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c > index 720e0f365b..1dd19467a6 100644 > --- a/lib/ipsec/sa.c > +++ b/lib/ipsec/sa.c > @@ -5,6 +5,7 @@ > #include > #include > #include > +#include > #include > #include >=20 
> @@ -217,6 +218,10 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uin= t64_t *type) > } else > return -EINVAL; >=20 > + /* check for UDP encapsulation flag */ > + if (prm->ipsec_xform.options.udp_encap =3D=3D 1) > + tp |=3D RTE_IPSEC_SATP_NATT_ENABLE; > + > /* check for ESN flag */ > if (prm->ipsec_xform.options.esn =3D=3D 0) > tp |=3D RTE_IPSEC_SATP_ESN_DISABLE; > @@ -355,12 +360,22 @@ esp_outb_tun_init(struct rte_ipsec_sa *sa, const st= ruct rte_ipsec_sa_prm *prm) > sa->hdr_len =3D prm->tun.hdr_len; > sa->hdr_l3_off =3D prm->tun.hdr_l3_off; >=20 > + memcpy(sa->hdr, prm->tun.hdr, prm->tun.hdr_len); > + > + /* insert UDP header if UDP encapsulation is inabled */ > + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) { > + struct rte_udp_hdr *udph =3D (struct rte_udp_hdr *) > + &sa->hdr[prm->tun.hdr_len]; I think we need a check somewhere here (probably in rte_ipsec_sa_init() or so) to make sure that new sa->hdr_len wouldn't overrun sizeof(sa->hdr). > + sa->hdr_len +=3D sizeof(struct rte_udp_hdr); > + udph->src_port =3D prm->ipsec_xform.udp.sport; > + udph->dst_port =3D prm->ipsec_xform.udp.dport; > + udph->dgram_cksum =3D 0; > + } > + > /* update l2_len and l3_len fields for outbound mbuf */ > sa->tx_offload.val =3D rte_mbuf_tx_offload(sa->hdr_l3_off, > sa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0); So for such packets UDP cksum will always be zero, and we don't need to set up l4_hdr or any TX L4 flags, correct? >=20 > - memcpy(sa->hdr, prm->tun.hdr, sa->hdr_len); > - > esp_outb_init(sa, sa->hdr_len); > } >=20 > @@ -372,7 +387,8 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte= _ipsec_sa_prm *prm, > const struct crypto_xform *cxf) > { > static const uint64_t msk =3D RTE_IPSEC_SATP_DIR_MASK | > - RTE_IPSEC_SATP_MODE_MASK; > + RTE_IPSEC_SATP_MODE_MASK | > + RTE_IPSEC_SATP_NATT_MASK; >=20 > if (prm->ipsec_xform.options.ecn) > sa->tos_mask |=3D RTE_IPV4_HDR_ECN_MASK; 
> @@ -475,10 +491,16 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct r= te_ipsec_sa_prm *prm, > case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS): > esp_inb_init(sa); > break; > + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4 | > + RTE_IPSEC_SATP_NATT_ENABLE): > + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6 | > + RTE_IPSEC_SATP_NATT_ENABLE): > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4): > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6): > esp_outb_tun_init(sa, prm); > break; > + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS | > + RTE_IPSEC_SATP_NATT_ENABLE): > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS): > esp_outb_init(sa, 0); > break; > -- > 2.25.1
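
Review bot: the new release-note bullet in doc/guides/rel_notes/release_21_11.rst ("Added support for NAT-T / UDP encapsulated ESP") has no trailing period, unlike the AEAD bullet directly above it. Add the period so the two entries under "IPsec library new features" read consistently.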
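
Review bot: the UDP header pointer in outb_tun_pkt_prepare() (lib/ipsec/esp_outb.c, hunk @@ -185) is computed as ph - sizeof(struct rte_udp_hdr), which points in front of the region that rte_memcpy(ph, sa->hdr, sa->hdr_len) has just filled. esp_outb_tun_init() in this same patch places the UDP header at &sa->hdr[prm->tun.hdr_len] and then grows sa->hdr_len, so in the packet it sits at the tail of the copied header, i.e. at ph + sa->hdr_len - sizeof(struct rte_udp_hdr); as written, dgram_len is stored outside the tunnel header and the real UDP length field keeps whatever the template held. The length expression also needs a second look: sa->hdr_len already contains sa->hdr_l3_off (the tx_offload setup uses sa->hdr_len - sa->hdr_l3_off as the L3 length), so subtracting both removes the L2 part twice, and subtracting the whole of sa->hdr_len leaves the UDP header itself out of the datagram length.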
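
Review bot: nothing in esp_outb_tun_init() (lib/ipsec/sa.c, hunk @@ -355) bounds prm->tun.hdr_len + sizeof(struct rte_udp_hdr) against sizeof(sa->hdr) before the UDP fields are written at &sa->hdr[prm->tun.hdr_len]. Whatever validation of tun.hdr_len exists outside this hunk has to be extended by the extra UDP header bytes when udp_encap is set, and it must run before this function, since the write here is unconditional once the NATT flag is on. Separately, after sa->hdr_len += sizeof(struct rte_udp_hdr) the value passed to rte_mbuf_tx_offload() as the L3 length (sa->hdr_len - sa->hdr_l3_off) includes the UDP header; please confirm that is intended or pass the L3 length without it. Minor: "inabled" in the new comment should be "enabled".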
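
Review bot: adding RTE_IPSEC_SATP_NATT_MASK to msk in esp_sa_init() (lib/ipsec/sa.c, hunk @@ -372) makes the NATT bit part of the switch key for every SA, but the following hunk adds NATT variants only for the RTE_IPSEC_SATP_DIR_OB cases. An inbound SA created with options.udp_encap == 1 therefore no longer matches the visible DIR_IB cases and esp_inb_init() is skipped for it. Either add the DIR_IB | ... | RTE_IPSEC_SATP_NATT_ENABLE cases, clear the bit for inbound SAs, or reject the combination in fill_sa_type(), and say in the commit message which directions are supported.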
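
Review bot: the new case for RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS | RTE_IPSEC_SATP_NATT_ENABLE in esp_sa_init() (lib/ipsec/sa.c, hunk @@ -475) falls through to esp_outb_init(sa, 0), so a transport-mode SA with udp_encap set is accepted but no UDP header is ever inserted. The rte_ipsec_sa.h comment added by this patch says "NAT-T UDP encapsulated (TUNNEL mode only)" and the commit message limits the feature to Tunnel mode, so this combination should fail SA creation instead of silently producing plain ESP; fill_sa_type() already returns -EINVAL for unsupported modes and is a natural place to reject it, in which case this case label can be dropped.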