From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>,
netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>,
Leon Romanovsky <leonro@nvidia.com>,
Raed Salem <raeds@nvidia.com>, Simon Horman <horms@kernel.org>
Subject: [net-next 15/15] net/mlx5e: Support IPsec upper TCP protocol selector
Date: Tue, 22 Aug 2023 22:10:12 -0700
Message-ID: <20230823051012.162483-16-saeed@kernel.org>
In-Reply-To: <20230823051012.162483-1-saeed@kernel.org>

From: Leon Romanovsky <leonro@nvidia.com>

Support TCP as protocol selector for policy and state in IPsec
packet offload mode.

Example of state configuration is as follows:
 ip xfrm state add src 192.168.25.3 dst 192.168.25.1 \
    proto esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' \
    0x54a7588d36873b031e4bd46301be5a86b3a53879 128 mode transport \
    offload packet dev re0 dir in sel src 192.168.25.3 dst 192.168.25.1 \
    proto tcp dport 9003

Acked-by: Raed Salem <raeds@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
.../mellanox/mlx5/core/en_accel/ipsec.c | 11 +++--
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 43 +++++++++++++------
2 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 2bbe232c2ffa..3b88a8bb7082 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -440,8 +440,9 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
+ if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP &&
+ x->sel.proto != IPPROTO_TCP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
return -EINVAL;
}
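Review bot: the three-way test on x->sel.proto and its extack string are repeated verbatim for x->selector.proto in mlx5e_xfrm_validate_policy(), so the two lists can drift the next time a protocol is added. A small helper that takes the proto value and returns whether the device can offload it, called from both validators, would keep the accepted set in one place. The message "other than TCP/UDP" also does not mention that IPPROTO_IP (no upper protocol selector) is accepted; a wording such as "upper protocol must be TCP or UDP" reads more clearly to the user who sees it through netlink.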
@@ -982,8 +983,10 @@ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (x->selector.proto != IPPROTO_IP && x->selector.proto != IPPROTO_UDP) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
+ if (x->selector.proto != IPPROTO_IP &&
+ x->selector.proto != IPPROTO_UDP &&
+ x->selector.proto != IPPROTO_TCP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
return -EINVAL;
}
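Review bot: policy validation now accepts IPPROTO_TCP here, but the commit message only shows a state example ("ip xfrm state add ... proto tcp dport 9003"). Since the subject line covers both policy and state, please add the matching policy example to the changelog so the feature can be tested end to end from the description alone. The condition is also wrapped differently from the one in mlx5e_xfrm_validate_state() (three lines here, two there); using the same layout in both places makes the duplication easier to spot.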
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index f5e29b7f5ba0..a1cfddd05bc4 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -936,23 +936,42 @@ static void setup_fte_reg_c4(struct mlx5_flow_spec *spec, u32 reqid)
static void setup_fte_upper_proto_match(struct mlx5_flow_spec *spec, struct upspec *upspec)
{
- if (upspec->proto != IPPROTO_UDP)
+ switch (upspec->proto) {
+ case IPPROTO_UDP:
+ if (upspec->dport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ udp_dport, upspec->dport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ udp_dport, upspec->dport);
+ }
+ if (upspec->sport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ udp_sport, upspec->sport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ udp_sport, upspec->sport);
+ }
+ break;
+ case IPPROTO_TCP:
+ if (upspec->dport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ tcp_dport, upspec->dport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ tcp_dport, upspec->dport);
+ }
+ if (upspec->sport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ tcp_sport, upspec->sport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ tcp_sport, upspec->sport);
+ }
+ break;
+ default:
return;
+ }
spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, ip_protocol);
MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, ip_protocol, upspec->proto);
- if (upspec->dport) {
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_dport,
- upspec->dport_mask);
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_dport, upspec->dport);
- }
-
- if (upspec->sport) {
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_sport,
- upspec->sport_mask);
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_sport, upspec->sport);
- }
}
static enum mlx5_flow_namespace_type ipsec_fs_get_ns(struct mlx5e_ipsec *ipsec,
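Review bot: the new IPPROTO_TCP case decides whether to install a port match from the port value (if (upspec->dport), if (upspec->sport)) and only then writes upspec->dport_mask / upspec->sport_mask into match_criteria, the same pattern as the UDP code it copies. If upspec can carry a non-zero mask together with a port value of 0, no port match is programmed and the rule matches every TCP port, which is broader than the selector asked for; testing the mask instead of the value would avoid that. The two case bodies are otherwise identical apart from the udp_/tcp_ field names, so a short local macro taking the field prefix would remove the duplicated block. It would also help to say in the changelog that the default: return path leaves the spec without any ip_protocol match, since that is now the behaviour for every selector protocol other than UDP and TCP.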
--
2.41.0