Re: [PATCH net-next v2 2/3] nfp: add framework to support ipsec offloading

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Leon Romanovsky <leon@kernel.org>
To: Yinjun Zhang <yinjun.zhang@corigine.com>
Cc: Cc: chengtian.liu@corigine.com,
	; Simon Horman <simon.horman@corigine.com>,
	David Miller <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, oss-drivers@corigine.com,
	Huanhuan Wang <huanhuan.wang@corigine.com>
Subject: Re: [PATCH net-next v2 2/3] nfp: add framework to support ipsec offloading
Date: Tue, 11 Oct 2022 11:41:47 +0300	[thread overview]
Message-ID: <Y0UsS9oxEuac8fmj@unreal> (raw)
In-Reply-To: <20221010070512.GA21559@nj-rack01-04.nji.corigine.com>

On Mon, Oct 10, 2022 at 03:05:12PM +0800, Yinjun Zhang wrote:
> Thanks for your comments and sorry for the late reply.
> 
> On Thu, Sep 29, 2022 at 11:10:12AM +0300, Leon Romanovsky wrote:
> > On Tue, Sep 27, 2022 at 12:27:06PM +0200, Simon Horman wrote:
> > > +struct nfp_net_ipsec_data {
> > > +	struct nfp_net_ipsec_sa_data sa_entries[NFP_NET_IPSEC_MAX_SA_CNT];
> > > +	unsigned int sa_free_stack[NFP_NET_IPSEC_MAX_SA_CNT];
> > > +	unsigned int sa_free_cnt;
> > 
> > I don't see in this patch what are you doing with this free_stack array,
> > but whole nfp_net_ipsec_data is more than 32Kb of arrays.
> >
> 
> `sa_free_stack` is used to maintain the used/available sa entries, which
> is initialized in `nfp_net_ipsec_init`.
> Yes, it's indeed a big array, and we're going to use pointer instead of array
> here.

Why do you want to use array and not Xarray?

> 
> > > +bool nfp_net_ipsec_tx_prep(struct nfp_net_dp *dp, struct sk_buff *skb,
> > > +			   struct nfp_ipsec_offload *offload_info)
> > > +{
> > > +	struct xfrm_offload *xo = xfrm_offload(skb);
> > > +	struct xfrm_state *x;
> > > +
> > > +	if (!xo)
> > > +		return false;
> > 
> > How is it possible in offload path?
> > Why do all drivers check sec_path length and not xo?
> > 
> 
> `tx_prep` is called in the tx datapath, we use `xo` to check if the
> packet needs offload-encrypto or not.

You didn't answer on any of my questions above.

How is it possible in offload path?
Why do all drivers check sec_path length and not xo?

> 
> > > +int nfp_net_ipsec_rx(struct nfp_meta_parsed *meta, struct sk_buff *skb)
> > > +{
> > > +	struct nfp_net_ipsec_sa_data *sa_data;
> > > +	struct net_device *netdev = skb->dev;
> > > +	struct nfp_net_ipsec_data *ipd;
> > > +	struct xfrm_offload *xo;
> > > +	struct nfp_net_dp *dp;
> > > +	struct xfrm_state *x;
> > > +	struct sec_path *sp;
> > > +	struct nfp_net *nn;
> > > +	int saidx;
> > > +
> > > +	nn = netdev_priv(netdev);
> > > +	ipd = nn->ipsec_data;
> > > +	dp = &nn->dp;
> > > +
> > > +	if (meta->ipsec_saidx == 0)
> > > +		return 0; /* No offload took place */
> > > +
> > > +	saidx = meta->ipsec_saidx - 1;
> > > +	if (saidx > NFP_NET_IPSEC_MAX_SA_CNT || saidx < 0) {
> > > +		nn_dp_warn(dp, "Invalid SAIDX from NIC %d\n", saidx);
> > 
> > No prints in data path that can be triggered from the network, please.
> > 
> 
> It's a ratelimit print, and it means severe error happens, probably
> unrecoverable, when running into this path.

The main part of the sentence is "... can be triggered from the network ..."

Thanks

next prev parent reply	other threads:[~2022-10-11  8:41 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-27 10:27 [PATCH net-next v2 0/3] nfp: IPsec offload support Simon Horman
2022-09-27 10:27 ` [PATCH net-next v2 1/3] nfp: extend capability and control words Simon Horman
2022-09-27 10:27 ` [PATCH net-next v2 2/3] nfp: add framework to support ipsec offloading Simon Horman
2022-09-29  8:10   ` Leon Romanovsky
     [not found]     ` <20221010070512.GA21559@nj-rack01-04.nji.corigine.com>
2022-10-11  8:41       ` Leon Romanovsky [this message]
2022-10-13  8:21         ` Yinjun Zhang
2022-09-27 10:27 ` [PATCH net-next v2 3/3] nfp: implement xfrm callbacks and expose ipsec offload feature to upper layer Simon Horman
2022-09-29  8:26   ` Leon Romanovsky
2022-10-10  7:14     ` Yinjun Zhang
2022-10-11  8:36       ` Leon Romanovsky
2022-09-29  2:42 ` [PATCH net-next v2 0/3] nfp: IPsec offload support Jakub Kicinski
2022-09-29  8:48   ` Simon Horman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y0UsS9oxEuac8fmj@unreal \
    --to=leon@kernel.org \
    --cc=chengtian.liu@corigine.com \
    --cc=yinjun.zhang@corigine.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.