From: Antony Antony <antony.antony@secunet.com>
To: Leon Romanovsky <leon@kernel.org>
Cc: Antony Antony <antony.antony@secunet.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
<netdev@vger.kernel.org>, <devel@linux-ipsec.org>,
Eyal Birger <eyal.birger@gmail.com>
Subject: Re: [PATCH ipsec-next v3] xfrm: Add Direction to the SA in or out
Date: Wed, 13 Mar 2024 22:03:35 +0100 [thread overview]
Message-ID: <ZfIUpy2u7VeuiAgU@moon.secunet.de> (raw)
In-Reply-To: <20240313085430.GW12921@unreal>
Hi Leon,
On Wed, Mar 13, 2024 at 10:54:30 +0200, Leon Romanovsky wrote:
> On Tue, Mar 12, 2024 at 08:59:29PM +0100, Antony Antony wrote:
> > This patch introduces the 'dir' attribute, 'in' or 'out', to the
> > xfrm_state, SA, enhancing usability by delineating the scope of values
> > based on direction. An input SA will now exclusively encompass values
> > pertinent to input, effectively segregating them from output-related
> > values. This change aims to streamline the configuration process and
> > improve the overall clarity of SA attributes.
> >
> > Signed-off-by: Antony Antony <antony.antony@secunet.com>
> > ---
> > v2->v3:
> > - delete redundant XFRM_SA_DIR_USET
> > - use u8 for "dir"
> > - fix HW OFFLOAD DIR check
> >
> > v1->v2:
> > - use .strict_start_type in struct nla_policy xfrma_policy
> > - delete redundant XFRM_SA_DIR_MAX enum
> > ---
> > include/net/xfrm.h | 1 +
> > include/uapi/linux/xfrm.h | 6 +++++
> > net/xfrm/xfrm_compat.c | 7 ++++--
> > net/xfrm/xfrm_device.c | 5 +++++
> > net/xfrm/xfrm_state.c | 1 +
> > net/xfrm/xfrm_user.c | 46 +++++++++++++++++++++++++++++++++++----
> > 6 files changed, 60 insertions(+), 6 deletions(-)
>
> <...>
>
> > diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
> > index 3784534c9185..481a374eff3b 100644
> > --- a/net/xfrm/xfrm_device.c
> > +++ b/net/xfrm/xfrm_device.c
> > @@ -253,6 +253,11 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
> > return -EINVAL;
> > }
> >
> > + if (xuo->flags & XFRM_OFFLOAD_INBOUND && x->dir == XFRM_SA_DIR_OUT) {
> > + NL_SET_ERR_MSG(extack, "Mismatched SA and offload direction");
> > + return -EINVAL;
> > + }
>
> It is only one side, the more comprehensive check should be done for
> XFRM_SA_DIR_IN too.
>
> if ((xuo->flags & XFRM_OFFLOAD_INBOUND && x->dir == XFRM_SA_DIR_OUT) ||
> !((xuo->flags & XFRM_OFFLOAD_INBOUND) && x->dir == XFRM_SA_DIR_IN))
> ....
I added this check too. With "!" inside , (!( )
> and IMHO, it is better to have this check in verify_newsa_info().
That function does not have xuo extracted. And xfrm_dev_state_add() has
other checks already. So I think this is a better place for now.
thanks,
-antony
prev parent reply other threads:[~2024-03-13 21:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-12 19:59 [PATCH ipsec-next v3] xfrm: Add Direction to the SA in or out Antony Antony
2024-03-13 8:54 ` Leon Romanovsky
2024-03-13 10:38 ` Leon Romanovsky
2024-03-13 21:03 ` Antony Antony [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZfIUpy2u7VeuiAgU@moon.secunet.de \
--to=antony.antony@secunet.com \
--cc=devel@linux-ipsec.org \
--cc=eyal.birger@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=leon@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.