* [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload
@ 2023-08-08 19:14 Leon Romanovsky
From: Leon Romanovsky @ 2023-08-08 19:14 UTC (permalink / raw)
To: Jakub Kicinski, Steffen Klassert
Cc: Leon Romanovsky, Emeel Hakim, David S . Miller, Eric Dumazet,
netdev, Paolo Abeni, Raed Salem, Saeed Mahameed, Simon Horman
From: Leon Romanovsky <leonro@nvidia.com>
These two patches add the ability to configure both UDP and TCP proto selectors
in RX and TX directions.
Thanks
Emeel Hakim (1):
net/mlx5e: Support IPsec upper protocol selector field offload for RX
Leon Romanovsky (1):
net/mlx5e: Support IPsec upper TCP protocol selector
.../mellanox/mlx5/core/en_accel/ipsec.c | 13 +++---
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 45 ++++++++++++++-----
2 files changed, 40 insertions(+), 18 deletions(-)
--
2.41.0
* [PATCH net-next 1/2] net/mlx5e: Support IPsec upper protocol selector field offload for RX
From: Leon Romanovsky @ 2023-08-08 19:14 UTC (permalink / raw)
To: Jakub Kicinski, Steffen Klassert
Cc: Emeel Hakim, David S . Miller, Eric Dumazet, netdev, Paolo Abeni,
Raed Salem, Saeed Mahameed, Simon Horman
From: Emeel Hakim <ehakim@nvidia.com>
Support RX policy/state upper protocol selector field offload,
to enable selecting RX traffic for IPsec operation based on l4
protocol UDP with specific source/destination port.
Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
.../net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 10 ++++------
.../ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 ++
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 40350227b3c3..9ee169b72d9d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -442,9 +442,8 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (x->sel.proto != IPPROTO_IP &&
- (x->sel.proto != IPPROTO_UDP || x->xso.dir != XFRM_DEV_OFFLOAD_OUT)) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP, and only Tx direction");
+ if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
return -EINVAL;
}
@@ -1000,9 +999,8 @@ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (sel->proto != IPPROTO_IP &&
- (sel->proto != IPPROTO_UDP || x->xdo.dir != XFRM_DEV_OFFLOAD_OUT)) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP, and only Tx direction");
+ if (x->selector.proto != IPPROTO_IP && x->selector.proto != IPPROTO_UDP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
return -EINVAL;
}
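Review bot: In mlx5e_xfrm_validate_policy the removed check read the protocol through `sel->proto`, but the added line spells it `x->selector.proto` twice. The hunks shown for ipsec.c already account for all 4 insertions and 6 deletions in the diffstat, so the declaration of `sel` is untouched; either keep `sel->proto != IPPROTO_IP && sel->proto != IPPROTO_UDP` for consistency with the rest of the function, or, if this was the last user of `sel`, drop the variable in the same patch so it does not become unused.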
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index 3781c72d97f1..f5e29b7f5ba0 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -1243,6 +1243,7 @@ static int rx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
setup_fte_spi(spec, attrs->spi);
setup_fte_esp(spec);
setup_fte_no_frags(spec);
+ setup_fte_upper_proto_match(spec, &attrs->upspec);
if (rx != ipsec->rx_esw)
err = setup_modify_header(ipsec, attrs->type,
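Review bot: In rx_add_rule the new setup_fte_upper_proto_match() call lands on the same spec that setup_fte_spi() and setup_fte_esp() have just filled in, and the helper (its tail is visible as context in patch 2/2) writes `ip_protocol` in the outer-header match with `upspec->proto`. Please confirm that this does not replace a protocol match already placed on that spec by setup_fte_esp(), and say in the commit message which headers the RX state rule is matching at this stage; the message currently only says that UDP port selection becomes possible. A one-line comment above the call would be enough.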
@@ -1519,6 +1520,7 @@ static int rx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry)
setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6);
setup_fte_no_frags(spec);
+ setup_fte_upper_proto_match(spec, &attrs->upspec);
switch (attrs->action) {
case XFRM_POLICY_ALLOW:
--
2.41.0
* [PATCH net-next 2/2] net/mlx5e: Support IPsec upper TCP protocol selector
From: Leon Romanovsky @ 2023-08-08 19:14 UTC (permalink / raw)
To: Jakub Kicinski, Steffen Klassert
Cc: Leon Romanovsky, Emeel Hakim, David S . Miller, Eric Dumazet,
netdev, Paolo Abeni, Raed Salem, Saeed Mahameed, Simon Horman
From: Leon Romanovsky <leonro@nvidia.com>
Support TCP as protocol selector for policy and state in IPsec
packet offload mode.
Example of state configuration is as follows:
ip xfrm state add src 192.168.25.3 dst 192.168.25.1 \
proto esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' \
0x54a7588d36873b031e4bd46301be5a86b3a53879 128 mode transport \
offload packet dev re0 dir in sel src 192.168.25.3 dst 192.168.25.1 \
proto tcp dport 9003
Acked-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
.../mellanox/mlx5/core/en_accel/ipsec.c | 11 +++--
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 43 +++++++++++++------
2 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 9ee169b72d9d..6f21694c7b13 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -442,8 +442,9 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
+ if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP &&
+ x->sel.proto != IPPROTO_TCP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
return -EINVAL;
}
@@ -999,8 +1000,10 @@ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (x->selector.proto != IPPROTO_IP && x->selector.proto != IPPROTO_UDP) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
+ if (x->selector.proto != IPPROTO_IP &&
+ x->selector.proto != IPPROTO_UDP &&
+ x->selector.proto != IPPROTO_TCP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
return -EINVAL;
}
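Review bot: The three-way test on `x->selector.proto` in mlx5e_xfrm_validate_policy is now a second copy of the one added to mlx5e_xfrm_validate_state in the previous hunk, and the switch in setup_fte_upper_proto_match carries the same protocol list a third time. A small shared predicate taking the proto value (the name is only a suggestion, for instance an mlx5e_ipsec_upper_proto_supported() helper) would keep the validators and the rule builder in step the next time a protocol is added, and would let the error string be defined once.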
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index f5e29b7f5ba0..a1cfddd05bc4 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -936,23 +936,42 @@ static void setup_fte_reg_c4(struct mlx5_flow_spec *spec, u32 reqid)
static void setup_fte_upper_proto_match(struct mlx5_flow_spec *spec, struct upspec *upspec)
{
- if (upspec->proto != IPPROTO_UDP)
+ switch (upspec->proto) {
+ case IPPROTO_UDP:
+ if (upspec->dport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ udp_dport, upspec->dport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ udp_dport, upspec->dport);
+ }
+ if (upspec->sport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ udp_sport, upspec->sport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ udp_sport, upspec->sport);
+ }
+ break;
+ case IPPROTO_TCP:
+ if (upspec->dport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ tcp_dport, upspec->dport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ tcp_dport, upspec->dport);
+ }
+ if (upspec->sport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ tcp_sport, upspec->sport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ tcp_sport, upspec->sport);
+ }
+ break;
+ default:
return;
+ }
spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, ip_protocol);
MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, ip_protocol, upspec->proto);
- if (upspec->dport) {
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_dport,
- upspec->dport_mask);
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_dport, upspec->dport);
- }
-
- if (upspec->sport) {
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_sport,
- upspec->sport_mask);
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_sport, upspec->sport);
- }
}
static enum mlx5_flow_namespace_type ipsec_fs_get_ns(struct mlx5e_ipsec *ipsec,
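Review bot: In both the IPPROTO_UDP and IPPROTO_TCP cases of setup_fte_upper_proto_match the port match is gated on the port value (`if (upspec->dport)`, `if (upspec->sport)`) while the criteria written is `upspec->dport_mask` / `upspec->sport_mask`. Testing the mask instead would make the condition say what it means, namely that the selector constrains the port; the value test is carried over from the removed lines, so this could be a follow-up, but the rewrite is a good place to fix it. The two cases are otherwise identical apart from the `udp_`/`tcp_` field prefix, so a short comment noting that MLX5_SET needs the literal field name would explain why they are not folded together.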
--
2.41.0
* Re: [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload
From: Simon Horman @ 2023-08-10 9:47 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Jakub Kicinski, Steffen Klassert, Leon Romanovsky, Emeel Hakim,
David S . Miller, Eric Dumazet, netdev, Paolo Abeni, Raed Salem,
Saeed Mahameed
On Tue, Aug 08, 2023 at 10:14:53PM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
>
> These two patches add the ability to configure both UDP and TCP proto selectors
> in RX and TX directions.
>
> Thanks
>
> Emeel Hakim (1):
> net/mlx5e: Support IPsec upper protocol selector field offload for RX
>
> Leon Romanovsky (1):
> net/mlx5e: Support IPsec upper TCP protocol selector
Thanks Emeel and Leon,
this looks good to me.
For series,
Reviewed-by: Simon Horman <horms@kernel.org>