From: Tariq Toukan <tariqt@nvidia.com>
To: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>,
"Andrew Lunn" <andrew+netdev@lunn.ch>
Cc: Gal Pressman <gal@nvidia.com>, Mark Bloch <mbloch@nvidia.com>,
"Saeed Mahameed" <saeedm@nvidia.com>,
Leon Romanovsky <leon@kernel.org>,
Tariq Toukan <tariqt@nvidia.com>, <netdev@vger.kernel.org>,
<linux-rdma@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
Jianbo Liu <jianbol@nvidia.com>,
"Leon Romanovsky" <leonro@nvidia.com>,
Patrisious Haddad <phaddad@nvidia.com>
Subject: [PATCH net-next 7/8] net/mlx5e: Add pass flow group for IPSec RX status table
Date: Thu, 20 Feb 2025 23:39:57 +0200 [thread overview]
Message-ID: <20250220213959.504304-8-tariqt@nvidia.com> (raw)
In-Reply-To: <20250220213959.504304-1-tariqt@nvidia.com>
From: Jianbo Liu <jianbol@nvidia.com>
This flow group is added for the pass rules for both crypto offload
and packet offload. It is placed at the end of the table, and right
before the miss group. There are two entries, and the default pass
rules for both offloads are added in this group.
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
---
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 51 ++++++++++++++++++-
1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index 2ee4c7bfd7e6..840d9e0514d3 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -41,6 +41,7 @@ struct mlx5e_ipsec_tx {
};
struct mlx5e_ipsec_status_checks {
+ struct mlx5_flow_group *pass_group;
struct mlx5_flow_handle *packet_offload_pass_rule;
struct mlx5_flow_handle *crypto_offload_pass_rule;
struct mlx5_flow_group *drop_all_group;
@@ -397,6 +398,47 @@ static int ipsec_rx_status_drop_all_create(struct mlx5e_ipsec *ipsec,
return err;
}
+static int ipsec_rx_status_pass_group_create(struct mlx5e_ipsec *ipsec,
+ struct mlx5e_ipsec_rx *rx)
+{
+ int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in);
+ struct mlx5_flow_table *ft = rx->ft.status;
+ struct mlx5_flow_group *fg;
+ void *match_criteria;
+ u32 *flow_group_in;
+ int err = 0;
+
+ flow_group_in = kvzalloc(inlen, GFP_KERNEL);
+ if (!flow_group_in)
+ return -ENOMEM;
+
+ MLX5_SET(create_flow_group_in, flow_group_in, match_criteria_enable,
+ MLX5_MATCH_MISC_PARAMETERS_2);
+ match_criteria = MLX5_ADDR_OF(create_flow_group_in, flow_group_in,
+ match_criteria);
+ MLX5_SET_TO_ONES(fte_match_param, match_criteria,
+ misc_parameters_2.ipsec_syndrome);
+ MLX5_SET_TO_ONES(fte_match_param, match_criteria,
+ misc_parameters_2.metadata_reg_c_4);
+
+ MLX5_SET(create_flow_group_in, flow_group_in,
+ start_flow_index, ft->max_fte - 3);
+ MLX5_SET(create_flow_group_in, flow_group_in,
+ end_flow_index, ft->max_fte - 2);
+
+ fg = mlx5_create_flow_group(ft, flow_group_in);
+ if (IS_ERR(fg)) {
+ err = PTR_ERR(fg);
+ mlx5_core_warn(ipsec->mdev,
+ "Failed to create rx status pass flow group, err=%d\n",
+ err);
+ }
+ rx->status_checks.pass_group = fg;
+
+ kvfree(flow_group_in);
+ return err;
+}
+
static struct mlx5_flow_handle *
ipsec_rx_status_pass_create(struct mlx5e_ipsec *ipsec,
struct mlx5e_ipsec_rx *rx,
@@ -446,6 +488,7 @@ static void mlx5_ipsec_rx_status_destroy(struct mlx5e_ipsec *ipsec,
struct mlx5e_ipsec_rx *rx)
{
ipsec_rx_status_pass_destroy(ipsec, rx);
+ mlx5_destroy_flow_group(rx->status_checks.pass_group);
ipsec_rx_status_drop_destroy(ipsec, rx);
}
@@ -461,6 +504,10 @@ static int mlx5_ipsec_rx_status_create(struct mlx5e_ipsec *ipsec,
if (err)
return err;
+ err = ipsec_rx_status_pass_group_create(ipsec, rx);
+ if (err)
+ goto err_pass_group_create;
+
rule = ipsec_rx_status_pass_create(ipsec, rx, dest,
MLX5_IPSEC_ASO_SW_CRYPTO_OFFLOAD);
if (IS_ERR(rule)) {
@@ -485,6 +532,8 @@ static int mlx5_ipsec_rx_status_create(struct mlx5e_ipsec *ipsec,
err_packet_offload_pass_create:
mlx5_del_flow_rules(rx->status_checks.crypto_offload_pass_rule);
err_crypto_offload_pass_create:
+ mlx5_destroy_flow_group(rx->status_checks.pass_group);
+err_pass_group_create:
ipsec_rx_status_drop_destroy(ipsec, rx);
return err;
}
@@ -858,7 +907,7 @@ static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
if (err)
return err;
- ft = ipsec_ft_create(attr.ns, attr.status_level, attr.prio, 1, 3, 0);
+ ft = ipsec_ft_create(attr.ns, attr.status_level, attr.prio, 3, 3, 0);
if (IS_ERR(ft)) {
err = PTR_ERR(ft);
goto err_fs_ft_status;
--
2.45.0
next prev parent reply other threads:[~2025-02-20 21:41 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-20 21:39 [PATCH net-next 0/8] net/mlx5e: Move IPSec policy check after decryption Tariq Toukan
2025-02-20 21:39 ` [PATCH net-next 1/8] net/mlx5e: Add helper function to update IPSec default destination Tariq Toukan
2025-02-20 21:39 ` [PATCH net-next 2/8] net/mlx5e: Change the destination of IPSec RX SA miss rule Tariq Toukan
2025-02-20 21:39 ` [PATCH net-next 3/8] net/mlx5e: Add correct match to check IPSec syndromes for switchdev mode Tariq Toukan
2025-02-20 21:39 ` [PATCH net-next 4/8] net/mlx5e: Move IPSec policy check after decryption Tariq Toukan
2025-02-20 21:39 ` [PATCH net-next 5/8] net/mlx5e: Skip IPSec RX policy check for crypto offload Tariq Toukan
2025-02-20 21:39 ` [PATCH net-next 6/8] net/mlx5e: Add num_reserved_entries param for ipsec_ft_create() Tariq Toukan
2025-02-20 21:39 ` Tariq Toukan [this message]
2025-02-20 21:39 ` [PATCH net-next 8/8] net/mlx5e: Support RX xfrm state selector's UPSPEC for packet offload Tariq Toukan
2025-02-25 2:30 ` [PATCH net-next 0/8] net/mlx5e: Move IPSec policy check after decryption patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250220213959.504304-8-tariqt@nvidia.com \
--to=tariqt@nvidia.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gal@nvidia.com \
--cc=jianbol@nvidia.com \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=leonro@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=mbloch@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=phaddad@nvidia.com \
--cc=saeedm@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox