From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Shannon Nelson <shannon.nelson@oracle.com>,
Jeff Kirsher <jeffrey.t.kirsher@intel.com>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.20 007/117] ixgbe: allow IPsec Tx offload in VEPA mode
Date: Tue, 8 Jan 2019 14:24:35 -0500 [thread overview]
Message-ID: <20190108192628.121270-7-sashal@kernel.org> (raw)
In-Reply-To: <20190108192628.121270-1-sashal@kernel.org>
From: Shannon Nelson <shannon.nelson@oracle.com>
[ Upstream commit 7fa57ca443cffe81ce8416b57966bfb0370678a1 ]
When it's possible that the PF might end up trying to send a
packet to one of its own VFs, we have to forbid IPsec offload
because the device drops the packets into a black hole.
See commit 47b6f50077e6 ("ixgbe: disallow IPsec Tx offload
when in SR-IOV mode") for more info.
This really is only necessary when the device is in the default
VEB mode. If instead the device is running in VEPA mode,
the packets will go through the encryption engine and out the
MAC/PHY as normal, and get "hairpinned" as needed by the switch.
So let's not block IPsec offload when in VEPA mode. To get
there with the ixgbe device, use the handy 'bridge' command:
bridge link set dev eth1 hwmode vepa
Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index fd1b0546fd67..4d77f42e035c 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -4,6 +4,7 @@
#include "ixgbe.h"
#include <net/xfrm.h>
#include <crypto/aead.h>
+#include <linux/if_bridge.h>
#define IXGBE_IPSEC_KEY_BITS 160
static const char aes_gcm_name[] = "rfc4106(gcm(aes))";
@@ -693,7 +694,8 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
} else {
struct tx_sa tsa;
- if (adapter->num_vfs)
+ if (adapter->num_vfs &&
+ adapter->bridge_mode != BRIDGE_MODE_VEPA)
return -EOPNOTSUPP;
/* find the first unused index */
--
2.19.1
next prev parent reply other threads:[~2019-01-08 19:24 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-08 19:24 [PATCH AUTOSEL 4.20 001/117] netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets Sasha Levin
2019-01-08 19:24 ` [PATCH AUTOSEL 4.20 006/117] qtnfmac: fix error handling in control path Sasha Levin
2019-01-08 19:24 ` Sasha Levin [this message]
2019-01-08 19:24 ` [PATCH AUTOSEL 4.20 009/117] e1000e: allow non-monotonic SYSTIM readings Sasha Levin
2019-01-08 19:24 ` [PATCH AUTOSEL 4.20 011/117] selftests/bpf: enable (uncomment) all tests in test_libbpf.sh Sasha Levin
2019-01-08 19:24 ` [PATCH AUTOSEL 4.20 015/117] bpf: Allow narrow loads with offset > 0 Sasha Levin
2019-01-08 19:24 ` [PATCH AUTOSEL 4.20 029/117] samples: bpf: fix: error handling regarding kprobe_events Sasha Levin
2019-01-08 19:25 ` [PATCH AUTOSEL 4.20 038/117] net: ethernet: ave: Set initial wol state to disabled Sasha Levin
2019-01-08 19:25 ` [PATCH AUTOSEL 4.20 057/117] net: call sk_dst_reset when set SO_DONTROUTE Sasha Levin
2019-01-08 19:25 ` [PATCH AUTOSEL 4.20 064/117] bpf: relax verifier restriction on BPF_MOV | BPF_ALU Sasha Levin
2019-01-08 19:25 ` [PATCH AUTOSEL 4.20 084/117] netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set Sasha Levin
2019-01-08 19:25 ` [PATCH AUTOSEL 4.20 085/117] netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine Sasha Levin
2019-01-08 19:25 ` [PATCH AUTOSEL 4.20 086/117] netfilter: ipt_CLUSTERIP: fix deadlock " Sasha Levin
2019-01-08 19:26 ` [PATCH AUTOSEL 4.20 105/117] ath10k: fix peer stats null pointer dereference Sasha Levin
2019-01-08 19:26 ` [PATCH AUTOSEL 4.20 111/117] bnx2x: Fix NULL pointer dereference in bnx2x_del_all_vlans() on some hw Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190108192628.121270-7-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jeffrey.t.kirsher@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=shannon.nelson@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).