* [PATCH v1 net-next 1/4] net: flow_dissector: Add IPSEC dissector
From: Ratheesh Kannoth @ 2023-08-01 1:40 UTC (permalink / raw)
To: netdev, linux-kernel
Cc: sgoutham, lcherian, gakula, jerinj, hkelam, sbhatta, davem,
edumazet, kuba, pabeni, jhs, xiyou.wangcong, jiri,
Ratheesh Kannoth
Add support for dissecting the IPSEC SPI field (which is
32 bits in size) of ESP and AH packets.
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
---
include/net/flow_dissector.h | 9 ++++++
net/core/flow_dissector.c | 53 +++++++++++++++++++++++++++++++++++-
2 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h
index 830f06b2f36d..1a7131d6cb0e 100644
--- a/include/net/flow_dissector.h
+++ b/include/net/flow_dissector.h
@@ -301,6 +301,14 @@ struct flow_dissector_key_l2tpv3 {
__be32 session_id;
};
+/**
+ * struct flow_dissector_key_ipsec:
+ * @spi: identifier for a ipsec connection
+ */
+struct flow_dissector_key_ipsec {
+ __be32 spi;
+};
+
/**
* struct flow_dissector_key_cfm
* @mdl_ver: maintenance domain level (mdl) and cfm protocol version
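Review bot: The kernel-doc header on the new `struct flow_dissector_key_ipsec` ends the struct name with a colon, gives no short description, and `@spi` does not say what the field holds or its byte order. Suggest `* struct flow_dissector_key_ipsec - IPsec SPI match key` and `* @spi: Security Parameters Index from the ESP or AH header, network byte order`. The field is declared `__be32`, so stating the byte order saves users of the key from guessing when they build masks.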
@@ -354,6 +362,7 @@ enum flow_dissector_key_id {
FLOW_DISSECTOR_KEY_PPPOE, /* struct flow_dissector_key_pppoe */
FLOW_DISSECTOR_KEY_L2TPV3, /* struct flow_dissector_key_l2tpv3 */
FLOW_DISSECTOR_KEY_CFM, /* struct flow_dissector_key_cfm */
+ FLOW_DISSECTOR_KEY_IPSEC, /* struct flow_dissector_key_ipsec */
FLOW_DISSECTOR_KEY_MAX,
};
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index ed5dfa376024..89d15ceaf9af 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -205,6 +205,50 @@ static void __skb_flow_dissect_icmp(const struct sk_buff *skb,
skb_flow_get_icmp_tci(skb, key_icmp, data, thoff, hlen);
}
+static void __skb_flow_dissect_ah(const struct sk_buff *skb,
+ struct flow_dissector *flow_dissector,
+ void *target_container, const void *data,
+ int nhoff, int hlen)
+{
+ struct flow_dissector_key_ipsec *key_ah;
+ struct ip_auth_hdr _hdr, *hdr;
+
+ if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_IPSEC))
+ return;
+
+ hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data, hlen, &_hdr);
+ if (!hdr)
+ return;
+
+ key_ah = skb_flow_dissector_target(flow_dissector,
+ FLOW_DISSECTOR_KEY_IPSEC,
+ target_container);
+
+ key_ah->spi = hdr->spi;
+}
+
+static void __skb_flow_dissect_esp(const struct sk_buff *skb,
+ struct flow_dissector *flow_dissector,
+ void *target_container, const void *data,
+ int nhoff, int hlen)
+{
+ struct flow_dissector_key_ipsec *key_esp;
+ struct ip_esp_hdr _hdr, *hdr;
+
+ if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_IPSEC))
+ return;
+
+ hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data, hlen, &_hdr);
+ if (!hdr)
+ return;
+
+ key_esp = skb_flow_dissector_target(flow_dissector,
+ FLOW_DISSECTOR_KEY_IPSEC,
+ target_container);
+
+ key_esp->spi = hdr->spi;
+}
+
static void __skb_flow_dissect_l2tpv3(const struct sk_buff *skb,
struct flow_dissector *flow_dissector,
void *target_container, const void *data,
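Review bot: When `__skb_header_pointer()` returns NULL, both `__skb_flow_dissect_ah()` and `__skb_flow_dissect_esp()` return without writing `spi`, so a truncated ESP/AH packet is classified with whatever value the caller left in the target container. That is safe only if every caller clears the key beforehand, which is not visible in this hunk; a comment such as `/* On a short header the key is left untouched; callers must pre-clear target_container. */` at the early return would record the contract. The two helpers also differ only in the header type they read, so they could likely be folded into one helper, which halves the parsing code to audit.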
@@ -1571,7 +1615,14 @@ bool __skb_flow_dissect(const struct net *net,
__skb_flow_dissect_l2tpv3(skb, flow_dissector, target_container,
data, nhoff, hlen);
break;
-
+ case IPPROTO_ESP:
+ __skb_flow_dissect_esp(skb, flow_dissector, target_container,
+ data, nhoff, hlen);
+ break;
+ case IPPROTO_AH:
+ __skb_flow_dissect_ah(skb, flow_dissector, target_container,
+ data, nhoff, hlen);
+ break;
default:
break;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH v1 net-next 2/4] tc: flower: support for SPI
From: Ratheesh Kannoth @ 2023-08-01 1:40 UTC (permalink / raw)
To: netdev, linux-kernel
Cc: sgoutham, lcherian, gakula, jerinj, hkelam, sbhatta, davem,
edumazet, kuba, pabeni, jhs, xiyou.wangcong, jiri,
Ratheesh Kannoth
Add tc flower support for classifying ESP/AH
packets by matching on the SPI field.
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
---
include/uapi/linux/pkt_cls.h | 3 +++
net/sched/cls_flower.c | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/include/uapi/linux/pkt_cls.h b/include/uapi/linux/pkt_cls.h
index 7865f5a9885b..75506f157340 100644
--- a/include/uapi/linux/pkt_cls.h
+++ b/include/uapi/linux/pkt_cls.h
@@ -598,6 +598,9 @@ enum {
TCA_FLOWER_KEY_CFM, /* nested */
+ TCA_FLOWER_KEY_SPI, /* be32 */
+ TCA_FLOWER_KEY_SPI_MASK, /* be32 */
+
__TCA_FLOWER_MAX,
};
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 8da9d039d964..eca260272845 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -72,6 +72,7 @@ struct fl_flow_key {
struct flow_dissector_key_num_of_vlans num_of_vlans;
struct flow_dissector_key_pppoe pppoe;
struct flow_dissector_key_l2tpv3 l2tpv3;
+ struct flow_dissector_key_ipsec ipsec;
struct flow_dissector_key_cfm cfm;
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
@@ -726,6 +727,8 @@ static const struct nla_policy fl_policy[TCA_FLOWER_MAX + 1] = {
[TCA_FLOWER_KEY_PPPOE_SID] = { .type = NLA_U16 },
[TCA_FLOWER_KEY_PPP_PROTO] = { .type = NLA_U16 },
[TCA_FLOWER_KEY_L2TPV3_SID] = { .type = NLA_U32 },
+ [TCA_FLOWER_KEY_SPI] = { .type = NLA_U32 },
+ [TCA_FLOWER_KEY_SPI_MASK] = { .type = NLA_U32 },
[TCA_FLOWER_L2_MISS] = NLA_POLICY_MAX(NLA_U8, 1),
[TCA_FLOWER_KEY_CFM] = { .type = NLA_NESTED },
};
@@ -795,6 +798,24 @@ static void fl_set_key_val(struct nlattr **tb,
nla_memcpy(mask, tb[mask_type], len);
}
+static int fl_set_key_spi(struct nlattr **tb, struct fl_flow_key *key,
+ struct fl_flow_key *mask,
+ struct netlink_ext_ack *extack)
+{
+ if (key->basic.ip_proto != IPPROTO_ESP &&
+ key->basic.ip_proto != IPPROTO_AH) {
+ NL_SET_ERR_MSG(extack,
+ "Protocol must be either ESP or AH");
+ return -EINVAL;
+ }
+
+ fl_set_key_val(tb, &key->ipsec.spi,
+ TCA_FLOWER_KEY_SPI,
+ &mask->ipsec.spi, TCA_FLOWER_KEY_SPI_MASK,
+ sizeof(key->ipsec.spi));
+ return 0;
+}
+
static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key,
struct fl_flow_key *mask,
struct netlink_ext_ack *extack)
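Review bot: `fl_set_key_spi()` accepts or rejects the attribute based on `key->basic.ip_proto`, so it depends on the IP protocol having been parsed into `key` before it runs, and nothing in the function says so. A short comment above it, e.g. `/* Must run after key->basic.ip_proto has been populated; SPI is only meaningful for ESP/AH. */`, would keep a later reordering in `fl_set_key()` from turning every SPI rule into `-EINVAL`. The call site is in a separate hunk and the earlier part of `fl_set_key()` is not visible, so the ordering should be confirmed there.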
@@ -1894,6 +1915,12 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
return ret;
}
+ if (tb[TCA_FLOWER_KEY_SPI]) {
+ ret = fl_set_key_spi(tb, key, mask, extack);
+ if (ret)
+ return ret;
+ }
+
if (tb[TCA_FLOWER_KEY_ENC_IPV4_SRC] ||
tb[TCA_FLOWER_KEY_ENC_IPV4_DST]) {
key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
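Review bot: The new branch is taken only when `tb[TCA_FLOWER_KEY_SPI]` is present, so a request carrying `TCA_FLOWER_KEY_SPI_MASK` without the key passes policy validation and is then ignored, and the ESP/AH protocol check never runs for it. If that is meant to mirror the other key/mask pairs, a comment saying so is enough; otherwise gate on either attribute, `if (tb[TCA_FLOWER_KEY_SPI] || tb[TCA_FLOWER_KEY_SPI_MASK]) {`. `fl_set_key()` begins and ends outside this hunk.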
@@ -2066,6 +2093,8 @@ static void fl_init_dissector(struct flow_dissector *dissector,
FLOW_DISSECTOR_KEY_PPPOE, pppoe);
FL_KEY_SET_IF_MASKED(mask, keys, cnt,
FLOW_DISSECTOR_KEY_L2TPV3, l2tpv3);
+ FL_KEY_SET_IF_MASKED(mask, keys, cnt,
+ FLOW_DISSECTOR_KEY_IPSEC, ipsec);
FL_KEY_SET_IF_MASKED(mask, keys, cnt,
FLOW_DISSECTOR_KEY_CFM, cfm);
@@ -3364,6 +3393,12 @@ static int fl_dump_key(struct sk_buff *skb, struct net *net,
sizeof(key->l2tpv3.session_id)))
goto nla_put_failure;
+ if (key->ipsec.spi &&
+ fl_dump_key_val(skb, &key->ipsec.spi, TCA_FLOWER_KEY_SPI,
+ &mask->ipsec.spi, TCA_FLOWER_KEY_SPI_MASK,
+ sizeof(key->ipsec.spi)))
+ goto nla_put_failure;
+
if ((key->basic.ip_proto == IPPROTO_TCP ||
key->basic.ip_proto == IPPROTO_UDP ||
key->basic.ip_proto == IPPROTO_SCTP) &&
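Review bot: The dump is gated on `key->ipsec.spi` being non-zero, while `fl_set_key_spi()` accepts any key value, so a filter installed to match SPI 0 under a non-zero mask would be active but not reported back to user space. Gating on the mask instead, `if (mask->ipsec.spi &&`, keeps the dump in step with what the classifier enforces. `fl_dump_key()` starts and ends outside this hunk, so whether the neighbouring keys deliberately use the same key-based gate cannot be confirmed from here.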
--
2.25.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH v1 net-next 2/4] tc: flower: support for SPI
From: Simon Horman @ 2023-08-02 19:07 UTC (permalink / raw)
To: Ratheesh Kannoth, Dan Carpenter
Cc: netdev, linux-kernel, sgoutham, lcherian, gakula, jerinj, hkelam,
sbhatta, davem, edumazet, kuba, pabeni, jhs, xiyou.wangcong, jiri
+ Dan Carpenter
On Tue, Aug 01, 2023 at 07:10:59AM +0530, Ratheesh Kannoth wrote:
> tc flower rules support to classify ESP/AH
> packets matching SPI field.
>
> Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
> ---
> include/uapi/linux/pkt_cls.h | 3 +++
> net/sched/cls_flower.c | 35 +++++++++++++++++++++++++++++++++++
> 2 files changed, 38 insertions(+)
>
> diff --git a/include/uapi/linux/pkt_cls.h b/include/uapi/linux/pkt_cls.h
> index 7865f5a9885b..75506f157340 100644
> --- a/include/uapi/linux/pkt_cls.h
> +++ b/include/uapi/linux/pkt_cls.h
> @@ -598,6 +598,9 @@ enum {
>
> TCA_FLOWER_KEY_CFM, /* nested */
>
> + TCA_FLOWER_KEY_SPI, /* be32 */
> + TCA_FLOWER_KEY_SPI_MASK, /* be32 */
> +
> __TCA_FLOWER_MAX,
> };
>
> diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
> index 8da9d039d964..eca260272845 100644
> --- a/net/sched/cls_flower.c
> +++ b/net/sched/cls_flower.c
> @@ -72,6 +72,7 @@ struct fl_flow_key {
> struct flow_dissector_key_num_of_vlans num_of_vlans;
> struct flow_dissector_key_pppoe pppoe;
> struct flow_dissector_key_l2tpv3 l2tpv3;
> + struct flow_dissector_key_ipsec ipsec;
> struct flow_dissector_key_cfm cfm;
> } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
>
> @@ -726,6 +727,8 @@ static const struct nla_policy fl_policy[TCA_FLOWER_MAX + 1] = {
> [TCA_FLOWER_KEY_PPPOE_SID] = { .type = NLA_U16 },
> [TCA_FLOWER_KEY_PPP_PROTO] = { .type = NLA_U16 },
> [TCA_FLOWER_KEY_L2TPV3_SID] = { .type = NLA_U32 },
> + [TCA_FLOWER_KEY_SPI] = { .type = NLA_U32 },
> + [TCA_FLOWER_KEY_SPI_MASK] = { .type = NLA_U32 },
> [TCA_FLOWER_L2_MISS] = NLA_POLICY_MAX(NLA_U8, 1),
> [TCA_FLOWER_KEY_CFM] = { .type = NLA_NESTED },
> };
> @@ -795,6 +798,24 @@ static void fl_set_key_val(struct nlattr **tb,
> nla_memcpy(mask, tb[mask_type], len);
> }
>
> +static int fl_set_key_spi(struct nlattr **tb, struct fl_flow_key *key,
> + struct fl_flow_key *mask,
> + struct netlink_ext_ack *extack)
> +{
> + if (key->basic.ip_proto != IPPROTO_ESP &&
> + key->basic.ip_proto != IPPROTO_AH) {
> + NL_SET_ERR_MSG(extack,
> + "Protocol must be either ESP or AH");
> + return -EINVAL;
> + }
> +
> + fl_set_key_val(tb, &key->ipsec.spi,
> + TCA_FLOWER_KEY_SPI,
> + &mask->ipsec.spi, TCA_FLOWER_KEY_SPI_MASK,
> + sizeof(key->ipsec.spi));
> + return 0;
> +}
> +
> static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key,
> struct fl_flow_key *mask,
> struct netlink_ext_ack *extack)
> @@ -1894,6 +1915,12 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
> return ret;
> }
>
> + if (tb[TCA_FLOWER_KEY_SPI]) {
> + ret = fl_set_key_spi(tb, key, mask, extack);
> + if (ret)
> + return ret;
> + }
> +
Hi Dan,
I'm seeing a warning from Smatch, which I think is a false positive,
but I feel that I should raise. Perhaps you could take a look at it?
net/sched/cls_flower.c:1918 fl_set_key() error: buffer overflow 'tb' 106 <= 108
> if (tb[TCA_FLOWER_KEY_ENC_IPV4_SRC] ||
> tb[TCA_FLOWER_KEY_ENC_IPV4_DST]) {
> key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
> @@ -2066,6 +2093,8 @@ static void fl_init_dissector(struct flow_dissector *dissector,
> FLOW_DISSECTOR_KEY_PPPOE, pppoe);
> FL_KEY_SET_IF_MASKED(mask, keys, cnt,
> FLOW_DISSECTOR_KEY_L2TPV3, l2tpv3);
> + FL_KEY_SET_IF_MASKED(mask, keys, cnt,
> + FLOW_DISSECTOR_KEY_IPSEC, ipsec);
> FL_KEY_SET_IF_MASKED(mask, keys, cnt,
> FLOW_DISSECTOR_KEY_CFM, cfm);
>
> @@ -3364,6 +3393,12 @@ static int fl_dump_key(struct sk_buff *skb, struct net *net,
> sizeof(key->l2tpv3.session_id)))
> goto nla_put_failure;
>
> + if (key->ipsec.spi &&
> + fl_dump_key_val(skb, &key->ipsec.spi, TCA_FLOWER_KEY_SPI,
> + &mask->ipsec.spi, TCA_FLOWER_KEY_SPI_MASK,
> + sizeof(key->ipsec.spi)))
> + goto nla_put_failure;
> +
> if ((key->basic.ip_proto == IPPROTO_TCP ||
> key->basic.ip_proto == IPPROTO_UDP ||
> key->basic.ip_proto == IPPROTO_SCTP) &&
> --
> 2.25.1
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH v1 net-next 2/4] tc: flower: support for SPI
From: Dan Carpenter @ 2023-08-03 11:55 UTC (permalink / raw)
To: Simon Horman
Cc: Ratheesh Kannoth, netdev, linux-kernel, sgoutham, lcherian,
gakula, jerinj, hkelam, sbhatta, davem, edumazet, kuba, pabeni,
jhs, xiyou.wangcong, jiri
On Wed, Aug 02, 2023 at 09:07:35PM +0200, Simon Horman wrote:
> + Dan Carpenter
>
> On Tue, Aug 01, 2023 at 07:10:59AM +0530, Ratheesh Kannoth wrote:
> > @@ -1894,6 +1915,12 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
> > return ret;
> > }
> >
> > + if (tb[TCA_FLOWER_KEY_SPI]) {
> > + ret = fl_set_key_spi(tb, key, mask, extack);
> > + if (ret)
> > + return ret;
> > + }
> > +
>
> Hi Dan,
>
> I'm seeing a warning from Smatch, which I think is a false positive,
> but I feel that I should raise. Perhaps you could take a look at it?
>
> net/sched/cls_flower.c:1918 fl_set_key() error: buffer overflow 'tb' 106 <= 108
>
You're using the cross function database, right? What happens is that
when someone adds a new type of net link attribute, it takes a rebuild
for the database to sync up.
I can't think of a good way to fix this. This information is passed as
a BUF_SIZE. Each database rebuild passes the BUF_SIZE one call further
down the call tree.
$ smdb fl_set_key | grep BUF_SIZE
net/sched/cls_flower.c | fl_change | fl_set_key | BUF_SIZE | 1 | tb | 864
net/sched/cls_flower.c | fl_tmplt_create | fl_set_key | BUF_SIZE | 1 | tb | 864
This is a flaw in how Smatch works, and theoretically it affects
everything, but in practical terms it affects netlink attribute tables
the most. Other places are not modified as often or they pass the size
as a parameter. I could modify check_index_overflow.c to silence
warnings where it's a netlink attribute table and the offset is less
than __TCA_FLOWER_MAX.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH v1 net-next 2/4] tc: flower: support for SPI
From: Dan Carpenter @ 2023-08-03 13:25 UTC (permalink / raw)
To: Simon Horman
Cc: Ratheesh Kannoth, netdev, linux-kernel, sgoutham, lcherian,
gakula, jerinj, hkelam, sbhatta, davem, edumazet, kuba, pabeni,
jhs, xiyou.wangcong, jiri
Done. :) That false positive has been bothering me for a while so it's
nice to have it fixed. I'll test this out for a bit before pushing.
regards,
dan carpenter
diff --git a/check_index_overflow.c b/check_index_overflow.c
index 19ea4354029b..644310ae837c 100644
--- a/check_index_overflow.c
+++ b/check_index_overflow.c
@@ -160,6 +160,43 @@ free:
return ret;
}
+static unsigned long __TCA_FLOWER_MAX(void)
+{
+ struct symbol *sym;
+ struct ident *id;
+ sval_t sval;
+
+ id = built_in_ident("__TCA_FLOWER_MAX");
+ sym = lookup_symbol(id, NS_SYMBOL);
+ if (!sym)
+ return 0;
+ if (!get_value(sym->initializer, &sval))
+ return 0;
+ return sval.value;
+}
+
+static bool is_out_of_sync_nla_tb(struct expression *array_expr, struct expression *offset)
+{
+ sval_t sval;
+ char *type;
+
+ if (option_project != PROJ_KERNEL)
+ return false;
+
+ if (!get_value(offset, &sval))
+ return false;
+ type = type_to_str(get_type(array_expr));
+ if (!type)
+ return false;
+ if (strcmp(type, "struct nlattr**") != 0)
+ return false;
+
+ if (sval.uvalue >= __TCA_FLOWER_MAX())
+ return false;
+
+ return true;
+}
+
static int is_subtract(struct expression *expr)
{
struct expression *tmp;
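Review bot: `is_out_of_sync_nla_tb()` suppresses the overflow warning for every constant index below `__TCA_FLOWER_MAX` into any expression of type `struct nlattr**`, not only into flower attribute tables, so a genuine out-of-bounds constant index into a smaller netlink table from another attribute family would be silenced as well. The failure mode is at least safe when the symbol lookup fails: `__TCA_FLOWER_MAX()` returns 0 and nothing is suppressed. A comment stating the trade-off, e.g. `/* Heuristic: also hides real overflows of smaller nla tables when the index is below __TCA_FLOWER_MAX. */`, would help the next reader of the checker. The helper could also be renamed (for instance `tca_flower_max()`), since identifiers beginning with a double underscore are reserved and this one reuses the name of the enumerator it looks up.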
@@ -286,6 +323,9 @@ static int should_warn(struct expression *expr)
if (common_false_positives(array_expr, max))
return 0;
+ if (is_out_of_sync_nla_tb(array_expr, offset))
+ return 0;
+
if (impossibly_high_comparison(offset))
return 0;
* [PATCH v1 net-next 3/4] tc: flower: Enable offload support IPSEC SPI field.
From: Ratheesh Kannoth @ 2023-08-01 1:41 UTC (permalink / raw)
To: netdev, linux-kernel
Cc: sgoutham, lcherian, gakula, jerinj, hkelam, sbhatta, davem,
edumazet, kuba, pabeni, jhs, xiyou.wangcong, jiri,
Ratheesh Kannoth
This patch enables offload for TC classifier
flower rules which match against the SPI field.
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
---
include/net/flow_offload.h | 6 ++++++
net/core/flow_offload.c | 7 +++++++
2 files changed, 13 insertions(+)
diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h
index 118082eae48c..9efa9a59e81f 100644
--- a/include/net/flow_offload.h
+++ b/include/net/flow_offload.h
@@ -64,6 +64,10 @@ struct flow_match_tcp {
struct flow_dissector_key_tcp *key, *mask;
};
+struct flow_match_ipsec {
+ struct flow_dissector_key_ipsec *key, *mask;
+};
+
struct flow_match_mpls {
struct flow_dissector_key_mpls *key, *mask;
};
@@ -116,6 +120,8 @@ void flow_rule_match_ports_range(const struct flow_rule *rule,
struct flow_match_ports_range *out);
void flow_rule_match_tcp(const struct flow_rule *rule,
struct flow_match_tcp *out);
+void flow_rule_match_ipsec(const struct flow_rule *rule,
+ struct flow_match_ipsec *out);
void flow_rule_match_icmp(const struct flow_rule *rule,
struct flow_match_icmp *out);
void flow_rule_match_mpls(const struct flow_rule *rule,
diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c
index acfc1f88ea79..bc5169482710 100644
--- a/net/core/flow_offload.c
+++ b/net/core/flow_offload.c
@@ -146,6 +146,13 @@ void flow_rule_match_tcp(const struct flow_rule *rule,
}
EXPORT_SYMBOL(flow_rule_match_tcp);
+void flow_rule_match_ipsec(const struct flow_rule *rule,
+ struct flow_match_ipsec *out)
+{
+ FLOW_DISSECTOR_MATCH(rule, FLOW_DISSECTOR_KEY_IPSEC, out);
+}
+EXPORT_SYMBOL(flow_rule_match_ipsec);
+
void flow_rule_match_icmp(const struct flow_rule *rule,
struct flow_match_icmp *out)
{
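Review bot: `flow_rule_match_ipsec()` is exported without any comment on its precondition. The body of `FLOW_DISSECTOR_MATCH` is not visible here, but if it resolves `out->key` and `out->mask` from the dissector offsets without checking that the key is in use, a driver calling this without first testing `flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPSEC)` would read unrelated bytes of the match. A one-line comment such as `/* Caller must have checked flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPSEC). */` would document that.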
--
2.25.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH v1 net-next 4/4] octeontx2-pf: TC flower offload support for SPI field
From: Ratheesh Kannoth @ 2023-08-01 1:41 UTC (permalink / raw)
To: netdev, linux-kernel
Cc: sgoutham, lcherian, gakula, jerinj, hkelam, sbhatta, davem,
edumazet, kuba, pabeni, jhs, xiyou.wangcong, jiri,
Ratheesh Kannoth
Driver support to offload TC flower rules which match
against the SPI field of IPSEC packets (AH/ESP).
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
---
.../net/ethernet/marvell/octeontx2/af/mbox.h | 4 +++
.../net/ethernet/marvell/octeontx2/af/npc.h | 1 +
.../marvell/octeontx2/af/rvu_debugfs.c | 4 +++
.../marvell/octeontx2/af/rvu_npc_fs.c | 11 ++++++++
.../ethernet/marvell/octeontx2/nic/otx2_tc.c | 27 +++++++++++++++++++
5 files changed, 47 insertions(+)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/mbox.h b/drivers/net/ethernet/marvell/octeontx2/af/mbox.h
index ed66c5989102..a8f3c8faf8af 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/mbox.h
+++ b/drivers/net/ethernet/marvell/octeontx2/af/mbox.h
@@ -1451,6 +1451,10 @@ struct flow_msg {
__be32 ip4dst;
__be32 ip6dst[4];
};
+ union {
+ __be32 spi;
+ };
+
u8 tos;
u8 ip_ver;
u8 ip_proto;
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/npc.h b/drivers/net/ethernet/marvell/octeontx2/af/npc.h
index 9beeead56d7b..534f20c0c5df 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/npc.h
+++ b/drivers/net/ethernet/marvell/octeontx2/af/npc.h
@@ -204,6 +204,7 @@ enum key_fields {
NPC_DPORT_UDP,
NPC_SPORT_SCTP,
NPC_DPORT_SCTP,
+ NPC_IPSEC_SPI,
NPC_HEADER_FIELDS_MAX,
NPC_CHAN = NPC_HEADER_FIELDS_MAX, /* Valid when Rx */
NPC_PF_FUNC, /* Valid when Tx */
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
index 3b26893efdf8..7cd33edca365 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
@@ -2827,6 +2827,10 @@ static void rvu_dbg_npc_mcam_show_flows(struct seq_file *s,
seq_printf(s, "%d ", ntohs(rule->packet.dport));
seq_printf(s, "mask 0x%x\n", ntohs(rule->mask.dport));
break;
+ case NPC_IPSEC_SPI:
+ seq_printf(s, "0x%x ", ntohl(rule->packet.spi));
+ seq_printf(s, "mask 0x%x\n", ntohl(rule->mask.spi));
+ break;
default:
seq_puts(s, "\n");
break;
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
index 9c365cc3e736..bb715e616fad 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
@@ -41,6 +41,7 @@ static const char * const npc_flow_names[] = {
[NPC_SPORT_SCTP] = "sctp source port",
[NPC_DPORT_SCTP] = "sctp destination port",
[NPC_LXMB] = "Mcast/Bcast header ",
+ [NPC_IPSEC_SPI] = "SPI ",
[NPC_UNKNOWN] = "unknown",
};
@@ -513,6 +514,10 @@ do { \
NPC_SCAN_HDR(NPC_VLAN_TAG1, NPC_LID_LB, NPC_LT_LB_CTAG, 2, 2);
NPC_SCAN_HDR(NPC_VLAN_TAG2, NPC_LID_LB, NPC_LT_LB_STAG_QINQ, 2, 2);
NPC_SCAN_HDR(NPC_DMAC, NPC_LID_LA, la_ltype, la_start, 6);
+
+ NPC_SCAN_HDR(NPC_IPSEC_SPI, NPC_LID_LD, NPC_LT_LD_AH, 4, 4);
+ NPC_SCAN_HDR(NPC_IPSEC_SPI, NPC_LID_LE, NPC_LT_LE_ESP, 0, 4);
+
/* SMAC follows the DMAC(which is 6 bytes) */
NPC_SCAN_HDR(NPC_SMAC, NPC_LID_LA, la_ltype, la_start + 6, 6);
/* PF_FUNC is 2 bytes at 0th byte of NPC_LT_LA_IH_NIX_ETHER */
@@ -564,6 +569,9 @@ static void npc_set_features(struct rvu *rvu, int blkaddr, u8 intf)
if (!npc_check_field(rvu, blkaddr, NPC_LB, intf))
*features &= ~BIT_ULL(NPC_OUTER_VID);
+ if (*features & (BIT_ULL(NPC_IPPROTO_AH) | BIT_ULL(NPC_IPPROTO_ESP)))
+ *features |= BIT_ULL(NPC_IPSEC_SPI);
+
/* for vlan ethertypes corresponding layer type should be in the key */
if (npc_check_field(rvu, blkaddr, NPC_LB, intf))
*features |= BIT_ULL(NPC_VLAN_ETYPE_CTAG) |
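Review bot: `NPC_IPSEC_SPI` is set in `*features` whenever `NPC_IPPROTO_AH` or `NPC_IPPROTO_ESP` is set, without the `npc_check_field()` test that the surrounding lines use to confirm a field is actually present in the extracted key. If the key-extraction profile carries the AH/ESP layer type but not the SPI bytes (not determinable from this hunk), the feature would be advertised and an SPI rule accepted although the hardware cannot match on it. Consider adding `npc_check_field(rvu, blkaddr, NPC_IPSEC_SPI, intf)` to the condition, or a comment explaining why the protocol bits alone are sufficient. `npc_set_features()` continues outside the hunk.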
@@ -930,6 +938,9 @@ do { \
NPC_WRITE_FLOW(NPC_DPORT_SCTP, dport, ntohs(pkt->dport), 0,
ntohs(mask->dport), 0);
+ NPC_WRITE_FLOW(NPC_IPSEC_SPI, spi, ntohl(pkt->spi), 0,
+ ntohl(mask->spi), 0);
+
NPC_WRITE_FLOW(NPC_OUTER_VID, vlan_tci, ntohs(pkt->vlan_tci), 0,
ntohs(mask->vlan_tci), 0);
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
index 5a44e9b96fc0..4bb511e3cbe5 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
@@ -461,6 +461,7 @@ static int otx2_tc_prepare_flow(struct otx2_nic *nic, struct otx2_tc_flow *node,
BIT_ULL(FLOW_DISSECTOR_KEY_IPV4_ADDRS) |
BIT_ULL(FLOW_DISSECTOR_KEY_IPV6_ADDRS) |
BIT_ULL(FLOW_DISSECTOR_KEY_PORTS) |
+ BIT(FLOW_DISSECTOR_KEY_IPSEC) |
BIT_ULL(FLOW_DISSECTOR_KEY_IP)))) {
netdev_info(nic->netdev, "unsupported flow used key 0x%llx",
dissector->used_keys);
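Review bot: The added `BIT(FLOW_DISSECTOR_KEY_IPSEC)` is the only term in this mask that is not `BIT_ULL()`, although `dissector->used_keys` is printed with `%llx` two lines below and so is treated as a 64-bit value. `BIT()` shifts an `unsigned long`, so on a 32-bit build an enumerator of 32 or more (the new key is appended after all existing ones) would shift out of range and the supported-key check would give the wrong answer; use `BIT_ULL(FLOW_DISSECTOR_KEY_IPSEC) |`. `otx2_tc_prepare_flow()` extends beyond this hunk.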
@@ -482,6 +483,8 @@ static int otx2_tc_prepare_flow(struct otx2_nic *nic, struct otx2_tc_flow *node,
match.key->ip_proto != IPPROTO_UDP &&
match.key->ip_proto != IPPROTO_SCTP &&
match.key->ip_proto != IPPROTO_ICMP &&
+ match.key->ip_proto != IPPROTO_ESP &&
+ match.key->ip_proto != IPPROTO_AH &&
match.key->ip_proto != IPPROTO_ICMPV6)) {
netdev_info(nic->netdev,
"ip_proto=0x%x not supported\n",
@@ -501,6 +504,10 @@ static int otx2_tc_prepare_flow(struct otx2_nic *nic, struct otx2_tc_flow *node,
req->features |= BIT_ULL(NPC_IPPROTO_ICMP);
else if (ip_proto == IPPROTO_ICMPV6)
req->features |= BIT_ULL(NPC_IPPROTO_ICMP6);
+ else if (ip_proto == IPPROTO_ESP)
+ req->features |= BIT_ULL(NPC_IPPROTO_ESP);
+ else if (ip_proto == IPPROTO_AH)
+ req->features |= BIT_ULL(NPC_IPPROTO_AH);
}
if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CONTROL)) {
@@ -545,6 +552,26 @@ static int otx2_tc_prepare_flow(struct otx2_nic *nic, struct otx2_tc_flow *node,
}
}
+ if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPSEC)) {
+ struct flow_match_ipsec match;
+
+ flow_rule_match_ipsec(rule, &match);
+ if (!match.mask->spi) {
+ NL_SET_ERR_MSG_MOD(extack, "spi index not specified");
+ return -EOPNOTSUPP;
+ }
+ if (ip_proto != IPPROTO_ESP &&
+ ip_proto != IPPROTO_AH) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "SPI index is valid only for ESP/AH proto");
+ return -EOPNOTSUPP;
+ }
+
+ flow_spec->spi = match.key->spi;
+ flow_mask->spi = match.mask->spi;
+ req->features |= BIT_ULL(NPC_IPSEC_SPI);
+ }
+
if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IP)) {
struct flow_match_ip match;
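Review bot: The SPI block validates `ip_proto`, a local that is declared and assigned outside this hunk; if it is only set when the rule carries a basic key, an SPI match without one is rejected with the ESP/AH message, which is the safe direction but relies on the variable's initial value. It is worth confirming that `ip_proto` is initialised to 0 at its declaration and saying so in a comment next to the check. The two messages also say "spi index" where the field is the SPI itself; `"SPI not specified"` and `"SPI is valid only for ESP/AH proto"` would read more accurately.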
--
2.25.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH v1 net-next 0/4] Packet classify by matching against SPI
From: patchwork-bot+netdevbpf @ 2023-08-02 9:20 UTC (permalink / raw)
To: Ratheesh Kannoth
Cc: netdev, linux-kernel, sgoutham, lcherian, gakula, jerinj, hkelam,
sbhatta, davem, edumazet, kuba, pabeni, jhs, xiyou.wangcong, jiri
Hello:
This series was applied to netdev/net-next.git (main)
by David S. Miller <davem@davemloft.net>:
On Tue, 1 Aug 2023 07:10:57 +0530 you wrote:
> 1. net: flow_dissector: Add IPSEC dissector.
> Flow dissector patch reads IPSEC headers (ESP or AH) header
> from packet and retrieves the SPI header.
>
> 2. tc: flower: support for SPI.
> TC control path changes to pass SPI field from userspace to
> kernel.
>
> [...]
Here is the summary with links:
- [v1,net-next,1/4] net: flow_dissector: Add IPSEC dissector
https://git.kernel.org/netdev/net-next/c/a57c34a80cbe
- [v1,net-next,2/4] tc: flower: support for SPI
https://git.kernel.org/netdev/net-next/c/4c13eda757e3
- [v1,net-next,3/4] tc: flower: Enable offload support IPSEC SPI field.
https://git.kernel.org/netdev/net-next/c/c8915d7329d6
- [v1,net-next,4/4] octeontx2-pf: TC flower offload support for SPI field
https://git.kernel.org/netdev/net-next/c/73b4c04e2e9a
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html