From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 08/11] xfrm: add SA information to the offloaded packet
Date: Mon, 9 Sep 2024 12:03:25 +0200 [thread overview]
Message-ID: <20240909100328.1838963-9-steffen.klassert@secunet.com> (raw)
In-Reply-To: <20240909100328.1838963-1-steffen.klassert@secunet.com>
From: wangfe <wangfe@google.com>
In packet offload mode, append Security Association (SA) information
to each packet, replicating the crypto offload implementation.
The XFRM_XMIT flag is set to enable packet to be returned immediately
from the validate_xmit_xfrm function, thus aligning with the existing
code path for packet offload mode.
This SA info helps HW offload match packets to their correct security
policies. The XFRM interface ID is included, which is crucial in setups
with multiple XFRM interfaces where source/destination addresses alone
can't pinpoint the right policy.
Signed-off-by: wangfe <wangfe@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_output.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index e5722c95b8bb..a12588e7b060 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -706,6 +706,8 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
struct xfrm_state *x = skb_dst(skb)->xfrm;
int family;
int err;
+ struct xfrm_offload *xo;
+ struct sec_path *sp;
family = (x->xso.type != XFRM_DEV_OFFLOAD_PACKET) ? x->outer_mode.family
: skb_dst(skb)->ops->family;
@@ -728,6 +730,25 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
kfree_skb(skb);
return -EHOSTUNREACH;
}
+ sp = secpath_set(skb);
+ if (!sp) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
+ kfree_skb(skb);
+ return -ENOMEM;
+ }
+
+ sp->olen++;
+ sp->xvec[sp->len++] = x;
+ xfrm_state_hold(x);
+
+ xo = xfrm_offload(skb);
+ if (!xo) {
+ secpath_reset(skb);
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
+ kfree_skb(skb);
+ return -EINVAL;
+ }
+ xo->flags |= XFRM_XMIT;
return xfrm_output_resume(sk, skb, 0);
}
--
2.34.1
next prev parent reply other threads:[~2024-09-09 10:03 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-09 10:03 [PATCH 0/11] pull request (net-next): ipsec-next 2024-09-09 Steffen Klassert
2024-09-09 10:03 ` [PATCH 01/11] xfrm: Remove documentation WARN_ON to limit return values for offloaded SA Steffen Klassert
2024-09-09 10:03 ` [PATCH 02/11] net: add copy from skb_seq_state to buffer function Steffen Klassert
2024-09-09 10:03 ` [PATCH 03/11] xfrm: Correct spelling in xfrm.h Steffen Klassert
2024-09-09 10:03 ` [PATCH 04/11] selftests: add xfrm policy insertion speed test script Steffen Klassert
2024-09-09 10:03 ` [PATCH 05/11] xfrm: policy: don't iterate inexact policies twice at insert time Steffen Klassert
2024-09-09 10:03 ` [PATCH 06/11] xfrm: switch migrate to xfrm_policy_lookup_bytype Steffen Klassert
2024-09-09 11:01 ` Florian Westphal
2024-09-09 13:18 ` Steffen Klassert
2024-09-09 10:03 ` [PATCH 07/11] xfrm: policy: remove remaining use of inexact list Steffen Klassert
2024-09-09 10:03 ` Steffen Klassert [this message]
2024-09-09 10:03 ` [PATCH 09/11] xfrm: policy: use recently added helper in more places Steffen Klassert
2024-09-09 10:59 ` Florian Westphal
2024-09-09 13:19 ` Steffen Klassert
2024-09-09 10:03 ` [PATCH 10/11] xfrm: minor update to sdb and xfrm_policy comments Steffen Klassert
2024-09-09 10:03 ` [PATCH 11/11] Revert "xfrm: add SA information to the offloaded packet" Steffen Klassert
2024-09-09 13:21 ` [PATCH 0/11] pull request (net-next): ipsec-next 2024-09-09 Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240909100328.1838963-9-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).