From: Leon Romanovsky <leon@kernel.org>
To: steffen.klassert@secunet.com
Cc: Feng Wang <wangfe@google.com>,
netdev@vger.kernel.org, antony.antony@secunet.com,
pabeni@redhat.com
Subject: Re: [PATCH v7] xfrm: add SA information to the offloaded packet when if_id is set
Date: Mon, 9 Dec 2024 23:53:01 +0200
Message-ID: <20241209215301.GC1245331@unreal>
In-Reply-To: <20241209202811.481441-2-wangfe@google.com>
On Mon, Dec 09, 2024 at 08:28:12PM +0000, Feng Wang wrote:
> In packet offload mode, append Security Association (SA) information
> to each packet, replicating the crypto offload implementation. This
> SA info helps HW offload match packets to their correct security
> policies. The XFRM interface ID is included, which is used in setups
> with multiple XFRM interfaces where source/destination addresses alone
> can't pinpoint the right policy.
>
> The XFRM_XMIT flag is set to enable the packet to be returned immediately
> from the validate_xmit_xfrm function, thus aligning with the existing
> code path for packet offload mode.
>
> Enable packet offload mode on netdevsim and add code to check the XFRM
> interface ID.
>
> Signed-off-by: wangfe <wangfe@google.com>
> ---
<...>
> @@ -728,7 +730,27 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
> kfree_skb(skb);
> return -EHOSTUNREACH;
> }
> + if (x->if_id) {
> + sp = secpath_set(skb);
> + if (!sp) {
> + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
> + kfree_skb(skb);
> + return -ENOMEM;
> + }
> +
> + sp->olen++;
> + sp->xvec[sp->len++] = x;
> + xfrm_state_hold(x);
>
> + xo = xfrm_offload(skb);
> + if (!xo) {
> + secpath_reset(skb);
> + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
> + kfree_skb(skb);
> + return -EINVAL;
> + }
> + xo->flags |= XFRM_XMIT;
> + }
Steffen,

I would like to ask you to delay this patch until this "if_id"
support is implemented and tested on a real upstreamed device.

I have no confidence that the solution proposed above is the right thing
to do, as it doesn't solve the claim "This SA info helps HW offload match
packets to their correct security". HW is going to perform the lookup anyway
on the source and destination, so it is unclear how it will "help".

Thanks
> return xfrm_output_resume(sk, skb, 0);
> }
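Review bot: `sp->xvec[sp->len++] = x;` appends to the secpath without checking `sp->len` against XFRM_MAX_DEPTH, and the whole secpath_set() / xvec append / xfrm_state_hold() / xfrm_offload() / XFRM_XMIT sequence inside `if (x->if_id)` is, as the commit message says, a copy of the crypto offload branch of xfrm_output(). Rather than carrying two identical twenty-line blocks in the same function, factor them into one static helper that attaches the secpath, takes the state reference and sets `xo->flags |= XFRM_XMIT`, returning an errno, and call it from both the crypto and the packet offload branch; that gives a single place to add the missing depth check and keeps the two error paths (the `!sp` return before the hold, the `!xo` path that relies on secpath_reset() to drop the hold) from drifting apart. Also note that, because the block is guarded by `x->if_id`, packet-offload skbs for states without an if_id still reach the driver with no secpath at all, so any driver that starts reading `xfrm_input_state(skb)->if_id` from this path has to tolerate a NULL secpath rather than assume it is always present.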
>
> --
> 2.47.0.338.g60cca15819-goog
>
>
Thread overview: 7+ messages
2024-12-09 20:28 [PATCH v7] xfrm: add SA information to the offloaded packet when if_id is set Feng Wang
2024-12-09 21:53 ` Leon Romanovsky [this message]
2024-12-09 23:44 ` Feng Wang
2024-12-10 9:38 ` Steffen Klassert
2024-12-11 3:20 ` Jakub Kicinski
2024-12-11 10:57 ` Steffen Klassert
2024-12-10 9:28 ` Steffen Klassert