From: Leon Romanovsky <leon@kernel.org>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: netdev@vger.kernel.org, Zhu Yanjun <yanjun.zhu@linux.dev>,
Steffen Klassert <steffen.klassert@secunet.com>,
Xiumei Mu <xmu@redhat.com>
Subject: Re: [PATCH ipsec] xfrm: fix offloading of cross-family tunnels
Date: Wed, 10 Sep 2025 11:40:27 +0300 [thread overview]
Message-ID: <20250910084027.GL341237@unreal> (raw)
In-Reply-To: <aMExEjj3I4ahnMHc@krikkit>
On Wed, Sep 10, 2025 at 10:04:34AM +0200, Sabrina Dubroca wrote:
> 2025-09-10, 08:45:50 +0300, Leon Romanovsky wrote:
> > On Tue, Sep 09, 2025 at 08:29:20PM +0200, Sabrina Dubroca wrote:
> > > 2025-09-09, 12:23:15 +0300, Leon Romanovsky wrote:
> > > > On Mon, Aug 25, 2025 at 02:50:23PM +0200, Sabrina Dubroca wrote:
> > > > > Xiumei reported a regression in IPsec offload tests over xfrmi, where
> > > > > IPv6 over IPv4 tunnels are no longer offloaded after commit
> > > > > cc18f482e8b6 ("xfrm: provide common xdo_dev_offload_ok callback
> > > > > implementation").
> > > >
> > > > What does it mean "tunnels not offloaded"?
> > >
> > > Offload is no longer performed for those tunnels, or for packets going
> > > through those tunnels if we want to be pedantic.
> > >
> > > > xdo_dev_offload_ok()
> > > > participates in data path and influences packet processing itself,
> > > > but not if tunnel offloaded or not.
> > >
> > > If for you "tunnel is offloaded" means "xdo_dev_state_add is called",
> > > then yes.
> >
> > Yes, "offloaded" means that we created HW objects.
>
> For me "offloaded" can mean either the xfrm state or the packets
> depending on context, and I don't think there's a strict definition,
> but whatever.
>
> Xiumei reported a regression in IPsec offload tests over xfrmi, where
> the traffic for IPv6 over IPv4 tunnels is processed in SW instead of
> going through crypto offload, after commit [...].
>
> It's getting too verbose IMO, but does that work for you?
Yes, it is perfectly fine.
>
>
> For the subject, are you ok with the current one? It's hard to fit
> more details into such a short space.
Leave subject as is, you describe issue well enough in the commit
message.
>
> > > > Also what type of "offload" are you talking? Crypto or packet?
> > >
> > > Crypto offload, but I don't think packet offload would behave
> > > differently here.
> >
> > It will, at least in the latest code, we have an extra check before
> > passing packet to HW.
> >
> > 765 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) {
> > 766 if (!xfrm_dev_offload_ok(skb, x)) {
> > 767 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
> > 768 kfree_skb(skb);
> > 769 return -EHOSTUNREACH;
> > 770 }
>
> So it looks like packet offload is also affected. We get to
> xfrm_dev_offload_ok, it does the wrong check, and the packets will get
> dropped instead of being sent through SW crypto. Am I misreading this?
There is no fallback in packet offload, so dropping packet which can't
be handled by HW is right thing to do. I agree that we shouldn't fail
here.
>
>
> > > > > Commit cc18f482e8b6 added a generic version of existing checks
> > > > > attempting to prevent packets with IPv4 options or IPv6 extension
> > > > > headers from being sent to HW that doesn't support offloading such
> > > > > packets. The check mistakenly uses x->props.family (the outer family)
> > > > > to determine the inner packet's family and verify if
> > > > > options/extensions are present.
> > > >
> > > > This is how ALL implementations did, so I'm not agree with claimed Fixes
> > > > tag (it it not important).
> > >
> > > Well, prior to your commit, offload seemed to work on mlx5 as I
> > > describe just after this.
> >
> > It worked by chance, not by design :)
>
> Sure.
>
> [...]
> > > > The latter is more correct, so it raises question against which
> > > > in-kernel driver were these xfrmi tests performed?
> > >
> > > mlx5
> >
> > It is artifact.
>
> Sorry, I'm not sure what you mean here.
I'm saying that "works" depends on FW and HW revision.
>
> [...]
> > > > Will it work for transport mode too? We are taking this path both for
> > > > tunnel and transport modes.
> > >
> > > Yes, if you look at __xfrm_init_state, inner_mode will always be set
> > > to whatever family is "inside".
> >
> > I believe that you need to rephrase commit message around meaning of "offloaded"
> > but the change looks ok to me.
> >
> > Thanks,
> > Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
>
> Thanks. I'll send a v2 when we agree on the wording, to avoid
> resending multiple times.
>
> --
> Sabrina
next prev parent reply other threads:[~2025-09-10 8:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-25 12:50 [PATCH ipsec] xfrm: fix offloading of cross-family tunnels Sabrina Dubroca
2025-09-09 9:23 ` Leon Romanovsky
2025-09-09 18:29 ` Sabrina Dubroca
2025-09-10 5:45 ` Leon Romanovsky
2025-09-10 8:04 ` Sabrina Dubroca
2025-09-10 8:40 ` Leon Romanovsky [this message]
2025-09-09 17:47 ` Yanjun.Zhu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250910084027.GL341237@unreal \
--to=leon@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
--cc=steffen.klassert@secunet.com \
--cc=xmu@redhat.com \
--cc=yanjun.zhu@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).