Re: [PATCH net-next v2 2/3] nfp: add framework to support ipsec offloading

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Leon Romanovsky <leon@kernel.org>
To: Yinjun Zhang <yinjun.zhang@corigine.com>
Cc: Cc: chengtian.liu@corigine.com,
	; Simon Horman <simon.horman@corigine.com>,
	David Miller <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, oss-drivers@corigine.com,
	Huanhuan Wang <huanhuan.wang@corigine.com>
Subject: Re: [PATCH net-next v2 2/3] nfp: add framework to support ipsec offloading
Date: Tue, 11 Oct 2022 11:41:47 +0300	[thread overview]
Message-ID: <Y0UsS9oxEuac8fmj@unreal> (raw)
In-Reply-To: <20221010070512.GA21559@nj-rack01-04.nji.corigine.com>

On Mon, Oct 10, 2022 at 03:05:12PM +0800, Yinjun Zhang wrote:
> Thanks for your comments and sorry for the late reply.
> 
> On Thu, Sep 29, 2022 at 11:10:12AM +0300, Leon Romanovsky wrote:
> > On Tue, Sep 27, 2022 at 12:27:06PM +0200, Simon Horman wrote:
> > > +struct nfp_net_ipsec_data {
> > > +	struct nfp_net_ipsec_sa_data sa_entries[NFP_NET_IPSEC_MAX_SA_CNT];
> > > +	unsigned int sa_free_stack[NFP_NET_IPSEC_MAX_SA_CNT];
> > > +	unsigned int sa_free_cnt;
> > 
> > I don't see in this patch what are you doing with this free_stack array,
> > but whole nfp_net_ipsec_data is more than 32Kb of arrays.
> >
> 
> `sa_free_stack` is used to maintain the used/available sa entries, which
> is initialized in `nfp_net_ipsec_init`.
> Yes, it's indeed a big array, and we're going to use pointer instead of array
> here.

Why do you want to use array and not Xarray?

> 
> > > +bool nfp_net_ipsec_tx_prep(struct nfp_net_dp *dp, struct sk_buff *skb,
> > > +			   struct nfp_ipsec_offload *offload_info)
> > > +{
> > > +	struct xfrm_offload *xo = xfrm_offload(skb);
> > > +	struct xfrm_state *x;
> > > +
> > > +	if (!xo)
> > > +		return false;
> > 
> > How is it possible in offload path?
> > Why do all drivers check sec_path length and not xo?
> > 
> 
> `tx_prep` is called in the tx datapath, we use `xo` to check if the
> packet needs offload-encrypto or not.

You didn't answer on any of my questions above.

How is it possible in offload path?
Why do all drivers check sec_path length and not xo?

> 
> > > +int nfp_net_ipsec_rx(struct nfp_meta_parsed *meta, struct sk_buff *skb)
> > > +{
> > > +	struct nfp_net_ipsec_sa_data *sa_data;
> > > +	struct net_device *netdev = skb->dev;
> > > +	struct nfp_net_ipsec_data *ipd;
> > > +	struct xfrm_offload *xo;
> > > +	struct nfp_net_dp *dp;
> > > +	struct xfrm_state *x;
> > > +	struct sec_path *sp;
> > > +	struct nfp_net *nn;
> > > +	int saidx;
> > > +
> > > +	nn = netdev_priv(netdev);
> > > +	ipd = nn->ipsec_data;
> > > +	dp = &nn->dp;
> > > +
> > > +	if (meta->ipsec_saidx == 0)
> > > +		return 0; /* No offload took place */
> > > +
> > > +	saidx = meta->ipsec_saidx - 1;
> > > +	if (saidx > NFP_NET_IPSEC_MAX_SA_CNT || saidx < 0) {
> > > +		nn_dp_warn(dp, "Invalid SAIDX from NIC %d\n", saidx);
> > 
> > No prints in data path that can be triggered from the network, please.
> > 
> 
> It's a ratelimit print, and it means severe error happens, probably
> unrecoverable, when running into this path.

The main part of the sentence is "... can be triggered from the network ..."

Thanks

next prev parent reply	other threads:[~2022-10-11  8:41 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-27 10:27 [PATCH net-next v2 0/3] nfp: IPsec offload support Simon Horman
2022-09-27 10:27 ` [PATCH net-next v2 1/3] nfp: extend capability and control words Simon Horman
2022-09-27 10:27 ` [PATCH net-next v2 2/3] nfp: add framework to support ipsec offloading Simon Horman
2022-09-29  8:10   ` Leon Romanovsky
     [not found]     ` <20221010070512.GA21559@nj-rack01-04.nji.corigine.com>
2022-10-11  8:41       ` Leon Romanovsky [this message]
2022-10-13  8:21         ` Yinjun Zhang
2022-09-27 10:27 ` [PATCH net-next v2 3/3] nfp: implement xfrm callbacks and expose ipsec offload feature to upper layer Simon Horman
2022-09-29  8:26   ` Leon Romanovsky
2022-10-10  7:14     ` Yinjun Zhang
2022-10-11  8:36       ` Leon Romanovsky
2022-09-29  2:42 ` [PATCH net-next v2 0/3] nfp: IPsec offload support Jakub Kicinski
2022-09-29  8:48   ` Simon Horman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y0UsS9oxEuac8fmj@unreal \
    --to=leon@kernel.org \
    --cc=chengtian.liu@corigine.com \
    --cc=yinjun.zhang@corigine.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).