From: Leon Romanovsky <leon@kernel.org>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, Raed Salem <raeds@nvidia.com>,
ipsec-devel <devel@linux-ipsec.org>
Subject: Re: [PATCH ipsec-next 6/6] xfrm: enforce separation between priorities of HW/SW policies
Date: Mon, 16 May 2022 08:17:42 +0300 [thread overview]
Message-ID: <YoHedr67PscgzhTo@unreal> (raw)
In-Reply-To: <20220513150702.GN680067@gauss3.secunet.de>
On Fri, May 13, 2022 at 05:07:02PM +0200, Steffen Klassert wrote:
> On Tue, May 10, 2022 at 01:36:57PM +0300, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@nvidia.com>
> >
> > Devices that implement IPsec full offload mode offload policies too.
> > In RX path, it causes to the situation that HW can't effectively handle
> > mixed SW and HW priorities unless users make sure that HW offloaded
> > policies have higher priorities.
> >
> > In order to make sure that users have coherent picture, let's require to
> > make sure that HW offloaded policies have always (both RX and TX) higher
> > priorities than SW ones.
>
> I'm still not sure whether splitting priorities in software and hardware
> is the right way to go. I fear we can get problems with corner cases we
> don't think about now. But OTOH I don't have a better idea. So maybe
> someone on the list has an opinion on that.
I see this patch as aid to catch wrong configurations of policy
priorities, at least for simple users. I didn't have a goal to
create full featured validator to don't add complexity where it
is not necessary.
Thanks
prev parent reply other threads:[~2022-05-16 5:18 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-10 10:36 [PATCH ipsec-next 0/6] Extend XFRM core to allow full offload configuration Leon Romanovsky
2022-05-10 10:36 ` [PATCH ipsec-next 1/6] xfrm: add new full offload flag Leon Romanovsky
2022-05-10 10:36 ` [PATCH ipsec-next 2/6] xfrm: allow state full offload mode Leon Romanovsky
2022-05-10 10:36 ` [PATCH ipsec-next 3/6] xfrm: add an interface to offload policy Leon Romanovsky
2022-05-13 14:44 ` Steffen Klassert
2022-05-16 5:18 ` Leon Romanovsky
2022-05-10 10:36 ` [PATCH ipsec-next 4/6] xfrm: add TX datapath support for IPsec full offload mode Leon Romanovsky
2022-05-13 14:56 ` Steffen Klassert
2022-05-16 5:44 ` Leon Romanovsky
2022-05-18 7:49 ` Steffen Klassert
2022-05-24 18:30 ` Leon Romanovsky
2022-05-10 10:36 ` [PATCH ipsec-next 5/6] xfrm: add RX datapath protection " Leon Romanovsky
2022-05-13 15:02 ` Steffen Klassert
2022-05-16 5:29 ` Leon Romanovsky
2022-05-18 8:02 ` Steffen Klassert
2022-05-10 10:36 ` [PATCH ipsec-next 6/6] xfrm: enforce separation between priorities of HW/SW policies Leon Romanovsky
2022-05-13 15:07 ` Steffen Klassert
2022-05-16 5:17 ` Leon Romanovsky [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YoHedr67PscgzhTo@unreal \
--to=leon@kernel.org \
--cc=davem@davemloft.net \
--cc=devel@linux-ipsec.org \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=raeds@nvidia.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).