From: Leon Romanovsky <leon@kernel.org>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, Raed Salem <raeds@nvidia.com>,
ipsec-devel <devel@linux-ipsec.org>
Subject: Re: [PATCH xfrm-next v2 5/6] xfrm: add RX datapath protection for IPsec full offload mode
Date: Mon, 22 Aug 2022 12:35:34 +0300 [thread overview]
Message-ID: <YwNN5hPMD474r03i@unreal> (raw)
In-Reply-To: <20220822080642.GG2602992@gauss3.secunet.de>
On Mon, Aug 22, 2022 at 10:06:42AM +0200, Steffen Klassert wrote:
> On Thu, Aug 18, 2022 at 04:36:46PM +0300, Leon Romanovsky wrote:
> > On Thu, Aug 18, 2022 at 12:27:08PM +0200, Steffen Klassert wrote:
> > > On Tue, Aug 16, 2022 at 11:59:26AM +0300, Leon Romanovsky wrote:
> > > > From: Leon Romanovsky <leonro@nvidia.com>
> > > >
> > > > Traffic received by device with enabled IPsec full offload should be
> > > > forwarded to the stack only after decryption, packet headers and
> > > > trailers removed.
> > > >
> > > > Such packets are expected to be seen as normal (non-XFRM) ones, while
> > > > not-supported packets should be dropped by the HW.
> > > >
> > > > Reviewed-by: Raed Salem <raeds@nvidia.com>
> > > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > >
> > > > @@ -1125,6 +1148,15 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
> > > > {
> > > > struct net *net = dev_net(skb->dev);
> > > > int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
> > > > + struct xfrm_offload *xo = xfrm_offload(skb);
> > > > + struct xfrm_state *x;
> > > > +
> > > > + if (xo) {
> > > > + x = xfrm_input_state(skb);
> > > > + if (x->xso.type == XFRM_DEV_OFFLOAD_FULL)
> > > > + return (xo->flags & CRYPTO_DONE) &&
> > > > + (xo->status & CRYPTO_SUCCESS);
> > > > + }
> > > >
> > > > if (sk && sk->sk_policy[XFRM_POLICY_IN])
> > > > return __xfrm_policy_check(sk, ndir, skb, family);
> > >
> > > What happens here if there is a socket policy configured?
> >
> > No change, we don't support offload of socket policies.
>
> But the user can confugure it, so it should be enforced
> regardless if we had an offload before.
Thanks, I'll see how it can be resolved.
next prev parent reply other threads:[~2022-08-22 9:35 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-16 8:59 [PATCH xfrm-next v2 0/6] Extend XFRM core to allow full offload configuration Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 1/6] xfrm: add new full offload flag Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 2/6] xfrm: allow state full offload mode Leon Romanovsky
2022-08-18 10:12 ` Steffen Klassert
2022-08-18 13:28 ` Leon Romanovsky
2022-08-22 8:01 ` Steffen Klassert
2022-08-22 8:46 ` Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 3/6] xfrm: add an interface to offload policy Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 4/6] xfrm: add TX datapath support for IPsec full offload mode Leon Romanovsky
2022-08-18 10:24 ` Steffen Klassert
2022-08-18 13:34 ` Leon Romanovsky
2022-08-22 8:04 ` Steffen Klassert
2022-08-22 8:50 ` Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 5/6] xfrm: add RX datapath protection " Leon Romanovsky
2022-08-18 10:27 ` Steffen Klassert
2022-08-18 13:36 ` Leon Romanovsky
2022-08-22 8:06 ` Steffen Klassert
2022-08-22 9:35 ` Leon Romanovsky [this message]
2022-08-16 8:59 ` [PATCH xfrm-next v2 6/6] xfrm: enforce separation between priorities of HW/SW policies Leon Romanovsky
2022-08-17 2:54 ` [PATCH xfrm-next v2 0/6] Extend XFRM core to allow full offload configuration Jakub Kicinski
2022-08-17 5:22 ` Leon Romanovsky
2022-08-17 18:10 ` Jakub Kicinski
2022-08-18 5:24 ` Leon Romanovsky
2022-08-18 10:10 ` Steffen Klassert
2022-08-18 12:51 ` Leon Romanovsky
2022-08-19 1:54 ` Jakub Kicinski
2022-08-19 2:34 ` Jakub Kicinski
2022-08-19 5:52 ` Leon Romanovsky
2022-08-19 15:47 ` Jakub Kicinski
2022-08-19 16:01 ` Jason Gunthorpe
2022-08-19 17:53 ` Jakub Kicinski
2022-08-22 8:41 ` Steffen Klassert
2022-08-22 8:54 ` Leon Romanovsky
2022-08-22 16:33 ` Jakub Kicinski
2022-08-22 21:27 ` Saeed Mahameed
2022-08-23 0:17 ` Jakub Kicinski
2022-08-23 5:22 ` Steffen Klassert
2022-08-23 14:06 ` Leon Romanovsky
2022-08-23 4:48 ` Leon Romanovsky
2022-08-26 12:20 ` Jason Gunthorpe
2022-08-23 5:34 ` Leon Romanovsky
2022-08-18 10:09 ` Steffen Klassert
2022-08-18 13:26 ` Leon Romanovsky
2022-08-22 8:34 ` Steffen Klassert
2022-08-22 9:34 ` Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YwNN5hPMD474r03i@unreal \
--to=leon@kernel.org \
--cc=davem@davemloft.net \
--cc=devel@linux-ipsec.org \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=raeds@nvidia.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).