netdev.vger.kernel.org archive mirror
From: Antony Antony <antony@phenome.org>
To: Feng Wang <wangfe@google.com>
Cc: Leon Romanovsky <leon@kernel.org>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	netdev@vger.kernel.org, herbert@gondor.apana.org.au,
	davem@davemloft.net
Subject: Re: [PATCH] [PATCH ipsec] xfrm: Store ipsec interface index
Date: Fri, 5 Apr 2024 16:19:34 +0200
Message-ID: <ZhAIdoNsmwXSK59t@Antony2201.local>
In-Reply-To: <20240403064507.GR11187@unreal>

Hi Feng,

On Wed, Apr 03, 2024 at 09:45:07AM +0300, Leon Romanovsky wrote:
> On Tue, Apr 02, 2024 at 02:10:16PM -0700, Feng Wang wrote:
> > The xfrm interface ID is the index of the ipsec device, for example,
> > ipsec11, ipsec12.  One ipsec application(VPN) might create an ipsec11
> > interface and send the data through this interface.

Where to find xfrm interface if_id depends on the direction the packet is
traversing, direction "out": (clear text in ESP out), or "in": (ESP in clear
text out) use if_id differently.

Which case are you looking at? It sounds like out.

> > Another application(Wifi calling) might create an ipsec12 interface and
> > send its data through ipsec12.  Both packets are routed through the kernel
> > to the one device driver(wifi).  When the device driver receives the
> > packet, it needs to find the correct application parameters to encrypt the

This looks like an out case. After a successful dst lookup, xfrm_lookup(),

look at skb_dst(skb)->xfrm->if_id ?

> > packet.  So if the skb_iif is marked by the kernel with ipsec11 or
> > ipsec12,  device driver can use this information to find the corresponding
> > parameter.  I hope I explain my user case clearly.  If there is any
> > misunderstanding, please let me know.  I try my best to make it clear.

skb_dst(skb)->xfrm->if_id should match what is in the xfrm policy I think,
p->if_id.

Note I assumed the packet is locally generated. If it is a forwarded packet 
there could be another policy lookup before.
 
> Like I said before, please send the code which uses this feature. Right
> now, packet offload doesn't need this feature.

+1
-antony

Thread overview: 8+ messages
2024-03-18 23:13 [PATCH] [PATCH ipsec] xfrm: Store ipsec interface index Feng Wang
2024-03-19  8:42 ` Leon Romanovsky
     [not found]   ` <CADsK2K_65Wytnr5y+5Biw=ebtb-+hO=K7hxhSNJd6X+q9nAieg@mail.gmail.com>
2024-03-20  4:33     ` Steffen Klassert
     [not found]       ` <CADsK2K-WFG2+2NQ08xBq89ty-G-xcoV517Eq5D7kNePcT4z0MQ@mail.gmail.com>
2024-03-21  9:32         ` Leon Romanovsky
     [not found]           ` <CADsK2K8=B=Yv4i6rzNdbuc-C6yc-pw6RSuRvKbsL2qYjsO9seg@mail.gmail.com>
2024-04-01 14:27             ` Leon Romanovsky
     [not found]               ` <CADsK2K-VLdiuxeP82bmuGvmU6z848mLpk+JBYdhXppOq0B76VA@mail.gmail.com>
2024-04-02  7:51                 ` Leon Romanovsky
     [not found]                   ` <CADsK2K8WvGmUdno5X=_ebNF1mzP9=kd1=ve31Tb5hSk+q4VTkg@mail.gmail.com>
2024-04-03  6:45                     ` Leon Romanovsky
2024-04-05 14:19                       ` Antony Antony [this message]
