* [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload
@ 2023-08-08 19:14 Leon Romanovsky
2023-08-08 19:14 ` [PATCH net-next 1/2] net/mlx5e: Support IPsec upper protocol selector field offload for RX Leon Romanovsky
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Leon Romanovsky @ 2023-08-08 19:14 UTC (permalink / raw)
To: Jakub Kicinski, Steffen Klassert
Cc: Leon Romanovsky, Emeel Hakim, David S . Miller, Eric Dumazet,
netdev, Paolo Abeni, Raed Salem, Saeed Mahameed, Simon Horman
From: Leon Romanovsky <leonro@nvidia.com>
These two patches add ability to configure proto both UDP and TCP selectors
in RX and TX directions.
Thanks
Emeel Hakim (1):
net/mlx5e: Support IPsec upper protocol selector field offload for RX
Leon Romanovsky (1):
net/mlx5e: Support IPsec upper TCP protocol selector
.../mellanox/mlx5/core/en_accel/ipsec.c | 13 +++---
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 45 ++++++++++++++-----
2 files changed, 40 insertions(+), 18 deletions(-)
--
2.41.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH net-next 1/2] net/mlx5e: Support IPsec upper protocol selector field offload for RX
2023-08-08 19:14 [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload Leon Romanovsky
@ 2023-08-08 19:14 ` Leon Romanovsky
2023-08-08 19:14 ` [PATCH net-next 2/2] net/mlx5e: Support IPsec upper TCP protocol selector Leon Romanovsky
2023-08-10 9:47 ` [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload Simon Horman
2 siblings, 0 replies; 4+ messages in thread
From: Leon Romanovsky @ 2023-08-08 19:14 UTC (permalink / raw)
To: Jakub Kicinski, Steffen Klassert
Cc: Emeel Hakim, David S . Miller, Eric Dumazet, netdev, Paolo Abeni,
Raed Salem, Saeed Mahameed, Simon Horman
From: Emeel Hakim <ehakim@nvidia.com>
Support RX policy/state upper protocol selector field offload,
to enable selecting RX traffic for IPsec operation based on l4
protocol UDP with specific source/destination port.
Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
.../net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 10 ++++------
.../ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 ++
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 40350227b3c3..9ee169b72d9d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -442,9 +442,8 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (x->sel.proto != IPPROTO_IP &&
- (x->sel.proto != IPPROTO_UDP || x->xso.dir != XFRM_DEV_OFFLOAD_OUT)) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP, and only Tx direction");
+ if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
return -EINVAL;
}
@@ -1000,9 +999,8 @@ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (sel->proto != IPPROTO_IP &&
- (sel->proto != IPPROTO_UDP || x->xdo.dir != XFRM_DEV_OFFLOAD_OUT)) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP, and only Tx direction");
+ if (x->selector.proto != IPPROTO_IP && x->selector.proto != IPPROTO_UDP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
return -EINVAL;
}
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index 3781c72d97f1..f5e29b7f5ba0 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -1243,6 +1243,7 @@ static int rx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
setup_fte_spi(spec, attrs->spi);
setup_fte_esp(spec);
setup_fte_no_frags(spec);
+ setup_fte_upper_proto_match(spec, &attrs->upspec);
if (rx != ipsec->rx_esw)
err = setup_modify_header(ipsec, attrs->type,
@@ -1519,6 +1520,7 @@ static int rx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry)
setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6);
setup_fte_no_frags(spec);
+ setup_fte_upper_proto_match(spec, &attrs->upspec);
switch (attrs->action) {
case XFRM_POLICY_ALLOW:
--
2.41.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH net-next 2/2] net/mlx5e: Support IPsec upper TCP protocol selector
2023-08-08 19:14 [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload Leon Romanovsky
2023-08-08 19:14 ` [PATCH net-next 1/2] net/mlx5e: Support IPsec upper protocol selector field offload for RX Leon Romanovsky
@ 2023-08-08 19:14 ` Leon Romanovsky
2023-08-10 9:47 ` [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload Simon Horman
2 siblings, 0 replies; 4+ messages in thread
From: Leon Romanovsky @ 2023-08-08 19:14 UTC (permalink / raw)
To: Jakub Kicinski, Steffen Klassert
Cc: Leon Romanovsky, Emeel Hakim, David S . Miller, Eric Dumazet,
netdev, Paolo Abeni, Raed Salem, Saeed Mahameed, Simon Horman
From: Leon Romanovsky <leonro@nvidia.com>
Support TCP as protocol selector for policy and state in IPsec
packet offload mode.
Example of state configuration is as follows:
ip xfrm state add src 192.168.25.3 dst 192.168.25.1 \
proto esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' \
0x54a7588d36873b031e4bd46301be5a86b3a53879 128 mode transport \
offload packet dev re0 dir in sel src 192.168.25.3 dst 192.168.25.1 \
proto tcp dport 9003
Acked-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
.../mellanox/mlx5/core/en_accel/ipsec.c | 11 +++--
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 43 +++++++++++++------
2 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 9ee169b72d9d..6f21694c7b13 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -442,8 +442,9 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
+ if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP &&
+ x->sel.proto != IPPROTO_TCP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
return -EINVAL;
}
@@ -999,8 +1000,10 @@ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
return -EINVAL;
}
- if (x->selector.proto != IPPROTO_IP && x->selector.proto != IPPROTO_UDP) {
- NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
+ if (x->selector.proto != IPPROTO_IP &&
+ x->selector.proto != IPPROTO_UDP &&
+ x->selector.proto != IPPROTO_TCP) {
+ NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
return -EINVAL;
}
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index f5e29b7f5ba0..a1cfddd05bc4 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -936,23 +936,42 @@ static void setup_fte_reg_c4(struct mlx5_flow_spec *spec, u32 reqid)
static void setup_fte_upper_proto_match(struct mlx5_flow_spec *spec, struct upspec *upspec)
{
- if (upspec->proto != IPPROTO_UDP)
+ switch (upspec->proto) {
+ case IPPROTO_UDP:
+ if (upspec->dport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ udp_dport, upspec->dport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ udp_dport, upspec->dport);
+ }
+ if (upspec->sport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ udp_sport, upspec->sport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ udp_sport, upspec->sport);
+ }
+ break;
+ case IPPROTO_TCP:
+ if (upspec->dport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ tcp_dport, upspec->dport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ tcp_dport, upspec->dport);
+ }
+ if (upspec->sport) {
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+ tcp_sport, upspec->sport_mask);
+ MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+ tcp_sport, upspec->sport);
+ }
+ break;
+ default:
return;
+ }
spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, ip_protocol);
MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, ip_protocol, upspec->proto);
- if (upspec->dport) {
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_dport,
- upspec->dport_mask);
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_dport, upspec->dport);
- }
-
- if (upspec->sport) {
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_sport,
- upspec->sport_mask);
- MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_sport, upspec->sport);
- }
}
static enum mlx5_flow_namespace_type ipsec_fs_get_ns(struct mlx5e_ipsec *ipsec,
--
2.41.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload
2023-08-08 19:14 [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload Leon Romanovsky
2023-08-08 19:14 ` [PATCH net-next 1/2] net/mlx5e: Support IPsec upper protocol selector field offload for RX Leon Romanovsky
2023-08-08 19:14 ` [PATCH net-next 2/2] net/mlx5e: Support IPsec upper TCP protocol selector Leon Romanovsky
@ 2023-08-10 9:47 ` Simon Horman
2 siblings, 0 replies; 4+ messages in thread
From: Simon Horman @ 2023-08-10 9:47 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Jakub Kicinski, Steffen Klassert, Leon Romanovsky, Emeel Hakim,
David S . Miller, Eric Dumazet, netdev, Paolo Abeni, Raed Salem,
Saeed Mahameed
On Tue, Aug 08, 2023 at 10:14:53PM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
>
> These two patches add ability to configure proto both UDP and TCP selectors
> in RX and TX directions.
>
> Thanks
>
> Emeel Hakim (1):
> net/mlx5e: Support IPsec upper protocol selector field offload for RX
>
> Leon Romanovsky (1):
> net/mlx5e: Support IPsec upper TCP protocol selector
Thanks Emeel and Leon,
this looks good to me.
For series,
Reviewed-by: Simon Horman <horms@kernel.org>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-08-10 9:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-08-08 19:14 [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload Leon Romanovsky
2023-08-08 19:14 ` [PATCH net-next 1/2] net/mlx5e: Support IPsec upper protocol selector field offload for RX Leon Romanovsky
2023-08-08 19:14 ` [PATCH net-next 2/2] net/mlx5e: Support IPsec upper TCP protocol selector Leon Romanovsky
2023-08-10 9:47 ` [PATCH net-next 0/2] Support more IPsec selectors in mlx5 packet offload Simon Horman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).