[PATCH v7 ipsec-next 0/3] xfrm: Support GRO decapsulation for ESP in UDP encapsulation

[Antony Antony <antony.antony@secunet.com>]

Hi,

I have added how to enable this feature, and more description to the second
patch. Here is copy of that.

xfrm: Support GRO for IPv4i & IPv6 ESP in UDP encapsulation

This patchset enables the GRO codepath for ESP in UDP encapsulated
packets. Decapsulation happens at L2 and saves a full round through
the stack for each packet. This is also needed to support HW offload
for ESP in UDP encapsulation.

Enabling this would imporove performance for ESP in UDP datapath, i.e
IPsec with NAT in between. Our initial tests show 20% improvement.


By default GRP for ESP-in-UDP is disabled for UDP sockets.
To enable this feature for an ESP socket, the following two options
need to be set:
 1. enable ESP-in-UDP: (this is already set by an IKE daemon).
    int type = UDP_ENCAP_ESPINUDP;
    setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type));

 2. To enable GRO for ESP in UDP socket:
    type = true;
    setsockopt(fd, SOL_UDP, UDP_GRO, &type, sizeof(type));

Enabling ESP-in-UDP has the side effect of preventing the Linux stack from
seeing ESP packets at the L3 (when ESP OFFLOAD is disabled), as packets are
immediately decapsulated from UDP and decrypted.
This change may affect nftable rules that match on ESP packets  at L3.
Also tcpdump won't see the ESP packet.

Developers/admins are advised to review and adapt any nftable rules
accordingly before enabling this feature to prevent potential rule breakage.
Also tcpdump will not see from ESP packets from a ESP in UDP flow when this
is enabled.

---

Initial, a quick test showed performance difference of about 20%
impromvent on the receiver, when using iperf, tcp flow, over ESP in UDP.

Steffen Klassert (3):
  xfrm: Use the XFRM_GRO to indicate a GRO call on input
  xfrm: Support GRO for IPv4 ESP in UDP encapsulation
  xfrm: Support GRO for IPv6 ESP in UDP encapsulation

 include/net/gro.h        |  2 +-
 include/net/ipv6_stubs.h |  3 ++
 include/net/xfrm.h       |  4 ++
 net/ipv4/esp4_offload.c  |  6 ++-
 net/ipv4/udp.c           | 16 +++++++
 net/ipv4/xfrm4_input.c   | 94 ++++++++++++++++++++++++++++++++--------
 net/ipv6/af_inet6.c      |  1 +
 net/ipv6/esp6_offload.c  | 10 ++++-
 net/ipv6/xfrm6_input.c   | 94 ++++++++++++++++++++++++++++++++--------
 net/xfrm/xfrm_input.c    |  6 +--
 10 files changed, 192 insertions(+), 44 deletions(-)

--
2.30.2