Message ID | 4d8f2155e79af5a12f6358337bdc0f035f687769.1662295929.git.leonro@nvidia.com (mailing list archive) |
---|---|
State | RFC |
Delegated to: | Netdev Maintainers |
Series | Extend XFRM core to allow full offload configuration |

On Sun, Sep 04, 2022 at 04:15:41PM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
>
> Both in RX and TX, the traffic that performs IPsec full offload
> transformation is accounted by HW. It is needed to properly handle
> hard limits that require to drop the packet.
>
> It means that XFRM core needs to update internal counters with the one
> that accounted by the HW, so new callbacks are introduced in this patch.
>
> In case of soft or hard limit is occurred, the driver should call to
> xfrm_state_check_expire() that will perform key rekeying exactly as
> done by XFRM core.
>
> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>

This looks good, thanks!

We need this for the other relevant counters too.

On Sun, Sep 25, 2022 at 11:20:06AM +0200, Steffen Klassert wrote:
> On Sun, Sep 04, 2022 at 04:15:41PM +0300, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@nvidia.com>
> >
> > Both in RX and TX, the traffic that performs IPsec full offload
> > transformation is accounted by HW. It is needed to properly handle
> > hard limits that require to drop the packet.
> >
> > It means that XFRM core needs to update internal counters with the one
> > that accounted by the HW, so new callbacks are introduced in this patch.
> >
> > In case of soft or hard limit is occurred, the driver should call to
> > xfrm_state_check_expire() that will perform key rekeying exactly as
> > done by XFRM core.
> >
> > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
>
> This looks good, thanks!
>
> We need this for the other relevant counters too.

It is in my backlog.

Thanks

On Mon, Sep 26, 2022 at 09:07:31AM +0300, Leon Romanovsky wrote:
> On Sun, Sep 25, 2022 at 11:20:06AM +0200, Steffen Klassert wrote:
> > On Sun, Sep 04, 2022 at 04:15:41PM +0300, Leon Romanovsky wrote:
> > > From: Leon Romanovsky <leonro@nvidia.com>
> > >
> > > Both in RX and TX, the traffic that performs IPsec full offload
> > > transformation is accounted by HW. It is needed to properly handle
> > > hard limits that require to drop the packet.
> > >
> > > It means that XFRM core needs to update internal counters with the one
> > > that accounted by the HW, so new callbacks are introduced in this patch.
> > >
> > > In case of soft or hard limit is occurred, the driver should call to
> > > xfrm_state_check_expire() that will perform key rekeying exactly as
> > > done by XFRM core.
> > >
> > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> >
> > This looks good, thanks!
> >
> > We need this for the other relevant counters too.
>
> It is in my backlog.

Great, thanks!

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index c1db9eaa3dca..e38154d7b4cd 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -1026,6 +1026,7 @@ struct xfrmdev_ops { bool (*xdo_dev_offload_ok) (struct sk_buff *skb, struct xfrm_state *x); void (*xdo_dev_state_advance_esn) (struct xfrm_state *x); + void (*xdo_dev_state_update_curlft) (struct xfrm_state *x); int (*xdo_dev_policy_add) (struct xfrm_policy *x); void (*xdo_dev_policy_delete) (struct xfrm_policy *x); void (*xdo_dev_policy_free) (struct xfrm_policy *x); diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 38fff78a1421..100ca45d8172 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1563,6 +1563,23 @@ struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id, struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi, unsigned short family); int xfrm_state_check_expire(struct xfrm_state *x); +#ifdef CONFIG_XFRM_OFFLOAD +static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x) +{ + struct xfrm_dev_offload *xdo = &x->xso; + struct net_device *dev = xdo->dev; + + if (x->xso.type != XFRM_DEV_OFFLOAD_FULL) + return; + + if (dev && dev->xfrmdev_ops && + dev->xfrmdev_ops->xdo_dev_state_update_curlft) + dev->xfrmdev_ops->xdo_dev_state_update_curlft(x); + +} +#else +static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x) {} +#endif void xfrm_state_insert(struct xfrm_state *x); int xfrm_state_add(struct xfrm_state *x); int xfrm_state_update(struct xfrm_state *x); diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index dde009be8463..a22033350ddc 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -560,7 +560,6 @@ static int xfrm_output_one(struct sk_buff *skb, int err) XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEPROTOERROR); goto error_nolock; } - dst = skb_dst_pop(skb); if (!dst) { XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); 
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 91c32a3b6924..83d307cb526f 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -549,6 +549,8 @@ static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me) int err = 0; spin_lock(&x->lock); + xfrm_dev_state_update_curlft(x); + if (x->km.state == XFRM_STATE_DEAD) goto out; if (x->km.state == XFRM_STATE_EXPIRED) @@ -1786,6 +1788,8 @@ EXPORT_SYMBOL(xfrm_state_update); int xfrm_state_check_expire(struct xfrm_state *x) { + xfrm_dev_state_update_curlft(x); + if (!x->curlft.use_time) x->curlft.use_time = ktime_get_real_seconds();
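
Review bot: the new xdo_dev_state_update_curlft member of struct xfrmdev_ops (include/linux/netdevice.h hunk) is added without any description of its contract. Please document which fields of the xfrm_state the driver is expected to refresh from the hardware counters, so that every driver implementing full offload fills them in the same way.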
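
Review bot: in xfrm_dev_state_update_curlft() (include/net/xfrm.h hunk) the local xdo is initialised from &x->xso, but the type check then reads x->xso.type instead of xdo->type. Use the local consistently or drop it. There is also a stray blank line before the closing brace of the function.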
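
Review bot: the net/xfrm/xfrm_output.c hunk only deletes the blank line in front of dst = skb_dst_pop(skb) in xfrm_output_one(), which is unrelated to the counter update. Please drop this whitespace change from the patch.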
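
Review bot: in the xfrm_timer_handler() hunk of net/xfrm/xfrm_state.c the driver callback runs directly after spin_lock(&x->lock) and ahead of the XFRM_STATE_DEAD check, so it is invoked from the hrtimer handler with the state lock held, including for states that are already dead. The callback therefore must not sleep or take x->lock itself. Consider moving the call below the DEAD check and stating the locking rule in a comment.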
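
Review bot: xfrm_state_check_expire() (second net/xfrm/xfrm_state.c hunk) now calls xfrm_dev_state_update_curlft() as its first step, while the commit message asks the driver to call xfrm_state_check_expire() when a soft or hard limit occurs. The driver will therefore re-enter its own xdo_dev_state_update_curlft from its limit-event path. The changelog or a comment should say this is expected, so that a driver does not hold a private lock across the call that its callback also needs.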