
[net-next,09/10] net/mlx5e: Create IPsec table with tunnel support only when encap is disabled

Message ID ee971aa614d3264c9fe88eb77a6f61687a3ff363.1681106636.git.leonro@nvidia.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Series Support tunnel mode in mlx5 IPsec packet offload

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for net-next, async
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 18 this patch: 18
netdev/cc_maintainers warning 2 maintainers not CCed: linux-rdma@vger.kernel.org borisp@nvidia.com
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 18 this patch: 18
netdev/checkpatch warning WARNING: line length of 107 exceeds 80 columns
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Leon Romanovsky April 10, 2023, 6:19 a.m. UTC
From: Leon Romanovsky <leonro@nvidia.com>

Current hardware doesn't support double encapsulation which is
happening when IPsec packet offload tunnel mode is configured
together with eswitch encap option.

Any user attempt to add a new SA/policy after he/she sets encap mode will
generate the following FW syndrome:

 mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 1904): CREATE_FLOW_TABLE(0x930) op_mod(0x0) failed,
 status bad parameter(0x3), syndrome (0xa43321), err(-22)

Make sure that we block encap changes before creating flow steering tables.
This is applicable only to packet offload in tunnel mode; packet offload
in transport mode and crypto offload don't have such a limitation, as they
don't perform encapsulation.

Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
 .../mellanox/mlx5/core/en_accel/ipsec.c       |  7 ++++
 .../mellanox/mlx5/core/en_accel/ipsec.h       |  1 +
 .../mellanox/mlx5/core/en_accel/ipsec_fs.c    | 33 +++++++++++++++++--
 3 files changed, 38 insertions(+), 3 deletions(-)

Comments

Simon Horman April 10, 2023, 2:29 p.m. UTC | #1
On Mon, Apr 10, 2023 at 09:19:11AM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
> 
> Current hardware doesn't support double encapsulation which is
> happening when IPsec packet offload tunnel mode is configured
> together with eswitch encap option.
> 
> Any user attempt to add new SA/policy after he/she sets encap mode, will
> generate the following FW syndrome:
> 
>  mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 1904): CREATE_FLOW_TABLE(0x930) op_mod(0x0) failed,
>  status bad parameter(0x3), syndrome (0xa43321), err(-22)
> 
> Make sure that we block encap changes before creating flow steering tables.
> This is applicable only for packet offload in tunnel mode, while packet
> offload in transport mode and crypto offload, don't have such limitation
> as they don't perform encapsulation.
> 
> Reviewed-by: Raed Salem <raeds@nvidia.com>
> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>

Hi Raed and Leon,

some minor feedback from me below.

> ---
>  .../mellanox/mlx5/core/en_accel/ipsec.c       |  7 ++++
>  .../mellanox/mlx5/core/en_accel/ipsec.h       |  1 +
>  .../mellanox/mlx5/core/en_accel/ipsec_fs.c    | 33 +++++++++++++++++--
>  3 files changed, 38 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> index b64281fd4142..e95004ac7a20 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> @@ -668,6 +668,13 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
>  	if (err)
>  		goto err_hw_ctx;
>  
> +	if (x->props.mode == XFRM_MODE_TUNNEL &&
> +	    x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
> +	    !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
> +		NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");
> +		goto err_add_rule;

The err_add_rule will return err.
But err is zero here.
Perhaps it should be set to a negative error code?

Flagged by Smatch as:

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c:753 mlx5e_xfrm_free_state() error: we previously assumed 'sa_entry->work' could be null (see line 744)

> +	}
> +
>  	/* We use *_bh() variant because xfrm_timer_handler(), which runs
>  	 * in softirq context, can reach our state delete logic and we need
>  	 * xa_erase_bh() there.

...
Leon Romanovsky April 10, 2023, 4:49 p.m. UTC | #2
On Mon, Apr 10, 2023 at 04:29:09PM +0200, Simon Horman wrote:
> On Mon, Apr 10, 2023 at 09:19:11AM +0300, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@nvidia.com>
> > 
> > Current hardware doesn't support double encapsulation which is
> > happening when IPsec packet offload tunnel mode is configured
> > together with eswitch encap option.
> > 
> > Any user attempt to add new SA/policy after he/she sets encap mode, will
> > generate the following FW syndrome:
> > 
> >  mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 1904): CREATE_FLOW_TABLE(0x930) op_mod(0x0) failed,
> >  status bad parameter(0x3), syndrome (0xa43321), err(-22)
> > 
> > Make sure that we block encap changes before creating flow steering tables.
> > This is applicable only for packet offload in tunnel mode, while packet
> > offload in transport mode and crypto offload, don't have such limitation
> > as they don't perform encapsulation.
> > 
> > Reviewed-by: Raed Salem <raeds@nvidia.com>
> > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> 
> Hi Raed and Leon,
> 
> some minor feedback from me below.
> 
> > ---
> >  .../mellanox/mlx5/core/en_accel/ipsec.c       |  7 ++++
> >  .../mellanox/mlx5/core/en_accel/ipsec.h       |  1 +
> >  .../mellanox/mlx5/core/en_accel/ipsec_fs.c    | 33 +++++++++++++++++--
> >  3 files changed, 38 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > index b64281fd4142..e95004ac7a20 100644
> > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > @@ -668,6 +668,13 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
> >  	if (err)
> >  		goto err_hw_ctx;
> >  
> > +	if (x->props.mode == XFRM_MODE_TUNNEL &&
> > +	    x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
> > +	    !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
> > +		NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");
> > +		goto err_add_rule;
> 
> The err_add_rule will return err.
> But err is zero here.
> Perhaps it should be set to an negative error code?

Thanks, I overlooked it.

> 
> Flagged by Smatch as:
> 
> drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c:753 mlx5e_xfrm_free_state() error: we previously assumed 'sa_entry->work' could be null (see line 744)

I don't get such warnings from my CI; I will try to understand why.

What are the command line arguments you use to run smatch?
What is the version of smatch?

Thanks

> 
> > +	}
> > +
> >  	/* We use *_bh() variant because xfrm_timer_handler(), which runs
> >  	 * in softirq context, can reach our state delete logic and we need
> >  	 * xa_erase_bh() there.
> 
> ...
Simon Horman April 10, 2023, 6:10 p.m. UTC | #3
On Mon, Apr 10, 2023 at 07:49:20PM +0300, Leon Romanovsky wrote:
> On Mon, Apr 10, 2023 at 04:29:09PM +0200, Simon Horman wrote:
> > On Mon, Apr 10, 2023 at 09:19:11AM +0300, Leon Romanovsky wrote:
> > > From: Leon Romanovsky <leonro@nvidia.com>
> > > 
> > > Current hardware doesn't support double encapsulation which is
> > > happening when IPsec packet offload tunnel mode is configured
> > > together with eswitch encap option.
> > > 
> > > Any user attempt to add new SA/policy after he/she sets encap mode, will
> > > generate the following FW syndrome:
> > > 
> > >  mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 1904): CREATE_FLOW_TABLE(0x930) op_mod(0x0) failed,
> > >  status bad parameter(0x3), syndrome (0xa43321), err(-22)
> > > 
> > > Make sure that we block encap changes before creating flow steering tables.
> > > This is applicable only for packet offload in tunnel mode, while packet
> > > offload in transport mode and crypto offload, don't have such limitation
> > > as they don't perform encapsulation.
> > > 
> > > Reviewed-by: Raed Salem <raeds@nvidia.com>
> > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > 
> > Hi Raed and Leon,
> > 
> > some minor feedback from me below.
> > 
> > > ---
> > >  .../mellanox/mlx5/core/en_accel/ipsec.c       |  7 ++++
> > >  .../mellanox/mlx5/core/en_accel/ipsec.h       |  1 +
> > >  .../mellanox/mlx5/core/en_accel/ipsec_fs.c    | 33 +++++++++++++++++--
> > >  3 files changed, 38 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > > index b64281fd4142..e95004ac7a20 100644
> > > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > > @@ -668,6 +668,13 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
> > >  	if (err)
> > >  		goto err_hw_ctx;
> > >  
> > > +	if (x->props.mode == XFRM_MODE_TUNNEL &&
> > > +	    x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
> > > +	    !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
> > > +		NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");
> > > +		goto err_add_rule;
> > 
> > The err_add_rule will return err.
> > But err is zero here.
> > Perhaps it should be set to an negative error code?
> 
> Thanks, I overlooked it.
> 
> > 
> > Flagged by Smatch as:
> > 
> > drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c:753 mlx5e_xfrm_free_state() error: we previously assumed 'sa_entry->work' could be null (see line 744)
> 
> I don't get such warnings from my CI, will try to understand why.
> 
> What are the command line arguments you use to run smatch?

Hi Leon,

I run Smatch like this:

.../smatch/smatch_scripts/kchecker \
	drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.o

> What is the version of smatch?

I see this with Smatch 1.73.


In writing this email, I noticed that Smatch seems to flag
a problem in net-next, which seems to be a valid concern.

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c:753 mlx5e_xfrm_free_state() error: we previously assumed 'sa_entry->work' could be null (see line 744)
Leon Romanovsky April 11, 2023, 12:47 p.m. UTC | #4
On Mon, Apr 10, 2023 at 08:10:14PM +0200, Simon Horman wrote:
> On Mon, Apr 10, 2023 at 07:49:20PM +0300, Leon Romanovsky wrote:
> > On Mon, Apr 10, 2023 at 04:29:09PM +0200, Simon Horman wrote:
> > > On Mon, Apr 10, 2023 at 09:19:11AM +0300, Leon Romanovsky wrote:
> > > > From: Leon Romanovsky <leonro@nvidia.com>
> > > > 
> > > > Current hardware doesn't support double encapsulation which is
> > > > happening when IPsec packet offload tunnel mode is configured
> > > > together with eswitch encap option.
> > > > 
> > > > Any user attempt to add new SA/policy after he/she sets encap mode, will
> > > > generate the following FW syndrome:
> > > > 
> > > >  mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 1904): CREATE_FLOW_TABLE(0x930) op_mod(0x0) failed,
> > > >  status bad parameter(0x3), syndrome (0xa43321), err(-22)
> > > > 
> > > > Make sure that we block encap changes before creating flow steering tables.
> > > > This is applicable only for packet offload in tunnel mode, while packet
> > > > offload in transport mode and crypto offload, don't have such limitation
> > > > as they don't perform encapsulation.
> > > > 
> > > > Reviewed-by: Raed Salem <raeds@nvidia.com>
> > > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > > 
> > > Hi Raed and Leon,
> > > 
> > > some minor feedback from me below.
> > > 
> > > > ---
> > > >  .../mellanox/mlx5/core/en_accel/ipsec.c       |  7 ++++
> > > >  .../mellanox/mlx5/core/en_accel/ipsec.h       |  1 +
> > > >  .../mellanox/mlx5/core/en_accel/ipsec_fs.c    | 33 +++++++++++++++++--
> > > >  3 files changed, 38 insertions(+), 3 deletions(-)
> > > > 
> > > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > > > index b64281fd4142..e95004ac7a20 100644
> > > > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > > > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > > > @@ -668,6 +668,13 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
> > > >  	if (err)
> > > >  		goto err_hw_ctx;
> > > >  
> > > > +	if (x->props.mode == XFRM_MODE_TUNNEL &&
> > > > +	    x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
> > > > +	    !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
> > > > +		NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");
> > > > +		goto err_add_rule;
> > > 
> > > The err_add_rule will return err.
> > > But err is zero here.
> > > Perhaps it should be set to an negative error code?
> > 
> > Thanks, I overlooked it.
> > 
> > > 
> > > Flagged by Smatch as:
> > > 
> > > drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c:753 mlx5e_xfrm_free_state() error: we previously assumed 'sa_entry->work' could be null (see line 744)
> > 
> > I don't get such warnings from my CI, will try to understand why.
> > 
> > What are the command line arguments you use to run smatch?
> 
> Hi Leon,
> 
> I run Smatch like this:
> 
> .../smatch/smatch_scripts/kchecker \
> 	drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.o
> 
> > What is the version of smatch?
> 
> I see this with Smatch 1.73.
> 
> 
> In writing this email, I noticed that Smatch seems to flag
> a problem in net-next. Which seems to be a valid concern.
> 
> drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c:753 mlx5e_xfrm_free_state() error: we previously assumed 'sa_entry->work' could be null (see line 744)

Thanks, I'll take a look when I return to the office.
Leon Romanovsky April 13, 2023, 11:21 a.m. UTC | #5
On Tue, Apr 11, 2023 at 03:47:31PM +0300, Leon Romanovsky wrote:
> On Mon, Apr 10, 2023 at 08:10:14PM +0200, Simon Horman wrote:
> > On Mon, Apr 10, 2023 at 07:49:20PM +0300, Leon Romanovsky wrote:
> > > On Mon, Apr 10, 2023 at 04:29:09PM +0200, Simon Horman wrote:
> > > > On Mon, Apr 10, 2023 at 09:19:11AM +0300, Leon Romanovsky wrote:
> > > > > From: Leon Romanovsky <leonro@nvidia.com>
> > > > > 
> > > > > Current hardware doesn't support double encapsulation which is
> > > > > happening when IPsec packet offload tunnel mode is configured
> > > > > together with eswitch encap option.
> > > > > 
> > > > > Any user attempt to add new SA/policy after he/she sets encap mode, will
> > > > > generate the following FW syndrome:
> > > > > 
> > > > >  mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 1904): CREATE_FLOW_TABLE(0x930) op_mod(0x0) failed,
> > > > >  status bad parameter(0x3), syndrome (0xa43321), err(-22)
> > > > > 
> > > > > Make sure that we block encap changes before creating flow steering tables.
> > > > > This is applicable only for packet offload in tunnel mode, while packet
> > > > > offload in transport mode and crypto offload, don't have such limitation
> > > > > as they don't perform encapsulation.
> > > > > 
> > > > > Reviewed-by: Raed Salem <raeds@nvidia.com>
> > > > > Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> > > > 
> > > > Hi Raed and Leon,
> > > > 
> > > > some minor feedback from me below.
> > > > 
> > > > > ---
> > > > >  .../mellanox/mlx5/core/en_accel/ipsec.c       |  7 ++++
> > > > >  .../mellanox/mlx5/core/en_accel/ipsec.h       |  1 +
> > > > >  .../mellanox/mlx5/core/en_accel/ipsec_fs.c    | 33 +++++++++++++++++--
> > > > >  3 files changed, 38 insertions(+), 3 deletions(-)
> > > > > 
> > > > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > > > > index b64281fd4142..e95004ac7a20 100644
> > > > > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > > > > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
> > > > > @@ -668,6 +668,13 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x,
> > > > >  	if (err)
> > > > >  		goto err_hw_ctx;
> > > > >  
> > > > > +	if (x->props.mode == XFRM_MODE_TUNNEL &&
> > > > > +	    x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
> > > > > +	    !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
> > > > > +		NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");
> > > > > +		goto err_add_rule;
> > > > 
> > > > The err_add_rule will return err.
> > > > But err is zero here.
> > > > Perhaps it should be set to an negative error code?
> > > 
> > > Thanks, I overlooked it.
> > > 
> > > > 
> > > > Flagged by Smatch as:
> > > > 
> > > > drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c:753 mlx5e_xfrm_free_state() error: we previously assumed 'sa_entry->work' could be null (see line 744)
> > > 
> > > I don't get such warnings from my CI, will try to understand why.
> > > 
> > > What are the command line arguments you use to run smatch?
> > 
> > Hi Leon,
> > 
> > I run Smatch like this:
> > 
> > .../smatch/smatch_scripts/kchecker \
> > 	drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.o
> > 
> > > What is the version of smatch?
> > 
> > I see this with Smatch 1.73.
> > 
> > 
> > In writing this email, I noticed that Smatch seems to flag
> > a problem in net-next. Which seems to be a valid concern.
> > 
> > drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c:753 mlx5e_xfrm_free_state() error: we previously assumed 'sa_entry->work' could be null (see line 744)
> 
> Thanks, I'll take a look when will return to the office.

I tried it now and still don't get this warning.

Thanks

Patch

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index b64281fd4142..e95004ac7a20 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -668,6 +668,13 @@  static int mlx5e_xfrm_add_state(struct xfrm_state *x,
 	if (err)
 		goto err_hw_ctx;
 
+	if (x->props.mode == XFRM_MODE_TUNNEL &&
+	    x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
+	    !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
+		NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");
+		goto err_add_rule;
+	}
+
 	/* We use *_bh() variant because xfrm_timer_handler(), which runs
 	 * in softirq context, can reach our state delete logic and we need
 	 * xa_erase_bh() there.
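Review bot: the `goto err_add_rule` in the new block leaves err at 0, because the `if (err) goto err_hw_ctx;` directly above it guarantees err == 0 when the check runs, so the err_add_rule path returns success to xfrm even though the state was rejected and the extack message was set; assign `err = -EINVAL;` before the goto. A short comment above the check would also help: mlx5e_ipsec_fs_tunnel_enabled() reads the allow_tunnel_mode bits that only rx_create()/tx_create() set, so the check is meaningful only once the flow tables for this SA's direction have been created, which is why it has to sit this late in mlx5e_xfrm_add_state().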
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
index d06c896eadb6..f7f7c09d2b32 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
@@ -251,6 +251,7 @@  void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry);
 int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
 void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
 void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry);
+bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry);
 
 int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
 void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index b1f759c378d9..6a8f1c0f4912 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -4,6 +4,7 @@ 
 #include <linux/netdevice.h>
 #include "en.h"
 #include "en/fs.h"
+#include "eswitch.h"
 #include "ipsec.h"
 #include "fs_core.h"
 #include "lib/ipsec_fs_roce.h"
@@ -37,6 +38,7 @@  struct mlx5e_ipsec_rx {
 	struct mlx5e_ipsec_rule status;
 	struct mlx5e_ipsec_fc *fc;
 	struct mlx5_fs_chains *chains;
+	u8 allow_tunnel_mode : 1;
 };
 
 struct mlx5e_ipsec_tx {
@@ -46,6 +48,7 @@  struct mlx5e_ipsec_tx {
 	struct mlx5_flow_namespace *ns;
 	struct mlx5e_ipsec_fc *fc;
 	struct mlx5_fs_chains *chains;
+	u8 allow_tunnel_mode : 1;
 };
 
 /* IPsec RX flow steering */
@@ -253,7 +256,8 @@  static void rx_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
 	mlx5_del_flow_rules(rx->sa.rule);
 	mlx5_destroy_flow_group(rx->sa.group);
 	mlx5_destroy_flow_table(rx->ft.sa);
-
+	if (rx->allow_tunnel_mode)
+		mlx5_eswitch_unblock_encap(mdev);
 	mlx5_del_flow_rules(rx->status.rule);
 	mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr);
 	mlx5_destroy_flow_table(rx->ft.status);
@@ -304,6 +308,8 @@  static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
 
 	/* Create FT */
 	if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)
+		rx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev);
+	if (rx->allow_tunnel_mode)
 		flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT;
 	ft = ipsec_ft_create(ns, MLX5E_ACCEL_FS_ESP_FT_LEVEL, MLX5E_NIC_PRIO, 2,
 			     flags);
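Review bot: once `rx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev);` has run the encap block is held, but the failure branch of the ipsec_ft_create() call right below is cut off in this hunk; it must jump to err_fs_ft (or a later label) so that the block is released the way the err_fs_ft hunk below does, otherwise a table-creation failure leaves eswitch encap blocked permanently. Also, when mlx5_eswitch_block_encap() returns false the table is silently created without MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT; a mlx5_core_dbg() line at this point would let an administrator correlate the later "Packet offload tunnel mode is disabled due to encap settings" extack message with the encap setting that caused it.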
@@ -361,6 +367,8 @@  static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
 err_fs:
 	mlx5_destroy_flow_table(rx->ft.sa);
 err_fs_ft:
+	if (rx->allow_tunnel_mode)
+		mlx5_eswitch_unblock_encap(mdev);
 	mlx5_del_flow_rules(rx->status.rule);
 	mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr);
 err_add:
@@ -495,7 +503,8 @@  static int ipsec_counter_rule_tx(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_
 }
 
 /* IPsec TX flow steering */
-static void tx_destroy(struct mlx5e_ipsec_tx *tx, struct mlx5_ipsec_fs *roce)
+static void tx_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx,
+		       struct mlx5_ipsec_fs *roce)
 {
 	mlx5_ipsec_fs_roce_tx_destroy(roce);
 	if (tx->chains) {
@@ -507,6 +516,8 @@  static void tx_destroy(struct mlx5e_ipsec_tx *tx, struct mlx5_ipsec_fs *roce)
 	}
 
 	mlx5_destroy_flow_table(tx->ft.sa);
+	if (tx->allow_tunnel_mode)
+		mlx5_eswitch_unblock_encap(mdev);
 	mlx5_del_flow_rules(tx->status.rule);
 	mlx5_destroy_flow_table(tx->ft.status);
 }
@@ -529,6 +540,8 @@  static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx,
 		goto err_status_rule;
 
 	if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)
+		tx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev);
+	if (tx->allow_tunnel_mode)
 		flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT;
 	ft = ipsec_ft_create(tx->ns, 1, 0, 4, flags);
 	if (IS_ERR(ft)) {
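Review bot: same pattern as rx_create(): the IS_ERR(ft) branch cut off here has to go to err_sa_ft, the label that the later tx_create() error-path hunk extends with mlx5_eswitch_unblock_encap(); a jump to err_status_rule would leak the encap block. The two back-to-back `if` statements would also read more clearly, and make the dependency explicit, as one nested block: `if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL) { tx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev); if (tx->allow_tunnel_mode) flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT; }`.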
@@ -580,6 +593,8 @@  static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx,
 err_pol_ft:
 	mlx5_destroy_flow_table(tx->ft.sa);
 err_sa_ft:
+	if (tx->allow_tunnel_mode)
+		mlx5_eswitch_unblock_encap(mdev);
 	mlx5_del_flow_rules(tx->status.rule);
 err_status_rule:
 	mlx5_destroy_flow_table(tx->ft.status);
@@ -608,7 +623,7 @@  static void tx_put(struct mlx5e_ipsec *ipsec, struct mlx5e_ipsec_tx *tx)
 	if (--tx->ft.refcnt)
 		return;
 
-	tx_destroy(tx, ipsec->roce);
+	tx_destroy(ipsec->mdev, tx, ipsec->roce);
 }
 
 static struct mlx5_flow_table *tx_ft_get_policy(struct mlx5_core_dev *mdev,
@@ -1607,3 +1622,15 @@  void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry)
 	mlx5e_accel_ipsec_fs_del_rule(sa_entry);
 	memcpy(sa_entry, &sa_entry_shadow, sizeof(*sa_entry));
 }
+
+bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry)
+{
+	struct mlx5e_ipsec_rx *rx =
+		ipsec_rx(sa_entry->ipsec, sa_entry->attrs.family);
+	struct mlx5e_ipsec_tx *tx = sa_entry->ipsec->tx;
+
+	if (sa_entry->attrs.dir == XFRM_DEV_OFFLOAD_OUT)
+		return tx->allow_tunnel_mode;
+
+	return rx->allow_tunnel_mode;
+}
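Review bot: mlx5e_ipsec_fs_tunnel_enabled() dereferences the rx/tx objects and reads allow_tunnel_mode, a bit that is only written by rx_create()/tx_create(); a caller that runs before the table for this direction and family has been created sees a zeroed bit and rejects every tunnel-mode SA, so that precondition deserves a comment on the function. Minor: `rx` is computed via ipsec_rx() even on the outbound path where only `tx` is used; move the lookup under the `dir != XFRM_DEV_OFFLOAD_OUT` case.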