[net,06/15] net/mlx5e: Tidy up IPsec NAT-T SA discovery

Message ID	20231122014804.27716-7-saeed@kernel.org (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8CD708BE1 for <netdev@vger.kernel.org>; Wed, 22 Nov 2023 01:48:11 +0000 (UTC) From: Saeed Mahameed <saeed@kernel.org> To: "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Eric Dumazet <edumazet@google.com> Cc: Saeed Mahameed <saeedm@nvidia.com>, netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>, Leon Romanovsky <leonro@nvidia.com> Subject: [net 06/15] net/mlx5e: Tidy up IPsec NAT-T SA discovery Date: Tue, 21 Nov 2023 17:47:55 -0800 Message-ID: <20231122014804.27716-7-saeed@kernel.org> In-Reply-To: <20231122014804.27716-1-saeed@kernel.org> References: <20231122014804.27716-1-saeed@kernel.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[net,01/15] net/mlx5e: Honor user choice of IPsec replay window size \| expand [net,01/15] net/mlx5e: Honor user choice of IPsec replay window size [net,02/15] net/mlx5e: Ensure that IPsec sequence packet number starts from 1 [net,03/15] net/mlx5e: Unify esw and normal IPsec status table creation/destruction [net,04/15] net/mlx5e: Remove exposure of IPsec RX flow steering struct [net,05/15] net/mlx5e: Add IPsec and ASO syndromes check in HW [net,06/15] net/mlx5e: Tidy up IPsec NAT-T SA discovery [net,07/15] net/mlx5e: Reduce eswitch mode_lock protection context [net,08/15] net/mlx5e: Check the number of elements before walk TC rhashtable [net,09/15] net/mlx5e: Forbid devlink reload if IPSec rules are offloaded [net,10/15] net/mlx5e: Disable IPsec offload support if not FW steering [net,11/15] net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work [net,12/15] net/mlx5e: TC, Don't offload post action rule if not supported [net,13/15] net/mlx5: Nack sync reset request when HotPlug is enabled [net,14/15] net/mlx5e: Check netdev pointer before checking its net ns [net,15/15] net/mlx5: Fix a NULL vs IS_ERR() check

Message ID

20231122014804.27716-7-saeed@kernel.org (mailing list archive)

State

Superseded

Delegated to:

Netdev Maintainers

Headers

From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Eric Dumazet <edumazet@google.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>,
	netdev@vger.kernel.org,
	Tariq Toukan <tariqt@nvidia.com>,
	Leon Romanovsky <leonro@nvidia.com>
Subject: [net 06/15] net/mlx5e: Tidy up IPsec NAT-T SA discovery
Date: Tue, 21 Nov 2023 17:47:55 -0800
Message-ID: <20231122014804.27716-7-saeed@kernel.org>
In-Reply-To: <20231122014804.27716-1-saeed@kernel.org>
References: <20231122014804.27716-1-saeed@kernel.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[net,01/15] net/mlx5e: Honor user choice of IPsec replay window size | expand

Context	Check	Description
netdev/series_format	success	Pull request is its own cover letter
netdev/codegen	success	Generated files up to date
netdev/tree_selection	success	Clearly marked for net
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 1118 this patch: 1118
netdev/cc_maintainers	warning	1 maintainers not CCed: steffen.klassert@secunet.com
netdev/build_clang	success	Errors and warnings before: 1142 this patch: 1142
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 1145 this patch: 1145
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 52 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/series_format

success

Pull request is its own cover letter

netdev/codegen

success

Generated files up to date

netdev/tree_selection

success

Clearly marked for net

netdev/fixes_present

success

Fixes tag present in non-next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 1118 this patch: 1118

netdev/cc_maintainers

warning

1 maintainers not CCed: steffen.klassert@secunet.com

netdev/build_clang

success

Errors and warnings before: 1142 this patch: 1142

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 1145 this patch: 1145

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 52 lines checked

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

Commit Message

Saeed Mahameed Nov. 22, 2023, 1:47 a.m. UTC

From: Leon Romanovsky <leonro@nvidia.com>

IPsec NAT-T packets are UDP encapsulated packets over ESP normal ones.
In case they arrive to RX, the SPI and ESP are located in inner header,
while the check was performed on outer header instead.

That wrong check caused to the situation where received rekeying request
was missed and caused to rekey timeout, which "compensated" this failure
by completing rekeying.

Fixes: d65954934937 ("net/mlx5e: Support IPsec NAT-T functionality")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
 .../mellanox/mlx5/core/en_accel/ipsec_fs.c    | 22 ++++++++++++++-----
 include/linux/mlx5/mlx5_ifc.h                 |  2 +-
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index aeb399d8dae5..7a789061c998 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -1212,13 +1212,22 @@  static void setup_fte_esp(struct mlx5_flow_spec *spec)
 	MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_protocol, IPPROTO_ESP);
 }
 
-static void setup_fte_spi(struct mlx5_flow_spec *spec, u32 spi)
+static void setup_fte_spi(struct mlx5_flow_spec *spec, u32 spi, bool encap)
 {
 	/* SPI number */
 	spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS;
 
-	MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters.outer_esp_spi);
-	MLX5_SET(fte_match_param, spec->match_value, misc_parameters.outer_esp_spi, spi);
+	if (encap) {
+		MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
+				 misc_parameters.inner_esp_spi);
+		MLX5_SET(fte_match_param, spec->match_value,
+			 misc_parameters.inner_esp_spi, spi);
+	} else {
+		MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
+				 misc_parameters.outer_esp_spi);
+		MLX5_SET(fte_match_param, spec->match_value,
+			 misc_parameters.outer_esp_spi, spi);
+	}
 }
 
 static void setup_fte_no_frags(struct mlx5_flow_spec *spec)
@@ -1596,8 +1605,9 @@  static int rx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
 	else
 		setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6);
 
-	setup_fte_spi(spec, attrs->spi);
-	setup_fte_esp(spec);
+	setup_fte_spi(spec, attrs->spi, attrs->encap);
+	if (!attrs->encap)
+		setup_fte_esp(spec);
 	setup_fte_no_frags(spec);
 	setup_fte_upper_proto_match(spec, &attrs->upspec);
 
@@ -1719,7 +1729,7 @@  static int tx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
 
 	switch (attrs->type) {
 	case XFRM_DEV_OFFLOAD_CRYPTO:
-		setup_fte_spi(spec, attrs->spi);
+		setup_fte_spi(spec, attrs->spi, false);
 		setup_fte_esp(spec);
 		setup_fte_reg_a(spec);
 		break;
diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
index 90ca63f4bf63..3f7b664d625b 100644
--- a/include/linux/mlx5/mlx5_ifc.h
+++ b/include/linux/mlx5/mlx5_ifc.h
@@ -621,7 +621,7 @@  struct mlx5_ifc_fte_match_set_misc_bits {
 
 	u8         reserved_at_140[0x8];
 	u8         bth_dst_qp[0x18];
-	u8	   reserved_at_160[0x20];
+	u8	   inner_esp_spi[0x20];
 	u8	   outer_esp_spi[0x20];
 	u8         reserved_at_1a0[0x60];
 };

[net,06/15] net/mlx5e: Tidy up IPsec NAT-T SA discovery

Checks

Commit Message

Patch