From patchwork Mon Sep 9 10:03:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffen Klassert X-Patchwork-Id: 13796585 X-Patchwork-Delegate: kuba@kernel.org Received: from a.mx.secunet.com (a.mx.secunet.com [62.96.220.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2A5821B3F3E for ; Mon, 9 Sep 2024 10:03:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=62.96.220.36 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725876222; cv=none; b=BxUSKZR5dzRUv4yTVyNtFXR/07Ki7ssfhDAEFDceGXOkk5zi/SNNdm9j+eMKxF0F4G3ONecARHKgTOQqkwyn/aUQeqIdGOCxVxWCghKDNQebmUmHfKZjyrTkd1ub6jEa7gdWdweBiiCMAYkvKxDjgw73DjoZ7F0L0ToPyfF4X9w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725876222; c=relaxed/simple; bh=2SuLeyuFJWDHA7U8do1vJwuS3h5Z2OFpGils9N3eHWc=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=o+GqjX1a4s2ud1jmJGriomH7YNRhd7SrUrtySqsVu+J7dNWwMtOAZ+VpCVG+VDL4GRicrlqZ6/X3muGpvX4yibrCaUwof0Hqq96VeNZ1Kqagk3B4Vi2tpf7vfxmSmUyn08SuqOEYH1JuqXBIw26BbYiQXWU9k5JEF9c9K5k+a+A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=secunet.com; spf=pass smtp.mailfrom=secunet.com; dkim=pass (2048-bit key) header.d=secunet.com header.i=@secunet.com header.b=MwHcqWlo; arc=none smtp.client-ip=62.96.220.36 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=secunet.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=secunet.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=secunet.com header.i=@secunet.com header.b="MwHcqWlo" Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id A7B272082B; Mon, 9 Sep 2024 12:03:38 +0200 (CEST) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SngCw0_nIkzi; Mon, 9 Sep 2024 12:03:38 +0200 (CEST) Received: from cas-essen-02.secunet.de (rl2.secunet.de [10.53.40.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id 207BA2085A; Mon, 9 Sep 2024 12:03:38 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 a.mx.secunet.com 207BA2085A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secunet.com; s=202301; t=1725876218; bh=8csKfYlaZqHzHjNFu6MP3D+sydLQSCMkZgGnTdb3vrU=; h=From:To:CC:Subject:Date:In-Reply-To:References:From; b=MwHcqWlo6TiB03/PY6teSBud+IpSBoFiAHbHsRLWOTTSK4xMaOSzs/+zMKoAU3rNm 5g1DpApCw72T6Bi9rDxLhLJNljlvbwuJIfj2wEJav5UPLPfVelvVJJLU9VODFuiwqn BGfSM4xjyJFKeoQo4NovC8/jXcGwuKZjNxhvgfRTDS7iD0SOIfOHQew/ql2D1FA7aU 3HpRXfcIy473UHK2zn7BIGb8HY58IbgDGu0FnJhSpXMj+RQUGAY49S38nKJtt/PsqR FDyTSuLqhw/A9nRvgbwDri5LTXrG4K78AEI2xLLrl7ykVZhOx7WP0I6kiAiEGpAlmN iQ0/yJoydu0hA== Received: from mbx-essen-02.secunet.de (10.53.40.198) by cas-essen-02.secunet.de (10.53.40.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39; Mon, 9 Sep 2024 12:03:37 +0200 Received: from gauss2.secunet.de (10.182.7.193) by mbx-essen-02.secunet.de (10.53.40.198) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39; Mon, 9 Sep 2024 12:03:37 +0200 Received: by gauss2.secunet.de (Postfix, from userid 1000) id 4BACA3184092; Mon, 9 Sep 2024 12:03:34 +0200 (CEST) From: Steffen Klassert To: David Miller , Jakub Kicinski CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 08/11] xfrm: add SA information to the offloaded packet Date: Mon, 9 Sep 2024 12:03:25 +0200 Message-ID: <20240909100328.1838963-9-steffen.klassert@secunet.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240909100328.1838963-1-steffen.klassert@secunet.com> References: <20240909100328.1838963-1-steffen.klassert@secunet.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: cas-essen-02.secunet.de (10.53.40.202) To mbx-essen-02.secunet.de (10.53.40.198) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-Patchwork-Delegate: kuba@kernel.org From: wangfe In packet offload mode, append Security Association (SA) information to each packet, replicating the crypto offload implementation. The XFRM_XMIT flag is set to enable packet to be returned immediately from the validate_xmit_xfrm function, thus aligning with the existing code path for packet offload mode. This SA info helps HW offload match packets to their correct security policies. The XFRM interface ID is included, which is crucial in setups with multiple XFRM interfaces where source/destination addresses alone can't pinpoint the right policy. Signed-off-by: wangfe Signed-off-by: Steffen Klassert --- net/xfrm/xfrm_output.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index e5722c95b8bb..a12588e7b060 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -706,6 +706,8 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) struct xfrm_state *x = skb_dst(skb)->xfrm; int family; int err; + struct xfrm_offload *xo; + struct sec_path *sp; family = (x->xso.type != XFRM_DEV_OFFLOAD_PACKET) ? x->outer_mode.family : skb_dst(skb)->ops->family; @@ -728,6 +730,25 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) kfree_skb(skb); return -EHOSTUNREACH; } + sp = secpath_set(skb); + if (!sp) { + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); + kfree_skb(skb); + return -ENOMEM; + } + + sp->olen++; + sp->xvec[sp->len++] = x; + xfrm_state_hold(x); + + xo = xfrm_offload(skb); + if (!xo) { + secpath_reset(skb); + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); + kfree_skb(skb); + return -EINVAL; + } + xo->flags |= XFRM_XMIT; return xfrm_output_resume(sk, skb, 0); }