
[net,6/8] net/mlx5e: Properly match IPsec subnet addresses

Message ID 20250113154055.1927008-7-tariqt@nvidia.com (mailing list archive)
State New
Delegated to: Netdev Maintainers
Series mlx5 misc fixes 2025-01-13 | expand

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1 this patch: 1
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 2 blamed authors not CCed: steffen.klassert@secunet.com raeds@nvidia.com; 6 maintainers not CCed: steffen.klassert@secunet.com horms@kernel.org raeds@nvidia.com rrameshbabu@nvidia.com borisp@nvidia.com linux-rdma@vger.kernel.org
netdev/build_clang success Errors and warnings before: 2 this patch: 2
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn fail Errors and warnings before: 1 this patch: 3
netdev/checkpatch warning WARNING: line length of 97 exceeds 80 columns
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Tariq Toukan Jan. 13, 2025, 3:40 p.m. UTC
From: Leon Romanovsky <leonro@nvidia.com>

The existing match criteria did not allow matching a whole subnet,
only specific addresses. As a result, tunnel mode did not
forward such traffic through the relevant SA.

In tunnel mode, policies look like this:
src 192.169.0.0/16 dst 192.169.0.0/16
        dir out priority 383615 ptype main
        tmpl src 192.169.101.2 dst 192.169.101.1
                proto esp spi 0xc5141c18 reqid 1 mode tunnel
        crypto offload parameters: dev eth2 mode packet

Fixes: a5b8ca9471d3 ("net/mlx5e: Add XFRM policy offload logic")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
---
 .../mellanox/mlx5/core/en_accel/ipsec_fs.c    | 41 +++++++++++++++----
 1 file changed, 33 insertions(+), 8 deletions(-)

Comments

Jacob Keller Jan. 13, 2025, 7:07 p.m. UTC | #1
On 1/13/2025 7:40 AM, Tariq Toukan wrote:
> +static void addr4_to_mask(__be32 *addr, __be32 *mask)
> +{
> +	int i;
> +
> +	*mask = 0;
> +	for (i = 0; i < 4; i++)
> +		*mask |= ((*addr >> 8 * i) & 0xFF) ? (0xFF << 8 * i) : 0;
> +}
> +

I'm surprised this isn't already a common helper function.
Leon Romanovsky Jan. 13, 2025, 7:23 p.m. UTC | #2
On Mon, Jan 13, 2025 at 11:07:03AM -0800, Jacob Keller wrote:
> 
> 
> On 1/13/2025 7:40 AM, Tariq Toukan wrote:
> > +static void addr4_to_mask(__be32 *addr, __be32 *mask)
> > +{
> > +	int i;
> > +
> > +	*mask = 0;
> > +	for (i = 0; i < 4; i++)
> > +		*mask |= ((*addr >> 8 * i) & 0xFF) ? (0xFF << 8 * i) : 0;
> > +}
> > +
> 
> I'm surprised this isn't already a common helper function.

I failed to find.

Thanks
Jacob Keller Jan. 13, 2025, 7:48 p.m. UTC | #3
On 1/13/2025 11:23 AM, Leon Romanovsky wrote:
> On Mon, Jan 13, 2025 at 11:07:03AM -0800, Jacob Keller wrote:
>>
>>
>> On 1/13/2025 7:40 AM, Tariq Toukan wrote:
>>> +static void addr4_to_mask(__be32 *addr, __be32 *mask)
>>> +{
>>> +	int i;
>>> +
>>> +	*mask = 0;
>>> +	for (i = 0; i < 4; i++)
>>> +		*mask |= ((*addr >> 8 * i) & 0xFF) ? (0xFF << 8 * i) : 0;
>>> +}
>>> +
>>
>> I'm surprised this isn't already a common helper function.
> 
> I failed to find.
> 
> Thanks

To clarify, I didn't find one either, and I don't think it's a blocker on
this fix. I'm just surprised that there hasn't been another user with
the same need before.

Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>

Patch

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index e51b03d4c717..47df02ef5d69 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -1150,9 +1150,20 @@  static void tx_ft_put_policy(struct mlx5e_ipsec *ipsec, u32 prio, int type)
 	mutex_unlock(&tx->ft.mutex);
 }
 
+static void addr4_to_mask(__be32 *addr, __be32 *mask)
+{
+	int i;
+
+	*mask = 0;
+	for (i = 0; i < 4; i++)
+		*mask |= ((*addr >> 8 * i) & 0xFF) ? (0xFF << 8 * i) : 0;
+}
+
 static void setup_fte_addr4(struct mlx5_flow_spec *spec, __be32 *saddr,
 			    __be32 *daddr)
 {
+	__be32 mask;
+
 	if (!*saddr && !*daddr)
 		return;
 
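Review bot: addr4_to_mask() derives the match mask from which bytes of the address happen to be non-zero, not from the selector's prefix length, so the resulting hardware match can be wider or narrower than the policy it offloads. As a constructed example, a host selector 10.0.0.5/32 would get mask 255.0.0.255 and match every 10.x.y.5, and a prefix that does not end on a byte boundary cannot be expressed at all. The mask would be better built from the prefix length, e.g. `*mask = inet_make_mask(prefixlen);`, where `prefixlen` is a placeholder for a value the caller would have to pass in; the callers and the rest of setup_fte_addr4() are outside this hunk, so this needs confirming against them. The same helper feeds the IPv6 path through addr6_to_mask() in the `@@ -1164,21 +1175,33 @@` and `@@ -1190,15 +1213,17 @@` hunks, where zero bytes inside an address are far more common. Separately, `0xFF << 8 * i` shifts a signed int into the sign bit when `i` is 3; `0xFFU` avoids that.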
@@ -1164,21 +1175,33 @@  static void setup_fte_addr4(struct mlx5_flow_spec *spec, __be32 *saddr,
 	if (*saddr) {
 		memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value,
 				    outer_headers.src_ipv4_src_ipv6.ipv4_layout.ipv4), saddr, 4);
-		MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
-				 outer_headers.src_ipv4_src_ipv6.ipv4_layout.ipv4);
+		addr4_to_mask(saddr, &mask);
+		memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_criteria,
+				    outer_headers.src_ipv4_src_ipv6.ipv4_layout.ipv4), &mask, 4);
 	}
 
 	if (*daddr) {
 		memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value,
 				    outer_headers.dst_ipv4_dst_ipv6.ipv4_layout.ipv4), daddr, 4);
-		MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
-				 outer_headers.dst_ipv4_dst_ipv6.ipv4_layout.ipv4);
+		addr4_to_mask(daddr, &mask);
+		memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_criteria,
+				    outer_headers.dst_ipv4_dst_ipv6.ipv4_layout.ipv4), &mask, 4);
 	}
 }
 
+static void addr6_to_mask(__be32 *addr, __be32 *mask)
+{
+	int i;
+
+	for (i = 0; i < 4; i++)
+		addr4_to_mask(&addr[i], &mask[i]);
+}
+
 static void setup_fte_addr6(struct mlx5_flow_spec *spec, __be32 *saddr,
 			    __be32 *daddr)
 {
+	__be32 mask[4];
+
 	if (addr6_all_zero(saddr) && addr6_all_zero(daddr))
 		return;
 
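Review bot: addr6_to_mask() has no comment, and its name does not say that the mask is computed byte by byte within each of the four 32-bit words rather than from a prefix length. A short comment above it would make that explicit, for example `/* Build a per-byte mask: each non-zero address byte is matched exactly, each zero byte is wildcarded. */`. setup_fte_addr6() starts in this hunk and continues outside it.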
@@ -1190,15 +1213,17 @@  static void setup_fte_addr6(struct mlx5_flow_spec *spec, __be32 *saddr,
 	if (!addr6_all_zero(saddr)) {
 		memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value,
 				    outer_headers.src_ipv4_src_ipv6.ipv6_layout.ipv6), saddr, 16);
-		memset(MLX5_ADDR_OF(fte_match_param, spec->match_criteria,
-				    outer_headers.src_ipv4_src_ipv6.ipv6_layout.ipv6), 0xff, 16);
+		addr6_to_mask(saddr, mask);
+		memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_criteria,
+				    outer_headers.src_ipv4_src_ipv6.ipv6_layout.ipv6), mask, 16);
 	}
 
 	if (!addr6_all_zero(daddr)) {
 		memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value,
 				    outer_headers.dst_ipv4_dst_ipv6.ipv6_layout.ipv6), daddr, 16);
-		memset(MLX5_ADDR_OF(fte_match_param, spec->match_criteria,
-				    outer_headers.dst_ipv4_dst_ipv6.ipv6_layout.ipv6), 0xff, 16);
+		addr6_to_mask(daddr, mask);
+		memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_criteria,
+				    outer_headers.dst_ipv4_dst_ipv6.ipv6_layout.ipv6), mask, 16);
 	}
 }