[net,7/8] net/mlx5e: Rely on reqid in IPsec tunnel mode

Message ID	20250113154055.1927008-8-tariqt@nvidia.com (mailing list archive)
State	New
Delegated to:	Netdev Maintainers
Headers	show Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2064.outbound.protection.outlook.com [40.107.92.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC62A1C5D6A for <netdev@vger.kernel.org>; Mon, 13 Jan 2025 15:42:23 +0000 (UTC) Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C From: Tariq Toukan <tariqt@nvidia.com> To: "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Eric Dumazet <edumazet@google.com>, "Andrew Lunn" <andrew+netdev@lunn.ch> CC: <netdev@vger.kernel.org>, Saeed Mahameed <saeedm@nvidia.com>, Gal Pressman <gal@nvidia.com>, Leon Romanovsky <leonro@nvidia.com>, Mark Bloch <mbloch@nvidia.com>, Moshe Shemesh <moshe@nvidia.com>, Tariq Toukan <tariqt@nvidia.com> Subject: [PATCH net 7/8] net/mlx5e: Rely on reqid in IPsec tunnel mode Date: Mon, 13 Jan 2025 17:40:53 +0200 Message-ID: <20250113154055.1927008-8-tariqt@nvidia.com> In-Reply-To: <20250113154055.1927008-1-tariqt@nvidia.com> References: <20250113154055.1927008-1-tariqt@nvidia.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	mlx5 misc fixes 2025-01-13 \| expand [net,0/8] mlx5 misc fixes 2025-01-13 [net,1/8] net/mlx5: Fix RDMA TX steering prio [net,2/8] net/mlx5: Fix a lockdep warning as part of the write combining test [net,3/8] net/mlx5: SF, Fix add port error handling [net,4/8] net/mlx5: Clear port select structure when fail to create [net,5/8] net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel [net,6/8] net/mlx5e: Properly match IPsec subnet addresses [net,7/8] net/mlx5e: Rely on reqid in IPsec tunnel mode [net,8/8] net/mlx5e: Always start IPsec sequence number from 1

Message ID

20250113154055.1927008-8-tariqt@nvidia.com (mailing list archive)

State

New

Delegated to:

Netdev Maintainers

Headers

Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates
 216.228.117.160 as permitted sender) receiver=protection.outlook.com;
 client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C
From: Tariq Toukan <tariqt@nvidia.com>
To: "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>, Eric Dumazet <edumazet@google.com>, "Andrew
 Lunn" <andrew+netdev@lunn.ch>
CC: <netdev@vger.kernel.org>, Saeed Mahameed <saeedm@nvidia.com>, Gal Pressman
	<gal@nvidia.com>, Leon Romanovsky <leonro@nvidia.com>, Mark Bloch
	<mbloch@nvidia.com>, Moshe Shemesh <moshe@nvidia.com>, Tariq Toukan
	<tariqt@nvidia.com>
Subject: [PATCH net 7/8] net/mlx5e: Rely on reqid in IPsec tunnel mode
Date: Mon, 13 Jan 2025 17:40:53 +0200
Message-ID: <20250113154055.1927008-8-tariqt@nvidia.com>
In-Reply-To: <20250113154055.1927008-1-tariqt@nvidia.com>
References: <20250113154055.1927008-1-tariqt@nvidia.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Jan 2025 15:42:20.2481
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 f91774f3-ea7e-4873-49f9-08dd33e8dddb
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	SA2PEPF00003F67.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR12MB7913
X-Patchwork-Delegate: kuba@kernel.org

Series

mlx5 misc fixes 2025-01-13 | expand

Context	Check	Description
netdev/series_format	success	Posting correctly formatted
netdev/tree_selection	success	Clearly marked for net
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 1 this patch: 1
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	fail	1 blamed authors not CCed: raeds@nvidia.com; 3 maintainers not CCed: borisp@nvidia.com linux-rdma@vger.kernel.org raeds@nvidia.com
netdev/build_clang	success	Errors and warnings before: 2 this patch: 2
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 3 this patch: 3
netdev/checkpatch	warning	WARNING: line length of 82 exceeds 80 columns
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/series_format

success

Posting correctly formatted

netdev/tree_selection

success

Clearly marked for net

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag present in non-next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 1 this patch: 1

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

fail

1 blamed authors not CCed: raeds@nvidia.com; 3 maintainers not CCed: borisp@nvidia.com linux-rdma@vger.kernel.org raeds@nvidia.com

netdev/build_clang

success

Errors and warnings before: 2 this patch: 2

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 3 this patch: 3

netdev/checkpatch

warning

WARNING: line length of 82 exceeds 80 columns

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

Commit Message

Tariq Toukan Jan. 13, 2025, 3:40 p.m. UTC

From: Leon Romanovsky <leonro@nvidia.com>

All packet offloads SAs have reqid in it to make sure they have
corresponding policy. While it is not strictly needed for transparent
mode, it is extremely important in tunnel mode. In that mode, policy and
SAs have different match criteria.

Policy catches the whole subnet addresses, and SA catches the tunnel gateways
addresses. The source address of such tunnel is not known during egress packet
traversal in flow steering as it is added only after successful encryption.

As reqid is required for packet offload and it is unique for every SA,
we can safely rely on it only.

The output below shows the configured egress policy and SA by strongswan:

[leonro@vm ~]$ sudo ip x s
src 192.169.101.2 dst 192.169.101.1
        proto esp spi 0xc88b7652 reqid 1 mode tunnel
        replay-window 0 flag af-unspec esn
        aead rfc4106(gcm(aes)) 0xe406a01083986e14d116488549094710e9c57bc6 128
        anti-replay esn context:
         seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
         replay_window 1, bitmap-length 1
         00000000
        crypto offload parameters: dev eth2 dir out mode packet

[leonro@064 ~]$ sudo ip x p
src 192.170.0.0/16 dst 192.170.0.0/16
        dir out priority 383615 ptype main
        tmpl src 192.169.101.2 dst 192.169.101.1
                proto esp spi 0xc88b7652 reqid 1 mode tunnel
        crypto offload parameters: dev eth2 mode packet

Fixes: b3beba1fb404 ("net/mlx5e: Allow policies with reqid 0, to support IKE policy holes")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
---
 .../ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c  | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

Comments

Jacob Keller Jan. 13, 2025, 7:08 p.m. UTC | #1

On 1/13/2025 7:40 AM, Tariq Toukan wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
> 
> All packet offloads SAs have reqid in it to make sure they have
> corresponding policy. While it is not strictly needed for transparent
> mode, it is extremely important in tunnel mode. In that mode, policy and
> SAs have different match criteria.
> 
> Policy catches the whole subnet addresses, and SA catches the tunnel gateways
> addresses. The source address of such tunnel is not known during egress packet
> traversal in flow steering as it is added only after successful encryption.
> 
> As reqid is required for packet offload and it is unique for every SA,
> we can safely rely on it only.
> 
> The output below shows the configured egress policy and SA by strongswan:
> 
> [leonro@vm ~]$ sudo ip x s
> src 192.169.101.2 dst 192.169.101.1
>         proto esp spi 0xc88b7652 reqid 1 mode tunnel
>         replay-window 0 flag af-unspec esn
>         aead rfc4106(gcm(aes)) 0xe406a01083986e14d116488549094710e9c57bc6 128
>         anti-replay esn context:
>          seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
>          replay_window 1, bitmap-length 1
>          00000000
>         crypto offload parameters: dev eth2 dir out mode packet
> 
> [leonro@064 ~]$ sudo ip x p
> src 192.170.0.0/16 dst 192.170.0.0/16
>         dir out priority 383615 ptype main
>         tmpl src 192.169.101.2 dst 192.169.101.1
>                 proto esp spi 0xc88b7652 reqid 1 mode tunnel
>         crypto offload parameters: dev eth2 mode packet
> 
> Fixes: b3beba1fb404 ("net/mlx5e: Allow policies with reqid 0, to support IKE policy holes")
> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
> ---

Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index 47df02ef5d69..772b329aecc5 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -1743,23 +1743,21 @@  static int tx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
 		goto err_alloc;
 	}
 
-	if (attrs->family == AF_INET)
-		setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4);
-	else
-		setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6);
-
 	setup_fte_no_frags(spec);
 	setup_fte_upper_proto_match(spec, &attrs->upspec);
 
 	switch (attrs->type) {
 	case XFRM_DEV_OFFLOAD_CRYPTO:
+		if (attrs->family == AF_INET)
+			setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4);
+		else
+			setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6);
 		setup_fte_spi(spec, attrs->spi, false);
 		setup_fte_esp(spec);
 		setup_fte_reg_a(spec);
 		break;
 	case XFRM_DEV_OFFLOAD_PACKET:
-		if (attrs->reqid)
-			setup_fte_reg_c4(spec, attrs->reqid);
+		setup_fte_reg_c4(spec, attrs->reqid);
 		err = setup_pkt_reformat(ipsec, attrs, &flow_act);
 		if (err)
 			goto err_pkt_reformat;

[net,7/8] net/mlx5e: Rely on reqid in IPsec tunnel mode

Checks

Commit Message

Comments

Patch