From patchwork Tue Aug 8 19:14:54 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leon Romanovsky X-Patchwork-Id: 13346883 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A8A94168D5 for ; Tue, 8 Aug 2023 19:15:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BA5A7C433CC; Tue, 8 Aug 2023 19:15:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1691522111; bh=mRxON/kFZ9txpUhRHlyNSpZL+APDX5ByQ218x37KZMI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=D6SHOh+H69UY/sVQ/poCu9rpvKBr0zSGjNJA+sxaslhtc1eNhCK6iMSgyeMFi7+Gd gVRyJc+cNPK+GxnsTvX7dXSt3EuA618xAM5f9VTli2HR2fsOmCLLBFfhKS2mSXQ4RL uBu/a0W1Yxik6hFeM13IkkGBv7jlBFJJubFRl4f/QrPuOYcEqlCVieTByB+thLe3/A qd448/F/NBG5n+XRxAW+og6S9QTM3B+gXCSb7mPoOJRX2oPw1kYS41EPKb5JpCa+Bq nszz0se7RMwC4zcC6EPu8K8RJ35RqNPkHWzOtDMamy8IKdS4AgDtucsAc0sZ4RXY/S 3rsDOyx3RCQOQ== From: Leon Romanovsky To: Jakub Kicinski , Steffen Klassert Cc: Emeel Hakim , "David S . Miller" , Eric Dumazet , netdev@vger.kernel.org, Paolo Abeni , Raed Salem , Saeed Mahameed , Simon Horman Subject: [PATCH net-next 1/2] net/mlx5e: Support IPsec upper protocol selector field offload for RX Date: Tue, 8 Aug 2023 22:14:54 +0300 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Emeel Hakim Support RX policy/state upper protocol selector field offload, to enable selecting RX traffic for IPsec operation based on l4 protocol UDP with specific source/destination port. Signed-off-by: Emeel Hakim Reviewed-by: Raed Salem Signed-off-by: Leon Romanovsky --- .../net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 10 ++++------ .../ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 ++ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c index 40350227b3c3..9ee169b72d9d 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c @@ -442,9 +442,8 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev, return -EINVAL; } - if (x->sel.proto != IPPROTO_IP && - (x->sel.proto != IPPROTO_UDP || x->xso.dir != XFRM_DEV_OFFLOAD_OUT)) { - NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP, and only Tx direction"); + if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP) { + NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP"); return -EINVAL; } @@ -1000,9 +999,8 @@ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev, return -EINVAL; } - if (sel->proto != IPPROTO_IP && - (sel->proto != IPPROTO_UDP || x->xdo.dir != XFRM_DEV_OFFLOAD_OUT)) { - NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP, and only Tx direction"); + if (x->selector.proto != IPPROTO_IP && x->selector.proto != IPPROTO_UDP) { + NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP"); return -EINVAL; } diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c index 3781c72d97f1..f5e29b7f5ba0 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c @@ -1243,6 +1243,7 @@ static int rx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry) setup_fte_spi(spec, attrs->spi); setup_fte_esp(spec); setup_fte_no_frags(spec); + setup_fte_upper_proto_match(spec, &attrs->upspec); if (rx != ipsec->rx_esw) err = setup_modify_header(ipsec, attrs->type, @@ -1519,6 +1520,7 @@ static int rx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry) setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6); setup_fte_no_frags(spec); + setup_fte_upper_proto_match(spec, &attrs->upspec); switch (attrs->action) { case XFRM_POLICY_ALLOW: From patchwork Tue Aug 8 19:14:55 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leon Romanovsky X-Patchwork-Id: 13346882 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DAFD415ADC for ; Tue, 8 Aug 2023 19:15:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 22B37C433C9; Tue, 8 Aug 2023 19:15:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1691522106; bh=NZkx3SGVX7iWh61ENgbXJPh73u4CMTJKAyjKIKzyz94=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iux94AOJvGEq3hFpcC/nyAGO2SkQg+9L1efxlLe975AloIXrmKb/H+e3MTV2dQmZ0 NtRIbaYUsZsvB+Tym2BCrRc60VM21rf57GQec+Bq/oUTE316zqkmRKm1GUMY0e/EJe sdAkOc8nWflWVeD5Gz09eWyt4EoKW+Pdc0KndvbdqBBvrL/P4gm49/7FdSwrmfE9qv ohprZcZUc1fzinnlF4uSz53UFfptOGR/+QJygQmoPsyzbaD9MkNJhnY4DJ/S3Y5cDD zXMIRqtBWsWkoSXg7xIp3SxV8GMID/hLdQhNExkflVBGD45coT+G2EwI5kZ0F1xyr4 iGG4Cq2h2Y/uQ== From: Leon Romanovsky To: Jakub Kicinski , Steffen Klassert Cc: Leon Romanovsky , Emeel Hakim , "David S . Miller" , Eric Dumazet , netdev@vger.kernel.org, Paolo Abeni , Raed Salem , Saeed Mahameed , Simon Horman Subject: [PATCH net-next 2/2] net/mlx5e: Support IPsec upper TCP protocol selector Date: Tue, 8 Aug 2023 22:14:55 +0300 Message-ID: <189e078717ad628fcb37ab8a2d09be4faf777811.1691521680.git.leonro@nvidia.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Leon Romanovsky Support TCP as protocol selector for policy and state in IPsec packet offload mode. Example of state configuration is as follows: ip xfrm state add src 192.168.25.3 dst 192.168.25.1 \ proto esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' \ 0x54a7588d36873b031e4bd46301be5a86b3a53879 128 mode transport \ offload packet dev re0 dir in sel src 192.168.25.3 dst 192.168.25.1 \ proto tcp dport 9003 Acked-by: Raed Salem Signed-off-by: Leon Romanovsky --- .../mellanox/mlx5/core/en_accel/ipsec.c | 11 +++-- .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 43 +++++++++++++------ 2 files changed, 38 insertions(+), 16 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c index 9ee169b72d9d..6f21694c7b13 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c @@ -442,8 +442,9 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev, return -EINVAL; } - if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP) { - NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP"); + if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP && + x->sel.proto != IPPROTO_TCP) { + NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP"); return -EINVAL; } @@ -999,8 +1000,10 @@ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev, return -EINVAL; } - if (x->selector.proto != IPPROTO_IP && x->selector.proto != IPPROTO_UDP) { - NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP"); + if (x->selector.proto != IPPROTO_IP && + x->selector.proto != IPPROTO_UDP && + x->selector.proto != IPPROTO_TCP) { + NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP"); return -EINVAL; } diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c index f5e29b7f5ba0..a1cfddd05bc4 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c @@ -936,23 +936,42 @@ static void setup_fte_reg_c4(struct mlx5_flow_spec *spec, u32 reqid) static void setup_fte_upper_proto_match(struct mlx5_flow_spec *spec, struct upspec *upspec) { - if (upspec->proto != IPPROTO_UDP) + switch (upspec->proto) { + case IPPROTO_UDP: + if (upspec->dport) { + MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, + udp_dport, upspec->dport_mask); + MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, + udp_dport, upspec->dport); + } + if (upspec->sport) { + MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, + udp_sport, upspec->sport_mask); + MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, + udp_sport, upspec->sport); + } + break; + case IPPROTO_TCP: + if (upspec->dport) { + MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, + tcp_dport, upspec->dport_mask); + MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, + tcp_dport, upspec->dport); + } + if (upspec->sport) { + MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, + tcp_sport, upspec->sport_mask); + MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, + tcp_sport, upspec->sport); + } + break; + default: return; + } spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS; MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, ip_protocol); MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, ip_protocol, upspec->proto); - if (upspec->dport) { - MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_dport, - upspec->dport_mask); - MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_dport, upspec->dport); - } - - if (upspec->sport) { - MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_sport, - upspec->sport_mask); - MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_sport, upspec->sport); - } } static enum mlx5_flow_namespace_type ipsec_fs_get_ns(struct mlx5e_ipsec *ipsec,