From patchwork Tue Jul 2 08:44:48 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13719111
X-Patchwork-Delegate: kuba@kernel.org
Date: Tue, 2 Jul 2024 16:44:48 +0800
In-Reply-To: <20240702084452.2259237-1-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
Message-ID: <20240702084452.2259237-2-yumike@google.com>
Subject: [PATCH ipsec 1/4] xfrm: Support crypto offload for inbound IPv6 ESP packets not in GRO path
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com, yumike@google.com

IPsec crypto offload supports outbound IPv6 ESP packets, but it doesn't support inbound IPv6 ESP packets.

This change enables the crypto offload for inbound IPv6 ESP packets that are not handled through the GRO code path. If HW drivers add the offload information to the skb, the packet will be handled in the crypto offload rx code path.

Apart from the change in the crypto offload rx code path, the change in xfrm_policy_check is also needed.

Example of RX data path:

  +-----------+   +-------+
  | HW Driver |-->| wlan0 |--------+
  +-----------+   +-------+        |
                                   v
                             +---------------+   +------+
                     +------>| Network Stack |-->| Apps |
                     |       +---------------+   +------+
                     |             |
                     |             v
                 +--------+   +------------+
                 | ipsec1 |<--| XFRM Stack |
                 +--------+   +------------+

Test: Enabled both in/out IPsec crypto offload, and verified IPv6 ESP packets on Android device on both wifi/cellular network
Signed-off-by: Mike Yu
---
 net/xfrm/xfrm_input.c  | 2 +-
 net/xfrm/xfrm_policy.c | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index d2ea18dcb0cb..ba8deb0235ba 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c
@@ -471,7 +471,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) struct xfrm_offload *xo = xfrm_offload(skb); struct sec_path *sp; - if (encap_type < 0 || (xo && xo->flags & XFRM_GRO)) { + if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0))) { x = xfrm_input_state(skb); if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) { diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6603d3bd171f..2a9a31f2a9c1 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c 
@@ -3718,12 +3718,15 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, pol = xfrm_in_fwd_icmp(skb, &fl, family, if_id); if (!pol) { + const bool is_crypto_offload = sp && + (xfrm_input_state(skb)->xso.type == XFRM_DEV_OFFLOAD_CRYPTO); + if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); return 0; } - if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) { + if (sp && secpath_has_nontransport(sp, 0, &xerr_idx) && !is_crypto_offload) { xfrm_secpath_reject(xerr_idx, skb, &fl); XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); return 0;
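
Review bot: In xfrm_input() (patch 1/4, net/xfrm/xfrm_input.c), the new `encap_type == 0` clause is not limited to IPv6 even though the subject says the change is for inbound IPv6 ESP: any skb that arrives with offload information and encap_type 0 now takes the branch that uses the state already attached to the skb (`x = xfrm_input_state(skb)`). Either document that a driver attaching offload info must also have attached the matching state for both address families, or restrict the condition to the case the patch is about. The mixed `&` and `||` in `xo->flags & XFRM_GRO || encap_type == 0` would also read better with parentheses around the flag test.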
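
Review bot: In __xfrm_policy_check() (patch 1/4, net/xfrm/xfrm_policy.c), `!is_crypto_offload` turns off the `secpath_has_nontransport()` rejection for every packet whose input state is a crypto-offload SA, which loosens the inbound check in the no-policy case, and the commit message only says the change "is also needed" without saying why. Please explain what fails without it and scope the exemption to that case. Also, `xfrm_input_state(skb)` is evaluated whenever `sp` is non-NULL and before the `XFRM_USERPOLICY_BLOCK` early return; compute it only where it is used, and confirm the secpath cannot be empty at this point.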

From patchwork Tue Jul 2 08:44:49 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13719112
X-Patchwork-Delegate: kuba@kernel.org
Date: Tue, 2 Jul 2024 16:44:49 +0800
In-Reply-To: <20240702084452.2259237-1-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
Message-ID: <20240702084452.2259237-3-yumike@google.com>
Subject: [PATCH ipsec 2/4] xfrm: Allow UDP encapsulation in crypto offload control path
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com, yumike@google.com

Unblock this limitation so that SAs with encapsulation specified can be passed to HW drivers. HW drivers can still reject the SA in their implementation of xdo_dev_state_add if the encapsulation is not supported.

Test: Verified on Android device
Signed-off-by: Mike Yu
---
 net/xfrm/xfrm_device.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 2455a76a1cff..9a44d363ba62 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c
@@ -261,9 +261,9 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, is_packet_offload = xuo->flags & XFRM_OFFLOAD_PACKET; - /* We don't yet support UDP encapsulation and TFC padding. */ - if ((!is_packet_offload && x->encap) || x->tfcpad) { - NL_SET_ERR_MSG(extack, "Encapsulation and TFC padding can't be offloaded"); + /* We don't yet support TFC padding. */ + if (x->tfcpad) { + NL_SET_ERR_MSG(extack, "TFC padding can't be offloaded"); return -EINVAL; }
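
Review bot: In xfrm_dev_state_add() (patch 2/4), dropping the `(!is_packet_offload && x->encap)` test moves the whole decision to each driver's xdo_dev_state_add, so a crypto-offload driver that never looked at `x->encap` because the core rejected it will now accept an encapsulated SA it cannot handle. Please state which in-tree drivers were checked, or keep a core-side gate that a driver has to opt out of. The commit message says "Unblock this limitation" without naming it; say that it is UDP encapsulation for crypto offload.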

From patchwork Tue Jul 2 08:44:50 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13719113
X-Patchwork-Delegate: kuba@kernel.org
Date: Tue, 2 Jul 2024 16:44:50 +0800
In-Reply-To: <20240702084452.2259237-1-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
Message-ID: <20240702084452.2259237-4-yumike@google.com>
Subject: [PATCH ipsec 3/4] xfrm: Support crypto offload for inbound IPv4 UDP-encapsulated ESP packet
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com, yumike@google.com

If xfrm_input() is called with UDP_ENCAP_ESPINUDP, the packet has already been processed in the UDP layer, which removes the UDP header. Therefore, there should not be much difference in treating it as an ESP packet in the XFRM stack.

Test: Enabled dir=in IPsec crypto offload, and verified IPv4 UDP-encapsulated ESP packets on both wifi/cellular network
Signed-off-by: Mike Yu
---
 net/xfrm/xfrm_input.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index ba8deb0235ba..7cee9c0a2cdc 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c
@@ -471,7 +471,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) struct xfrm_offload *xo = xfrm_offload(skb); struct sec_path *sp; - if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0))) { + if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0 || + encap_type == UDP_ENCAP_ESPINUDP))) { x = xfrm_input_state(skb); if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {
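
Review bot: In xfrm_input() (patch 3/4), adding `encap_type == UDP_ENCAP_ESPINUDP` sends UDP-encapsulated packets into the branch that reuses `xfrm_input_state(skb)`, but nothing in this hunk checks that the attached state was configured with the same encapsulation; the commit message's reasoning deserves a sentence on where that match is enforced. The condition has now grown to four alternatives across two patches, so a small helper with a comment per case would be easier to audit than the wrapped expression.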

From patchwork Tue Jul 2 08:44:51 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13719114
X-Patchwork-Delegate: kuba@kernel.org
Date: Tue, 2 Jul 2024 16:44:51 +0800
In-Reply-To: <20240702084452.2259237-1-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
Message-ID: <20240702084452.2259237-5-yumike@google.com>
Subject: [PATCH ipsec 4/4] xfrm: Support crypto offload for outbound IPv4 UDP-encapsulated ESP packet
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com, yumike@google.com

esp_xmit() is already able to handle UDP encapsulation through the call to esp_output_head(). The missing part in esp_xmit() is to correct the outer IP header.

Test: Enabled both dir=in/out IPsec crypto offload, and verified IPv4 UDP-encapsulated ESP packets on both wifi/cellular network
Signed-off-by: Mike Yu
---
 net/ipv4/esp4.c         |  7 ++++++-
 net/ipv4/esp4_offload.c | 14 +++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 3968d3f98e08..cd4b52e131ce 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -349,6 +349,7 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, { struct udphdr *uh; unsigned int len; + struct xfrm_offload *xo = xfrm_offload(skb); len = skb->len + esp->tailen - skb_transport_offset(skb); if (len + sizeof(struct iphdr) > IP_MAX_MTU)
@@ -360,7 +361,11 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, uh->len = htons(len); uh->check = 0; - *skb_mac_header(skb) = IPPROTO_UDP; + // For IPv4 ESP with UDP encapsulation, if xo is not null, the skb is in the crypto offload + // data path, which means that esp_output_udp_encap is called outside of the XFRM stack. + // In this case, the mac header doesn't point to the IPv4 protocol field, so don't set it. + if (!xo || encap_type != UDP_ENCAP_ESPINUDP) + *skb_mac_header(skb) = IPPROTO_UDP; return (struct ip_esp_hdr *)(uh + 1); } diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c index b3271957ad9a..ccfc466ddf6c 100644 --- a/net/ipv4/esp4_offload.c +++ b/net/ipv4/esp4_offload.c @@ -264,6 +264,7 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ struct esp_info esp; bool hw_offload = true; __u32 seq; + int encap_type = 0; esp.inplace = true; @@ -296,8 +297,10 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ esp.esph = ip_esp_hdr(skb); + if (x->encap) + encap_type = x->encap->encap_type; - if (!hw_offload || !skb_is_gso(skb)) { + if (!hw_offload || !skb_is_gso(skb) || (hw_offload && encap_type == UDP_ENCAP_ESPINUDP)) { esp.nfrags = esp_output_head(x, skb, &esp); if (esp.nfrags < 0) return esp.nfrags; 
@@ -324,6 +327,15 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32)); + if (hw_offload && encap_type == UDP_ENCAP_ESPINUDP) { + // In the XFRM stack, the encapsulation protocol is set to iphdr->protocol by + // setting *skb_mac_header(skb) (see esp_output_udp_encap()) where skb->mac_header + // points to iphdr->protocol (see xfrm4_tunnel_encap_add()). + // However, in esp_xmit(), skb->mac_header doesn't point to iphdr->protocol. + // Therefore, the protocol field needs to be corrected. + ip_hdr(skb)->protocol = IPPROTO_UDP; + } + ip_hdr(skb)->tot_len = htons(skb->len); ip_send_check(ip_hdr(skb));
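
Review bot: In esp_output_udp_encap() (patch 4/4, net/ipv4/esp4.c, hunk at -360), the guard `if (!xo || encap_type != UDP_ENCAP_ESPINUDP)` infers the caller from whether the skb carries offload info, and it leaves the protocol byte unset unless the esp_xmit() hunk in esp4_offload.c writes it later, so the two files have to stay in step. Pass an explicit indication from the caller, for example through the `esp` argument this function already uses, rather than keying on `xo`. The added comment uses `//` and very long lines; kernel style is `/* ... */`, wrapped.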
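
Review bot: In esp_xmit() (patch 4/4, net/ipv4/esp4_offload.c, hunk at -296), the `hw_offload &&` inside `(hw_offload && encap_type == UDP_ENCAP_ESPINUDP)` is redundant, because that operand is only evaluated when `!hw_offload` is false. More importantly, the new clause makes GSO skbs with hardware offload go through esp_output_head(), which the old condition `!hw_offload || !skb_is_gso(skb)` skipped; please say in the commit message whether that is intended for GSO packets and how it was tested.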
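
Review bot: In esp_xmit() (patch 4/4, net/ipv4/esp4_offload.c, hunk at -324), the `ip_hdr(skb)->protocol = IPPROTO_UDP;` fix-up is only correct because it sits before `ip_send_check(ip_hdr(skb));`, so say that in the comment to keep the block from being moved later. The comment should use the kernel's `/* ... */` form and be wrapped, and it can be shortened to the one fact that matters here: skb->mac_header does not point at iphdr->protocol on this path.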