From patchwork Wed Jul 10 11:16:51 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13729206
X-Patchwork-Delegate: kuba@kernel.org
Date: Wed, 10 Jul 2024 19:16:51 +0800
In-Reply-To: <20240710111654.4085575-1-yumike@google.com>
References: <20240710111654.4085575-1-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog
Message-ID: <20240710111654.4085575-2-yumike@google.com>
Subject: [PATCH ipsec v3 1/4] xfrm: Support crypto offload for inbound IPv6 ESP packets not in GRO path
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: yumike@google.com, stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com

IPsec crypto offload supports outbound IPv6 ESP packets, but it doesn't support inbound IPv6 ESP packets. This change enables the crypto offload for inbound IPv6 ESP packets that are not handled through GRO code path. If HW drivers add the offload information to the skb, the packet will be handled in the crypto offload rx code path.

Apart from the change in crypto offload rx code path, the change in xfrm_policy_check is also needed.

Example of RX data path:

  +-----------+   +-------+
  | HW Driver |-->| wlan0 |--------+
  +-----------+   +-------+        |
                                   v
                             +---------------+   +------+
                     +------>| Network Stack |-->| Apps |
                     |       +---------------+   +------+
                     |             |
                     |             v
                 +--------+   +------------+
                 | ipsec1 |<--| XFRM Stack |
                 +--------+   +------------+

Test: Enabled both in/out IPsec crypto offload, and verified IPv6 ESP packets on Android device on both wifi/cellular network

Signed-off-by: Mike Yu
---
 net/xfrm/xfrm_input.c  | 2 +-
 net/xfrm/xfrm_policy.c | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index d2ea18dcb0cb..ba8deb0235ba 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c
@@ -471,7 +471,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) struct xfrm_offload *xo = xfrm_offload(skb); struct sec_path *sp; - if (encap_type < 0 || (xo && xo->flags & XFRM_GRO)) { + if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0))) { x = xfrm_input_state(skb); if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) { diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6603d3bd171f..2a9a31f2a9c1 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c 
@@ -3718,12 +3718,15 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, pol = xfrm_in_fwd_icmp(skb, &fl, family, if_id); if (!pol) { + const bool is_crypto_offload = sp && + (xfrm_input_state(skb)->xso.type == XFRM_DEV_OFFLOAD_CRYPTO); + if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); return 0; } - if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) { + if (sp && secpath_has_nontransport(sp, 0, &xerr_idx) && !is_crypto_offload) { xfrm_secpath_reject(xerr_idx, skb, &fl); XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); return 0;

From patchwork Wed Jul 10 11:16:52 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13729207
X-Patchwork-Delegate: kuba@kernel.org
Date: Wed, 10 Jul 2024 19:16:52 +0800
In-Reply-To: <20240710111654.4085575-1-yumike@google.com>
References: <20240710111654.4085575-1-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog
Message-ID: <20240710111654.4085575-3-yumike@google.com>
Subject: [PATCH ipsec v3 2/4] xfrm: Allow UDP encapsulation in crypto offload control path
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: yumike@google.com, stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com

Unblock this limitation so that SAs with encapsulation specified can be passed to HW drivers. HW drivers can still reject the SA in their implementation of xdo_dev_state_add if the encapsulation is not supported.

Test: Verified on Android device

Signed-off-by: Mike Yu
---
 net/xfrm/xfrm_device.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 2455a76a1cff..9a44d363ba62 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c
@@ -261,9 +261,9 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, is_packet_offload = xuo->flags & XFRM_OFFLOAD_PACKET; - /* We don't yet support UDP encapsulation and TFC padding. */ - if ((!is_packet_offload && x->encap) || x->tfcpad) { - NL_SET_ERR_MSG(extack, "Encapsulation and TFC padding can't be offloaded"); + /* We don't yet support TFC padding. */ + if (x->tfcpad) { + NL_SET_ERR_MSG(extack, "TFC padding can't be offloaded"); return -EINVAL; }

From patchwork Wed Jul 10 11:16:53 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13729208
X-Patchwork-Delegate: kuba@kernel.org
Date: Wed, 10 Jul 2024 19:16:53 +0800
In-Reply-To: <20240710111654.4085575-1-yumike@google.com>
References: <20240710111654.4085575-1-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog
Message-ID: <20240710111654.4085575-4-yumike@google.com>
Subject: [PATCH ipsec v3 3/4] xfrm: Support crypto offload for inbound IPv4 UDP-encapsulated ESP packet
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: yumike@google.com, stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com

If xfrm_input() is called with UDP_ENCAP_ESPINUDP, the packet is already processed in UDP layer that removes the UDP header. Therefore, there should not be much difference to treat it as an ESP packet in the XFRM stack.

Test: Enabled dir=in IPsec crypto offload, and verified IPv4 UDP-encapsulated ESP packets on both wifi/cellular network

Signed-off-by: Mike Yu
---
 net/xfrm/xfrm_input.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index ba8deb0235ba..7cee9c0a2cdc 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c
@@ -471,7 +471,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) struct xfrm_offload *xo = xfrm_offload(skb); struct sec_path *sp; - if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0))) { + if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0 || + encap_type == UDP_ENCAP_ESPINUDP))) { x = xfrm_input_state(skb); if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {

From patchwork Wed Jul 10 11:16:54 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13729209
X-Patchwork-Delegate: kuba@kernel.org
Date: Wed, 10 Jul 2024 19:16:54 +0800
In-Reply-To: <20240710111654.4085575-1-yumike@google.com>
References: <20240710111654.4085575-1-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
X-Mailer: git-send-email 2.45.2.803.g4e1b14247a-goog
Message-ID: <20240710111654.4085575-5-yumike@google.com>
Subject: [PATCH ipsec v3 4/4] xfrm: Support crypto offload for outbound IPv4 UDP-encapsulated ESP packet
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: yumike@google.com, stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com

esp_xmit() is already able to handle UDP encapsulation through the call to esp_output_head(). However, the ESP header and the outer IP header are not correct and need to be corrected.

Test: Enabled both dir=in/out IPsec crypto offload, and verified IPv4 UDP-encapsulated ESP packets on both wifi/cellular network

Signed-off-by: Mike Yu
---
v2->v3: https://lore.kernel.org/all/20240709062326.939083-5-yumike@google.com
- Correct ESP seq in esp_xmit().
v1->v2: https://lore.kernel.org/all/20240702084452.2259237-5-yumike@google.com
- Fix comment style.
---
 net/ipv4/esp4.c         | 8 +++++++-
 net/ipv4/esp4_offload.c | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 3968d3f98e08..73981595f062 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c
@@ -349,6 +349,7 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, { struct udphdr *uh; unsigned int len; + struct xfrm_offload *xo = xfrm_offload(skb); len = skb->len + esp->tailen - skb_transport_offset(skb); if (len + sizeof(struct iphdr) > IP_MAX_MTU) @@ -360,7 +361,12 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, uh->len = htons(len); uh->check = 0; - *skb_mac_header(skb) = IPPROTO_UDP; + /* For IPv4 ESP with UDP encapsulation, if xo is not null, the skb is in the crypto offload + * data path, which means that esp_output_udp_encap is called outside of the XFRM stack. + * In this case, the mac header doesn't point to the IPv4 protocol field, so don't set it. + */ + if (!xo || encap_type != UDP_ENCAP_ESPINUDP) + *skb_mac_header(skb) = IPPROTO_UDP; return (struct ip_esp_hdr *)(uh + 1); } diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c index b3271957ad9a..a37d18858c72 100644 --- a/net/ipv4/esp4_offload.c +++ b/net/ipv4/esp4_offload.c @@ -264,6 +264,7 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ struct esp_info esp; bool hw_offload = true; __u32 seq; + int encap_type = 0; esp.inplace = true; @@ -296,8 +297,10 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ esp.esph = ip_esp_hdr(skb); + if (x->encap) + encap_type = x->encap->encap_type; - if (!hw_offload || !skb_is_gso(skb)) { + if (!hw_offload || !skb_is_gso(skb) || (hw_offload && encap_type == UDP_ENCAP_ESPINUDP)) { esp.nfrags = esp_output_head(x, skb, &esp); if (esp.nfrags < 0) return esp.nfrags; 
@@ -324,6 +327,18 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32)); + if (hw_offload && encap_type == UDP_ENCAP_ESPINUDP) { + /* In the XFRM stack, the encapsulation protocol is set to iphdr->protocol by + * setting *skb_mac_header(skb) (see esp_output_udp_encap()) where skb->mac_header + * points to iphdr->protocol (see xfrm4_tunnel_encap_add()). + * However, in esp_xmit(), skb->mac_header doesn't point to iphdr->protocol. + * Therefore, the protocol field needs to be corrected. + */ + ip_hdr(skb)->protocol = IPPROTO_UDP; + + esph->seq_no = htonl(seq); + } + ip_hdr(skb)->tot_len = htons(skb->len); ip_send_check(ip_hdr(skb));
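Review bot: in patch 1/4, the new "encap_type == 0" term in the xfrm_input() condition (net/xfrm/xfrm_input.c, hunk @@ -471,7 +471,7) is not limited to IPv6, although the subject and commit message describe inbound IPv6 ESP only. Any skb that carries an xfrm_offload and arrives with encap_type 0 now takes the xfrm_input_state(skb) branch, whatever its address family and whatever xo->flags holds. Either say in the commit message that non-encapsulated IPv4 ESP is affected too, or narrow the test, and add a short comment above the condition stating what the driver must have set on the skb for this branch to be valid.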
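Review bot: in patch 1/4, the added "&& !is_crypto_offload" in __xfrm_policy_check() (net/xfrm/xfrm_policy.c, hunk @@ -3718,12 +3718,15) turns off the secpath_has_nontransport() rejection for every crypto-offloaded packet that matched no policy, and neither the code nor the commit message ("the change in xfrm_policy_check is also needed") says why that is safe. This relaxes an inbound policy check, so the reason belongs in a comment next to the condition. Two smaller points on the same lines: is_crypto_offload dereferences xfrm_input_state(skb) after checking only that sp is non-NULL, so state why a non-NULL secpath always carries a state here or test for it; and the flag is computed before the XFRM_USERPOLICY_BLOCK early return that never uses it, so it can move down into the condition it serves.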
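Review bot: in patch 2/4, dropping "(!is_packet_offload && x->encap)" from the check in xfrm_dev_state_add() (net/xfrm/xfrm_device.c, hunk @@ -261,9 +261,9) moves the encapsulation decision from the core to every driver at once. The commit message says drivers can still reject the SA in xdo_dev_state_add, but a crypto-offload driver that never looked at x->encap, because the core refused such SAs before, would now accept a UDP-encapsulated SA it cannot process. Suggest auditing the existing xdo_dev_state_add implementations as part of this series, or keeping the rejection as the default and letting a driver opt in.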
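Review bot: in patch 3/4, the condition in xfrm_input() (net/xfrm/xfrm_input.c, hunk @@ -471,7 +471,8) now chains "xo->flags & XFRM_GRO" with two "||" terms across a line break and depends on & binding tighter than ||. Please write it as (xo->flags & XFRM_GRO), and add a one-line comment on why UDP_ENCAP_ESPINUDP qualifies for this branch (the UDP layer has already removed the UDP header, as the commit message says), since that reasoning is not visible in the code.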
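Review bot: in patch 4/4, the guard "if (!xo || encap_type != UDP_ENCAP_ESPINUDP)" in esp_output_udp_encap() (net/ipv4/esp4.c, hunk @@ -360,7 +361,12) infers the caller from the skb: the comment asserts that a non-NULL xo means the function was reached from outside the XFRM stack. Nothing in the hunk shows that xfrm_offload(skb) is NULL on every path through the XFRM stack where skb_mac_header() does point at the protocol field; if an skb can carry offload state there, the IPPROTO_UDP write is skipped and the outer header keeps the wrong protocol. Passing the caller's intent explicitly would be more robust than testing xo.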
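Review bot: in patch 4/4, the third operand of the new condition in esp_xmit() (net/ipv4/esp4_offload.c, hunk @@ -296,8 +297,10) repeats a test that is already decided: in "!hw_offload || !skb_is_gso(skb) || (hw_offload && encap_type == UDP_ENCAP_ESPINUDP)" the last term is only evaluated when hw_offload is true, so "hw_offload &&" can go. The change also sends a GSO skb with UDP encapsulation through esp_output_head() on the hardware-offload path, which the old condition excluded; a comment saying why that is correct for GSO packets would help.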
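Review bot: in patch 4/4, the comment in the added block in esp_xmit() (net/ipv4/esp4_offload.c, hunk @@ -324,6 +327,18) documents the ip_hdr(skb)->protocol fix but not the "esph->seq_no = htonl(seq);" line beneath it. The v2->v3 changelog lists "Correct ESP seq in esp_xmit()", so the assignment is deliberate, but the comment should also say why the sequence number in the ESP header is wrong at this point on the UDP-encapsulation path and has to be rewritten here.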