From patchwork Fri Jul 12 02:51:22 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13731255
X-Patchwork-Delegate: kuba@kernel.org
Date: Fri, 12 Jul 2024 10:51:22 +0800
In-Reply-To: <20240712025125.1926249-1-yumike@google.com>
Message-ID: <20240712025125.1926249-2-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
Subject: [PATCH ipsec-next v4 1/4] xfrm: Support crypto offload for inbound IPv6 ESP packets not in GRO path
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com, yumike@google.com

IPsec crypto offload supports outbound IPv6 ESP packets, but it doesn't
support inbound IPv6 ESP packets.

This change enables the crypto offload for inbound IPv6 ESP packets
that are not handled through the GRO code path. If HW drivers add the
offload information to the skb, the packet will be handled in the
crypto offload rx code path.

Apart from the change in the crypto offload rx code path, the change in
xfrm_policy_check is also needed.

Example of RX data path:

  +-----------+   +-------+
  | HW Driver |-->| wlan0 |--------+
  +-----------+   +-------+        |
                                   v
                            +---------------+   +------+
                    +------>| Network Stack |-->| Apps |
                    |       +---------------+   +------+
                    |               |
                    |               v
                +--------+   +------------+
                | ipsec1 |<--| XFRM Stack |
                +--------+   +------------+

Test: Enabled both in/out IPsec crypto offload, and verified IPv6
      ESP packets on Android device on both wifi/cellular network
Signed-off-by: Mike Yu
---
 net/xfrm/xfrm_input.c  | 2 +-
 net/xfrm/xfrm_policy.c | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index d2ea18dcb0cb..ba8deb0235ba 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c
@@ -471,7 +471,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) struct xfrm_offload *xo = xfrm_offload(skb); struct sec_path *sp; - if (encap_type < 0 || (xo && xo->flags & XFRM_GRO)) { + if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0))) { x = xfrm_input_state(skb); if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) { diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6603d3bd171f..2a9a31f2a9c1 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c 
@@ -3718,12 +3718,15 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, pol = xfrm_in_fwd_icmp(skb, &fl, family, if_id); if (!pol) { + const bool is_crypto_offload = sp && + (xfrm_input_state(skb)->xso.type == XFRM_DEV_OFFLOAD_CRYPTO); + if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); return 0; } - if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) { + if (sp && secpath_has_nontransport(sp, 0, &xerr_idx) && !is_crypto_offload) { xfrm_secpath_reject(xerr_idx, skb, &fl); XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); return 0;

From patchwork Fri Jul 12 02:51:23 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13731256
X-Patchwork-Delegate: kuba@kernel.org
Date: Fri, 12 Jul 2024 10:51:23 +0800
In-Reply-To: <20240712025125.1926249-1-yumike@google.com>
Message-ID: <20240712025125.1926249-3-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
Subject: [PATCH ipsec-next v4 2/4] xfrm: Allow UDP encapsulation in crypto offload control path
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com, yumike@google.com

Unblock this limitation so that SAs with encapsulation specified
can be passed to HW drivers. HW drivers can still reject the SA
in their implementation of xdo_dev_state_add if the encapsulation
is not supported.

Test: Verified on Android device
Signed-off-by: Mike Yu
---
 net/xfrm/xfrm_device.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 2455a76a1cff..9a44d363ba62 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c
@@ -261,9 +261,9 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, is_packet_offload = xuo->flags & XFRM_OFFLOAD_PACKET; - /* We don't yet support UDP encapsulation and TFC padding. */ - if ((!is_packet_offload && x->encap) || x->tfcpad) { - NL_SET_ERR_MSG(extack, "Encapsulation and TFC padding can't be offloaded"); + /* We don't yet support TFC padding. */ + if (x->tfcpad) { + NL_SET_ERR_MSG(extack, "TFC padding can't be offloaded"); return -EINVAL; }

From patchwork Fri Jul 12 02:51:24 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13731257
X-Patchwork-Delegate: kuba@kernel.org
Date: Fri, 12 Jul 2024 10:51:24 +0800
In-Reply-To: <20240712025125.1926249-1-yumike@google.com>
Message-ID: <20240712025125.1926249-4-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
Subject: [PATCH ipsec-next v4 3/4] xfrm: Support crypto offload for inbound IPv4 UDP-encapsulated ESP packet
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com, yumike@google.com

If xfrm_input() is called with UDP_ENCAP_ESPINUDP, the packet is
already processed in the UDP layer, which removes the UDP header.
Therefore, there should not be much difference in treating it as an
ESP packet in the XFRM stack.

Test: Enabled dir=in IPsec crypto offload, and verified IPv4
      UDP-encapsulated ESP packets on both wifi/cellular network
Signed-off-by: Mike Yu
---
 net/xfrm/xfrm_input.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index ba8deb0235ba..7cee9c0a2cdc 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c
@@ -471,7 +471,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) struct xfrm_offload *xo = xfrm_offload(skb); struct sec_path *sp; - if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0))) { + if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0 || + encap_type == UDP_ENCAP_ESPINUDP))) { x = xfrm_input_state(skb); if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {

From patchwork Fri Jul 12 02:51:25 2024
X-Patchwork-Submitter: Mike Yu
X-Patchwork-Id: 13731258
X-Patchwork-Delegate: kuba@kernel.org
Date: Fri, 12 Jul 2024 10:51:25 +0800
In-Reply-To: <20240712025125.1926249-1-yumike@google.com>
Message-ID: <20240712025125.1926249-5-yumike@google.com>
X-Mailing-List: netdev@vger.kernel.org
Subject: [PATCH ipsec-next v4 4/4] xfrm: Support crypto offload for outbound IPv4 UDP-encapsulated ESP packet
From: Mike Yu
To: netdev@vger.kernel.org, steffen.klassert@secunet.com
Cc: stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com, yumike@google.com

esp_xmit() is already able to handle UDP encapsulation through the call
to esp_output_head(). However, the ESP header and the outer IP header
are not correct and need to be corrected.

Test: Enabled both dir=in/out IPsec crypto offload, and verified IPv4
      UDP-encapsulated ESP packets on both wifi/cellular network
Signed-off-by: Mike Yu
---
v2->v3: https://lore.kernel.org/all/20240709062326.939083-5-yumike@google.com
- Correct ESP seq in esp_xmit().
v1->v2: https://lore.kernel.org/all/20240702084452.2259237-5-yumike@google.com
- Fix comment style.
---
 net/ipv4/esp4.c         |  8 +++++++-
 net/ipv4/esp4_offload.c | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 3968d3f98e08..73981595f062 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c
@@ -349,6 +349,7 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, { struct udphdr *uh; unsigned int len; + struct xfrm_offload *xo = xfrm_offload(skb); len = skb->len + esp->tailen - skb_transport_offset(skb); if (len + sizeof(struct iphdr) > IP_MAX_MTU) @@ -360,7 +361,12 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, uh->len = htons(len); uh->check = 0; - *skb_mac_header(skb) = IPPROTO_UDP; + /* For IPv4 ESP with UDP encapsulation, if xo is not null, the skb is in the crypto offload + * data path, which means that esp_output_udp_encap is called outside of the XFRM stack. + * In this case, the mac header doesn't point to the IPv4 protocol field, so don't set it. + */ + if (!xo || encap_type != UDP_ENCAP_ESPINUDP) + *skb_mac_header(skb) = IPPROTO_UDP; return (struct ip_esp_hdr *)(uh + 1); } diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c index b3271957ad9a..a37d18858c72 100644 --- a/net/ipv4/esp4_offload.c +++ b/net/ipv4/esp4_offload.c @@ -264,6 +264,7 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ struct esp_info esp; bool hw_offload = true; __u32 seq; + int encap_type = 0; esp.inplace = true; @@ -296,8 +297,10 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ esp.esph = ip_esp_hdr(skb); + if (x->encap) + encap_type = x->encap->encap_type; - if (!hw_offload || !skb_is_gso(skb)) { + if (!hw_offload || !skb_is_gso(skb) || (hw_offload && encap_type == UDP_ENCAP_ESPINUDP)) { esp.nfrags = esp_output_head(x, skb, &esp); if (esp.nfrags < 0) return esp.nfrags; 
@@ -324,6 +327,18 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_ esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32)); + if (hw_offload && encap_type == UDP_ENCAP_ESPINUDP) { + /* In the XFRM stack, the encapsulation protocol is set to iphdr->protocol by + * setting *skb_mac_header(skb) (see esp_output_udp_encap()) where skb->mac_header + * points to iphdr->protocol (see xfrm4_tunnel_encap_add()). + * However, in esp_xmit(), skb->mac_header doesn't point to iphdr->protocol. + * Therefore, the protocol field needs to be corrected. + */ + ip_hdr(skb)->protocol = IPPROTO_UDP; + + esph->seq_no = htonl(seq); + } + ip_hdr(skb)->tot_len = htons(skb->len); ip_send_check(ip_hdr(skb));
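Review bot: in patch 1/4, the new 'encap_type == 0' term in the xfrm_input() condition is not restricted to IPv6 by anything in the hunk, although the commit message describes the change as enabling inbound IPv6 ESP only. Any skb that carries an xfrm_offload and arrives with encap_type 0 now takes the branch that calls xfrm_input_state(skb) and dereferences x->dir straight away, so this path depends on the driver having attached the state before the call. Please either add a family check or widen the commit message, and put a comment on the condition stating what a driver must have set up on the skb. Writing '(xo->flags & XFRM_GRO)' with its own parentheses would also make the mixed & and || expression easier to read.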
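Review bot: in patch 1/4, the '!is_crypto_offload' term added to the secpath_has_nontransport() test in __xfrm_policy_check() relaxes an inbound policy rejection, and neither the code nor the commit message says why that is safe. With no policy found, a packet whose secpath has a non-transport state used to be rejected here; it is now let through whenever the state returned by xfrm_input_state(skb) has xso.type == XFRM_DEV_OFFLOAD_CRYPTO. The commit message only says the change "is also needed", so please add a comment giving the reason. The is_crypto_offload declaration could also move below the XFRM_USERPOLICY_BLOCK early return, so xfrm_input_state() is not evaluated on a path that returns 0 anyway, and since the expression is guarded only by sp being non-NULL, it is worth confirming that a secpath cannot be present here without a state.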
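Review bot: in patch 2/4, dropping '(!is_packet_offload && x->encap)' from the check in xfrm_dev_state_add() lets a crypto-offload SA with any encapsulation type reach the driver, while the other patches in the series only handle UDP_ENCAP_ESPINUDP. Rejection becomes the job of each driver's xdo_dev_state_add, so a driver that never looked at x->encap because the core refused such SAs would now accept them without noticing. Consider keeping a core check that allows only the encapsulation type the series supports for crypto offload, or state in the commit message that the existing drivers have been checked.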
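Review bot: in patch 3/4, the xfrm_input() condition now has three alternatives nested under 'xo &&' and wraps in the middle of the expression, which makes this entry check hard to audit. A local bool or a small helper, with a comment next to the UDP_ENCAP_ESPINUDP term, would read better; the commit message's reasoning (the UDP layer has already removed the UDP header) belongs in that comment, because it is the only justification for treating the packet like plain ESP at this point.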
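Review bot: in patch 4/4, the guard 'if (!xo || encap_type != UDP_ENCAP_ESPINUDP)' in esp_output_udp_encap() still writes *skb_mac_header(skb) when xo is set and the encapsulation type is something other than UDP_ENCAP_ESPINUDP, yet the comment above it says that with xo set the mac header does not point to the IPv4 protocol field. If that holds for the offload path in general, the write should be skipped for every encap type when xo is non-NULL (a plain 'if (!xo)'), or the comment should explain why the other types are safe to write.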
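Review bot: in patch 4/4, the 'hw_offload &&' inside the third term of 'if (!hw_offload || !skb_is_gso(skb) || (hw_offload && encap_type == UDP_ENCAP_ESPINUDP))' in esp_xmit() is redundant, because that term is only evaluated once '!hw_offload' has been found false. Reduce it to 'encap_type == UDP_ENCAP_ESPINUDP', and add a short comment saying why UDP-encapsulated GSO packets have to go through esp_output_head() here.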
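Review bot: in patch 4/4, the 'esph->seq_no = htonl(seq);' line in the new UDP_ENCAP_ESPINUDP block of esp_xmit() has no explanation, while the comment above it covers only the ip_hdr(skb)->protocol fix. The changelog lists "Correct ESP seq in esp_xmit()" as the v2->v3 change, so the reason is known; please put it in the comment. The block's 'hw_offload && encap_type == UDP_ENCAP_ESPINUDP' test also repeats the one added earlier in the function, so a local bool computed once would keep the two from drifting apart.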