Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
Steffen Klassert says: ==================== pull request (net-next): ipsec-next 2022-05-13 1) Cleanups for the code behind the XFRM offload API. This is a preparation for the extension of the API for policy offload. From Leon Romanovsky. * 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next: xfrm: drop not needed flags variable in XFRM offload struct net/mlx5e: Use XFRM state direction instead of flags netdevsim: rely on XFRM state direction instead of flags ixgbe: propagate XFRM offload state direction instead of flags xfrm: store and rely on direction to construct offload flags xfrm: rename xfrm_state_offload struct to allow reuse xfrm: delete not used number of external headers xfrm: free not used XFRM_ESP_NO_TRAILER flag ==================== Link: https://lore.kernel.org/r/20220513151218.4010119-1-steffen.klassert@secunet.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
commit
2c5f153647
@ -585,7 +585,7 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
|
|||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
|
if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
|
||||||
struct rx_sa rsa;
|
struct rx_sa rsa;
|
||||||
|
|
||||||
if (xs->calg) {
|
if (xs->calg) {
|
||||||
@ -757,7 +757,7 @@ static void ixgbe_ipsec_del_sa(struct xfrm_state *xs)
|
|||||||
u32 zerobuf[4] = {0, 0, 0, 0};
|
u32 zerobuf[4] = {0, 0, 0, 0};
|
||||||
u16 sa_idx;
|
u16 sa_idx;
|
||||||
|
|
||||||
if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
|
if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
|
||||||
struct rx_sa *rsa;
|
struct rx_sa *rsa;
|
||||||
u8 ipi;
|
u8 ipi;
|
||||||
|
|
||||||
@ -903,8 +903,7 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
|
|||||||
/* Tx IPsec offload doesn't seem to work on this
|
/* Tx IPsec offload doesn't seem to work on this
|
||||||
* device, so block these requests for now.
|
* device, so block these requests for now.
|
||||||
*/
|
*/
|
||||||
sam->flags = sam->flags & ~XFRM_OFFLOAD_IPV6;
|
if (sam->dir != XFRM_DEV_OFFLOAD_IN) {
|
||||||
if (sam->flags != XFRM_OFFLOAD_INBOUND) {
|
|
||||||
err = -EOPNOTSUPP;
|
err = -EOPNOTSUPP;
|
||||||
goto err_out;
|
goto err_out;
|
||||||
}
|
}
|
||||||
@ -915,7 +914,7 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
|
|||||||
goto err_out;
|
goto err_out;
|
||||||
}
|
}
|
||||||
|
|
||||||
xs->xso.flags = sam->flags;
|
xs->xso.dir = sam->dir;
|
||||||
xs->id.spi = sam->spi;
|
xs->id.spi = sam->spi;
|
||||||
xs->id.proto = sam->proto;
|
xs->id.proto = sam->proto;
|
||||||
xs->props.family = sam->family;
|
xs->props.family = sam->family;
|
||||||
|
@ -74,7 +74,7 @@ struct ixgbe_ipsec {
|
|||||||
|
|
||||||
struct sa_mbx_msg {
|
struct sa_mbx_msg {
|
||||||
__be32 spi;
|
__be32 spi;
|
||||||
u8 flags;
|
u8 dir;
|
||||||
u8 proto;
|
u8 proto;
|
||||||
u16 family;
|
u16 family;
|
||||||
__be32 addr[4];
|
__be32 addr[4];
|
||||||
|
@ -25,7 +25,7 @@ static int ixgbevf_ipsec_set_pf_sa(struct ixgbevf_adapter *adapter,
|
|||||||
|
|
||||||
/* send the important bits to the PF */
|
/* send the important bits to the PF */
|
||||||
sam = (struct sa_mbx_msg *)(&msgbuf[1]);
|
sam = (struct sa_mbx_msg *)(&msgbuf[1]);
|
||||||
sam->flags = xs->xso.flags;
|
sam->dir = xs->xso.dir;
|
||||||
sam->spi = xs->id.spi;
|
sam->spi = xs->id.spi;
|
||||||
sam->proto = xs->id.proto;
|
sam->proto = xs->id.proto;
|
||||||
sam->family = xs->props.family;
|
sam->family = xs->props.family;
|
||||||
@ -280,7 +280,7 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
|
|||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
|
if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
|
||||||
struct rx_sa rsa;
|
struct rx_sa rsa;
|
||||||
|
|
||||||
if (xs->calg) {
|
if (xs->calg) {
|
||||||
@ -394,7 +394,7 @@ static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs)
|
|||||||
adapter = netdev_priv(dev);
|
adapter = netdev_priv(dev);
|
||||||
ipsec = adapter->ipsec;
|
ipsec = adapter->ipsec;
|
||||||
|
|
||||||
if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
|
if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
|
||||||
sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX;
|
sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX;
|
||||||
|
|
||||||
if (!ipsec->rx_tbl[sa_idx].used) {
|
if (!ipsec->rx_tbl[sa_idx].used) {
|
||||||
|
@ -57,7 +57,7 @@ struct ixgbevf_ipsec {
|
|||||||
|
|
||||||
struct sa_mbx_msg {
|
struct sa_mbx_msg {
|
||||||
__be32 spi;
|
__be32 spi;
|
||||||
u8 flags;
|
u8 dir;
|
||||||
u8 proto;
|
u8 proto;
|
||||||
u16 family;
|
u16 family;
|
||||||
__be32 addr[4];
|
__be32 addr[4];
|
||||||
|
@ -172,9 +172,9 @@ mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* action */
|
/* action */
|
||||||
attrs->action = (!(x->xso.flags & XFRM_OFFLOAD_INBOUND)) ?
|
attrs->action = (x->xso.dir == XFRM_DEV_OFFLOAD_OUT) ?
|
||||||
MLX5_ACCEL_ESP_ACTION_ENCRYPT :
|
MLX5_ACCEL_ESP_ACTION_ENCRYPT :
|
||||||
MLX5_ACCEL_ESP_ACTION_DECRYPT;
|
MLX5_ACCEL_ESP_ACTION_DECRYPT;
|
||||||
/* flags */
|
/* flags */
|
||||||
attrs->flags |= (x->props.mode == XFRM_MODE_TRANSPORT) ?
|
attrs->flags |= (x->props.mode == XFRM_MODE_TRANSPORT) ?
|
||||||
MLX5_ACCEL_ESP_FLAGS_TRANSPORT :
|
MLX5_ACCEL_ESP_FLAGS_TRANSPORT :
|
||||||
@ -306,7 +306,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x)
|
|||||||
if (err)
|
if (err)
|
||||||
goto err_hw_ctx;
|
goto err_hw_ctx;
|
||||||
|
|
||||||
if (x->xso.flags & XFRM_OFFLOAD_INBOUND) {
|
if (x->xso.dir == XFRM_DEV_OFFLOAD_IN) {
|
||||||
err = mlx5e_ipsec_sadb_rx_add(sa_entry);
|
err = mlx5e_ipsec_sadb_rx_add(sa_entry);
|
||||||
if (err)
|
if (err)
|
||||||
goto err_add_rule;
|
goto err_add_rule;
|
||||||
@ -333,7 +333,7 @@ static void mlx5e_xfrm_del_state(struct xfrm_state *x)
|
|||||||
{
|
{
|
||||||
struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
|
struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
|
||||||
|
|
||||||
if (x->xso.flags & XFRM_OFFLOAD_INBOUND)
|
if (x->xso.dir == XFRM_DEV_OFFLOAD_IN)
|
||||||
mlx5e_ipsec_sadb_rx_del(sa_entry);
|
mlx5e_ipsec_sadb_rx_del(sa_entry);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -171,7 +171,7 @@ static int nsim_ipsec_add_sa(struct xfrm_state *xs)
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
|
if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
|
||||||
sa.rx = true;
|
sa.rx = true;
|
||||||
|
|
||||||
if (xs->props.family == AF_INET6)
|
if (xs->props.family == AF_INET6)
|
||||||
|
@ -126,13 +126,17 @@ struct xfrm_state_walk {
|
|||||||
struct xfrm_address_filter *filter;
|
struct xfrm_address_filter *filter;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct xfrm_state_offload {
|
enum {
|
||||||
|
XFRM_DEV_OFFLOAD_IN = 1,
|
||||||
|
XFRM_DEV_OFFLOAD_OUT,
|
||||||
|
};
|
||||||
|
|
||||||
|
struct xfrm_dev_offload {
|
||||||
struct net_device *dev;
|
struct net_device *dev;
|
||||||
netdevice_tracker dev_tracker;
|
netdevice_tracker dev_tracker;
|
||||||
struct net_device *real_dev;
|
struct net_device *real_dev;
|
||||||
unsigned long offload_handle;
|
unsigned long offload_handle;
|
||||||
unsigned int num_exthdrs;
|
u8 dir : 2;
|
||||||
u8 flags;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
struct xfrm_mode {
|
struct xfrm_mode {
|
||||||
@ -247,7 +251,7 @@ struct xfrm_state {
|
|||||||
struct xfrm_lifetime_cur curlft;
|
struct xfrm_lifetime_cur curlft;
|
||||||
struct hrtimer mtimer;
|
struct hrtimer mtimer;
|
||||||
|
|
||||||
struct xfrm_state_offload xso;
|
struct xfrm_dev_offload xso;
|
||||||
|
|
||||||
/* used to fix curlft->add_time when changing date */
|
/* used to fix curlft->add_time when changing date */
|
||||||
long saved_tmo;
|
long saved_tmo;
|
||||||
@ -1006,7 +1010,7 @@ struct xfrm_offload {
|
|||||||
#define CRYPTO_FALLBACK 8
|
#define CRYPTO_FALLBACK 8
|
||||||
#define XFRM_GSO_SEGMENT 16
|
#define XFRM_GSO_SEGMENT 16
|
||||||
#define XFRM_GRO 32
|
#define XFRM_GRO 32
|
||||||
#define XFRM_ESP_NO_TRAILER 64
|
/* 64 is free */
|
||||||
#define XFRM_DEV_RESUME 128
|
#define XFRM_DEV_RESUME 128
|
||||||
#define XFRM_XMIT 256
|
#define XFRM_XMIT 256
|
||||||
|
|
||||||
@ -1866,7 +1870,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
|
|||||||
|
|
||||||
static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
|
static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
|
||||||
{
|
{
|
||||||
struct xfrm_state_offload *xso = &x->xso;
|
struct xfrm_dev_offload *xso = &x->xso;
|
||||||
|
|
||||||
if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
|
if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
|
||||||
xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
|
xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
|
||||||
@ -1892,7 +1896,7 @@ static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
|
|||||||
|
|
||||||
static inline void xfrm_dev_state_delete(struct xfrm_state *x)
|
static inline void xfrm_dev_state_delete(struct xfrm_state *x)
|
||||||
{
|
{
|
||||||
struct xfrm_state_offload *xso = &x->xso;
|
struct xfrm_dev_offload *xso = &x->xso;
|
||||||
|
|
||||||
if (xso->dev)
|
if (xso->dev)
|
||||||
xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
|
xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
|
||||||
@ -1900,7 +1904,7 @@ static inline void xfrm_dev_state_delete(struct xfrm_state *x)
|
|||||||
|
|
||||||
static inline void xfrm_dev_state_free(struct xfrm_state *x)
|
static inline void xfrm_dev_state_free(struct xfrm_state *x)
|
||||||
{
|
{
|
||||||
struct xfrm_state_offload *xso = &x->xso;
|
struct xfrm_dev_offload *xso = &x->xso;
|
||||||
struct net_device *dev = xso->dev;
|
struct net_device *dev = xso->dev;
|
||||||
|
|
||||||
if (dev && dev->xfrmdev_ops) {
|
if (dev && dev->xfrmdev_ops) {
|
||||||
|
@ -705,7 +705,6 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
|
|||||||
static inline int esp_remove_trailer(struct sk_buff *skb)
|
static inline int esp_remove_trailer(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
struct xfrm_state *x = xfrm_input_state(skb);
|
struct xfrm_state *x = xfrm_input_state(skb);
|
||||||
struct xfrm_offload *xo = xfrm_offload(skb);
|
|
||||||
struct crypto_aead *aead = x->data;
|
struct crypto_aead *aead = x->data;
|
||||||
int alen, hlen, elen;
|
int alen, hlen, elen;
|
||||||
int padlen, trimlen;
|
int padlen, trimlen;
|
||||||
@ -717,11 +716,6 @@ static inline int esp_remove_trailer(struct sk_buff *skb)
|
|||||||
hlen = sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead);
|
hlen = sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead);
|
||||||
elen = skb->len - hlen;
|
elen = skb->len - hlen;
|
||||||
|
|
||||||
if (xo && (xo->flags & XFRM_ESP_NO_TRAILER)) {
|
|
||||||
ret = xo->proto;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (skb_copy_bits(skb, skb->len - alen - 2, nexthdr, 2))
|
if (skb_copy_bits(skb, skb->len - alen - 2, nexthdr, 2))
|
||||||
BUG();
|
BUG();
|
||||||
|
|
||||||
|
@ -741,7 +741,6 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
|
|||||||
static inline int esp_remove_trailer(struct sk_buff *skb)
|
static inline int esp_remove_trailer(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
struct xfrm_state *x = xfrm_input_state(skb);
|
struct xfrm_state *x = xfrm_input_state(skb);
|
||||||
struct xfrm_offload *xo = xfrm_offload(skb);
|
|
||||||
struct crypto_aead *aead = x->data;
|
struct crypto_aead *aead = x->data;
|
||||||
int alen, hlen, elen;
|
int alen, hlen, elen;
|
||||||
int padlen, trimlen;
|
int padlen, trimlen;
|
||||||
@ -753,11 +752,6 @@ static inline int esp_remove_trailer(struct sk_buff *skb)
|
|||||||
hlen = sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead);
|
hlen = sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead);
|
||||||
elen = skb->len - hlen;
|
elen = skb->len - hlen;
|
||||||
|
|
||||||
if (xo && (xo->flags & XFRM_ESP_NO_TRAILER)) {
|
|
||||||
ret = xo->proto;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = skb_copy_bits(skb, skb->len - alen - 2, nexthdr, 2);
|
ret = skb_copy_bits(skb, skb->len - alen - 2, nexthdr, 2);
|
||||||
BUG_ON(ret);
|
BUG_ON(ret);
|
||||||
|
|
||||||
|
@ -117,7 +117,7 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
|
|||||||
|
|
||||||
sp = skb_sec_path(skb);
|
sp = skb_sec_path(skb);
|
||||||
x = sp->xvec[sp->len - 1];
|
x = sp->xvec[sp->len - 1];
|
||||||
if (xo->flags & XFRM_GRO || x->xso.flags & XFRM_OFFLOAD_INBOUND)
|
if (xo->flags & XFRM_GRO || x->xso.dir == XFRM_DEV_OFFLOAD_IN)
|
||||||
return skb;
|
return skb;
|
||||||
|
|
||||||
/* This skb was already validated on the upper/virtual dev */
|
/* This skb was already validated on the upper/virtual dev */
|
||||||
@ -212,7 +212,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
|
|||||||
int err;
|
int err;
|
||||||
struct dst_entry *dst;
|
struct dst_entry *dst;
|
||||||
struct net_device *dev;
|
struct net_device *dev;
|
||||||
struct xfrm_state_offload *xso = &x->xso;
|
struct xfrm_dev_offload *xso = &x->xso;
|
||||||
xfrm_address_t *saddr;
|
xfrm_address_t *saddr;
|
||||||
xfrm_address_t *daddr;
|
xfrm_address_t *daddr;
|
||||||
|
|
||||||
@ -264,15 +264,16 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
|
|||||||
xso->dev = dev;
|
xso->dev = dev;
|
||||||
netdev_tracker_alloc(dev, &xso->dev_tracker, GFP_ATOMIC);
|
netdev_tracker_alloc(dev, &xso->dev_tracker, GFP_ATOMIC);
|
||||||
xso->real_dev = dev;
|
xso->real_dev = dev;
|
||||||
xso->num_exthdrs = 1;
|
|
||||||
/* Don't forward bit that is not implemented */
|
if (xuo->flags & XFRM_OFFLOAD_INBOUND)
|
||||||
xso->flags = xuo->flags & ~XFRM_OFFLOAD_IPV6;
|
xso->dir = XFRM_DEV_OFFLOAD_IN;
|
||||||
|
else
|
||||||
|
xso->dir = XFRM_DEV_OFFLOAD_OUT;
|
||||||
|
|
||||||
err = dev->xfrmdev_ops->xdo_dev_state_add(x);
|
err = dev->xfrmdev_ops->xdo_dev_state_add(x);
|
||||||
if (err) {
|
if (err) {
|
||||||
xso->num_exthdrs = 0;
|
|
||||||
xso->flags = 0;
|
|
||||||
xso->dev = NULL;
|
xso->dev = NULL;
|
||||||
|
xso->dir = 0;
|
||||||
xso->real_dev = NULL;
|
xso->real_dev = NULL;
|
||||||
dev_put_track(dev, &xso->dev_tracker);
|
dev_put_track(dev, &xso->dev_tracker);
|
||||||
|
|
||||||
|
@ -751,7 +751,7 @@ xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool
|
|||||||
|
|
||||||
for (i = 0; i <= net->xfrm.state_hmask; i++) {
|
for (i = 0; i <= net->xfrm.state_hmask; i++) {
|
||||||
struct xfrm_state *x;
|
struct xfrm_state *x;
|
||||||
struct xfrm_state_offload *xso;
|
struct xfrm_dev_offload *xso;
|
||||||
|
|
||||||
hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
|
hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
|
||||||
xso = &x->xso;
|
xso = &x->xso;
|
||||||
@ -835,7 +835,7 @@ int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_vali
|
|||||||
err = -ESRCH;
|
err = -ESRCH;
|
||||||
for (i = 0; i <= net->xfrm.state_hmask; i++) {
|
for (i = 0; i <= net->xfrm.state_hmask; i++) {
|
||||||
struct xfrm_state *x;
|
struct xfrm_state *x;
|
||||||
struct xfrm_state_offload *xso;
|
struct xfrm_dev_offload *xso;
|
||||||
restart:
|
restart:
|
||||||
hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
|
hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
|
||||||
xso = &x->xso;
|
xso = &x->xso;
|
||||||
|
@ -840,7 +840,7 @@ static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb)
|
static int copy_user_offload(struct xfrm_dev_offload *xso, struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
struct xfrm_user_offload *xuo;
|
struct xfrm_user_offload *xuo;
|
||||||
struct nlattr *attr;
|
struct nlattr *attr;
|
||||||
@ -852,7 +852,8 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
|
|||||||
xuo = nla_data(attr);
|
xuo = nla_data(attr);
|
||||||
memset(xuo, 0, sizeof(*xuo));
|
memset(xuo, 0, sizeof(*xuo));
|
||||||
xuo->ifindex = xso->dev->ifindex;
|
xuo->ifindex = xso->dev->ifindex;
|
||||||
xuo->flags = xso->flags;
|
if (xso->dir == XFRM_DEV_OFFLOAD_IN)
|
||||||
|
xuo->flags = XFRM_OFFLOAD_INBOUND;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user