From: Leon Romanovsky <leon@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: Leon Romanovsky <leonro@nvidia.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, Saeed Mahameed <saeedm@nvidia.com>,
Raed Salem <raeds@nvidia.com>, Emeel Hakim <ehakim@nvidia.com>,
Simon Horman <simon.horman@corigine.com>
Subject: [PATCH net-next v1 08/10] net/mlx5: Allow blocking encap changes in eswitch
Date: Thu, 13 Apr 2023 15:29:26 +0300 [thread overview]
Message-ID: <47dc63412a5c0b8b60ff4127a54d709845b4e4de.1681388425.git.leonro@nvidia.com> (raw)
In-Reply-To: <cover.1681388425.git.leonro@nvidia.com>
From: Leon Romanovsky <leonro@nvidia.com>
Existing eswitch encap option enables header encapsulation. Unfortunately
currently available hardware isn't able to perform double encapsulation,
which can happen once IPsec packet offload tunnel mode is used together
with encap mode set to BASIC.
So as a solution for misconfiguration, provide an option to block encap
changes, which will be used for IPsec packet offload.
Reviewed-by: Emeel Hakim <ehakim@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.h | 14 ++++++
.../mellanox/mlx5/core/eswitch_offloads.c | 48 +++++++++++++++++++
2 files changed, 62 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
index 19e9a77c4633..e9d68fdf68f5 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
@@ -263,6 +263,7 @@ struct mlx5_esw_offload {
const struct mlx5_eswitch_rep_ops *rep_ops[NUM_REP_TYPES];
u8 inline_mode;
atomic64_t num_flows;
+ u64 num_block_encap;
enum devlink_eswitch_encap_mode encap;
struct ida vport_metadata_ida;
unsigned int host_number; /* ECPF supports one external host */
@@ -748,6 +749,9 @@ void mlx5_eswitch_offloads_destroy_single_fdb(struct mlx5_eswitch *master_esw,
struct mlx5_eswitch *slave_esw);
int mlx5_eswitch_reload_reps(struct mlx5_eswitch *esw);
+bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev);
+void mlx5_eswitch_unblock_encap(struct mlx5_core_dev *dev);
+
static inline int mlx5_eswitch_num_vfs(struct mlx5_eswitch *esw)
{
if (mlx5_esw_allowed(esw))
@@ -761,6 +765,7 @@ mlx5_eswitch_get_slow_fdb(struct mlx5_eswitch *esw)
{
return esw->fdb_table.offloads.slow_fdb;
}
+
#else /* CONFIG_MLX5_ESWITCH */
/* eswitch API stubs */
static inline int mlx5_eswitch_init(struct mlx5_core_dev *dev) { return 0; }
@@ -805,6 +810,15 @@ mlx5_eswitch_reload_reps(struct mlx5_eswitch *esw)
{
return 0;
}
+
+static inline bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev)
+{
+ return true;
+}
+
+static inline void mlx5_eswitch_unblock_encap(struct mlx5_core_dev *dev)
+{
+}
#endif /* CONFIG_MLX5_ESWITCH */
#endif /* __MLX5_ESWITCH_H__ */
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index 48036dfddd5e..b6e2709c1371 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -3586,6 +3586,47 @@ int mlx5_devlink_eswitch_inline_mode_get(struct devlink *devlink, u8 *mode)
return err;
}
+bool mlx5_eswitch_block_encap(struct mlx5_core_dev *dev)
+{
+ struct devlink *devlink = priv_to_devlink(dev);
+ struct mlx5_eswitch *esw;
+
+ devl_lock(devlink);
+ esw = mlx5_devlink_eswitch_get(devlink);
+ if (IS_ERR(esw)) {
+ devl_unlock(devlink);
+ /* Failure means no eswitch => not possible to change encap */
+ return true;
+ }
+
+ down_write(&esw->mode_lock);
+ if (esw->mode != MLX5_ESWITCH_LEGACY &&
+ esw->offloads.encap != DEVLINK_ESWITCH_ENCAP_MODE_NONE) {
+ up_write(&esw->mode_lock);
+ devl_unlock(devlink);
+ return false;
+ }
+
+ esw->offloads.num_block_encap++;
+ up_write(&esw->mode_lock);
+ devl_unlock(devlink);
+ return true;
+}
+
+void mlx5_eswitch_unblock_encap(struct mlx5_core_dev *dev)
+{
+ struct devlink *devlink = priv_to_devlink(dev);
+ struct mlx5_eswitch *esw;
+
+ esw = mlx5_devlink_eswitch_get(devlink);
+ if (IS_ERR(esw))
+ return;
+
+ down_write(&esw->mode_lock);
+ esw->offloads.num_block_encap--;
+ up_write(&esw->mode_lock);
+}
+
int mlx5_devlink_eswitch_encap_mode_set(struct devlink *devlink,
enum devlink_eswitch_encap_mode encap,
struct netlink_ext_ack *extack)
@@ -3627,6 +3668,13 @@ int mlx5_devlink_eswitch_encap_mode_set(struct devlink *devlink,
goto unlock;
}
+ if (esw->offloads.num_block_encap) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Can't set encapsulation when IPsec SA and/or policies are configured");
+ err = -EOPNOTSUPP;
+ goto unlock;
+ }
+
esw_destroy_offloads_fdb_tables(esw);
esw->offloads.encap = encap;
--
2.39.2
next prev parent reply other threads:[~2023-04-13 12:30 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-13 12:29 [PATCH net-next v1 00/10] Support tunnel mode in mlx5 IPsec packet offload Leon Romanovsky
2023-04-13 12:29 ` [PATCH net-next v1 01/10] net/mlx5e: Add IPsec packet offload tunnel bits Leon Romanovsky
2023-04-13 12:29 ` [PATCH net-next v1 02/10] net/mlx5e: Check IPsec packet offload tunnel capabilities Leon Romanovsky
2023-04-13 12:29 ` [PATCH net-next v1 03/10] net/mlx5e: Configure IPsec SA tables to support tunnel mode Leon Romanovsky
2023-04-13 12:29 ` [PATCH net-next v1 04/10] net/mlx5e: Prepare IPsec packet reformat code for " Leon Romanovsky
2023-04-14 22:40 ` Samudrala, Sridhar
2023-04-15 8:49 ` Leon Romanovsky
2023-04-17 13:32 ` Simon Horman
2023-04-13 12:29 ` [PATCH net-next v1 05/10] net/mlx5e: Support IPsec RX packet offload in " Leon Romanovsky
2023-04-17 13:33 ` Simon Horman
2023-04-13 12:29 ` [PATCH net-next v1 06/10] net/mlx5e: Support IPsec TX " Leon Romanovsky
2023-04-17 13:23 ` Simon Horman
2023-04-18 6:48 ` Leon Romanovsky
2023-04-18 7:09 ` Simon Horman
2023-04-18 7:58 ` Leon Romanovsky
2023-04-13 12:29 ` [PATCH net-next v1 07/10] net/mlx5e: Listen to ARP events to update IPsec L2 headers " Leon Romanovsky
2023-04-17 13:34 ` Simon Horman
2023-04-13 12:29 ` Leon Romanovsky [this message]
2023-04-17 13:34 ` [PATCH net-next v1 08/10] net/mlx5: Allow blocking encap changes in eswitch Simon Horman
2023-04-13 12:29 ` [PATCH net-next v1 09/10] net/mlx5e: Create IPsec table with tunnel support only when encap is disabled Leon Romanovsky
2023-04-17 13:35 ` Simon Horman
2023-04-13 12:29 ` [PATCH net-next v1 10/10] net/mlx5e: Accept tunnel mode for IPsec packet offload Leon Romanovsky
2023-04-17 13:36 ` Simon Horman
2023-04-16 14:41 ` [PATCH net-next v1 00/10] Support tunnel mode in mlx5 " Samudrala, Sridhar
2023-04-17 4:05 ` Jakub Kicinski
2023-04-17 13:10 ` Simon Horman
2023-04-17 13:38 ` Simon Horman
2023-04-17 17:58 ` Leon Romanovsky
2023-04-17 19:25 ` Jakub Kicinski
2023-04-18 2:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47dc63412a5c0b8b60ff4127a54d709845b4e4de.1681388425.git.leonro@nvidia.com \
--to=leon@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=ehakim@nvidia.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=leonro@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=raeds@nvidia.com \
--cc=saeedm@nvidia.com \
--cc=simon.horman@corigine.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).