All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] ixgbe: allow IPsec Tx offload in VEPA mode
@ 2018-10-04 23:28 ` Shannon Nelson
  0 siblings, 0 replies; 4+ messages in thread
From: Shannon Nelson @ 2018-10-04 23:28 UTC (permalink / raw)
  To: intel-wired-lan, jeffrey.t.kirsher; +Cc: netdev

When it's possible that the PF might end up trying to send a
packet to one of its own VFs, we have to forbid IPsec offload
because the device drops the packets into a black hole.
See commit 47b6f50077e6 ("ixgbe: disallow IPsec Tx offload
when in SR-IOV mode") for more info.

This really is only necessary when the device is in the default
VEB mode.  If instead the device is running in VEPA mode,
the packets will go through the encryption engine and out the
MAC/PHY as normal, and get "hairpinned" as needed by the switch.

So let's not block IPsec offload when in VEPA mode.  To get
there with the ixgbe device, use the handy 'bridge' command:
	bridge link set dev eth1 hwmode vepa

Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index fd1b054..4d77f42 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -4,6 +4,7 @@
 #include "ixgbe.h"
 #include <net/xfrm.h>
 #include <crypto/aead.h>
+#include <linux/if_bridge.h>
 
 #define IXGBE_IPSEC_KEY_BITS  160
 static const char aes_gcm_name[] = "rfc4106(gcm(aes))";
@@ -693,7 +694,8 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
 	} else {
 		struct tx_sa tsa;
 
-		if (adapter->num_vfs)
+		if (adapter->num_vfs &&
+		    adapter->bridge_mode != BRIDGE_MODE_VEPA)
 			return -EOPNOTSUPP;
 
 		/* find the first unused index */
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [Intel-wired-lan] [PATCH] ixgbe: allow IPsec Tx offload in VEPA mode
@ 2018-10-04 23:28 ` Shannon Nelson
  0 siblings, 0 replies; 4+ messages in thread
From: Shannon Nelson @ 2018-10-04 23:28 UTC (permalink / raw)
  To: intel-wired-lan

When it's possible that the PF might end up trying to send a
packet to one of its own VFs, we have to forbid IPsec offload
because the device drops the packets into a black hole.
See commit 47b6f50077e6 ("ixgbe: disallow IPsec Tx offload
when in SR-IOV mode") for more info.

This really is only necessary when the device is in the default
VEB mode.  If instead the device is running in VEPA mode,
the packets will go through the encryption engine and out the
MAC/PHY as normal, and get "hairpinned" as needed by the switch.

So let's not block IPsec offload when in VEPA mode.  To get
there with the ixgbe device, use the handy 'bridge' command:
	bridge link set dev eth1 hwmode vepa

Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index fd1b054..4d77f42 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -4,6 +4,7 @@
 #include "ixgbe.h"
 #include <net/xfrm.h>
 #include <crypto/aead.h>
+#include <linux/if_bridge.h>
 
 #define IXGBE_IPSEC_KEY_BITS  160
 static const char aes_gcm_name[] = "rfc4106(gcm(aes))";
@@ -693,7 +694,8 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
 	} else {
 		struct tx_sa tsa;
 
-		if (adapter->num_vfs)
+		if (adapter->num_vfs &&
+		    adapter->bridge_mode != BRIDGE_MODE_VEPA)
 			return -EOPNOTSUPP;
 
 		/* find the first unused index */
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* RE: [Intel-wired-lan] [PATCH] ixgbe: allow IPsec Tx offload in VEPA mode
  2018-10-04 23:28 ` [Intel-wired-lan] " Shannon Nelson
@ 2018-10-22 19:39   ` Bowers, AndrewX
  -1 siblings, 0 replies; 4+ messages in thread
From: Bowers, AndrewX @ 2018-10-22 19:39 UTC (permalink / raw)
  To: intel-wired-lan; +Cc: netdev

> -----Original Message-----
> From: Intel-wired-lan [mailto:intel-wired-lan-bounces@osuosl.org] On
> Behalf Of Shannon Nelson
> Sent: Thursday, October 4, 2018 4:29 PM
> To: intel-wired-lan@lists.osuosl.org; Kirsher, Jeffrey T
> <jeffrey.t.kirsher@intel.com>
> Cc: netdev@vger.kernel.org
> Subject: [Intel-wired-lan] [PATCH] ixgbe: allow IPsec Tx offload in VEPA
> mode
> 
> When it's possible that the PF might end up trying to send a packet to one of
> its own VFs, we have to forbid IPsec offload because the device drops the
> packets into a black hole.
> See commit 47b6f50077e6 ("ixgbe: disallow IPsec Tx offload when in SR-IOV
> mode") for more info.
> 
> This really is only necessary when the device is in the default VEB mode.  If
> instead the device is running in VEPA mode, the packets will go through the
> encryption engine and out the MAC/PHY as normal, and get "hairpinned" as
> needed by the switch.
> 
> So let's not block IPsec offload when in VEPA mode.  To get there with the
> ixgbe device, use the handy 'bridge' command:
> 	bridge link set dev eth1 hwmode vepa
> 
> Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
> ---
>  drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Tested-by: Andrew Bowers <andrewx.bowers@intel.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [Intel-wired-lan] [PATCH] ixgbe: allow IPsec Tx offload in VEPA mode
@ 2018-10-22 19:39   ` Bowers, AndrewX
  0 siblings, 0 replies; 4+ messages in thread
From: Bowers, AndrewX @ 2018-10-22 19:39 UTC (permalink / raw)
  To: intel-wired-lan

> -----Original Message-----
> From: Intel-wired-lan [mailto:intel-wired-lan-bounces at osuosl.org] On
> Behalf Of Shannon Nelson
> Sent: Thursday, October 4, 2018 4:29 PM
> To: intel-wired-lan at lists.osuosl.org; Kirsher, Jeffrey T
> <jeffrey.t.kirsher@intel.com>
> Cc: netdev at vger.kernel.org
> Subject: [Intel-wired-lan] [PATCH] ixgbe: allow IPsec Tx offload in VEPA
> mode
> 
> When it's possible that the PF might end up trying to send a packet to one of
> its own VFs, we have to forbid IPsec offload because the device drops the
> packets into a black hole.
> See commit 47b6f50077e6 ("ixgbe: disallow IPsec Tx offload when in SR-IOV
> mode") for more info.
> 
> This really is only necessary when the device is in the default VEB mode.  If
> instead the device is running in VEPA mode, the packets will go through the
> encryption engine and out the MAC/PHY as normal, and get "hairpinned" as
> needed by the switch.
> 
> So let's not block IPsec offload when in VEPA mode.  To get there with the
> ixgbe device, use the handy 'bridge' command:
> 	bridge link set dev eth1 hwmode vepa
> 
> Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
> ---
>  drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Tested-by: Andrew Bowers <andrewx.bowers@intel.com>



^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-10-23  3:59 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-04 23:28 [PATCH] ixgbe: allow IPsec Tx offload in VEPA mode Shannon Nelson
2018-10-04 23:28 ` [Intel-wired-lan] " Shannon Nelson
2018-10-22 19:39 ` Bowers, AndrewX
2018-10-22 19:39   ` Bowers, AndrewX

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.