* [PATCH RFC] xfrm: fail to create ixgbe offload of IPsec tunnel mode sa
@ 2020-08-28 11:11 Antony Antony
2020-10-14 14:17 ` [PATCH] ixgbe: fail to create xfrm offload of IPsec tunnel mode SA Antony Antony
0 siblings, 1 reply; 3+ messages in thread
From: Antony Antony @ 2020-08-28 11:11 UTC (permalink / raw)
To: Steffen Klassert, Herbert Xu, David S. Miller; +Cc: Antony Antony, netdev
Based on talks and indirect references ixgbe driver does not
support offloading IPsec tunnel mode. It only support transport mode.
Now explicitly fail to avoid when trying to offload.
Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA")
Signed-off-by: Antony Antony <antony@phenome.org>
---
I haven't tested this fix as I have no access to the hardware.
This patch is based on a libreswan bug report.
https://github.com/libreswan/libreswan/issues/252
Is it useful to this bug report in kernel commit message?
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 5 +++++
drivers/net/ethernet/intel/ixgbevf/ipsec.c | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index eca73526ac86..e2b978efcc5a 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -575,6 +575,11 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
return -EINVAL;
}
+ if (xs->props.mode != XFRM_MODE_TRANSPORT) {
+ netdev_err(dev, "Unsupported mode for ipsec offload\n");
+ return -EINVAL;
+ }
+
if (ixgbe_ipsec_check_mgmt_ip(xs)) {
netdev_err(dev, "IPsec IP addr clash with mgmt filters\n");
return -EINVAL;
diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
index 5170dd9d8705..d11b3f3414ea 100644
--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
@@ -272,6 +272,11 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
return -EINVAL;
}
+ if (xs->props.mode != XFRM_MODE_TRANSPORT) {
+ netdev_err(dev, "Unsupported mode for ipsec offload\n");
+ return -EINVAL;
+ }
+
if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
struct rx_sa rsa;
--
2.21.3
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH] ixgbe: fail to create xfrm offload of IPsec tunnel mode SA
2020-08-28 11:11 [PATCH RFC] xfrm: fail to create ixgbe offload of IPsec tunnel mode sa Antony Antony
@ 2020-10-14 14:17 ` Antony Antony
2020-10-14 18:14 ` Shannon Nelson
0 siblings, 1 reply; 3+ messages in thread
From: Antony Antony @ 2020-10-14 14:17 UTC (permalink / raw)
To: Jesse Brandeburg, Tony Nguyen, David S. Miller, Jakub Kicinski
Cc: Jeff Kirsher, Shannon Nelson, intel-wired-lan, netdev, Steffen Klassert
Based on talks and indirect references ixgbe IPsec offlod do not
support IPsec tunnel mode offload. It can only support IPsec transport
mode offload. Now explicitly fail when creating non transport mode SA
with offload to avoid false performance expectations.
Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA")
Signed-off-by: Antony Antony <antony@phenome.org>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 5 +++++
drivers/net/ethernet/intel/ixgbevf/ipsec.c | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index eca73526ac86..54d47265a7ac 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -575,6 +575,11 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
return -EINVAL;
}
+ if (xs->props.mode != XFRM_MODE_TRANSPORT) {
+ netdev_err(dev, "Unsupported mode for ipsec offload\n");
+ return -EINVAL;
+ }
+
if (ixgbe_ipsec_check_mgmt_ip(xs)) {
netdev_err(dev, "IPsec IP addr clash with mgmt filters\n");
return -EINVAL;
diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
index 5170dd9d8705..caaea2c920a6 100644
--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
@@ -272,6 +272,11 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
return -EINVAL;
}
+ if (xs->props.mode != XFRM_MODE_TRANSPORT) {
+ netdev_err(dev, "Unsupported mode for ipsec offload\n");
+ return -EINVAL;
+ }
+
if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
struct rx_sa rsa;
--
2.21.3
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] ixgbe: fail to create xfrm offload of IPsec tunnel mode SA
2020-10-14 14:17 ` [PATCH] ixgbe: fail to create xfrm offload of IPsec tunnel mode SA Antony Antony
@ 2020-10-14 18:14 ` Shannon Nelson
0 siblings, 0 replies; 3+ messages in thread
From: Shannon Nelson @ 2020-10-14 18:14 UTC (permalink / raw)
To: Antony Antony, Jesse Brandeburg, Tony Nguyen, David S. Miller,
Jakub Kicinski
Cc: Jeff Kirsher, Shannon Nelson, intel-wired-lan, netdev, Steffen Klassert
On 10/14/20 7:17 AM, Antony Antony wrote:
> Based on talks and indirect references ixgbe IPsec offlod do not
> support IPsec tunnel mode offload. It can only support IPsec transport
> mode offload. Now explicitly fail when creating non transport mode SA
> with offload to avoid false performance expectations.
>
> Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA")
> Signed-off-by: Antony Antony <antony@phenome.org>
Acked-by: Shannon Nelson <snelson@pensando.io>
> ---
> drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 5 +++++
> drivers/net/ethernet/intel/ixgbevf/ipsec.c | 5 +++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
> index eca73526ac86..54d47265a7ac 100644
> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
> @@ -575,6 +575,11 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
> return -EINVAL;
> }
>
> + if (xs->props.mode != XFRM_MODE_TRANSPORT) {
> + netdev_err(dev, "Unsupported mode for ipsec offload\n");
> + return -EINVAL;
> + }
> +
> if (ixgbe_ipsec_check_mgmt_ip(xs)) {
> netdev_err(dev, "IPsec IP addr clash with mgmt filters\n");
> return -EINVAL;
> diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
> index 5170dd9d8705..caaea2c920a6 100644
> --- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
> +++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
> @@ -272,6 +272,11 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
> return -EINVAL;
> }
>
> + if (xs->props.mode != XFRM_MODE_TRANSPORT) {
> + netdev_err(dev, "Unsupported mode for ipsec offload\n");
> + return -EINVAL;
> + }
> +
> if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
> struct rx_sa rsa;
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-10-14 18:14 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-28 11:11 [PATCH RFC] xfrm: fail to create ixgbe offload of IPsec tunnel mode sa Antony Antony
2020-10-14 14:17 ` [PATCH] ixgbe: fail to create xfrm offload of IPsec tunnel mode SA Antony Antony
2020-10-14 18:14 ` Shannon Nelson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).