Commit fa5aa2f8 authored by Paul Blakey's avatar Paul Blakey Committed by Leon Romanovsky

net/mlx5e: Use chains for IPsec policy priority offload

Currently, policy priority field is ignored and so order
of matching is unpredictable.

Use chains for RX/TX policy offload to support the
priority field.
Signed-off-by: default avatarPaul Blakey <paulb@nvidia.com>
Reviewed-by: default avatarRaed Salem <raeds@nvidia.com>
Link: https://lore.kernel.org/r/9ef3ef88858217932696ad413b1b147b799a11be.1678714336.git.leon@kernel.orgSigned-off-by: default avatarLeon Romanovsky <leon@kernel.org>
parent 664eab8a
...@@ -499,7 +499,8 @@ static void mlx5e_xfrm_update_curlft(struct xfrm_state *x) ...@@ -499,7 +499,8 @@ static void mlx5e_xfrm_update_curlft(struct xfrm_state *x)
mlx5e_ipsec_aso_update_curlft(sa_entry, &x->curlft.packets); mlx5e_ipsec_aso_update_curlft(sa_entry, &x->curlft.packets);
} }
static int mlx5e_xfrm_validate_policy(struct xfrm_policy *x, static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
struct xfrm_policy *x,
struct netlink_ext_ack *extack) struct netlink_ext_ack *extack)
{ {
if (x->type != XFRM_POLICY_TYPE_MAIN) { if (x->type != XFRM_POLICY_TYPE_MAIN) {
...@@ -535,6 +536,18 @@ static int mlx5e_xfrm_validate_policy(struct xfrm_policy *x, ...@@ -535,6 +536,18 @@ static int mlx5e_xfrm_validate_policy(struct xfrm_policy *x,
return -EINVAL; return -EINVAL;
} }
if (x->priority) {
if (!(mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_PRIO)) {
NL_SET_ERR_MSG_MOD(extack, "Device does not support policy priority");
return -EINVAL;
}
if (x->priority == U32_MAX) {
NL_SET_ERR_MSG_MOD(extack, "Device does not support requested policy priority");
return -EINVAL;
}
}
return 0; return 0;
} }
...@@ -560,6 +573,7 @@ mlx5e_ipsec_build_accel_pol_attrs(struct mlx5e_ipsec_pol_entry *pol_entry, ...@@ -560,6 +573,7 @@ mlx5e_ipsec_build_accel_pol_attrs(struct mlx5e_ipsec_pol_entry *pol_entry,
attrs->upspec.sport = ntohs(sel->sport); attrs->upspec.sport = ntohs(sel->sport);
attrs->upspec.sport_mask = ntohs(sel->sport_mask); attrs->upspec.sport_mask = ntohs(sel->sport_mask);
attrs->upspec.proto = sel->proto; attrs->upspec.proto = sel->proto;
attrs->prio = x->priority;
} }
static int mlx5e_xfrm_add_policy(struct xfrm_policy *x, static int mlx5e_xfrm_add_policy(struct xfrm_policy *x,
...@@ -576,7 +590,7 @@ static int mlx5e_xfrm_add_policy(struct xfrm_policy *x, ...@@ -576,7 +590,7 @@ static int mlx5e_xfrm_add_policy(struct xfrm_policy *x,
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
err = mlx5e_xfrm_validate_policy(x, extack); err = mlx5e_xfrm_validate_policy(priv->mdev, x, extack);
if (err) if (err)
return err; return err;
......
...@@ -94,6 +94,7 @@ enum mlx5_ipsec_cap { ...@@ -94,6 +94,7 @@ enum mlx5_ipsec_cap {
MLX5_IPSEC_CAP_ESN = 1 << 1, MLX5_IPSEC_CAP_ESN = 1 << 1,
MLX5_IPSEC_CAP_PACKET_OFFLOAD = 1 << 2, MLX5_IPSEC_CAP_PACKET_OFFLOAD = 1 << 2,
MLX5_IPSEC_CAP_ROCE = 1 << 3, MLX5_IPSEC_CAP_ROCE = 1 << 3,
MLX5_IPSEC_CAP_PRIO = 1 << 4,
}; };
struct mlx5e_priv; struct mlx5e_priv;
...@@ -198,6 +199,7 @@ struct mlx5_accel_pol_xfrm_attrs { ...@@ -198,6 +199,7 @@ struct mlx5_accel_pol_xfrm_attrs {
u8 type : 2; u8 type : 2;
u8 dir : 2; u8 dir : 2;
u32 reqid; u32 reqid;
u32 prio;
}; };
struct mlx5e_ipsec_pol_entry { struct mlx5e_ipsec_pol_entry {
......
...@@ -36,11 +36,18 @@ u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev) ...@@ -36,11 +36,18 @@ u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev)
MLX5_CAP_ETH(mdev, insert_trailer) && MLX5_CAP_ETH(mdev, swp)) MLX5_CAP_ETH(mdev, insert_trailer) && MLX5_CAP_ETH(mdev, swp))
caps |= MLX5_IPSEC_CAP_CRYPTO; caps |= MLX5_IPSEC_CAP_CRYPTO;
if (MLX5_CAP_IPSEC(mdev, ipsec_full_offload) && if (MLX5_CAP_IPSEC(mdev, ipsec_full_offload)) {
MLX5_CAP_FLOWTABLE_NIC_TX(mdev, reformat_add_esp_trasport) && if (MLX5_CAP_FLOWTABLE_NIC_TX(mdev,
MLX5_CAP_FLOWTABLE_NIC_RX(mdev, reformat_del_esp_trasport) && reformat_add_esp_trasport) &&
MLX5_CAP_FLOWTABLE_NIC_RX(mdev, decap)) MLX5_CAP_FLOWTABLE_NIC_RX(mdev,
caps |= MLX5_IPSEC_CAP_PACKET_OFFLOAD; reformat_del_esp_trasport) &&
MLX5_CAP_FLOWTABLE_NIC_RX(mdev, decap))
caps |= MLX5_IPSEC_CAP_PACKET_OFFLOAD;
if (MLX5_CAP_FLOWTABLE_NIC_TX(mdev, ignore_flow_level) &&
MLX5_CAP_FLOWTABLE_NIC_RX(mdev, ignore_flow_level))
caps |= MLX5_IPSEC_CAP_PRIO;
}
if (mlx5_get_roce_state(mdev) && if (mlx5_get_roce_state(mdev) &&
MLX5_CAP_GEN_2(mdev, flow_table_type_2_type) & MLX5_FT_NIC_RX_2_NIC_RX_RDMA && MLX5_CAP_GEN_2(mdev, flow_table_type_2_type) & MLX5_FT_NIC_RX_2_NIC_RX_RDMA &&
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment