www.infradead.org Git - users/jedix/linux-maple.git/commit
net/mlx5e: Support RX xfrm state selector's UPSPEC for packet offload
author Jianbo Liu <jianbol@nvidia.com>
Thu, 20 Feb 2025 21:39:58 +0000 (23:39 +0200)
committer Jakub Kicinski <kuba@kernel.org>
Tue, 25 Feb 2025 02:14:33 +0000 (18:14 -0800)
commit c69046c3f2dcef3fe65eb771544547286934a865
tree 4a45c4587e391926561a5c4e38e3bde8206210ca
parent 78e77a41e4019bc4538d09a3738180077220fa77
net/mlx5e: Support RX xfrm state selector's UPSPEC for packet offload

Previously, the upper layer matches are added for the decryption rule
when xfrm selector's UPSPEC is specified in the command. However, it's
impossible as packets are not decrypted, and there is no way to do
match on the upper protocol (TCP/UDP) with specific source/destination
port. The result is that packets are not decrypted by hardware because
of this mismatch. Instead, they are forwarded to kernel, and
decryption is done by software.

To resolve this issue, this patch adds a new table (sa_sel) after status
table and before policy table. When UPSPEC's proto is specified in
xfrm state's selector, a rule is added in status table to forward the
decrypted packets to sa_sel table, where the corresponding rule for
selector's UPSPEC is added, and packet's upper headers are checked
there. If matched, they will be forwarded to policy table to do policy
check. Otherwise, they are dropped immediately.

Besides, add a global count for this kind of packet drop.

Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250220213959.504304-9-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_stats.c
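
The table ordering described in the commit message, modelled as an added example (not code from this commit or from the mlx5 driver). All type and function names are hypothetical, and treating 0 as a wildcard for proto and ports is a simplifying assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Conceptual model only, not mlx5 code; every name here is hypothetical. */
enum verdict { TO_POLICY, DROP_SA_SEL, TO_SOFTWARE };
struct upspec { uint8_t proto; uint16_t sport, dport; };   /* 0 = wildcard (assumed) */
struct sa { uint32_t spi; struct upspec sel; };
/* spi sits in the ESP header; proto and ports are readable only after decryption */
struct pkt { uint32_t spi; uint8_t proto; uint16_t sport, dport; };

static bool upspec_match(const struct upspec *s, const struct pkt *p)
{
    return (!s->proto || s->proto == p->proto) &&
           (!s->sport || s->sport == p->sport) &&
           (!s->dport || s->dport == p->dport);
}

/* Before: the UPSPEC matches sat in the decryption rule, where the payload is
 * still ciphertext, so the rule misses and the packet goes to software. */
static enum verdict rx_before(const struct sa *sa, const struct pkt *p)
{
    if (p->spi != sa->spi || sa->sel.proto)
        return TO_SOFTWARE;
    return TO_POLICY;
}

/* After: decrypt on outer fields, then status -> sa_sel -> policy. */
static enum verdict rx_after(const struct sa *sa, const struct pkt *p, unsigned long *drops)
{
    if (p->spi != sa->spi)
        return TO_SOFTWARE;          /* no offloaded SA matches this packet */
    if (!sa->sel.proto)
        return TO_POLICY;            /* status table: no UPSPEC proto set */
    if (upspec_match(&sa->sel, p))
        return TO_POLICY;            /* sa_sel rule hit */
    (*drops)++;                      /* global counter for this kind of drop */
    return DROP_SA_SEL;              /* sa_sel miss: dropped immediately */
}

int main(void)
{
    struct sa sa = { 0x1000, { 6, 0, 443 } };      /* constructed SA: TCP, dport 443 */
    struct pkt udp = { 0x1000, 17, 50000, 443 };   /* right SPI, wrong inner proto */
    unsigned long drops = 0;
    printf("before=%d after=%d\n", rx_before(&sa, &udp), rx_after(&sa, &udp, &drops));
    return 0;
}
```

In this model, a packet that decrypts under the SA but falls outside its selector is dropped and counted rather than handed to the policy table.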