www.infradead.org Git - users/hch/misc.git/commit
net/mlx5e: Properly match IPsec subnet addresses
author Leon Romanovsky <leonro@nvidia.com>
Tue, 4 Mar 2025 16:06:20 +0000 (18:06 +0200)
committer Jakub Kicinski <kuba@kernel.org>
Fri, 7 Mar 2025 01:53:34 +0000 (17:53 -0800)
commit ca7992f52c2cb5ef61fbfa590a2d7c926f290237
tree 30a89b6f0c5bdf513b2368ca585b1b9136322a9a
parent 348ed4b20546b80a67bb87b0fb32397efbae4c87
net/mlx5e: Properly match IPsec subnet addresses

The existing match criteria didn't allow matching a whole subnet,
only specific addresses. This caused tunnel mode not to
forward such traffic through the relevant SA.

In tunnel mode, policies look like this:
src 192.169.0.0/16 dst 192.169.0.0/16
        dir out priority 383615 ptype main
        tmpl src 192.169.101.2 dst 192.169.101.1
                proto esp spi 0xc5141c18 reqid 1 mode tunnel
        crypto offload parameters: dev eth2 mode packet

In this case, the XFRM core code handled all subnet calculations and
forwarded the network address to the drivers, e.g. 192.169.0.0.

For mlx5 devices, there is a need to set the relevant prefix, e.g. 0xFFFF00,
to perform the flow steering match operation.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/20250304160620.417580-7-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
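
The difference between a full-address match and a prefix match on the selector from the commit message, as an added example that is not code from this commit or from the mlx5 driver. All function names are hypothetical, the sample packet address and the IPv6 prefix length are constructed, and the example goes beyond the IPv4 case in the message by also building an IPv6 mask.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper names; not the mlx5 driver's code. Masks are in host
 * order; convert with htonl() before comparing to wire-order addresses. */

/* IPv4 mask from a prefix length. 0 is special-cased because shifting a
 * 32-bit value by 32 is undefined behaviour in C. */
static uint32_t prefix_to_mask4(unsigned int prefix)
{
    if (prefix == 0)
        return 0;
    return prefix >= 32 ? 0xFFFFFFFFu : 0xFFFFFFFFu << (32 - prefix);
}

/* IPv6 mask as four 32-bit words, most significant word first. */
static void prefix_to_mask6(unsigned int prefix, uint32_t mask[4])
{
    for (int i = 0; i < 4; i++) {
        unsigned int bits = prefix > 32 ? 32 : prefix;
        mask[i] = prefix_to_mask4(bits);
        prefix -= bits;
    }
}

/* Masked compare: only bits set in mask take part in the match. */
static int match4(uint32_t pkt, uint32_t value, uint32_t mask)
{
    return (pkt & mask) == (value & mask);
}

static uint32_t ip4(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    return a << 24 | b << 16 | c << 8 | d;
}

int main(void)
{
    uint32_t net = ip4(192, 169, 0, 0); /* selector from the policy above */
    uint32_t pkt = ip4(192, 169, 5, 7); /* constructed sample address */
    uint32_t m6[4];

    printf("full mask:   %d\n", match4(pkt, net, prefix_to_mask4(32)));
    printf("/16 mask:    %d\n", match4(pkt, net, prefix_to_mask4(16)));
    prefix_to_mask6(48, m6); /* constructed IPv6 prefix length */
    for (int i = 0; i < 4; i++)
        printf("%08x%c", (unsigned int)m6[i], i == 3 ? '\n' : ' ');
    return 0;
}
```

With the full mask, a host inside the subnet fails to match the network address, which is the behaviour the commit message describes for tunnel mode before the change.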