Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Steffen Klassert says:

====================
pull request (net-next): ipsec-next 2018-01-26

One last patch for this development cycle:

1) Add ESN support for IPSec HW offload.
From Yossef Efraim.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 8 years ago a81e4aff 5b09179e

+27 -2

5 changed files

expand all

Documentation

networking

xfrm_device.txt

include

linux

netdevice.h

net

xfrm.h

net

xfrm

xfrm_device.c

xfrm_replay.c

Documentation/networking/xfrm_device.txt

··· 41 41 void (*xdo_dev_state_free) (struct xfrm_state *x); 42 42 bool (*xdo_dev_offload_ok) (struct sk_buff *skb, 43 43 struct xfrm_state *x); 44 + void (*xdo_dev_state_advance_esn) (struct xfrm_state *x); 44 45 }; 45 46 46 47 The NIC driver offering ipsec offload will need to implement these ··· 118 117 119 118 hand the packet to napi_gro_receive() as usual 120 119 120 + In ESN mode, xdo_dev_state_advance_esn() is called from xfrm_replay_advance_esn(). 121 + Driver will check packet seq number and update HW ESN state machine if needed. 121 122 122 123 When the SA is removed by the user, the driver's xdo_dev_state_delete() 123 124 is asked to disable the offload. Later, xdo_dev_state_free() is called

include/linux/netdevice.h

··· 851 851 void (*xdo_dev_state_free) (struct xfrm_state *x); 852 852 bool (*xdo_dev_offload_ok) (struct sk_buff *skb, 853 853 struct xfrm_state *x); 854 + void (*xdo_dev_state_advance_esn) (struct xfrm_state *x); 854 855 }; 855 856 #endif 856 857

+12

include/net/xfrm.h

··· 1904 1904 struct xfrm_user_offload *xuo); 1905 1905 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x); 1906 1906 1907 + static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x) 1908 + { 1909 + struct xfrm_state_offload *xso = &x->xso; 1910 + 1911 + if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn) 1912 + xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x); 1913 + } 1914 + 1907 1915 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst) 1908 1916 { 1909 1917 struct xfrm_state *x = dst->xfrm; ··· 1980 1972 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) 1981 1973 { 1982 1974 return false; 1975 + } 1976 + 1977 + static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x) 1978 + { 1983 1979 } 1984 1980 1985 1981 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)

+9 -2

net/xfrm/xfrm_device.c

··· 147 147 if (!x->type_offload) 148 148 return -EINVAL; 149 149 150 - /* We don't yet support UDP encapsulation, TFC padding and ESN. */ 151 - if (x->encap || x->tfcpad || (x->props.flags & XFRM_STATE_ESN)) 150 + /* We don't yet support UDP encapsulation and TFC padding. */ 151 + if (x->encap || x->tfcpad) 152 152 return -EINVAL; 153 153 154 154 dev = dev_get_by_index(net, xuo->ifindex); ··· 176 176 xso->dev = NULL; 177 177 dev_put(dev); 178 178 return 0; 179 + } 180 + 181 + if (x->props.flags & XFRM_STATE_ESN && 182 + !dev->xfrmdev_ops->xdo_dev_state_advance_esn) { 183 + xso->dev = NULL; 184 + dev_put(dev); 185 + return -EINVAL; 179 186 } 180 187 181 188 xso->dev = dev;

net/xfrm/xfrm_replay.c

··· 551 551 bitnr = replay_esn->replay_window - (diff - pos); 552 552 } 553 553 554 + xfrm_dev_state_advance_esn(x); 555 + 554 556 nr = bitnr >> 5; 555 557 bitnr = bitnr & 0x1F; 556 558 replay_esn->bmp[nr] |= (1U << bitnr);