
Merge branch 'net-mlx5e-move-ipsec-policy-check-after-decryption'

Tariq Toukan says:

====================
net/mlx5e: Move IPSec policy check after decryption

This series by Jianbo adds IPsec policy check after decryption.

In the current mlx5 driver, the policy check is done before decryption for
IPSec crypto and packet offload. This series changes that order to
make it consistent with the processing in kernel xfrm. In addition, RX
states with a UPSPEC selector are supported correctly now that a new
steering table is added after decryption and before the policy check.
====================

Link: https://patch.msgid.link/20250220213959.504304-1-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+571 -107
+2 -2
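--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
@@ -84,9 +84,9 @@
 MLX5E_ARFS_FT_LEVEL = MLX5E_INNER_TTC_FT_LEVEL + 1,
 #endif
 #ifdef CONFIG_MLX5_EN_IPSEC
-MLX5E_ACCEL_FS_POL_FT_LEVEL = MLX5E_INNER_TTC_FT_LEVEL + 1,
-MLX5E_ACCEL_FS_ESP_FT_LEVEL,
+MLX5E_ACCEL_FS_ESP_FT_LEVEL = MLX5E_INNER_TTC_FT_LEVEL + 1,
 MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL,
+MLX5E_ACCEL_FS_POL_FT_LEVEL,
 MLX5E_ACCEL_FS_ESP_FT_ROCE_LEVEL,
 #endif
 };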
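Review bot: The enumerator order inside the CONFIG_MLX5_EN_IPSEC block now appears to be load-bearing, and nothing in the hunk says so: MLX5E_ACCEL_FS_POL_FT_LEVEL has to stay behind MLX5E_ACCEL_FS_ESP_FT_LEVEL and MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL for the policy table to sit after decryption. A one-line comment above the block, for example `/* Keep in RX pipeline order: ESP (decrypt), ESP_ERR, POL (policy check after decryption) */`, would keep a later reorder from quietly moving the policy check back in front of decryption. The same comment would fit the MLX5_ESW_IPSEC_RX_*_FT_LEVEL enum reordered in esw/ipsec_fs.c. The enum itself starts outside the hunk.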
+5
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
··· 128 128 u64 ipsec_rx_bytes; 129 129 u64 ipsec_rx_drop_pkts; 130 130 u64 ipsec_rx_drop_bytes; 131 + u64 ipsec_rx_drop_mismatch_sa_sel; 131 132 u64 ipsec_tx_pkts; 132 133 u64 ipsec_tx_bytes; 133 134 u64 ipsec_tx_drop_pkts; ··· 185 184 struct mutex mutex; /* Protect changes to this struct */ 186 185 struct mlx5_flow_table *pol; 187 186 struct mlx5_flow_table *sa; 187 + struct mlx5_flow_table *sa_sel; 188 188 struct mlx5_flow_table *status; 189 189 u32 refcnt; 190 190 }; ··· 197 195 198 196 struct mlx5e_ipsec_rule { 199 197 struct mlx5_flow_handle *rule; 198 + struct mlx5_flow_handle *status_pass; 199 + struct mlx5_flow_handle *sa_sel; 200 200 struct mlx5_modify_hdr *modify_hdr; 201 201 struct mlx5_pkt_reformat *pkt_reformat; 202 202 struct mlx5_fc *fc; ··· 210 206 struct mlx5e_ipsec_miss { 211 207 struct mlx5_flow_group *group; 212 208 struct mlx5_flow_handle *rule; 209 + struct mlx5_fc *fc; 213 210 }; 214 211 215 212 struct mlx5e_ipsec_tx_create_attr {
+542 -104
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
··· 16 16 #define MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_SIZE 16 17 17 #define IPSEC_TUNNEL_DEFAULT_TTL 0x40 18 18 19 + #define MLX5_IPSEC_FS_SA_SELECTOR_MAX_NUM_GROUPS 16 20 + 21 + enum { 22 + MLX5_IPSEC_ASO_OK, 23 + MLX5_IPSEC_ASO_BAD_REPLY, 24 + 25 + /* For crypto offload, set by driver */ 26 + MLX5_IPSEC_ASO_SW_CRYPTO_OFFLOAD = 0xAA, 27 + }; 28 + 19 29 struct mlx5e_ipsec_fc { 20 30 struct mlx5_fc *cnt; 21 31 struct mlx5_fc *drop; ··· 43 33 }; 44 34 45 35 struct mlx5e_ipsec_status_checks { 36 + struct mlx5_flow_group *pass_group; 37 + struct mlx5_flow_handle *packet_offload_pass_rule; 38 + struct mlx5_flow_handle *crypto_offload_pass_rule; 46 39 struct mlx5_flow_group *drop_all_group; 47 40 struct mlx5e_ipsec_drop all; 48 41 }; ··· 54 41 struct mlx5e_ipsec_ft ft; 55 42 struct mlx5e_ipsec_miss pol; 56 43 struct mlx5e_ipsec_miss sa; 57 - struct mlx5e_ipsec_rule status; 58 - struct mlx5e_ipsec_status_checks status_drops; 44 + struct mlx5e_ipsec_miss sa_sel; 45 + struct mlx5e_ipsec_status_checks status_checks; 59 46 struct mlx5e_ipsec_fc *fc; 60 47 struct mlx5_fs_chains *chains; 48 + struct mlx5_flow_table *pol_miss_ft; 49 + struct mlx5_flow_handle *pol_miss_rule; 61 50 u8 allow_tunnel_mode : 1; 62 51 }; 63 52 ··· 145 130 146 131 static struct mlx5_flow_table *ipsec_ft_create(struct mlx5_flow_namespace *ns, 147 132 int level, int prio, 133 + int num_reserved_entries, 148 134 int max_num_groups, u32 flags) 149 135 { 150 136 struct mlx5_flow_table_attr ft_attr = {}; 151 137 152 - ft_attr.autogroup.num_reserved_entries = 1; 138 + ft_attr.autogroup.num_reserved_entries = num_reserved_entries; 153 139 ft_attr.autogroup.max_num_groups = max_num_groups; 154 140 ft_attr.max_fte = NUM_IPSEC_FTE; 155 141 ft_attr.level = level; ··· 163 147 static void ipsec_rx_status_drop_destroy(struct mlx5e_ipsec *ipsec, 164 148 struct mlx5e_ipsec_rx *rx) 165 149 { 166 - mlx5_del_flow_rules(rx->status_drops.all.rule); 167 - mlx5_fc_destroy(ipsec->mdev, rx->status_drops.all.fc); 168 - 
mlx5_destroy_flow_group(rx->status_drops.drop_all_group); 150 + mlx5_del_flow_rules(rx->status_checks.all.rule); 151 + mlx5_fc_destroy(ipsec->mdev, rx->status_checks.all.fc); 152 + mlx5_destroy_flow_group(rx->status_checks.drop_all_group); 169 153 } 170 154 171 155 static void ipsec_rx_status_pass_destroy(struct mlx5e_ipsec *ipsec, 172 156 struct mlx5e_ipsec_rx *rx) 173 157 { 174 - mlx5_del_flow_rules(rx->status.rule); 158 + mlx5_del_flow_rules(rx->status_checks.packet_offload_pass_rule); 159 + mlx5_del_flow_rules(rx->status_checks.crypto_offload_pass_rule); 160 + } 175 161 176 - if (rx != ipsec->rx_esw) 177 - return; 162 + static void ipsec_rx_rule_add_match_obj(struct mlx5e_ipsec_sa_entry *sa_entry, 163 + struct mlx5e_ipsec_rx *rx, 164 + struct mlx5_flow_spec *spec) 165 + { 166 + struct mlx5e_ipsec *ipsec = sa_entry->ipsec; 178 167 179 - #ifdef CONFIG_MLX5_ESWITCH 180 - mlx5_chains_put_table(esw_chains(ipsec->mdev->priv.eswitch), 0, 1, 0); 181 - #endif 168 + if (rx == ipsec->rx_esw) { 169 + mlx5_esw_ipsec_rx_rule_add_match_obj(sa_entry, spec); 170 + } else { 171 + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, 172 + misc_parameters_2.metadata_reg_c_2); 173 + MLX5_SET(fte_match_param, spec->match_value, 174 + misc_parameters_2.metadata_reg_c_2, 175 + sa_entry->ipsec_obj_id | BIT(31)); 176 + 177 + spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2; 178 + } 182 179 } 183 180 184 181 static int rx_add_rule_drop_auth_trailer(struct mlx5e_ipsec_sa_entry *sa_entry, ··· 229 200 230 201 MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters_2.ipsec_syndrome); 231 202 MLX5_SET(fte_match_param, spec->match_value, misc_parameters_2.ipsec_syndrome, 1); 232 - MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters_2.metadata_reg_c_2); 233 - MLX5_SET(fte_match_param, spec->match_value, 234 - misc_parameters_2.metadata_reg_c_2, 235 - sa_entry->ipsec_obj_id | BIT(31)); 236 203 spec->match_criteria_enable = 
MLX5_MATCH_MISC_PARAMETERS_2; 204 + ipsec_rx_rule_add_match_obj(sa_entry, rx, spec); 237 205 rule = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); 238 206 if (IS_ERR(rule)) { 239 207 err = PTR_ERR(rule); ··· 307 281 308 282 MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters_2.metadata_reg_c_4); 309 283 MLX5_SET(fte_match_param, spec->match_value, misc_parameters_2.metadata_reg_c_4, 1); 310 - MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters_2.metadata_reg_c_2); 311 - MLX5_SET(fte_match_param, spec->match_value, misc_parameters_2.metadata_reg_c_2, 312 - sa_entry->ipsec_obj_id | BIT(31)); 313 284 spec->match_criteria_enable = MLX5_MATCH_MISC_PARAMETERS_2; 285 + ipsec_rx_rule_add_match_obj(sa_entry, rx, spec); 314 286 rule = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1); 315 287 if (IS_ERR(rule)) { 316 288 err = PTR_ERR(rule); ··· 383 359 goto err_rule; 384 360 } 385 361 386 - rx->status_drops.drop_all_group = g; 387 - rx->status_drops.all.rule = rule; 388 - rx->status_drops.all.fc = flow_counter; 362 + rx->status_checks.drop_all_group = g; 363 + rx->status_checks.all.rule = rule; 364 + rx->status_checks.all.fc = flow_counter; 389 365 390 366 kvfree(flow_group_in); 391 367 kvfree(spec); ··· 401 377 return err; 402 378 } 403 379 404 - static int ipsec_rx_status_pass_create(struct mlx5e_ipsec *ipsec, 405 - struct mlx5e_ipsec_rx *rx, 406 - struct mlx5_flow_destination *dest) 380 + static int ipsec_rx_status_pass_group_create(struct mlx5e_ipsec *ipsec, 381 + struct mlx5e_ipsec_rx *rx) 382 + { 383 + int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); 384 + struct mlx5_flow_table *ft = rx->ft.status; 385 + struct mlx5_flow_group *fg; 386 + void *match_criteria; 387 + u32 *flow_group_in; 388 + int err = 0; 389 + 390 + flow_group_in = kvzalloc(inlen, GFP_KERNEL); 391 + if (!flow_group_in) 392 + return -ENOMEM; 393 + 394 + MLX5_SET(create_flow_group_in, flow_group_in, match_criteria_enable, 395 + 
MLX5_MATCH_MISC_PARAMETERS_2); 396 + match_criteria = MLX5_ADDR_OF(create_flow_group_in, flow_group_in, 397 + match_criteria); 398 + MLX5_SET_TO_ONES(fte_match_param, match_criteria, 399 + misc_parameters_2.ipsec_syndrome); 400 + MLX5_SET_TO_ONES(fte_match_param, match_criteria, 401 + misc_parameters_2.metadata_reg_c_4); 402 + 403 + MLX5_SET(create_flow_group_in, flow_group_in, 404 + start_flow_index, ft->max_fte - 3); 405 + MLX5_SET(create_flow_group_in, flow_group_in, 406 + end_flow_index, ft->max_fte - 2); 407 + 408 + fg = mlx5_create_flow_group(ft, flow_group_in); 409 + if (IS_ERR(fg)) { 410 + err = PTR_ERR(fg); 411 + mlx5_core_warn(ipsec->mdev, 412 + "Failed to create rx status pass flow group, err=%d\n", 413 + err); 414 + } 415 + rx->status_checks.pass_group = fg; 416 + 417 + kvfree(flow_group_in); 418 + return err; 419 + } 420 + 421 + static struct mlx5_flow_handle * 422 + ipsec_rx_status_pass_create(struct mlx5e_ipsec *ipsec, 423 + struct mlx5e_ipsec_rx *rx, 424 + struct mlx5_flow_destination *dest, 425 + u8 aso_ok) 407 426 { 408 427 struct mlx5_flow_act flow_act = {}; 409 428 struct mlx5_flow_handle *rule; ··· 455 388 456 389 spec = kvzalloc(sizeof(*spec), GFP_KERNEL); 457 390 if (!spec) 458 - return -ENOMEM; 391 + return ERR_PTR(-ENOMEM); 459 392 460 393 MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, 461 394 misc_parameters_2.ipsec_syndrome); ··· 464 397 MLX5_SET(fte_match_param, spec->match_value, 465 398 misc_parameters_2.ipsec_syndrome, 0); 466 399 MLX5_SET(fte_match_param, spec->match_value, 467 - misc_parameters_2.metadata_reg_c_4, 0); 400 + misc_parameters_2.metadata_reg_c_4, aso_ok); 468 401 if (rx == ipsec->rx_esw) 469 402 spec->flow_context.flow_source = MLX5_FLOW_CONTEXT_FLOW_SOURCE_UPLINK; 470 403 spec->match_criteria_enable = MLX5_MATCH_MISC_PARAMETERS_2; 471 - flow_act.flags = FLOW_ACT_NO_APPEND; 404 + flow_act.flags = FLOW_ACT_NO_APPEND | FLOW_ACT_IGNORE_FLOW_LEVEL; 472 405 flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST | 473 
406 MLX5_FLOW_CONTEXT_ACTION_COUNT; 474 407 rule = mlx5_add_flow_rules(rx->ft.status, spec, &flow_act, dest, 2); ··· 479 412 goto err_rule; 480 413 } 481 414 482 - rx->status.rule = rule; 483 415 kvfree(spec); 484 - return 0; 416 + return rule; 485 417 486 418 err_rule: 487 419 kvfree(spec); 488 - return err; 420 + return ERR_PTR(err); 489 421 } 490 422 491 423 static void mlx5_ipsec_rx_status_destroy(struct mlx5e_ipsec *ipsec, 492 424 struct mlx5e_ipsec_rx *rx) 493 425 { 494 426 ipsec_rx_status_pass_destroy(ipsec, rx); 427 + mlx5_destroy_flow_group(rx->status_checks.pass_group); 495 428 ipsec_rx_status_drop_destroy(ipsec, rx); 496 429 } 497 430 ··· 499 432 struct mlx5e_ipsec_rx *rx, 500 433 struct mlx5_flow_destination *dest) 501 434 { 435 + struct mlx5_flow_destination pol_dest[2]; 436 + struct mlx5_flow_handle *rule; 502 437 int err; 503 438 504 439 err = ipsec_rx_status_drop_all_create(ipsec, rx); 505 440 if (err) 506 441 return err; 507 442 508 - err = ipsec_rx_status_pass_create(ipsec, rx, dest); 443 + err = ipsec_rx_status_pass_group_create(ipsec, rx); 509 444 if (err) 510 - goto err_pass_create; 445 + goto err_pass_group_create; 446 + 447 + rule = ipsec_rx_status_pass_create(ipsec, rx, dest, 448 + MLX5_IPSEC_ASO_SW_CRYPTO_OFFLOAD); 449 + if (IS_ERR(rule)) { 450 + err = PTR_ERR(rule); 451 + goto err_crypto_offload_pass_create; 452 + } 453 + rx->status_checks.crypto_offload_pass_rule = rule; 454 + 455 + pol_dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 456 + pol_dest[0].ft = rx->ft.pol; 457 + pol_dest[1] = dest[1]; 458 + rule = ipsec_rx_status_pass_create(ipsec, rx, pol_dest, 459 + MLX5_IPSEC_ASO_OK); 460 + if (IS_ERR(rule)) { 461 + err = PTR_ERR(rule); 462 + goto err_packet_offload_pass_create; 463 + } 464 + rx->status_checks.packet_offload_pass_rule = rule; 511 465 512 466 return 0; 513 467 514 - err_pass_create: 468 + err_packet_offload_pass_create: 469 + mlx5_del_flow_rules(rx->status_checks.crypto_offload_pass_rule); 470 + 
err_crypto_offload_pass_create: 471 + mlx5_destroy_flow_group(rx->status_checks.pass_group); 472 + err_pass_group_create: 515 473 ipsec_rx_status_drop_destroy(ipsec, rx); 516 474 return err; 517 475 } ··· 585 493 return err; 586 494 } 587 495 496 + static void ipsec_rx_update_default_dest(struct mlx5e_ipsec_rx *rx, 497 + struct mlx5_flow_destination *old_dest, 498 + struct mlx5_flow_destination *new_dest) 499 + { 500 + mlx5_modify_rule_destination(rx->pol_miss_rule, new_dest, old_dest); 501 + mlx5_modify_rule_destination(rx->status_checks.crypto_offload_pass_rule, 502 + new_dest, old_dest); 503 + } 504 + 588 505 static void handle_ipsec_rx_bringup(struct mlx5e_ipsec *ipsec, u32 family) 589 506 { 590 507 struct mlx5e_ipsec_rx *rx = ipsec_rx(ipsec, family, XFRM_DEV_OFFLOAD_PACKET); ··· 608 507 609 508 new_dest.ft = mlx5_ipsec_fs_roce_ft_get(ipsec->roce, family); 610 509 new_dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 611 - mlx5_modify_rule_destination(rx->status.rule, &new_dest, &old_dest); 612 - mlx5_modify_rule_destination(rx->sa.rule, &new_dest, &old_dest); 510 + ipsec_rx_update_default_dest(rx, &old_dest, &new_dest); 613 511 } 614 512 615 513 static void handle_ipsec_rx_cleanup(struct mlx5e_ipsec *ipsec, u32 family) ··· 620 520 old_dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 621 521 new_dest = mlx5_ttc_get_default_dest(mlx5e_fs_get_ttc(ipsec->fs, false), 622 522 family2tt(family)); 623 - mlx5_modify_rule_destination(rx->sa.rule, &new_dest, &old_dest); 624 - mlx5_modify_rule_destination(rx->status.rule, &new_dest, &old_dest); 523 + ipsec_rx_update_default_dest(rx, &old_dest, &new_dest); 625 524 626 525 mlx5_ipsec_fs_roce_rx_destroy(ipsec->roce, family, ipsec->mdev); 627 526 } ··· 676 577 mlx5_ttc_fwd_default_dest(ttc, family2tt(family)); 677 578 } 678 579 679 - static void rx_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec, 680 - struct mlx5e_ipsec_rx *rx, u32 family) 580 + static void ipsec_rx_policy_destroy(struct mlx5e_ipsec_rx *rx) 
681 581 { 682 - /* disconnect */ 683 - if (rx != ipsec->rx_esw) 684 - ipsec_rx_ft_disconnect(ipsec, family); 685 - 686 582 if (rx->chains) { 687 583 ipsec_chains_destroy(rx->chains); 688 584 } else { ··· 685 591 mlx5_destroy_flow_group(rx->pol.group); 686 592 mlx5_destroy_flow_table(rx->ft.pol); 687 593 } 594 + 595 + if (rx->pol_miss_rule) { 596 + mlx5_del_flow_rules(rx->pol_miss_rule); 597 + mlx5_destroy_flow_table(rx->pol_miss_ft); 598 + } 599 + } 600 + 601 + static void ipsec_rx_sa_selector_destroy(struct mlx5_core_dev *mdev, 602 + struct mlx5e_ipsec_rx *rx) 603 + { 604 + mlx5_del_flow_rules(rx->sa_sel.rule); 605 + mlx5_fc_destroy(mdev, rx->sa_sel.fc); 606 + rx->sa_sel.fc = NULL; 607 + mlx5_destroy_flow_group(rx->sa_sel.group); 608 + mlx5_destroy_flow_table(rx->ft.sa_sel); 609 + } 610 + 611 + static void rx_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec, 612 + struct mlx5e_ipsec_rx *rx, u32 family) 613 + { 614 + /* disconnect */ 615 + if (rx != ipsec->rx_esw) 616 + ipsec_rx_ft_disconnect(ipsec, family); 688 617 689 618 mlx5_del_flow_rules(rx->sa.rule); 690 619 mlx5_destroy_flow_group(rx->sa.group); ··· 717 600 mlx5_ipsec_rx_status_destroy(ipsec, rx); 718 601 mlx5_destroy_flow_table(rx->ft.status); 719 602 603 + ipsec_rx_sa_selector_destroy(mdev, rx); 604 + 605 + ipsec_rx_policy_destroy(rx); 606 + 720 607 mlx5_ipsec_fs_roce_rx_destroy(ipsec->roce, family, mdev); 608 + 609 + #ifdef CONFIG_MLX5_ESWITCH 610 + if (rx == ipsec->rx_esw) 611 + mlx5_chains_put_table(esw_chains(ipsec->mdev->priv.eswitch), 612 + 0, 1, 0); 613 + #endif 721 614 } 722 615 723 616 static void ipsec_rx_create_attr_set(struct mlx5e_ipsec *ipsec, ··· 779 652 return 0; 780 653 } 781 654 655 + static void ipsec_rx_sa_miss_dest_get(struct mlx5e_ipsec *ipsec, 656 + struct mlx5e_ipsec_rx *rx, 657 + struct mlx5e_ipsec_rx_create_attr *attr, 658 + struct mlx5_flow_destination *dest, 659 + struct mlx5_flow_destination *miss_dest) 660 + { 661 + if (rx == ipsec->rx_esw) 662 + *miss_dest = 
*dest; 663 + else 664 + *miss_dest = 665 + mlx5_ttc_get_default_dest(attr->ttc, 666 + family2tt(attr->family)); 667 + } 668 + 669 + static void ipsec_rx_default_dest_get(struct mlx5e_ipsec *ipsec, 670 + struct mlx5e_ipsec_rx *rx, 671 + struct mlx5_flow_destination *dest) 672 + { 673 + dest->type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 674 + dest->ft = rx->pol_miss_ft; 675 + } 676 + 782 677 static void ipsec_rx_ft_connect(struct mlx5e_ipsec *ipsec, 783 678 struct mlx5e_ipsec_rx *rx, 784 679 struct mlx5e_ipsec_rx_create_attr *attr) ··· 808 659 struct mlx5_flow_destination dest = {}; 809 660 810 661 dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 811 - dest.ft = rx->ft.pol; 662 + dest.ft = rx->ft.sa; 812 663 mlx5_ttc_fwd_dest(attr->ttc, family2tt(attr->family), &dest); 813 664 } 665 + 666 + static int ipsec_rx_chains_create_miss(struct mlx5e_ipsec *ipsec, 667 + struct mlx5e_ipsec_rx *rx, 668 + struct mlx5e_ipsec_rx_create_attr *attr, 669 + struct mlx5_flow_destination *dest) 670 + { 671 + struct mlx5_flow_table_attr ft_attr = {}; 672 + MLX5_DECLARE_FLOW_ACT(flow_act); 673 + struct mlx5_flow_handle *rule; 674 + struct mlx5_flow_table *ft; 675 + int err; 676 + 677 + if (rx == ipsec->rx_esw) { 678 + /* No need to create miss table for switchdev mode, 679 + * just set it to the root chain table. 
680 + */ 681 + rx->pol_miss_ft = dest->ft; 682 + return 0; 683 + } 684 + 685 + ft_attr.max_fte = 1; 686 + ft_attr.autogroup.max_num_groups = 1; 687 + ft_attr.level = attr->pol_level; 688 + ft_attr.prio = attr->prio; 689 + 690 + ft = mlx5_create_auto_grouped_flow_table(attr->ns, &ft_attr); 691 + if (IS_ERR(ft)) 692 + return PTR_ERR(ft); 693 + 694 + rule = mlx5_add_flow_rules(ft, NULL, &flow_act, dest, 1); 695 + if (IS_ERR(rule)) { 696 + err = PTR_ERR(rule); 697 + goto err_rule; 698 + } 699 + 700 + rx->pol_miss_ft = ft; 701 + rx->pol_miss_rule = rule; 702 + 703 + return 0; 704 + 705 + err_rule: 706 + mlx5_destroy_flow_table(ft); 707 + return err; 708 + } 709 + 710 + static int ipsec_rx_policy_create(struct mlx5e_ipsec *ipsec, 711 + struct mlx5e_ipsec_rx *rx, 712 + struct mlx5e_ipsec_rx_create_attr *attr, 713 + struct mlx5_flow_destination *dest) 714 + { 715 + struct mlx5_flow_destination default_dest; 716 + struct mlx5_core_dev *mdev = ipsec->mdev; 717 + struct mlx5_flow_table *ft; 718 + int err; 719 + 720 + err = ipsec_rx_chains_create_miss(ipsec, rx, attr, dest); 721 + if (err) 722 + return err; 723 + 724 + ipsec_rx_default_dest_get(ipsec, rx, &default_dest); 725 + 726 + if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_PRIO) { 727 + rx->chains = ipsec_chains_create(mdev, 728 + default_dest.ft, 729 + attr->chains_ns, 730 + attr->prio, 731 + attr->sa_level, 732 + &rx->ft.pol); 733 + if (IS_ERR(rx->chains)) 734 + err = PTR_ERR(rx->chains); 735 + } else { 736 + ft = ipsec_ft_create(attr->ns, attr->pol_level, 737 + attr->prio, 1, 2, 0); 738 + if (IS_ERR(ft)) { 739 + err = PTR_ERR(ft); 740 + goto err_out; 741 + } 742 + rx->ft.pol = ft; 743 + 744 + err = ipsec_miss_create(mdev, rx->ft.pol, &rx->pol, 745 + &default_dest); 746 + if (err) 747 + mlx5_destroy_flow_table(rx->ft.pol); 748 + } 749 + 750 + if (!err) 751 + return 0; 752 + 753 + err_out: 754 + if (rx->pol_miss_rule) { 755 + mlx5_del_flow_rules(rx->pol_miss_rule); 756 + mlx5_destroy_flow_table(rx->pol_miss_ft); 757 
+ } 758 + return err; 759 + } 760 + 761 + static int ipsec_rx_sa_selector_create(struct mlx5e_ipsec *ipsec, 762 + struct mlx5e_ipsec_rx *rx, 763 + struct mlx5e_ipsec_rx_create_attr *attr) 764 + { 765 + int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); 766 + struct mlx5_core_dev *mdev = ipsec->mdev; 767 + struct mlx5_flow_act flow_act = {}; 768 + struct mlx5_flow_destination dest; 769 + struct mlx5_flow_handle *rule; 770 + struct mlx5_flow_table *ft; 771 + struct mlx5_flow_group *fg; 772 + u32 *flow_group_in; 773 + struct mlx5_fc *fc; 774 + int err; 775 + 776 + flow_group_in = kvzalloc(inlen, GFP_KERNEL); 777 + if (!flow_group_in) 778 + return -ENOMEM; 779 + 780 + ft = ipsec_ft_create(attr->ns, attr->status_level, attr->prio, 1, 781 + MLX5_IPSEC_FS_SA_SELECTOR_MAX_NUM_GROUPS, 0); 782 + if (IS_ERR(ft)) { 783 + err = PTR_ERR(ft); 784 + mlx5_core_err(mdev, "Failed to create RX SA selector flow table, err=%d\n", 785 + err); 786 + goto err_ft; 787 + } 788 + 789 + MLX5_SET(create_flow_group_in, flow_group_in, start_flow_index, 790 + ft->max_fte - 1); 791 + MLX5_SET(create_flow_group_in, flow_group_in, end_flow_index, 792 + ft->max_fte - 1); 793 + fg = mlx5_create_flow_group(ft, flow_group_in); 794 + if (IS_ERR(fg)) { 795 + err = PTR_ERR(fg); 796 + mlx5_core_err(mdev, "Failed to create RX SA selector miss group, err=%d\n", 797 + err); 798 + goto err_fg; 799 + } 800 + 801 + fc = mlx5_fc_create(mdev, false); 802 + if (IS_ERR(fc)) { 803 + err = PTR_ERR(fc); 804 + mlx5_core_err(mdev, 805 + "Failed to create ipsec RX SA selector miss rule counter, err=%d\n", 806 + err); 807 + goto err_cnt; 808 + } 809 + 810 + dest.type = MLX5_FLOW_DESTINATION_TYPE_COUNTER; 811 + dest.counter = fc; 812 + flow_act.action = 813 + MLX5_FLOW_CONTEXT_ACTION_COUNT | MLX5_FLOW_CONTEXT_ACTION_DROP; 814 + 815 + rule = mlx5_add_flow_rules(ft, NULL, &flow_act, &dest, 1); 816 + if (IS_ERR(rule)) { 817 + err = PTR_ERR(rule); 818 + mlx5_core_err(mdev, "Failed to create RX SA selector miss drop rule, 
err=%d\n", 819 + err); 820 + goto err_rule; 821 + } 822 + 823 + rx->ft.sa_sel = ft; 824 + rx->sa_sel.group = fg; 825 + rx->sa_sel.fc = fc; 826 + rx->sa_sel.rule = rule; 827 + 828 + kvfree(flow_group_in); 829 + 830 + return 0; 831 + 832 + err_rule: 833 + mlx5_fc_destroy(mdev, fc); 834 + err_cnt: 835 + mlx5_destroy_flow_group(fg); 836 + err_fg: 837 + mlx5_destroy_flow_table(ft); 838 + err_ft: 839 + kvfree(flow_group_in); 840 + return err; 841 + } 842 + 843 + /* The decryption processing is as follows: 844 + * 845 + * +----------+ +-------------+ 846 + * | | | | 847 + * | Kernel <--------------+----------+ policy miss <------------+ 848 + * | | ^ | | ^ 849 + * +----^-----+ | +-------------+ | 850 + * | crypto | 851 + * miss offload ok allow/default 852 + * ^ ^ ^ 853 + * | | packet | 854 + * +----+---------+ +----+-------------+ offload ok +------+---+ 855 + * | | | | (no UPSPEC) | | 856 + * | SA (decrypt) +-----> status +--->------->----+ policy | 857 + * | | | | | | 858 + * +--------------+ ++---------+-------+ +-^----+---+ 859 + * | | | | 860 + * v packet +-->->---+ v 861 + * | offload ok match | 862 + * fails (with UPSPEC) | block 863 + * | | +-------------+-+ | 864 + * v v | | miss v 865 + * drop +---> SA sel +--------->drop 866 + * | | 867 + * +---------------+ 868 + */ 814 869 815 870 static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec, 816 871 struct mlx5e_ipsec_rx *rx, u32 family) 817 872 { 873 + struct mlx5_flow_destination dest[2], miss_dest; 818 874 struct mlx5e_ipsec_rx_create_attr attr; 819 - struct mlx5_flow_destination dest[2]; 820 875 struct mlx5_flow_table *ft; 821 876 u32 flags = 0; 822 877 int err; ··· 1031 678 if (err) 1032 679 return err; 1033 680 1034 - ft = ipsec_ft_create(attr.ns, attr.status_level, attr.prio, 3, 0); 681 + ft = ipsec_ft_create(attr.ns, attr.status_level, attr.prio, 3, 4, 0); 1035 682 if (IS_ERR(ft)) { 1036 683 err = PTR_ERR(ft); 1037 684 goto err_fs_ft_status; 1038 685 } 1039 686 rx->ft.status = ft; 687 + 
688 + err = ipsec_rx_sa_selector_create(ipsec, rx, &attr); 689 + if (err) 690 + goto err_fs_ft_sa_sel; 691 + 692 + /* Create FT */ 693 + if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL) 694 + rx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev); 695 + if (rx->allow_tunnel_mode) 696 + flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT; 697 + ft = ipsec_ft_create(attr.ns, attr.sa_level, attr.prio, 1, 2, flags); 698 + if (IS_ERR(ft)) { 699 + err = PTR_ERR(ft); 700 + goto err_fs_ft; 701 + } 702 + rx->ft.sa = ft; 703 + 704 + ipsec_rx_sa_miss_dest_get(ipsec, rx, &attr, &dest[0], &miss_dest); 705 + err = ipsec_miss_create(mdev, rx->ft.sa, &rx->sa, &miss_dest); 706 + if (err) 707 + goto err_fs; 708 + 709 + err = ipsec_rx_policy_create(ipsec, rx, &attr, &dest[0]); 710 + if (err) 711 + goto err_policy; 1040 712 1041 713 dest[1].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER; 1042 714 dest[1].counter = rx->fc->cnt; ··· 1069 691 if (err) 1070 692 goto err_add; 1071 693 1072 - /* Create FT */ 1073 - if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL) 1074 - rx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev); 1075 - if (rx->allow_tunnel_mode) 1076 - flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT; 1077 - ft = ipsec_ft_create(attr.ns, attr.sa_level, attr.prio, 2, flags); 1078 - if (IS_ERR(ft)) { 1079 - err = PTR_ERR(ft); 1080 - goto err_fs_ft; 1081 - } 1082 - rx->ft.sa = ft; 1083 - 1084 - err = ipsec_miss_create(mdev, rx->ft.sa, &rx->sa, dest); 1085 - if (err) 1086 - goto err_fs; 1087 - 1088 - if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_PRIO) { 1089 - rx->chains = ipsec_chains_create(mdev, rx->ft.sa, 1090 - attr.chains_ns, 1091 - attr.prio, 1092 - attr.pol_level, 1093 - &rx->ft.pol); 1094 - if (IS_ERR(rx->chains)) { 1095 - err = PTR_ERR(rx->chains); 1096 - goto err_pol_ft; 1097 - } 1098 - 1099 - goto connect; 1100 - } 1101 - 1102 - ft = ipsec_ft_create(attr.ns, attr.pol_level, attr.prio, 2, 0); 1103 - if (IS_ERR(ft)) { 1104 - err = PTR_ERR(ft); 1105 - goto err_pol_ft; 
1106 - } 1107 - rx->ft.pol = ft; 1108 - memset(dest, 0x00, 2 * sizeof(*dest)); 1109 - dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 1110 - dest[0].ft = rx->ft.sa; 1111 - err = ipsec_miss_create(mdev, rx->ft.pol, &rx->pol, dest); 1112 - if (err) 1113 - goto err_pol_miss; 1114 - 1115 - connect: 1116 694 /* connect */ 1117 695 if (rx != ipsec->rx_esw) 1118 696 ipsec_rx_ft_connect(ipsec, rx, &attr); 1119 697 return 0; 1120 698 1121 - err_pol_miss: 1122 - mlx5_destroy_flow_table(rx->ft.pol); 1123 - err_pol_ft: 699 + err_add: 700 + ipsec_rx_policy_destroy(rx); 701 + err_policy: 1124 702 mlx5_del_flow_rules(rx->sa.rule); 1125 703 mlx5_destroy_flow_group(rx->sa.group); 1126 704 err_fs: 1127 705 mlx5_destroy_flow_table(rx->ft.sa); 1128 - err_fs_ft: 1129 706 if (rx->allow_tunnel_mode) 1130 707 mlx5_eswitch_unblock_encap(mdev); 1131 - mlx5_ipsec_rx_status_destroy(ipsec, rx); 1132 - err_add: 708 + err_fs_ft: 709 + ipsec_rx_sa_selector_destroy(mdev, rx); 710 + err_fs_ft_sa_sel: 1133 711 mlx5_destroy_flow_table(rx->ft.status); 1134 712 err_fs_ft_status: 1135 713 mlx5_ipsec_fs_roce_rx_destroy(ipsec->roce, family, mdev); ··· 1275 941 int err; 1276 942 1277 943 ipsec_tx_create_attr_set(ipsec, tx, &attr); 1278 - ft = ipsec_ft_create(tx->ns, attr.cnt_level, attr.prio, 1, 0); 944 + ft = ipsec_ft_create(tx->ns, attr.cnt_level, attr.prio, 1, 1, 0); 1279 945 if (IS_ERR(ft)) 1280 946 return PTR_ERR(ft); 1281 947 tx->ft.status = ft; ··· 1288 954 tx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev); 1289 955 if (tx->allow_tunnel_mode) 1290 956 flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT; 1291 - ft = ipsec_ft_create(tx->ns, attr.sa_level, attr.prio, 4, flags); 957 + ft = ipsec_ft_create(tx->ns, attr.sa_level, attr.prio, 1, 4, flags); 1292 958 if (IS_ERR(ft)) { 1293 959 err = PTR_ERR(ft); 1294 960 goto err_sa_ft; ··· 1316 982 goto connect_roce; 1317 983 } 1318 984 1319 - ft = ipsec_ft_create(tx->ns, attr.pol_level, attr.prio, 2, 0); 985 + ft = ipsec_ft_create(tx->ns, attr.pol_level, 
attr.prio, 1, 2, 0); 1320 986 if (IS_ERR(ft)) { 1321 987 err = PTR_ERR(ft); 1322 988 goto err_pol_ft; ··· 1674 1340 MLX5_ACTION_TYPE_SET); 1675 1341 MLX5_SET(set_action_in, action[2], field, 1676 1342 MLX5_ACTION_IN_FIELD_METADATA_REG_C_4); 1677 - MLX5_SET(set_action_in, action[2], data, 0); 1343 + MLX5_SET(set_action_in, action[2], data, 1344 + MLX5_IPSEC_ASO_SW_CRYPTO_OFFLOAD); 1678 1345 MLX5_SET(set_action_in, action[2], offset, 0); 1679 1346 MLX5_SET(set_action_in, action[2], length, 32); 1680 1347 } ··· 1911 1576 return 0; 1912 1577 } 1913 1578 1579 + static int rx_add_rule_sa_selector(struct mlx5e_ipsec_sa_entry *sa_entry, 1580 + struct mlx5e_ipsec_rx *rx, 1581 + struct upspec *upspec) 1582 + { 1583 + struct mlx5e_ipsec *ipsec = sa_entry->ipsec; 1584 + struct mlx5_core_dev *mdev = ipsec->mdev; 1585 + struct mlx5_flow_destination dest[2]; 1586 + struct mlx5_flow_act flow_act = {}; 1587 + struct mlx5_flow_handle *rule; 1588 + struct mlx5_flow_spec *spec; 1589 + int err = 0; 1590 + 1591 + spec = kvzalloc(sizeof(*spec), GFP_KERNEL); 1592 + if (!spec) 1593 + return -ENOMEM; 1594 + 1595 + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, 1596 + misc_parameters_2.ipsec_syndrome); 1597 + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, 1598 + misc_parameters_2.metadata_reg_c_4); 1599 + MLX5_SET(fte_match_param, spec->match_value, 1600 + misc_parameters_2.ipsec_syndrome, 0); 1601 + MLX5_SET(fte_match_param, spec->match_value, 1602 + misc_parameters_2.metadata_reg_c_4, 0); 1603 + spec->match_criteria_enable = MLX5_MATCH_MISC_PARAMETERS_2; 1604 + 1605 + ipsec_rx_rule_add_match_obj(sa_entry, rx, spec); 1606 + 1607 + flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST | 1608 + MLX5_FLOW_CONTEXT_ACTION_COUNT; 1609 + flow_act.flags = FLOW_ACT_IGNORE_FLOW_LEVEL; 1610 + dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 1611 + dest[0].ft = rx->ft.sa_sel; 1612 + dest[1].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER; 1613 + dest[1].counter = rx->fc->cnt; 1614 + 1615 
+ rule = mlx5_add_flow_rules(rx->ft.status, spec, &flow_act, dest, 2); 1616 + if (IS_ERR(rule)) { 1617 + err = PTR_ERR(rule); 1618 + mlx5_core_err(mdev, 1619 + "Failed to add ipsec rx pass rule, err=%d\n", 1620 + err); 1621 + goto err_add_status_pass_rule; 1622 + } 1623 + 1624 + sa_entry->ipsec_rule.status_pass = rule; 1625 + 1626 + MLX5_SET(fte_match_param, spec->match_criteria, 1627 + misc_parameters_2.ipsec_syndrome, 0); 1628 + MLX5_SET(fte_match_param, spec->match_criteria, 1629 + misc_parameters_2.metadata_reg_c_4, 0); 1630 + 1631 + setup_fte_upper_proto_match(spec, upspec); 1632 + 1633 + flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; 1634 + dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 1635 + dest[0].ft = rx->ft.pol; 1636 + 1637 + rule = mlx5_add_flow_rules(rx->ft.sa_sel, spec, &flow_act, &dest[0], 1); 1638 + if (IS_ERR(rule)) { 1639 + err = PTR_ERR(rule); 1640 + mlx5_core_err(mdev, 1641 + "Failed to add ipsec rx sa selector rule, err=%d\n", 1642 + err); 1643 + goto err_add_sa_sel_rule; 1644 + } 1645 + 1646 + sa_entry->ipsec_rule.sa_sel = rule; 1647 + 1648 + kvfree(spec); 1649 + return 0; 1650 + 1651 + err_add_sa_sel_rule: 1652 + mlx5_del_flow_rules(sa_entry->ipsec_rule.status_pass); 1653 + err_add_status_pass_rule: 1654 + kvfree(spec); 1655 + return err; 1656 + } 1657 + 1914 1658 static int rx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry) 1915 1659 { 1916 1660 struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs; ··· 2022 1608 if (!attrs->encap) 2023 1609 setup_fte_esp(spec); 2024 1610 setup_fte_no_frags(spec); 2025 - setup_fte_upper_proto_match(spec, &attrs->upspec); 2026 1611 2027 1612 if (!attrs->drop) { 2028 1613 if (rx != ipsec->rx_esw) ··· 2069 1656 mlx5_core_err(mdev, "fail to add RX ipsec rule err=%d\n", err); 2070 1657 goto err_add_flow; 2071 1658 } 1659 + 1660 + if (attrs->upspec.proto && attrs->type == XFRM_DEV_OFFLOAD_PACKET) { 1661 + err = rx_add_rule_sa_selector(sa_entry, rx, &attrs->upspec); 1662 + if (err) 1663 + goto 
err_add_sa_sel; 1664 + } 1665 + 2072 1666 if (attrs->type == XFRM_DEV_OFFLOAD_PACKET) 2073 1667 err = rx_add_rule_drop_replay(sa_entry, rx); 2074 1668 if (err) ··· 2099 1679 mlx5_fc_destroy(mdev, sa_entry->ipsec_rule.replay.fc); 2100 1680 } 2101 1681 err_add_replay: 1682 + if (sa_entry->ipsec_rule.sa_sel) { 1683 + mlx5_del_flow_rules(sa_entry->ipsec_rule.sa_sel); 1684 + mlx5_del_flow_rules(sa_entry->ipsec_rule.status_pass); 1685 + } 1686 + err_add_sa_sel: 2102 1687 mlx5_del_flow_rules(rule); 2103 1688 err_add_flow: 2104 1689 mlx5_fc_destroy(mdev, counter); ··· 2348 1923 flow_act.flags |= FLOW_ACT_NO_APPEND; 2349 1924 if (rx == ipsec->rx_esw && rx->chains) 2350 1925 flow_act.flags |= FLOW_ACT_IGNORE_FLOW_LEVEL; 2351 - dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; 2352 - dest[dstn].ft = rx->ft.sa; 1926 + ipsec_rx_default_dest_get(ipsec, rx, &dest[dstn]); 2353 1927 dstn++; 2354 1928 rule = mlx5_add_flow_rules(ft, spec, &flow_act, dest, dstn); 2355 1929 if (IS_ERR(rule)) { ··· 2485 2061 stats->ipsec_rx_bytes = 0; 2486 2062 stats->ipsec_rx_drop_pkts = 0; 2487 2063 stats->ipsec_rx_drop_bytes = 0; 2064 + stats->ipsec_rx_drop_mismatch_sa_sel = 0; 2488 2065 stats->ipsec_tx_pkts = 0; 2489 2066 stats->ipsec_tx_bytes = 0; 2490 2067 stats->ipsec_tx_drop_pkts = 0; ··· 2495 2070 mlx5_fc_query(mdev, fc->cnt, &stats->ipsec_rx_pkts, &stats->ipsec_rx_bytes); 2496 2071 mlx5_fc_query(mdev, fc->drop, &stats->ipsec_rx_drop_pkts, 2497 2072 &stats->ipsec_rx_drop_bytes); 2073 + if (ipsec->rx_ipv4->sa_sel.fc) 2074 + mlx5_fc_query(mdev, ipsec->rx_ipv4->sa_sel.fc, 2075 + &stats->ipsec_rx_drop_mismatch_sa_sel, &bytes); 2498 2076 2499 2077 fc = ipsec->tx->fc; 2500 2078 mlx5_fc_query(mdev, fc->cnt, &stats->ipsec_tx_pkts, &stats->ipsec_tx_bytes); ··· 2526 2098 stats->ipsec_tx_drop_pkts += packets; 2527 2099 stats->ipsec_tx_drop_bytes += bytes; 2528 2100 } 2101 + 2102 + if (ipsec->rx_esw->sa_sel.fc && 2103 + !mlx5_fc_query(mdev, ipsec->rx_esw->sa_sel.fc, 2104 + &packets, &bytes)) 2105 + 
stats->ipsec_rx_drop_mismatch_sa_sel += packets; 2529 2106 } 2530 2107 } 2531 2108 ··· 2627 2194 2628 2195 mlx5_del_flow_rules(ipsec_rule->auth.rule); 2629 2196 mlx5_fc_destroy(mdev, ipsec_rule->auth.fc); 2197 + 2198 + if (ipsec_rule->sa_sel) { 2199 + mlx5_del_flow_rules(ipsec_rule->sa_sel); 2200 + mlx5_del_flow_rules(ipsec_rule->status_pass); 2201 + } 2630 2202 2631 2203 if (ipsec_rule->replay.rule) { 2632 2204 mlx5_del_flow_rules(ipsec_rule->replay.rule);
+1
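--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_stats.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_stats.c
@@ -42,6 +42,7 @@
 	{ MLX5E_DECLARE_STAT(struct mlx5e_ipsec_hw_stats, ipsec_rx_bytes) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_ipsec_hw_stats, ipsec_rx_drop_pkts) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_ipsec_hw_stats, ipsec_rx_drop_bytes) },
+	{ MLX5E_DECLARE_STAT(struct mlx5e_ipsec_hw_stats, ipsec_rx_drop_mismatch_sa_sel) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_ipsec_hw_stats, ipsec_tx_pkts) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_ipsec_hw_stats, ipsec_tx_bytes) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_ipsec_hw_stats, ipsec_tx_drop_pkts) },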
+14 -1
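--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
@@ -10,9 +10,9 @@
 #endif
 
 enum {
-	MLX5_ESW_IPSEC_RX_POL_FT_LEVEL,
 	MLX5_ESW_IPSEC_RX_ESP_FT_LEVEL,
 	MLX5_ESW_IPSEC_RX_ESP_FT_CHK_LEVEL,
+	MLX5_ESW_IPSEC_RX_POL_FT_LEVEL,
 };
 
 enum {
@@ -83,6 +83,19 @@
 err_header_alloc:
 	xa_erase_bh(&ipsec->ipsec_obj_id_map, mapped_id);
 	return err;
+}
+
+void mlx5_esw_ipsec_rx_rule_add_match_obj(struct mlx5e_ipsec_sa_entry *sa_entry,
+					  struct mlx5_flow_spec *spec)
+{
+	MLX5_SET(fte_match_param, spec->match_criteria,
+		 misc_parameters_2.metadata_reg_c_1,
+		 ESW_IPSEC_RX_MAPPED_ID_MATCH_MASK);
+	MLX5_SET(fte_match_param, spec->match_value,
+		 misc_parameters_2.metadata_reg_c_1,
+		 sa_entry->rx_mapped_id << ESW_ZONE_ID_BITS);
+
+	spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2;
 }
 
 void mlx5_esw_ipsec_rx_id_mapping_remove(struct mlx5e_ipsec_sa_entry *sa_entry)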
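Review bot: `mlx5_esw_ipsec_rx_rule_add_match_obj()` is added without a comment, and the criteria it sets are wider than the value it fills in. The criteria use `ESW_IPSEC_RX_MAPPED_ID_MATCH_MASK`, which covers bits `ESW_ZONE_ID_BITS` through `31 - ESW_RESERVED_BITS` of `metadata_reg_c_1`, while the value is only `sa_entry->rx_mapped_id << ESW_ZONE_ID_BITS`. Going by the existing eswitch.h comment that the mapped id reuses tun_opts when tun_id is 0, the rule presumably also requires the tun_id bits to be zero; I would state that above the function, e.g. `/* Match reg_c_1 on the SA's mapped id; the mask also spans the tun_id bits, so they must be 0. */`. The helper also depends on `rx_mapped_id` fitting in `ESW_IPSEC_RX_MAPPED_ID_MASK`, and the allocation that bounds it lies outside this hunk, so that invariant is worth noting in the same comment.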
+5
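--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.h
@@ -20,6 +20,8 @@
 void mlx5_esw_ipsec_tx_create_attr_set(struct mlx5e_ipsec *ipsec,
 				       struct mlx5e_ipsec_tx_create_attr *attr);
 void mlx5_esw_ipsec_restore_dest_uplink(struct mlx5_core_dev *mdev);
+void mlx5_esw_ipsec_rx_rule_add_match_obj(struct mlx5e_ipsec_sa_entry *sa_entry,
+					  struct mlx5_flow_spec *spec);
 #else
 static inline void mlx5_esw_ipsec_rx_create_attr_set(struct mlx5e_ipsec *ipsec,
 						     struct mlx5e_ipsec_rx_create_attr *attr) {}
@@ -48,5 +50,8 @@
 						     struct mlx5e_ipsec_tx_create_attr *attr) {}
 
 static inline void mlx5_esw_ipsec_restore_dest_uplink(struct mlx5_core_dev *mdev) {}
+static inline void
+mlx5_esw_ipsec_rx_rule_add_match_obj(struct mlx5e_ipsec_sa_entry *sa_entry,
+				     struct mlx5_flow_spec *spec) {}
 #endif /* CONFIG_MLX5_ESWITCH */
 #endif /* __MLX5_ESW_IPSEC_FS_H__ */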
+2
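--- a/include/linux/mlx5/eswitch.h
+++ b/include/linux/mlx5/eswitch.h
@@ -147,6 +147,8 @@
 
 /* reuse tun_opts for the mapped ipsec obj id when tun_id is 0 (invalid) */
 #define ESW_IPSEC_RX_MAPPED_ID_MASK GENMASK(ESW_TUN_OPTS_BITS - 1, 0)
+#define ESW_IPSEC_RX_MAPPED_ID_MATCH_MASK \
+	GENMASK(31 - ESW_RESERVED_BITS, ESW_ZONE_ID_BITS)
 
 u8 mlx5_eswitch_mode(const struct mlx5_core_dev *dev);
 u16 mlx5_eswitch_get_total_vports(const struct mlx5_core_dev *dev);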