Commit b8c697e1 authored by Leon Romanovsky's avatar Leon Romanovsky Committed by Saeed Mahameed
Browse files

net/mlx5e: Support IPsec upper TCP protocol selector 



Support TCP as protocol selector for policy and state in IPsec
packet offload mode.

Example of state configuration is as follows:
  ip xfrm state add src 192.168.25.3 dst 192.168.25.1 \
	proto esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' \
	0x54a7588d36873b031e4bd46301be5a86b3a53879 128 mode transport \
	offload packet dev re0 dir in sel src 192.168.25.3 dst 192.168.25.1 \
	proto tcp dport 9003

Acked-by: default avatarRaed Salem <raeds@nvidia.com>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
parent c338325f

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c

+7 −4
Original line number Diff line number Diff line
@@ -440,8 +440,9 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev, 
		return -EINVAL;

	}



	if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP) {

		NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");

	if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP &&

	    x->sel.proto != IPPROTO_TCP) {

		NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");

		return -EINVAL;

	}
@@ -982,8 +983,10 @@ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev, 
		return -EINVAL;

	}



	if (x->selector.proto != IPPROTO_IP && x->selector.proto != IPPROTO_UDP) {

		NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");

	if (x->selector.proto != IPPROTO_IP &&

	    x->selector.proto != IPPROTO_UDP &&

	    x->selector.proto != IPPROTO_TCP) {

		NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");

		return -EINVAL;

	}

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c

+31 −12
Original line number Diff line number Diff line
@@ -936,23 +936,42 @@ static void setup_fte_reg_c4(struct mlx5_flow_spec *spec, u32 reqid) 


static void setup_fte_upper_proto_match(struct mlx5_flow_spec *spec, struct upspec *upspec)

{

	if (upspec->proto != IPPROTO_UDP)

	switch (upspec->proto) {

	case IPPROTO_UDP:

		if (upspec->dport) {

			MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,

				 udp_dport, upspec->dport_mask);

			MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,

				 udp_dport, upspec->dport);

		}

		if (upspec->sport) {

			MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,

				 udp_sport, upspec->sport_mask);

			MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,

				 udp_sport, upspec->sport);

		}

		break;

	case IPPROTO_TCP:

		if (upspec->dport) {

			MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,

				 tcp_dport, upspec->dport_mask);

			MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,

				 tcp_dport, upspec->dport);

		}

		if (upspec->sport) {

			MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,

				 tcp_sport, upspec->sport_mask);

			MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,

				 tcp_sport, upspec->sport);

		}

		break;

	default:

		return;

	}



	spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;

	MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, ip_protocol);

	MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, ip_protocol, upspec->proto);

	if (upspec->dport) {

		MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_dport,

			 upspec->dport_mask);

		MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_dport, upspec->dport);

	}



	if (upspec->sport) {

		MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_sport,

			 upspec->sport_mask);

		MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_sport, upspec->sport);

	}

}



static enum mlx5_flow_namespace_type ipsec_fs_get_ns(struct mlx5e_ipsec *ipsec,