| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 May 2022 13:49:07 +0300
From: Leon Romanovsky <leon@...nel.org>
To: Steffen Klassert <steffen.klassert@...unet.com>,
David Ahern <dsahern@...il.com>
Cc: Leon Romanovsky <leonro@...dia.com>,
"David S . Miller" <davem@...emloft.net>,
Herbert Xu <herbert@...dor.apana.org.au>,
netdev@...r.kernel.org, Raed Salem <raeds@...dia.com>,
ipsec-devel <devel@...ux-ipsec.org>
Subject: [PATCH iproute2-next 3/4] xfrm: add full offload mode to xfrm state
From: Leon Romanovsky <leonro@...dia.com>
Allow users to configure xfrm states with full offload type.
Full offload mode:
ip xfrm state offload full dev <if-name> dir <in|out>
Crypto offload mode:
ip xfrm state offload crypto dev <if-name> dir <in|out>
ip xfrm state offload dev <if-name> dir <in|out>
The latter variant configures crypto offload mode and is needed
to provide backward compatibility.
Signed-off-by: Leon Romanovsky <leonro@...dia.com>
---
ip/ipxfrm.c | 6 ++++--
ip/xfrm_state.c | 16 ++++++++++++++--
man/man8/ip-xfrm.8 | 1 +
3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 1c59596a..5117f483 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -895,8 +895,10 @@ void xfrm_xfrma_print(struct rtattr *tb[], __u16 family,
xuo = (struct xfrm_user_offload *)
RTA_DATA(tb[XFRMA_OFFLOAD_DEV]);
- fprintf(fp, "dev %s dir %s", ll_index_to_name(xuo->ifindex),
- (xuo->flags & XFRM_OFFLOAD_INBOUND) ? "in" : "out");
+ fprintf(fp, "dev %s dir %s mode %s",
+ ll_index_to_name(xuo->ifindex),
+ (xuo->flags & XFRM_OFFLOAD_INBOUND) ? "in" : "out",
+ (xuo->flags & XFRM_OFFLOAD_FULL) ? "full" : "crypto");
fprintf(fp, "%s", _SL_);
}
if (tb[XFRMA_IF_ID]) {
diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index 9b6659a1..44887249 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -61,7 +61,7 @@ static void usage(void)
" [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ]\n"
" [ flag FLAG-LIST ] [ sel SELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ]\n"
" [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]\n"
- " [ offload dev DEV dir DIR ]\n"
+ " [ offload [ crypto | full ] dev DEV dir DIR ]\n"
" [ output-mark OUTPUT-MARK [ mask MASK ] ]\n"
" [ if_id IF_ID ] [ tfcpad LENGTH ]\n"
"Usage: ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]\n"
@@ -312,7 +312,7 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
struct xfrm_user_offload xuo = {};
unsigned int ifindex = 0;
__u8 dir = 0;
- bool is_offload = false;
+ bool is_offload = false, is_full_offload = false;
__u32 replay_window = 0;
__u32 seq = 0, oseq = 0, seq_hi = 0, oseq_hi = 0;
char *idp = NULL;
@@ -430,6 +430,16 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
(void *)&ctx, ctx.sctx.len);
} else if (strcmp(*argv, "offload") == 0) {
NEXT_ARG();
+ /* If user doesn't provide offload mode, treat it as
+ * crypto one for the backward compatibility.
+ */
+ if (strcmp(*argv, "crypto") == 0)
+ NEXT_ARG();
+ else if (strcmp(*argv, "full") == 0) {
+ is_full_offload = true;
+ NEXT_ARG();
+ }
+
if (strcmp(*argv, "dev") == 0) {
NEXT_ARG();
ifindex = ll_name_to_index(*argv);
@@ -613,6 +623,8 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
if (is_offload) {
xuo.ifindex = ifindex;
xuo.flags = dir;
+ if (is_full_offload)
+ xuo.flags |= XFRM_OFFLOAD_FULL;
addattr_l(&req.n, sizeof(req.buf), XFRMA_OFFLOAD_DEV, &xuo,
sizeof(xuo));
}
diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
index 4243a023..e1b8aaab 100644
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@@ -66,6 +66,7 @@ ip-xfrm \- transform configuration
.RB "[ " if_id
.IR IF-ID " ]"
.RB "[ " offload
+.RB "[ " crypto | full " ]"
.RB dev
.IR DEV "
.RB dir
--
2.35.1
Powered by blists - more mailing lists