lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Aug 2022 13:38:06 +0300 From: Leon Romanovsky <leon@...nel.org> To: Steffen Klassert <steffen.klassert@...unet.com>, "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Saeed Mahameed <saeedm@...dia.com> Cc: Leon Romanovsky <leonro@...dia.com>, Eric Dumazet <edumazet@...gle.com>, netdev@...r.kernel.org, Paolo Abeni <pabeni@...hat.com>, Raed Salem <raeds@...dia.com>, ipsec-devel <devel@...ux-ipsec.org> Subject: [PATCH xfrm-next 18/26] net/mlx5e: Generalize creation of default IPsec miss group and rule From: Leon Romanovsky <leonro@...dia.com> Create general function that sets miss group and rule to forward all not-matched traffic to the next table. Reviewed-by: Raed Salem <raeds@...dia.com> Signed-off-by: Leon Romanovsky <leonro@...dia.com> --- .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 48 +++++++++---------- 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c index 3443638453a9..b3827e024a1d 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c @@ -24,7 +24,6 @@ struct mlx5e_ipsec_miss { struct mlx5e_ipsec_rx { struct mlx5e_ipsec_ft ft; struct mlx5e_ipsec_miss sa; - struct mlx5_flow_destination default_dest; struct mlx5e_ipsec_rule status; }; @@ -64,7 +63,8 @@ static struct mlx5_flow_table *ipsec_ft_create(struct mlx5_core_dev *mdev, } static int ipsec_status_rule(struct mlx5_core_dev *mdev, - struct mlx5e_ipsec_rx *rx) + struct mlx5e_ipsec_rx *rx, + struct mlx5_flow_destination *dest) { u8 action[MLX5_UN_SZ_BYTES(set_add_copy_action_in_auto)] = {}; struct mlx5_flow_act flow_act = {}; @@ -99,8 +99,7 @@ static int ipsec_status_rule(struct mlx5_core_dev *mdev, flow_act.action = MLX5_FLOW_CONTEXT_ACTION_MOD_HDR | MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; flow_act.modify_hdr = modify_hdr; - fte = mlx5_add_flow_rules(rx->ft.status, spec, &flow_act, - &rx->default_dest, 1); + fte = mlx5_add_flow_rules(rx->ft.status, spec, &flow_act, dest, 1); if (IS_ERR(fte)) { err = PTR_ERR(fte); mlx5_core_err(mdev, "fail to add ipsec rx err copy rule err=%d\n", err); @@ -119,12 +118,12 @@ static int ipsec_status_rule(struct mlx5_core_dev *mdev, return err; } -static int rx_fs_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx) +static int ipsec_miss_create(struct mlx5_core_dev *mdev, + struct mlx5_flow_table *ft, + struct mlx5e_ipsec_miss *miss, + struct mlx5_flow_destination *dest) { int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); - struct mlx5_flow_table *ft = rx->ft.sa; - struct mlx5_flow_group *miss_group; - struct mlx5_flow_handle *miss_rule; MLX5_DECLARE_FLOW_ACT(flow_act); struct mlx5_flow_spec *spec; u32 *flow_group_in; @@ -140,24 +139,23 @@ static int rx_fs_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx) /* Create miss_group */ MLX5_SET(create_flow_group_in, flow_group_in, start_flow_index, ft->max_fte - 1); MLX5_SET(create_flow_group_in, flow_group_in, end_flow_index, ft->max_fte - 1); - miss_group = mlx5_create_flow_group(ft, flow_group_in); - if (IS_ERR(miss_group)) { - err = PTR_ERR(miss_group); - mlx5_core_err(mdev, "fail to create ipsec rx miss_group err=%d\n", err); + miss->group = mlx5_create_flow_group(ft, flow_group_in); + if (IS_ERR(miss->group)) { + err = PTR_ERR(miss->group); + mlx5_core_err(mdev, "fail to create IPsec miss_group err=%d\n", + err); goto out; } - rx->sa.group = miss_group; /* Create miss rule */ - miss_rule = - mlx5_add_flow_rules(ft, spec, &flow_act, &rx->default_dest, 1); - if (IS_ERR(miss_rule)) { - mlx5_destroy_flow_group(rx->sa.group); - err = PTR_ERR(miss_rule); - mlx5_core_err(mdev, "fail to create ipsec rx miss_rule err=%d\n", err); + miss->rule = mlx5_add_flow_rules(ft, spec, &flow_act, dest, 1); + if (IS_ERR(miss->rule)) { + mlx5_destroy_flow_group(miss->group); + err = PTR_ERR(miss->rule); + mlx5_core_err(mdev, "fail to create IPsec miss_rule err=%d\n", + err); goto out; } - rx->sa.rule = miss_rule; out: kvfree(flow_group_in); kvfree(spec); @@ -178,12 +176,10 @@ static void rx_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx) static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec, struct mlx5e_ipsec_rx *rx, u32 family) { + struct mlx5_flow_destination dest; struct mlx5_flow_table *ft; int err; - rx->default_dest = - mlx5_ttc_get_default_dest(ipsec->fs->ttc, family2tt(family)); - ft = ipsec_ft_create(mdev, ipsec->fs->ns, MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL, MLX5E_NIC_PRIO, 1, XFRM_DEV_OFFLOAD_IN); @@ -191,7 +187,9 @@ static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec, return PTR_ERR(ft); rx->ft.status = ft; - err = ipsec_status_rule(mdev, rx); + + dest = mlx5_ttc_get_default_dest(ipsec->fs->ttc, family2tt(family)); + err = ipsec_status_rule(mdev, rx, &dest); if (err) goto err_add; @@ -204,7 +202,7 @@ static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec, } rx->ft.sa = ft; - err = rx_fs_create(mdev, rx); + err = ipsec_miss_create(mdev, rx->ft.sa, &rx->sa, &dest); if (err) goto err_fs; -- 2.37.2
Powered by blists - more mailing lists