Make sure the Security Association is using
a 128-bit authentication, since that's the only
size that the hardware offload supports.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 16 +++-
drivers/net/ethernet
Acked-by: Shannon Nelson <shannon.nel...@oracle.com>
---
include/net/xfrm.h | 11 +++--
net/xfrm/xfrm_device.c | 2 ++
net/xfrm/xfrm_policy.c | 66 ++
3 files changed, 72 insertions(+), 7 deletions(-)
diff --git a/include/net/xfrm
On 2/12/2018 9:21 AM, Eyal Birger wrote:
In setups like the following:
Host A --Host B
tun0 -- ipsec -- eth0 -- eth0 -- ipsec -- tun0
where tun0 are tunnel devices using dst_cache (ipip, ipip6, etc...).
Unregistration of an underlying eth0 device leads to the
On 2/7/2018 7:09 AM, James Hogan wrote:
On Fri, Jan 26, 2018 at 01:24:50PM -0800, Jeff Kirsher wrote:
From: Alice Michael
As we have added more flags, we need to now use more
bits and have over flooded the 32 bit size. So
make it 64.
Also change all the existing
On 2/7/2018 3:59 AM, Julian Calaby wrote:
Hi Shannon,
On Wed, Feb 7, 2018 at 6:34 AM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
Add the appropriate SPDX license tags to the Sun network drivers
as outlined in Documentation/process/license-rules.rst.
Signed-off-by: Shannon
Add the appropriate SPDX license tags to the Sun network drivers
as outlined in Documentation/process/license-rules.rst.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/sun/Kconfig | 1 +
drivers/net/ethernet/sun/cassini.c| 1 +
drive
On 2/2/2018 1:08 PM, Tantilov, Emil S wrote:
Just FYI - we looked at the reads and confirmed that there is no functional
bug in the code because as it happens the CX1/SR bits is the only bits that
are read and set and as such we don't lose any data. This of course means
that the read is not
On 2/1/2018 4:34 PM, Tantilov, Emil S wrote:
-Original Message-
From: Intel-wired-lan [mailto:intel-wired-lan-boun...@osuosl.org] On
Behalf Of Shannon Nelson
Sent: Thursday, February 01, 2018 3:46 PM
To: Tantilov, Emil S <emil.s.tanti...@intel.com>
Cc: netdev@vger.kernel.org; intel
if (ret_val)
return ret_val;
The assignments to reg_phy_ext look wrong to me - perhaps those should
be '|=' rather than '='?
sln
--
==========
Shannon Nelson shannon.nel...@oracle.com
Parents can't afford to be squeamish
On 1/29/2018 3:01 PM, Keller, Jacob E wrote:
Hi,
I'm currently investigating how macvlan devices behave in regards to vlan
support, and found some interesting behavior that I am not sure how best to
correct, or what the right path forward is.
If I create a macvlan device:
ip link add link
ed-off-by: Boris Pismeny <bor...@mellanox.com>
Thanks - I was wondering about that a couple of days ago and hadn't
gotten back to it.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
net/xfrm/xfrm_device.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/x
On 1/18/2018 1:06 AM, Yanjun Zhu wrote:
On 2018/1/9 6:47, Shannon Nelson wrote:
Add unlikely() to a few error checking expressions in the Tx
offload handling.
Suggested-by: Yanjun Zhu <yanjun@oracle.com>
Hi,
I am fine with this patch. I have a question. The ipsec feature is
sup
bit.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 39 ++
1 file changed, 27 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
b/drivers/net/ethernet/intel
1:
- Added documentation
Changes from v2:
- Due to Shannon Nelson's request, xfrm_dev_state_add() fails if ESN is
requested and xdo_dev_state_advance_esn() is not implemented
This works for me - thanks!
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
Documentation/networki
These are a couple of tweaks I found while making sure that the ipsec
offload would work on SPARC.
Shannon Nelson (2):
ixgbe: ipsec offload for sparc
ixgbe: use compiler constants in Rx path
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 14 +++---
1 file changed, 7 insertions
Rather than swapping runtime bytes to compare to constants, let the
compiler swap the constants and save a couple of runtuime cycles.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 10 +-
1 file changed, 5 insertions
Add a couple of byteswaps needed to make the ipsec offload
work on big-endian SPARC platforms.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/et
On 1/11/2018 5:51 AM, Aviad Yehezkel wrote:
On 1/11/2018 10:28 AM, Yossi Kuperman wrote:
From: Shannon Nelson [mailto:shannon.nel...@oracle.com]
Sent: Thursday, January 11, 2018 5:21 AM
On 1/10/2018 3:09 PM, Yossi Kuperman wrote:
On 10 Jan 2018, at 19:36, Shannon Nelson
<shannon.
On 1/10/2018 3:09 PM, Yossi Kuperman wrote:
On 10 Jan 2018, at 19:36, Shannon Nelson <shannon.nel...@oracle.com> wrote:
On 1/10/2018 2:34 AM, yoss...@mellanox.com wrote:
From: Yossef Efraim <yoss...@mellanox.com>
This patch adds ESN support to IPsec device offload.
Adding new
On 1/10/2018 2:34 AM, yoss...@mellanox.com wrote:
From: Yossef Efraim
This patch adds ESN support to IPsec device offload.
Adding new xfrm device operation to synchronize device ESN.
Signed-off-by: Yossef Efraim
---
Changes from v1:
- Added
Add unlikely() to a few error checking expressions in the Tx
offload handling.
Suggested-by: Yanjun Zhu <yanjun@oracle.com>
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 8
1 file changed, 4 insertions(+),
Fix a cut-paste error so that we can clean all the table entries.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipse
On 12/22/2017 12:24 AM, Yanjun Zhu wrote:
On 2017/12/20 8:00, Shannon Nelson wrote:
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor struct
Add a couple of stats that aren't in the documentation file
and rework the top description to be a little more readable.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
Documentation/networking/xfrm_proc.txt | 20 ++--
1 file changed, 14 insertions(+), 6 del
Don't try to set up ipsec offload on the oldest part of
the ixgbe family.
Suggested-by: Yanjun Zhu <yanjun@oracle.com>
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 3 +++
1 file changed, 3 insertions(+)
diff --g
On 12/20/2017 11:09 PM, Yanjun Zhu wrote:
On 2017/12/21 14:39, Yanjun Zhu wrote:
On 2017/12/20 7:59, Shannon Nelson wrote:
This is an implementation of the ipsec hardware offload feature for
the ixgbe driver and Intel's 10Gbe series NICs: x540, x550, 82599.
Hi, Nelson
I notice that the ipsec
On 12/20/2017 6:21 PM, Marcelo Ricardo Leitner wrote:
On Wed, Dec 20, 2017 at 05:39:13PM -0800, Shannon Nelson wrote:
On 12/20/2017 5:17 PM, Marcelo Ricardo Leitner wrote:
Hi,
On Tue, Dec 19, 2017 at 03:59:57PM -0800, Shannon Nelson wrote:
+}
+
+static const struct xfrmdev_ops
On 12/20/2017 5:17 PM, Marcelo Ricardo Leitner wrote:
Hi,
On Tue, Dec 19, 2017 at 03:59:57PM -0800, Shannon Nelson wrote:
+}
+
+static const struct xfrmdev_ops ixgbe_xfrmdev_ops = {
+ .xdo_dev_state_add = ixgbe_ipsec_add_sa,
+ .xdo_dev_state_delete = ixgbe_ipsec_del_sa
On 12/20/2017 8:03 AM, Marcelo Ricardo Leitner wrote:
On Tue, Dec 19, 2017 at 03:35:49PM -0800, Shannon Nelson wrote:
There's no reason to define netdev->xfrmdev_ops if
the offload facility is not CONFIG'd in.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
This one
On a chip reset most of the table contents are lost, so must be
restored. This scans the driver's ipsec tables and restores both
the filled and empty table slots to their pre-reset values.
v2: during restore, clean the tables before restarting
Signed-off-by: Shannon Nelson <shannon.
value
Use the addr as __be32
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/Makefile | 1 +
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 6 +
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 161 +
drive
of NETIF_F_HW_CSUM_BIT to NETIF_F_HW_CSUM
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 17 +
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 6 ++
2 files changed, 23 insertions(+)
diff --git a/drivers/net/ethernet
Add in the code for running and stopping the hardware ipsec
encryption/decryption engine. It is good to keep the engine
off when not in use in order to save on the power draw.
v2: add limiter to do-while loop waiting for paths to drain
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.
Clean up the ipsec/macsec descriptor bit definitions to match the rest
of the defines and file organization. Also recognise the bit-definition
overlap in the error mask macro.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_type.
sky kbuild robots
v2: fixes after comments from Alex
Shannon Nelson (10):
ixgbe: clean up ipsec defines
ixgbe: add ipsec register access routines
ixgbe: add ipsec engine start and stop routines
ixgbe: add ipsec data structures
ixgbe: add ipsec offload add and remove SA
ixgbe: restore
Add a simple statistic to count the ipsec offloads.
v2: change per ring counter to adapter rx and tx counters
move tx_ipsec count to the tx clean code
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 ++
drivers/net/et
Set up the data structures to be used by the ipsec offload.
v2: ipaddr[] becomes __be32
increase the hash table size
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 5
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.
If the chip sees and decrypts an ipsec offload, set up the skb
sp pointer with the ralated SA info. Since the chip is rude
enough to keep to itself the table index it used for the
decryption, we have to do our own table lookup, using the
hash for speed.
Signed-off-by: Shannon Nelson <shannon.
move the ixgbe_ipsec_tx() call to near the call to ixgbe_tso()
drop the ipsec packet if the tx offload setup fails
simplify the ixgbe_ipsec_tx() parameters by using 'first'
leave out the ixgbe_tso() changes since we don't support TSO
with ipsec yet.
Signed-off-by: Shannon Nelson
that should be num_tx_sa
change aes_gcm_name to a const array
tighten up the key parsing code
add another label to the init error handling
move table deletion to a separate function
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/i
The current XFRM code assumes that we've implemented the
xdo_dev_state_free() callback, even if it is meaningless to the driver.
This patch adds a check for it before calling, as done in other APIs,
to prevent a NULL function pointer kernel crash.
Signed-off-by: Shannon Nelson <shannon.
from v1:
- removed netdev_err() notes (Steffen)
- fixed build when CONFIG_XFRM_OFFLOAD is off (kbuild robot)
- split into multiple patches (me)
Shannon Nelson (3):
xfrm: check for xdo_dev_state_free
xfrm: check for xdo_dev_ops add and delete
xfrm: wrap xfrmdev_ops with offload config
There's no reason to define netdev->xfrmdev_ops if
the offload facility is not CONFIG'd in.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
include/linux/netdevice.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/netdevice.h b/incl
was setting xfrmdev_ops to
NULL if the NETIF_F_HW_ESP bit was missing, which would probably
surprise the driver later if the driver turned its NETIF_F_HW_ESP bit
back on. We shouldn't be messing with the driver's callback list, so
we stop doing that with this patch.
Signed-off-by: Shannon Nelson
On 12/15/2017 12:10 PM, kbuild test robot wrote:
[...]
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c: In function
'ixgbe_xmit_frame_ring':
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:8563:11: error: 'struct sk_buff'
has no member named 'sp'; did you mean 'sk'?
if (skb->sp &&
There's no reason to define netdev->xfrmdev_ops if
the offload facility is not CONFIG'd in.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
include/linux/netdevice.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/netdevice.h b/incl
The current XFRM code assumes that we've implemented the
xdo_dev_state_free() callback, even if it is meaningless to the driver.
This patch adds a check for it before calling, as done in other APIs,
to prevent a NULL function pointer kernel crash.
Signed-off-by: Shannon Nelson <shannon.
These are a couple of little fixes to the xfrm_offload API to make
life just a little easier for the poor driver developer.
Changes from v1:
- removed netdev_err() notes (Steffen)
- fixed build when CONFIG_XFRM_OFFLOAD is off (kbuild robot)
- split into multiple patches (me)
Shannon Nelson
This adds a check for the required add and delete functions up front
at registration time to be sure both are defined.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
net/xfrm/xfrm_device.c | 16
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git
On 12/13/2017 10:20 PM, Steffen Klassert wrote:
On Mon, Dec 11, 2017 at 12:57:22PM -0800, Shannon Nelson wrote:
The current XFRM code assumes that we've implemented the
xdo_dev_state_free() callback, even if it is meaningless to the driver.
+ if (dev->featu
On 12/12/2017 5:59 PM, Alexander Duyck wrote:
On Tue, Dec 12, 2017 at 3:37 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named
Set up the data structures to be used by the ipsec offload.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
v2: ipaddr[] becomes __be32
increase the hash table size
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 5
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.
to mimic the hardware tables to make it
easier to track what's in the hardware, and the SA table index is used
for the XFRM offload handle. However, there is a hashing field in the
Rx SA tracking that will be used to facilitate faster table searches in
the Rx fast path.
Signed-off-by: Shannon
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor struct.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
v2: use ihl != 5
Add in the code for running and stopping the hardware ipsec
encryption/decryption engine. It is good to keep the engine
off when not in use in order to save on the power draw.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
v2: add limiter to do-while loop waiting for
Add a simple statistic to count the ipsec offloads.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
v2: change per ring counter to adapter rx and tx counters
move tx_ipsec count to the tx clean code
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 ++
drivers/net/et
With all the support code in place we can now link in the ipsec
offload operations and set the ESP feature flag for the XFRM
subsystem to see.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
v2: added the xdo_dev_state_free callback to make XFRM happy
chang
On a chip reset most of the table contents are lost, so must be
restored. This scans the driver's ipsec tables and restores both
the filled and empty table slots to their pre-reset values.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
v2: during restore, clean the tables
Clean up the ipsec/macsec descriptor bit definitions to match the rest
of the defines and file organization. Also recognise the bit-definition
overlap in the error mask macro.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
v2: no changes
drivers/net/ethernet/intel
Add a few routines to make access to the ipsec registers just a little
easier, and throw in the beginnings of an initialization.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
v2: Rx table selector becomes an enum with a shift
Combine the clear table loops into one
If the chip sees and decrypts an ipsec offload, set up the skb
sp pointer with the ralated SA info. Since the chip is rude
enough to keep to itself the table index it used for the
decryption, we have to do our own table lookup, using the
hash for speed.
Signed-off-by: Shannon Nelson <shannon.
d dev eth4 dir in
In both cases, the command "ip x s flush ; ip x p flush" will clean
it all out and remove the offloads.
Lastly, thanks to Alex Duyck for his early comments.
Please see the individual patches for version update info.
Shannon Nelson (10):
ixgbe: clean up ipsec define
Alexey Kodanev <alexey.koda...@oracle.com>
---
v2: * cleanup commit message issues (thanks to Shannon)
Acked-by: Shannon Nelson <shannon.nel...@oracle.com>
* handle the case when we don't have route but have device parameter
* cast new MTU to int and then check the maximum
and delete functions up front
at registration time to be sure both are defined, and complain if not.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
include/net/xfrm.h | 3 ++-
net/xfrm/xfrm_device.c | 18 ++
2 files changed, 16 insertions(+), 5 deletions(-)
On 12/8/2017 3:54 AM, Alexey Kodanev wrote:
On 12/08/2017 10:02 AM, Steffen Klassert wrote:
On Wed, Dec 06, 2017 at 07:38:19PM +0300, Alexey Kodanev wrote:
Since you're planning to do a 2nd version anyway, can we get a couple of
the commit message issues cleaned up?
LTP/udp6_ipsec_vti
On 12/7/2017 1:52 PM, Alexander Duyck wrote:
The reads/writes themselves should be cheap. These kind of things only
get to be really expensive when you start looking at adding delays in
between the writes/reads polling on things. As long as we aren't
waiting milliseconds on things you can
On 12/7/2017 9:16 AM, Alexander Duyck wrote:
On Wed, Dec 6, 2017 at 9:43 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
On 12/5/2017 9:30 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
On a chip reset most
On 12/7/2017 9:56 AM, Alexander Duyck wrote:
You've suggested several things here, all good things to look into,
which I will do, most now, some in the near future.
Thanks!
sln
On Wed, Dec 6, 2017 at 9:43 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
On 12/5/2017 10
On 12/7/2017 8:02 AM, Alexander Duyck wrote:
On Wed, Dec 6, 2017 at 9:43 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
Thanks, Alex, for your detailed comments, I do appreciate the time and
thought you put into them.
Responses below...
sln
On 12/5/2017 8:56 AM, Alexander Duyck
On 12/5/2017 8:22 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
Add in the code for running and stopping the hardware ipsec
encryption/decryption engine. It is good to keep the engine
off when not in use in order t
On 12/5/2017 12:11 PM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
With all the support code in place we can now link in the ipsec
offload operations and set the ESP feature flag for the XFRM
subsystem to see.
Signed-off-by: S
On 12/5/2017 9:40 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
If the chip sees and decrypts an ipsec offload, set up the skb
sp pointer with the ralated SA info. Since the chip is rude
enough to keep to itself the table
On 12/5/2017 11:53 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
Add a simple statistic to count the ipsec offloads.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/i
On 12/5/2017 10:13 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named
On 12/5/2017 9:30 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
On a chip reset most of the table contents are lost, so must be
restored. This scans the driver's ipsec tables and restores both
the filled and empty table
On 12/5/2017 9:26 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
Add the functions for setting up and removing offloaded SAs (Security
Associations) with the x540 hardware. We set up the callback structure
but we don't y
Thanks, Alex, for your detailed comments, I do appreciate the time and
thought you put into them.
Responses below...
sln
On 12/5/2017 8:56 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
Add a few routines to make
On 12/5/2017 9:03 AM, Alexander Duyck wrote:
On Mon, Dec 4, 2017 at 9:35 PM, Shannon Nelson
<shannon.nel...@oracle.com> wrote:
Set up the data structures to be used by the ipsec offload.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/i
With all the support code in place we can now link in the ipsec
offload operations and set the ESP feature flag for the XFRM
subsystem to see.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4
drivers/net/ethernet/intel
Set up the data structures to be used by the ipsec offload.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 5
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h | 40 ++
2 files changed, 45 inse
to mimic the hardware tables to make it
easier to track what's in the hardware, and the SA table index is used
for the XFRM offload handle. However, there is a hashing field in the
Rx SA tracking that will be used to facilitate faster table searches in
the Rx fast path.
Signed-off-by: Shannon
If the skb has a security association referenced in the skb, then
set up the Tx descriptor with the ipsec offload bits. While we're
here, we fix an oddly named field in the context descriptor struct.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel
d dev eth4 dir in
In both cases, the command "ip x s flush ; ip x p flush" will clean
it all out and remove the offloads.
Lastly, thanks to Alex Duyck for his early comments.
Shannon Nelson (10):
ixgbe: clean up ipsec defines
ixgbe: add ipsec register access routines
ixgbe: ad
Add a few routines to make access to the ipsec registers just a little
easier, and throw in the beginnings of an initialization.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/Makefile | 1 +
drivers/net/ethernet/intel/ixgbe/i
Add a simple statistic to count the ipsec offloads.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 1 +
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 28 ++--
drivers/net/ethernet/intel
On a chip reset most of the table contents are lost, so must be
restored. This scans the driver's ipsec tables and restores both
the filled and empty table slots to their pre-reset values.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/i
If the chip sees and decrypts an ipsec offload, set up the skb
sp pointer with the ralated SA info. Since the chip is rude
enough to keep to itself the table index it used for the
decryption, we have to do our own table lookup, using the
hash for speed.
Signed-off-by: Shannon Nelson <shannon.
Clean up the ipsec/macsec descriptor bit definitions to match the rest
of the defines and file organization. Also recognise the bit-definition
overlap in the error mask macro.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_type.
Add in the code for running and stopping the hardware ipsec
encryption/decryption engine. It is good to keep the engine
off when not in use in order to save on the power draw.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
On 12/3/2017 2:16 PM, Yossi Kuperman wrote:
-Original Message-
From: Shannon Nelson [mailto:shannon.nel...@oracle.com]
Sent: Sunday, December 3, 2017 12:11 AM
To: Aviv Heller <av...@mellanox.com>; Steffen Klassert
<steffen.klass...@secunet.com>
Cc: Herbert Xu <herb...@gond
On 12/2/2017 2:33 PM, Yossi Kuperman wrote:
On 1 Dec 2017, at 9:09, Steffen Klassert wrote:
On Tue, Nov 28, 2017 at 07:55:41PM +0200, av...@mellanox.com wrote:
From: Aviv Heller
Adding the state to the offload device prior to replay init
On 12/1/2017 11:47 AM, Shannon Nelson wrote:
On 11/28/2017 9:55 AM, av...@mellanox.com wrote:
From: Aviv Heller <av...@mellanox.com>
Adding the state to the offload device prior to replay init in
xfrm_state_construct() will result in NULL dereference if a matching
ESP packet is re
On 11/30/2017 6:11 AM, Michael S. Tsirkin wrote:
On Thu, Nov 30, 2017 at 10:08:45AM +0200, achiad shochat wrote:
Re. problem #2:
Indeed the best way to address it seems to be to enslave the VF driver
netdev under a persistent anchor netdev.
And it's indeed desired to allow (but not enforce) PV
On 11/28/2017 9:55 AM, av...@mellanox.com wrote:
From: Aviv Heller
Adding the state to the offload device prior to replay init in
xfrm_state_construct() will result in NULL dereference if a matching
ESP packet is received in between.
In order to inhibit driver offload
On 11/28/2017 1:49 AM, yoss...@mellanox.com wrote:
From: Yossef Efraim
This patch adds ESN support to IPsec device offload.
Adding new xfrm device operation to synchronize device ESN.
Signed-off-by: Yossef Efraim
---
include/linux/netdevice.h |
On 11/30/2017 10:23 PM, Steffen Klassert wrote:
On Tue, Nov 28, 2017 at 11:49:30AM +0200, yoss...@mellanox.com wrote:
From: Yossef Efraim
This patch adds ESN support to IPsec device offload.
Adding new xfrm device operation to synchronize device ESN.
Signed-off-by:
Add a writeup on how to use the XFRM device offload API, and
mention this new file in the index.
Signed-off-by: Shannon Nelson <shannon.nel...@oracle.com>
---
Documentation/networking/00-INDEX| 2 +
Documentation/networking/xfrm_device.txt | 132 +++
2
On 11/14/2017 9:03 AM, Shannon Nelson wrote:
On 11/14/2017 2:32 AM, Daniel Axtens wrote:
If a macvlan device which is not in bridge mode receives a packet,
it is sent straight to the lowerdev without checking against the
device's MTU. This also happens for multicast traffic.
Add
(e.g. 1480)
- do not set the MTU lower in the guest (e.g. keep at 1500)
- netperf to a different host with the same high MTU
- observe that currently, the driver will forward too-big packets
- observe that with this patch the packets are dropped
Cc: Shannon Nelson <shannon.nel...@oracle.
to be minor clean-ups
to address the fact that we don't want packets to somehow stray and end up
being transmitted on a queue that is supposed to be in use by a macvlan
instead of the lowerdev itself.
Other than the little misspelling I flagged,
Acked-by: Shannon Nelson <shannon.nel...@oracle.
101 - 200 of 317 matches
Mail list logo