Lines Matching full:ipsec
37 #include <netipsec/ipsec.h>
43 #include <dev/mlx5/mlx5_accel/ipsec.h>
124 struct mlx5e_ipsec_rule kspi_bypass_rule; /*rule for IPSEC bypass*/
326 mlx5_core_err(mdev, "fail to create IPsec miss_group err=%d\n", in ipsec_miss_create()
340 mlx5_core_err(mdev, "fail to create IPsec miss_rule err=%d\n", in ipsec_miss_create()
523 struct mlx5e_ipsec *ipsec = sa_entry->ipsec; in rx_add_rule() local
532 rx = (attrs->family == AF_INET) ? ipsec->rx_ipv4 : ipsec->rx_ipv6; in rx_add_rule()
592 mlx5_core_err(mdev, "fail to add RX ipsec rule err=%d\n", err); in rx_add_rule()
605 "fail to add RX ipsec zero vid rule err=%d\n", in rx_add_rule()
664 mlx5_core_err(mdev, "Fail to add ipsec tx counter rule err=%d\n", err); in ipsec_counter_rule_tx()
685 /* IPsec TX flow steering */
720 mlx5_core_err(mdev, "Fail to add TX roce ipsec rule err=%d\n", in ipsec_tx_roce_rule_setup()
750 mlx5_core_err(mdev, "Fail to create ipsec tx roce ft err=%d\n", in ipsec_tx_create_roce()
762 mlx5_core_err(mdev, "Fail to create ipsec tx roce group err=%d\n", in ipsec_tx_create_roce()
770 mlx5_core_err(mdev, "Fail to create RoCE IPsec tx rules err=%d\n", err); in ipsec_tx_create_roce()
788 * Setting a rule in KSPI table for values that should bypass IPSEC.
791 * tx - IPSEC TX
817 mlx5_core_err(mdev, "Fail to add ipsec kspi bypass rule err=%d\n", in tx_create_kspi_bypass_rules()
823 /* set the rule for packets without ipsec tag. */ in tx_create_kspi_bypass_rules()
830 mlx5_core_err(mdev, "Fail to add ipsec kspi bypass rule err=%d\n", err); in tx_create_kspi_bypass_rules()
949 static int tx_get(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec, in tx_get() argument
966 static void tx_put(struct mlx5e_ipsec *ipsec, struct mlx5e_ipsec_tx *tx) in tx_put() argument
975 struct mlx5e_ipsec *ipsec) in tx_ft_get() argument
977 struct mlx5e_ipsec_tx *tx = ipsec->tx; in tx_ft_get()
981 err = tx_get(mdev, ipsec, tx); in tx_ft_get()
990 struct mlx5e_ipsec *ipsec, in tx_ft_get_policy() argument
993 struct mlx5e_ipsec_tx *tx = ipsec->tx; in tx_ft_get_policy()
998 err = tx_get(mdev, ipsec, tx); in tx_ft_get_policy()
1012 tx_put(ipsec, tx); in tx_ft_get_policy()
1018 static void tx_ft_put_policy(struct mlx5e_ipsec *ipsec, u32 prio) in tx_ft_put_policy() argument
1020 struct mlx5e_ipsec_tx *tx = ipsec->tx; in tx_ft_put_policy()
1026 tx_put(ipsec, tx); in tx_ft_put_policy()
1030 static void tx_ft_put(struct mlx5e_ipsec *ipsec) in tx_ft_put() argument
1032 struct mlx5e_ipsec_tx *tx = ipsec->tx; in tx_ft_put()
1035 tx_put(ipsec, tx); in tx_ft_put()
1042 /* Add IPsec indicator in metadata_reg_a. */ in setup_fte_reg_a_with_tag()
1054 /* Add IPsec indicator in metadata_reg_a. */ in setup_fte_reg_a_no_tag()
1140 mlx5_core_err(mdev, "fail to add TX ipsec kspi rule err=%d\n", err); in tx_add_kspi_rule()
1177 mlx5_core_err(mdev, "fail to add TX ipsec reqid rule err=%d\n", err); in tx_add_reqid_ip_rules()
1193 mlx5_core_err(mdev, "fail to add TX ipsec ip rule err=%d\n", err); in tx_add_reqid_ip_rules()
1212 struct mlx5e_ipsec *ipsec = sa_entry->ipsec; in tx_add_rule() local
1219 tx = tx_ft_get(mdev, ipsec); in tx_add_rule()
1271 tx_ft_put(ipsec); in tx_add_rule()
1279 struct mlx5e_ipsec_tx *tx = pol_entry->ipsec->tx; in tx_add_policy()
1287 ft = tx_ft_get_policy(mdev, pol_entry->ipsec, attrs->prio); in tx_add_policy()
1332 mlx5_core_err(mdev, "fail to add TX ipsec rule err=%d\n", err); in tx_add_policy()
1347 tx_ft_put_policy(pol_entry->ipsec, attrs->prio); in tx_add_policy()
1355 struct mlx5e_ipsec *ipsec = pol_entry->ipsec; in rx_add_policy() local
1364 rx = (attrs->family == AF_INET) ? ipsec->rx_ipv4 : ipsec->rx_ipv6; in rx_add_policy()
1411 "Failed to add RX IPsec policy rule err=%d\n", err); in rx_add_policy()
1424 "Failed to add RX IPsec policy rule err=%d\n", in rx_add_policy()
1444 static void ipsec_fs_destroy_counters(struct mlx5e_ipsec *ipsec) in ipsec_fs_destroy_counters() argument
1446 struct mlx5e_ipsec_rx *rx_ipv4 = ipsec->rx_ipv4; in ipsec_fs_destroy_counters()
1447 struct mlx5_core_dev *mdev = ipsec->mdev; in ipsec_fs_destroy_counters()
1448 struct mlx5e_ipsec_tx *tx = ipsec->tx; in ipsec_fs_destroy_counters()
1458 static int ipsec_fs_init_counters(struct mlx5e_ipsec *ipsec) in ipsec_fs_init_counters() argument
1460 struct mlx5e_ipsec_rx *rx_ipv4 = ipsec->rx_ipv4; in ipsec_fs_init_counters()
1461 struct mlx5e_ipsec_rx *rx_ipv6 = ipsec->rx_ipv6; in ipsec_fs_init_counters()
1462 struct mlx5_core_dev *mdev = ipsec->mdev; in ipsec_fs_init_counters()
1463 struct mlx5e_ipsec_tx *tx = ipsec->tx; in ipsec_fs_init_counters()
1555 "fail to alloc ipsec copy modify_header_id err=%d\n", err); in ipsec_status_rule()
1568 mlx5_core_err(mdev, "fail to add ipsec rx err copy rule err=%d\n", err); in ipsec_status_rule()
1674 mlx5_core_err(mdev, "Fail to add RX roce ipsec rule err=%d\n", in ipsec_roce_rx_rule_setup()
1684 mlx5_core_err(mdev, "Fail to add RX roce ipsec miss rule err=%d\n", in ipsec_roce_rx_rule_setup()
1731 mlx5_core_err(mdev, "Fail to create ipsec rx roce group at nic err=%d\n", err); in ipsec_roce_rx_rules()
1743 mlx5_core_err(mdev, "Fail to create ipsec rx roce miss group at nic err=%d\n", in ipsec_roce_rx_rules()
1774 /* IPsec RoCE RX rules */ in ipsec_fs_rx_catchall_rules()
1779 /* IPsec Rx IP Status table rule */ in ipsec_fs_rx_catchall_rules()
1793 /* IPsec Rx IP policy default miss rule */ in ipsec_fs_rx_catchall_rules()
1865 struct mlx5e_ipsec *ipsec = priv->ipsec; in ipsec_fs_rx_ip_type_catchall_rules_create() local
1880 dst.ft = ipsec->rx_ipv4->ft.pol; in ipsec_fs_rx_ip_type_catchall_rules_create()
1882 rule = mlx5_add_flow_rules(ipsec->rx_ip_type->ft, spec, &flow_act, &dst, 1); in ipsec_fs_rx_ip_type_catchall_rules_create()
1889 ipsec->rx_ip_type->ipv4_rule = rule; in ipsec_fs_rx_ip_type_catchall_rules_create()
1892 dst.ft = ipsec->rx_ipv6->ft.pol; in ipsec_fs_rx_ip_type_catchall_rules_create()
1894 rule = mlx5_add_flow_rules(ipsec->rx_ip_type->ft, spec, &flow_act, &dst, 1); in ipsec_fs_rx_ip_type_catchall_rules_create()
1901 ipsec->rx_ip_type->ipv6_rule = rule; in ipsec_fs_rx_ip_type_catchall_rules_create()
1904 err = ipsec_miss_create(mdev, ipsec->rx_ip_type->ft, &ipsec->rx_ip_type->miss, defdst); in ipsec_fs_rx_ip_type_catchall_rules_create()
1914 mlx5_del_flow_rules(&ipsec->rx_ip_type->ipv6_rule); in ipsec_fs_rx_ip_type_catchall_rules_create()
1916 mlx5_del_flow_rules(&ipsec->rx_ip_type->ipv4_rule); in ipsec_fs_rx_ip_type_catchall_rules_create()
1926 struct mlx5e_ipsec *ipsec = priv->ipsec; in ipsec_fs_rx_ip_type_table_create() local
1931 ft = ipsec_rx_ft_create(ipsec->rx_ip_type->ns, level, 0, 1); in ipsec_fs_rx_ip_type_table_create()
1936 ipsec->rx_ip_type->ft = ft; in ipsec_fs_rx_ip_type_table_create()
1938 priv->fts.ipsec_ft = priv->ipsec->rx_ip_type->ft; in ipsec_fs_rx_ip_type_table_create()
1953 /* IPsec Rx IP SA table create */ in ipsec_fs_rx_table_create()
1961 /* IPsec Rx IP Status table create */ in ipsec_fs_rx_table_create()
1986 /* IPsec RoCE RX tables create*/ in ipsec_fs_rx_table_create()
2007 static void mlx5e_accel_ipsec_fs_init_roce(struct mlx5e_ipsec *ipsec) in mlx5e_accel_ipsec_fs_init_roce() argument
2009 struct mlx5_core_dev *mdev = ipsec->mdev; in mlx5e_accel_ipsec_fs_init_roce()
2012 if ((MLX5_CAP_GEN_2(ipsec->mdev, flow_table_type_2_type) & in mlx5e_accel_ipsec_fs_init_roce()
2018 ns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_RDMA_RX_IPSEC); in mlx5e_accel_ipsec_fs_init_roce()
2024 ipsec->rx_ipv4->roce.ns_rdma = ns; in mlx5e_accel_ipsec_fs_init_roce()
2025 ipsec->rx_ipv6->roce.ns_rdma = ns; in mlx5e_accel_ipsec_fs_init_roce()
2027 ns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_RDMA_TX_IPSEC); in mlx5e_accel_ipsec_fs_init_roce()
2029 ipsec->rx_ipv4->roce.ns_rdma = NULL; in mlx5e_accel_ipsec_fs_init_roce()
2030 ipsec->rx_ipv6->roce.ns_rdma = NULL; in mlx5e_accel_ipsec_fs_init_roce()
2035 ipsec->tx->roce.ns = ns; in mlx5e_accel_ipsec_fs_init_roce()
2060 tx_ft_put(sa_entry->ipsec); in mlx5e_accel_ipsec_fs_del_rule()
2089 ? pol_entry->ipsec->rx_ipv4 in mlx5e_accel_ipsec_fs_del_pol()
2090 : pol_entry->ipsec->rx_ipv6; in mlx5e_accel_ipsec_fs_del_pol()
2100 tx_ft_put_policy(pol_entry->ipsec, pol_entry->attrs.prio); in mlx5e_accel_ipsec_fs_del_pol()
2105 /* Check if IPsec supported */ in mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy()
2106 if (!priv->ipsec) in mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy()
2109 ipsec_fs_rx_ip_type_catchall_rule_destroy(priv->ipsec->rx_ip_type); in mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy()
2110 ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv4); in mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy()
2111 ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv6); in mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy()
2116 struct mlx5e_ipsec *ipsec = priv->ipsec; in mlx5e_accel_ipsec_fs_rx_catchall_rules() local
2120 /* Check if IPsec supported */ in mlx5e_accel_ipsec_fs_rx_catchall_rules()
2121 if (!ipsec) in mlx5e_accel_ipsec_fs_rx_catchall_rules()
2126 err = ipsec_fs_rx_catchall_rules(priv, ipsec->rx_ipv6, &dest); in mlx5e_accel_ipsec_fs_rx_catchall_rules()
2130 err = ipsec_fs_rx_catchall_rules(priv, ipsec->rx_ipv4, &dest); in mlx5e_accel_ipsec_fs_rx_catchall_rules()
2132 ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv6); in mlx5e_accel_ipsec_fs_rx_catchall_rules()
2136 ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv6); in mlx5e_accel_ipsec_fs_rx_catchall_rules()
2137 ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv4); in mlx5e_accel_ipsec_fs_rx_catchall_rules()
2147 struct mlx5e_ipsec *ipsec = priv->ipsec; in mlx5e_accel_ipsec_fs_rx_tables_destroy() local
2149 /* Check if IPsec supported */ in mlx5e_accel_ipsec_fs_rx_tables_destroy()
2150 if (!ipsec) in mlx5e_accel_ipsec_fs_rx_tables_destroy()
2153 mlx5_destroy_flow_table(ipsec->rx_ip_type->ft); in mlx5e_accel_ipsec_fs_rx_tables_destroy()
2154 ipsec_fs_rx_table_destroy(mdev, ipsec->rx_ipv6); in mlx5e_accel_ipsec_fs_rx_tables_destroy()
2155 ipsec_fs_rx_table_destroy(mdev, ipsec->rx_ipv4); in mlx5e_accel_ipsec_fs_rx_tables_destroy()
2160 struct mlx5e_ipsec *ipsec = priv->ipsec; in mlx5e_accel_ipsec_fs_rx_tables_create() local
2163 /* Check if IPsec supported */ in mlx5e_accel_ipsec_fs_rx_tables_create()
2164 if (!ipsec) in mlx5e_accel_ipsec_fs_rx_tables_create()
2171 err = ipsec_fs_rx_table_create(ipsec->mdev, ipsec->rx_ipv4, 1, 0); in mlx5e_accel_ipsec_fs_rx_tables_create()
2175 err = ipsec_fs_rx_table_create(ipsec->mdev, ipsec->rx_ipv6, 5, 1); in mlx5e_accel_ipsec_fs_rx_tables_create()
2182 ipsec_fs_rx_table_destroy(priv->mdev, ipsec->rx_ipv4); in mlx5e_accel_ipsec_fs_rx_tables_create()
2184 mlx5_destroy_flow_table(ipsec->rx_ip_type->ft); in mlx5e_accel_ipsec_fs_rx_tables_create()
2188 void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec) in mlx5e_accel_ipsec_fs_cleanup() argument
2190 WARN_ON(ipsec->tx->ft.refcnt); in mlx5e_accel_ipsec_fs_cleanup()
2191 mutex_destroy(&ipsec->rx_ipv6->ft.mutex); in mlx5e_accel_ipsec_fs_cleanup()
2192 mutex_destroy(&ipsec->rx_ipv4->ft.mutex); in mlx5e_accel_ipsec_fs_cleanup()
2193 mutex_destroy(&ipsec->tx->ft.mutex); in mlx5e_accel_ipsec_fs_cleanup()
2194 ipsec_fs_destroy_counters(ipsec); in mlx5e_accel_ipsec_fs_cleanup()
2195 kfree(ipsec->rx_ip_type); in mlx5e_accel_ipsec_fs_cleanup()
2196 kfree(ipsec->rx_ipv6); in mlx5e_accel_ipsec_fs_cleanup()
2197 kfree(ipsec->rx_ipv4); in mlx5e_accel_ipsec_fs_cleanup()
2198 kfree(ipsec->tx); in mlx5e_accel_ipsec_fs_cleanup()
2201 int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec) in mlx5e_accel_ipsec_fs_init() argument
2206 tns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_EGRESS_IPSEC); in mlx5e_accel_ipsec_fs_init()
2210 rns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_KERNEL); in mlx5e_accel_ipsec_fs_init()
2214 ipsec->tx = kzalloc(sizeof(*ipsec->tx), GFP_KERNEL); in mlx5e_accel_ipsec_fs_init()
2215 if (!ipsec->tx) in mlx5e_accel_ipsec_fs_init()
2218 ipsec->rx_ip_type = kzalloc(sizeof(*ipsec->rx_ip_type), GFP_KERNEL); in mlx5e_accel_ipsec_fs_init()
2219 if (!ipsec->rx_ip_type) in mlx5e_accel_ipsec_fs_init()
2222 ipsec->rx_ipv4 = kzalloc(sizeof(*ipsec->rx_ipv4), GFP_KERNEL); in mlx5e_accel_ipsec_fs_init()
2223 if (!ipsec->rx_ipv4) in mlx5e_accel_ipsec_fs_init()
2226 ipsec->rx_ipv6 = kzalloc(sizeof(*ipsec->rx_ipv6), GFP_KERNEL); in mlx5e_accel_ipsec_fs_init()
2227 if (!ipsec->rx_ipv6) in mlx5e_accel_ipsec_fs_init()
2230 err = ipsec_fs_init_counters(ipsec); in mlx5e_accel_ipsec_fs_init()
2234 ipsec->tx->ns = tns; in mlx5e_accel_ipsec_fs_init()
2235 mutex_init(&ipsec->tx->ft.mutex); in mlx5e_accel_ipsec_fs_init()
2236 ipsec->rx_ip_type->ns = rns; in mlx5e_accel_ipsec_fs_init()
2237 ipsec->rx_ipv4->ns = rns; in mlx5e_accel_ipsec_fs_init()
2238 ipsec->rx_ipv6->ns = rns; in mlx5e_accel_ipsec_fs_init()
2239 mutex_init(&ipsec->rx_ipv4->ft.mutex); in mlx5e_accel_ipsec_fs_init()
2240 mutex_init(&ipsec->rx_ipv6->ft.mutex); in mlx5e_accel_ipsec_fs_init()
2242 mlx5e_accel_ipsec_fs_init_roce(ipsec); in mlx5e_accel_ipsec_fs_init()
2247 kfree(ipsec->rx_ipv6); in mlx5e_accel_ipsec_fs_init()
2249 kfree(ipsec->rx_ipv4); in mlx5e_accel_ipsec_fs_init()
2251 kfree(ipsec->rx_ip_type); in mlx5e_accel_ipsec_fs_init()
2253 kfree(ipsec->tx); in mlx5e_accel_ipsec_fs_init()