xref: /freebsd/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c (revision 3a56015a2f5d630910177fa79a522bb95511ccf7)
1 /*-
2  * Copyright (c) 2023 NVIDIA corporation & affiliates.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS `AS IS' AND
14  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16  * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
17  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23  * SUCH DAMAGE.
24  *
25  */
26 
27 #include "opt_ipsec.h"
28 
29 #include <sys/types.h>
30 #include <netinet/in.h>
31 #include <sys/socket.h>
32 #include <sys/param.h>
33 #include <sys/systm.h>
34 #include <net/pfkeyv2.h>
35 #include <netipsec/key_var.h>
36 #include <netipsec/keydb.h>
37 #include <netipsec/ipsec.h>
38 #include <netipsec/xform.h>
39 #include <netipsec/ipsec_offload.h>
40 #include <dev/mlx5/fs.h>
41 #include <dev/mlx5/mlx5_en/en.h>
42 #include <dev/mlx5/qp.h>
43 #include <dev/mlx5/mlx5_accel/ipsec.h>
44 #include <dev/mlx5/mlx5_core/fs_core.h>
45 #include <dev/mlx5/mlx5_core/fs_chains.h>
46 
47 /*
48  * TX tables are organized differently for Ethernet and for RoCE:
49  *
50  *                       +=========+
51  *       Ethernet Tx     | SA KSPI | match
52  * --------------------->|Flowtable|----->+         +
53  *                       |         |\     |        / \
54  *                       +=========+ |    |       /   \         +=========+     +=========+
55  *                              miss |    |      /     \        |  Status |     |         |
56  *                      DROP<--------+    |---->|Encrypt|------>|Flowtable|---->|  TX NS  |
57  *                                        |      \     /        |         |     |         |
58  *                                        |       \   /         +=========+     +=========+
59  *       +=========+      +=========+     |        \ /               |
60  *  RoCE |  Policy | match|SA ReqId |match|         +                |
61  *  Tx   |Flowtable|----->|Flowtable|---->+                          |
62  *  ---->|IP header|      |ReqId+IP |                                |
63  *       |         |      | header  |--------------------------------+
64  *       +=========+      +=========+         miss                   |
65  *            |                                                      |
66  *            |                   miss                               |
67  *            +-------------------------------------------------------
68  *
69  *                                                                                  +=========+
70  *                                                                                  |   RDMA  |
71  *                                                                                  |Flowtable|
72  *                                                                                  |         |
73  * Rx Tables and rules:                                                             +=========+
74  *                                             +                                        /
75  *       +=========+      +=========+         / \         +=========+      +=========+ /match
76  *       |  Policy |      |   SA    |        /   \        |  Status |      |  RoCE   |/
77  *  ---->|Flowtable| match|Flowtable| match /     \       |Flowtable|----->|Flowtable|
78  *       |IP header|----->|IP header|----->|Decrypt|----->|         |      | Roce V2 |
79  *       |         |      |+ESP+SPI |       \     /       |         |      | UDP port|\
80  *       +=========+      +=========+        \   /        +=========+      +=========+ \miss
81  *             |               |              \ /                                       \
82  *             |               |               +                                      +=========+
83  *             |     miss      |          miss                                       | Ethernet|
84  *             +--------------->---------------------------------------------------->|  RX NS  |
85  *                                                                                   |         |
86  *                                                                                   +=========+
87  *
88  */
89 
90 #define NUM_IPSEC_FTE BIT(15)
91 #define IPSEC_TUNNEL_DEFAULT_TTL 0x40
92 
93 struct mlx5e_ipsec_fc {
94 	struct mlx5_fc *cnt;
95 	struct mlx5_fc *drop;
96 };
97 
98 struct mlx5e_ipsec_ft {
99 	struct mutex mutex; /* Protect changes to this struct */
100 	struct mlx5_flow_table *pol;
101 	struct mlx5_flow_table *sa_kspi;
102 	struct mlx5_flow_table *sa;
103 	struct mlx5_flow_table *status;
104 	u32 refcnt;
105 };
106 
107 struct mlx5e_ipsec_tx_roce {
108 	struct mlx5_flow_group *g;
109 	struct mlx5_flow_table *ft;
110 	struct mlx5_flow_handle *rule;
111 	struct mlx5_flow_namespace *ns;
112 };
113 
114 struct mlx5e_ipsec_miss {
115 	struct mlx5_flow_group *group;
116 	struct mlx5_flow_handle *rule;
117 };
118 
119 struct mlx5e_ipsec_tx {
120 	struct mlx5e_ipsec_ft ft;
121 	struct mlx5e_ipsec_miss pol;
122 	struct mlx5e_ipsec_miss kspi_miss;
123 	struct mlx5e_ipsec_rule status;
124 	struct mlx5e_ipsec_rule kspi_bypass_rule; /*rule for IPSEC bypass*/
125 	struct mlx5_flow_namespace *ns;
126 	struct mlx5e_ipsec_fc *fc;
127 	struct mlx5_fs_chains *chains;
128 	struct mlx5e_ipsec_tx_roce roce;
129 };
130 
131 struct mlx5e_ipsec_rx_roce {
132 	struct mlx5_flow_group *g;
133 	struct mlx5_flow_table *ft;
134 	struct mlx5_flow_handle *rule;
135 	struct mlx5e_ipsec_miss roce_miss;
136 
137 	struct mlx5_flow_table *ft_rdma;
138 	struct mlx5_flow_namespace *ns_rdma;
139 };
140 
141 struct mlx5e_ipsec_rx {
142 	struct mlx5e_ipsec_ft ft;
143 	struct mlx5e_ipsec_miss pol;
144 	struct mlx5e_ipsec_miss sa;
145 	struct mlx5e_ipsec_rule status;
146 	struct mlx5_flow_namespace *ns;
147 	struct mlx5e_ipsec_fc *fc;
148 	struct mlx5_fs_chains *chains;
149 	struct mlx5e_ipsec_rx_roce roce;
150 };
151 
152 static void setup_fte_reg_a_with_tag(struct mlx5_flow_spec *spec,
153                                      u16 kspi);
154 static void setup_fte_reg_a_no_tag(struct mlx5_flow_spec *spec);
155 
156 static void setup_fte_no_frags(struct mlx5_flow_spec *spec)
157 {
158 	/* Non fragmented */
159 	spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
160 
161 	MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.frag);
162 	MLX5_SET(fte_match_param, spec->match_value, outer_headers.frag, 0);
163 }
164 
165 static void setup_fte_esp(struct mlx5_flow_spec *spec)
166 {
167 	/* ESP header */
168 	spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
169 
170 	MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip_protocol);
171 	MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_protocol, IPPROTO_ESP);
172 }
173 
174 static void setup_fte_spi(struct mlx5_flow_spec *spec, u32 spi, bool encap)
175 {
176 	/* SPI number */
177 	spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS;
178 
179 	if (encap) {
180 		MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters.inner_esp_spi);
181 		MLX5_SET(fte_match_param, spec->match_value, misc_parameters.inner_esp_spi, spi);
182 	} else {
183 		MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, misc_parameters.outer_esp_spi);
184 		MLX5_SET(fte_match_param, spec->match_value, misc_parameters.outer_esp_spi, spi);
185 	}
186 }
187 
188 static void
189 setup_fte_vid(struct mlx5_flow_spec *spec, u16 vid)
190 {
191 	/* virtual lan tag */
192 	spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
193 
194 	MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
195 	    outer_headers.cvlan_tag);
196 	MLX5_SET(fte_match_param, spec->match_value,
197 	    outer_headers.cvlan_tag, 1);
198 	MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
199 	    outer_headers.first_vid);
200 	MLX5_SET(fte_match_param, spec->match_value, outer_headers.first_vid,
201 	    vid);
202 }
203 
204 static void
205 clear_fte_vid(struct mlx5_flow_spec *spec)
206 {
207 	MLX5_SET(fte_match_param, spec->match_criteria,
208 	    outer_headers.cvlan_tag, 0);
209 	MLX5_SET(fte_match_param, spec->match_value,
210 	    outer_headers.cvlan_tag, 0);
211 	MLX5_SET(fte_match_param, spec->match_criteria,
212 	    outer_headers.first_vid, 0);
213 	MLX5_SET(fte_match_param, spec->match_value,
214 	    outer_headers.first_vid, 0);
215 }
216 
217 static void
218 setup_fte_no_vid(struct mlx5_flow_spec *spec)
219 {
220 	MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
221 	    outer_headers.cvlan_tag);
222 	MLX5_SET(fte_match_param, spec->match_value,
223 	    outer_headers.cvlan_tag, 0);
224 }
225 
226 static struct mlx5_fs_chains *
227 ipsec_chains_create(struct mlx5_core_dev *mdev, struct mlx5_flow_table *miss_ft,
228 		    enum mlx5_flow_namespace_type ns, int base_prio,
229 		    int base_level, struct mlx5_flow_table **root_ft)
230 {
231 	struct mlx5_chains_attr attr = {};
232 	struct mlx5_fs_chains *chains;
233 	struct mlx5_flow_table *ft;
234 	int err;
235 
236 	attr.flags = MLX5_CHAINS_AND_PRIOS_SUPPORTED |
237 		     MLX5_CHAINS_IGNORE_FLOW_LEVEL_SUPPORTED;
238 	attr.max_grp_num = 2;
239 	attr.default_ft = miss_ft;
240 	attr.ns = ns;
241 	attr.fs_base_prio = base_prio;
242 	attr.fs_base_level = base_level;
243 	chains = mlx5_chains_create(mdev, &attr);
244 	if (IS_ERR(chains))
245 		return chains;
246 
247 	/* Create chain 0, prio 1, level 0 to connect chains to prev in fs_core */
248 	ft = mlx5_chains_get_table(chains, 0, 1, 0);
249 	if (IS_ERR(ft)) {
250 		err = PTR_ERR(ft);
251 		goto err_chains_get;
252 	}
253 
254 	*root_ft = ft;
255 	return chains;
256 
257 err_chains_get:
258 	mlx5_chains_destroy(chains);
259 	return ERR_PTR(err);
260 }
261 
262 static void ipsec_chains_destroy(struct mlx5_fs_chains *chains)
263 {
264 	mlx5_chains_put_table(chains, 0, 1, 0);
265 	mlx5_chains_destroy(chains);
266 }
267 
268 static struct mlx5_flow_table *
269 ipsec_chains_get_table(struct mlx5_fs_chains *chains, u32 prio)
270 {
271 	return mlx5_chains_get_table(chains, 0, prio + 1, 0);
272 }
273 
274 static void ipsec_chains_put_table(struct mlx5_fs_chains *chains, u32 prio)
275 {
276 	mlx5_chains_put_table(chains, 0, prio + 1, 0);
277 }
278 
279 static struct mlx5_flow_table *ipsec_rx_ft_create(struct mlx5_flow_namespace *ns,
280 						  int level, int prio,
281 						  int max_num_groups)
282 {
283 	struct mlx5_flow_table_attr ft_attr = {};
284 
285 	ft_attr.max_fte = NUM_IPSEC_FTE;
286 	ft_attr.level = level;
287 	ft_attr.prio = prio;
288 	ft_attr.autogroup.max_num_groups = max_num_groups;
289 	ft_attr.autogroup.num_reserved_entries = 1;
290 
291 	return mlx5_create_auto_grouped_flow_table(ns, &ft_attr);
292 }
293 
294 static int ipsec_miss_create(struct mlx5_core_dev *mdev,
295 			     struct mlx5_flow_table *ft,
296 			     struct mlx5e_ipsec_miss *miss,
297 			     struct mlx5_flow_destination *dest)
298 {
299 	int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in);
300 	struct mlx5_flow_act flow_act = {};
301 	struct mlx5_flow_spec *spec;
302 	u32 *flow_group_in;
303 	int err = 0;
304 
305 	flow_group_in = kvzalloc(inlen, GFP_KERNEL);
306 	spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
307 	if (!flow_group_in || !spec) {
308 		err = -ENOMEM;
309 		goto out;
310 	}
311 
312 	/* Create miss_group */
313 	MLX5_SET(create_flow_group_in, flow_group_in, start_flow_index, ft->max_fte - 1);
314 	MLX5_SET(create_flow_group_in, flow_group_in, end_flow_index, ft->max_fte - 1);
315 	miss->group = mlx5_create_flow_group(ft, flow_group_in);
316 	if (IS_ERR(miss->group)) {
317 		err = PTR_ERR(miss->group);
318 		mlx5_core_err(mdev, "fail to create IPsec miss_group err=%d\n",
319 			      err);
320 		goto out;
321 	}
322 
323 	if (dest)
324 		flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
325 	else
326 		flow_act.action = MLX5_FLOW_CONTEXT_ACTION_DROP;
327 	/* Create miss rule */
328 	miss->rule = mlx5_add_flow_rules(ft, NULL, &flow_act, dest, 1);
329 	if (IS_ERR(miss->rule)) {
330 		mlx5_destroy_flow_group(miss->group);
331 		err = PTR_ERR(miss->rule);
332 		mlx5_core_err(mdev, "fail to create IPsec miss_rule err=%d\n",
333 			      err);
334 		goto out;
335 	}
336 out:
337 	kvfree(flow_group_in);
338 	kvfree(spec);
339 	return err;
340 }
341 
342 static int setup_modify_header(struct mlx5_core_dev *mdev, u32 val, u8 dir,
343                                struct mlx5_flow_act *flow_act)
344 {
345         u8 action[MLX5_UN_SZ_BYTES(set_add_copy_action_in_auto)] = {};
346         enum mlx5_flow_namespace_type ns_type;
347         struct mlx5_modify_hdr *modify_hdr;
348 
349         MLX5_SET(set_action_in, action, action_type, MLX5_ACTION_TYPE_SET);
350         switch (dir) {
351         case IPSEC_DIR_INBOUND:
352                 MLX5_SET(set_action_in, action, field,
353                          MLX5_ACTION_IN_FIELD_METADATA_REG_B);
354                 ns_type = MLX5_FLOW_NAMESPACE_KERNEL;
355                 break;
356         case IPSEC_DIR_OUTBOUND:
357                 MLX5_SET(set_action_in, action, field,
358                          MLX5_ACTION_IN_FIELD_METADATA_REG_C_0);
359                 ns_type = MLX5_FLOW_NAMESPACE_EGRESS;
360                 break;
361         default:
362                 return -EINVAL;
363         }
364 
365         MLX5_SET(set_action_in, action, data, val);
366         MLX5_SET(set_action_in, action, offset, 0);
367         MLX5_SET(set_action_in, action, length, 32);
368 
369         modify_hdr = mlx5_modify_header_alloc(mdev, ns_type, 1, action);
370         if (IS_ERR(modify_hdr)) {
371                 mlx5_core_err(mdev, "Failed to allocate modify_header %ld\n",
372                               PTR_ERR(modify_hdr));
373                 return PTR_ERR(modify_hdr);
374         }
375 
376         flow_act->modify_hdr = modify_hdr;
377         flow_act->action |= MLX5_FLOW_CONTEXT_ACTION_MOD_HDR;
378         return 0;
379 }
380 
381 static int
382 setup_pkt_transport_reformat(struct mlx5_accel_esp_xfrm_attrs *attrs,
383 			     struct mlx5_pkt_reformat_params *reformat_params)
384 {
385 	struct udphdr *udphdr;
386 	size_t bfflen = 16;
387 	char *reformatbf;
388 	__be32 spi;
389 	void *hdr;
390 
391 	if (attrs->family == AF_INET) {
392 		if (attrs->encap)
393 			reformat_params->type = MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_OVER_UDPV4;
394 		else
395 			reformat_params->type = MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_OVER_IPV4;
396 	} else {
397 		if (attrs->encap)
398 			reformat_params->type =
399 			    MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_OVER_UDPV6;
400 		else
401 			reformat_params->type =
402 			    MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_OVER_IPV6;
403 	}
404 
405 	if (attrs->encap)
406 		bfflen += sizeof(*udphdr);
407 	reformatbf = kzalloc(bfflen, GFP_KERNEL);
408 	if (!reformatbf)
409 		return -ENOMEM;
410 
411 	hdr = reformatbf;
412 	if (attrs->encap) {
413 		udphdr = (struct udphdr *)reformatbf;
414 		udphdr->uh_sport = attrs->sport;
415 		udphdr->uh_dport = attrs->dport;
416 		hdr += sizeof(*udphdr);
417 	}
418 
419 	/* convert to network format */
420 	spi = htonl(attrs->spi);
421 	memcpy(hdr, &spi, 4);
422 
423 	reformat_params->param_0 = attrs->authsize;
424 	reformat_params->size = bfflen;
425 	reformat_params->data = reformatbf;
426 
427 	return 0;
428 }
429 
430 static int setup_pkt_reformat(struct mlx5_core_dev *mdev,
431 			      struct mlx5_accel_esp_xfrm_attrs *attrs,
432 			      struct mlx5_flow_act *flow_act)
433 {
434 	enum mlx5_flow_namespace_type ns_type = MLX5_FLOW_NAMESPACE_EGRESS;
435 	struct mlx5_pkt_reformat_params reformat_params = {};
436 	struct mlx5_pkt_reformat *pkt_reformat;
437 	int ret;
438 
439 	if (attrs->dir == IPSEC_DIR_INBOUND) {
440 		if (attrs->encap)
441 			reformat_params.type = MLX5_REFORMAT_TYPE_DEL_ESP_TRANSPORT_OVER_UDP;
442 		else
443 			reformat_params.type = MLX5_REFORMAT_TYPE_DEL_ESP_TRANSPORT;
444 		ns_type = MLX5_FLOW_NAMESPACE_KERNEL;
445 		goto cmd;
446 	}
447 
448 	ret = setup_pkt_transport_reformat(attrs, &reformat_params);
449 	if (ret)
450 		return ret;
451 cmd:
452 	pkt_reformat =
453 		mlx5_packet_reformat_alloc(mdev, &reformat_params, ns_type);
454 	if (reformat_params.data)
455 		kfree(reformat_params.data);
456 	if (IS_ERR(pkt_reformat))
457 		return PTR_ERR(pkt_reformat);
458 
459 	flow_act->pkt_reformat = pkt_reformat;
460 	flow_act->action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
461 	return 0;
462 }
463 
464 static void setup_fte_addr4(struct mlx5_flow_spec *spec, __be32 *saddr,
465                             __be32 *daddr)
466 {
467         spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
468 
469         MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip_version);
470         MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_version, 4);
471 
472         memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value,
473                             outer_headers.src_ipv4_src_ipv6.ipv4_layout.ipv4), saddr, 4);
474         memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value,
475                             outer_headers.dst_ipv4_dst_ipv6.ipv4_layout.ipv4), daddr, 4);
476         MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
477                          outer_headers.src_ipv4_src_ipv6.ipv4_layout.ipv4);
478         MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
479                          outer_headers.dst_ipv4_dst_ipv6.ipv4_layout.ipv4);
480 }
481 
482 static void setup_fte_addr6(struct mlx5_flow_spec *spec, __be32 *saddr,
483                             __be32 *daddr)
484 {
485         spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
486 
487         MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip_version);
488         MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_version, 6);
489 
490         memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value,
491                             outer_headers.src_ipv4_src_ipv6.ipv6_layout.ipv6), saddr, 16);
492         memcpy(MLX5_ADDR_OF(fte_match_param, spec->match_value,
493                             outer_headers.dst_ipv4_dst_ipv6.ipv6_layout.ipv6), daddr, 16);
494         memset(MLX5_ADDR_OF(fte_match_param, spec->match_criteria,
495                             outer_headers.src_ipv4_src_ipv6.ipv6_layout.ipv6), 0xff, 16);
496         memset(MLX5_ADDR_OF(fte_match_param, spec->match_criteria,
497                             outer_headers.dst_ipv4_dst_ipv6.ipv6_layout.ipv6), 0xff, 16);
498 }
499 
500 static int rx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
501 {
502 	struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule;
503 	struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
504 	struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry);
505 	struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
506 	struct mlx5_flow_destination dest[2] = {};
507 	struct mlx5_flow_act flow_act = {};
508 	struct mlx5_flow_handle *rule;
509 	struct mlx5_flow_spec *spec;
510 	struct mlx5e_ipsec_rx *rx;
511 	struct mlx5_fc *counter;
512 	int err;
513 
514 	rx = (attrs->family == AF_INET) ? ipsec->rx_ipv4 : ipsec->rx_ipv6;
515 
516 	spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
517 	if (!spec)
518 		return -ENOMEM;
519 
520 	if (!attrs->drop) {
521 		err = setup_modify_header(mdev, sa_entry->kspi | BIT(31), IPSEC_DIR_INBOUND,
522 					  &flow_act);
523 		if (err)
524 			goto err_mod_header;
525 	}
526 
527 	err = setup_pkt_reformat(mdev, attrs, &flow_act);
528 	if (err)
529 		goto err_pkt_reformat;
530 
531 	counter = mlx5_fc_create(mdev, false);
532 	if (IS_ERR(counter)) {
533 		err = PTR_ERR(counter);
534 		goto err_add_cnt;
535 	}
536 
537 	flow_act.crypto.type = MLX5_FLOW_CONTEXT_ENCRYPT_DECRYPT_TYPE_IPSEC;
538 	flow_act.crypto.op = MLX5_FLOW_ACT_CRYPTO_OP_DECRYPT;
539 	flow_act.crypto.obj_id = sa_entry->ipsec_obj_id;
540 	flow_act.flags |= FLOW_ACT_NO_APPEND;
541 
542 	flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_CRYPTO_DECRYPT |
543 		MLX5_FLOW_CONTEXT_ACTION_COUNT;
544 
545 	if (attrs->drop)
546 		flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_DROP;
547 	else
548 		flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
549 
550 	dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
551 	dest[0].ft = rx->ft.status;
552 	dest[1].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER;
553 	dest[1].counter_id = mlx5_fc_id(counter);
554 
555 	if (attrs->family == AF_INET)
556 		setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4);
557 	else
558 		setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6);
559 
560 	if (!attrs->encap)
561 		setup_fte_esp(spec);
562 
563 	setup_fte_spi(spec, attrs->spi, attrs->encap);
564 	setup_fte_no_frags(spec);
565 
566 	if (sa_entry->vid != VLAN_NONE)
567 		setup_fte_vid(spec, sa_entry->vid);
568 	else
569 		setup_fte_no_vid(spec);
570 
571 	rule = mlx5_add_flow_rules(rx->ft.sa, spec, &flow_act, dest, 2);
572 	if (IS_ERR(rule)) {
573 		err = PTR_ERR(rule);
574 		mlx5_core_err(mdev, "fail to add RX ipsec rule err=%d\n", err);
575 		goto err_add_flow;
576 	}
577 	ipsec_rule->rule = rule;
578 
579 	/* Add another rule for zero vid */
580 	if (sa_entry->vid == VLAN_NONE) {
581 		clear_fte_vid(spec);
582 		setup_fte_vid(spec, 0);
583 		rule = mlx5_add_flow_rules(rx->ft.sa, spec, &flow_act, dest, 2);
584 		if (IS_ERR(rule)) {
585 			err = PTR_ERR(rule);
586 			mlx5_core_err(mdev,
587 			    "fail to add RX ipsec zero vid rule err=%d\n",
588 			    err);
589 			goto err_add_flow;
590 		}
591 		ipsec_rule->vid_zero_rule = rule;
592 	}
593 
594 	kvfree(spec);
595 	ipsec_rule->fc = counter;
596 	ipsec_rule->modify_hdr = flow_act.modify_hdr;
597 	ipsec_rule->pkt_reformat = flow_act.pkt_reformat;
598 	return 0;
599 
600 err_add_flow:
601 	mlx5_fc_destroy(mdev, counter);
602 	if (ipsec_rule->rule != NULL)
603 		mlx5_del_flow_rules(&ipsec_rule->rule);
604 err_add_cnt:
605 	mlx5_packet_reformat_dealloc(mdev, flow_act.pkt_reformat);
606 err_pkt_reformat:
607 	if (flow_act.modify_hdr != NULL)
608 		mlx5_modify_header_dealloc(mdev, flow_act.modify_hdr);
609 err_mod_header:
610 	kvfree(spec);
611 
612 	return err;
613 }
614 
615 static struct mlx5_flow_table *ipsec_tx_ft_create(struct mlx5_flow_namespace *ns,
616 						  int level, int prio,
617 						  int max_num_groups)
618 {
619 	struct mlx5_flow_table_attr ft_attr = {};
620 
621         ft_attr.autogroup.num_reserved_entries = 1;
622         ft_attr.autogroup.max_num_groups = max_num_groups;
623         ft_attr.max_fte = NUM_IPSEC_FTE;
624         ft_attr.level = level;
625         ft_attr.prio = prio;
626 
627 	return mlx5_create_auto_grouped_flow_table(ns, &ft_attr);
628 }
629 
630 static int ipsec_counter_rule_tx(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx)
631 {
632 	struct mlx5_flow_destination dest = {};
633 	struct mlx5_flow_act flow_act = {};
634 	struct mlx5_flow_handle *fte;
635 	int err;
636 
637 	/* create fte */
638 	flow_act.action = MLX5_FLOW_CONTEXT_ACTION_COUNT |
639 		MLX5_FLOW_CONTEXT_ACTION_ALLOW;
640 
641 	dest.type = MLX5_FLOW_DESTINATION_TYPE_COUNTER;
642 	dest.counter_id = mlx5_fc_id(tx->fc->cnt);
643 	fte = mlx5_add_flow_rules(tx->ft.status, NULL, &flow_act, &dest, 1);
644 	if (IS_ERR_OR_NULL(fte)) {
645 		err = PTR_ERR(fte);
646 		mlx5_core_err(mdev, "Fail to add ipsec tx counter rule err=%d\n", err);
647 		goto err_rule;
648 	}
649 
650 	tx->status.rule = fte;
651 	return 0;
652 
653 err_rule:
654 	return err;
655 }
656 
657 static void tx_destroy_roce(struct mlx5e_ipsec_tx *tx) {
658 	if (!tx->roce.ft)
659 		return;
660 
661 	mlx5_del_flow_rules(&tx->roce.rule);
662 	mlx5_destroy_flow_group(tx->roce.g);
663 	mlx5_destroy_flow_table(tx->roce.ft);
664 	tx->roce.ft = NULL;
665 }
666 
667 /* IPsec TX flow steering */
668 static void tx_destroy(struct mlx5e_ipsec_tx *tx)
669 {
670 	tx_destroy_roce(tx);
671 	if (tx->chains) {
672 		ipsec_chains_destroy(tx->chains);
673 	} else {
674 		mlx5_del_flow_rules(&tx->pol.rule);
675 		mlx5_destroy_flow_group(tx->pol.group);
676 		mlx5_destroy_flow_table(tx->ft.pol);
677 	}
678 	mlx5_destroy_flow_table(tx->ft.sa);
679 	mlx5_del_flow_rules(&tx->kspi_miss.rule);
680 	mlx5_destroy_flow_group(tx->kspi_miss.group);
681 	mlx5_del_flow_rules(&tx->kspi_bypass_rule.rule);
682 	mlx5_del_flow_rules(&tx->kspi_bypass_rule.kspi_rule);
683 	mlx5_destroy_flow_table(tx->ft.sa_kspi);
684 	mlx5_del_flow_rules(&tx->status.rule);
685 	mlx5_destroy_flow_table(tx->ft.status);
686 }
687 
688 static int ipsec_tx_roce_rule_setup(struct mlx5_core_dev *mdev,
689 				    struct mlx5e_ipsec_tx *tx)
690 {
691 	struct mlx5_flow_destination dst = {};
692 	struct mlx5_flow_act flow_act = {};
693 	struct mlx5_flow_handle *rule;
694 	int err = 0;
695 
696 	flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
697 	dst.type = MLX5_FLOW_DESTINATION_TYPE_TABLE_TYPE;
698 	dst.ft = tx->ft.pol;
699 	rule = mlx5_add_flow_rules(tx->roce.ft, NULL, &flow_act, &dst, 1);
700 	if (IS_ERR(rule)) {
701 		err = PTR_ERR(rule);
702 		mlx5_core_err(mdev, "Fail to add TX roce ipsec rule err=%d\n",
703 			      err);
704 		goto out;
705 	}
706 	tx->roce.rule = rule;
707 
708 out:
709 	return err;
710 }
711 
712 static int ipsec_tx_create_roce(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx)
713 {
714 	struct mlx5_flow_table_attr ft_attr = {};
715 	struct mlx5_flow_table *ft;
716 	struct mlx5_flow_group *g;
717 	int ix = 0;
718 	int err;
719 	u32 *in;
720 
721 	if (!tx->roce.ns)
722 		return -EOPNOTSUPP;
723 
724 	in = kvzalloc(MLX5_ST_SZ_BYTES(create_flow_group_in), GFP_KERNEL);
725 	if (!in)
726 		return -ENOMEM;
727 
728 	ft_attr.max_fte = 1;
729 	ft = mlx5_create_flow_table(tx->roce.ns, &ft_attr);
730 	if (IS_ERR(ft)) {
731 		err = PTR_ERR(ft);
732 		mlx5_core_err(mdev, "Fail to create ipsec tx roce ft err=%d\n",
733 			      err);
734 		goto fail_table;
735 	}
736 	tx->roce.ft = ft;
737 
738 	MLX5_SET_CFG(in, start_flow_index, ix);
739 	ix += 1;
740 	MLX5_SET_CFG(in, end_flow_index, ix - 1);
741 	g = mlx5_create_flow_group(ft, in);
742 	if (IS_ERR(g)) {
743 		err = PTR_ERR(g);
744 		mlx5_core_err(mdev, "Fail to create ipsec tx roce group err=%d\n",
745 			      err);
746 		goto fail_group;
747 	}
748 	tx->roce.g = g;
749 
750 	err = ipsec_tx_roce_rule_setup(mdev, tx);
751 	if (err) {
752 		mlx5_core_err(mdev, "Fail to create RoCE IPsec tx rules err=%d\n", err);
753 		goto fail_rule;
754 	}
755 
756 	kvfree(in);
757 	return 0;
758 
759 fail_rule:
760 	mlx5_destroy_flow_group(tx->roce.g);
761 fail_group:
762 	mlx5_destroy_flow_table(tx->roce.ft);
763 	tx->roce.ft = NULL;
764 fail_table:
765 	kvfree(in);
766 	return err;
767 }
768 
769 /*
770  * Setting a rule in KSPI table for values that should bypass IPSEC.
771  *
772  * mdev - mlx5 core device
773  * tx - IPSEC TX
774  * return - 0 for success errno for failure
775  */
776 static int tx_create_kspi_bypass_rules(struct mlx5_core_dev *mdev,
777                                        struct mlx5e_ipsec_tx *tx)
778 {
779 	struct mlx5_flow_destination dest = {};
780 	struct mlx5_flow_act flow_act = {};
781 	struct mlx5_flow_act flow_act_kspi = {};
782 	struct mlx5_flow_handle *rule;
783 	struct mlx5_flow_spec *spec;
784 	int err;
785 
786 	spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
787 	if (!spec)
788 		return -ENOMEM;
789 
790 	dest.ft = tx->ft.status;
791 	dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
792 	flow_act_kspi.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
793 
794 	setup_fte_reg_a_with_tag(spec, IPSEC_ACCEL_DRV_SPI_BYPASS);
795 	rule = mlx5_add_flow_rules(tx->ft.sa_kspi, spec, &flow_act_kspi,
796 								&dest, 1);
797 	if (IS_ERR(rule)) {
798 		err = PTR_ERR(rule);
799 		mlx5_core_err(mdev, "Fail to add ipsec kspi bypass rule err=%d\n",
800                       err);
801 		goto err_add_kspi_rule;
802 	}
803 	tx->kspi_bypass_rule.kspi_rule = rule;
804 
805 	/* set the rule for packets withoiut ipsec tag. */
806 	flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
807 	memset(spec, 0, sizeof(*spec));
808 	setup_fte_reg_a_no_tag(spec);
809 	rule = mlx5_add_flow_rules(tx->ft.sa_kspi, spec, &flow_act, &dest, 1);
810 	if (IS_ERR(rule)) {
811 		err = PTR_ERR(rule);
812 		mlx5_core_err(mdev, "Fail to add ipsec kspi bypass rule err=%d\n", err);
813 		goto err_add_rule;
814 	}
815 	tx->kspi_bypass_rule.rule = rule;
816 
817 	kvfree(spec);
818 	return 0;
819 err_add_rule:
820 	mlx5_del_flow_rules(&tx->kspi_bypass_rule.kspi_rule);
821 err_add_kspi_rule:
822 	kvfree(spec);
823 	return err;
824 }
825 
826 
827 static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx)
828 {
829 	struct mlx5_flow_destination dest = {};
830 	struct mlx5_flow_table *ft;
831 	int err;
832 
833 	/*
834 	 *  Tx flow is different for ethernet traffic then for RoCE packets
835 	 *  For Ethernet packets we start in SA KSPI table that matches KSPI of SA rule
836 	 *  to the KSPI in the packet metadata
837 	 *  For RoCE traffic we start in Policy table, then move to SA table
838 	 *  which matches either reqid of the SA rule to reqid reported by policy table
839 	 *  or ip header fields of SA to the packet IP header fields.
840 	 *  Tables are ordered by their level so we set kspi
841 	 *  with level 0 to have it first one for ethernet traffic.
842 	 *  For RoCE the RoCE TX table direct the packets to policy table explicitly
843 	 */
844 	ft = ipsec_tx_ft_create(tx->ns, 0, 0, 4);
845 	if (IS_ERR(ft))
846 		return PTR_ERR(ft);
847 	tx->ft.sa_kspi = ft;
848 
849 	ft = ipsec_tx_ft_create(tx->ns, 2, 0, 4);
850 	if (IS_ERR(ft)) {
851 		err = PTR_ERR(ft);
852 		goto err_reqid_ft;
853 	}
854 	tx->ft.sa = ft;
855 
856 	if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_PRIO) {
857 		tx->chains = ipsec_chains_create(
858 				mdev, tx->ft.sa, MLX5_FLOW_NAMESPACE_EGRESS_IPSEC, 0, 1,
859 				&tx->ft.pol);
860 		if (IS_ERR(tx->chains)) {
861 			err = PTR_ERR(tx->chains);
862 			goto err_pol_ft;
863 		}
864 	} else {
865 		ft = ipsec_tx_ft_create(tx->ns, 1, 0, 2);
866 		if (IS_ERR(ft)) {
867 			err = PTR_ERR(ft);
868 			goto err_pol_ft;
869 		}
870 		tx->ft.pol = ft;
871 		dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
872 		dest.ft = tx->ft.sa;
873 		err = ipsec_miss_create(mdev, tx->ft.pol, &tx->pol, &dest);
874 		if (err)
875 			goto err_pol_miss;
876 	}
877 
878 	ft = ipsec_tx_ft_create(tx->ns, 2, 0, 1);
879 	if (IS_ERR(ft)) {
880 		err = PTR_ERR(ft);
881 		goto err_status_ft;
882 	}
883 	tx->ft.status = ft;
884 
885 	/* set miss rule for kspi table with drop action*/
886 	err = ipsec_miss_create(mdev, tx->ft.sa_kspi, &tx->kspi_miss, NULL);
887 	if (err)
888 		goto err_kspi_miss;
889 
890 	err = tx_create_kspi_bypass_rules(mdev, tx);
891 	if (err)
892 		goto err_kspi_rule;
893 
894 	err = ipsec_counter_rule_tx(mdev, tx);
895 	if (err)
896 		goto err_status_rule;
897 
898 	err = ipsec_tx_create_roce(mdev, tx);
899 	if (err)
900 		goto err_counter_rule;
901 
902 	return 0;
903 
904 err_counter_rule:
905 	mlx5_del_flow_rules(&tx->status.rule);
906 err_status_rule:
907 	mlx5_del_flow_rules(&tx->kspi_bypass_rule.rule);
908 	mlx5_del_flow_rules(&tx->kspi_bypass_rule.kspi_rule);
909 err_kspi_rule:
910 	mlx5_destroy_flow_table(tx->ft.status);
911 err_status_ft:
912 	if (tx->chains) {
913 		ipsec_chains_destroy(tx->chains);
914 	} else {
915 		mlx5_del_flow_rules(&tx->pol.rule);
916 		mlx5_destroy_flow_group(tx->pol.group);
917 	}
918 err_pol_miss:
919 	if (!tx->chains)
920 		mlx5_destroy_flow_table(tx->ft.pol);
921 err_pol_ft:
922 	mlx5_del_flow_rules(&tx->kspi_miss.rule);
923 	mlx5_destroy_flow_group(tx->kspi_miss.group);
924 err_kspi_miss:
925 	mlx5_destroy_flow_table(tx->ft.sa);
926 err_reqid_ft:
927 	mlx5_destroy_flow_table(tx->ft.sa_kspi);
928 	return err;
929 }
930 
931 static int tx_get(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
932 		  struct mlx5e_ipsec_tx *tx)
933 {
934 	int err;
935 
936 	if (tx->ft.refcnt)
937 		goto skip;
938 
939 	err = tx_create(mdev, tx);
940 	if (err)
941 		return err;
942 
943 skip:
944 	tx->ft.refcnt++;
945 	return 0;
946 }
947 
948 static void tx_put(struct mlx5e_ipsec *ipsec, struct mlx5e_ipsec_tx *tx)
949 {
950 	if (--tx->ft.refcnt)
951 		return;
952 
953 	tx_destroy(tx);
954 }
955 
956 static struct mlx5e_ipsec_tx *tx_ft_get(struct mlx5_core_dev *mdev,
957 					struct mlx5e_ipsec *ipsec)
958 {
959 	struct mlx5e_ipsec_tx *tx = ipsec->tx;
960 	int err;
961 
962 	mutex_lock(&tx->ft.mutex);
963 	err = tx_get(mdev, ipsec, tx);
964 	mutex_unlock(&tx->ft.mutex);
965 	if (err)
966 		return ERR_PTR(err);
967 
968 	return tx;
969 }
970 
971 static struct mlx5_flow_table *tx_ft_get_policy(struct mlx5_core_dev *mdev,
972                                                 struct mlx5e_ipsec *ipsec,
973                                                 u32 prio)
974 {
975         struct mlx5e_ipsec_tx *tx = ipsec->tx;
976         struct mlx5_flow_table *ft;
977         int err;
978 
979         mutex_lock(&tx->ft.mutex);
980         err = tx_get(mdev, ipsec, tx);
981         if (err)
982             goto err_get;
983 
984         ft = tx->chains ? ipsec_chains_get_table(tx->chains, prio) : tx->ft.pol;
985         if (IS_ERR(ft)) {
986                 err = PTR_ERR(ft);
987                 goto err_get_ft;
988         }
989 
990         mutex_unlock(&tx->ft.mutex);
991         return ft;
992 
993 err_get_ft:
994         tx_put(ipsec, tx);
995 err_get:
996         mutex_unlock(&tx->ft.mutex);
997         return ERR_PTR(err);
998 }
999 
1000 static void tx_ft_put_policy(struct mlx5e_ipsec *ipsec, u32 prio)
1001 {
1002         struct mlx5e_ipsec_tx *tx = ipsec->tx;
1003 
1004         mutex_lock(&tx->ft.mutex);
1005         if (tx->chains)
1006                 ipsec_chains_put_table(tx->chains, prio);
1007 
1008         tx_put(ipsec, tx);
1009         mutex_unlock(&tx->ft.mutex);
1010 }
1011 
1012 static void tx_ft_put(struct mlx5e_ipsec *ipsec)
1013 {
1014 	struct mlx5e_ipsec_tx *tx = ipsec->tx;
1015 
1016 	mutex_lock(&tx->ft.mutex);
1017 	tx_put(ipsec, tx);
1018 	mutex_unlock(&tx->ft.mutex);
1019 }
1020 
1021 static void setup_fte_reg_a_with_tag(struct mlx5_flow_spec *spec,
1022 									 u16 kspi)
1023 {
1024        /* Add IPsec indicator in metadata_reg_a. */
1025        spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2;
1026 
1027        MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
1028                         misc_parameters_2.metadata_reg_a);
1029        MLX5_SET(fte_match_param, spec->match_value,
1030                 misc_parameters_2.metadata_reg_a,
1031                 MLX5_ETH_WQE_FT_META_IPSEC << 23 |  kspi);
1032 }
1033 
1034 static void setup_fte_reg_a_no_tag(struct mlx5_flow_spec *spec)
1035 {
1036        /* Add IPsec indicator in metadata_reg_a. */
1037        spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2;
1038 
1039        MLX5_SET(fte_match_param, spec->match_criteria,
1040                 misc_parameters_2.metadata_reg_a,
1041 				MLX5_ETH_WQE_FT_META_IPSEC << 23);
1042        MLX5_SET(fte_match_param, spec->match_value,
1043                 misc_parameters_2.metadata_reg_a,
1044                 0);
1045 }
1046 
1047 static void setup_fte_reg_c0(struct mlx5_flow_spec *spec, u32 reqid)
1048 {
1049 	/* Pass policy check before choosing this SA */
1050 	spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2;
1051 
1052 	MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria,
1053 			 misc_parameters_2.metadata_reg_c_0);
1054 	MLX5_SET(fte_match_param, spec->match_value,
1055 		 misc_parameters_2.metadata_reg_c_0, reqid);
1056 }
1057 
1058 static void setup_fte_upper_proto_match(struct mlx5_flow_spec *spec, struct upspec *upspec)
1059 {
1060         switch (upspec->proto) {
1061         case IPPROTO_UDP:
1062                 if (upspec->dport) {
1063                         MLX5_SET_TO_ONES(fte_match_set_lyr_2_4,
1064                                          spec->match_criteria, udp_dport);
1065                         MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
1066                                  udp_dport, upspec->dport);
1067                 }
1068 
1069                 if (upspec->sport) {
1070                         MLX5_SET_TO_ONES(fte_match_set_lyr_2_4,
1071                                          spec->match_criteria, udp_sport);
1072                         MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
1073                                  udp_dport, upspec->sport);
1074                 }
1075                 break;
1076         case IPPROTO_TCP:
1077                 if (upspec->dport) {
1078                         MLX5_SET_TO_ONES(fte_match_set_lyr_2_4,
1079                                          spec->match_criteria, tcp_dport);
1080                         MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
1081                                  tcp_dport, upspec->dport);
1082                 }
1083 
1084                 if (upspec->sport) {
1085                         MLX5_SET_TO_ONES(fte_match_set_lyr_2_4,
1086                                          spec->match_criteria, tcp_sport);
1087                         MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
1088                                  tcp_dport, upspec->sport);
1089                 }
1090                 break;
1091         default:
1092                 return;
1093         }
1094 
1095         spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
1096 	MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, ip_protocol);
1097 	MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, ip_protocol, upspec->proto);
1098 }
1099 
1100 static int tx_add_kspi_rule(struct mlx5e_ipsec_sa_entry *sa_entry,
1101 							struct mlx5e_ipsec_tx *tx,
1102 							struct mlx5_flow_act *flow_act,
1103 							struct mlx5_flow_destination *dest,
1104 							int num_dest)
1105 {
1106 	struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule;
1107 	struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry);
1108 	struct mlx5_flow_handle *rule;
1109 	struct mlx5_flow_spec *spec;
1110 	int err;
1111 
1112 	spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
1113 	if (!spec)
1114 		return -ENOMEM;
1115 
1116 	setup_fte_no_frags(spec);
1117 	setup_fte_reg_a_with_tag(spec, sa_entry->kspi);
1118 
1119 	rule = mlx5_add_flow_rules(tx->ft.sa_kspi, spec, flow_act, dest, num_dest);
1120 	if (IS_ERR(rule)) {
1121 		err = PTR_ERR(rule);
1122 		mlx5_core_err(mdev, "fail to add TX ipsec kspi rule err=%d\n", err);
1123 		goto err_add_kspi_flow;
1124 	}
1125 	ipsec_rule->kspi_rule = rule;
1126 	kvfree(spec);
1127 	return 0;
1128 
1129 err_add_kspi_flow:
1130 	kvfree(spec);
1131 	return err;
1132 }
1133 
1134 static int tx_add_reqid_ip_rules(struct mlx5e_ipsec_sa_entry *sa_entry,
1135 								struct mlx5e_ipsec_tx *tx,
1136 								struct mlx5_flow_act *flow_act,
1137 								struct mlx5_flow_destination *dest,
1138 								int num_dest)
1139 {
1140 	struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule;
1141 	struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
1142 	struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry);
1143 	struct mlx5_flow_handle *rule;
1144 	struct mlx5_flow_spec *spec;
1145 	int err;
1146 
1147 	spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
1148 	if (!spec)
1149 		return -ENOMEM;
1150 
1151 	flow_act->flags |= FLOW_ACT_IGNORE_FLOW_LEVEL;
1152 
1153 	if(attrs->reqid) {
1154 		setup_fte_no_frags(spec);
1155 		setup_fte_reg_c0(spec, attrs->reqid);
1156 		rule = mlx5_add_flow_rules(tx->ft.sa, spec, flow_act, dest, num_dest);
1157 		if (IS_ERR(rule)) {
1158 			err = PTR_ERR(rule);
1159 			mlx5_core_err(mdev, "fail to add TX ipsec reqid rule err=%d\n", err);
1160 			goto err_add_reqid_rule;
1161 		}
1162 		ipsec_rule->reqid_rule = rule;
1163 		memset(spec, 0, sizeof(*spec));
1164 	}
1165 
1166 	if (attrs->family == AF_INET)
1167 		setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4);
1168 	else
1169 		setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6);
1170 	setup_fte_no_frags(spec);
1171 
1172 	rule = mlx5_add_flow_rules(tx->ft.sa, spec, flow_act, dest, num_dest);
1173 	if (IS_ERR(rule)) {
1174 		err = PTR_ERR(rule);
1175 		mlx5_core_err(mdev, "fail to add TX ipsec ip rule err=%d\n", err);
1176 		goto err_add_ip_rule;
1177 	}
1178 	ipsec_rule->rule = rule;
1179 	kvfree(spec);
1180 	return 0;
1181 
1182 err_add_ip_rule:
1183 	mlx5_del_flow_rules(&ipsec_rule->reqid_rule);
1184 err_add_reqid_rule:
1185 	kvfree(spec);
1186 	return err;
1187 }
1188 
1189 static int tx_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
1190 {
1191 	struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule;
1192 	struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
1193 	struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry);
1194 	struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
1195 	struct mlx5_flow_destination dest[2] = {};
1196 	struct mlx5_flow_act flow_act = {};
1197 	struct mlx5e_ipsec_tx *tx;
1198 	struct mlx5_fc *counter;
1199 	int err;
1200 
1201 	tx = tx_ft_get(mdev, ipsec);
1202 	if (IS_ERR(tx))
1203 		return PTR_ERR(tx);
1204 
1205 	err = setup_pkt_reformat(mdev, attrs, &flow_act);
1206 	if (err)
1207 		goto err_pkt_reformat;
1208 
1209 	counter = mlx5_fc_create(mdev, false);
1210 	if (IS_ERR(counter)) {
1211 		err = PTR_ERR(counter);
1212 		goto err_add_cnt;
1213 	}
1214 
1215 	flow_act.crypto.type = MLX5_FLOW_CONTEXT_ENCRYPT_DECRYPT_TYPE_IPSEC;
1216         flow_act.crypto.obj_id = sa_entry->ipsec_obj_id;
1217         flow_act.flags |= FLOW_ACT_NO_APPEND;
1218         flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_CRYPTO_ENCRYPT |
1219                            MLX5_FLOW_CONTEXT_ACTION_COUNT;
1220 
1221 	if (attrs->drop)
1222 		flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_DROP;
1223 	else
1224 		flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
1225 
1226 	dest[0].ft = tx->ft.status;
1227 	dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
1228 	dest[1].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER;
1229 	dest[1].counter_id = mlx5_fc_id(counter);
1230 
1231 	err = tx_add_kspi_rule(sa_entry, tx, &flow_act, dest, 2);
1232 	if (err) {
1233 		goto err_add_kspi_rule;
1234 	}
1235 
1236 	err = tx_add_reqid_ip_rules(sa_entry, tx, &flow_act, dest, 2);
1237 	if (err) {
1238 		goto err_add_reqid_ip_rule;
1239 	}
1240 
1241 	ipsec_rule->fc = counter;
1242 	ipsec_rule->pkt_reformat = flow_act.pkt_reformat;
1243 	return 0;
1244 
1245 err_add_reqid_ip_rule:
1246 	mlx5_del_flow_rules(&ipsec_rule->kspi_rule);
1247 err_add_kspi_rule:
1248 	mlx5_fc_destroy(mdev, counter);
1249 err_add_cnt:
1250 	if (flow_act.pkt_reformat)
1251 		mlx5_packet_reformat_dealloc(mdev, flow_act.pkt_reformat);
1252 err_pkt_reformat:
1253 	tx_ft_put(ipsec);
1254 	return err;
1255 }
1256 
1257 static int tx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry)
1258 {
1259         struct mlx5_accel_pol_xfrm_attrs *attrs = &pol_entry->attrs;
1260         struct mlx5_core_dev *mdev = mlx5e_ipsec_pol2dev(pol_entry);
1261         struct mlx5e_ipsec_tx *tx = pol_entry->ipsec->tx;
1262         struct mlx5_flow_destination dest[2] = {};
1263         struct mlx5_flow_act flow_act = {};
1264         struct mlx5_flow_handle *rule;
1265         struct mlx5_flow_spec *spec;
1266         struct mlx5_flow_table *ft;
1267         int err, dstn = 0;
1268 
1269         ft = tx_ft_get_policy(mdev, pol_entry->ipsec, attrs->prio);
1270         if (IS_ERR(ft))
1271             return PTR_ERR(ft);
1272 
1273         spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
1274         if (!spec) {
1275             err = -ENOMEM;
1276             goto err_alloc;
1277         }
1278 
1279         if (attrs->family == AF_INET)
1280                 setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4);
1281         else
1282                 setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6);
1283 
1284         setup_fte_no_frags(spec);
1285 	setup_fte_upper_proto_match(spec, &attrs->upspec);
1286 
1287         switch (attrs->action) {
1288         case IPSEC_POLICY_IPSEC:
1289                 flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
1290                 err = setup_modify_header(mdev, attrs->reqid,
1291                                           IPSEC_DIR_OUTBOUND, &flow_act);
1292                 if (err)
1293                         goto err_mod_header;
1294                  break;
1295         case IPSEC_POLICY_DISCARD:
1296                 flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_DROP |
1297                                    MLX5_FLOW_CONTEXT_ACTION_COUNT;
1298                 dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER;
1299                 dest[dstn].counter_id = mlx5_fc_id(tx->fc->drop);
1300                 dstn++;
1301                 break;
1302         default:
1303                 err = -EINVAL;
1304                 goto err_mod_header;
1305         }
1306 
1307         flow_act.flags |= FLOW_ACT_NO_APPEND;
1308         dest[dstn].ft = tx->ft.sa;
1309         dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
1310         dstn++;
1311         rule = mlx5_add_flow_rules(ft, spec, &flow_act, dest, dstn);
1312         if (IS_ERR(rule)) {
1313                 err = PTR_ERR(rule);
1314                 mlx5_core_err(mdev, "fail to add TX ipsec rule err=%d\n", err);
1315                 goto err_action;
1316         }
1317 
1318         kvfree(spec);
1319         pol_entry->ipsec_rule.rule = rule;
1320         pol_entry->ipsec_rule.modify_hdr = flow_act.modify_hdr;
1321         return 0;
1322 
1323 err_action:
1324         if (flow_act.modify_hdr)
1325                 mlx5_modify_header_dealloc(mdev, flow_act.modify_hdr);
1326 err_mod_header:
1327         kvfree(spec);
1328 err_alloc:
1329         tx_ft_put_policy(pol_entry->ipsec, attrs->prio);
1330         return err;
1331 }
1332 
1333 static int rx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry)
1334 {
1335         struct mlx5_accel_pol_xfrm_attrs *attrs = &pol_entry->attrs;
1336         struct mlx5_core_dev *mdev = mlx5e_ipsec_pol2dev(pol_entry);
1337 	struct mlx5e_ipsec *ipsec = pol_entry->ipsec;
1338         struct mlx5_flow_destination dest[2];
1339         struct mlx5_flow_act flow_act = {};
1340         struct mlx5_flow_handle *rule;
1341         struct mlx5_flow_spec *spec;
1342         struct mlx5_flow_table *ft;
1343         struct mlx5e_ipsec_rx *rx;
1344 	int err, dstn = 0;
1345 
1346         rx = (attrs->family == AF_INET) ? ipsec->rx_ipv4 : ipsec->rx_ipv6;
1347         ft = rx->chains ? ipsec_chains_get_table(rx->chains, attrs->prio) : rx->ft.pol;
1348         if (IS_ERR(ft))
1349                 return PTR_ERR(ft);
1350 
1351         spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
1352         if (!spec) {
1353                 err = -ENOMEM;
1354                 goto err_alloc;
1355         }
1356 
1357         switch (attrs->action) {
1358         case IPSEC_POLICY_IPSEC:
1359                 flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
1360                 break;
1361         case IPSEC_POLICY_DISCARD:
1362                 flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_DROP | MLX5_FLOW_CONTEXT_ACTION_COUNT;
1363                 dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER;
1364                 dest[dstn].counter_id = mlx5_fc_id(rx->fc->drop);
1365                 dstn++;
1366                 break;
1367         default:
1368                 err = -EINVAL;
1369                 goto err_action;
1370         }
1371 
1372         flow_act.flags |= FLOW_ACT_NO_APPEND;
1373         dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
1374         dest[dstn].ft = rx->ft.sa;
1375         dstn++;
1376 
1377 	if (attrs->family == AF_INET)
1378 		setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4);
1379 	else
1380 		setup_fte_addr6(spec, attrs->saddr.a6, attrs->daddr.a6);
1381 
1382 	setup_fte_no_frags(spec);
1383 	setup_fte_upper_proto_match(spec, &attrs->upspec);
1384 	if (attrs->vid != VLAN_NONE)
1385 		setup_fte_vid(spec, attrs->vid);
1386 	else
1387 		setup_fte_no_vid(spec);
1388 
1389 	rule = mlx5_add_flow_rules(ft, spec, &flow_act, dest, dstn);
1390 	if (IS_ERR(rule)) {
1391 		err = PTR_ERR(rule);
1392 		mlx5_core_err(mdev,
1393 		    "Failed to add RX IPsec policy rule err=%d\n", err);
1394 		goto err_action;
1395 	}
1396 	pol_entry->ipsec_rule.rule = rule;
1397 
1398 	/* Add also rule for zero vid */
1399 	if (attrs->vid == VLAN_NONE) {
1400 		clear_fte_vid(spec);
1401 		setup_fte_vid(spec, 0);
1402 		rule = mlx5_add_flow_rules(ft, spec, &flow_act, dest, dstn);
1403 		if (IS_ERR(rule)) {
1404 			err = PTR_ERR(rule);
1405 			mlx5_core_err(mdev,
1406 			    "Failed to add RX IPsec policy rule err=%d\n",
1407 			    err);
1408 			goto err_action;
1409 		}
1410 		pol_entry->ipsec_rule.vid_zero_rule = rule;
1411 	}
1412 
1413 	kvfree(spec);
1414         return 0;
1415 
1416 err_action:
1417 	if (pol_entry->ipsec_rule.rule != NULL)
1418 		mlx5_del_flow_rules(&pol_entry->ipsec_rule.rule);
1419 	kvfree(spec);
1420 err_alloc:
1421         if (rx->chains != NULL)
1422                 ipsec_chains_put_table(rx->chains, attrs->prio);
1423         return err;
1424 }
1425 
1426 static void ipsec_fs_destroy_counters(struct mlx5e_ipsec *ipsec)
1427 {
1428 	struct mlx5e_ipsec_rx *rx_ipv4 = ipsec->rx_ipv4;
1429 	struct mlx5_core_dev *mdev = ipsec->mdev;
1430 	struct mlx5e_ipsec_tx *tx = ipsec->tx;
1431 
1432 	mlx5_fc_destroy(mdev, rx_ipv4->fc->drop);
1433 	mlx5_fc_destroy(mdev, rx_ipv4->fc->cnt);
1434 	kfree(rx_ipv4->fc);
1435 	mlx5_fc_destroy(mdev, tx->fc->drop);
1436 	mlx5_fc_destroy(mdev, tx->fc->cnt);
1437 	kfree(tx->fc);
1438 }
1439 
1440 static int ipsec_fs_init_counters(struct mlx5e_ipsec *ipsec)
1441 {
1442 	struct mlx5e_ipsec_rx *rx_ipv4 = ipsec->rx_ipv4;
1443 	struct mlx5e_ipsec_rx *rx_ipv6 = ipsec->rx_ipv6;
1444 	struct mlx5_core_dev *mdev = ipsec->mdev;
1445 	struct mlx5e_ipsec_tx *tx = ipsec->tx;
1446 	struct mlx5e_ipsec_fc *fc;
1447 	struct mlx5_fc *counter;
1448 	int err;
1449 
1450 	fc = kzalloc(sizeof(*tx->fc), GFP_KERNEL);
1451 	if (!fc)
1452 		return -ENOMEM;
1453 
1454 	tx->fc = fc;
1455 	counter = mlx5_fc_create(mdev, false);
1456 	if (IS_ERR(counter)) {
1457 		err = PTR_ERR(counter);
1458 		goto err_tx_fc_alloc;
1459 	}
1460 
1461 	fc->cnt = counter;
1462 	counter = mlx5_fc_create(mdev, false);
1463 	if (IS_ERR(counter)) {
1464 		err = PTR_ERR(counter);
1465 		goto err_tx_fc_cnt;
1466 	}
1467 
1468 	fc->drop = counter;
1469 
1470 	fc = kzalloc(sizeof(*tx->fc), GFP_KERNEL);
1471 	if (!fc) {
1472 		err = -ENOMEM;
1473 		goto err_tx_fc_drop;
1474 	}
1475 
1476 	/* Both IPv4 and IPv6 point to same flow counters struct. */
1477 	rx_ipv4->fc = fc;
1478 	rx_ipv6->fc = fc;
1479 	counter = mlx5_fc_create(mdev, false);
1480 	if (IS_ERR(counter)) {
1481 		err = PTR_ERR(counter);
1482 		goto err_rx_fc_alloc;
1483 	}
1484 
1485 	fc->cnt = counter;
1486 	counter = mlx5_fc_create(mdev, false);
1487 	if (IS_ERR(counter)) {
1488 		err = PTR_ERR(counter);
1489 		goto err_rx_fc_cnt;
1490 	}
1491 
1492 	fc->drop = counter;
1493 	return 0;
1494 
1495 err_rx_fc_cnt:
1496 	mlx5_fc_destroy(mdev, rx_ipv4->fc->cnt);
1497 err_rx_fc_alloc:
1498 	kfree(rx_ipv4->fc);
1499 err_tx_fc_drop:
1500 	mlx5_fc_destroy(mdev, tx->fc->drop);
1501 err_tx_fc_cnt:
1502 	mlx5_fc_destroy(mdev, tx->fc->cnt);
1503 err_tx_fc_alloc:
1504 	kfree(tx->fc);
1505 	return err;
1506 }
1507 
1508 static int ipsec_status_rule(struct mlx5_core_dev *mdev,
1509 			     struct mlx5e_ipsec_rx *rx,
1510 			     struct mlx5_flow_destination *dest)
1511 {
1512 	u8 action[MLX5_UN_SZ_BYTES(set_add_copy_action_in_auto)] = {};
1513 	struct mlx5_flow_act flow_act = {};
1514 	struct mlx5_modify_hdr *modify_hdr;
1515 	struct mlx5_flow_handle *rule;
1516 	struct mlx5_flow_spec *spec;
1517 	int err;
1518 
1519 	spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
1520 	if (!spec)
1521 		return -ENOMEM;
1522 
1523 	/* Action to copy 7 bit ipsec_syndrome to regB[24:30] */
1524 	MLX5_SET(copy_action_in, action, action_type, MLX5_ACTION_TYPE_COPY);
1525 	MLX5_SET(copy_action_in, action, src_field, MLX5_ACTION_IN_FIELD_IPSEC_SYNDROME);
1526 	MLX5_SET(copy_action_in, action, src_offset, 0);
1527 	MLX5_SET(copy_action_in, action, length, 7);
1528 	MLX5_SET(copy_action_in, action, dst_field, MLX5_ACTION_IN_FIELD_METADATA_REG_B);
1529 	MLX5_SET(copy_action_in, action, dst_offset, 24);
1530 
1531 	modify_hdr = mlx5_modify_header_alloc(mdev, MLX5_FLOW_NAMESPACE_KERNEL,
1532 					      1, action);
1533 
1534 	if (IS_ERR(modify_hdr)) {
1535 		err = PTR_ERR(modify_hdr);
1536 		mlx5_core_err(mdev,
1537 			      "fail to alloc ipsec copy modify_header_id err=%d\n", err);
1538 		goto out_spec;
1539 	}
1540 
1541 	/* create fte */
1542 	flow_act.action = MLX5_FLOW_CONTEXT_ACTION_MOD_HDR |
1543 		MLX5_FLOW_CONTEXT_ACTION_FWD_DEST |
1544 		MLX5_FLOW_CONTEXT_ACTION_COUNT;
1545 	flow_act.modify_hdr = modify_hdr;
1546 
1547 	rule = mlx5_add_flow_rules(rx->ft.status, spec, &flow_act, dest, 2);
1548 	if (IS_ERR(rule)) {
1549 		err = PTR_ERR(rule);
1550 		mlx5_core_err(mdev, "fail to add ipsec rx err copy rule err=%d\n", err);
1551 		goto out;
1552 	}
1553 
1554 	kvfree(spec);
1555 	rx->status.rule = rule;
1556 	rx->status.modify_hdr = modify_hdr;
1557 	return 0;
1558 
1559 out:
1560 	mlx5_modify_header_dealloc(mdev, modify_hdr);
1561 out_spec:
1562 	kvfree(spec);
1563 	return err;
1564 }
1565 
1566 static void ipsec_fs_rx_roce_rules_destroy(struct mlx5e_ipsec_rx_roce *rx_roce)
1567 {
1568 	if (!rx_roce->ns_rdma)
1569 		return;
1570 
1571 	mlx5_del_flow_rules(&rx_roce->roce_miss.rule);
1572 	mlx5_del_flow_rules(&rx_roce->rule);
1573 	mlx5_destroy_flow_group(rx_roce->roce_miss.group);
1574 	mlx5_destroy_flow_group(rx_roce->g);
1575 }
1576 
1577 static void ipsec_fs_rx_catchall_rules_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx)
1578 {
1579 	mutex_lock(&rx->ft.mutex);
1580 	mlx5_del_flow_rules(&rx->sa.rule);
1581 	mlx5_destroy_flow_group(rx->sa.group);
1582 	if (rx->chains == NULL) {
1583 		mlx5_del_flow_rules(&rx->pol.rule);
1584 		mlx5_destroy_flow_group(rx->pol.group);
1585 	}
1586 	mlx5_del_flow_rules(&rx->status.rule);
1587 	mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr);
1588 	ipsec_fs_rx_roce_rules_destroy(&rx->roce);
1589 	mutex_unlock(&rx->ft.mutex);
1590 }
1591 
1592 static void ipsec_fs_rx_roce_table_destroy(struct mlx5e_ipsec_rx_roce *rx_roce)
1593 {
1594 	if (!rx_roce->ns_rdma)
1595 		return;
1596 
1597 	mlx5_destroy_flow_table(rx_roce->ft_rdma);
1598 	mlx5_destroy_flow_table(rx_roce->ft);
1599 }
1600 
1601 static void ipsec_fs_rx_table_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx)
1602 {
1603 	mutex_lock(&rx->ft.mutex);
1604 	if (rx->chains) {
1605 		ipsec_chains_destroy(rx->chains);
1606 	} else {
1607 		mlx5_del_flow_rules(&rx->pol.rule);
1608 		mlx5_destroy_flow_table(rx->ft.pol);
1609         }
1610 	mlx5_destroy_flow_table(rx->ft.sa);
1611 	mlx5_destroy_flow_table(rx->ft.status);
1612 	ipsec_fs_rx_roce_table_destroy(&rx->roce);
1613 	mutex_unlock(&rx->ft.mutex);
1614 }
1615 
1616 static void ipsec_roce_setup_udp_dport(struct mlx5_flow_spec *spec, u16 dport)
1617 {
1618 	spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
1619 	MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip_protocol);
1620 	MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_protocol, IPPROTO_UDP);
1621 	MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.udp_dport);
1622 	MLX5_SET(fte_match_param, spec->match_value, outer_headers.udp_dport, dport);
1623 }
1624 
1625 static int ipsec_roce_rx_rule_setup(struct mlx5_flow_destination *default_dst,
1626 				    struct mlx5e_ipsec_rx_roce *roce, struct mlx5_core_dev *mdev)
1627 {
1628 	struct mlx5_flow_destination dst = {};
1629 	struct mlx5_flow_act flow_act = {};
1630 	struct mlx5_flow_handle *rule;
1631 	struct mlx5_flow_spec *spec;
1632 	int err = 0;
1633 
1634 	spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
1635 	if (!spec)
1636 		return -ENOMEM;
1637 
1638 	ipsec_roce_setup_udp_dport(spec, ROCE_V2_UDP_DPORT);
1639 
1640 	//flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;//not needed it is added in command
1641 	dst.type = MLX5_FLOW_DESTINATION_TYPE_TABLE_TYPE;
1642 	dst.ft = roce->ft_rdma;
1643 
1644 	flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
1645 	rule = mlx5_add_flow_rules(roce->ft, spec, &flow_act, &dst, 1);
1646 	if (IS_ERR(rule)) {
1647 		err = PTR_ERR(rule);
1648 		mlx5_core_err(mdev, "Fail to add RX roce ipsec rule err=%d\n",
1649 			      err);
1650 		goto fail_add_rule;
1651 	}
1652 
1653 	roce->rule = rule;
1654 
1655 	rule = mlx5_add_flow_rules(roce->ft, NULL, &flow_act, default_dst, 1);
1656 	if (IS_ERR(rule)) {
1657 		err = PTR_ERR(rule);
1658 		mlx5_core_err(mdev, "Fail to add RX roce ipsec miss rule err=%d\n",
1659 			      err);
1660 		goto fail_add_default_rule;
1661 	}
1662 
1663 	roce->roce_miss.rule = rule;
1664 
1665 	kvfree(spec);
1666 	return 0;
1667 
1668 fail_add_default_rule:
1669 	mlx5_del_flow_rules(&roce->rule);
1670 fail_add_rule:
1671 	kvfree(spec);
1672 	return err;
1673 }
1674 
1675 static int ipsec_roce_rx_rules(struct mlx5e_ipsec_rx *rx, struct mlx5_flow_destination *defdst,
1676 			       struct mlx5_core_dev *mdev)
1677 {
1678 	int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in);
1679 	struct mlx5_flow_group *g;
1680 	void *outer_headers_c;
1681 	u32 *in;
1682 	int err = 0;
1683 	int ix = 0;
1684 	u8 *mc;
1685 
1686 	if (!rx->roce.ns_rdma)
1687 		return 0;
1688 
1689 	in = kvzalloc(inlen, GFP_KERNEL);
1690 	if (!in)
1691 		return -ENOMEM;
1692 
1693 	mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria);
1694 	outer_headers_c = MLX5_ADDR_OF(fte_match_param, mc, outer_headers);
1695 	MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, outer_headers_c, ip_protocol);
1696 	MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, outer_headers_c, udp_dport);
1697 
1698 	MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS);
1699 	MLX5_SET_CFG(in, start_flow_index, ix);
1700 	ix += 1;
1701 	MLX5_SET_CFG(in, end_flow_index, ix - 1);
1702 	g = mlx5_create_flow_group(rx->roce.ft, in);
1703 	if (IS_ERR(g)) {
1704 		err = PTR_ERR(g);
1705 		mlx5_core_err(mdev, "Fail to create ipsec rx roce group at nic err=%d\n", err);
1706 		goto fail_group;
1707 	}
1708 	rx->roce.g = g;
1709 
1710 	memset(in, 0, MLX5_ST_SZ_BYTES(create_flow_group_in));
1711 	MLX5_SET_CFG(in, start_flow_index, ix);
1712 	ix += 1;
1713 	MLX5_SET_CFG(in, end_flow_index, ix - 1);
1714 	g = mlx5_create_flow_group(rx->roce.ft, in);
1715 	if (IS_ERR(g)) {
1716 		err = PTR_ERR(g);
1717 		mlx5_core_err(mdev, "Fail to create ipsec rx roce miss group at nic err=%d\n",
1718 			      err);
1719 		goto fail_mgroup;
1720 	}
1721 	rx->roce.roce_miss.group = g;
1722 
1723 	err = ipsec_roce_rx_rule_setup(defdst, &rx->roce, mdev);
1724 	if (err)
1725 		goto fail_setup_rule;
1726 
1727 	kvfree(in);
1728 	return 0;
1729 
1730 fail_setup_rule:
1731 	mlx5_destroy_flow_group(rx->roce.roce_miss.group);
1732 fail_mgroup:
1733 	mlx5_destroy_flow_group(rx->roce.g);
1734 fail_group:
1735 	kvfree(in);
1736 	return err;
1737 }
1738 
1739 static int ipsec_fs_rx_catchall_rules(struct mlx5e_priv *priv,
1740 				      struct mlx5e_ipsec_rx *rx,
1741 				      struct mlx5_flow_destination *defdst)
1742 {
1743 	struct mlx5_core_dev *mdev = priv->mdev;
1744 	struct mlx5_flow_destination dest[2] = {};
1745 	int err = 0;
1746 
1747 	mutex_lock(&rx->ft.mutex);
1748 	/* IPsec RoCE RX rules */
1749 	err = ipsec_roce_rx_rules(rx, defdst, mdev);
1750 	if (err)
1751 		goto out;
1752 
1753 	/* IPsec Rx IP Status table rule */
1754 	dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
1755 	if (rx->roce.ft)
1756 		dest[0].ft = rx->roce.ft;
1757 	else
1758 		dest[0].ft = priv->fts.vlan.t;
1759 
1760 	dest[1].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER;
1761         dest[1].counter_id = mlx5_fc_id(rx->fc->cnt);
1762         err = ipsec_status_rule(mdev, rx, dest);
1763         if (err)
1764                 goto err_roce_rules_destroy;
1765 
1766 	if (!rx->chains) {
1767 		/* IPsec Rx IP policy default miss rule */
1768 		err = ipsec_miss_create(mdev, rx->ft.pol, &rx->pol, defdst);
1769 		if (err)
1770 			goto err_status_rule_destroy;
1771 	}
1772 
1773 	/* FIXME: This is workaround to current design
1774 	 * which installs SA on firt packet. So we need to forward this
1775 	 * packet to the stack. It doesn't work with RoCE and eswitch traffic,
1776 	 */
1777 	err = ipsec_miss_create(mdev, rx->ft.sa, &rx->sa, defdst);
1778 	if (err)
1779 		goto err_status_sa_rule_destroy;
1780 
1781 	mutex_unlock(&rx->ft.mutex);
1782 	return 0;
1783 
1784 err_status_sa_rule_destroy:
1785 	if (!rx->chains) {
1786 		mlx5_del_flow_rules(&rx->pol.rule);
1787 		mlx5_destroy_flow_group(rx->pol.group);
1788 	}
1789 err_status_rule_destroy:
1790 	mlx5_del_flow_rules(&rx->status.rule);
1791 	mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr);
1792 err_roce_rules_destroy:
1793 	ipsec_fs_rx_roce_rules_destroy(&rx->roce);
1794 out:
1795 	mutex_unlock(&rx->ft.mutex);
1796 	return err;
1797 }
1798 
1799 static int ipsec_fs_rx_roce_tables_create(struct mlx5e_ipsec_rx *rx,
1800 					  int rx_init_level, int rdma_init_level)
1801 {
1802 	struct mlx5_flow_table_attr ft_attr = {};
1803 	struct mlx5_flow_table *ft;
1804 	int err = 0;
1805 
1806 	if (!rx->roce.ns_rdma)
1807 		return 0;
1808 
1809 	ft_attr.max_fte = 2;
1810 	ft_attr.level = rx_init_level;
1811 	ft = mlx5_create_flow_table(rx->ns, &ft_attr);
1812 	if (IS_ERR(ft)) {
1813 		err = PTR_ERR(ft);
1814 		return err;
1815 	}
1816 	rx->roce.ft = ft;
1817 
1818 	ft_attr.max_fte = 0;
1819 	ft_attr.level = rdma_init_level;
1820 	ft = mlx5_create_flow_table(rx->roce.ns_rdma, &ft_attr);
1821 	if (IS_ERR(ft)) {
1822 		err = PTR_ERR(ft);
1823 		goto out;
1824 	}
1825 	rx->roce.ft_rdma = ft;
1826 
1827 	return 0;
1828 out:
1829 	mlx5_destroy_flow_table(rx->roce.ft);
1830 	rx->roce.ft = NULL;
1831 	return err;
1832 }
1833 
1834 static int ipsec_fs_rx_table_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx,
1835 				    int rx_init_level, int rdma_init_level)
1836 {
1837 	struct mlx5_flow_namespace *ns = rx->ns;
1838 	struct mlx5_flow_table *ft;
1839 	int err = 0;
1840 
1841 	mutex_lock(&rx->ft.mutex);
1842 
1843 	/* IPsec Rx IP SA table create */
1844 	ft = ipsec_rx_ft_create(ns, rx_init_level + 1, 0, 1);
1845 	if (IS_ERR(ft)) {
1846 		err = PTR_ERR(ft);
1847 		goto out;
1848 	}
1849 	rx->ft.sa = ft;
1850 
1851 	/* IPsec Rx IP Status table create */
1852 	ft = ipsec_rx_ft_create(ns, rx_init_level + 2, 0, 1);
1853 	if (IS_ERR(ft)) {
1854 		err = PTR_ERR(ft);
1855 		goto err_sa_table_destroy;
1856 	}
1857 	rx->ft.status = ft;
1858 
1859 	if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_PRIO) {
1860 		rx->chains = ipsec_chains_create(mdev, rx->ft.sa,
1861 				MLX5_FLOW_NAMESPACE_KERNEL, 0,
1862 				rx_init_level, &rx->ft.pol);
1863 		if (IS_ERR(rx->chains)) {
1864 			err = PTR_ERR(rx->chains);
1865 			goto err_status_table_destroy;
1866 		}
1867 	} else {
1868 		ft = ipsec_rx_ft_create(ns, rx_init_level, 0, 1);
1869 		if (IS_ERR(ft)) {
1870 			err = PTR_ERR(ft);
1871 			goto err_status_table_destroy;
1872 		}
1873 		rx->ft.pol = ft;
1874 	}
1875 
1876 	/* IPsec RoCE RX tables create*/
1877 	err = ipsec_fs_rx_roce_tables_create(rx, rx_init_level + 3,
1878 					     rdma_init_level);
1879 	if (err)
1880 		goto err_pol_table_destroy;
1881 
1882 	goto out;
1883 
1884 err_pol_table_destroy:
1885 	mlx5_destroy_flow_table(rx->ft.pol);
1886 err_status_table_destroy:
1887 	mlx5_destroy_flow_table(rx->ft.status);
1888 err_sa_table_destroy:
1889 	mlx5_destroy_flow_table(rx->ft.sa);
1890 out:
1891 	mutex_unlock(&rx->ft.mutex);
1892 	return err;
1893 }
1894 
1895 #define NIC_RDMA_BOTH_DIRS_CAPS (MLX5_FT_NIC_RX_2_NIC_RX_RDMA | MLX5_FT_NIC_TX_RDMA_2_NIC_TX)
1896 
1897 static void mlx5e_accel_ipsec_fs_init_roce(struct mlx5e_ipsec *ipsec)
1898 {
1899 	struct mlx5_core_dev *mdev = ipsec->mdev;
1900 	struct mlx5_flow_namespace *ns;
1901 
1902 	if ((MLX5_CAP_GEN_2(ipsec->mdev, flow_table_type_2_type) &
1903 	      NIC_RDMA_BOTH_DIRS_CAPS) != NIC_RDMA_BOTH_DIRS_CAPS) {
1904 		mlx5_core_dbg(mdev, "Failed to init roce ns, capabilities not supported\n");
1905 		return;
1906 	}
1907 
1908 	ns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_RDMA_RX_IPSEC);
1909 	if (!ns) {
1910 		mlx5_core_err(mdev, "Failed to init roce rx ns\n");
1911 		return;
1912 	}
1913 
1914 	ipsec->rx_ipv4->roce.ns_rdma = ns;
1915 	ipsec->rx_ipv6->roce.ns_rdma = ns;
1916 
1917 	ns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_RDMA_TX_IPSEC);
1918 	if (!ns) {
1919 		ipsec->rx_ipv4->roce.ns_rdma = NULL;
1920 		ipsec->rx_ipv6->roce.ns_rdma = NULL;
1921 		mlx5_core_err(mdev, "Failed to init roce tx ns\n");
1922 		return;
1923 	}
1924 
1925 	ipsec->tx->roce.ns = ns;
1926 }
1927 
1928 int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
1929 {
1930 	if (sa_entry->attrs.dir == IPSEC_DIR_OUTBOUND)
1931 		return tx_add_rule(sa_entry);
1932 
1933 	return rx_add_rule(sa_entry);
1934 }
1935 
1936 void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
1937 {
1938 	struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule;
1939 	struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry);
1940 
1941 	mlx5_del_flow_rules(&ipsec_rule->rule);
1942 	mlx5_del_flow_rules(&ipsec_rule->kspi_rule);
1943 	if (ipsec_rule->vid_zero_rule != NULL)
1944 		mlx5_del_flow_rules(&ipsec_rule->vid_zero_rule);
1945 	if (ipsec_rule->reqid_rule != NULL)
1946 		mlx5_del_flow_rules(&ipsec_rule->reqid_rule);
1947 	mlx5_fc_destroy(mdev, ipsec_rule->fc);
1948 	mlx5_packet_reformat_dealloc(mdev, ipsec_rule->pkt_reformat);
1949 	if (sa_entry->attrs.dir == IPSEC_DIR_OUTBOUND) {
1950 		tx_ft_put(sa_entry->ipsec);
1951 		return;
1952 	}
1953 
1954 	if (ipsec_rule->modify_hdr != NULL)
1955 		mlx5_modify_header_dealloc(mdev, ipsec_rule->modify_hdr);
1956 }
1957 
1958 int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry)
1959 {
1960 	if (pol_entry->attrs.dir == IPSEC_DIR_OUTBOUND)
1961 		return tx_add_policy(pol_entry);
1962 
1963 	return rx_add_policy(pol_entry);
1964 }
1965 
1966 void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry)
1967 {
1968 	struct mlx5e_ipsec_rule *ipsec_rule = &pol_entry->ipsec_rule;
1969 	struct mlx5_core_dev *mdev = mlx5e_ipsec_pol2dev(pol_entry);
1970 
1971 	mlx5_del_flow_rules(&ipsec_rule->rule);
1972 	if (ipsec_rule->vid_zero_rule != NULL)
1973 		mlx5_del_flow_rules(&ipsec_rule->vid_zero_rule);
1974 
1975 	if (pol_entry->attrs.dir == IPSEC_DIR_INBOUND) {
1976 		struct mlx5e_ipsec_rx *rx;
1977 
1978                 rx = (pol_entry->attrs.family == AF_INET)
1979                          ? pol_entry->ipsec->rx_ipv4
1980                          : pol_entry->ipsec->rx_ipv6;
1981                 if (rx->chains)
1982                         ipsec_chains_put_table(rx->chains,
1983                                                pol_entry->attrs.prio);
1984                 return;
1985 	}
1986 
1987 	if (ipsec_rule->modify_hdr)
1988 		mlx5_modify_header_dealloc(mdev, ipsec_rule->modify_hdr);
1989 
1990 	tx_ft_put_policy(pol_entry->ipsec, pol_entry->attrs.prio);
1991 }
1992 
1993 void mlx5e_accel_ipsec_fs_rx_catchall_rules_destroy(struct mlx5e_priv *priv)
1994 {
1995 	/* Check if IPsec supported */
1996 	if (!priv->ipsec)
1997 		return;
1998 
1999 	ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv4);
2000 	ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv6);
2001 }
2002 
2003 int mlx5e_accel_ipsec_fs_rx_catchall_rules(struct mlx5e_priv *priv)
2004 {
2005 	struct mlx5e_ipsec *ipsec = priv->ipsec;
2006 	struct mlx5_flow_destination dest = {};
2007 	int err = 0;
2008 
2009 	/* Check if IPsec supported */
2010 	if (!ipsec)
2011 		return 0;
2012 
2013 	dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
2014 	dest.ft = priv->fts.vlan.t;
2015 	err = ipsec_fs_rx_catchall_rules(priv, ipsec->rx_ipv6, &dest);
2016 	if (err)
2017 		goto out;
2018 
2019 	err = ipsec_fs_rx_catchall_rules(priv, ipsec->rx_ipv4, &dest);
2020 	if (err)
2021 		ipsec_fs_rx_catchall_rules_destroy(priv->mdev, priv->ipsec->rx_ipv6);
2022 out:
2023 	return err;
2024 }
2025 
2026 void mlx5e_accel_ipsec_fs_rx_tables_destroy(struct mlx5e_priv *priv)
2027 {
2028 	struct mlx5_core_dev *mdev = priv->mdev;
2029 	struct mlx5e_ipsec *ipsec = priv->ipsec;
2030 
2031 	/* Check if IPsec supported */
2032 	if (!ipsec)
2033 		return;
2034 
2035 	ipsec_fs_rx_table_destroy(mdev, ipsec->rx_ipv6);
2036 	ipsec_fs_rx_table_destroy(mdev, ipsec->rx_ipv4);
2037 }
2038 
2039 int mlx5e_accel_ipsec_fs_rx_tables_create(struct mlx5e_priv *priv)
2040 {
2041 	struct mlx5e_ipsec *ipsec = priv->ipsec;
2042 	int err = 0;
2043 
2044 	/* Check if IPsec supported */
2045 	if (!ipsec)
2046 		return 0;
2047 
2048 	err = ipsec_fs_rx_table_create(ipsec->mdev, ipsec->rx_ipv4, 0, 0);
2049 	if (err)
2050 		goto out;
2051 
2052 	err = ipsec_fs_rx_table_create(ipsec->mdev, ipsec->rx_ipv6, 4, 1);
2053 	if (err) {
2054 		ipsec_fs_rx_table_destroy(priv->mdev, ipsec->rx_ipv4);
2055 		goto out;
2056 	}
2057 
2058 	priv->fts.ipsec_ft = priv->ipsec->rx_ipv4->ft.pol;
2059 out:
2060 	return err;
2061 }
2062 
2063 void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec)
2064 {
2065 	WARN_ON(ipsec->tx->ft.refcnt);
2066 	mutex_destroy(&ipsec->rx_ipv6->ft.mutex);
2067 	mutex_destroy(&ipsec->rx_ipv4->ft.mutex);
2068 	mutex_destroy(&ipsec->tx->ft.mutex);
2069 	ipsec_fs_destroy_counters(ipsec);
2070 	kfree(ipsec->rx_ipv6);
2071 	kfree(ipsec->rx_ipv4);
2072 	kfree(ipsec->tx);
2073 }
2074 
2075 int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec)
2076 {
2077 	struct mlx5_flow_namespace *tns, *rns;
2078 	int err = -ENOMEM;
2079 
2080 	tns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_EGRESS_IPSEC);
2081 	if (!tns)
2082 		return -EOPNOTSUPP;
2083 
2084 	rns = mlx5_get_flow_namespace(ipsec->mdev, MLX5_FLOW_NAMESPACE_KERNEL);
2085 	if (!rns)
2086 		return -EOPNOTSUPP;
2087 
2088 	ipsec->tx = kzalloc(sizeof(*ipsec->tx), GFP_KERNEL);
2089 	if (!ipsec->tx)
2090 		return -ENOMEM;
2091 
2092 	ipsec->rx_ipv4 = kzalloc(sizeof(*ipsec->rx_ipv4), GFP_KERNEL);
2093 	if (!ipsec->rx_ipv4)
2094 		goto err_tx;
2095 
2096 	ipsec->rx_ipv6 = kzalloc(sizeof(*ipsec->rx_ipv6), GFP_KERNEL);
2097 	if (!ipsec->rx_ipv6)
2098 		goto err_rx_ipv4;
2099 
2100 	err = ipsec_fs_init_counters(ipsec);
2101 	if (err)
2102 		goto err_rx_ipv6;
2103 
2104 	ipsec->tx->ns = tns;
2105 	mutex_init(&ipsec->tx->ft.mutex);
2106 	ipsec->rx_ipv4->ns = rns;
2107 	ipsec->rx_ipv6->ns = rns;
2108 	mutex_init(&ipsec->rx_ipv4->ft.mutex);
2109 	mutex_init(&ipsec->rx_ipv6->ft.mutex);
2110 
2111 	mlx5e_accel_ipsec_fs_init_roce(ipsec);
2112 
2113 	return 0;
2114 
2115 err_rx_ipv6:
2116 	kfree(ipsec->rx_ipv6);
2117 err_rx_ipv4:
2118 	kfree(ipsec->rx_ipv4);
2119 err_tx:
2120 	kfree(ipsec->tx);
2121 	return err;
2122 }
2123 
2124 void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry)
2125 {
2126         struct mlx5e_ipsec_sa_entry sa_entry_shadow = {};
2127         int err;
2128 
2129         memcpy(&sa_entry_shadow, sa_entry, sizeof(*sa_entry));
2130         memset(&sa_entry_shadow.ipsec_rule, 0x00, sizeof(sa_entry->ipsec_rule));
2131 
2132         err = mlx5e_accel_ipsec_fs_add_rule(&sa_entry_shadow);
2133         if (err)
2134                 return;
2135         mlx5e_accel_ipsec_fs_del_rule(sa_entry);
2136         memcpy(sa_entry, &sa_entry_shadow, sizeof(*sa_entry));
2137 }
2138