Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7785bba2 authored by Steffen Klassert's avatar Steffen Klassert
Browse files

esp: Add a software GRO codepath



This patch adds GRO ifrastructure and callbacks for ESP on
ipv4 and ipv6.

In case the GRO layer detects an ESP packet, the
esp{4,6}_gro_receive() function does a xfrm state lookup
and calls the xfrm input layer if it finds a matching state.
The packet will be decapsulated and reinjected it into layer 2.

Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent 54ef207a
Loading
Loading
Loading
Loading
+1 −0
Original line number Original line Diff line number Diff line
@@ -682,6 +682,7 @@ struct xfrm_spi_skb_cb {


	unsigned int daddroff;
	unsigned int daddroff;
	unsigned int family;
	unsigned int family;
	__be32 seq;
};
};


#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
+13 −0
Original line number Original line Diff line number Diff line
@@ -360,6 +360,19 @@ config INET_ESP


	  If unsure, say Y.
	  If unsure, say Y.


config INET_ESP_OFFLOAD
	tristate "IP: ESP transformation offload"
	depends on INET_ESP
	select XFRM_OFFLOAD
	default n
	---help---
	  Support for ESP transformation offload. This makes sense
	  only if this system really does IPsec and want to do it
	  with high throughput. A typical desktop system does not
	  need it, even if it does IPsec.

	  If unsure, say N.

config INET_IPCOMP
config INET_IPCOMP
	tristate "IP: IPComp transformation"
	tristate "IP: IPComp transformation"
	select INET_XFRM_TUNNEL
	select INET_XFRM_TUNNEL
+1 −0
Original line number Original line Diff line number Diff line
@@ -29,6 +29,7 @@ obj-$(CONFIG_NET_IPVTI) += ip_vti.o
obj-$(CONFIG_SYN_COOKIES) += syncookies.o
obj-$(CONFIG_SYN_COOKIES) += syncookies.o
obj-$(CONFIG_INET_AH) += ah4.o
obj-$(CONFIG_INET_AH) += ah4.o
obj-$(CONFIG_INET_ESP) += esp4.o
obj-$(CONFIG_INET_ESP) += esp4.o
obj-$(CONFIG_INET_ESP_OFFLOAD) += esp4_offload.o
obj-$(CONFIG_INET_IPCOMP) += ipcomp.o
obj-$(CONFIG_INET_IPCOMP) += ipcomp.o
obj-$(CONFIG_INET_XFRM_TUNNEL) += xfrm4_tunnel.o
obj-$(CONFIG_INET_XFRM_TUNNEL) += xfrm4_tunnel.o
obj-$(CONFIG_INET_XFRM_MODE_BEET) += xfrm4_mode_beet.o
obj-$(CONFIG_INET_XFRM_MODE_BEET) += xfrm4_mode_beet.o
+106 −0
Original line number Original line Diff line number Diff line
/*
 * IPV4 GSO/GRO offload support
 * Linux INET implementation
 *
 * Copyright (C) 2016 secunet Security Networks AG
 * Author: Steffen Klassert <steffen.klassert@secunet.com>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
 * version 2, as published by the Free Software Foundation.
 *
 * ESP GRO support
 */

#include <linux/skbuff.h>
#include <linux/init.h>
#include <net/protocol.h>
#include <crypto/aead.h>
#include <crypto/authenc.h>
#include <linux/err.h>
#include <linux/module.h>
#include <net/ip.h>
#include <net/xfrm.h>
#include <net/esp.h>
#include <linux/scatterlist.h>
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <net/udp.h>

static struct sk_buff **esp4_gro_receive(struct sk_buff **head,
					 struct sk_buff *skb)
{
	int offset = skb_gro_offset(skb);
	struct xfrm_offload *xo;
	struct xfrm_state *x;
	__be32 seq;
	__be32 spi;
	int err;

	skb_pull(skb, offset);

	if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
		goto out;

	err = secpath_set(skb);
	if (err)
		goto out;

	if (skb->sp->len == XFRM_MAX_DEPTH)
		goto out;

	x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
			      (xfrm_address_t *)&ip_hdr(skb)->daddr,
			      spi, IPPROTO_ESP, AF_INET);
	if (!x)
		goto out;

	skb->sp->xvec[skb->sp->len++] = x;
	skb->sp->olen++;

	xo = xfrm_offload(skb);
	if (!xo) {
		xfrm_state_put(x);
		goto out;
	}
	xo->flags |= XFRM_GRO;

	XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
	XFRM_SPI_SKB_CB(skb)->family = AF_INET;
	XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
	XFRM_SPI_SKB_CB(skb)->seq = seq;

	/* We don't need to handle errors from xfrm_input, it does all
	 * the error handling and frees the resources on error. */
	xfrm_input(skb, IPPROTO_ESP, spi, -2);

	return ERR_PTR(-EINPROGRESS);
out:
	skb_push(skb, offset);
	NAPI_GRO_CB(skb)->same_flow = 0;
	NAPI_GRO_CB(skb)->flush = 1;

	return NULL;
}

static const struct net_offload esp4_offload = {
	.callbacks = {
		.gro_receive = esp4_gro_receive,
	},
};

static int __init esp4_offload_init(void)
{
	return inet_add_offload(&esp4_offload, IPPROTO_ESP);
}

static void __exit esp4_offload_exit(void)
{
	inet_del_offload(&esp4_offload, IPPROTO_ESP);
}

module_init(esp4_offload_init);
module_exit(esp4_offload_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
+6 −0
Original line number Original line Diff line number Diff line
@@ -40,6 +40,7 @@ static inline int xfrm4_rcv_encap_finish(struct net *net, struct sock *sk,


int xfrm4_transport_finish(struct sk_buff *skb, int async)
int xfrm4_transport_finish(struct sk_buff *skb, int async)
{
{
	struct xfrm_offload *xo = xfrm_offload(skb);
	struct iphdr *iph = ip_hdr(skb);
	struct iphdr *iph = ip_hdr(skb);


	iph->protocol = XFRM_MODE_SKB_CB(skb)->protocol;
	iph->protocol = XFRM_MODE_SKB_CB(skb)->protocol;
@@ -53,6 +54,11 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
	iph->tot_len = htons(skb->len);
	iph->tot_len = htons(skb->len);
	ip_send_check(iph);
	ip_send_check(iph);


	if (xo && (xo->flags & XFRM_GRO)) {
		skb_mac_header_rebuild(skb);
		return 0;
	}

	NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING,
	NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING,
		dev_net(skb->dev), NULL, skb, skb->dev, NULL,
		dev_net(skb->dev), NULL, skb, skb->dev, NULL,
		xfrm4_rcv_encap_finish);
		xfrm4_rcv_encap_finish);
Loading