
Commit 22551e7

MarkZhang81rleon
authored andcommitted
net/mlx5: Configure IPsec steering for egress RoCEv2 traffic
Add steering table/rule in RDMA_TX domain, to forward all traffic to IPsec crypto table in NIC domain. Signed-off-by: Mark Zhang <[email protected]> Signed-off-by: Patrisious Haddad <[email protected]> Reviewed-by: Raed Salem <[email protected]> Reviewed-by: Leon Romanovsky <[email protected]> Signed-off-by: Saeed Mahameed <[email protected]> Signed-off-by: Leon Romanovsky <[email protected]>
1 parent 8995776 commit 22551e7


4 files changed

+137
-3
lines changed


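--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -334,7 +334,8 @@ static void rx_ft_put(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
 }
 
 /* IPsec TX flow steering */
-static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx)
+static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx,
+struct mlx5_ipsec_fs *roce)
 {
 struct mlx5_flow_destination dest = {};
 struct mlx5_flow_table *ft;
@@ -357,8 +358,15 @@ static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx)
 err = ipsec_miss_create(mdev, tx->ft.pol, &tx->pol, &dest);
 if (err)
 goto err_pol_miss;
+
+err = mlx5_ipsec_fs_roce_tx_create(mdev, roce, tx->ft.pol);
+if (err)
+goto err_roce;
 return 0;
 
+err_roce:
+mlx5_del_flow_rules(tx->pol.rule);
+mlx5_destroy_flow_group(tx->pol.group);
 err_pol_miss:
 mlx5_destroy_flow_table(tx->ft.pol);
 err_pol_ft:
@@ -376,9 +384,10 @@ static struct mlx5e_ipsec_tx *tx_ft_get(struct mlx5_core_dev *mdev,
 if (tx->ft.refcnt)
 goto skip;
 
-err = tx_create(mdev, tx);
+err = tx_create(mdev, tx, ipsec->roce);
 if (err)
 goto out;
+
 skip:
 tx->ft.refcnt++;
 out:
@@ -397,6 +406,7 @@ static void tx_ft_put(struct mlx5e_ipsec *ipsec)
 if (tx->ft.refcnt)
 goto out;
 
+mlx5_ipsec_fs_roce_tx_destroy(ipsec->roce);
 mlx5_del_flow_rules(tx->pol.rule);
 mlx5_destroy_flow_group(tx->pol.group);
 mlx5_destroy_flow_table(tx->ft.pol);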
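Review bot: The teardown order added to tx_ft_put is load-bearing but undocumented: `mlx5_ipsec_fs_roce_tx_destroy(ipsec->roce)` has to run before `mlx5_destroy_flow_table(tx->ft.pol)`, because the RDMA_TX rule created in ipsec_fs_roce.c uses that policy table as its forward destination. A comment above the call, for example `/* RoCE TX rule forwards to tx->ft.pol; remove it before the table is destroyed */`, would stop a later reorder from leaving a steering rule that points at a freed table. It would also help to note at tx_create that `roce` may be NULL, in which case `mlx5_ipsec_fs_roce_tx_create()` returns 0 and no RDMA_TX steering is installed. tx_create, tx_ft_get and tx_ft_put all continue outside the hunks shown.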

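--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
@@ -43,7 +43,8 @@ u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev)
 caps |= MLX5_IPSEC_CAP_PACKET_OFFLOAD;
 
 if (mlx5_get_roce_state(mdev) &&
-(MLX5_CAP_GEN_2(mdev, flow_table_type_2_type) & MLX5_FT_NIC_RX_2_NIC_RX_RDMA))
+MLX5_CAP_GEN_2(mdev, flow_table_type_2_type) & MLX5_FT_NIC_RX_2_NIC_RX_RDMA &&
+MLX5_CAP_GEN_2(mdev, flow_table_type_2_type) & MLX5_FT_NIC_TX_RDMA_2_NIC_TX)
 caps |= MLX5_IPSEC_CAP_ROCE;
 
 if (!caps)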
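Review bot: The rewritten condition in mlx5_ipsec_device_caps drops the parentheses that the old line had around its bitmask test, so the two `&` tests now sit bare between `&&` operators. That is valid C because `&` binds tighter than `&&`, but the grouping is easy to misread in a capability gate. Keeping each test parenthesised, e.g. `(MLX5_CAP_GEN_2(mdev, flow_table_type_2_type) & MLX5_FT_NIC_TX_RDMA_2_NIC_TX)`, makes it explicit. Judging by the flag names, MLX5_IPSEC_CAP_ROCE is now advertised only when both the RX and the TX cross-domain table links exist; a short comment such as `/* RoCE IPsec needs both the RX and the TX table links */` would record why neither bit alone is enough. The function continues outside the hunk.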

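--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec_fs_roce.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec_fs_roce.c
@@ -20,9 +20,17 @@ struct mlx5_ipsec_rx_roce {
 struct mlx5_flow_namespace *ns_rdma;
 };
 
+struct mlx5_ipsec_tx_roce {
+struct mlx5_flow_group *g;
+struct mlx5_flow_table *ft;
+struct mlx5_flow_handle *rule;
+struct mlx5_flow_namespace *ns;
+};
+
 struct mlx5_ipsec_fs {
 struct mlx5_ipsec_rx_roce ipv4_rx;
 struct mlx5_ipsec_rx_roce ipv6_rx;
+struct mlx5_ipsec_tx_roce tx;
 };
 
 static void ipsec_fs_roce_setup_udp_dport(struct mlx5_flow_spec *spec,
@@ -86,6 +94,105 @@ ipsec_fs_roce_rx_rule_setup(struct mlx5_core_dev *mdev,
 return err;
 }
 
+static int ipsec_fs_roce_tx_rule_setup(struct mlx5_core_dev *mdev,
+struct mlx5_ipsec_tx_roce *roce,
+struct mlx5_flow_table *pol_ft)
+{
+struct mlx5_flow_destination dst = {};
+MLX5_DECLARE_FLOW_ACT(flow_act);
+struct mlx5_flow_handle *rule;
+int err = 0;
+
+flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
+dst.type = MLX5_FLOW_DESTINATION_TYPE_TABLE_TYPE;
+dst.ft = pol_ft;
+rule = mlx5_add_flow_rules(roce->ft, NULL, &flow_act, &dst,
+1);
+if (IS_ERR(rule)) {
+err = PTR_ERR(rule);
+mlx5_core_err(mdev, "Fail to add TX RoCE IPsec rule err=%d\n",
+err);
+goto out;
+}
+roce->rule = rule;
+
+out:
+return err;
+}
+
+void mlx5_ipsec_fs_roce_tx_destroy(struct mlx5_ipsec_fs *ipsec_roce)
+{
+struct mlx5_ipsec_tx_roce *tx_roce;
+
+if (!ipsec_roce)
+return;
+
+tx_roce = &ipsec_roce->tx;
+
+mlx5_del_flow_rules(tx_roce->rule);
+mlx5_destroy_flow_group(tx_roce->g);
+mlx5_destroy_flow_table(tx_roce->ft);
+}
+
+#define MLX5_TX_ROCE_GROUP_SIZE BIT(0)
+
+int mlx5_ipsec_fs_roce_tx_create(struct mlx5_core_dev *mdev,
+struct mlx5_ipsec_fs *ipsec_roce,
+struct mlx5_flow_table *pol_ft)
+{
+struct mlx5_flow_table_attr ft_attr = {};
+struct mlx5_ipsec_tx_roce *roce;
+struct mlx5_flow_table *ft;
+struct mlx5_flow_group *g;
+int ix = 0;
+int err;
+u32 *in;
+
+if (!ipsec_roce)
+return 0;
+
+roce = &ipsec_roce->tx;
+
+in = kvzalloc(MLX5_ST_SZ_BYTES(create_flow_group_in), GFP_KERNEL);
+if (!in)
+return -ENOMEM;
+
+ft_attr.max_fte = 1;
+ft = mlx5_create_flow_table(roce->ns, &ft_attr);
+if (IS_ERR(ft)) {
+err = PTR_ERR(ft);
+mlx5_core_err(mdev, "Fail to create RoCE IPsec tx ft err=%d\n", err);
+return err;
+}
+
+roce->ft = ft;
+
+MLX5_SET_CFG(in, start_flow_index, ix);
+ix += MLX5_TX_ROCE_GROUP_SIZE;
+MLX5_SET_CFG(in, end_flow_index, ix - 1);
+g = mlx5_create_flow_group(ft, in);
+if (IS_ERR(g)) {
+err = PTR_ERR(g);
+mlx5_core_err(mdev, "Fail to create RoCE IPsec tx group err=%d\n", err);
+goto fail;
+}
+roce->g = g;
+
+err = ipsec_fs_roce_tx_rule_setup(mdev, roce, pol_ft);
+if (err) {
+mlx5_core_err(mdev, "Fail to create RoCE IPsec tx rules err=%d\n", err);
+goto rule_fail;
+}
+
+return 0;
+
+rule_fail:
+mlx5_destroy_flow_group(roce->g);
+fail:
+mlx5_destroy_flow_table(ft);
+return err;
+}
+
 struct mlx5_flow_table *mlx5_ipsec_fs_roce_ft_get(struct mlx5_ipsec_fs *ipsec_roce, u32 family)
 {
 struct mlx5_ipsec_rx_roce *rx_roce;
@@ -245,5 +352,17 @@ struct mlx5_ipsec_fs *mlx5_ipsec_fs_roce_init(struct mlx5_core_dev *mdev)
 roce_ipsec->ipv4_rx.ns_rdma = ns;
 roce_ipsec->ipv6_rx.ns_rdma = ns;
 
+ns = mlx5_get_flow_namespace(mdev, MLX5_FLOW_NAMESPACE_RDMA_TX_IPSEC);
+if (!ns) {
+mlx5_core_err(mdev, "Failed to get RoCE tx ns\n");
+goto err_tx;
+}
+
+roce_ipsec->tx.ns = ns;
+
 return roce_ipsec;
+
+err_tx:
+kfree(roce_ipsec);
+return NULL;
 }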
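Review bot: mlx5_ipsec_fs_roce_tx_create never releases the `in` buffer it obtains from `kvzalloc()`: the `IS_ERR(ft)` branch returns directly, the `rule_fail`/`fail` unwind only destroys the group and table, and the success path ends in a bare `return 0`. The buffer is used only to pass the group indices to `mlx5_create_flow_group()`, so it should be freed with `kvfree(in)` on every exit. As written, each call leaks kernel memory, and tx_ft_get in ipsec_fs.c appears to reach this function whenever the TX refcount starts from zero, so the leak would recur per create/destroy cycle. The whole function is inside this hunk; the sketch below adds a `free_in` label after the existing unwind labels and frees on success as well.

```c
	if (IS_ERR(ft)) {
		/* … unchanged: err assignment and error log … */
		goto free_in;
	}

	/* … unchanged: flow group creation and rule setup … */

	kvfree(in);
	return 0;

	/* … unchanged: rule_fail and fail labels … */
free_in:
	kvfree(in);
	return err;
```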

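--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec_fs_roce.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec_fs_roce.h
@@ -15,6 +15,10 @@ int mlx5_ipsec_fs_roce_rx_create(struct mlx5_core_dev *mdev,
 struct mlx5_flow_namespace *ns,
 struct mlx5_flow_destination *default_dst,
 u32 family, u32 level, u32 prio);
+void mlx5_ipsec_fs_roce_tx_destroy(struct mlx5_ipsec_fs *ipsec_roce);
+int mlx5_ipsec_fs_roce_tx_create(struct mlx5_core_dev *mdev,
+struct mlx5_ipsec_fs *ipsec_roce,
+struct mlx5_flow_table *pol_ft);
 void mlx5_ipsec_fs_roce_cleanup(struct mlx5_ipsec_fs *ipsec_roce);
 struct mlx5_ipsec_fs *mlx5_ipsec_fs_roce_init(struct mlx5_core_dev *mdev);
 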