7a49d3d4ea
Steffen Klassert says: ==================== pull request (net-next): ipsec-next 2018-07-27 1) Extend the output_mark to also support the input direction and masking the mark values before applying to the skb. 2) Add a new lookup key for the upcomming xfrm interfaces. 3) Extend the xfrm lookups to match xfrm interface IDs. 4) Add virtual xfrm interfaces. The purpose of these interfaces is to overcome the design limitations that the existing VTI devices have. The main limitations that we see with the current VTI are the following: VTI interfaces are L3 tunnels with configurable endpoints. For xfrm, the tunnel endpoint are already determined by the SA. So the VTI tunnel endpoints must be either the same as on the SA or wildcards. In case VTI tunnel endpoints are same as on the SA, we get a one to one correlation between the SA and the tunnel. So each SA needs its own tunnel interface. On the other hand, we can have only one VTI tunnel with wildcard src/dst tunnel endpoints in the system because the lookup is based on the tunnel endpoints. The existing tunnel lookup won't work with multiple tunnels with wildcard tunnel endpoints. Some usecases require more than on VTI tunnel of this type, for example if somebody has multiple namespaces and every namespace requires such a VTI. VTI needs separate interfaces for IPv4 and IPv6 tunnels. So when routing to a VTI, we have to know to which address family this traffic class is going to be encapsulated. This is a lmitation because it makes routing more complex and it is not always possible to know what happens behind the VTI, e.g. when the VTI is move to some namespace. VTI works just with tunnel mode SAs. We need generic interfaces that ensures transfomation, regardless of the xfrm mode and the encapsulated address family. VTI is configured with a combination GRE keys and xfrm marks. With this we have to deal with some extra cases in the generic tunnel lookup because the GRE keys on the VTI are actually not GRE keys, the GRE keys were just reused for something else. All extensions to the VTI interfaces would require to add even more complexity to the generic tunnel lookup. So to overcome this, we developed xfrm interfaces with the following design goal: It should be possible to tunnel IPv4 and IPv6 through the same interface. No limitation on xfrm mode (tunnel, transport and beet). Should be a generic virtual interface that ensures IPsec transformation, no need to know what happens behind the interface. Interfaces should be configured with a new key that must match a new policy/SA lookup key. The lookup logic should stay in the xfrm codebase, no need to change or extend generic routing and tunnel lookups. Should be possible to use IPsec hardware offloads of the underlying interface. 5) Remove xfrm pcpu policy cache. This was added after the flowcache removal, but it turned out to make things even worse. From Florian Westphal. 6) Allow to update the set mark on SA updates. From Nathan Harold. 7) Convert some timestamps to time64_t. From Arnd Bergmann. 8) Don't check the offload_handle in xfrm code, it is an opaque data cookie for the driver. From Shannon Nelson. 9) Remove xfrmi interface ID from flowi. After this pach no generic code is touched anymore to do xfrm interface lookups. From Benedict Wong. 10) Allow to update the xfrm interface ID on SA updates. From Nathan Harold. 11) Don't pass zero to ERR_PTR() in xfrm_resolve_and_create_bundle. From YueHaibing. 12) Return more detailed errors on xfrm interface creation. From Benedict Wong. 13) Use PTR_ERR_OR_ZERO instead of IS_ERR + PTR_ERR. From the kbuild test robot. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
310 lines
7.0 KiB
C
310 lines
7.0 KiB
C
/*
|
|
* IPV6 GSO/GRO offload support
|
|
* Linux INET implementation
|
|
*
|
|
* Copyright (C) 2016 secunet Security Networks AG
|
|
* Author: Steffen Klassert <steffen.klassert@secunet.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms and conditions of the GNU General Public License,
|
|
* version 2, as published by the Free Software Foundation.
|
|
*
|
|
* ESP GRO support
|
|
*/
|
|
|
|
#include <linux/skbuff.h>
|
|
#include <linux/init.h>
|
|
#include <net/protocol.h>
|
|
#include <crypto/aead.h>
|
|
#include <crypto/authenc.h>
|
|
#include <linux/err.h>
|
|
#include <linux/module.h>
|
|
#include <net/ip.h>
|
|
#include <net/xfrm.h>
|
|
#include <net/esp.h>
|
|
#include <linux/scatterlist.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/spinlock.h>
|
|
#include <net/ip6_route.h>
|
|
#include <net/ipv6.h>
|
|
#include <linux/icmpv6.h>
|
|
|
|
static __u16 esp6_nexthdr_esp_offset(struct ipv6hdr *ipv6_hdr, int nhlen)
|
|
{
|
|
int off = sizeof(struct ipv6hdr);
|
|
struct ipv6_opt_hdr *exthdr;
|
|
|
|
if (likely(ipv6_hdr->nexthdr == NEXTHDR_ESP))
|
|
return offsetof(struct ipv6hdr, nexthdr);
|
|
|
|
while (off < nhlen) {
|
|
exthdr = (void *)ipv6_hdr + off;
|
|
if (exthdr->nexthdr == NEXTHDR_ESP)
|
|
return off;
|
|
|
|
off += ipv6_optlen(exthdr);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static struct sk_buff *esp6_gro_receive(struct list_head *head,
|
|
struct sk_buff *skb)
|
|
{
|
|
int offset = skb_gro_offset(skb);
|
|
struct xfrm_offload *xo;
|
|
struct xfrm_state *x;
|
|
__be32 seq;
|
|
__be32 spi;
|
|
int nhoff;
|
|
int err;
|
|
|
|
if (!pskb_pull(skb, offset))
|
|
return NULL;
|
|
|
|
if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
|
|
goto out;
|
|
|
|
xo = xfrm_offload(skb);
|
|
if (!xo || !(xo->flags & CRYPTO_DONE)) {
|
|
err = secpath_set(skb);
|
|
if (err)
|
|
goto out;
|
|
|
|
if (skb->sp->len == XFRM_MAX_DEPTH)
|
|
goto out;
|
|
|
|
x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
|
|
(xfrm_address_t *)&ipv6_hdr(skb)->daddr,
|
|
spi, IPPROTO_ESP, AF_INET6);
|
|
if (!x)
|
|
goto out;
|
|
|
|
skb->sp->xvec[skb->sp->len++] = x;
|
|
skb->sp->olen++;
|
|
|
|
xo = xfrm_offload(skb);
|
|
if (!xo) {
|
|
xfrm_state_put(x);
|
|
goto out;
|
|
}
|
|
}
|
|
|
|
xo->flags |= XFRM_GRO;
|
|
|
|
nhoff = esp6_nexthdr_esp_offset(ipv6_hdr(skb), offset);
|
|
if (!nhoff)
|
|
goto out;
|
|
|
|
IP6CB(skb)->nhoff = nhoff;
|
|
XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
|
|
XFRM_SPI_SKB_CB(skb)->family = AF_INET6;
|
|
XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
|
|
XFRM_SPI_SKB_CB(skb)->seq = seq;
|
|
|
|
/* We don't need to handle errors from xfrm_input, it does all
|
|
* the error handling and frees the resources on error. */
|
|
xfrm_input(skb, IPPROTO_ESP, spi, -2);
|
|
|
|
return ERR_PTR(-EINPROGRESS);
|
|
out:
|
|
skb_push(skb, offset);
|
|
NAPI_GRO_CB(skb)->same_flow = 0;
|
|
NAPI_GRO_CB(skb)->flush = 1;
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static void esp6_gso_encap(struct xfrm_state *x, struct sk_buff *skb)
|
|
{
|
|
struct ip_esp_hdr *esph;
|
|
struct ipv6hdr *iph = ipv6_hdr(skb);
|
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
|
int proto = iph->nexthdr;
|
|
|
|
skb_push(skb, -skb_network_offset(skb));
|
|
esph = ip_esp_hdr(skb);
|
|
*skb_mac_header(skb) = IPPROTO_ESP;
|
|
|
|
esph->spi = x->id.spi;
|
|
esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
|
|
|
|
xo->proto = proto;
|
|
}
|
|
|
|
static struct sk_buff *esp6_gso_segment(struct sk_buff *skb,
|
|
netdev_features_t features)
|
|
{
|
|
struct xfrm_state *x;
|
|
struct ip_esp_hdr *esph;
|
|
struct crypto_aead *aead;
|
|
netdev_features_t esp_features = features;
|
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
|
|
|
if (!xo)
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
x = skb->sp->xvec[skb->sp->len - 1];
|
|
aead = x->data;
|
|
esph = ip_esp_hdr(skb);
|
|
|
|
if (esph->spi != x->id.spi)
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
if (!pskb_may_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead)))
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
__skb_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead));
|
|
|
|
skb->encap_hdr_csum = 1;
|
|
|
|
if (!(features & NETIF_F_HW_ESP) || x->xso.dev != skb->dev)
|
|
esp_features = features & ~(NETIF_F_SG | NETIF_F_CSUM_MASK);
|
|
else if (!(features & NETIF_F_HW_ESP_TX_CSUM))
|
|
esp_features = features & ~NETIF_F_CSUM_MASK;
|
|
|
|
xo->flags |= XFRM_GSO_SEGMENT;
|
|
|
|
return x->outer_mode->gso_segment(x, skb, esp_features);
|
|
}
|
|
|
|
static int esp6_input_tail(struct xfrm_state *x, struct sk_buff *skb)
|
|
{
|
|
struct crypto_aead *aead = x->data;
|
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
|
|
|
if (!pskb_may_pull(skb, sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead)))
|
|
return -EINVAL;
|
|
|
|
if (!(xo->flags & CRYPTO_DONE))
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
|
|
return esp6_input_done2(skb, 0);
|
|
}
|
|
|
|
static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_t features)
|
|
{
|
|
int len;
|
|
int err;
|
|
int alen;
|
|
int blksize;
|
|
struct xfrm_offload *xo;
|
|
struct ip_esp_hdr *esph;
|
|
struct crypto_aead *aead;
|
|
struct esp_info esp;
|
|
bool hw_offload = true;
|
|
__u32 seq;
|
|
|
|
esp.inplace = true;
|
|
|
|
xo = xfrm_offload(skb);
|
|
|
|
if (!xo)
|
|
return -EINVAL;
|
|
|
|
if (!(features & NETIF_F_HW_ESP) || x->xso.dev != skb->dev) {
|
|
xo->flags |= CRYPTO_FALLBACK;
|
|
hw_offload = false;
|
|
}
|
|
|
|
esp.proto = xo->proto;
|
|
|
|
/* skb is pure payload to encrypt */
|
|
|
|
aead = x->data;
|
|
alen = crypto_aead_authsize(aead);
|
|
|
|
esp.tfclen = 0;
|
|
/* XXX: Add support for tfc padding here. */
|
|
|
|
blksize = ALIGN(crypto_aead_blocksize(aead), 4);
|
|
esp.clen = ALIGN(skb->len + 2 + esp.tfclen, blksize);
|
|
esp.plen = esp.clen - skb->len - esp.tfclen;
|
|
esp.tailen = esp.tfclen + esp.plen + alen;
|
|
|
|
if (!hw_offload || (hw_offload && !skb_is_gso(skb))) {
|
|
esp.nfrags = esp6_output_head(x, skb, &esp);
|
|
if (esp.nfrags < 0)
|
|
return esp.nfrags;
|
|
}
|
|
|
|
seq = xo->seq.low;
|
|
|
|
esph = ip_esp_hdr(skb);
|
|
esph->spi = x->id.spi;
|
|
|
|
skb_push(skb, -skb_network_offset(skb));
|
|
|
|
if (xo->flags & XFRM_GSO_SEGMENT) {
|
|
esph->seq_no = htonl(seq);
|
|
|
|
if (!skb_is_gso(skb))
|
|
xo->seq.low++;
|
|
else
|
|
xo->seq.low += skb_shinfo(skb)->gso_segs;
|
|
}
|
|
|
|
esp.seqno = cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32));
|
|
|
|
len = skb->len - sizeof(struct ipv6hdr);
|
|
if (len > IPV6_MAXPLEN)
|
|
len = 0;
|
|
|
|
ipv6_hdr(skb)->payload_len = htons(len);
|
|
|
|
if (hw_offload)
|
|
return 0;
|
|
|
|
err = esp6_output_tail(x, skb, &esp);
|
|
if (err)
|
|
return err;
|
|
|
|
secpath_reset(skb);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static const struct net_offload esp6_offload = {
|
|
.callbacks = {
|
|
.gro_receive = esp6_gro_receive,
|
|
.gso_segment = esp6_gso_segment,
|
|
},
|
|
};
|
|
|
|
static const struct xfrm_type_offload esp6_type_offload = {
|
|
.description = "ESP6 OFFLOAD",
|
|
.owner = THIS_MODULE,
|
|
.proto = IPPROTO_ESP,
|
|
.input_tail = esp6_input_tail,
|
|
.xmit = esp6_xmit,
|
|
.encap = esp6_gso_encap,
|
|
};
|
|
|
|
static int __init esp6_offload_init(void)
|
|
{
|
|
if (xfrm_register_type_offload(&esp6_type_offload, AF_INET6) < 0) {
|
|
pr_info("%s: can't add xfrm type offload\n", __func__);
|
|
return -EAGAIN;
|
|
}
|
|
|
|
return inet6_add_offload(&esp6_offload, IPPROTO_ESP);
|
|
}
|
|
|
|
static void __exit esp6_offload_exit(void)
|
|
{
|
|
if (xfrm_unregister_type_offload(&esp6_type_offload, AF_INET6) < 0)
|
|
pr_info("%s: can't remove xfrm type offload\n", __func__);
|
|
|
|
inet6_del_offload(&esp6_offload, IPPROTO_ESP);
|
|
}
|
|
|
|
module_init(esp6_offload_init);
|
|
module_exit(esp6_offload_exit);
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
|
|
MODULE_ALIAS_XFRM_OFFLOAD_TYPE(AF_INET6, XFRM_PROTO_ESP);
|