net/mlx5e: Support IPsec upper TCP protocol selector

Support TCP as protocol selector for policy and state in IPsec
packet offload mode.

Example of state configuration is as follows:
  ip xfrm state add src 192.168.25.3 dst 192.168.25.1 \
	proto esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' \
	0x54a7588d36873b031e4bd46301be5a86b3a53879 128 mode transport \
	offload packet dev re0 dir in sel src 192.168.25.3 dst 192.168.25.1 \
	proto tcp dport 9003

Acked-by: Raed Salem <raeds@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 2bbe232c2ffa78b852756c024515fc8341fbecad..3b88a8bb7082299c2f5846dc0542dddb98e0abbf 100644 (file)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -440,8 +440,9 @@ static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev,
                return -EINVAL;
        }
 
-       if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP) {
-               NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
+       if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP &&
+           x->sel.proto != IPPROTO_TCP) {
+               NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
                return -EINVAL;
        }
 
@@ -982,8 +983,10 @@ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
                return -EINVAL;
        }
 
-       if (x->selector.proto != IPPROTO_IP && x->selector.proto != IPPROTO_UDP) {
-               NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than UDP");
+       if (x->selector.proto != IPPROTO_IP &&
+           x->selector.proto != IPPROTO_UDP &&
+           x->selector.proto != IPPROTO_TCP) {
+               NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
                return -EINVAL;
        }
 

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
index f5e29b7f5ba0e97fbfe1757d9af937898e345347..a1cfddd05bc4bb46fb0d661bbbd28323f22ae858 100644 (file)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
@@ -936,23 +936,42 @@ static void setup_fte_reg_c4(struct mlx5_flow_spec *spec, u32 reqid)
 
 static void setup_fte_upper_proto_match(struct mlx5_flow_spec *spec, struct upspec *upspec)
 {
-       if (upspec->proto != IPPROTO_UDP)
+       switch (upspec->proto) {
+       case IPPROTO_UDP:
+               if (upspec->dport) {
+                       MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+                                udp_dport, upspec->dport_mask);
+                       MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+                                udp_dport, upspec->dport);
+               }
+               if (upspec->sport) {
+                       MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+                                udp_sport, upspec->sport_mask);
+                       MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+                                udp_sport, upspec->sport);
+               }
+               break;
+       case IPPROTO_TCP:
+               if (upspec->dport) {
+                       MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+                                tcp_dport, upspec->dport_mask);
+                       MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+                                tcp_dport, upspec->dport);
+               }
+               if (upspec->sport) {
+                       MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria,
+                                tcp_sport, upspec->sport_mask);
+                       MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
+                                tcp_sport, upspec->sport);
+               }
+               break;
+       default:
                return;
+       }
 
        spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
        MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, spec->match_criteria, ip_protocol);
        MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, ip_protocol, upspec->proto);
-       if (upspec->dport) {
-               MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_dport,
-                        upspec->dport_mask);
-               MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_dport, upspec->dport);
-       }
-
-       if (upspec->sport) {
-               MLX5_SET(fte_match_set_lyr_2_4, spec->match_criteria, udp_sport,
-                        upspec->sport_mask);
-               MLX5_SET(fte_match_set_lyr_2_4, spec->match_value, udp_sport, upspec->sport);
-       }
 }
 
 static enum mlx5_flow_namespace_type ipsec_fs_get_ns(struct mlx5e_ipsec *ipsec,