[net-next,v3 7/8] cn10k-ipsec: Allow inline ipsec offload for skb with SA
From: Bharat Bhushan
Date: Tue May 28 2024 - 09:56:28 EST
Allow to use hardware offload for outbound inline ipsec
if security association (SA) is set for a given skb.
Signed-off-by: Bharat Bhushan <bbhushan2@xxxxxxxxxxx>
---
.../ethernet/marvell/octeontx2/nic/cn10k_ipsec.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c
index 1974fda2e0d3..81f1258cd996 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_ipsec.c
@@ -784,9 +784,24 @@ static void cn10k_ipsec_del_state(struct xfrm_state *x)
mutex_unlock(&pf->ipsec.lock);
}
+static bool cn10k_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
+{
+ if (x->props.family == AF_INET) {
+ /* Offload with IPv4 options is not supported yet */
+ if (ip_hdr(skb)->ihl > 5)
+ return false;
+ } else {
+ /* Offload with IPv6 extension headers is not support yet */
+ if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
+ return false;
+ }
+ return true;
+}
+
static const struct xfrmdev_ops cn10k_ipsec_xfrmdev_ops = {
.xdo_dev_state_add = cn10k_ipsec_add_state,
.xdo_dev_state_delete = cn10k_ipsec_del_state,
+ .xdo_dev_offload_ok = cn10k_ipsec_offload_ok,
};
int cn10k_ipsec_ethtool_init(struct net_device *netdev, bool enable)
--
2.34.1