[PATCH net-next 0/8] net/mlx5e: Move IPSec policy check after decryption
From: Tariq Toukan
Date: Thu Feb 20 2025 - 16:41:22 EST
Hi,
This series by Jianbo adds IPsec policy check after decryption.
In current mlx5 driver, the policy check is done before decryption for
IPSec crypto and packet offload. This series changes that order to
make it consistent with the processing in kernel xfrm. Besides, RX
state with UPSPEC selector is supported correctly after new steering
table is added after decryption and before the policy check.
Regards,
Tariq
Jianbo Liu (8):
net/mlx5e: Add helper function to update IPSec default destination
net/mlx5e: Change the destination of IPSec RX SA miss rule
net/mlx5e: Add correct match to check IPSec syndromes for switchdev
mode
net/mlx5e: Move IPSec policy check after decryption
net/mlx5e: Skip IPSec RX policy check for crypto offload
net/mlx5e: Add num_reserved_entries param for ipsec_ft_create()
net/mlx5e: Add pass flow group for IPSec RX status table
net/mlx5e: Support RX xfrm state selector's UPSPEC for packet offload
.../net/ethernet/mellanox/mlx5/core/en/fs.h | 4 +-
.../mellanox/mlx5/core/en_accel/ipsec.h | 5 +
.../mellanox/mlx5/core/en_accel/ipsec_fs.c | 620 +++++++++++++++---
.../mellanox/mlx5/core/en_accel/ipsec_stats.c | 1 +
.../mellanox/mlx5/core/esw/ipsec_fs.c | 15 +-
.../mellanox/mlx5/core/esw/ipsec_fs.h | 5 +
include/linux/mlx5/eswitch.h | 2 +
7 files changed, 558 insertions(+), 94 deletions(-)
base-commit: 5d6ba5ab8582aa35c1ee98e47af28e6f6772596c
--
2.45.0