Merge tag 'ipsec-next-2025-03-24' of...

the skb and the intended offload state to ask the driver if the offload

will serviceable.  This can check the packet information to be sure the

offload can be supported (e.g. IPv4 or IPv6, no IPv4 options, etc) and

return true of false to signify its support.

return true or false to signify its support. In case driver doesn't implement

this callback, the stack provides reasonable defaults.

Crypto offload mode:

When ready to send, the driver needs to inspect the Tx packet for the

static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)

{

	struct net_device *real_dev;

	bool ok = false;

	rcu_read_lock();

	real_dev = bond_ipsec_dev(xs);

	if (!real_dev)

		goto out;

	if (!real_dev->xfrmdev_ops ||

	    !real_dev->xfrmdev_ops->xdo_dev_offload_ok ||

	    netif_is_bond_master(real_dev))

		goto out;

	if (!real_dev || netif_is_bond_master(real_dev)) {

		rcu_read_unlock();

		return false;

	}

	ok = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);

out:

	rcu_read_unlock();

	return ok;

	return true;

}

/**

	mutex_unlock(&uld_mutex);

}

static bool cxgb4_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)

{

	struct adapter *adap = netdev2adap(x->xso.dev);

	bool ret = false;

	if (!mutex_trylock(&uld_mutex)) {

		dev_dbg(adap->pdev_dev,

			"crypto uld critical resource is under use\n");

		return ret;

	}

	if (chcr_offload_state(adap, CXGB4_XFRMDEV_OPS))

		goto out_unlock;

	ret = adap->uld[CXGB4_ULD_IPSEC].xfrmdev_ops->xdo_dev_offload_ok(skb, x);

out_unlock:

	mutex_unlock(&uld_mutex);

	return ret;

}

static void cxgb4_advance_esn_state(struct xfrm_state *x)

{

	struct adapter *adap = netdev2adap(x->xso.dev);

	.xdo_dev_state_add      = cxgb4_xfrm_add_state,

	.xdo_dev_state_delete   = cxgb4_xfrm_del_state,

	.xdo_dev_state_free     = cxgb4_xfrm_free_state,

	.xdo_dev_offload_ok     = cxgb4_ipsec_offload_ok,

	.xdo_dev_state_advance_esn = cxgb4_advance_esn_state,

};

static LIST_HEAD(uld_ctx_list);

static DEFINE_MUTEX(dev_mutex);

static bool ch_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x);

static int ch_ipsec_uld_state_change(void *handle, enum cxgb4_state new_state);

static int ch_ipsec_xmit(struct sk_buff *skb, struct net_device *dev);

static void *ch_ipsec_uld_add(const struct cxgb4_lld_info *infop);

	.xdo_dev_state_add      = ch_ipsec_xfrm_add_state,

	.xdo_dev_state_delete   = ch_ipsec_xfrm_del_state,

	.xdo_dev_state_free     = ch_ipsec_xfrm_free_state,

	.xdo_dev_offload_ok     = ch_ipsec_offload_ok,

	.xdo_dev_state_advance_esn = ch_ipsec_advance_esn_state,

};

	module_put(THIS_MODULE);

}

static bool ch_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)

{

	if (x->props.family == AF_INET) {

		/* Offload with IP options is not supported yet */

		if (ip_hdr(skb)->ihl > 5)

			return false;

	} else {

		/* Offload with IPv6 extension headers is not support yet */

		if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))

			return false;

	}

	return true;

}

static void ch_ipsec_advance_esn_state(struct xfrm_state *x)

{

	/* do nothing */

	}

}

/**

 * ixgbe_ipsec_offload_ok - can this packet use the xfrm hw offload

 * @skb: current data packet

 * @xs: pointer to transformer state struct

 **/

static bool ixgbe_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)

{

	if (xs->props.family == AF_INET) {

		/* Offload with IPv4 options is not supported yet */

		if (ip_hdr(skb)->ihl != 5)

			return false;

	} else {

		/* Offload with IPv6 extension headers is not support yet */

		if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))

			return false;

	}

	return true;

}

static const struct xfrmdev_ops ixgbe_xfrmdev_ops = {

	.xdo_dev_state_add = ixgbe_ipsec_add_sa,

	.xdo_dev_state_delete = ixgbe_ipsec_del_sa,

	.xdo_dev_offload_ok = ixgbe_ipsec_offload_ok,

};

/**