Commit 62fdd170 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'ipsec-next-2024-07-13' of... 

Merge tag 'ipsec-next-2024-07-13' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

Steffen Klassert says:

====================
pull request (net-next): ipsec-next 2024-07-13

1) Support sending NAT keepalives in ESP in UDP states.
   Userspace IKE daemon had to do this before, but the
   kernel can better keep track of it.
   From Eyal Birger.

2) Support IPsec crypto offload for IPv6 ESP and IPv4 UDP-encapsulated
   ESP data paths. Currently, IPsec crypto offload is enabled for GRO
   code path only. This patchset support UDP encapsulation for the non
   GRO path. From Mike Yu.

* tag 'ipsec-next-2024-07-13' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next:
  xfrm: Support crypto offload for outbound IPv4 UDP-encapsulated ESP packet
  xfrm: Support crypto offload for inbound IPv4 UDP-encapsulated ESP packet
  xfrm: Allow UDP encapsulation in crypto offload control path
  xfrm: Support crypto offload for inbound IPv6 ESP packets not in GRO path
  xfrm: support sending NAT keepalives in ESP in UDP states
====================

Link: https://patch.msgid.link/20240713102416.3272997-1-steffen.klassert@secunet.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents ecb1e1dc d5b60c65

include/net/ipv6_stubs.h

+3 −0
Original line number Diff line number Diff line
@@ -9,6 +9,7 @@ 
#include <net/flow.h>

#include <net/neighbour.h>

#include <net/sock.h>

#include <net/ipv6.h>



/* structs from net/ip6_fib.h */

struct fib6_info;
@@ -72,6 +73,8 @@ struct ipv6_stub { 
			     int (*output)(struct net *, struct sock *, struct sk_buff *));

	struct net_device *(*ipv6_dev_find)(struct net *net, const struct in6_addr *addr,

					    struct net_device *dev);

	int (*ip6_xmit)(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,

			__u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority);

};

extern const struct ipv6_stub *ipv6_stub __read_mostly;

include/net/netns/xfrm.h

+1 −0
Original line number Diff line number Diff line
@@ -83,6 +83,7 @@ struct netns_xfrm { 


	spinlock_t xfrm_policy_lock;

	struct mutex xfrm_cfg_mutex;

	struct delayed_work	nat_keepalive_work;

};



#endif

include/net/xfrm.h

+10 −0
Original line number Diff line number Diff line
@@ -229,6 +229,10 @@ struct xfrm_state { 
	struct xfrm_encap_tmpl	*encap;

	struct sock __rcu	*encap_sk;



	/* NAT keepalive */

	u32			nat_keepalive_interval; /* seconds */

	time64_t		nat_keepalive_expiration;



	/* Data for care-of address */

	xfrm_address_t	*coaddr;
@@ -2203,4 +2207,10 @@ static inline int register_xfrm_state_bpf(void) 
}

#endif



int xfrm_nat_keepalive_init(unsigned short family);

void xfrm_nat_keepalive_fini(unsigned short family);

int xfrm_nat_keepalive_net_init(struct net *net);

int xfrm_nat_keepalive_net_fini(struct net *net);

void xfrm_nat_keepalive_state_updated(struct xfrm_state *x);



#endif	/* _NET_XFRM_H */

include/uapi/linux/xfrm.h

+1 −0
Original line number Diff line number Diff line
@@ -321,6 +321,7 @@ enum xfrm_attr_type_t { 
	XFRMA_IF_ID,		/* __u32 */

	XFRMA_MTIMER_THRESH,	/* __u32 in seconds for input SA */

	XFRMA_SA_DIR,		/* __u8 */

	XFRMA_NAT_KEEPALIVE_INTERVAL,	/* __u32 in seconds for NAT keepalive */

	__XFRMA_MAX



#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK	/* Compatibility */

net/ipv4/esp4.c

+7 −1
Original line number Diff line number Diff line
@@ -349,6 +349,7 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, 
{

	struct udphdr *uh;

	unsigned int len;

	struct xfrm_offload *xo = xfrm_offload(skb);



	len = skb->len + esp->tailen - skb_transport_offset(skb);

	if (len + sizeof(struct iphdr) > IP_MAX_MTU)
@@ -360,6 +361,11 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, 
	uh->len = htons(len);

	uh->check = 0;



	/* For IPv4 ESP with UDP encapsulation, if xo is not null, the skb is in the crypto offload

	 * data path, which means that esp_output_udp_encap is called outside of the XFRM stack.

	 * In this case, the mac header doesn't point to the IPv4 protocol field, so don't set it.

	 */

	if (!xo || encap_type != UDP_ENCAP_ESPINUDP)

		*skb_mac_header(skb) = IPPROTO_UDP;



	return (struct ip_esp_hdr *)(uh + 1);