[Swan-dev] Libreswan nic-offload automatic and fallback

Ilan Tayari ilant at mellanox.com
Wed Jul 5 11:10:24 UTC 2017


> -----Original Message-----
> From: Antony Antony [mailto:antony at phenome.org]
> Subject: Re: Libreswan nic-offload automatic and fallback
> 
> On Tue, Jul 04, 2017 at 01:58:51PM +0000, Ilan Tayari wrote:
> > Hi Paul, Antony, and all,
> >
> > I want to discuss an improvement to the basic Libreswan nic-offload feature.
> >
> > We (Mellanox) propose the following change:
> > * Upgrade the nic-offload configuration option from bool to tristate enum:
> > 	* Never – old behavior, never attempt to perform nic-offload.
> > 	* Always – current "nic-offload=yes" behavior, e.g. always attempt to
> > 	           perform nic-offload and fail if it doesn't work.
> > 	* Auto – new behavior:
> > 		* Attempt nic-offload only if the NIC has the capability
> > 		  (NETIF_F_HW_ESP). If NIC doesn't have the capability then don't
> > 		  attempt nic offload.
> > 		* Fall back to regular SA if NIC offload fails (and log this)
> 
> If this is accessible from userland it is a good idea.
> How does a process, pluto, check NETIF_F_HW_ESP support for an interface?

I'm looking for an easy way to do this, without messing too much with
ETHTOOL_GFEATURES. But it might be the only option.

> 
> > This would work with the existing kernel interface.
> 
> Also would NETIF_F_HW_ESP work on older kernels, at least CentOS 6.x? Or
> need ifdef for newer version?

The flag will never be set on older kernels.

> 
> > If in the future we will have an API to query algos/modes supported, we
> > can extend "Auto" mode to use it, and not attempt something that is bound
> > to fail.
> >
> > Also, I believe we can have "Auto" as the default.
> >
> > Please reply with your comments,
> 
> I had a similar thought before reading about NETIF_F_HW_ESP.
> A tristate option yes|no|only
> 
> yes - offload and if add_sa return -EINVAL fallback without
> XFRMA_OFFLOAD_DEV.
> 
> no  - don't send XFRMA_OFFLOAD_DEV in add_sa
> always - send XFRMA_OFFLOAD_DEV in add_sa and if this fails don't attempt
> install SA without XFRM_OFFLOAD.
> 
> I am not sure what would be the good default. I guess it depends what
> older kernel will do with XFRMA_OFFLOAD_DEV in add_sa and when probing
> NETIF_F_HW_ESP. I didn't test this yet.

Older kernel ignores unrecognized attributes? I'll check this. 
But note that this only matters for "always", not for "auto".

Ilan.

