[Swan-dev] [libreswan RFC 2/3] pluto, whack: Add nic-offload 'auto' mode

Mon Jul 31 16:34:12 UTC 2017

> -----Original Message-----
> From: Paul Wouters [mailto:paul at nohats.ca]
> Subject: RE: [libreswan RFC 2/3] pluto, whack: Add nic-offload 'auto' mode
> 
> On Mon, 31 Jul 2017, Ilan Tayari wrote:
> 
> >> For the second and the third patch here is my suggestion.
> >>
> >> no|yes|auto is probably better keywords in the libreswan context.
> >> Libreswan do not use first letter capitalizing as you proposed.
> >
> > Sure, no problem, I'll change in v2
> >
> >>
> >> I am not sure about making auto default. Paul would ethtool detection
> work
> >> on RHEL 6.x?  Ilan have tested this on RHEL/CentOS 6.x, without a
> Mellanox
> >> NIC?
> >
> > It's designed to be compatible anywhere ethtool -k works.
> > This was introduced around kernel 2.6.38, circa 2011
> 
> We do still have embedded people, and people on 2.4.x kernels. I think
> it is safe to assume that if these detection routines fail, we go back
> to being "no" without attempting to add_sa() twice for each IPsec SA?

Yes, code will treat lack of ETH_SS_FEATURES as if kernel does not
support the feature (e.g. auto=no)

> 
> > On a machine with older kernel (prior to 4.11), it detects lack of the
> capability.
> > On machine with newer kernel, but incapable NIC, it also detects lack of
> the capability.
> >
> > In both cases, 'auto' behaves as 'no'
> >
> > Paul, can you comment on this behavior?
> 
> That sounds good with me. It is important that we do not do these checks
> every SA and that we detect the lack of capability in the kernel once on
> startup. Otherwise, it will cause a delay for each tunnel, which adds up
> if you run thousands+ tunnels. So the only add_sa() retry without
> offload should happen when we see unexpected errors from a supported
> card.

The kernel-wide check is done once only.

Unfortunately it cannot be done on init because the IOCTL requires a real
device even though it checks for kernel-wide support.
So I deferred it to the time an SA is installed, but only if it wasn't
checked already.

The per-device check is done every time an SA is installed (a single ioctl)
but only if the kernel-wide support exists.
Each SA might be on a different device, so it must happen at least once
per device.
I didn't want to cache these per-device, do you think it's a good idea?

I tend to think handling such cache is more trouble than gain in this case.

> 
> Are any of the NIC cards that support this offload hotpluggable? If not,
> we could also ensure this is only probed on startup.

They very well might be.
I see no incentive to rule this out even though such a use case boggles my
mind.

> 
> I'll reread through the patches again - it's been a while. But I think
> we are in good shape for them, as long we can still compile on older
> systems, so we should make sure we agree on when to use our own copy
> of xfrm.h / {rt}netlink.h and when to use our bundled versions. AFAIK,
> these files are always backwards compatible, so we can always use a
> newer version, except the kernel might not support all options we are
> aware of.

Please do review them, if you can.
Thanks!