[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

Ilan Tayari ilant at mellanox.com
Wed Jun 28 05:36:05 UTC 2017

> -----Original Message-----
> From: Paul Wouters [mailto:paul at nohats.ca]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
> On Tue, 27 Jun 2017, Antony Antony wrote:
> > I guess this is could be applied. However, please hold on, lets update
> > xfrm.h first.
> >
> > I plan to update linux26/xfrm.h with history from kernel commits.
> > It should happen before this patch. Otherwise it hard to know how upto
> date
> > xfrm.h is.
> >
> > Another comment. It would be nice to add whack option?
> Yes, I noticed the whack part was missing too.
> The only decision to make is if we can just make this auto-detect, so we
> do not have to set an explicit option. If we can detect the capability
> in the kernel and detect the capability in the nic, we could just
> auto-set it with possibly a global disable option in case of fire.

Thanks for the review, Paul!
(Sorry Antony for confusing you with Paul in the other email)

I am not sure you really need the kernel-wide detection, because the per-device
capability implies it.

Look for NETIF_F_HW_ESP.

# ethtool -k ens8
Features for ens8:
esp-hw-offload: on [fixed]
esp-tx-csum-hw-offload: on [fixed]

> Paul

More information about the Swan-dev mailing list