[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

Antony Antony antony at phenome.org
Thu Jun 29 09:31:49 UTC 2017


Hi Ilan,
Here are a couple of proposed changes, untested, after a closer review.

1. rename option to "nic-offload". Libreswan is moving away from "_"
2. whack --nic-offload
3. nic-offload:yes;  in "ipsec status" connection output
4. there is one coding style change I made.

On Wed, Jun 28, 2017 at 05:31:06AM +0000, Ilan Tayari wrote:
> > I guess this is could be applied. However, please hold on, lets update
> > xfrm.h first.
> > 
> > I plan to update linux26/xfrm.h with history from kernel commits.
> > It should happen before this patch. Otherwise it is hard to know how up to
> > date xfrm.h is.

> Yes, I suppose xfrm.h update should come separately and before.
> I don't mind rebasing and re-submitting after you do that.
> Do you have an approximation when this would happen?

I pushed this change yesterday. Rebase should work.

> > Another comment. It would be nice to add whack option?
> 
> I'll take some time to understand whack better and come up with something.
> You're talking about the command line tool, right?

see the attached proposed patches. They are not tested; I don't have a card.

regards,
-antony 
-------------- next part --------------
>From 00ab206ec16096284632d77050ed0c423841977a Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Wed, 28 Jun 2017 14:59:31 +0200
Subject: [PATCH 1/3] pluto: rename hw_offload to nic-offload

Signed-off-by: Antony Antony <antony at phenome.org>
---
 include/ipsecconf/keywords.h    | 2 +-
 include/whack.h                 | 2 +-
 lib/libipsecconf/confread.c     | 2 +-
 lib/libipsecconf/keywords.c     | 2 +-
 lib/libipsecconf/starterwhack.c | 2 +-
 programs/pluto/connections.c    | 2 +-
 programs/pluto/connections.h    | 2 +-
 programs/pluto/kernel.c         | 6 +++---
 programs/pluto/kernel.h         | 4 ++--
 programs/pluto/kernel_netlink.c | 4 ++--
 programs/whack/whack.c          | 2 +-
 11 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 948ac40..6894b63 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -159,7 +159,7 @@ enum keyword_numeric_config_field {
 	KBF_SECCOMP,		/* set SECCOMP mode */
 	KBF_VTI_ROUTING,	/* let updown do routing into VTI device */
 	KBF_VTI_SHARED,		/* VTI device is shared - enable checks and disable cleanup */
-	KBF_HW_OFFLOAD,		/* HW offload on network device */
+	KBF_NIC_OFFLOAD,	/* xfrm offload to network device */
 	KBF_MAX
 };
 
diff --git a/include/whack.h b/include/whack.h
index fd96053..9e8a15a 100644
--- a/include/whack.h
+++ b/include/whack.h
@@ -155,7 +155,7 @@ struct whack_message {
 	unsigned long sa_replay_window;
 	deltatime_t r_timeout; /* in secs */
 	unsigned long  r_interval; /* in msec */
-	bool hw_offload;
+	bool nic_offload;
 
 	/* For IKEv1 RFC 3706 - Dead Peer Detection */
 	deltatime_t dpd_delay;
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 1396728..8a3bb5e 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -150,7 +150,7 @@ void ipsecconf_default_values(struct starter_config *cfg)
 		POLICY_IKE_FRAG_ALLOW |      /* ike_frag=yes */
 		POLICY_ESN_NO;      /* esn=no */
 
-	cfg->conn_default.options[KBF_HW_OFFLOAD] = FALSE;
+	cfg->conn_default.options[KBF_NIC_OFFLOAD] = FALSE;
 	cfg->conn_default.options[KBF_IKELIFETIME] = IKE_SA_LIFETIME_DEFAULT;
 
 	cfg->conn_default.options[KBF_REPLAY_WINDOW] = IPSEC_SA_DEFAULT_REPLAY_WINDOW;
diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c
index 6f69a18..a2f554f 100644
--- a/lib/libipsecconf/keywords.c
+++ b/lib/libipsecconf/keywords.c
@@ -610,7 +610,7 @@ const struct keyword_def ipsec_conf_keywords_v2[] = {
   { "modecfgwins1",  kv_conn,  kt_obsolete,  KBF_WARNIGNORE,  NOT_ENUM },
   { "modecfgwins2",  kv_conn,  kt_obsolete,  KBF_WARNIGNORE,  NOT_ENUM },
 
-  { "hw_offload",  kv_conn,  kt_bool,  KBF_HW_OFFLOAD,  NOT_ENUM },
+  { "nic-offload",  kv_conn,  kt_bool,  KBF_NIC_OFFLOAD,  NOT_ENUM },
   { "encapsulation",  kv_conn,  kt_enum,  KBF_ENCAPS,  &kw_encaps_list },
   { "forceencaps",  kv_conn, kt_obsolete, KBF_WARNIGNORE, NOT_ENUM },
 
diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c
index 41877ae..8458357 100644
--- a/lib/libipsecconf/starterwhack.c
+++ b/lib/libipsecconf/starterwhack.c
@@ -531,7 +531,7 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
 	if (conn->right.addrtype == KH_IPHOSTNAME)
 		msg.dnshostname = conn->right.strings[KSCF_IP];
 
-	msg.hw_offload = conn->options[KBF_HW_OFFLOAD];
+	msg.nic_offload = conn->options[KBF_NIC_OFFLOAD];
 	msg.sa_ike_life_seconds = deltatime(conn->options[KBF_IKELIFETIME]);
 	msg.sa_ipsec_life_seconds = deltatime(conn->options[KBF_SALIFETIME]);
 	msg.sa_rekey_margin = deltatime(conn->options[KBF_REKEYMARGIN]);
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index 880177f..b1333e3 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -1546,7 +1546,7 @@ void add_connection(const struct whack_message *wm)
 			}
 		}
 
-		c->hw_offload = wm->hw_offload;
+		c->nic_offload = wm->nic_offload;
 		c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
 		c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
 		c->sa_rekey_margin = wm->sa_rekey_margin;
diff --git a/programs/pluto/connections.h b/programs/pluto/connections.h
index 9e0e1ee..d5fee13 100644
--- a/programs/pluto/connections.h
+++ b/programs/pluto/connections.h
@@ -242,7 +242,7 @@ struct connection {
 	deltatime_t r_timeout; /* max time (in secs) for one packet exchange attempt */
 	reqid_t sa_reqid;
 	int encapsulation;
-	bool hw_offload;
+	bool nic_offload;
 
 	/* RFC 3706 DPD */
 	deltatime_t dpd_delay;		/* time between checks */
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index 55ca125..ac745c1 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -1794,9 +1794,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 	said_boilerplate.transport_proto = c->spd.this.protocol;
 	said_boilerplate.sa_lifetime = c->sa_ipsec_life_seconds;
 	said_boilerplate.outif = -1;
-	said_boilerplate.hw_offload = c->hw_offload;
-	if (c->hw_offload && c->interface)
-		said_boilerplate.hw_offload_ifindex = if_nametoindex(c->interface->ip_dev->id_rname);
+	said_boilerplate.nic_offload = c->nic_offload;
+	if (c->nic_offload && c->interface != NULL)
+		said_boilerplate.nic_offload_ifindex = if_nametoindex(c->interface->ip_dev->id_rname);
 
 #ifdef HAVE_LABELED_IPSEC
 	said_boilerplate.sec_ctx = st->sec_ctx;
diff --git a/programs/pluto/kernel.h b/programs/pluto/kernel.h
index 748a0d1..0b6b20c 100644
--- a/programs/pluto/kernel.h
+++ b/programs/pluto/kernel.h
@@ -117,8 +117,8 @@ struct kernel_sa {
 #ifdef HAVE_LABELED_IPSEC
 	struct xfrm_user_sec_ctx_ike *sec_ctx;
 #endif
-	bool hw_offload;
-	int hw_offload_ifindex;
+	bool nic_offload;
+	int nic_offload_ifindex;
 
 	deltatime_t sa_lifetime; /* number of seconds until SA expires */
 	/* below two need to enabled and used, instead of getting passed */
diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 66c5c25..a74d132 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -1257,13 +1257,13 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 		attr = (struct rtattr *)((char *)attr + attr->rta_len);
 	}
 
-	if (sa->hw_offload) {
+	if (sa->nic_offload) {
 		struct xfrm_user_offload xuo;
 
 		xuo.flags |= sa->inbound ? XFRM_OFFLOAD_INBOUND : 0;
 		if (sa->src->u.v4.sin_family == AF_INET6)
 			xuo.flags |= XFRM_OFFLOAD_IPV6;
-		xuo.ifindex = sa->hw_offload_ifindex;
+		xuo.ifindex = sa->nic_offload_ifindex;
 
 		attr->rta_type = XFRMA_OFFLOAD_DEV;
 		attr->rta_len = RTA_LENGTH(sizeof(xuo));
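Review bot: `struct xfrm_user_offload xuo;` is declared without an initializer and the next line does `xuo.flags |= ...`, which ORs into an indeterminate value; the whole struct, including any padding, is then copied into the XFRMA_OFFLOAD_DEV attribute, so stack garbage (possibly with XFRM_OFFLOAD_INBOUND set on an outbound SA) reaches the kernel. These are context lines carried over from the earlier patch rather than new in this rename, but this is the right place to fix them: `struct xfrm_user_offload xuo = { .flags = sa->inbound ? XFRM_OFFLOAD_INBOUND : 0 };` and drop the separate `xuo.flags |=` line, or at least `memset(&xuo, 0, sizeof(xuo));` before the flag logic. `netlink_add_sa` starts and ends outside the hunk.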
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 568aa23..8bae96d 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -942,7 +942,7 @@ int main(int argc, char **argv)
 	msg.modecfg_domain = NULL;
 	msg.modecfg_banner = NULL;
 
-	msg.hw_offload = FALSE;
+	msg.nic_offload = FALSE;
 	msg.sa_ike_life_seconds = deltatime(IKE_SA_LIFETIME_DEFAULT);
 	msg.sa_ipsec_life_seconds = deltatime(IPSEC_SA_LIFETIME_DEFAULT);
 	msg.sa_rekey_margin = deltatime(SA_REPLACEMENT_MARGIN_DEFAULT);
-- 
2.4.11

-------------- next part --------------
>From 596e12525b02f00faffbe0b7f2baa0f92599fa81 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Wed, 28 Jun 2017 10:02:11 +0200
Subject: [PATCH 2/3] pluto: add nic-offload:yes to ipsec status output

if nic-offload=yes is configured for the connection show it.

Signed-off-by: Antony Antony <antony at phenome.org>
---
 programs/pluto/connections.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index b1333e3..c44b9e9 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -4112,11 +4112,12 @@ void show_one_connection(const struct connection *c)
 		strcpy(markstr, "unset");
 
 	whack_log(RC_COMMENT,
-		  "\"%s\"%s:   nflog-group: %s; mark: %s; vti-iface:%s; vti-routing:%s; vti-shared:%s;",
+		  "\"%s\"%s:   nflog-group: %s; mark: %s; vti-iface:%s; vti-routing:%s; vti-shared:%s;%s",
 		  c->name, instance, nflogstr, markstr,
 		  c->vti_iface == NULL ? "unset" : c->vti_iface,
 		  c->vti_routing ? "yes" : "no",
-		  c->vti_shared ? "yes" : "no"
+		  c->vti_shared ? "yes" : "no",
+		  c->nic_offload ? " nic-offload:yes;" : ""
 	);
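Review bot: The neighbouring `vti-routing` and `vti-shared` fields always print `yes` or `no`, while the new `nic-offload` field is emitted only when set, which makes the status line shape vary between connections and is harder to grep. For consistency I would make it unconditional: change the format to end with `nic-offload:%s;` and pass `c->nic_offload ? "yes" : "no"`. Note also that this reports the configured value, not whether the kernel actually accepted the offload; a comment saying so would help readers of the status output. `show_one_connection` starts and ends outside the hunk.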
 
 	{
-- 
2.4.11

-------------- next part --------------
>From 32397e06ab415b26cf7798b6ece5b653c5076614 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Wed, 29 Jun 2017 10:03:39 +0200
Subject: [PATCH 3/3] whack: add option --nic-offload

Signed-off-by: Antony Antony <antony at phenome.org>
---
 programs/whack/whack.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 8bae96d..9157fc6 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -129,6 +129,7 @@ static void help(void)
 		"	[--initiateontraffic | --pass | --drop | --reject] \\\n"
 		"	[--failnone | --failpass | --faildrop | --failreject] \\\n"
 		"	[--negopass ] \\\n"
+		"	[--nic-offload ] \\\n"
 		"	--to\n"
 		"\n"
 		"routing: whack (--route | --unroute) --name <connection_name>\n"
@@ -421,6 +422,7 @@ enum option_enums {
 	CD_XAUTHBY,
 	CD_XAUTHFAIL,
 	CD_ESP,
+	CD_NIC_OFFLOAD,
 #   define CD_LAST CD_ESP	/* last connection description */
 
 /*
@@ -673,6 +675,7 @@ static const struct option long_opts[] = {
 	{ "pfsgroup", required_argument, NULL, CD_PFSGROUP + OO },
 	{ "esp", required_argument, NULL, CD_ESP + OO },
 	{ "remote_peer_type", required_argument, NULL, CD_REMOTEPEERTYPE + OO },
+	{ "nic-offload", no_argument, NULL, CD_NIC_OFFLOAD + OO},
 
 
 	PS("ikev1-allow", IKEV1_ALLOW),
@@ -1694,6 +1697,10 @@ int main(int argc, char **argv)
 				diag("--encaps options are 'auto', 'yes' or 'no'");
 			continue;
 
+		case CD_NIC_OFFLOAD:  /* --nic-offload */
+			msg.nic_offload = TRUE;
+			continue;
+
 		case CD_NO_NAT_KEEPALIVE:	/* --no-nat_keepalive */
 			msg.nat_keepalive = FALSE;
 			continue;
-- 
2.4.11


