[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC
Antony Antony
antony at phenome.org
Thu Jun 29 09:31:49 UTC 2017
Hi Ilan,
Here are a couple of proposed changes, untested, after a closer review.
1. rename option to "nic-offload". Libreswan is moving away from "_"
2. whack --nic-offload
3. nic-offload:yes; in "ipsec staus" connection
4. there is one coding style change I made.
On Wed, Jun 28, 2017 at 05:31:06AM +0000, Ilan Tayari wrote:
> > I guess this is could be applied. However, please hold on, lets update
> > xfrm.h first.
> >
> > I plan to update linux26/xfrm.h with history from kernel commits.
> > It should happen before this patch. Otherwise it hard to know how upto
> > date
> > xfrm.h is.
> Yes, I suppose xfrm.h update should come separately and before.
> I don't mind rebasing and re-submitting after you do that.
> Do you have an approximation when this would happen?
I pushed this change yesterday. Rebase should work.
> > Another comment. It would be nice to add whack option?
>
> I'll take some time to understand whack better and come up with something.
> You're talking about the command line tool, right?
see the attached proposed patch. It is not tested, I don't have a card.
regards,
-antony
-------------- next part --------------
>From 00ab206ec16096284632d77050ed0c423841977a Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Wed, 28 Jun 2017 14:59:31 +0200
Subject: [PATCH 1/3] pluto: rename hw_offload to nic-offload
Signed-off-by: Antony Antony <antony at phenome.org>
---
include/ipsecconf/keywords.h | 2 +-
include/whack.h | 2 +-
lib/libipsecconf/confread.c | 2 +-
lib/libipsecconf/keywords.c | 2 +-
lib/libipsecconf/starterwhack.c | 2 +-
programs/pluto/connections.c | 2 +-
programs/pluto/connections.h | 2 +-
programs/pluto/kernel.c | 6 +++---
programs/pluto/kernel.h | 4 ++--
programs/pluto/kernel_netlink.c | 4 ++--
programs/whack/whack.c | 2 +-
11 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 948ac40..6894b63 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -159,7 +159,7 @@ enum keyword_numeric_config_field {
KBF_SECCOMP, /* set SECCOMP mode */
KBF_VTI_ROUTING, /* let updown do routing into VTI device */
KBF_VTI_SHARED, /* VTI device is shared - enable checks and disable cleanup */
- KBF_HW_OFFLOAD, /* HW offload on network device */
+ KBF_NIC_OFFLOAD, /* xfrm offload to network device */
KBF_MAX
};
diff --git a/include/whack.h b/include/whack.h
index fd96053..9e8a15a 100644
--- a/include/whack.h
+++ b/include/whack.h
@@ -155,7 +155,7 @@ struct whack_message {
unsigned long sa_replay_window;
deltatime_t r_timeout; /* in secs */
unsigned long r_interval; /* in msec */
- bool hw_offload;
+ bool nic_offload;
/* For IKEv1 RFC 3706 - Dead Peer Detection */
deltatime_t dpd_delay;
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 1396728..8a3bb5e 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -150,7 +150,7 @@ void ipsecconf_default_values(struct starter_config *cfg)
POLICY_IKE_FRAG_ALLOW | /* ike_frag=yes */
POLICY_ESN_NO; /* esn=no */
- cfg->conn_default.options[KBF_HW_OFFLOAD] = FALSE;
+ cfg->conn_default.options[KBF_NIC_OFFLOAD] = FALSE;
cfg->conn_default.options[KBF_IKELIFETIME] = IKE_SA_LIFETIME_DEFAULT;
cfg->conn_default.options[KBF_REPLAY_WINDOW] = IPSEC_SA_DEFAULT_REPLAY_WINDOW;
diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c
index 6f69a18..a2f554f 100644
--- a/lib/libipsecconf/keywords.c
+++ b/lib/libipsecconf/keywords.c
@@ -610,7 +610,7 @@ const struct keyword_def ipsec_conf_keywords_v2[] = {
{ "modecfgwins1", kv_conn, kt_obsolete, KBF_WARNIGNORE, NOT_ENUM },
{ "modecfgwins2", kv_conn, kt_obsolete, KBF_WARNIGNORE, NOT_ENUM },
- { "hw_offload", kv_conn, kt_bool, KBF_HW_OFFLOAD, NOT_ENUM },
+ { "nic-offload", kv_conn, kt_bool, KBF_NIC_OFFLOAD, NOT_ENUM },
{ "encapsulation", kv_conn, kt_enum, KBF_ENCAPS, &kw_encaps_list },
{ "forceencaps", kv_conn, kt_obsolete, KBF_WARNIGNORE, NOT_ENUM },
diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c
index 41877ae..8458357 100644
--- a/lib/libipsecconf/starterwhack.c
+++ b/lib/libipsecconf/starterwhack.c
@@ -531,7 +531,7 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
if (conn->right.addrtype == KH_IPHOSTNAME)
msg.dnshostname = conn->right.strings[KSCF_IP];
- msg.hw_offload = conn->options[KBF_HW_OFFLOAD];
+ msg.nic_offload = conn->options[KBF_NIC_OFFLOAD];
msg.sa_ike_life_seconds = deltatime(conn->options[KBF_IKELIFETIME]);
msg.sa_ipsec_life_seconds = deltatime(conn->options[KBF_SALIFETIME]);
msg.sa_rekey_margin = deltatime(conn->options[KBF_REKEYMARGIN]);
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index 880177f..b1333e3 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -1546,7 +1546,7 @@ void add_connection(const struct whack_message *wm)
}
}
- c->hw_offload = wm->hw_offload;
+ c->nic_offload = wm->nic_offload;
c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
c->sa_rekey_margin = wm->sa_rekey_margin;
diff --git a/programs/pluto/connections.h b/programs/pluto/connections.h
index 9e0e1ee..d5fee13 100644
--- a/programs/pluto/connections.h
+++ b/programs/pluto/connections.h
@@ -242,7 +242,7 @@ struct connection {
deltatime_t r_timeout; /* max time (in secs) for one packet exchange attempt */
reqid_t sa_reqid;
int encapsulation;
- bool hw_offload;
+ bool nic_offload;
/* RFC 3706 DPD */
deltatime_t dpd_delay; /* time between checks */
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index 55ca125..ac745c1 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -1794,9 +1794,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
said_boilerplate.transport_proto = c->spd.this.protocol;
said_boilerplate.sa_lifetime = c->sa_ipsec_life_seconds;
said_boilerplate.outif = -1;
- said_boilerplate.hw_offload = c->hw_offload;
- if (c->hw_offload && c->interface)
- said_boilerplate.hw_offload_ifindex = if_nametoindex(c->interface->ip_dev->id_rname);
+ said_boilerplate.nic_offload = c->nic_offload;
+ if (c->nic_offload && c->interface != NULL)
+ said_boilerplate.nic_offload_ifindex = if_nametoindex(c->interface->ip_dev->id_rname);
#ifdef HAVE_LABELED_IPSEC
said_boilerplate.sec_ctx = st->sec_ctx;
diff --git a/programs/pluto/kernel.h b/programs/pluto/kernel.h
index 748a0d1..0b6b20c 100644
--- a/programs/pluto/kernel.h
+++ b/programs/pluto/kernel.h
@@ -117,8 +117,8 @@ struct kernel_sa {
#ifdef HAVE_LABELED_IPSEC
struct xfrm_user_sec_ctx_ike *sec_ctx;
#endif
- bool hw_offload;
- int hw_offload_ifindex;
+ bool nic_offload;
+ int nic_offload_ifindex;
deltatime_t sa_lifetime; /* number of seconds until SA expires */
/* below two need to enabled and used, instead of getting passed */
diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 66c5c25..a74d132 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -1257,13 +1257,13 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
attr = (struct rtattr *)((char *)attr + attr->rta_len);
}
- if (sa->hw_offload) {
+ if (sa->nic_offload) {
struct xfrm_user_offload xuo;
xuo.flags |= sa->inbound ? XFRM_OFFLOAD_INBOUND : 0;
if (sa->src->u.v4.sin_family == AF_INET6)
xuo.flags |= XFRM_OFFLOAD_IPV6;
- xuo.ifindex = sa->hw_offload_ifindex;
+ xuo.ifindex = sa->nic_offload_ifindex;
attr->rta_type = XFRMA_OFFLOAD_DEV;
attr->rta_len = RTA_LENGTH(sizeof(xuo));
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 568aa23..8bae96d 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -942,7 +942,7 @@ int main(int argc, char **argv)
msg.modecfg_domain = NULL;
msg.modecfg_banner = NULL;
- msg.hw_offload = FALSE;
+ msg.nic_offload = FALSE;
msg.sa_ike_life_seconds = deltatime(IKE_SA_LIFETIME_DEFAULT);
msg.sa_ipsec_life_seconds = deltatime(IPSEC_SA_LIFETIME_DEFAULT);
msg.sa_rekey_margin = deltatime(SA_REPLACEMENT_MARGIN_DEFAULT);
--
2.4.11
-------------- next part --------------
>From 596e12525b02f00faffbe0b7f2baa0f92599fa81 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Wed, 28 Jun 2017 10:02:11 +0200
Subject: [PATCH 2/3] pluto: add nic-offload:yes to ipsec status output
if nic-offload=yes is configured for the connection show it.
Signed-off-by: Antony Antony <antony at phenome.org>
---
programs/pluto/connections.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index b1333e3..c44b9e9 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -4112,11 +4112,12 @@ void show_one_connection(const struct connection *c)
strcpy(markstr, "unset");
whack_log(RC_COMMENT,
- "\"%s\"%s: nflog-group: %s; mark: %s; vti-iface:%s; vti-routing:%s; vti-shared:%s;",
+ "\"%s\"%s: nflog-group: %s; mark: %s; vti-iface:%s; vti-routing:%s; vti-shared:%s;%s",
c->name, instance, nflogstr, markstr,
c->vti_iface == NULL ? "unset" : c->vti_iface,
c->vti_routing ? "yes" : "no",
- c->vti_shared ? "yes" : "no"
+ c->vti_shared ? "yes" : "no",
+ c->nic_offload ? " nic-offload:yes;" : ""
);
{
--
2.4.11
-------------- next part --------------
>From 32397e06ab415b26cf7798b6ece5b653c5076614 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Wed, 29 Jun 2017 10:03:39 +0200
Subject: [PATCH 3/3] whack: add option --nic-offload
Signed-off-by: Antony Antony <antony at phenome.org>
---
programs/whack/whack.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 8bae96d..9157fc6 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -129,6 +129,7 @@ static void help(void)
" [--initiateontraffic | --pass | --drop | --reject] \\\n"
" [--failnone | --failpass | --faildrop | --failreject] \\\n"
" [--negopass ] \\\n"
+ " [--nic-offload ] \\\n"
" --to\n"
"\n"
"routing: whack (--route | --unroute) --name <connection_name>\n"
@@ -421,6 +422,7 @@ enum option_enums {
CD_XAUTHBY,
CD_XAUTHFAIL,
CD_ESP,
+ CD_NIC_OFFLOAD,
# define CD_LAST CD_ESP /* last connection description */
/*
@@ -673,6 +675,7 @@ static const struct option long_opts[] = {
{ "pfsgroup", required_argument, NULL, CD_PFSGROUP + OO },
{ "esp", required_argument, NULL, CD_ESP + OO },
{ "remote_peer_type", required_argument, NULL, CD_REMOTEPEERTYPE + OO },
+ { "nic-offload", no_argument, NULL, CD_NIC_OFFLOAD + OO},
PS("ikev1-allow", IKEV1_ALLOW),
@@ -1694,6 +1697,10 @@ int main(int argc, char **argv)
diag("--encaps options are 'auto', 'yes' or 'no'");
continue;
+ case CD_NIC_OFFLOAD: /* --nic-offload */
+ msg.nic_offload = TRUE;
+ continue;
+
case CD_NO_NAT_KEEPALIVE: /* --no-nat_keepalive */
msg.nat_keepalive = FALSE;
continue;
--
2.4.11
More information about the Swan-dev
mailing list