From: Tariq Toukan
To: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Andrew Lunn, "David S. Miller"
CC: Saeed Mahameed, Leon Romanovsky, Tariq Toukan, Mark Bloch, Jianbo Liu, "Leon Romanovsky", Steffen Klassert, Herbert Xu, Paul Moore
Subject: [PATCH net-next 1/4] net/mlx5: Change TTC rules to match on undecrypted ESP packets
Date: Thu, 18 Sep 2025 10:19:20 +0300
Message-ID: <1758179963-649455-2-git-send-email-tariqt@nvidia.com>
In-Reply-To: <1758179963-649455-1-git-send-email-tariqt@nvidia.com>
References: <1758179963-649455-1-git-send-email-tariqt@nvidia.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jianbo Liu

The TTC (Traffic Type Classifier) table classifies the traffic and steers packets to TIRs, where RSS works based on the hash calculated from the selected packet fields.

For AH/ESP packets, SPI and IP addresses are the fields used to calculate the hash value for RSS. So, it's hard to distribute packets to different receiving queues as there is usually only one SPI in that direction.

IPSec hardware offloads, crypto offload and full (packet) offload were introduced later. For crypto offload, hardware does encryption, decryption and authentication, kernel does the others. Kernel always sends/receives formatted ESP packets with plaintext data instead of the ciphertext data, all other fields are unmodified. For full offload, hardware will take care of almost everything, kernel just sends/receives packets without any IPSec headers.

Currently, all packets with ESP protocols are forwarded to IPSec offload tables if IPSec rules are configured. In a downstream patch, the decrypted packets will be recirculated to TTC table, in order to use RSS, which does the hash on L4 fields after IPSec headers are stripped by full offload. So those packets handled by crypto offload must be filtered out, as they still have the ESP headers, but apparently do not need to be decrypted again. To do that, ipsec_next_header is added for the packet matching, as it is valid only after passing through IPSec decryption.

Signed-off-by: Jianbo Liu
Reviewed-by: Dragos Tatulea
Signed-off-by: Tariq Toukan --- .../net/ethernet/mellanox/mlx5/core/en/fs.h | 3 +- .../net/ethernet/mellanox/mlx5/core/en_fs.c | 8 +- .../net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +- .../ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 108 ++++++++++++++++-- .../ethernet/mellanox/mlx5/core/lib/fs_ttc.h | 3 + 5 files changed, 109 insertions(+), 15 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h b/drivers/net/= ethernet/mellanox/mlx5/core/en/fs.h index 9560fcba643f..cdc813ae9f23 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h @@ -131,7 +131,8 @@ struct mlx5e_ptp_fs; =20 void mlx5e_set_ttc_params(struct mlx5e_flow_steering *fs, struct mlx5e_rx_res *rx_res, - struct ttc_params *ttc_params, bool tunnel); + struct ttc_params *ttc_params, bool tunnel, + bool ipsec_rss); =20 void mlx5e_destroy_ttc_table(struct mlx5e_flow_steering *fs); int mlx5e_create_ttc_table(struct mlx5e_flow_steering *fs, diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/= ethernet/mellanox/mlx5/core/en_fs.c index 265c4ca85f7d..15ffb8e0d884 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c @@ -916,7 +916,8 @@ static void mlx5e_set_inner_ttc_params(struct mlx5e_flo= w_steering *fs, =20 void mlx5e_set_ttc_params(struct mlx5e_flow_steering *fs, struct mlx5e_rx_res *rx_res, - struct ttc_params *ttc_params, bool tunnel) + struct ttc_params *ttc_params, bool tunnel, + bool ipsec_rss) =20 { struct mlx5_flow_table_attr *ft_attr =3D &ttc_params->ft_attr; 
@@ -927,6 +928,9 @@ void mlx5e_set_ttc_params(struct mlx5e_flow_steering *f= s, ft_attr->level =3D MLX5E_TTC_FT_LEVEL; ft_attr->prio =3D MLX5E_NIC_PRIO; =20 + ttc_params->ipsec_rss =3D ipsec_rss && + MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(fs->mdev, ipsec_next_header); + for (tt =3D 0; tt < MLX5_NUM_TT; tt++) { ttc_params->dests[tt].type =3D MLX5_FLOW_DESTINATION_TYPE_TIR; ttc_params->dests[tt].tir_num =3D @@ -1293,7 +1297,7 @@ int mlx5e_create_ttc_table(struct mlx5e_flow_steering= *fs, { struct ttc_params ttc_params =3D {}; =20 - mlx5e_set_ttc_params(fs, rx_res, &ttc_params, true); + mlx5e_set_ttc_params(fs, rx_res, &ttc_params, true, true); fs->ttc =3D mlx5_create_ttc_table(fs->mdev, &ttc_params); return PTR_ERR_OR_ZERO(fs->ttc); } diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net= /ethernet/mellanox/mlx5/core/en_rep.c index b231e7855bca..7deb6a9b7f4a 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c @@ -974,7 +974,7 @@ static int mlx5e_create_rep_ttc_table(struct mlx5e_priv= *priv) MLX5_FLOW_NAMESPACE_KERNEL), false); =20 /* The inner_ttc in the ttc params is intentionally not set */ - mlx5e_set_ttc_params(priv->fs, priv->rx_res, &ttc_params, false); + mlx5e_set_ttc_params(priv->fs, priv->rx_res, &ttc_params, false, false); =20 if (rep->vport !=3D MLX5_VPORT_UPLINK) /* To give uplik rep TTC a lower level for chaining from root ft */ diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers= /net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c index ca9ecec358b2..850fff4548c8 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c @@ -9,7 +9,7 @@ #include "mlx5_core.h" #include "lib/fs_ttc.h" =20 -#define MLX5_TTC_MAX_NUM_GROUPS 4 +#define MLX5_TTC_MAX_NUM_GROUPS 5 #define MLX5_TTC_GROUP_TCPUDP_SIZE (MLX5_TT_IPV6_UDP + 1) =20 struct mlx5_fs_ttc_groups { 
@@ -31,6 +31,7 @@ static int mlx5_fs_ttc_table_size(const struct mlx5_fs_tt= c_groups *groups) /* L3/L4 traffic type classifier */ struct mlx5_ttc_table { int num_groups; + const struct mlx5_fs_ttc_groups *groups; struct mlx5_flow_table *t; struct mlx5_flow_group **g; struct mlx5_ttc_rule rules[MLX5_NUM_TT]; @@ -163,6 +164,8 @@ static struct mlx5_etype_proto ttc_tunnel_rules[] =3D { enum TTC_GROUP_TYPE { TTC_GROUPS_DEFAULT =3D 0, TTC_GROUPS_USE_L4_TYPE =3D 1, + TTC_GROUPS_DEFAULT_ESP =3D 2, + TTC_GROUPS_USE_L4_TYPE_ESP =3D 3, }; =20 static const struct mlx5_fs_ttc_groups ttc_groups[] =3D { @@ -184,6 +187,27 @@ static const struct mlx5_fs_ttc_groups ttc_groups[] = =3D { BIT(0), }, }, + [TTC_GROUPS_DEFAULT_ESP] =3D { + .num_groups =3D 4, + .group_size =3D { + MLX5_TTC_GROUP_TCPUDP_SIZE + BIT(1) + + MLX5_NUM_TUNNEL_TT, + BIT(1), /* ESP */ + BIT(1), + BIT(0), + }, + }, + [TTC_GROUPS_USE_L4_TYPE_ESP] =3D { + .use_l4_type =3D true, + .num_groups =3D 5, + .group_size =3D { + MLX5_TTC_GROUP_TCPUDP_SIZE, + BIT(1) + MLX5_NUM_TUNNEL_TT, + BIT(1), /* ESP */ + BIT(1), + BIT(0), + }, + }, }; =20 static const struct mlx5_fs_ttc_groups inner_ttc_groups[] =3D { @@ -207,6 +231,23 @@ static const struct mlx5_fs_ttc_groups inner_ttc_group= s[] =3D { }, }; =20 +static const struct mlx5_fs_ttc_groups * +mlx5_ttc_get_fs_groups(bool use_l4_type, bool ipsec_rss) +{ + if (!ipsec_rss) + return use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] : + &ttc_groups[TTC_GROUPS_DEFAULT]; + + return use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE_ESP] : + &ttc_groups[TTC_GROUPS_DEFAULT_ESP]; +} + +bool mlx5_ttc_has_esp_flow_group(struct mlx5_ttc_table *ttc) +{ + return ttc->groups =3D=3D &ttc_groups[TTC_GROUPS_DEFAULT_ESP] || + ttc->groups =3D=3D &ttc_groups[TTC_GROUPS_USE_L4_TYPE_ESP]; +} + u8 mlx5_get_proto_by_tunnel_type(enum mlx5_tunnel_types tt) { return ttc_tunnel_rules[tt].proto; 
@@ -279,7 +320,7 @@ static void mlx5_fs_ttc_set_match_proto(void *headers_c= , void *headers_v, static struct mlx5_flow_handle * mlx5_generate_ttc_rule(struct mlx5_core_dev *dev, struct mlx5_flow_table *= ft, struct mlx5_flow_destination *dest, u16 etype, u8 proto, - bool use_l4_type) + bool use_l4_type, bool ipsec_rss) { int match_ipv_outer =3D MLX5_CAP_FLOWTABLE_NIC_RX(dev, @@ -316,6 +357,14 @@ mlx5_generate_ttc_rule(struct mlx5_core_dev *dev, stru= ct mlx5_flow_table *ft, MLX5_SET(fte_match_param, spec->match_value, outer_headers.ethertype, et= ype); } =20 + if (ipsec_rss && proto =3D=3D IPPROTO_ESP) { + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, + misc_parameters_2.ipsec_next_header); + MLX5_SET(fte_match_param, spec->match_value, + misc_parameters_2.ipsec_next_header, 0); + spec->match_criteria_enable |=3D MLX5_MATCH_MISC_PARAMETERS_2; + } + rule =3D mlx5_add_flow_rules(ft, spec, &flow_act, dest, 1); if (IS_ERR(rule)) { err =3D PTR_ERR(rule); @@ -347,7 +396,8 @@ static int mlx5_generate_ttc_table_rules(struct mlx5_co= re_dev *dev, rule->rule =3D mlx5_generate_ttc_rule(dev, ft, ¶ms->dests[tt], ttc_rules[tt].etype, ttc_rules[tt].proto, - use_l4_type); + use_l4_type, + params->ipsec_rss); if (IS_ERR(rule->rule)) { err =3D PTR_ERR(rule->rule); rule->rule =3D NULL; @@ -370,7 +420,7 @@ static int mlx5_generate_ttc_table_rules(struct mlx5_co= re_dev *dev, ¶ms->tunnel_dests[tt], ttc_tunnel_rules[tt].etype, ttc_tunnel_rules[tt].proto, - use_l4_type); + use_l4_type, false); if (IS_ERR(trules[tt])) { err =3D PTR_ERR(trules[tt]); trules[tt] =3D NULL; 
@@ -385,10 +435,38 @@ static int mlx5_generate_ttc_table_rules(struct mlx5_= core_dev *dev, return err; } =20 +static int mlx5_create_ttc_table_ipsec_groups(struct mlx5_ttc_table *ttc, + u32 *in, int *next_ix) +{ + u8 *mc =3D MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); + const struct mlx5_fs_ttc_groups *groups =3D ttc->groups; + int ix =3D *next_ix; + + /* undecrypted ESP group */ + MLX5_SET_CFG(in, match_criteria_enable, + MLX5_MATCH_OUTER_HEADERS | MLX5_MATCH_MISC_PARAMETERS_2); + MLX5_SET_TO_ONES(fte_match_param, mc, + misc_parameters_2.ipsec_next_header); + MLX5_SET_CFG(in, start_flow_index, ix); + ix +=3D groups->group_size[ttc->num_groups]; + MLX5_SET_CFG(in, end_flow_index, ix - 1); + ttc->g[ttc->num_groups] =3D mlx5_create_flow_group(ttc->t, in); + if (IS_ERR(ttc->g[ttc->num_groups])) + goto err; + ttc->num_groups++; + + *next_ix =3D ix; + + return 0; + +err: + return PTR_ERR(ttc->g[ttc->num_groups]); +} + static int mlx5_create_ttc_table_groups(struct mlx5_ttc_table *ttc, - bool use_ipv, - const struct mlx5_fs_ttc_groups *groups) + bool use_ipv) { + const struct mlx5_fs_ttc_groups *groups =3D ttc->groups; int inlen =3D MLX5_ST_SZ_BYTES(create_flow_group_in); int ix =3D 0; u32 *in; @@ -436,8 +514,18 @@ static int mlx5_create_ttc_table_groups(struct mlx5_tt= c_table *ttc, goto err; ttc->num_groups++; =20 + if (mlx5_ttc_has_esp_flow_group(ttc)) { + err =3D mlx5_create_ttc_table_ipsec_groups(ttc, in, &ix); + if (err) + goto err; + + MLX5_SET(fte_match_param, mc, + misc_parameters_2.ipsec_next_header, 0); + } + /* L3 Group */ MLX5_SET(fte_match_param, mc, outer_headers.ip_protocol, 0); + MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); MLX5_SET_CFG(in, start_flow_index, ix); ix +=3D groups->group_size[ttc->num_groups]; MLX5_SET_CFG(in, end_flow_index, ix - 1); 
@@ -709,7 +797,6 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx= 5_core_dev *dev, bool match_ipv_outer =3D MLX5_CAP_FLOWTABLE_NIC_RX(dev, ft_field_support.outer_ip_version); - const struct mlx5_fs_ttc_groups *groups; struct mlx5_flow_namespace *ns; struct mlx5_ttc_table *ttc; bool use_l4_type; @@ -738,11 +825,10 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct m= lx5_core_dev *dev, return ERR_PTR(-EOPNOTSUPP); } =20 - groups =3D use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] : - &ttc_groups[TTC_GROUPS_DEFAULT]; + ttc->groups =3D mlx5_ttc_get_fs_groups(use_l4_type, params->ipsec_rss); =20 WARN_ON_ONCE(params->ft_attr.max_fte); - params->ft_attr.max_fte =3D mlx5_fs_ttc_table_size(groups); + params->ft_attr.max_fte =3D mlx5_fs_ttc_table_size(ttc->groups); ttc->t =3D mlx5_create_flow_table(ns, ¶ms->ft_attr); if (IS_ERR(ttc->t)) { err =3D PTR_ERR(ttc->t); @@ -750,7 +836,7 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx= 5_core_dev *dev, return ERR_PTR(err); } =20 - err =3D mlx5_create_ttc_table_groups(ttc, match_ipv_outer, groups); + err =3D mlx5_create_ttc_table_groups(ttc, match_ipv_outer); if (err) goto destroy_ft; =20 diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h b/drivers= /net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h index ab9434fe3ae6..aead62441550 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h @@ -47,6 +47,7 @@ struct ttc_params { bool inner_ttc; DECLARE_BITMAP(ignore_tunnel_dests, MLX5_NUM_TUNNEL_TT); struct mlx5_flow_destination tunnel_dests[MLX5_NUM_TUNNEL_TT]; + bool ipsec_rss; }; =20 const char *mlx5_ttc_get_name(enum mlx5_traffic_types tt); 
@@ -70,4 +71,6 @@ int mlx5_ttc_fwd_default_dest(struct mlx5_ttc_table *ttc, bool mlx5_tunnel_inner_ft_supported(struct mlx5_core_dev *mdev); u8 mlx5_get_proto_by_tunnel_type(enum mlx5_tunnel_types tt); =20 +bool mlx5_ttc_has_esp_flow_group(struct mlx5_ttc_table *ttc); + #endif /* __MLX5_FS_TTC_H__ */ --=20 2.31.1
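
Review bot: In mlx5_generate_ttc_rule() (lib/fs_ttc.c), the new ESP branch matches `misc_parameters_2.ipsec_next_header` against a bare 0 with no comment saying that 0 is what marks a packet as not yet decrypted. The commit message carries that reasoning ("valid only after passing through IPSec decryption"), but the code does not, and 0 is also a legal next-header value (IPv6 hop-by-hop options). Please add a comment at the `MLX5_SET(..., misc_parameters_2.ipsec_next_header, 0)` line stating what the device reports for undecrypted packets and for packets decrypted by crypto offload, and confirm that a decrypted packet can never present 0 in this field, since a collision would classify it as undecrypted.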
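
Review bot: mlx5_create_ttc_table_ipsec_groups() (lib/fs_ttc.c) leaves two pieces of state for its caller to clean up: on failure the ERR_PTR stays in `ttc->g[ttc->num_groups]`, and on success the `ipsec_next_header` mask and the `MLX5_MATCH_MISC_PARAMETERS_2` enable bit stay set in the shared `in` buffer. The caller does undo the latter (the added `MLX5_SET(..., misc_parameters_2.ipsec_next_header, 0)` and the `match_criteria_enable` reset before the L3 group), but the split makes the helper fragile if groups are reordered later. Consider having the helper restore `in` before it returns, replacing the single-use `err:` label with a direct return, and checking that the caller's `err` path, which is outside the visible context, clears the slot instead of handing an ERR_PTR to the group teardown.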
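
Review bot: mlx5e_set_ttc_params() (en/fs.h, en_fs.c, en_rep.c) now takes two adjacent bools, so the call sites read `..., &ttc_params, true, true)` and `..., &ttc_params, false, false)` and a swapped argument would compile silently. A flags argument, or a field the caller sets on `ttc_params` before the call, would be clearer. Separately, `ttc_params->ipsec_rss = ipsec_rss && MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(fs->mdev, ipsec_next_header)` quietly turns the request off when the device lacks the field; a one-line comment saying that this falls back to the non-ESP group layout chosen in mlx5_ttc_get_fs_groups() would help. The new mlx5_ttc_has_esp_flow_group() only reads `ttc->groups`, so its parameter can be `const struct mlx5_ttc_table *`.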

From: Tariq Toukan
To: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Andrew Lunn, "David S. Miller"
CC: Saeed Mahameed, Leon Romanovsky, Tariq Toukan, Mark Bloch, Jianbo Liu, "Leon Romanovsky", Steffen Klassert, Herbert Xu, Paul Moore
Subject: [PATCH net-next 2/4] net/mlx5e: Recirculate decrypted packets into TTC table
Date: Thu, 18 Sep 2025 10:19:21 +0300
Message-ID: <1758179963-649455-3-git-send-email-tariqt@nvidia.com>
In-Reply-To: <1758179963-649455-1-git-send-email-tariqt@nvidia.com>
References: <1758179963-649455-1-git-send-email-tariqt@nvidia.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jianbo Liu

In the commit 5e466345291a ("net/mlx5e: IPsec: Add IPsec steering in local NIC RX"), the decrypted packets are handled in RX error flow table. There is only one rule in the table, which forwards packets to the default ESP TIR.

This patch updates the design to allow RSS after decryption. For ESP traffic, SPI and IP addresses are the fields selected for RSS hash, and it's common that only one SPI is configured in RX direction, so RSS can't work properly as all the packets are hashed to one key in this case.

To take advantage of RSS and improve performance, the decrypted packets need to be forwarded back to TTC table, where RSS can work based on the decrypted packet types.

Signed-off-by: Jianbo Liu
Reviewed-by: Dragos Tatulea
Signed-off-by: Tariq Toukan
--- .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 24 +++++++++++++++---- .../mellanox/mlx5/core/lib/ipsec_fs_roce.c | 4 ++++ 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/= drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c index 98b6a3a623f9..a06929852296 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c @@ -585,6 +585,20 @@ static int ipsec_miss_create(struct mlx5_core_dev *mde= v, return err; } =20 +static struct mlx5_flow_destination +ipsec_rx_decrypted_pkt_def_dest(struct mlx5_ttc_table *ttc, u32 family) +{ + struct mlx5_flow_destination dest; + + if (!mlx5_ttc_has_esp_flow_group(ttc)) + return mlx5_ttc_get_default_dest(ttc, family2tt(family)); + + dest.ft =3D mlx5_get_ttc_flow_table(ttc); + dest.type =3D MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; + + return dest; +} + static void ipsec_rx_update_default_dest(struct mlx5e_ipsec_rx *rx, struct mlx5_flow_destination *old_dest, struct mlx5_flow_destination *new_dest)
@@ -598,10 +612,10 @@ static void handle_ipsec_rx_bringup(struct mlx5e_ipse= c *ipsec, u32 family) { struct mlx5e_ipsec_rx *rx =3D ipsec_rx(ipsec, family, XFRM_DEV_OFFLOAD_PA= CKET); struct mlx5_flow_namespace *ns =3D mlx5e_fs_get_ns(ipsec->fs, false); + struct mlx5_ttc_table *ttc =3D mlx5e_fs_get_ttc(ipsec->fs, false); struct mlx5_flow_destination old_dest, new_dest; =20 - old_dest =3D mlx5_ttc_get_default_dest(mlx5e_fs_get_ttc(ipsec->fs, false), - family2tt(family)); + old_dest =3D ipsec_rx_decrypted_pkt_def_dest(ttc, family); =20 mlx5_ipsec_fs_roce_rx_create(ipsec->mdev, ipsec->roce, ns, &old_dest, fam= ily, MLX5E_ACCEL_FS_ESP_FT_ROCE_LEVEL, MLX5E_NIC_PRIO); @@ -614,12 +628,12 @@ static void handle_ipsec_rx_bringup(struct mlx5e_ipse= c *ipsec, u32 family) static void handle_ipsec_rx_cleanup(struct mlx5e_ipsec *ipsec, u32 family) { struct mlx5e_ipsec_rx *rx =3D ipsec_rx(ipsec, family, XFRM_DEV_OFFLOAD_PA= CKET); + struct mlx5_ttc_table *ttc =3D mlx5e_fs_get_ttc(ipsec->fs, false); struct mlx5_flow_destination old_dest, new_dest; =20 old_dest.ft =3D mlx5_ipsec_fs_roce_ft_get(ipsec->roce, family); old_dest.type =3D MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; - new_dest =3D mlx5_ttc_get_default_dest(mlx5e_fs_get_ttc(ipsec->fs, false), - family2tt(family)); + new_dest =3D ipsec_rx_decrypted_pkt_def_dest(ttc, family); ipsec_rx_update_default_dest(rx, &old_dest, &new_dest); =20 mlx5_ipsec_fs_roce_rx_destroy(ipsec->roce, family, ipsec->mdev); @@ -763,7 +777,7 @@ static int ipsec_rx_status_pass_dest_get(struct mlx5e_i= psec *ipsec, if (rx =3D=3D ipsec->rx_esw) return mlx5_esw_ipsec_rx_status_pass_dest_get(ipsec, dest); =20 - *dest =3D mlx5_ttc_get_default_dest(attr->ttc, family2tt(attr->family)); + *dest =3D ipsec_rx_decrypted_pkt_def_dest(attr->ttc, attr->family); err =3D mlx5_ipsec_fs_roce_rx_create(ipsec->mdev, ipsec->roce, attr->ns, = dest, attr->family, MLX5E_ACCEL_FS_ESP_FT_ROCE_LEVEL, attr->prio); 
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec_fs_roce.c b/= drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec_fs_roce.c index b7d4b1a2baf2..d524f0220513 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec_fs_roce.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec_fs_roce.c @@ -164,6 +164,8 @@ ipsec_fs_roce_rx_rule_setup(struct mlx5_core_dev *mdev, roce->rule =3D rule; =20 memset(spec, 0, sizeof(*spec)); + if (default_dst->type =3D=3D MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE) + flow_act.flags |=3D FLOW_ACT_IGNORE_FLOW_LEVEL; rule =3D mlx5_add_flow_rules(roce->ft, spec, &flow_act, default_dst, 1); if (IS_ERR(rule)) { err =3D PTR_ERR(rule); 
@@ -178,6 +180,8 @@ ipsec_fs_roce_rx_rule_setup(struct mlx5_core_dev *mdev, goto out; =20 flow_act.action =3D MLX5_FLOW_CONTEXT_ACTION_FWD_DEST; + if (default_dst->type =3D=3D MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE) + flow_act.flags &=3D ~FLOW_ACT_IGNORE_FLOW_LEVEL; dst.type =3D MLX5_FLOW_DESTINATION_TYPE_TABLE_TYPE; dst.ft =3D roce->ft_rdma; rule =3D mlx5_add_flow_rules(roce->nic_master_ft, NULL, &flow_act, &dst, --=20 2.31.1
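Review bot: in ipsec_rx_decrypted_pkt_def_dest() (ipsec_fs.c, hunk at -585,6 +585,20), `dest` is declared without an initializer and only `dest.ft` and `dest.type` are assigned before the struct is returned by value, so the remaining members of struct mlx5_flow_destination reach the three callers holding whatever was on the stack. Declaring it as `struct mlx5_flow_destination dest = {};` would make the flow-table branch return a fully defined value. A short comment on why the destination becomes the TTC table itself when mlx5_ttc_has_esp_flow_group() is true would also help, since that rationale is currently only in the commit message.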
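Review bot: in ipsec_fs_roce_rx_rule_setup() (ipsec_fs_roce.c, hunks at -164,6 and -178,6), FLOW_ACT_IGNORE_FLOW_LEVEL is set on the shared flow_act for the first rule and then cleared under the same `default_dst->type == MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE` test before the second rule, but nothing in the code says why the level check has to be bypassed or why the flag must not carry over to the nic_master_ft rule. A one-line comment at the set site would cover the first point, and clearing the bit unconditionally (clearing an unset bit is a no-op) would make the second rule's flags independent of the destination type.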
From: Tariq Toukan
To: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Andrew Lunn, "David S. Miller"
CC: Saeed Mahameed, Leon Romanovsky, Tariq Toukan, Mark Bloch, Jianbo Liu, "Leon Romanovsky", Steffen Klassert, Herbert Xu, Paul Moore
Subject: [PATCH net-next 3/4] net/mlx5e: Add flow groups for the packets decrypted by crypto offload
Date: Thu, 18 Sep 2025 10:19:22 +0300
Message-ID: <1758179963-649455-4-git-send-email-tariqt@nvidia.com>
In-Reply-To: <1758179963-649455-1-git-send-email-tariqt@nvidia.com>
References: <1758179963-649455-1-git-send-email-tariqt@nvidia.com>
From: Jianbo Liu

When using IPsec crypto offload, the hardware decrypts the packet payload but preserves the ESP header. This prevents the standard RSS mechanism from accessing the inner L4 (TCP/UDP) headers. As a result, the RSS hash is calculated only on the outer L3 IP headers, causing all traffic for a given IPsec tunnel to be directed to a single queue, leading to poor traffic distribution.

Newer firmware introduces the ability to match on l4_type_ext, which exposes the L4 protocol type following an ESP header. This allows the driver to create steering rules that can identify the inner protocols of decrypted packets.

This commit leverages this new capability to improve traffic distribution. It adds two new flow groups to steer decrypted packets to dedicated TIRs that were configured to perform RSS on the inner L4 headers. These groups are inserted after the standard L4 group and before the group that handles undecrypted ESP packets added in this series. The first new group matches decrypted packets based on the outer IP version (or ethertype) and l4_type_ext. The second new group matches decrypted tunneled packets based on the inner IP version and l4_type_ext. Eight new traffic types are also defined to support this functionality.

Signed-off-by: Jianbo Liu
Reviewed-by: Dragos Tatulea
Signed-off-by: Tariq Toukan
---
 .../net/ethernet/mellanox/mlx5/core/en/fs.h | 2 +-
 .../net/ethernet/mellanox/mlx5/core/en_fs.c | 15 ++++-
 .../net/ethernet/mellanox/mlx5/core/en_tc.c | 3 +
 .../ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 58 +++++++++++++++++--
 .../ethernet/mellanox/mlx5/core/lib/fs_ttc.h | 13 +++++
 5 files changed, 85 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h b/drivers/net/= ethernet/mellanox/mlx5/core/en/fs.h index cdc813ae9f23..59e3262cb09e 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h @@ -57,7 +57,7 @@ struct mlx5e_l2_table { bool promisc_enabled; }; =20 -#define MLX5E_NUM_INDIR_TIRS (MLX5_NUM_TT - 1) +#define MLX5E_NUM_INDIR_TIRS (MLX5_NUM_INDIR_TIRS) =20 #define MLX5_HASH_IP (MLX5_HASH_FIELD_SEL_SRC_IP |\ MLX5_HASH_FIELD_SEL_DST_IP) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/= ethernet/mellanox/mlx5/core/en_fs.c index 15ffb8e0d884..8928d2dcd43f 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c @@ -905,6 +905,9 @@ static void mlx5e_set_inner_ttc_params(struct mlx5e_flo= w_steering *fs, ft_attr->prio =3D MLX5E_NIC_PRIO; =20 for (tt =3D 0; tt < MLX5_NUM_TT; tt++) { + if (mlx5_ttc_is_decrypted_esp_tt(tt)) + continue; + ttc_params->dests[tt].type =3D MLX5_FLOW_DESTINATION_TYPE_TIR; ttc_params->dests[tt].tir_num =3D tt =3D=3D MLX5_TT_ANY ? @@ -914,6 +917,13 @@ static void mlx5e_set_inner_ttc_params(struct mlx5e_fl= ow_steering *fs, } } =20 +static bool mlx5e_ipsec_rss_supported(struct mlx5_core_dev *mdev) +{ + return MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(mdev, ipsec_next_header) && + MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(mdev, outer_l4_type_ext) && + MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(mdev, inner_l4_type_ext); +} + void mlx5e_set_ttc_params(struct mlx5e_flow_steering *fs, struct mlx5e_rx_res *rx_res, struct ttc_params *ttc_params, bool tunnel, 
@@ -929,9 +939,12 @@ void mlx5e_set_ttc_params(struct mlx5e_flow_steering *= fs, ft_attr->prio =3D MLX5E_NIC_PRIO; =20 ttc_params->ipsec_rss =3D ipsec_rss && - MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(fs->mdev, ipsec_next_header); + mlx5e_ipsec_rss_supported(fs->mdev); =20 for (tt =3D 0; tt < MLX5_NUM_TT; tt++) { + if (mlx5_ttc_is_decrypted_esp_tt(tt)) + continue; + ttc_params->dests[tt].type =3D MLX5_FLOW_DESTINATION_TYPE_TIR; ttc_params->dests[tt].tir_num =3D tt =3D=3D MLX5_TT_ANY ? diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/= ethernet/mellanox/mlx5/core/en_tc.c index 09c3eecb836d..b6d6584fc6fe 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c @@ -838,6 +838,9 @@ static void mlx5e_hairpin_set_ttc_params(struct mlx5e_h= airpin *hp, =20 ttc_params->ns_type =3D MLX5_FLOW_NAMESPACE_KERNEL; for (tt =3D 0; tt < MLX5_NUM_TT; tt++) { + if (mlx5_ttc_is_decrypted_esp_tt(tt)) + continue; + ttc_params->dests[tt].type =3D MLX5_FLOW_DESTINATION_TYPE_TIR; ttc_params->dests[tt].tir_num =3D tt =3D=3D MLX5_TT_ANY ? diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers= /net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c index 850fff4548c8..3cd5de6f714f 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c @@ -9,7 +9,7 @@ #include "mlx5_core.h" #include "lib/fs_ttc.h" =20 -#define MLX5_TTC_MAX_NUM_GROUPS 5 +#define MLX5_TTC_MAX_NUM_GROUPS 7 #define MLX5_TTC_GROUP_TCPUDP_SIZE (MLX5_TT_IPV6_UDP + 1) =20 struct mlx5_fs_ttc_groups { @@ -188,10 +188,12 @@ static const struct mlx5_fs_ttc_groups ttc_groups[] = =3D { }, }, [TTC_GROUPS_DEFAULT_ESP] =3D { - .num_groups =3D 4, + .num_groups =3D 6, .group_size =3D { MLX5_TTC_GROUP_TCPUDP_SIZE + BIT(1) + MLX5_NUM_TUNNEL_TT, + BIT(2), /* decrypted outer L4 */ + BIT(2), /* decrypted inner L4 */ BIT(1), /* ESP */ BIT(1), BIT(0), 
@@ -199,10 +201,12 @@ static const struct mlx5_fs_ttc_groups ttc_groups[] = =3D { }, [TTC_GROUPS_USE_L4_TYPE_ESP] =3D { .use_l4_type =3D true, - .num_groups =3D 5, + .num_groups =3D 7, .group_size =3D { MLX5_TTC_GROUP_TCPUDP_SIZE, BIT(1) + MLX5_NUM_TUNNEL_TT, + BIT(2), /* decrypted outer L4 */ + BIT(2), /* decrypted inner L4 */ BIT(1), /* ESP */ BIT(1), BIT(0), @@ -391,6 +395,9 @@ static int mlx5_generate_ttc_table_rules(struct mlx5_co= re_dev *dev, for (tt =3D 0; tt < MLX5_NUM_TT; tt++) { struct mlx5_ttc_rule *rule =3D &rules[tt]; =20 + if (mlx5_ttc_is_decrypted_esp_tt(tt)) + continue; + if (test_bit(tt, params->ignore_dests)) continue; rule->rule =3D mlx5_generate_ttc_rule(dev, ft, ¶ms->dests[tt], 
@@ -436,15 +443,55 @@ static int mlx5_generate_ttc_table_rules(struct mlx5_= core_dev *dev, } =20 static int mlx5_create_ttc_table_ipsec_groups(struct mlx5_ttc_table *ttc, + bool use_ipv, u32 *in, int *next_ix) { u8 *mc =3D MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); const struct mlx5_fs_ttc_groups *groups =3D ttc->groups; int ix =3D *next_ix; =20 + MLX5_SET(fte_match_param, mc, outer_headers.ip_protocol, 0); + + /* decrypted ESP outer group */ + MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS); + MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.l4_type_ext); + MLX5_SET_CFG(in, start_flow_index, ix); + ix +=3D groups->group_size[ttc->num_groups]; + MLX5_SET_CFG(in, end_flow_index, ix - 1); + ttc->g[ttc->num_groups] =3D mlx5_create_flow_group(ttc->t, in); + if (IS_ERR(ttc->g[ttc->num_groups])) + goto err; + ttc->num_groups++; + + MLX5_SET(fte_match_param, mc, outer_headers.l4_type_ext, 0); + + /* decrypted ESP inner group */ + MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_INNER_HEADERS); + if (use_ipv) + MLX5_SET(fte_match_param, mc, outer_headers.ip_version, 0); + else + MLX5_SET(fte_match_param, mc, outer_headers.ethertype, 0); + MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.ip_version); + MLX5_SET_TO_ONES(fte_match_param, mc, inner_headers.l4_type_ext); + MLX5_SET_CFG(in, start_flow_index, ix); + ix +=3D groups->group_size[ttc->num_groups]; + MLX5_SET_CFG(in, end_flow_index, ix - 1); + ttc->g[ttc->num_groups] =3D mlx5_create_flow_group(ttc->t, in); + if (IS_ERR(ttc->g[ttc->num_groups])) + goto err; + ttc->num_groups++; + + MLX5_SET(fte_match_param, mc, inner_headers.ip_version, 0); + MLX5_SET(fte_match_param, mc, inner_headers.l4_type_ext, 0); + /* undecrypted ESP group */ MLX5_SET_CFG(in, match_criteria_enable, MLX5_MATCH_OUTER_HEADERS | MLX5_MATCH_MISC_PARAMETERS_2); + if (use_ipv) + MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ip_version); + else + MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ethertype); 
+ MLX5_SET_TO_ONES(fte_match_param, mc, outer_headers.ip_protocol); MLX5_SET_TO_ONES(fte_match_param, mc, misc_parameters_2.ipsec_next_header); MLX5_SET_CFG(in, start_flow_index, ix); @@ -515,7 +562,7 @@ static int mlx5_create_ttc_table_groups(struct mlx5_ttc= _table *ttc, ttc->num_groups++; =20 if (mlx5_ttc_has_esp_flow_group(ttc)) { - err =3D mlx5_create_ttc_table_ipsec_groups(ttc, in, &ix); + err =3D mlx5_create_ttc_table_ipsec_groups(ttc, use_ipv, in, &ix); if (err) goto err; =20 @@ -615,6 +662,9 @@ static int mlx5_generate_inner_ttc_table_rules(struct m= lx5_core_dev *dev, for (tt =3D 0; tt < MLX5_NUM_TT; tt++) { struct mlx5_ttc_rule *rule =3D &rules[tt]; =20 + if (mlx5_ttc_is_decrypted_esp_tt(tt)) + continue; + if (test_bit(tt, params->ignore_dests)) continue; rule->rule =3D mlx5_generate_inner_ttc_rule(dev, ft, diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h b/drivers= /net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h index aead62441550..cae6a8ba0491 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h @@ -18,6 +18,14 @@ enum mlx5_traffic_types { MLX5_TT_IPV4, MLX5_TT_IPV6, MLX5_TT_ANY, + MLX5_TT_DECRYPTED_ESP_OUTER_IPV4_TCP, + MLX5_TT_DECRYPTED_ESP_OUTER_IPV6_TCP, + MLX5_TT_DECRYPTED_ESP_OUTER_IPV4_UDP, + MLX5_TT_DECRYPTED_ESP_OUTER_IPV6_UDP, + MLX5_TT_DECRYPTED_ESP_INNER_IPV4_TCP, + MLX5_TT_DECRYPTED_ESP_INNER_IPV6_TCP, + MLX5_TT_DECRYPTED_ESP_INNER_IPV4_UDP, + MLX5_TT_DECRYPTED_ESP_INNER_IPV6_UDP, MLX5_NUM_TT, MLX5_NUM_INDIR_TIRS =3D MLX5_TT_ANY, }; 
@@ -72,5 +80,10 @@ bool mlx5_tunnel_inner_ft_supported(struct mlx5_core_dev= *mdev); u8 mlx5_get_proto_by_tunnel_type(enum mlx5_tunnel_types tt); =20 bool mlx5_ttc_has_esp_flow_group(struct mlx5_ttc_table *ttc); +static inline bool mlx5_ttc_is_decrypted_esp_tt(enum mlx5_traffic_types tt) +{ + return tt >=3D MLX5_TT_DECRYPTED_ESP_OUTER_IPV4_TCP && + tt <=3D MLX5_TT_DECRYPTED_ESP_INNER_IPV6_UDP; +} =20 #endif /* __MLX5_FS_TTC_H__ */ --=20 2.31.1
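Review bot: mlx5_create_ttc_table_ipsec_groups() (fs_ttc.c, hunk at -436,15 +443,55) builds each group's match mask by clearing and re-setting single fields on the `mc` buffer inherited from the caller: it opens with `MLX5_SET(fte_match_param, mc, outer_headers.ip_protocol, 0)`, and the outer decrypted group depends on outer ip_version or ethertype still being set from earlier, since this function only adds l4_type_ext before creating that group. The masks therefore depend on whichever group the caller created last. Stating the expected incoming mask in a comment, or zeroing `mc` and setting every field each of the three groups needs, would make the function self-contained.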
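Review bot: mlx5_ttc_is_decrypted_esp_tt() (fs_ttc.h, hunk at -72,5 +80,10) is a range test from MLX5_TT_DECRYPTED_ESP_OUTER_IPV4_TCP to MLX5_TT_DECRYPTED_ESP_INNER_IPV6_UDP, so it is only correct while the eight new enumerators stay contiguous and in that order in enum mlx5_traffic_types; a comment on the enum saying so would protect it from a later insertion. Because the new values sit between MLX5_TT_ANY and MLX5_NUM_TT, every existing `for (tt = 0; tt < MLX5_NUM_TT; tt++)` loop needed the same `continue` added (five in this patch), and a named bound for the regular traffic types would avoid relying on each loop remembering the skip. Minor: a blank line between the mlx5_ttc_has_esp_flow_group() prototype and the new inline function would read better.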
From: Tariq Toukan
To: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Andrew Lunn, "David S. Miller"
CC: Saeed Mahameed, Leon Romanovsky, Tariq Toukan, Mark Bloch, Jianbo Liu, "Leon Romanovsky", Steffen Klassert, Herbert Xu, Paul Moore
Subject: [PATCH net-next 4/4] net/mlx5e: Add flow rules for the decrypted ESP packets
Date: Thu, 18 Sep 2025 10:19:23 +0300
Message-ID: <1758179963-649455-5-git-send-email-tariqt@nvidia.com>
In-Reply-To: <1758179963-649455-1-git-send-email-tariqt@nvidia.com>
References: <1758179963-649455-1-git-send-email-tariqt@nvidia.com>
PH7PR12MB8828 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jianbo Liu The previous commit introduced two new flow groups to enable L4 RSS for decrypted IPsec traffic. This commit implements the logic to populate these groups with the necessary steering rules. The rules are created dynamically whenever the first IPSec offload rule is configured via the xfrm subsystem and the decryption tables for RX are created. Each rule matches a specific decrypted traffic type based on its ip version (or ethertype) and outer/inner l4_type_ext, directing it to the appropriate L4 RSS-enabled TIR. The lifecycle of these steering rules is tied directly to the RX tables. They are deleted when the RX tables are destroyed. Signed-off-by: Jianbo Liu Reviewed-by: Dragos Tatulea Signed-off-by: Tariq Toukan --- .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 16 +- .../ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 239 +++++++++++++++++- .../ethernet/mellanox/mlx5/core/lib/fs_ttc.h | 3 + 3 files changed, 241 insertions(+), 17 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/= drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c index a06929852296..4526ca899daf 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c @@ -61,6 +61,7 @@ struct mlx5e_ipsec_rx { struct mlx5_flow_table *pol_miss_ft; struct mlx5_flow_handle *pol_miss_rule; u8 allow_tunnel_mode : 1; + u8 ttc_rules_added : 1; }; =20 /* IPsec RX flow steering */ 
@@ -683,10 +684,13 @@ static void ipsec_mpv_work_handler(struct work_struct= *_work) complete(&work->master_priv->ipsec->comp); } =20 -static void ipsec_rx_ft_disconnect(struct mlx5e_ipsec *ipsec, u32 family) +static void ipsec_rx_ft_disconnect(struct mlx5e_ipsec *ipsec, + struct mlx5e_ipsec_rx *rx, u32 family) { struct mlx5_ttc_table *ttc =3D mlx5e_fs_get_ttc(ipsec->fs, false); =20 + if (rx->ttc_rules_added) + mlx5_ttc_destroy_ipsec_rules(ttc); mlx5_ttc_fwd_default_dest(ttc, family2tt(family)); } =20 @@ -721,7 +725,7 @@ static void rx_destroy(struct mlx5_core_dev *mdev, stru= ct mlx5e_ipsec *ipsec, { /* disconnect */ if (rx !=3D ipsec->rx_esw) - ipsec_rx_ft_disconnect(ipsec, family); + ipsec_rx_ft_disconnect(ipsec, rx, family); =20 mlx5_del_flow_rules(rx->sa.rule); mlx5_destroy_flow_group(rx->sa.group); @@ -820,10 +824,16 @@ static void ipsec_rx_ft_connect(struct mlx5e_ipsec *i= psec, struct mlx5e_ipsec_rx_create_attr *attr) { struct mlx5_flow_destination dest =3D {}; + struct mlx5_ttc_table *ttc, *inner_ttc; =20 dest.type =3D MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE; dest.ft =3D rx->ft.sa; - mlx5_ttc_fwd_dest(attr->ttc, family2tt(attr->family), &dest); + if (mlx5_ttc_fwd_dest(attr->ttc, family2tt(attr->family), &dest)) + return; + + ttc =3D mlx5e_fs_get_ttc(ipsec->fs, false); + inner_ttc =3D mlx5e_fs_get_ttc(ipsec->fs, true); + rx->ttc_rules_added =3D !mlx5_ttc_create_ipsec_rules(ttc, inner_ttc); } =20 static int ipsec_rx_chains_create_miss(struct mlx5e_ipsec *ipsec, diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers= /net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c index 3cd5de6f714f..7adad784ad46 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c 
@@ -32,10 +32,13 @@ static int mlx5_fs_ttc_table_size(const struct mlx5_fs_= ttc_groups *groups) struct mlx5_ttc_table { int num_groups; const struct mlx5_fs_ttc_groups *groups; + struct mlx5_core_dev *mdev; struct mlx5_flow_table *t; struct mlx5_flow_group **g; struct mlx5_ttc_rule rules[MLX5_NUM_TT]; struct mlx5_flow_handle *tunnel_rules[MLX5_NUM_TUNNEL_TT]; + u32 refcnt; + struct mutex mutex; /* Protect adding rules for ipsec crypto offload */ }; =20 struct mlx5_flow_table *mlx5_get_ttc_flow_table(struct mlx5_ttc_table *ttc) @@ -302,6 +305,31 @@ static u8 mlx5_etype_to_ipv(u16 ethertype) return 0; } =20 +static void mlx5_fs_ttc_set_match_ipv_outer(struct mlx5_core_dev *mdev, + struct mlx5_flow_spec *spec, + u16 etype) +{ + int match_ipv_outer =3D + MLX5_CAP_FLOWTABLE_NIC_RX(mdev, + ft_field_support.outer_ip_version); + u8 ipv; + + ipv =3D mlx5_etype_to_ipv(etype); + if (match_ipv_outer && ipv) { + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, + outer_headers.ip_version); + MLX5_SET(fte_match_param, spec->match_value, + outer_headers.ip_version, ipv); + } else { + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, + outer_headers.ethertype); + MLX5_SET(fte_match_param, spec->match_value, + outer_headers.ethertype, etype); + } + + spec->match_criteria_enable =3D MLX5_MATCH_OUTER_HEADERS; +} + static void mlx5_fs_ttc_set_match_proto(void *headers_c, void *headers_v, u8 proto, bool use_l4_type) { @@ -326,14 +354,10 @@ mlx5_generate_ttc_rule(struct mlx5_core_dev *dev, str= uct mlx5_flow_table *ft, struct mlx5_flow_destination *dest, u16 etype, u8 proto, bool use_l4_type, bool ipsec_rss) { - int match_ipv_outer =3D - MLX5_CAP_FLOWTABLE_NIC_RX(dev, - ft_field_support.outer_ip_version); MLX5_DECLARE_FLOW_ACT(flow_act); struct mlx5_flow_handle *rule; struct mlx5_flow_spec *spec; int err =3D 0; - u8 ipv; =20 spec =3D kvzalloc(sizeof(*spec), GFP_KERNEL); if (!spec) 
@@ -350,16 +374,8 @@ mlx5_generate_ttc_rule(struct mlx5_core_dev *dev, stru= ct mlx5_flow_table *ft, proto, use_l4_type); } =20 - ipv =3D mlx5_etype_to_ipv(etype); - if (match_ipv_outer && ipv) { - spec->match_criteria_enable =3D MLX5_MATCH_OUTER_HEADERS; - MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.ip= _version); - MLX5_SET(fte_match_param, spec->match_value, outer_headers.ip_version, i= pv); - } else if (etype) { - spec->match_criteria_enable =3D MLX5_MATCH_OUTER_HEADERS; - MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, outer_headers.et= hertype); - MLX5_SET(fte_match_param, spec->match_value, outer_headers.ethertype, et= ype); - } + if (etype) + mlx5_fs_ttc_set_match_ipv_outer(dev, spec, etype); =20 if (ipsec_rss && proto =3D=3D IPPROTO_ESP) { MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, @@ -838,6 +854,7 @@ void mlx5_destroy_ttc_table(struct mlx5_ttc_table *ttc) =20 kfree(ttc->g); mlx5_destroy_flow_table(ttc->t); + mutex_destroy(&ttc->mutex); kvfree(ttc); } =20 @@ -894,6 +911,9 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx= 5_core_dev *dev, if (err) goto destroy_ft; =20 + ttc->mdev =3D dev; + mutex_init(&ttc->mutex); + return ttc; =20 destroy_ft: 
@@ -927,3 +947,194 @@ int mlx5_ttc_fwd_default_dest(struct mlx5_ttc_table *= ttc, =20 return mlx5_ttc_fwd_dest(ttc, type, &dest); } + +static void _mlx5_ttc_destroy_ipsec_rules(struct mlx5_ttc_table *ttc) +{ + enum mlx5_traffic_types i; + + for (i =3D MLX5_TT_DECRYPTED_ESP_OUTER_IPV4_TCP; + i <=3D MLX5_TT_DECRYPTED_ESP_INNER_IPV6_UDP; i++) { + if (!ttc->rules[i].rule) + continue; + + mlx5_del_flow_rules(ttc->rules[i].rule); + ttc->rules[i].rule =3D NULL; + } +} + +void mlx5_ttc_destroy_ipsec_rules(struct mlx5_ttc_table *ttc) +{ + if (!mlx5_ttc_has_esp_flow_group(ttc)) + return; + + mutex_lock(&ttc->mutex); + if (--ttc->refcnt) + goto unlock; + + _mlx5_ttc_destroy_ipsec_rules(ttc); +unlock: + mutex_unlock(&ttc->mutex); +} + +static int mlx5_ttc_get_tt_attrs(enum mlx5_traffic_types type, + u16 *etype, int *l4_type_ext, + enum mlx5_traffic_types *tir_tt) +{ + switch (type) { + case MLX5_TT_DECRYPTED_ESP_OUTER_IPV4_TCP: + case MLX5_TT_DECRYPTED_ESP_INNER_IPV4_TCP: + *etype =3D ETH_P_IP; + *l4_type_ext =3D MLX5_PACKET_L4_TYPE_EXT_TCP; + *tir_tt =3D MLX5_TT_IPV4_TCP; + break; + case MLX5_TT_DECRYPTED_ESP_OUTER_IPV6_TCP: + case MLX5_TT_DECRYPTED_ESP_INNER_IPV6_TCP: + *etype =3D ETH_P_IPV6; + *l4_type_ext =3D MLX5_PACKET_L4_TYPE_EXT_TCP; + *tir_tt =3D MLX5_TT_IPV6_TCP; + break; + case MLX5_TT_DECRYPTED_ESP_OUTER_IPV4_UDP: + case MLX5_TT_DECRYPTED_ESP_INNER_IPV4_UDP: + *etype =3D ETH_P_IP; + *l4_type_ext =3D MLX5_PACKET_L4_TYPE_EXT_UDP; + *tir_tt =3D MLX5_TT_IPV4_UDP; + break; + case MLX5_TT_DECRYPTED_ESP_OUTER_IPV6_UDP: + case MLX5_TT_DECRYPTED_ESP_INNER_IPV6_UDP: + *etype =3D ETH_P_IPV6; + *l4_type_ext =3D MLX5_PACKET_L4_TYPE_EXT_UDP; + *tir_tt =3D MLX5_TT_IPV6_UDP; + break; + default: + return -EINVAL; + } + + return 0; +} + +static struct mlx5_flow_handle * +mlx5_ttc_create_ipsec_outer_rule(struct mlx5_ttc_table *ttc, + enum mlx5_traffic_types type) +{ + struct mlx5_flow_destination dest; + MLX5_DECLARE_FLOW_ACT(flow_act); + enum mlx5_traffic_types tir_tt; + struct 
mlx5_flow_handle *rule; + struct mlx5_flow_spec *spec; + int l4_type_ext; + u16 etype; + int err; + + err =3D mlx5_ttc_get_tt_attrs(type, &etype, &l4_type_ext, &tir_tt); + if (err) + return ERR_PTR(err); + + spec =3D kvzalloc(sizeof(*spec), GFP_KERNEL); + if (!spec) + return ERR_PTR(-ENOMEM); + + mlx5_fs_ttc_set_match_ipv_outer(ttc->mdev, spec, etype); + + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, + outer_headers.l4_type_ext); + MLX5_SET(fte_match_param, spec->match_value, + outer_headers.l4_type_ext, l4_type_ext); + + dest =3D mlx5_ttc_get_default_dest(ttc, tir_tt); + + rule =3D mlx5_add_flow_rules(ttc->t, spec, &flow_act, &dest, 1); + if (IS_ERR(rule)) { + err =3D PTR_ERR(rule); + mlx5_core_err(ttc->mdev, "%s: add rule failed\n", __func__); + } + + kvfree(spec); + return err ? ERR_PTR(err) : rule; +} + +static struct mlx5_flow_handle * +mlx5_ttc_create_ipsec_inner_rule(struct mlx5_ttc_table *ttc, + struct mlx5_ttc_table *inner_ttc, + enum mlx5_traffic_types type) +{ + struct mlx5_flow_destination dest; + MLX5_DECLARE_FLOW_ACT(flow_act); + enum mlx5_traffic_types tir_tt; + struct mlx5_flow_handle *rule; + struct mlx5_flow_spec *spec; + int l4_type_ext; + u16 etype; + int err; + + err =3D mlx5_ttc_get_tt_attrs(type, &etype, &l4_type_ext, &tir_tt); + if (err) + return ERR_PTR(err); + + spec =3D kvzalloc(sizeof(*spec), GFP_KERNEL); + if (!spec) + return ERR_PTR(-ENOMEM); + + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, + inner_headers.ip_version); + MLX5_SET(fte_match_param, spec->match_value, + inner_headers.ip_version, mlx5_etype_to_ipv(etype)); + MLX5_SET_TO_ONES(fte_match_param, spec->match_criteria, + inner_headers.l4_type_ext); + MLX5_SET(fte_match_param, spec->match_value, + inner_headers.l4_type_ext, l4_type_ext); + + dest =3D mlx5_ttc_get_default_dest(inner_ttc, tir_tt); + + spec->match_criteria_enable =3D MLX5_MATCH_INNER_HEADERS; + + rule =3D mlx5_add_flow_rules(ttc->t, spec, &flow_act, &dest, 1); + if (IS_ERR(rule)) { + err =3D 
PTR_ERR(rule); + mlx5_core_err(ttc->mdev, "%s: add rule failed\n", __func__); + } + + kvfree(spec); + return err ? ERR_PTR(err) : rule; +} + +int mlx5_ttc_create_ipsec_rules(struct mlx5_ttc_table *ttc, + struct mlx5_ttc_table *inner_ttc) +{ + struct mlx5_flow_handle *rule; + enum mlx5_traffic_types i; + + if (!mlx5_ttc_has_esp_flow_group(ttc)) + return 0; + + mutex_lock(&ttc->mutex); + if (ttc->refcnt) + goto skip; + + for (i =3D MLX5_TT_DECRYPTED_ESP_OUTER_IPV4_TCP; + i <=3D MLX5_TT_DECRYPTED_ESP_OUTER_IPV6_UDP; i++) { + rule =3D mlx5_ttc_create_ipsec_outer_rule(ttc, i); + if (IS_ERR(rule)) + goto err_out; + + ttc->rules[i].rule =3D rule; + } + + for (i =3D MLX5_TT_DECRYPTED_ESP_INNER_IPV4_TCP; + i <=3D MLX5_TT_DECRYPTED_ESP_INNER_IPV6_UDP; i++) { + rule =3D mlx5_ttc_create_ipsec_inner_rule(ttc, inner_ttc, i); + if (IS_ERR(rule)) + goto err_out; + + ttc->rules[i].rule =3D rule; + } + +skip: + ttc->refcnt++; + mutex_unlock(&ttc->mutex); + return 0; + +err_out: + _mlx5_ttc_destroy_ipsec_rules(ttc); + mutex_unlock(&ttc->mutex); + return PTR_ERR(rule); +} diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h b/drivers= /net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h index cae6a8ba0491..95f6e56724a2 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.h @@ -80,6 +80,9 @@ bool mlx5_tunnel_inner_ft_supported(struct mlx5_core_dev = *mdev); u8 mlx5_get_proto_by_tunnel_type(enum mlx5_tunnel_types tt); =20 bool mlx5_ttc_has_esp_flow_group(struct mlx5_ttc_table *ttc); +int mlx5_ttc_create_ipsec_rules(struct mlx5_ttc_table *ttc, + struct mlx5_ttc_table *inner_ttc); +void mlx5_ttc_destroy_ipsec_rules(struct mlx5_ttc_table *ttc); static inline bool mlx5_ttc_is_decrypted_esp_tt(enum mlx5_traffic_types tt) { return tt >=3D MLX5_TT_DECRYPTED_ESP_OUTER_IPV4_TCP && --=20 2.31.1
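Review bot: in the ipsec_rx_ft_disconnect() hunk of ipsec_fs.c, rx->ttc_rules_added is tested but never cleared after mlx5_ttc_destroy_ipsec_rules(ttc). ipsec_rx_ft_connect() only rewrites the bit when mlx5_ttc_fwd_dest() succeeds, so if the same rx object later goes through a connect that takes the early return, the following disconnect would drop a reference it never took. Clearing the bit right after the destroy call (rx->ttc_rules_added = 0;) keeps the two paths balanced however rx is reused.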
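Review bot: in the ipsec_rx_ft_connect() hunk, the result of mlx5_ttc_create_ipsec_rules() is folded into ttc_rules_added and then dropped, so a failure leaves the RX tables connected without the decrypted-ESP rules and the only trace is the helper's generic "add rule failed" message. Consider propagating the error, or logging at this call site that L4 RSS for decrypted traffic is not in effect. Also, the forward is installed on attr->ttc while the rules are created on mlx5e_fs_get_ttc(ipsec->fs, false); if these are always the same table, use one handle for both, and if they can differ, a comment should say why.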
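Review bot: mlx5_fs_ttc_set_match_ipv_outer() turns the old "else if (etype)" into a plain "else", so the helper on its own will match outer_headers.ethertype against 0 and set MLX5_MATCH_OUTER_HEADERS when handed etype 0. Correctness now depends on the "if (etype)" guard left in mlx5_generate_ttc_rule() and on mlx5_ttc_get_tt_attrs() always filling etype for the new caller. Either return early from the helper when etype is 0 or add a comment stating that callers must pass a non-zero ethertype.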
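Review bot: in mlx5_ttc_destroy_ipsec_rules(), "if (--ttc->refcnt)" decrements a u32 with no check for zero, so a single unbalanced call wraps the counter and leaves mlx5_ttc_create_ipsec_rules() and the destroy path out of step from then on. A WARN_ON_ONCE(!ttc->refcnt) with an early unlock before the decrement, or switching the field to refcount_t, would make the imbalance visible instead of silent. Separately, mlx5_ttc_create_ipsec_inner_rule() passes inner_ttc to mlx5_ttc_get_default_dest() with no NULL check in the visible lines; please confirm that mlx5e_fs_get_ttc(ipsec->fs, true) cannot return NULL whenever mlx5_ttc_has_esp_flow_group(ttc) is true. The "add rule failed" messages in both rule helpers would also be more useful with the traffic type and err included.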
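Review bot: the two prototypes added to fs_ttc.h carry no statement of their contract: that the rules are reference counted per ttc table, that mlx5_ttc_create_ipsec_rules() returns 0 without installing anything when mlx5_ttc_has_esp_flow_group() is false, and that mlx5_ttc_destroy_ipsec_rules() must be called exactly once per successful create. A short comment above the declarations, or kernel-doc on the definitions in fs_ttc.c, would spare the next caller from reading the refcnt logic to learn this.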