[PATCH net-next 7/7] net: Allow IPsec GSO for local sockets

2017-08-01 Thread ilant
From: Steffen Klassert This patch allows local sockets to make use of XFRM GSO code path. Signed-off-by: Steffen Klassert Signed-off-by: Ilan Tayari --- include/net/xfrm.h | 19 +++ net/core/sock.c| 2 +- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/incl

[PATCH net-next 6/7] xfrm: Clear RX SKB secpath xfrm_offload

2017-08-01 Thread ilant
From: Ilan Tayari If an incoming packet undergoes XFRM crypto-offload, its secpath is filled with xfrm_offload struct denoting offload information. If the SKB is then forwarded to a device which supports crypto-offload, the stack wrongfully attempts to offload it (even though the output SA may

[PATCH net-next 3/7] xfrm6: Fix CHECKSUM_COMPLETE after IPv6 header push

2017-08-01 Thread ilant
From: Yossi Kuperman xfrm6_transport_finish rebuilds the IPv6 header based on the original one and pushes it back without fixing skb->csum. Therefore, CHECKSUM_COMPLETE is no longer valid and the packet gets dropped. Fix skb->csum by calling skb_postpush_rcsum. Note: A valid IPv4 header has che

[PATCH net-next 4/7] esp6: Fix RX checksum after header pull

2017-08-01 Thread ilant
From: Yossi Kuperman Both ip6_input_finish (non-GRO) and esp6_gro_receive (GRO) strip the IPv6 header without adjusting skb->csum accordingly. As a result CHECKSUM_COMPLETE breaks and "hw csum failure" is written to the kernel log by netdev_rx_csum_fault (dev.c). Fix skb->csum by subtracting th

[PATCH net-next 0/7] IPSec offload improvements

2017-08-01 Thread ilant
From: Ilan Tayari Hi Steffen, This patchset introduces several improvements to IPSec offload. We would like to see these merged in 4.14. Patches 1-4 add RX checksum offload support. This gives a big performance boost. These patches have been submitted before but were not merged. Note that patch

[PATCH net-next 5/7] xfrm: Auto-load xfrm offload modules

2017-08-01 Thread ilant
From: Ilan Tayari IPSec crypto offload depends on the protocol-specific offload module (such as esp_offload.ko). When the user installs an SA with crypto-offload, load the offload module automatically, in the same way that the protocol module is loaded (such as esp.ko) Signed-off-by: Ilan Tayar

[PATCH net-next 2/7] esp6: Support RX checksum with crypto offload

2017-08-01 Thread ilant
From: Ilan Tayari Keep the device's reported ip_summed indication in case crypto was offloaded by the device. Subtract the csum values of the stripped parts (esp header+iv, esp trailer+auth_data) to keep value correct. Note: CHECKSUM_COMPLETE should be indicated only if skb->csum has the post-de

[PATCH net-next 1/7] esp4: Support RX checksum with crypto offload

2017-08-01 Thread ilant
From: Ilan Tayari Keep the device's reported ip_summed indication in case crypto was offloaded by the device. Subtract the csum values of the stripped parts (esp header+iv, esp trailer+auth_data) to keep value correct. Note: CHECKSUM_COMPLETE should be indicated only if skb->csum has the post-de

[PATCH net-next 1/4] esp4: Support RX checksum with crypto offload

2017-06-22 Thread ilant
From: Ilan Tayari Keep the device's reported ip_summed indication in case crypto was offloaded by the device. Subtract the csum values of the stripped parts (esp header+iv, esp trailer+auth_data) to keep value correct. Note: CHECKSUM_COMPLETE should be indicated only if skb->csum has the post-de

[PATCH net-next 3/4] xfrm6: Fix CHECKSUM_COMPLETE after IPv6 header push

2017-06-22 Thread ilant
From: Yossi Kuperman xfrm6_transport_finish rebuilds the IPv6 header based on the original one and pushes it back without fixing skb->csum. Therefore, CHECKSUM_COMPLETE is no longer valid and the packet gets dropped. Fix skb->csum by calling skb_postpush_rcsum. Note: A valid IPv4 header has che

[PATCH net-next 2/4] esp6: Support RX checksum with crypto offload

2017-06-22 Thread ilant
From: Ilan Tayari Keep the device's reported ip_summed indication in case crypto was offloaded by the device. Subtract the csum values of the stripped parts (esp header+iv, esp trailer+auth_data) to keep value correct. Note: CHECKSUM_COMPLETE should be indicated only if skb->csum has the post-de

[PATCH net-next 4/4] esp6: Fix RX checksum after header pull

2017-06-22 Thread ilant
From: Yossi Kuperman Both ip6_input_finish (non-GRO) and esp6_gro_receive (GRO) strip the IPv6 header without adjusting skb->csum accordingly. As a result CHECKSUM_COMPLETE breaks and "hw csum failure" is written to the kernel log by netdev_rx_csum_fault (dev.c). Fix skb->csum by subtracting th

[PATCH net-next 0/4] CHECKSUM_COMPLETE in IPSec

2017-06-22 Thread ilant
From: Ilan Tayari This patchset adds support for RX checksum offload in IPSec. When crypto is performed in the host, the checksum needs to be recalculated over all the payload. However, when crypto is performed in the NIC, the NIC may provide useful CHECKSUM_COMPLETE value, which then only need

[PATCH net v2 1/1] xfrm: Fix NETDEV_DOWN with IPSec offload

2017-05-08 Thread ilant
From: Ilan Tayari Upon NETDEV_DOWN event, all xfrm_state objects which are bound to the device are flushed. The condition for this is wrong, though, testing dev->hw_features instead of dev->features. If a device has non-user-modifiable NETIF_F_HW_ESP, then its xfrm_state objects are not flushed,

[PATCH net v2 0/1] xfrm: Fix NETDEV_DOWN with IPSec offload

2017-05-08 Thread ilant
From: Ilan Tayari v1 -> v2: Added Fixes tag Ilan Tayari (1): xfrm: Fix NETDEV_DOWN with IPSec offload net/xfrm/xfrm_device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.11.0

[PATCH net] xfrm: Fix NETDEV_DOWN with IPSec offload

2017-05-08 Thread ilant
From: Ilan Tayari Upon NETDEV_DOWN event, all xfrm_state objects which are bound to the device are flushed. The condition for this is wrong, though, testing dev->hw_features instead of dev->features. If a device has non-user-modifiable NETIF_F_HW_ESP, then its xfrm_state objects are not flushed,

[PATCH iproute2 net-next] ip xfrm: Add xfrm state crypto offload

2017-04-30 Thread ilant
From: Boris Pismenny syntax: ip xfrm state offload dev dir Example to add inbound offload: ip xfrm state offload dev mlx0 dir in Example to add outbound offload: ip xfrm state offload dev mlx0 dir out Signed-off-by: Boris Pismenny Signed-off-by: Ilan Tayari --- ip/ipxfrm

[PATCH net-next] xfrm: Indicate xfrm_state offload errors

2017-04-30 Thread ilant
From: Ilan Tayari Current code silently ignores driver errors when configuring IPSec offload xfrm_state, and falls back to host-based crypto. Fail the xfrm_state creation if the driver has an error, because the NIC offloading was explicitly requested by the user program. This will communicate b

[PATCH net-next] net/esp4: Fix invalid esph pointer crash

2017-04-30 Thread ilant
From: Ilan Tayari Both esp_output and esp_xmit take a pointer to the ESP header and place it in esp_info struct prior to calling esp_output_head. Inside esp_output_head, the call to esp_output_udp_encap makes sure to update the pointer if it gets invalid. However, if esp_output_head itself calls

[PATCH net] gso: Validate assumption of frag_list segementation

2017-04-19 Thread ilant
From: Ilan Tayari Commit 07b26c9454a2 ("gso: Support partial splitting at the frag_list pointer") assumes that all SKBs in a frag_list (except maybe the last one) contain the same amount of GSO payload. This assumption is not always correct, resulting in the following warning message in the log:

[PATCH ipsec-next] esp4/6: Fix GSO path for non-GSO SW-crypto packets

2017-04-18 Thread ilant
From: Ilan Tayari If esp*_offload module is loaded, outbound packets take the GSO code path, being encapsulated at layer 3, but encrypted in layer 2. validate_xmit_xfrm calls esp*_xmit for that. esp*_xmit was wrongfully detecting these packets as going through hardware crypto offload, while in f

[PATCH] gso: Validate assumption of frag_list segementation

2017-04-16 Thread ilant
From: Ilan Tayari Commit 07b26c9454a2 ("gso: Support partial splitting at the frag_list pointer") assumes that all SKBs in a frag_list (except maybe the last one) contain the same amount of GSO payload. This assumption is not always correct, resulting in the following warning message in the log:

[PATCH net-next] gso: Support frag_list splitting with head_frag

2017-04-07 Thread ilant
From: Ilan Tayari A driver may use build_skb() for received packets. These SKBs then have a head_frag. Since commit d7e8883cfcf4 ("net: make GRO aware of skb->head_frag"), GRO may build frag_list SKBs out of head_frag received SKBs. In such a case, the chained SKBs end up with a head_frag. Comm