From: Adi Nissim <[email protected]> Until now there were 2 hw_offload modes: no/yes * hw_offload = no : Configure the SA without HW offload. * hw_offload = yes : Configure the SA with HW offload. In this case, if the device does not support offloading, SA creation will fail.
This commit introduces a new mode: hw_offload = auto ---------------------------------------------------- If the device and kernel support HW offload, configure the SA with HW offload, but do not fail SA creation otherwise. Signed-off-by: Adi Nissim <[email protected]> Reviewed-by: Aviv Heller <[email protected]> --- .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 262 +++++++++++++++++++-- 1 file changed, 239 insertions(+), 23 deletions(-) diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 4e79dfc..9ca431c 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -21,12 +21,15 @@ #define _GNU_SOURCE #include <sys/types.h> #include <sys/socket.h> +#include <sys/ioctl.h> #include <stdint.h> #include <linux/ipsec.h> #include <linux/netlink.h> #include <linux/rtnetlink.h> #include <linux/xfrm.h> #include <linux/udp.h> +#include <linux/ethtool.h> +#include <linux/sockios.h> #include <net/if.h> #include <unistd.h> #include <time.h> @@ -237,6 +240,21 @@ static kernel_algorithm_t compression_algs[] = { }; /** + * IPsec offload + */ +enum nic_offload_state { + NIC_OFFLOAD_UNKNOWN, + NIC_OFFLOAD_UNSUPPORTED, + NIC_OFFLOAD_SUPPORTED +}; + +static struct { + unsigned int bit; + unsigned int total_blocks; + enum nic_offload_state state; +} netlink_esp_hw_offload; + +/** * Look up a kernel algorithm name and its key size */ static const char* lookup_algorithm(transform_type_t type, int ikev2) @@ -1290,6 +1308,222 @@ static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark) return TRUE; } +/** + * check if kernel supported HW offload + */ +static void netlink_find_offload_feature(const char *ifname, int fd_for_socket) +{ + struct ethtool_sset_info *sset_info = NULL; + struct ethtool_gstrings *cmd = NULL; + struct ifreq ifr; + uint32_t sset_len, i; + char *str; + int err; + + netlink_esp_hw_offload.state = NIC_OFFLOAD_UNSUPPORTED; + + /* Determine number of device-features */ + sset_info = malloc(sizeof(*sset_info)); + if (sset_info == NULL) + { + goto out; + } + memset(sset_info, 0, sizeof(*sset_info)); + + sset_info->cmd = ETHTOOL_GSSET_INFO; + sset_info->sset_mask = 1ULL << ETH_SS_FEATURES; + strcpy(ifr.ifr_name, ifname); + + ifr.ifr_data = (void *)sset_info; + + err = ioctl(fd_for_socket, SIOCETHTOOL, &ifr); + if (err != 0) + { + goto out; + } + + if (sset_info->sset_mask != 1ULL << ETH_SS_FEATURES) + { + goto out; + } + sset_len = sset_info->data[0]; + + /* Retrieve names of device-features */ + cmd = malloc(sizeof(*cmd) + ETH_GSTRING_LEN * sset_len); + if (cmd == NULL) + { + goto out; + } + + memset(cmd, 0, sizeof(*cmd)); + cmd->cmd = ETHTOOL_GSTRINGS; + cmd->string_set = ETH_SS_FEATURES; + strcpy(ifr.ifr_name, ifname); + ifr.ifr_data = (void *)cmd; + err = ioctl(fd_for_socket, SIOCETHTOOL, &ifr); + if (err) + { + goto out; + } + + /* Look for the ESP_HW feature bit */ + str = (char *)cmd->data; + for (i = 0; i < cmd->len; i++) + { + if (strneq(str, "esp-hw-offload", ETH_GSTRING_LEN) == 1) + break; + str += ETH_GSTRING_LEN; + } + if (i >= cmd->len) + { + goto out; + } + + netlink_esp_hw_offload.bit = i; + netlink_esp_hw_offload.total_blocks = (sset_len + 31) / 32; + netlink_esp_hw_offload.state = NIC_OFFLOAD_SUPPORTED; + +out: + if (sset_info != NULL) + { + free(sset_info); + } + if (cmd != NULL) + { + free(cmd); + } +} + +/** + * Check if interface supported HW offload + */ +static bool netlink_detect_offload(const char *ifname) +{ + struct ethtool_gfeatures *cmd; + uint32_t feature_bit; + struct ifreq ifr; + bool ret = FALSE; + int nl_send_fd; + int block; + + nl_send_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); + + if (nl_send_fd < 0) + { + return FALSE; + } + + /* + * Kernel requires a real interface in order to query the kernel-wide + * capability, so we do it here on first invocation. + */ + if (netlink_esp_hw_offload.state == NIC_OFFLOAD_UNKNOWN) + { + netlink_find_offload_feature(ifname, nl_send_fd); + } + + if (netlink_esp_hw_offload.state == NIC_OFFLOAD_UNSUPPORTED) + { + DBG1(DBG_KNL, "HW offload is not supported by kernel"); + return FALSE; + } + + /* Feature is supported by kernel. Query device features */ + cmd = malloc(sizeof(cmd->features[0]) * + netlink_esp_hw_offload.total_blocks); + if (cmd == NULL) + { + return FALSE; + } + + strcpy(ifr.ifr_name, ifname); + + ifr.ifr_data = (void *)cmd; + cmd->cmd = ETHTOOL_GFEATURES; + cmd->size = netlink_esp_hw_offload.total_blocks; + + if (ioctl(nl_send_fd, SIOCETHTOOL, &ifr)) + { + goto out; + } + + block = netlink_esp_hw_offload.bit / 32; + feature_bit = 1U << (netlink_esp_hw_offload.bit % 32); + if (cmd->features[block].active & feature_bit) + { + ret = TRUE; + } + +out: + free(cmd); + if (ret == FALSE) + { + DBG1(DBG_KNL, "HW offload is not supported by device"); + } + return ret; +} + +/** + * There are 3 configuration options: + * 1. HW_OFFLOAD_NO : Do not configure HW offload.. + * 2. HW_OFFLOAD_YES : Configure HW offload. + * Fail SA addition if offload is not supported. + * 3. HW_OFFLOAD_AUTO : Configure HW offload if supported by the kernel + * and device. + * Do not fail SA addition otherwise. + */ +static bool config_hw_offload(kernel_ipsec_sa_id_t *id, + kernel_ipsec_add_sa_t *data, struct nlmsghdr *hdr, int buflen) +{ + bool cfg_hw_offload_is_yes = (data->hw_offload == HW_OFFLOAD_YES); + host_t *local = data->inbound ? id->dst : id->src; + struct xfrm_user_offload *offload; + bool hw_offload_support; + bool ret = FALSE; + char *ifname; + + /* Do Ipsec configuration without offload */ + if (data->hw_offload == HW_OFFLOAD_NO) + { + return TRUE; + } + + if (!charon->kernel->get_interface(charon->kernel, local, &ifname)) + { + return !cfg_hw_offload_is_yes; + } + + /* Check if interface supports hw_offload */ + hw_offload_support = netlink_detect_offload(ifname); + + if (!hw_offload_support) + { + ret = !cfg_hw_offload_is_yes; + goto out; + } + + /* Activate HW offload */ + offload = netlink_reserve(hdr, buflen, + XFRMA_OFFLOAD_DEV, sizeof(*offload)); + if (!offload) + { + ret = !cfg_hw_offload_is_yes; + goto out; + } + offload->ifindex = if_nametoindex(ifname); + if (local->get_family(local) == AF_INET6) + { + offload->flags |= XFRM_OFFLOAD_IPV6; + } + offload->flags |= data->inbound ? XFRM_OFFLOAD_INBOUND : 0; + + ret = TRUE; + +out: + free(ifname); + return ret; +} + METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, kernel_ipsec_add_sa_t *data) @@ -1650,30 +1884,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t, data->replay_window); sa->replay_window = data->replay_window; } - if (data->hw_offload) - { - host_t *local = data->inbound ? id->dst : id->src; - char *ifname; - - if (charon->kernel->get_interface(charon->kernel, local, &ifname)) - { - struct xfrm_user_offload *offload; - offload = netlink_reserve(hdr, sizeof(request), - XFRMA_OFFLOAD_DEV, sizeof(*offload)); - if (!offload) - { - free(ifname); - goto failed; - } - offload->ifindex = if_nametoindex(ifname); - if (local->get_family(local) == AF_INET6) - { - offload->flags |= XFRM_OFFLOAD_IPV6; - } - offload->flags |= data->inbound ? XFRM_OFFLOAD_INBOUND : 0; - free(ifname); - } + DBG2(DBG_KNL, " HW offload mode = %N", hw_offload_names, data->hw_offload); + if (!config_hw_offload(id, data, hdr, sizeof(request))) + { + DBG1(DBG_KNL, "failed to configure HW offload"); + goto failed; } } -- 1.8.3.1
