Hi Ilan, Here are a couple of proposed changes, untested, after a closer review.
1. rename option to "nic-offload". Libreswan is moving away from "_" 2. whack --nic-offload 3. nic-offload:yes; in "ipsec status" connection 4. there is one coding style change I made. On Wed, Jun 28, 2017 at 05:31:06AM +0000, Ilan Tayari wrote: > > I guess this could be applied. However, please hold on, lets update > > xfrm.h first. > > > > I plan to update linux26/xfrm.h with history from kernel commits. > > It should happen before this patch. Otherwise it is hard to know how up to > > date > > xfrm.h is. > Yes, I suppose xfrm.h update should come separately and before. > I don't mind rebasing and re-submitting after you do that. > Do you have an approximation when this would happen? I pushed this change yesterday. Rebase should work. > > Another comment. It would be nice to add whack option? > > I'll take some time to understand whack better and come up with something. > You're talking about the command line tool, right? see the attached proposed patch. It is not tested, I don't have a card. regards, -antony
>From 00ab206ec16096284632d77050ed0c423841977a Mon Sep 17 00:00:00 2001
From: Antony Antony <[email protected]>
Date: Wed, 28 Jun 2017 14:59:31 +0200
Subject: [PATCH 1/3] pluto: rename hw_offload to nic-offload
Signed-off-by: Antony Antony <[email protected]>
---
 include/ipsecconf/keywords.h | 2 +-
 include/whack.h | 2 +-
 lib/libipsecconf/confread.c | 2 +-
 lib/libipsecconf/keywords.c | 2 +-
 lib/libipsecconf/starterwhack.c | 2 +-
 programs/pluto/connections.c | 2 +-
 programs/pluto/connections.h | 2 +-
 programs/pluto/kernel.c | 6 +++---
 programs/pluto/kernel.h | 4 ++--
 programs/pluto/kernel_netlink.c | 4 ++--
 programs/whack/whack.c | 2 +-
 11 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 948ac40..6894b63 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -159,7 +159,7 @@ enum keyword_numeric_config_field {
 KBF_SECCOMP, /* set SECCOMP mode */
 KBF_VTI_ROUTING, /* let updown do routing into VTI device */
 KBF_VTI_SHARED, /* VTI device is shared - enable checks and disable cleanup */
- KBF_HW_OFFLOAD, /* HW offload on network device */
+ KBF_NIC_OFFLOAD, /* xfrm offload to network device */
 KBF_MAX
 };
diff --git a/include/whack.h b/include/whack.h
index fd96053..9e8a15a 100644
--- a/include/whack.h
+++ b/include/whack.h
@@ -155,7 +155,7 @@ struct whack_message {
 unsigned long sa_replay_window;
 deltatime_t r_timeout; /* in secs */
 unsigned long r_interval; /* in msec */
- bool hw_offload;
+ bool nic_offload;
 /* For IKEv1 RFC 3706 - Dead Peer Detection */
 deltatime_t dpd_delay;
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 1396728..8a3bb5e 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -150,7 +150,7 @@ void ipsecconf_default_values(struct starter_config *cfg)
 POLICY_IKE_FRAG_ALLOW | /* ike_frag=yes */
 POLICY_ESN_NO; /* esn=no */
- cfg->conn_default.options[KBF_HW_OFFLOAD] = FALSE;
+ cfg->conn_default.options[KBF_NIC_OFFLOAD] = FALSE;
 cfg->conn_default.options[KBF_IKELIFETIME] = IKE_SA_LIFETIME_DEFAULT;
 cfg->conn_default.options[KBF_REPLAY_WINDOW] = IPSEC_SA_DEFAULT_REPLAY_WINDOW;
diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c
index 6f69a18..a2f554f 100644
--- a/lib/libipsecconf/keywords.c
+++ b/lib/libipsecconf/keywords.c
@@ -610,7 +610,7 @@ const struct keyword_def ipsec_conf_keywords_v2[] = {
 { "modecfgwins1", kv_conn, kt_obsolete, KBF_WARNIGNORE, NOT_ENUM },
 { "modecfgwins2", kv_conn, kt_obsolete, KBF_WARNIGNORE, NOT_ENUM },
- { "hw_offload", kv_conn, kt_bool, KBF_HW_OFFLOAD, NOT_ENUM },
+ { "nic-offload", kv_conn, kt_bool, KBF_NIC_OFFLOAD, NOT_ENUM },
 { "encapsulation", kv_conn, kt_enum, KBF_ENCAPS, &kw_encaps_list },
 { "forceencaps", kv_conn, kt_obsolete, KBF_WARNIGNORE, NOT_ENUM },
diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c
index 41877ae..8458357 100644
--- a/lib/libipsecconf/starterwhack.c
+++ b/lib/libipsecconf/starterwhack.c
@@ -531,7 +531,7 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
 if (conn->right.addrtype == KH_IPHOSTNAME)
 msg.dnshostname = conn->right.strings[KSCF_IP];
- msg.hw_offload = conn->options[KBF_HW_OFFLOAD];
+ msg.nic_offload = conn->options[KBF_NIC_OFFLOAD];
 msg.sa_ike_life_seconds = deltatime(conn->options[KBF_IKELIFETIME]);
 msg.sa_ipsec_life_seconds = deltatime(conn->options[KBF_SALIFETIME]);
 msg.sa_rekey_margin = deltatime(conn->options[KBF_REKEYMARGIN]);
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index 880177f..b1333e3 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -1546,7 +1546,7 @@ void add_connection(const struct whack_message *wm)
 }
 }
- c->hw_offload = wm->hw_offload;
+ c->nic_offload = wm->nic_offload;
 c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
 c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
 c->sa_rekey_margin = wm->sa_rekey_margin;
diff --git a/programs/pluto/connections.h b/programs/pluto/connections.h
index 9e0e1ee..d5fee13 100644
--- a/programs/pluto/connections.h
+++ b/programs/pluto/connections.h
@@ -242,7 +242,7 @@ struct connection {
 deltatime_t r_timeout; /* max time (in secs) for one packet exchange attempt */
 reqid_t sa_reqid;
 int encapsulation;
- bool hw_offload;
+ bool nic_offload;
 /* RFC 3706 DPD */
 deltatime_t dpd_delay; /* time between checks */
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index 55ca125..ac745c1 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -1794,9 +1794,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 said_boilerplate.transport_proto = c->spd.this.protocol;
 said_boilerplate.sa_lifetime = c->sa_ipsec_life_seconds;
 said_boilerplate.outif = -1;
- said_boilerplate.hw_offload = c->hw_offload;
- if (c->hw_offload && c->interface)
- said_boilerplate.hw_offload_ifindex = if_nametoindex(c->interface->ip_dev->id_rname);
+ said_boilerplate.nic_offload = c->nic_offload;
+ if (c->nic_offload && c->interface != NULL)
+ said_boilerplate.nic_offload_ifindex = if_nametoindex(c->interface->ip_dev->id_rname);
 #ifdef HAVE_LABELED_IPSEC
 said_boilerplate.sec_ctx = st->sec_ctx;
diff --git a/programs/pluto/kernel.h b/programs/pluto/kernel.h
index 748a0d1..0b6b20c 100644
--- a/programs/pluto/kernel.h
+++ b/programs/pluto/kernel.h
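Review bot: The new `said_boilerplate.nic_offload_ifindex = if_nametoindex(...)` line in the kernel.c hunk stores the lookup result unchecked; `if_nametoindex()` returns 0 when the name cannot be resolved, so a misnamed or vanished device leaves nic_offload set while the ifindex handed on to the kernel SA request is 0, and the failure is only discovered (if at all) when the netlink request is rejected, without a log line pointing at the interface. I would test the return value, log the failed lookup with the device name, and either drop the offload request for this SA or fail setup_half_ipsec_sa outright if offload is meant to be mandatory — either way the misconfiguration becomes visible. When `c->interface` is NULL the ifindex keeps whatever `said_boilerplate` was initialised with, which is outside the hunk; setup_half_ipsec_sa's body also continues outside the hunk.
```c
	said_boilerplate.nic_offload = c->nic_offload;
	if (c->nic_offload && c->interface != NULL) {
		unsigned int ifindex = if_nametoindex(c->interface->ip_dev->id_rname);
		if (ifindex == 0) {
			/* surface the misconfiguration instead of sending ifindex 0 */
			loglog(RC_LOG_SERIOUS, "nic-offload: cannot resolve interface %s, not requesting offload",
			       c->interface->ip_dev->id_rname);
			said_boilerplate.nic_offload = FALSE;
		} else {
			said_boilerplate.nic_offload_ifindex = ifindex;
		}
	}
	/* … unchanged: HAVE_LABELED_IPSEC sec_ctx … */
```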
@@ -117,8 +117,8 @@ struct kernel_sa {
 #ifdef HAVE_LABELED_IPSEC
 struct xfrm_user_sec_ctx_ike *sec_ctx;
 #endif
- bool hw_offload;
- int hw_offload_ifindex;
+ bool nic_offload;
+ int nic_offload_ifindex;
 deltatime_t sa_lifetime; /* number of seconds until SA expires */
 /* below two need to enabled and used, instead of getting passed */
diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 66c5c25..a74d132 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -1257,13 +1257,13 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 attr = (struct rtattr *)((char *)attr + attr->rta_len);
 }
- if (sa->hw_offload) {
+ if (sa->nic_offload) {
 struct xfrm_user_offload xuo;
 xuo.flags |= sa->inbound ? XFRM_OFFLOAD_INBOUND : 0;
 if (sa->src->u.v4.sin_family == AF_INET6)
 xuo.flags |= XFRM_OFFLOAD_IPV6;
- xuo.ifindex = sa->hw_offload_ifindex;
+ xuo.ifindex = sa->nic_offload_ifindex;
 attr->rta_type = XFRMA_OFFLOAD_DEV;
 attr->rta_len = RTA_LENGTH(sizeof(xuo));
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 568aa23..8bae96d 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -942,7 +942,7 @@ int main(int argc, char **argv)
 msg.modecfg_domain = NULL;
 msg.modecfg_banner = NULL;
- msg.hw_offload = FALSE;
+ msg.nic_offload = FALSE;
 msg.sa_ike_life_seconds = deltatime(IKE_SA_LIFETIME_DEFAULT);
 msg.sa_ipsec_life_seconds = deltatime(IPSEC_SA_LIFETIME_DEFAULT);
 msg.sa_rekey_margin = deltatime(SA_REPLACEMENT_MARGIN_DEFAULT);
--
2.4.11
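Review bot: Inside the renamed `if (sa->nic_offload)` block in the kernel_netlink.c hunk, `struct xfrm_user_offload xuo;` has no initializer and the very next line does `xuo.flags |= ...`, which ORs into an indeterminate value; the attribute is sized with `RTA_LENGTH(sizeof(xuo))`, so the stale stack bytes in `flags` (and any padding) presumably end up in the netlink request sent to the kernel as offload flags. The rename does not touch these lines but they are the code under review: declare it `struct xfrm_user_offload xuo = { 0 };` and make the first assignment plain, `xuo.flags = sa->inbound ? XFRM_OFFLOAD_INBOUND : 0;`. Using the plain initializer also keeps the behaviour deterministic across compilers and builds, which matters for anything that is reproduced from a pcap or a netlink trace during incident analysis. netlink_add_sa's body continues outside the hunk, including the copy of `xuo` into the message.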
>From 596e12525b02f00faffbe0b7f2baa0f92599fa81 Mon Sep 17 00:00:00 2001
From: Antony Antony <[email protected]>
Date: Wed, 28 Jun 2017 10:02:11 +0200
Subject: [PATCH 2/3] pluto: add nic-offload:yes to ipsec status output
if nic-offload=yes is configured for the connection show it.
Signed-off-by: Antony Antony <[email protected]>
---
 programs/pluto/connections.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index b1333e3..c44b9e9 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -4112,11 +4112,12 @@ void show_one_connection(const struct connection *c)
 strcpy(markstr, "unset");
 whack_log(RC_COMMENT,
- "\"%s\"%s: nflog-group: %s; mark: %s; vti-iface:%s; vti-routing:%s; vti-shared:%s;",
+ "\"%s\"%s: nflog-group: %s; mark: %s; vti-iface:%s; vti-routing:%s; vti-shared:%s;%s",
 c->name, instance, nflogstr, markstr,
 c->vti_iface == NULL ? "unset" : c->vti_iface,
 c->vti_routing ? "yes" : "no",
- c->vti_shared ? "yes" : "no"
+ c->vti_shared ? "yes" : "no",
+ c->nic_offload ? " nic-offload:yes;" : ""
 );
 {
--
2.4.11
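Review bot: The new `nic-offload` field in the status line is emitted only when it is set (`c->nic_offload ? " nic-offload:yes;" : ""`), whereas `vti-routing` and `vti-shared` on the preceding lines are always printed as `yes` or `no`. Keeping the same shape lets an operator or a status parser see at a glance that offload is off rather than having to notice a missing token, and avoids the conditional leading space in the format. I would change the format to `"... vti-shared:%s; nic-offload:%s;"` and the argument to `c->nic_offload ? "yes" : "no"`. show_one_connection's body continues outside the hunk.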
>From 32397e06ab415b26cf7798b6ece5b653c5076614 Mon Sep 17 00:00:00 2001
From: Antony Antony <[email protected]>
Date: Wed, 29 Jun 2017 10:03:39 +0200
Subject: [PATCH 3/3] whack: add option --nic-offload
Signed-off-by: Antony Antony <[email protected]>
---
 programs/whack/whack.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 8bae96d..9157fc6 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -129,6 +129,7 @@ static void help(void)
 " [--initiateontraffic | --pass | --drop | --reject] \\\n"
 " [--failnone | --failpass | --faildrop | --failreject] \\\n"
 " [--negopass ] \\\n"
+ " [--nic-offload ] \\\n"
 " --to\n"
 "\n"
 "routing: whack (--route | --unroute) --name <connection_name>\n"
@@ -421,6 +422,7 @@ enum option_enums {
 CD_XAUTHBY,
 CD_XAUTHFAIL,
 CD_ESP,
+ CD_NIC_OFFLOAD,
 # define CD_LAST CD_ESP /* last connection description */
 /*
@@ -673,6 +675,7 @@ static const struct option long_opts[] = {
 { "pfsgroup", required_argument, NULL, CD_PFSGROUP + OO },
 { "esp", required_argument, NULL, CD_ESP + OO },
 { "remote_peer_type", required_argument, NULL, CD_REMOTEPEERTYPE + OO },
+ { "nic-offload", no_argument, NULL, CD_NIC_OFFLOAD + OO},
 PS("ikev1-allow", IKEV1_ALLOW),
@@ -1694,6 +1697,10 @@ int main(int argc, char **argv)
 diag("--encaps options are 'auto', 'yes' or 'no'");
 continue;
+ case CD_NIC_OFFLOAD: /* --nic-offload */
+ msg.nic_offload = TRUE;
+ continue;
+
 case CD_NO_NAT_KEEPALIVE: /* --no-nat_keepalive */
 msg.nat_keepalive = FALSE;
 continue;
--
2.4.11
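Review bot: In the `enum option_enums` hunk, `CD_NIC_OFFLOAD` is appended after `CD_ESP`, but the line immediately below, `# define CD_LAST CD_ESP /* last connection description */`, is left pointing at `CD_ESP`, so the new enumerator sits outside the range that CD_LAST bounds and whatever bookkeeping in whack keys off "last connection description" will not treat `--nic-offload` as a connection option (that code is outside the hunk, so I am inferring from the comment). Either insert `CD_NIC_OFFLOAD,` before `CD_ESP,` or update the macro to `# define CD_LAST CD_NIC_OFFLOAD`. In the long_opts hunk the new entry `{ "nic-offload", no_argument, NULL, CD_NIC_OFFLOAD + OO},` also drops the space before the closing brace that every neighbouring entry has; `CD_NIC_OFFLOAD + OO },` matches the table. The `case CD_NIC_OFFLOAD:` addition in main() is fine as written; main continues outside the hunk.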
