From 466a71a2b97c575ebc0cab4e2af94b00e83c2218 Mon Sep 17 00:00:00 2001
From: Siva Eluri <eluris@google.com>
Date: Fri, 3 Nov 2023 12:05:09 -0700
Subject: [PATCH] Revert SFE ESP changes
Change-Id: Ib5816fc4cc80ac8d1b6219d35871298c7bd5b409
---
qca-nss-sfe/Makefile | 4 +-
qca-nss-sfe/sfe.c | 6 -
qca-nss-sfe/sfe_ipv4.c | 31 +---
qca-nss-sfe/sfe_ipv4.h | 4 -
qca-nss-sfe/sfe_ipv4_esp.c | 295 -------------------------------------
qca-nss-sfe/sfe_ipv4_esp.h | 21 ---
qca-nss-sfe/sfe_ipv6.c | 29 +---
qca-nss-sfe/sfe_ipv6.h | 4 -
qca-nss-sfe/sfe_ipv6_esp.c | 275 ----------------------------------
qca-nss-sfe/sfe_ipv6_esp.h | 21 ---
10 files changed, 5 insertions(+), 685 deletions(-)
delete mode 100644 qca-nss-sfe/sfe_ipv4_esp.c
delete mode 100644 qca-nss-sfe/sfe_ipv4_esp.h
delete mode 100644 qca-nss-sfe/sfe_ipv6_esp.c
delete mode 100644 qca-nss-sfe/sfe_ipv6_esp.h
diff --git a/qca-nss-sfe/Makefile b/qca-nss-sfe/Makefile
index 6ac42d3..d52146c 100644
--- a/qca-nss-sfe/Makefile
+++ b/qca-nss-sfe/Makefile
@@ -5,8 +5,8 @@
KERNELVERSION := $(word 1, $(subst ., ,$(KERNELVERSION))).$(word 2, $(subst ., ,$(KERNELVERSION)))
SFE_BASE_OBJS := sfe.o sfe_init.o
-SFE_IPV4_OBJS := sfe_ipv4.o sfe_ipv4_udp.o sfe_ipv4_tcp.o sfe_ipv4_icmp.o sfe_ipv4_esp.o
-SFE_IPV6_OBJS := sfe_ipv6.o sfe_ipv6_udp.o sfe_ipv6_tcp.o sfe_ipv6_icmp.o sfe_ipv6_tunipip6.o sfe_ipv6_esp.o
+SFE_IPV4_OBJS := sfe_ipv4.o sfe_ipv4_udp.o sfe_ipv4_tcp.o sfe_ipv4_icmp.o
+SFE_IPV6_OBJS := sfe_ipv6.o sfe_ipv6_udp.o sfe_ipv6_tcp.o sfe_ipv6_icmp.o sfe_ipv6_tunipip6.o
SFE_PPPOE_OBJS := sfe_pppoe.o
diff --git a/qca-nss-sfe/sfe.c b/qca-nss-sfe/sfe.c
index 8bc387c..b352e9a 100644
--- a/qca-nss-sfe/sfe.c
+++ b/qca-nss-sfe/sfe.c
@@ -680,9 +680,6 @@ sfe_tx_status_t sfe_create_ipv4_rule_msg(struct sfe_ctx_instance_internal *sfe_c
case IPPROTO_GRE:
break;
- case IPPROTO_ESP:
- break;
-
default:
ret = SFE_CMN_RESPONSE_EMSG;
sfe_incr_exceptions(SFE_EXCEPTION_PROTOCOL_NOT_SUPPORT);
@@ -1051,9 +1048,6 @@ sfe_tx_status_t sfe_create_ipv6_rule_msg(struct sfe_ctx_instance_internal *sfe_c
case IPPROTO_GRE:
break;
- case IPPROTO_ESP:
- break;
-
default:
ret = SFE_CMN_RESPONSE_EMSG;
sfe_incr_exceptions(SFE_EXCEPTION_PROTOCOL_NOT_SUPPORT);
diff --git a/qca-nss-sfe/sfe_ipv4.c b/qca-nss-sfe/sfe_ipv4.c
index 48eec72..aeb9a42 100644
--- a/qca-nss-sfe/sfe_ipv4.c
+++ b/qca-nss-sfe/sfe_ipv4.c
@@ -45,7 +45,6 @@
#include "sfe_ipv4_icmp.h"
#include "sfe_pppoe.h"
#include "sfe_ipv4_gre.h"
-#include "sfe_ipv4_esp.h"
static char *sfe_ipv4_exception_events_string[SFE_IPV4_EXCEPTION_EVENT_LAST] = {
"UDP_HEADER_INCOMPLETE",
@@ -96,10 +95,6 @@ static char *sfe_ipv4_exception_events_string[SFE_IPV4_EXCEPTION_EVENT_LAST] = {
"GRE_IP_OPTIONS_OR_INITIAL_FRAGMENT",
"GRE_SMALL_TTL",
"GRE_NEEDS_FRAGMENTATION",
- "ESP_NO_CONNECTION",
- "ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT",
- "ESP_NEEDS_FRAGMENTATION",
- "ESP_SMALL_TTL"
};
static struct sfe_ipv4 __si;
@@ -876,10 +871,6 @@ int sfe_ipv4_recv(struct net_device *dev, struct sk_buff *skb, struct sfe_l2_inf
return sfe_ipv4_recv_tcp(si, skb, dev, len, iph, ihl, sync_on_find, l2_info);
}
- if (IPPROTO_ESP == protocol) {
- return sfe_ipv4_recv_esp(si, skb, dev, len, iph, ihl, sync_on_find, tun_outer);
- }
-
if (IPPROTO_ICMP == protocol) {
return sfe_ipv4_recv_icmp(si, skb, dev, len, iph, ihl);
}
@@ -1279,8 +1270,7 @@ int sfe_ipv4_create_rule(struct sfe_ipv4_rule_create_msg *msg)
}
}
- if (((IPPROTO_GRE == tuple->protocol) || (IPPROTO_ESP == tuple->protocol)) &&
- !sfe_ipv4_is_local_ip(si, original_cm->match_dest_ip)) {
+ if ((IPPROTO_GRE == tuple->protocol) && !sfe_ipv4_is_local_ip(si, original_cm->match_dest_ip)) {
original_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_PASSTHROUGH;
}
@@ -1460,8 +1450,7 @@ int sfe_ipv4_create_rule(struct sfe_ipv4_rule_create_msg *msg)
reply_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT_DEV_ADMISSION;
}
- if (((IPPROTO_GRE == tuple->protocol) || (IPPROTO_ESP == tuple->protocol)) &&
- !sfe_ipv4_is_local_ip(si, reply_cm->match_dest_ip)) {
+ if ((IPPROTO_GRE == tuple->protocol) && !sfe_ipv4_is_local_ip(si, reply_cm->match_dest_ip)) {
reply_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_PASSTHROUGH;
}
@@ -1571,22 +1560,6 @@ int sfe_ipv4_create_rule(struct sfe_ipv4_rule_create_msg *msg)
}
#endif
- if ((IPPROTO_ESP == tuple->protocol) && !(reply_cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_PASSTHROUGH)) {
- rcu_read_lock();
- reply_cm->proto = rcu_dereference(inet_protos[IPPROTO_ESP]);
- rcu_read_unlock();
-
- if (unlikely(!reply_cm->proto)) {
- kfree(reply_cm);
- kfree(original_cm);
- kfree(c);
- dev_put(src_dev);
- dev_put(dest_dev);
- DEBUG_WARN("sfe: ESP proto handler is not registered\n");
- return -EPERM;
- }
- }
-
#ifdef CONFIG_NF_FLOW_COOKIE
reply_cm->flow_cookie = 0;
#endif
diff --git a/qca-nss-sfe/sfe_ipv4.h b/qca-nss-sfe/sfe_ipv4.h
index fcbc09b..4e8169b 100644
--- a/qca-nss-sfe/sfe_ipv4.h
+++ b/qca-nss-sfe/sfe_ipv4.h
@@ -288,10 +288,6 @@ enum sfe_ipv4_exception_events {
SFE_IPV4_EXCEPTION_EVENT_GRE_IP_OPTIONS_OR_INITIAL_FRAGMENT,
SFE_IPV4_EXCEPTION_EVENT_GRE_SMALL_TTL,
SFE_IPV4_EXCEPTION_EVENT_GRE_NEEDS_FRAGMENTATION,
- SFE_IPV4_EXCEPTION_EVENT_ESP_NO_CONNECTION,
- SFE_IPV4_EXCEPTION_EVENT_ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT,
- SFE_IPV4_EXCEPTION_EVENT_ESP_NEEDS_FRAGMENTATION,
- SFE_IPV4_EXCEPTION_EVENT_ESP_SMALL_TTL,
SFE_IPV4_EXCEPTION_EVENT_LAST
};
diff --git a/qca-nss-sfe/sfe_ipv4_esp.c b/qca-nss-sfe/sfe_ipv4_esp.c
deleted file mode 100644
index f0b4941..0000000
--- a/qca-nss-sfe/sfe_ipv4_esp.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * sfe_ipv4_esp.c
- * Shortcut forwarding engine - IPv4 ESP implementation
- *
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <linux/skbuff.h>
-#include <net/protocol.h>
-#include <net/ip.h>
-#include <linux/etherdevice.h>
-#include <linux/lockdep.h>
-
-#include "sfe_debug.h"
-#include "sfe_api.h"
-#include "sfe.h"
-#include "sfe_flow_cookie.h"
-#include "sfe_ipv4.h"
-#include "sfe_ipv4_esp.h"
-
-/*
- * sfe_ipv4_recv_esp()
- * Handle ESP packet receives and forwarding
- */
-int sfe_ipv4_recv_esp(struct sfe_ipv4 *si, struct sk_buff *skb, struct net_device *dev,
- unsigned int len, struct iphdr *iph, unsigned int ihl,
- bool sync_on_find, bool tun_outer)
-{
- struct sfe_ipv4_connection_match *cm;
- struct net_device *xmit_dev;
- struct net_protocol *ipprot;
- netdev_features_t features;
- bool passthrough;
- bool bridge_flow;
- bool fast_xmit;
- bool hw_csum;
- __be32 src_ip;
- __be32 dest_ip;
- bool ret;
- u8 ttl;
-
- /*
- * Read the IP address from the iphdr, and set the src/dst ports to 0.
- */
- src_ip = iph->saddr;
- dest_ip = iph->daddr;
- rcu_read_lock();
-
- /*
- * Look for a connection match.
- */
-#ifdef CONFIG_NF_FLOW_COOKIE
- cm = si->sfe_flow_cookie_table[skb->flow_cookie & SFE_FLOW_COOKIE_MASK].match;
- if (unlikely(!cm)) {
- cm = sfe_ipv4_find_ipv4_connection_match_rcu(si, dev, IPPROTO_ESP, src_ip, 0, dest_ip, 0);
- }
-#else
- cm = sfe_ipv4_find_connection_match_rcu(si, dev, IPPROTO_ESP, src_ip, 0, dest_ip, 0);
-#endif
- if (unlikely(!cm)) {
- rcu_read_unlock();
- sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_ESP_NO_CONNECTION);
- DEBUG_TRACE("no connection found for esp packet\n");
- return 0;
- }
-
- /*
- * Source interface validate.
- */
- if (unlikely((cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
- struct sfe_ipv4_connection *c = cm->connection;
- int ret;
-
- spin_lock_bh(&si->lock);
- ret = sfe_ipv4_remove_connection(si, c);
- spin_unlock_bh(&si->lock);
-
- if (ret) {
- sfe_ipv4_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
- }
- rcu_read_unlock();
- sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_INVALID_SRC_IFACE);
- DEBUG_TRACE("flush on wrong source interface check failure\n");
- return 0;
- }
-
- passthrough = cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_PASSTHROUGH;
- bridge_flow = !!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_BRIDGE_FLOW);
-
- /*
- * If our packet has been marked as "sync on find" we can't actually
- * forward it in the fast path, but now that we've found an associated
- * connection we need sync its status before exception it to slow path unless
- * it is passthrough (packets not directed to DUT) packet.
- * TODO: revisit to ensure that pass through traffic is not bypassing firewall for fragmented cases
- */
- if (unlikely(sync_on_find) && !passthrough) {
- sfe_ipv4_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS);
- rcu_read_unlock();
- sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT);
- DEBUG_TRACE("%px: sfe: sync on find\n", cm);
- return 0;
- }
-
- /*
- * Check if skb was cloned. If it was, unshare it.
- */
- if (unlikely(skb_cloned(skb))) {
- DEBUG_TRACE("%px: skb is a cloned skb\n", skb);
- skb = skb_unshare(skb, GFP_ATOMIC);
- if (!skb) {
- DEBUG_WARN("Failed to unshare the cloned skb\n");
- rcu_read_unlock();
- return 0;
- }
-
- /*
- * Update the iphdr pointer with the unshared skb's data area.
- */
- iph = (struct iphdr *)skb->data;
- }
-
- /*
- * Enable HW csum if rx checksum is verified and xmit interface is CSUM offload capable.
- */
- hw_csum = !!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_CSUM_OFFLOAD) && (skb->ip_summed == CHECKSUM_UNNECESSARY);
-
- /*
- * proto decap packet.
- * Invoke the inet_protocol handler for delivery of the packet.
- */
- ipprot = rcu_dereference(cm->proto);
- if (likely(ipprot)) {
- skb_reset_network_header(skb);
- skb_pull(skb, ihl);
- skb_reset_transport_header(skb);
- xmit_dev = cm->xmit_dev;
- skb->dev = xmit_dev;
-
- ret = ipprot->handler(skb);
- if (ret) {
- rcu_read_unlock();
- this_cpu_inc(si->stats_pcpu->packets_not_forwarded64);
- DEBUG_TRACE("ESP handler returned error %u\n", ret);
- return 0;
- }
-
- /*
- * Update traffic stats.
- */
- atomic_inc(&cm->rx_packet_count);
- atomic_add(len, &cm->rx_byte_count);
-
- rcu_read_unlock();
- this_cpu_inc(si->stats_pcpu->packets_forwarded64);
- return 1;
- }
-
- /*
- * esp passthrough / ip local out scenarios.
- */
- /*
- * If our packet is larger than the MTU of the transmit interface then
- * we can't forward it easily.
- */
- if (unlikely(len > cm->xmit_dev_mtu)) {
- sfe_ipv4_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS);
- rcu_read_unlock();
- sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_ESP_NEEDS_FRAGMENTATION);
- DEBUG_TRACE("%px: sfe: larger than MTU\n", cm);
- return 0;
- }
-
- /*
- * need to ensure that TTL is >=2.
- */
- ttl = iph->ttl;
- if (!bridge_flow && (ttl < 2) && passthrough) {
- sfe_ipv4_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS);
- rcu_read_unlock();
-
- DEBUG_TRACE("%px: sfe: TTL too low\n", skb);
- sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_ESP_SMALL_TTL);
- return 0;
- }
-
- /*
- * decrement TTL by 1.
- */
- iph->ttl = (ttl - (u8)(!bridge_flow && !tun_outer));
-
- /*
- * Update DSCP
- */
- if (unlikely(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_DSCP_REMARK)) {
- iph->tos = (iph->tos & SFE_IPV4_DSCP_MASK) | cm->dscp;
- }
-
- /*
- * Replace the IP checksum.
- */
- if (likely(hw_csum)) {
- skb->ip_summed = CHECKSUM_PARTIAL;
- } else {
- iph->check = sfe_ipv4_gen_ip_csum(iph);
- }
-
- /*
- * Update traffic stats.
- */
- atomic_inc(&cm->rx_packet_count);
- atomic_add(len, &cm->rx_byte_count);
-
- xmit_dev = cm->xmit_dev;
- skb->dev = xmit_dev;
-
- /*
- * write the layer - 2 header.
- */
- if (likely(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_WRITE_L2_HDR)) {
- if (unlikely(!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_WRITE_FAST_ETH_HDR))) {
- dev_hard_header(skb, xmit_dev, ETH_P_IP, cm->xmit_dest_mac, cm->xmit_src_mac, len);
- } else {
- /*
- * For the simple case we write this really fast.
- */
- struct ethhdr *eth = (struct ethhdr *)__skb_push(skb, ETH_HLEN);
- eth->h_proto = htons(ETH_P_IP);
- ether_addr_copy((u8 *)eth->h_dest, (u8 *)cm->xmit_dest_mac);
- ether_addr_copy((u8 *)eth->h_source, (u8 *)cm->xmit_src_mac);
- }
- }
-
- /*
- * Update priority of skb
- */
- if (unlikely(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_PRIORITY_REMARK)) {
- skb->priority = cm->priority;
- }
-
- /*
- * Mark outgoing packet.
- */
- if (unlikely(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_MARK)) {
- skb->mark = cm->mark;
- }
-
- /*
- * For the first packets, check if it could got fast xmit.
- */
- if (unlikely(!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT_FLOW_CHECKED)
- && (cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT_DEV_ADMISSION))){
- cm->features = netif_skb_features(skb);
- if (likely(sfe_fast_xmit_check(skb, cm->features))) {
- cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT;
- }
- cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT_FLOW_CHECKED;
- }
-
- features = cm->features;
- fast_xmit = !!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT);
-
- rcu_read_unlock();
- this_cpu_inc(si->stats_pcpu->packets_forwarded64);
- prefetch(skb_shinfo(skb));
-
- /*
- * We do per packet condition check before we could fast xmit the
- * packet.
- */
- if (likely(fast_xmit && dev_fast_xmit(skb, xmit_dev, features))) {
- this_cpu_inc(si->stats_pcpu->packets_fast_xmited64);
- return 1;
- }
-
- /*
- * Mark that this packet has been fast forwarded.
- */
- skb->fast_forwarded = 1;
-
- dev_queue_xmit(skb);
- return 1;
-}
diff --git a/qca-nss-sfe/sfe_ipv4_esp.h b/qca-nss-sfe/sfe_ipv4_esp.h
deleted file mode 100644
index f889605..0000000
--- a/qca-nss-sfe/sfe_ipv4_esp.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * sfe_ipv4_esp.h
- * Shortcut forwarding engine - IPv4 ESP header file
- *
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-int sfe_ipv4_recv_esp(struct sfe_ipv4 *si, struct sk_buff *skb, struct net_device *dev, unsigned int len,
- struct iphdr *iph, unsigned int ihl, bool sync_on_find, bool tun_outer);
diff --git a/qca-nss-sfe/sfe_ipv6.c b/qca-nss-sfe/sfe_ipv6.c
index 9b9539f..372d9fb 100644
--- a/qca-nss-sfe/sfe_ipv6.c
+++ b/qca-nss-sfe/sfe_ipv6.c
@@ -46,7 +46,6 @@
#include "sfe_pppoe.h"
#include "sfe_ipv6_tunipip6.h"
#include "sfe_ipv6_gre.h"
-#include "sfe_ipv6_esp.h"
#define sfe_ipv6_addr_copy(src, dest) memcpy((void *)(dest), (void *)(src), 16)
@@ -105,10 +104,6 @@ static char *sfe_ipv6_exception_events_string[SFE_IPV6_EXCEPTION_EVENT_LAST] = {
"GRE_IP_OPTIONS_OR_INITIAL_FRAGMENT",
"GRE_SMALL_TTL",
"GRE_NEEDS_FRAGMENTATION",
- "ESP_NO_CONNECTION",
- "ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT",
- "ESP_NEEDS_FRAGMENTATION",
- "ESP_SMALL_TTL"
};
static struct sfe_ipv6 __si6;
@@ -868,10 +863,6 @@ int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb, struct sfe_l2_inf
return sfe_ipv6_recv_tcp(si, skb, dev, len, iph, ihl, sync_on_find, l2_info);
}
- if (IPPROTO_ESP == next_hdr) {
- return sfe_ipv6_recv_esp(si, skb, dev, len, iph, ihl, sync_on_find, tun_outer);
- }
-
if (IPPROTO_ICMPV6 == next_hdr) {
return sfe_ipv6_recv_icmp(si, skb, dev, len, iph, ihl);
}
@@ -1547,7 +1538,7 @@ int sfe_ipv6_create_rule(struct sfe_ipv6_rule_create_msg *msg)
#ifdef SFE_GRE_TUN_ENABLE
if ((IPPROTO_GRE == tuple->protocol) && !(reply_cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_PASSTHROUGH)) {
rcu_read_lock();
- reply_cm->proto = rcu_dereference(inet6_protos[IPPROTO_GRE]);
+ reply_cm->proto = rcu_dereference(inet6_protos[tuple->protocol]);
rcu_read_unlock();
if (unlikely(!reply_cm->proto)) {
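Review bot: The added line indexes `inet6_protos[]` with `tuple->protocol`, which presumably originates in the rule-create message, where the line it replaces used the constant. Under the `IPPROTO_GRE == tuple->protocol` guard the two values are identical, so behaviour does not change, but the array index is then only as safe as that guard; I would keep `reply_cm->proto = rcu_dereference(inet6_protos[IPPROTO_GRE]);` even in the revert. Separately, the dereferenced pointer is stored in `reply_cm->proto` and tested after `rcu_read_unlock()`, so its validity appears to rely on the GRE handler staying registered for the life of the connection; a comment such as `/* proto is cached past the RCU section; assumes the GRE handler is never unregistered while rules exist */` would make that assumption explicit. The body of sfe_ipv6_create_rule starts and ends outside this hunk.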
@@ -1564,24 +1555,6 @@ int sfe_ipv6_create_rule(struct sfe_ipv6_rule_create_msg *msg)
}
#endif
- if ((IPPROTO_ESP == tuple->protocol) && !(reply_cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_PASSTHROUGH)) {
- rcu_read_lock();
- reply_cm->proto = rcu_dereference(inet6_protos[IPPROTO_ESP]);
- rcu_read_unlock();
-
- if (unlikely(!reply_cm->proto)) {
- this_cpu_inc(si->stats_pcpu->connection_create_failures64);
- spin_unlock_bh(&si->lock);
- kfree(reply_cm);
- kfree(original_cm);
- kfree(c);
- dev_put(src_dev);
- dev_put(dest_dev);
- DEBUG_WARN("sfe: ESP proto handler is not registered\n");
- return -EPERM;
- }
- }
-
/*
* Decapsulation path have proto set.
* This is used to differentiate de/encap, and call protocol specific handler.
diff --git a/qca-nss-sfe/sfe_ipv6.h b/qca-nss-sfe/sfe_ipv6.h
index f9a33f8..9c78f1c 100644
--- a/qca-nss-sfe/sfe_ipv6.h
+++ b/qca-nss-sfe/sfe_ipv6.h
@@ -307,10 +307,6 @@ enum sfe_ipv6_exception_events {
SFE_IPV6_EXCEPTION_EVENT_GRE_IP_OPTIONS_OR_INITIAL_FRAGMENT,
SFE_IPV6_EXCEPTION_EVENT_GRE_SMALL_TTL,
SFE_IPV6_EXCEPTION_EVENT_GRE_NEEDS_FRAGMENTATION,
- SFE_IPV6_EXCEPTION_EVENT_ESP_NO_CONNECTION,
- SFE_IPV6_EXCEPTION_EVENT_ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT,
- SFE_IPV6_EXCEPTION_EVENT_ESP_NEEDS_FRAGMENTATION,
- SFE_IPV6_EXCEPTION_EVENT_ESP_SMALL_TTL,
SFE_IPV6_EXCEPTION_EVENT_LAST
};
diff --git a/qca-nss-sfe/sfe_ipv6_esp.c b/qca-nss-sfe/sfe_ipv6_esp.c
deleted file mode 100644
index 7a152e8..0000000
--- a/qca-nss-sfe/sfe_ipv6_esp.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * sfe_ipv6_esp.c
- * Shortcut forwarding engine - IPv6 ESP implementation
- *
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <linux/skbuff.h>
-#include <net/protocol.h>
-#include <net/ip6_checksum.h>
-#include <linux/etherdevice.h>
-#include <linux/version.h>
-
-#include "sfe_debug.h"
-#include "sfe_api.h"
-#include "sfe.h"
-#include "sfe_flow_cookie.h"
-#include "sfe_ipv6.h"
-#include "sfe_ipv6_esp.h"
-
-/*
- * sfe_ipv6_recv_esp()
- * Handle ESP packet receives and forwarding
- */
-int sfe_ipv6_recv_esp(struct sfe_ipv6 *si, struct sk_buff *skb, struct net_device *dev,
- unsigned int len, struct ipv6hdr *iph, unsigned int ihl,
- bool sync_on_find, bool tun_outer)
-{
- struct sfe_ipv6_connection_match *cm;
- struct sfe_ipv6_addr *src_ip;
- struct sfe_ipv6_addr *dest_ip;
- struct net_device *xmit_dev;
- struct inet6_protocol *ipprot;
- netdev_features_t features;
- bool bridge_flow;
- bool passthrough;
- bool fast_xmit;
- bool ret;
-
- /*
- * Read the IP address from the iphdr, and set the src/dst ports to 0.
- */
- src_ip = (struct sfe_ipv6_addr *)iph->saddr.s6_addr32;
- dest_ip = (struct sfe_ipv6_addr *)iph->daddr.s6_addr32;
- rcu_read_lock();
-
- /*
- * Look for a connection match.
- */
-#ifdef CONFIG_NF_FLOW_COOKIE
- cm = si->sfe_flow_cookie_table[skb->flow_cookie & SFE_FLOW_COOKIE_MASK].match;
- if (unlikely(!cm)) {
- cm = sfe_ipv6_find_connection_match_rcu(si, dev, IPPROTO_ESP, src_ip, 0, dest_ip, 0);
- }
-#else
- cm = sfe_ipv6_find_connection_match_rcu(si, dev, IPPROTO_ESP, src_ip, 0, dest_ip, 0);
-#endif
- if (unlikely(!cm)) {
- rcu_read_unlock();
- sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_ESP_NO_CONNECTION);
-
- DEBUG_TRACE("no connection found for esp packet\n");
- return 0;
- }
-
- /*
- * Source interface validate.
- */
- if (unlikely((cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
- struct sfe_ipv6_connection *c = cm->connection;
- int ret;
-
- spin_lock_bh(&si->lock);
- ret = sfe_ipv6_remove_connection(si, c);
- spin_unlock_bh(&si->lock);
-
- if (ret) {
- sfe_ipv6_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
- }
- rcu_read_unlock();
- sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_INVALID_SRC_IFACE);
- DEBUG_TRACE("flush on wrong source interface check failure\n");
- return 0;
- }
-
- passthrough = cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_PASSTHROUGH;
- bridge_flow = !!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_BRIDGE_FLOW);
-
- /*
- * If our packet has beern marked as "sync on find" we can't actually
- * forward it in the fast path, but now that we've found an associated
- * connection we need sync its status before exception it to slow path. unless
- * it is passthrough packet.
- * TODO: revisit to ensure that pass through traffic is not bypassing firewall for fragmented cases
- */
- if (unlikely(sync_on_find) && !passthrough) {
- sfe_ipv6_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS);
- rcu_read_unlock();
-
- sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT);
- DEBUG_TRACE("Sync on find\n");
- return 0;
- }
-
- /*
- * Check if skb was cloned. If it was, unshare it.
- */
- if (unlikely(skb_cloned(skb))) {
- DEBUG_TRACE("%px: skb is a cloned skb\n", skb);
- skb = skb_unshare(skb, GFP_ATOMIC);
- if (!skb) {
- DEBUG_WARN("Failed to unshare the cloned skb\n");
- rcu_read_unlock();
- return 0;
- }
-
- /*
- * Update the iphdr pointer with the unshared skb's data area.
- */
- iph = (struct ipv6hdr *)skb->data;
- }
-
- /*
- * proto decap packet.
- * Invoke the inet_protocol handler for delivery of the packet.
- */
- ipprot = rcu_dereference(cm->proto);
- if (likely(ipprot)) {
- skb_reset_network_header(skb);
- skb_pull(skb, ihl);
- skb_reset_transport_header(skb);
- xmit_dev = cm->xmit_dev;
- skb->dev = xmit_dev;
-
- ret = ipprot->handler(skb);
- if (ret) {
- rcu_read_unlock();
- this_cpu_inc(si->stats_pcpu->packets_not_forwarded64);
- DEBUG_TRACE("ESP handler returned error %u\n", ret);
- return 0;
- }
-
- rcu_read_unlock();
- this_cpu_inc(si->stats_pcpu->packets_forwarded64);
- return 1;
- }
-
- /*
- * esp passthrough / ip local out scenarios
- */
- /*
- * If our packet is larger than the MTU of the transmit interface then
- * we can't forward it easily.
- */
- if (unlikely(len > cm->xmit_dev_mtu)) {
- sfe_ipv6_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS);
- rcu_read_unlock();
-
- sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_ESP_NEEDS_FRAGMENTATION);
- DEBUG_TRACE("Larger than MTU\n");
- return 0;
- }
-
- /*
- * need to ensure that TTL is >=2.
- */
- if (!bridge_flow && (iph->hop_limit < 2) && passthrough) {
- sfe_ipv6_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS);
- rcu_read_unlock();
-
- sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_ESP_SMALL_TTL);
- DEBUG_TRACE("hop_limit too low\n");
- return 0;
- }
-
- /*
- * decrement TTL by 1.
- */
- iph->hop_limit = iph->hop_limit - (u8)(!bridge_flow && !tun_outer);
-
- /*
- * Update DSCP
- */
- if (unlikely(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_DSCP_REMARK)) {
- sfe_ipv6_change_dsfield(iph, cm->dscp);
- }
-
- /*
- * Update traffic stats.
- */
- atomic_inc(&cm->rx_packet_count);
- atomic_add(len, &cm->rx_byte_count);
-
- xmit_dev = cm->xmit_dev;
- skb->dev = xmit_dev;
-
- /*
- * write the layer - 2 header.
- */
- if (likely(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_WRITE_L2_HDR)) {
- if (unlikely(!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_WRITE_FAST_ETH_HDR))) {
- dev_hard_header(skb, xmit_dev, ETH_P_IPV6, cm->xmit_dest_mac, cm->xmit_src_mac, len);
- } else {
- /*
- * For the simple case we write this really fast.
- */
- struct ethhdr *eth = (struct ethhdr *)__skb_push(skb, ETH_HLEN);
- eth->h_proto = htons(ETH_P_IPV6);
- ether_addr_copy((u8 *)eth->h_dest, (u8 *)cm->xmit_dest_mac);
- ether_addr_copy((u8 *)eth->h_source, (u8 *)cm->xmit_src_mac);
- }
- }
-
- /*
- * Update priority of skb.
- */
- if (unlikely(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_PRIORITY_REMARK)) {
- skb->priority = cm->priority;
- }
-
- /*
- * Mark outgoing packet.
- */
- if (unlikely(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_MARK)) {
- skb->mark = cm->mark;
- }
-
- /*
- * For the first packets, check if it could got fast xmit.
- */
- if (unlikely(!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT_FLOW_CHECKED)
- && (cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT_DEV_ADMISSION))){
- cm->features = netif_skb_features(skb);
- if (likely(sfe_fast_xmit_check(skb, cm->features))) {
- cm->flags |= SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT;
- }
- cm->flags |= SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT_FLOW_CHECKED;
- }
-
- features = cm->features;
- fast_xmit = !!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT);
-
- rcu_read_unlock();
- this_cpu_inc(si->stats_pcpu->packets_forwarded64);
- prefetch(skb_shinfo(skb));
-
- /*
- * We do per packet condition check before we could fast xmit the
- * packet.
- */
- if (likely(fast_xmit && dev_fast_xmit(skb, xmit_dev, features))) {
- this_cpu_inc(si->stats_pcpu->packets_fast_xmited64);
- return 1;
- }
-
- /*
- * Mark that this packet has been fast forwarded.
- */
- skb->fast_forwarded = 1;
-
- dev_queue_xmit(skb);
- return 1;
-}
diff --git a/qca-nss-sfe/sfe_ipv6_esp.h b/qca-nss-sfe/sfe_ipv6_esp.h
deleted file mode 100644
index 2870670..0000000
--- a/qca-nss-sfe/sfe_ipv6_esp.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * sfe_ipv6_esp.h
- * Shortcut forwarding engine - IPv6 ESP header file
- *
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-int sfe_ipv6_recv_esp(struct sfe_ipv6 *si, struct sk_buff *skb, struct net_device *dev, unsigned int len,
- struct ipv6hdr *iph, unsigned int ihl, bool sync_on_find, bool tun_outer);
--
2.42.0.869.gea05f2083d-goog