| From 466a71a2b97c575ebc0cab4e2af94b00e83c2218 Mon Sep 17 00:00:00 2001 |
| From: Siva Eluri <eluris@google.com> |
| Date: Fri, 3 Nov 2023 12:05:09 -0700 |
| Subject: [PATCH] Revert SFE ESP changes |
| |
| Change-Id: Ib5816fc4cc80ac8d1b6219d35871298c7bd5b409 |
| --- |
| qca-nss-sfe/Makefile | 4 +- |
| qca-nss-sfe/sfe.c | 6 - |
| qca-nss-sfe/sfe_ipv4.c | 31 +--- |
| qca-nss-sfe/sfe_ipv4.h | 4 - |
| qca-nss-sfe/sfe_ipv4_esp.c | 295 ------------------------------------- |
| qca-nss-sfe/sfe_ipv4_esp.h | 21 --- |
| qca-nss-sfe/sfe_ipv6.c | 29 +--- |
| qca-nss-sfe/sfe_ipv6.h | 4 - |
| qca-nss-sfe/sfe_ipv6_esp.c | 275 ---------------------------------- |
| qca-nss-sfe/sfe_ipv6_esp.h | 21 --- |
| 10 files changed, 5 insertions(+), 685 deletions(-) |
| delete mode 100644 qca-nss-sfe/sfe_ipv4_esp.c |
| delete mode 100644 qca-nss-sfe/sfe_ipv4_esp.h |
| delete mode 100644 qca-nss-sfe/sfe_ipv6_esp.c |
| delete mode 100644 qca-nss-sfe/sfe_ipv6_esp.h |
| |
| diff --git a/qca-nss-sfe/Makefile b/qca-nss-sfe/Makefile |
| index 6ac42d3..d52146c 100644 |
| --- a/qca-nss-sfe/Makefile |
| +++ b/qca-nss-sfe/Makefile |
| @@ -5,8 +5,8 @@ |
| KERNELVERSION := $(word 1, $(subst ., ,$(KERNELVERSION))).$(word 2, $(subst ., ,$(KERNELVERSION))) |
| |
| SFE_BASE_OBJS := sfe.o sfe_init.o |
| -SFE_IPV4_OBJS := sfe_ipv4.o sfe_ipv4_udp.o sfe_ipv4_tcp.o sfe_ipv4_icmp.o sfe_ipv4_esp.o |
| -SFE_IPV6_OBJS := sfe_ipv6.o sfe_ipv6_udp.o sfe_ipv6_tcp.o sfe_ipv6_icmp.o sfe_ipv6_tunipip6.o sfe_ipv6_esp.o |
| +SFE_IPV4_OBJS := sfe_ipv4.o sfe_ipv4_udp.o sfe_ipv4_tcp.o sfe_ipv4_icmp.o |
| +SFE_IPV6_OBJS := sfe_ipv6.o sfe_ipv6_udp.o sfe_ipv6_tcp.o sfe_ipv6_icmp.o sfe_ipv6_tunipip6.o |
| SFE_PPPOE_OBJS := sfe_pppoe.o |
| |
| |
| diff --git a/qca-nss-sfe/sfe.c b/qca-nss-sfe/sfe.c |
| index 8bc387c..b352e9a 100644 |
| --- a/qca-nss-sfe/sfe.c |
| +++ b/qca-nss-sfe/sfe.c |
| @@ -680,9 +680,6 @@ sfe_tx_status_t sfe_create_ipv4_rule_msg(struct sfe_ctx_instance_internal *sfe_c |
| case IPPROTO_GRE: |
| break; |
| |
| - case IPPROTO_ESP: |
| - break; |
| - |
| default: |
| ret = SFE_CMN_RESPONSE_EMSG; |
| sfe_incr_exceptions(SFE_EXCEPTION_PROTOCOL_NOT_SUPPORT); |
| @@ -1051,9 +1048,6 @@ sfe_tx_status_t sfe_create_ipv6_rule_msg(struct sfe_ctx_instance_internal *sfe_c |
| case IPPROTO_GRE: |
| break; |
| |
| - case IPPROTO_ESP: |
| - break; |
| - |
| default: |
| ret = SFE_CMN_RESPONSE_EMSG; |
| sfe_incr_exceptions(SFE_EXCEPTION_PROTOCOL_NOT_SUPPORT); |
| diff --git a/qca-nss-sfe/sfe_ipv4.c b/qca-nss-sfe/sfe_ipv4.c |
| index 48eec72..aeb9a42 100644 |
| --- a/qca-nss-sfe/sfe_ipv4.c |
| +++ b/qca-nss-sfe/sfe_ipv4.c |
| @@ -45,7 +45,6 @@ |
| #include "sfe_ipv4_icmp.h" |
| #include "sfe_pppoe.h" |
| #include "sfe_ipv4_gre.h" |
| -#include "sfe_ipv4_esp.h" |
| |
| static char *sfe_ipv4_exception_events_string[SFE_IPV4_EXCEPTION_EVENT_LAST] = { |
| "UDP_HEADER_INCOMPLETE", |
| @@ -96,10 +95,6 @@ static char *sfe_ipv4_exception_events_string[SFE_IPV4_EXCEPTION_EVENT_LAST] = { |
| "GRE_IP_OPTIONS_OR_INITIAL_FRAGMENT", |
| "GRE_SMALL_TTL", |
| "GRE_NEEDS_FRAGMENTATION", |
| - "ESP_NO_CONNECTION", |
| - "ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT", |
| - "ESP_NEEDS_FRAGMENTATION", |
| - "ESP_SMALL_TTL" |
| }; |
| |
| static struct sfe_ipv4 __si; |
| @@ -876,10 +871,6 @@ int sfe_ipv4_recv(struct net_device *dev, struct sk_buff *skb, struct sfe_l2_inf |
| return sfe_ipv4_recv_tcp(si, skb, dev, len, iph, ihl, sync_on_find, l2_info); |
| } |
| |
| - if (IPPROTO_ESP == protocol) { |
| - return sfe_ipv4_recv_esp(si, skb, dev, len, iph, ihl, sync_on_find, tun_outer); |
| - } |
| - |
| if (IPPROTO_ICMP == protocol) { |
| return sfe_ipv4_recv_icmp(si, skb, dev, len, iph, ihl); |
| } |
| @@ -1279,8 +1270,7 @@ int sfe_ipv4_create_rule(struct sfe_ipv4_rule_create_msg *msg) |
| } |
| } |
| |
| - if (((IPPROTO_GRE == tuple->protocol) || (IPPROTO_ESP == tuple->protocol)) && |
| - !sfe_ipv4_is_local_ip(si, original_cm->match_dest_ip)) { |
| + if ((IPPROTO_GRE == tuple->protocol) && !sfe_ipv4_is_local_ip(si, original_cm->match_dest_ip)) { |
| original_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_PASSTHROUGH; |
| } |
| |
| @@ -1460,8 +1450,7 @@ int sfe_ipv4_create_rule(struct sfe_ipv4_rule_create_msg *msg) |
| reply_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT_DEV_ADMISSION; |
| } |
| |
| - if (((IPPROTO_GRE == tuple->protocol) || (IPPROTO_ESP == tuple->protocol)) && |
| - !sfe_ipv4_is_local_ip(si, reply_cm->match_dest_ip)) { |
| + if ((IPPROTO_GRE == tuple->protocol) && !sfe_ipv4_is_local_ip(si, reply_cm->match_dest_ip)) { |
| reply_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_PASSTHROUGH; |
| } |
| |
| @@ -1571,22 +1560,6 @@ int sfe_ipv4_create_rule(struct sfe_ipv4_rule_create_msg *msg) |
| } |
| #endif |
| |
| - if ((IPPROTO_ESP == tuple->protocol) && !(reply_cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_PASSTHROUGH)) { |
| - rcu_read_lock(); |
| - reply_cm->proto = rcu_dereference(inet_protos[IPPROTO_ESP]); |
| - rcu_read_unlock(); |
| - |
| - if (unlikely(!reply_cm->proto)) { |
| - kfree(reply_cm); |
| - kfree(original_cm); |
| - kfree(c); |
| - dev_put(src_dev); |
| - dev_put(dest_dev); |
| - DEBUG_WARN("sfe: ESP proto handler is not registered\n"); |
| - return -EPERM; |
| - } |
| - } |
| - |
| #ifdef CONFIG_NF_FLOW_COOKIE |
| reply_cm->flow_cookie = 0; |
| #endif |
| diff --git a/qca-nss-sfe/sfe_ipv4.h b/qca-nss-sfe/sfe_ipv4.h |
| index fcbc09b..4e8169b 100644 |
| --- a/qca-nss-sfe/sfe_ipv4.h |
| +++ b/qca-nss-sfe/sfe_ipv4.h |
| @@ -288,10 +288,6 @@ enum sfe_ipv4_exception_events { |
| SFE_IPV4_EXCEPTION_EVENT_GRE_IP_OPTIONS_OR_INITIAL_FRAGMENT, |
| SFE_IPV4_EXCEPTION_EVENT_GRE_SMALL_TTL, |
| SFE_IPV4_EXCEPTION_EVENT_GRE_NEEDS_FRAGMENTATION, |
| - SFE_IPV4_EXCEPTION_EVENT_ESP_NO_CONNECTION, |
| - SFE_IPV4_EXCEPTION_EVENT_ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT, |
| - SFE_IPV4_EXCEPTION_EVENT_ESP_NEEDS_FRAGMENTATION, |
| - SFE_IPV4_EXCEPTION_EVENT_ESP_SMALL_TTL, |
| SFE_IPV4_EXCEPTION_EVENT_LAST |
| }; |
| |
| diff --git a/qca-nss-sfe/sfe_ipv4_esp.c b/qca-nss-sfe/sfe_ipv4_esp.c |
| deleted file mode 100644 |
| index f0b4941..0000000 |
| --- a/qca-nss-sfe/sfe_ipv4_esp.c |
| +++ /dev/null |
| @@ -1,295 +0,0 @@ |
| -/* |
| - * sfe_ipv4_esp.c |
| - * Shortcut forwarding engine - IPv4 ESP implementation |
| - * |
| - * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. |
| - * |
| - * Permission to use, copy, modify, and/or distribute this software for any |
| - * purpose with or without fee is hereby granted, provided that the above |
| - * copyright notice and this permission notice appear in all copies. |
| - * |
| - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| - */ |
| - |
| -#include <linux/skbuff.h> |
| -#include <net/protocol.h> |
| -#include <net/ip.h> |
| -#include <linux/etherdevice.h> |
| -#include <linux/lockdep.h> |
| - |
| -#include "sfe_debug.h" |
| -#include "sfe_api.h" |
| -#include "sfe.h" |
| -#include "sfe_flow_cookie.h" |
| -#include "sfe_ipv4.h" |
| -#include "sfe_ipv4_esp.h" |
| - |
| -/* |
| - * sfe_ipv4_recv_esp() |
| - * Handle ESP packet receives and forwarding |
| - */ |
| -int sfe_ipv4_recv_esp(struct sfe_ipv4 *si, struct sk_buff *skb, struct net_device *dev, |
| - unsigned int len, struct iphdr *iph, unsigned int ihl, |
| - bool sync_on_find, bool tun_outer) |
| -{ |
| - struct sfe_ipv4_connection_match *cm; |
| - struct net_device *xmit_dev; |
| - struct net_protocol *ipprot; |
| - netdev_features_t features; |
| - bool passthrough; |
| - bool bridge_flow; |
| - bool fast_xmit; |
| - bool hw_csum; |
| - __be32 src_ip; |
| - __be32 dest_ip; |
| - bool ret; |
| - u8 ttl; |
| - |
| - /* |
| - * Read the IP address from the iphdr, and set the src/dst ports to 0. |
| - */ |
| - src_ip = iph->saddr; |
| - dest_ip = iph->daddr; |
| - rcu_read_lock(); |
| - |
| - /* |
| - * Look for a connection match. |
| - */ |
| -#ifdef CONFIG_NF_FLOW_COOKIE |
| - cm = si->sfe_flow_cookie_table[skb->flow_cookie & SFE_FLOW_COOKIE_MASK].match; |
| - if (unlikely(!cm)) { |
| - cm = sfe_ipv4_find_ipv4_connection_match_rcu(si, dev, IPPROTO_ESP, src_ip, 0, dest_ip, 0); |
| - } |
| -#else |
| - cm = sfe_ipv4_find_connection_match_rcu(si, dev, IPPROTO_ESP, src_ip, 0, dest_ip, 0); |
| -#endif |
| - if (unlikely(!cm)) { |
| - rcu_read_unlock(); |
| - sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_ESP_NO_CONNECTION); |
| - DEBUG_TRACE("no connection found for esp packet\n"); |
| - return 0; |
| - } |
| - |
| - /* |
| - * Source interface validate. |
| - */ |
| - if (unlikely((cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) { |
| - struct sfe_ipv4_connection *c = cm->connection; |
| - int ret; |
| - |
| - spin_lock_bh(&si->lock); |
| - ret = sfe_ipv4_remove_connection(si, c); |
| - spin_unlock_bh(&si->lock); |
| - |
| - if (ret) { |
| - sfe_ipv4_flush_connection(si, c, SFE_SYNC_REASON_FLUSH); |
| - } |
| - rcu_read_unlock(); |
| - sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_INVALID_SRC_IFACE); |
| - DEBUG_TRACE("flush on wrong source interface check failure\n"); |
| - return 0; |
| - } |
| - |
| - passthrough = cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_PASSTHROUGH; |
| - bridge_flow = !!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_BRIDGE_FLOW); |
| - |
| - /* |
| - * If our packet has been marked as "sync on find" we can't actually |
| - * forward it in the fast path, but now that we've found an associated |
| - * connection we need sync its status before exception it to slow path unless |
| - * it is passthrough (packets not directed to DUT) packet. |
| - * TODO: revisit to ensure that pass through traffic is not bypassing firewall for fragmented cases |
| - */ |
| - if (unlikely(sync_on_find) && !passthrough) { |
| - sfe_ipv4_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS); |
| - rcu_read_unlock(); |
| - sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT); |
| - DEBUG_TRACE("%px: sfe: sync on find\n", cm); |
| - return 0; |
| - } |
| - |
| - /* |
| - * Check if skb was cloned. If it was, unshare it. |
| - */ |
| - if (unlikely(skb_cloned(skb))) { |
| - DEBUG_TRACE("%px: skb is a cloned skb\n", skb); |
| - skb = skb_unshare(skb, GFP_ATOMIC); |
| - if (!skb) { |
| - DEBUG_WARN("Failed to unshare the cloned skb\n"); |
| - rcu_read_unlock(); |
| - return 0; |
| - } |
| - |
| - /* |
| - * Update the iphdr pointer with the unshared skb's data area. |
| - */ |
| - iph = (struct iphdr *)skb->data; |
| - } |
| - |
| - /* |
| - * Enable HW csum if rx checksum is verified and xmit interface is CSUM offload capable. |
| - */ |
| - hw_csum = !!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_CSUM_OFFLOAD) && (skb->ip_summed == CHECKSUM_UNNECESSARY); |
| - |
| - /* |
| - * proto decap packet. |
| - * Invoke the inet_protocol handler for delivery of the packet. |
| - */ |
| - ipprot = rcu_dereference(cm->proto); |
| - if (likely(ipprot)) { |
| - skb_reset_network_header(skb); |
| - skb_pull(skb, ihl); |
| - skb_reset_transport_header(skb); |
| - xmit_dev = cm->xmit_dev; |
| - skb->dev = xmit_dev; |
| - |
| - ret = ipprot->handler(skb); |
| - if (ret) { |
| - rcu_read_unlock(); |
| - this_cpu_inc(si->stats_pcpu->packets_not_forwarded64); |
| - DEBUG_TRACE("ESP handler returned error %u\n", ret); |
| - return 0; |
| - } |
| - |
| - /* |
| - * Update traffic stats. |
| - */ |
| - atomic_inc(&cm->rx_packet_count); |
| - atomic_add(len, &cm->rx_byte_count); |
| - |
| - rcu_read_unlock(); |
| - this_cpu_inc(si->stats_pcpu->packets_forwarded64); |
| - return 1; |
| - } |
| - |
| - /* |
| - * esp passthrough / ip local out scenarios. |
| - */ |
| - /* |
| - * If our packet is larger than the MTU of the transmit interface then |
| - * we can't forward it easily. |
| - */ |
| - if (unlikely(len > cm->xmit_dev_mtu)) { |
| - sfe_ipv4_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS); |
| - rcu_read_unlock(); |
| - sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_ESP_NEEDS_FRAGMENTATION); |
| - DEBUG_TRACE("%px: sfe: larger than MTU\n", cm); |
| - return 0; |
| - } |
| - |
| - /* |
| - * need to ensure that TTL is >=2. |
| - */ |
| - ttl = iph->ttl; |
| - if (!bridge_flow && (ttl < 2) && passthrough) { |
| - sfe_ipv4_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS); |
| - rcu_read_unlock(); |
| - |
| - DEBUG_TRACE("%px: sfe: TTL too low\n", skb); |
| - sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_ESP_SMALL_TTL); |
| - return 0; |
| - } |
| - |
| - /* |
| - * decrement TTL by 1. |
| - */ |
| - iph->ttl = (ttl - (u8)(!bridge_flow && !tun_outer)); |
| - |
| - /* |
| - * Update DSCP |
| - */ |
| - if (unlikely(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_DSCP_REMARK)) { |
| - iph->tos = (iph->tos & SFE_IPV4_DSCP_MASK) | cm->dscp; |
| - } |
| - |
| - /* |
| - * Replace the IP checksum. |
| - */ |
| - if (likely(hw_csum)) { |
| - skb->ip_summed = CHECKSUM_PARTIAL; |
| - } else { |
| - iph->check = sfe_ipv4_gen_ip_csum(iph); |
| - } |
| - |
| - /* |
| - * Update traffic stats. |
| - */ |
| - atomic_inc(&cm->rx_packet_count); |
| - atomic_add(len, &cm->rx_byte_count); |
| - |
| - xmit_dev = cm->xmit_dev; |
| - skb->dev = xmit_dev; |
| - |
| - /* |
| - * write the layer - 2 header. |
| - */ |
| - if (likely(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_WRITE_L2_HDR)) { |
| - if (unlikely(!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_WRITE_FAST_ETH_HDR))) { |
| - dev_hard_header(skb, xmit_dev, ETH_P_IP, cm->xmit_dest_mac, cm->xmit_src_mac, len); |
| - } else { |
| - /* |
| - * For the simple case we write this really fast. |
| - */ |
| - struct ethhdr *eth = (struct ethhdr *)__skb_push(skb, ETH_HLEN); |
| - eth->h_proto = htons(ETH_P_IP); |
| - ether_addr_copy((u8 *)eth->h_dest, (u8 *)cm->xmit_dest_mac); |
| - ether_addr_copy((u8 *)eth->h_source, (u8 *)cm->xmit_src_mac); |
| - } |
| - } |
| - |
| - /* |
| - * Update priority of skb |
| - */ |
| - if (unlikely(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_PRIORITY_REMARK)) { |
| - skb->priority = cm->priority; |
| - } |
| - |
| - /* |
| - * Mark outgoing packet. |
| - */ |
| - if (unlikely(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_MARK)) { |
| - skb->mark = cm->mark; |
| - } |
| - |
| - /* |
| - * For the first packets, check if it could got fast xmit. |
| - */ |
| - if (unlikely(!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT_FLOW_CHECKED) |
| - && (cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT_DEV_ADMISSION))){ |
| - cm->features = netif_skb_features(skb); |
| - if (likely(sfe_fast_xmit_check(skb, cm->features))) { |
| - cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT; |
| - } |
| - cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT_FLOW_CHECKED; |
| - } |
| - |
| - features = cm->features; |
| - fast_xmit = !!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT); |
| - |
| - rcu_read_unlock(); |
| - this_cpu_inc(si->stats_pcpu->packets_forwarded64); |
| - prefetch(skb_shinfo(skb)); |
| - |
| - /* |
| - * We do per packet condition check before we could fast xmit the |
| - * packet. |
| - */ |
| - if (likely(fast_xmit && dev_fast_xmit(skb, xmit_dev, features))) { |
| - this_cpu_inc(si->stats_pcpu->packets_fast_xmited64); |
| - return 1; |
| - } |
| - |
| - /* |
| - * Mark that this packet has been fast forwarded. |
| - */ |
| - skb->fast_forwarded = 1; |
| - |
| - dev_queue_xmit(skb); |
| - return 1; |
| -} |
| diff --git a/qca-nss-sfe/sfe_ipv4_esp.h b/qca-nss-sfe/sfe_ipv4_esp.h |
| deleted file mode 100644 |
| index f889605..0000000 |
| --- a/qca-nss-sfe/sfe_ipv4_esp.h |
| +++ /dev/null |
| @@ -1,21 +0,0 @@ |
| -/* |
| - * sfe_ipv4_esp.h |
| - * Shortcut forwarding engine - IPv4 ESP header file |
| - * |
| - * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. |
| - * |
| - * Permission to use, copy, modify, and/or distribute this software for any |
| - * purpose with or without fee is hereby granted, provided that the above |
| - * copyright notice and this permission notice appear in all copies. |
| - * |
| - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| - */ |
| - |
| -int sfe_ipv4_recv_esp(struct sfe_ipv4 *si, struct sk_buff *skb, struct net_device *dev, unsigned int len, |
| - struct iphdr *iph, unsigned int ihl, bool sync_on_find, bool tun_outer); |
| diff --git a/qca-nss-sfe/sfe_ipv6.c b/qca-nss-sfe/sfe_ipv6.c |
| index 9b9539f..372d9fb 100644 |
| --- a/qca-nss-sfe/sfe_ipv6.c |
| +++ b/qca-nss-sfe/sfe_ipv6.c |
| @@ -46,7 +46,6 @@ |
| #include "sfe_pppoe.h" |
| #include "sfe_ipv6_tunipip6.h" |
| #include "sfe_ipv6_gre.h" |
| -#include "sfe_ipv6_esp.h" |
| |
| #define sfe_ipv6_addr_copy(src, dest) memcpy((void *)(dest), (void *)(src), 16) |
| |
| @@ -105,10 +104,6 @@ static char *sfe_ipv6_exception_events_string[SFE_IPV6_EXCEPTION_EVENT_LAST] = { |
| "GRE_IP_OPTIONS_OR_INITIAL_FRAGMENT", |
| "GRE_SMALL_TTL", |
| "GRE_NEEDS_FRAGMENTATION", |
| - "ESP_NO_CONNECTION", |
| - "ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT", |
| - "ESP_NEEDS_FRAGMENTATION", |
| - "ESP_SMALL_TTL" |
| }; |
| |
| static struct sfe_ipv6 __si6; |
| @@ -868,10 +863,6 @@ int sfe_ipv6_recv(struct net_device *dev, struct sk_buff *skb, struct sfe_l2_inf |
| return sfe_ipv6_recv_tcp(si, skb, dev, len, iph, ihl, sync_on_find, l2_info); |
| } |
| |
| - if (IPPROTO_ESP == next_hdr) { |
| - return sfe_ipv6_recv_esp(si, skb, dev, len, iph, ihl, sync_on_find, tun_outer); |
| - } |
| - |
| if (IPPROTO_ICMPV6 == next_hdr) { |
| return sfe_ipv6_recv_icmp(si, skb, dev, len, iph, ihl); |
| } |
| @@ -1547,7 +1538,7 @@ int sfe_ipv6_create_rule(struct sfe_ipv6_rule_create_msg *msg) |
| #ifdef SFE_GRE_TUN_ENABLE |
| if ((IPPROTO_GRE == tuple->protocol) && !(reply_cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_PASSTHROUGH)) { |
| rcu_read_lock(); |
| - reply_cm->proto = rcu_dereference(inet6_protos[IPPROTO_GRE]); |
| + reply_cm->proto = rcu_dereference(inet6_protos[tuple->protocol]); |
| rcu_read_unlock(); |
| |
| if (unlikely(!reply_cm->proto)) { |
| @@ -1564,24 +1555,6 @@ int sfe_ipv6_create_rule(struct sfe_ipv6_rule_create_msg *msg) |
| } |
| #endif |
| |
| - if ((IPPROTO_ESP == tuple->protocol) && !(reply_cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_PASSTHROUGH)) { |
| - rcu_read_lock(); |
| - reply_cm->proto = rcu_dereference(inet6_protos[IPPROTO_ESP]); |
| - rcu_read_unlock(); |
| - |
| - if (unlikely(!reply_cm->proto)) { |
| - this_cpu_inc(si->stats_pcpu->connection_create_failures64); |
| - spin_unlock_bh(&si->lock); |
| - kfree(reply_cm); |
| - kfree(original_cm); |
| - kfree(c); |
| - dev_put(src_dev); |
| - dev_put(dest_dev); |
| - DEBUG_WARN("sfe: ESP proto handler is not registered\n"); |
| - return -EPERM; |
| - } |
| - } |
| - |
| /* |
| * Decapsulation path have proto set. |
| * This is used to differentiate de/encap, and call protocol specific handler. |
| diff --git a/qca-nss-sfe/sfe_ipv6.h b/qca-nss-sfe/sfe_ipv6.h |
| index f9a33f8..9c78f1c 100644 |
| --- a/qca-nss-sfe/sfe_ipv6.h |
| +++ b/qca-nss-sfe/sfe_ipv6.h |
| @@ -307,10 +307,6 @@ enum sfe_ipv6_exception_events { |
| SFE_IPV6_EXCEPTION_EVENT_GRE_IP_OPTIONS_OR_INITIAL_FRAGMENT, |
| SFE_IPV6_EXCEPTION_EVENT_GRE_SMALL_TTL, |
| SFE_IPV6_EXCEPTION_EVENT_GRE_NEEDS_FRAGMENTATION, |
| - SFE_IPV6_EXCEPTION_EVENT_ESP_NO_CONNECTION, |
| - SFE_IPV6_EXCEPTION_EVENT_ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT, |
| - SFE_IPV6_EXCEPTION_EVENT_ESP_NEEDS_FRAGMENTATION, |
| - SFE_IPV6_EXCEPTION_EVENT_ESP_SMALL_TTL, |
| SFE_IPV6_EXCEPTION_EVENT_LAST |
| }; |
| |
| diff --git a/qca-nss-sfe/sfe_ipv6_esp.c b/qca-nss-sfe/sfe_ipv6_esp.c |
| deleted file mode 100644 |
| index 7a152e8..0000000 |
| --- a/qca-nss-sfe/sfe_ipv6_esp.c |
| +++ /dev/null |
| @@ -1,275 +0,0 @@ |
| -/* |
| - * sfe_ipv6_esp.c |
| - * Shortcut forwarding engine - IPv6 ESP implementation |
| - * |
| - * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. |
| - * |
| - * Permission to use, copy, modify, and/or distribute this software for any |
| - * purpose with or without fee is hereby granted, provided that the above |
| - * copyright notice and this permission notice appear in all copies. |
| - * |
| - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| - */ |
| - |
| -#include <linux/skbuff.h> |
| -#include <net/protocol.h> |
| -#include <net/ip6_checksum.h> |
| -#include <linux/etherdevice.h> |
| -#include <linux/version.h> |
| - |
| -#include "sfe_debug.h" |
| -#include "sfe_api.h" |
| -#include "sfe.h" |
| -#include "sfe_flow_cookie.h" |
| -#include "sfe_ipv6.h" |
| -#include "sfe_ipv6_esp.h" |
| - |
| -/* |
| - * sfe_ipv6_recv_esp() |
| - * Handle ESP packet receives and forwarding |
| - */ |
| -int sfe_ipv6_recv_esp(struct sfe_ipv6 *si, struct sk_buff *skb, struct net_device *dev, |
| - unsigned int len, struct ipv6hdr *iph, unsigned int ihl, |
| - bool sync_on_find, bool tun_outer) |
| -{ |
| - struct sfe_ipv6_connection_match *cm; |
| - struct sfe_ipv6_addr *src_ip; |
| - struct sfe_ipv6_addr *dest_ip; |
| - struct net_device *xmit_dev; |
| - struct inet6_protocol *ipprot; |
| - netdev_features_t features; |
| - bool bridge_flow; |
| - bool passthrough; |
| - bool fast_xmit; |
| - bool ret; |
| - |
| - /* |
| - * Read the IP address from the iphdr, and set the src/dst ports to 0. |
| - */ |
| - src_ip = (struct sfe_ipv6_addr *)iph->saddr.s6_addr32; |
| - dest_ip = (struct sfe_ipv6_addr *)iph->daddr.s6_addr32; |
| - rcu_read_lock(); |
| - |
| - /* |
| - * Look for a connection match. |
| - */ |
| -#ifdef CONFIG_NF_FLOW_COOKIE |
| - cm = si->sfe_flow_cookie_table[skb->flow_cookie & SFE_FLOW_COOKIE_MASK].match; |
| - if (unlikely(!cm)) { |
| - cm = sfe_ipv6_find_connection_match_rcu(si, dev, IPPROTO_ESP, src_ip, 0, dest_ip, 0); |
| - } |
| -#else |
| - cm = sfe_ipv6_find_connection_match_rcu(si, dev, IPPROTO_ESP, src_ip, 0, dest_ip, 0); |
| -#endif |
| - if (unlikely(!cm)) { |
| - rcu_read_unlock(); |
| - sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_ESP_NO_CONNECTION); |
| - |
| - DEBUG_TRACE("no connection found for esp packet\n"); |
| - return 0; |
| - } |
| - |
| - /* |
| - * Source interface validate. |
| - */ |
| - if (unlikely((cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) { |
| - struct sfe_ipv6_connection *c = cm->connection; |
| - int ret; |
| - |
| - spin_lock_bh(&si->lock); |
| - ret = sfe_ipv6_remove_connection(si, c); |
| - spin_unlock_bh(&si->lock); |
| - |
| - if (ret) { |
| - sfe_ipv6_flush_connection(si, c, SFE_SYNC_REASON_FLUSH); |
| - } |
| - rcu_read_unlock(); |
| - sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_INVALID_SRC_IFACE); |
| - DEBUG_TRACE("flush on wrong source interface check failure\n"); |
| - return 0; |
| - } |
| - |
| - passthrough = cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_PASSTHROUGH; |
| - bridge_flow = !!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_BRIDGE_FLOW); |
| - |
| - /* |
| - * If our packet has beern marked as "sync on find" we can't actually |
| - * forward it in the fast path, but now that we've found an associated |
| - * connection we need sync its status before exception it to slow path. unless |
| - * it is passthrough packet. |
| - * TODO: revisit to ensure that pass through traffic is not bypassing firewall for fragmented cases |
| - */ |
| - if (unlikely(sync_on_find) && !passthrough) { |
| - sfe_ipv6_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS); |
| - rcu_read_unlock(); |
| - |
| - sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_ESP_IP_OPTIONS_OR_INITIAL_FRAGMENT); |
| - DEBUG_TRACE("Sync on find\n"); |
| - return 0; |
| - } |
| - |
| - /* |
| - * Check if skb was cloned. If it was, unshare it. |
| - */ |
| - if (unlikely(skb_cloned(skb))) { |
| - DEBUG_TRACE("%px: skb is a cloned skb\n", skb); |
| - skb = skb_unshare(skb, GFP_ATOMIC); |
| - if (!skb) { |
| - DEBUG_WARN("Failed to unshare the cloned skb\n"); |
| - rcu_read_unlock(); |
| - return 0; |
| - } |
| - |
| - /* |
| - * Update the iphdr pointer with the unshared skb's data area. |
| - */ |
| - iph = (struct ipv6hdr *)skb->data; |
| - } |
| - |
| - /* |
| - * proto decap packet. |
| - * Invoke the inet_protocol handler for delivery of the packet. |
| - */ |
| - ipprot = rcu_dereference(cm->proto); |
| - if (likely(ipprot)) { |
| - skb_reset_network_header(skb); |
| - skb_pull(skb, ihl); |
| - skb_reset_transport_header(skb); |
| - xmit_dev = cm->xmit_dev; |
| - skb->dev = xmit_dev; |
| - |
| - ret = ipprot->handler(skb); |
| - if (ret) { |
| - rcu_read_unlock(); |
| - this_cpu_inc(si->stats_pcpu->packets_not_forwarded64); |
| - DEBUG_TRACE("ESP handler returned error %u\n", ret); |
| - return 0; |
| - } |
| - |
| - rcu_read_unlock(); |
| - this_cpu_inc(si->stats_pcpu->packets_forwarded64); |
| - return 1; |
| - } |
| - |
| - /* |
| - * esp passthrough / ip local out scenarios |
| - */ |
| - /* |
| - * If our packet is larger than the MTU of the transmit interface then |
| - * we can't forward it easily. |
| - */ |
| - if (unlikely(len > cm->xmit_dev_mtu)) { |
| - sfe_ipv6_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS); |
| - rcu_read_unlock(); |
| - |
| - sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_ESP_NEEDS_FRAGMENTATION); |
| - DEBUG_TRACE("Larger than MTU\n"); |
| - return 0; |
| - } |
| - |
| - /* |
| - * need to ensure that TTL is >=2. |
| - */ |
| - if (!bridge_flow && (iph->hop_limit < 2) && passthrough) { |
| - sfe_ipv6_sync_status(si, cm->connection, SFE_SYNC_REASON_STATS); |
| - rcu_read_unlock(); |
| - |
| - sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_ESP_SMALL_TTL); |
| - DEBUG_TRACE("hop_limit too low\n"); |
| - return 0; |
| - } |
| - |
| - /* |
| - * decrement TTL by 1. |
| - */ |
| - iph->hop_limit = iph->hop_limit - (u8)(!bridge_flow && !tun_outer); |
| - |
| - /* |
| - * Update DSCP |
| - */ |
| - if (unlikely(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_DSCP_REMARK)) { |
| - sfe_ipv6_change_dsfield(iph, cm->dscp); |
| - } |
| - |
| - /* |
| - * Update traffic stats. |
| - */ |
| - atomic_inc(&cm->rx_packet_count); |
| - atomic_add(len, &cm->rx_byte_count); |
| - |
| - xmit_dev = cm->xmit_dev; |
| - skb->dev = xmit_dev; |
| - |
| - /* |
| - * write the layer - 2 header. |
| - */ |
| - if (likely(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_WRITE_L2_HDR)) { |
| - if (unlikely(!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_WRITE_FAST_ETH_HDR))) { |
| - dev_hard_header(skb, xmit_dev, ETH_P_IPV6, cm->xmit_dest_mac, cm->xmit_src_mac, len); |
| - } else { |
| - /* |
| - * For the simple case we write this really fast. |
| - */ |
| - struct ethhdr *eth = (struct ethhdr *)__skb_push(skb, ETH_HLEN); |
| - eth->h_proto = htons(ETH_P_IPV6); |
| - ether_addr_copy((u8 *)eth->h_dest, (u8 *)cm->xmit_dest_mac); |
| - ether_addr_copy((u8 *)eth->h_source, (u8 *)cm->xmit_src_mac); |
| - } |
| - } |
| - |
| - /* |
| - * Update priority of skb. |
| - */ |
| - if (unlikely(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_PRIORITY_REMARK)) { |
| - skb->priority = cm->priority; |
| - } |
| - |
| - /* |
| - * Mark outgoing packet. |
| - */ |
| - if (unlikely(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_MARK)) { |
| - skb->mark = cm->mark; |
| - } |
| - |
| - /* |
| - * For the first packets, check if it could got fast xmit. |
| - */ |
| - if (unlikely(!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT_FLOW_CHECKED) |
| - && (cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT_DEV_ADMISSION))){ |
| - cm->features = netif_skb_features(skb); |
| - if (likely(sfe_fast_xmit_check(skb, cm->features))) { |
| - cm->flags |= SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT; |
| - } |
| - cm->flags |= SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT_FLOW_CHECKED; |
| - } |
| - |
| - features = cm->features; |
| - fast_xmit = !!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT); |
| - |
| - rcu_read_unlock(); |
| - this_cpu_inc(si->stats_pcpu->packets_forwarded64); |
| - prefetch(skb_shinfo(skb)); |
| - |
| - /* |
| - * We do per packet condition check before we could fast xmit the |
| - * packet. |
| - */ |
| - if (likely(fast_xmit && dev_fast_xmit(skb, xmit_dev, features))) { |
| - this_cpu_inc(si->stats_pcpu->packets_fast_xmited64); |
| - return 1; |
| - } |
| - |
| - /* |
| - * Mark that this packet has been fast forwarded. |
| - */ |
| - skb->fast_forwarded = 1; |
| - |
| - dev_queue_xmit(skb); |
| - return 1; |
| -} |
| diff --git a/qca-nss-sfe/sfe_ipv6_esp.h b/qca-nss-sfe/sfe_ipv6_esp.h |
| deleted file mode 100644 |
| index 2870670..0000000 |
| --- a/qca-nss-sfe/sfe_ipv6_esp.h |
| +++ /dev/null |
| @@ -1,21 +0,0 @@ |
| -/* |
| - * sfe_ipv6_esp.h |
| - * Shortcut forwarding engine - IPv6 ESP header file |
| - * |
| - * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. |
| - * |
| - * Permission to use, copy, modify, and/or distribute this software for any |
| - * purpose with or without fee is hereby granted, provided that the above |
| - * copyright notice and this permission notice appear in all copies. |
| - * |
| - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| - */ |
| - |
| -int sfe_ipv6_recv_esp(struct sfe_ipv6 *si, struct sk_buff *skb, struct net_device *dev, unsigned int len, |
| - struct ipv6hdr *iph, unsigned int ihl, bool sync_on_find, bool tun_outer); |
| -- |
| 2.42.0.869.gea05f2083d-goog |
| |