[Intel-wired-lan] [net-queue PATCH] ixgbe: check that ipsec is available on the chip
Shannon Nelson
shannon.nelson at oracle.com
Tue Jun 5 20:12:01 UTC 2018
On 6/5/2018 11:41 AM, Alexander Duyck wrote:
> On Tue, Jun 5, 2018 at 10:20 AM, Shannon Nelson
> <shannon.nelson at oracle.com> wrote:
>> On 6/5/2018 9:55 AM, Alexander Duyck wrote:
>>>
>>> On Tue, Jun 5, 2018 at 9:22 AM, Shannon Nelson
>>> <shannon.nelson at oracle.com> wrote:
>>>>
>>>> On 6/5/2018 5:10 AM, zhuyj wrote:
>>>>>
>>>>>
>>>>> In the mainline kernel source code, it seems that the above does not
>>>>> exist. Do you use the latest ixgbe source code from e1000 maillist?
>>>>> And can we use "ethtool -K" to enable/disable ipsec offload?
>>>>
>>>>
>>>>
>>>> I believe it is in Linux v4.15 and later. Be sure to enable
>>>> CONFIG_INET_ESP_OFFLOAD and CONFIG_INET6_ESP_OFFLOAD to enable all the
>>>> IPsec
>>>> offload features.
>>>>
>>>> Since the output shows "[fixed]", the user is not able to change it on
>>>> the
>>>> fly.
>>>>
>>>> sln
>>>
>>>
>>> I'm pretty sure the "[fixed]" was due to a bug. Specifically we were
>>> setting the bits in hw_enc_features instead of hw_features. I fixed
>>> that in the patch set I submitted yesterday.
>>
>>
>> No, that wasn't a bug, that was intended: turning the offload on and off
>> willy-nilly will only serve to confuse the XFRM/IPsec offloads. If you
>> don't want to use an offload, don't create and IPsec SA with the 'offload'
>> tag.
>>
>> sln
>
> Well the change I made that moved the feature bits allows us to turn
> it on and off, so we have the bits set in features, hw_features,
> vlan_features, and hw_enc_features. However the hardware supports it
> either way as all we turn on or off is the advertising of the feature.
The features are expected to be enabled in a certain pattern. For
example, if the user disables NETIF_F_HW_ESP without disabling
NETIF_F_HW_ESP_TX_CSUM, __ip_append_data() may make a poor decision in
setting the checksum mode. I think the other uses of
NETIF_F_HW_ESP_TX_CSUM are safe at the moment, but I don't think we
should allow the user to break this expectation. This is part of why we
have a check for this in xfrm_api_check(), to be sure the driver has set
it up correctly in the first place.
sln
>
> - Alex
>
More information about the Intel-wired-lan
mailing list