tc: flower: support for SPI
authorRatheesh Kannoth <rkannoth@marvell.com>
Tue, 1 Aug 2023 01:40:59 +0000 (07:10 +0530)
committerDavid S. Miller <davem@davemloft.net>
Wed, 2 Aug 2023 09:09:31 +0000 (10:09 +0100)
Add tc flower rule support for classifying ESP/AH
packets by matching on the SPI field.

Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/uapi/linux/pkt_cls.h
net/sched/cls_flower.c

index 7865f5a9885b9bc12332448418cfef8214391f09..75506f157340015e28982ba9da64d3efea4fdf83 100644 (file)
@@ -598,6 +598,9 @@ enum {
 
        TCA_FLOWER_KEY_CFM,             /* nested */
 
+       TCA_FLOWER_KEY_SPI,             /* be32 */
+       TCA_FLOWER_KEY_SPI_MASK,        /* be32 */
+
        __TCA_FLOWER_MAX,
 };
 
index 8da9d039d964ea417700a2f59ad95a9ce52f5eab..eca26027284549a2222d2154c8c02e3658eaf87a 100644 (file)
@@ -72,6 +72,7 @@ struct fl_flow_key {
        struct flow_dissector_key_num_of_vlans num_of_vlans;
        struct flow_dissector_key_pppoe pppoe;
        struct flow_dissector_key_l2tpv3 l2tpv3;
+       struct flow_dissector_key_ipsec ipsec;
        struct flow_dissector_key_cfm cfm;
 } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
 
@@ -726,6 +727,8 @@ static const struct nla_policy fl_policy[TCA_FLOWER_MAX + 1] = {
        [TCA_FLOWER_KEY_PPPOE_SID]      = { .type = NLA_U16 },
        [TCA_FLOWER_KEY_PPP_PROTO]      = { .type = NLA_U16 },
        [TCA_FLOWER_KEY_L2TPV3_SID]     = { .type = NLA_U32 },
+       [TCA_FLOWER_KEY_SPI]            = { .type = NLA_U32 },
+       [TCA_FLOWER_KEY_SPI_MASK]       = { .type = NLA_U32 },
        [TCA_FLOWER_L2_MISS]            = NLA_POLICY_MAX(NLA_U8, 1),
        [TCA_FLOWER_KEY_CFM]            = { .type = NLA_NESTED },
 };
@@ -795,6 +798,24 @@ static void fl_set_key_val(struct nlattr **tb,
                nla_memcpy(mask, tb[mask_type], len);
 }
 
+static int fl_set_key_spi(struct nlattr **tb, struct fl_flow_key *key,
+                         struct fl_flow_key *mask,
+                         struct netlink_ext_ack *extack)
+{
+       if (key->basic.ip_proto != IPPROTO_ESP &&
+           key->basic.ip_proto != IPPROTO_AH) {
+               NL_SET_ERR_MSG(extack,
+                              "Protocol must be either ESP or AH");
+               return -EINVAL;
+       }
+
+       fl_set_key_val(tb, &key->ipsec.spi,
+                      TCA_FLOWER_KEY_SPI,
+                      &mask->ipsec.spi, TCA_FLOWER_KEY_SPI_MASK,
+                      sizeof(key->ipsec.spi));
+       return 0;
+}
+
 static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key,
                                 struct fl_flow_key *mask,
                                 struct netlink_ext_ack *extack)
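Review bot: The rejection path in fl_set_key_spi() uses `NL_SET_ERR_MSG`, so userspace gets the text but no pointer to the attribute that triggered it. `NL_SET_ERR_MSG_ATTR(extack, tb[TCA_FLOWER_KEY_SPI], "Protocol must be either ESP or AH");` would identify the offending attribute. The function also has no comment, and two things are worth stating above it: the SPI is carried in network byte order (the uapi hunk marks it be32), and the check reads key->basic.ip_proto, so it depends on the caller having parsed the IP protocol before this call. Proposed comment: `/* Match on the ESP/AH SPI (be32); ip_proto must already be set to ESP or AH. */`.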
@@ -1894,6 +1915,12 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
                        return ret;
        }
 
+       if (tb[TCA_FLOWER_KEY_SPI]) {
+               ret = fl_set_key_spi(tb, key, mask, extack);
+               if (ret)
+                       return ret;
+       }
+
        if (tb[TCA_FLOWER_KEY_ENC_IPV4_SRC] ||
            tb[TCA_FLOWER_KEY_ENC_IPV4_DST]) {
                key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
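Review bot: The new branch is entered only when `tb[TCA_FLOWER_KEY_SPI]` is present, so a request carrying `TCA_FLOWER_KEY_SPI_MASK` alone never reaches fl_set_key_spi(). As far as this hunk shows, such a request succeeds with the mask ignored and no SPI match installed. Consider testing `if (tb[TCA_FLOWER_KEY_SPI] || tb[TCA_FLOWER_KEY_SPI_MASK])` and having fl_set_key_spi() return -EINVAL with an extack message when the value attribute is missing, so a malformed request fails loudly. fl_set_key's body starts and ends outside the hunk, so whether ip_proto has been parsed by this point cannot be confirmed from here.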
@@ -2066,6 +2093,8 @@ static void fl_init_dissector(struct flow_dissector *dissector,
                             FLOW_DISSECTOR_KEY_PPPOE, pppoe);
        FL_KEY_SET_IF_MASKED(mask, keys, cnt,
                             FLOW_DISSECTOR_KEY_L2TPV3, l2tpv3);
+       FL_KEY_SET_IF_MASKED(mask, keys, cnt,
+                            FLOW_DISSECTOR_KEY_IPSEC, ipsec);
        FL_KEY_SET_IF_MASKED(mask, keys, cnt,
                             FLOW_DISSECTOR_KEY_CFM, cfm);
 
@@ -3364,6 +3393,12 @@ static int fl_dump_key(struct sk_buff *skb, struct net *net,
                                 sizeof(key->l2tpv3.session_id)))
                goto nla_put_failure;
 
+       if (key->ipsec.spi &&
+           fl_dump_key_val(skb, &key->ipsec.spi, TCA_FLOWER_KEY_SPI,
+                           &mask->ipsec.spi, TCA_FLOWER_KEY_SPI_MASK,
+                           sizeof(key->ipsec.spi)))
+               goto nla_put_failure;
+
        if ((key->basic.ip_proto == IPPROTO_TCP ||
             key->basic.ip_proto == IPPROTO_UDP ||
             key->basic.ip_proto == IPPROTO_SCTP) &&
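Review bot: The dump is gated on `key->ipsec.spi` being non-zero, so a filter installed with SPI value 0 and a non-zero mask is not reported back. fl_set_key_spi() does not reject 0, and the dump would then show only the protocol match, which reads as a broader rule than the one in effect. Gating on the mask instead, `if (mask->ipsec.spi &&`, keeps the output faithful to the installed classifier for anyone auditing rules. fl_dump_key_val() is not visible here and may already skip all-zero masks, in which case the extra condition can simply be dropped. fl_dump_key's body continues outside the hunk.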