Merge branch 'Improve packet offload for dual stack'

Mike Yu says: ==================== In the XFRM stack, whether a packet is forwarded to the IPv4 or IPv6 stack depends on the family field of the matched SA. This does not completely work for IPsec packet offload in some scenario, for example, sending an IPv6 packet that will be encrypted and encapsulated as an IPv4 packet in HW. Here are the patches to make IPsec packet offload work on the mentioned scenario. ==================== Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
mariux64 · Mar 6, 2024 · 2ce0eae · 2ce0eae
2 parents 1a807e4 + 8688ab2
commit 2ce0eae
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
@@ -704,9 +704,13 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
 {
 	struct net *net = dev_net(skb_dst(skb)->dev);
 	struct xfrm_state *x = skb_dst(skb)->xfrm;
+	int family;
 	int err;
 
-	switch (x->outer_mode.family) {
+	family = (x->xso.type != XFRM_DEV_OFFLOAD_PACKET) ? x->outer_mode.family
+		: skb_dst(skb)->ops->family;
+
+	switch (family) {
 	case AF_INET:
 		memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
 		IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
@@ -2694,7 +2694,9 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
 			if (xfrm[i]->props.smark.v || xfrm[i]->props.smark.m)
 				mark = xfrm_smark_get(fl->flowi_mark, xfrm[i]);
 
-			family = xfrm[i]->props.family;
+			if (xfrm[i]->xso.type != XFRM_DEV_OFFLOAD_PACKET)
+				family = xfrm[i]->props.family;
+
 			oif = fl->flowi_oif ? : fl->flowi_l3mdev;
 			dst = xfrm_dst_lookup(xfrm[i], tos, oif,
 					      &saddr, &daddr, family, mark);