aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAriel Ehrenberg <aehrenberg@nvidia.com>2025-09-17 13:17:46 +0000
committerKonstantin Belousov <kib@FreeBSD.org>2025-09-26 06:32:10 +0000
commit84d688af4e625e159af65cd2432af88609d4962a (patch)
tree2afe2f25a484ecb98bebd414128dfb7cfb0e0e2b
parent7e8fb7756c3ed89a2141b923e6da1b6fd96f509c (diff)
mlx5 ipsec: Add VLAN tag to IPSec rules to prevent duplicates
Include VLAN tag in policy and SA outbound rules so that rules from VLAN interfaces differ from physical interface rules, preventing duplicate rule creation in VLAN configurations. Sponsored by: Nvidia networking MFC after: 1 week
Diffstat
-rw-r--r--sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c b/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c
index fb9ca94278db..d1f454a5ec41 100644
--- a/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c
+++ b/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c
@@ -1134,6 +1134,11 @@ static int tx_add_kspi_rule(struct mlx5e_ipsec_sa_entry *sa_entry,
setup_fte_no_frags(spec);
setup_fte_reg_a_with_tag(spec, sa_entry->kspi);
+ if (sa_entry->vid != VLAN_NONE)
+ setup_fte_vid(spec, sa_entry->vid);
+ else
+ setup_fte_no_vid(spec);
+
rule = mlx5_add_flow_rules(tx->ft.sa_kspi, spec, flow_act, dest, num_dest);
if (IS_ERR(rule)) {
err = PTR_ERR(rule);
@@ -1169,6 +1174,10 @@ static int tx_add_reqid_ip_rules(struct mlx5e_ipsec_sa_entry *sa_entry,
flow_act->flags |= FLOW_ACT_IGNORE_FLOW_LEVEL;
if(attrs->reqid) {
+ if (sa_entry->vid != VLAN_NONE)
+ setup_fte_vid(spec, sa_entry->vid);
+ else
+ setup_fte_no_vid(spec);
setup_fte_no_frags(spec);
setup_fte_reg_c0(spec, attrs->reqid);
rule = mlx5_add_flow_rules(tx->ft.sa, spec, flow_act, dest, num_dest);
@@ -1181,6 +1190,11 @@ static int tx_add_reqid_ip_rules(struct mlx5e_ipsec_sa_entry *sa_entry,
memset(spec, 0, sizeof(*spec));
}
+ if (sa_entry->vid != VLAN_NONE)
+ setup_fte_vid(spec, sa_entry->vid);
+ else
+ setup_fte_no_vid(spec);
+
if (attrs->family == AF_INET)
setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4);
else
@@ -1322,6 +1336,11 @@ static int tx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry)
goto err_mod_header;
}
+ if (attrs->vid != VLAN_NONE)
+ setup_fte_vid(spec, attrs->vid);
+ else
+ setup_fte_no_vid(spec);
+
flow_act.flags |= FLOW_ACT_NO_APPEND;
dest[dstn].ft = tx->ft.sa;
dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-09 19:48:40 +0000