ixgbe: fail to create xfrm offload of IPsec tunnel mode SA

BugLink: https://bugs.launchpad.net/bugs/1919492
commit d785e1fec60179f534fbe8d006c890e5ad186e51 upstream.

Based on talks and indirect references ixgbe IPsec offlod do not
support IPsec tunnel mode offload. It can only support IPsec transport
mode offload. Now explicitly fail when creating non transport mode SA
with offload to avoid false performance expectations.

Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA")
Signed-off-by: Antony Antony <antony@phenome.org>
Acked-by: Shannon Nelson <snelson@pensando.io>
Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index eca73526ac86bc609d560023596b9d2391caead0..54d47265a7ac1038e3e5ab8938f6aab3238ce8c9 100644 (file)
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -575,6 +575,11 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
                return -EINVAL;
        }
 
+       if (xs->props.mode != XFRM_MODE_TRANSPORT) {
+               netdev_err(dev, "Unsupported mode for ipsec offload\n");
+               return -EINVAL;
+       }
+
        if (ixgbe_ipsec_check_mgmt_ip(xs)) {
                netdev_err(dev, "IPsec IP addr clash with mgmt filters\n");
                return -EINVAL;

diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
index 5170dd9d8705b0b6467151b9154e5f7b2ea8d78a..caaea2c920a6e48d08abc13501996960755dbdea 100644 (file)
--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
@@ -272,6 +272,11 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
                return -EINVAL;
        }
 
+       if (xs->props.mode != XFRM_MODE_TRANSPORT) {
+               netdev_err(dev, "Unsupported mode for ipsec offload\n");
+               return -EINVAL;
+       }
+
        if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
                struct rx_sa rsa;