mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-11-26 20:12:44 +00:00
ef2a572bf6
Inline IPSEC offload moves almost whole IPSEC processing from the CPU/MCU and possibly crypto accelerator, to the network card. The transmitted packet content is not touched by CPU during TX operations, kernel only does the required policy and security association lookups to find out that given flow is offloaded, and then packet is transmitted as plain text to the card. For driver convenience, a metadata is attached to the packet identifying SA which must process the packet. Card does encryption of the payload, padding, calculates authentication, and does the reformat according to the policy. Similarly, on receive, card does the decapsulation, decryption, and authentification. Kernel receives the identifier of SA that was used to process the packet, together with the plain-text packet. Overall, payload octets are only read or written by card DMA engine, removing a lot of memory subsystem overhead, and saving CPU time because IPSEC algos calculations are avoided. If driver declares support for inline IPSEC offload (with the IFCAP2_IPSEC_OFFLOAD capability set and registering method table struct if_ipsec_accel_methods), kernel offers the SPD and SAD to driver. Driver decides which policies and SAs can be offloaded based on hardware capacity, and acks/nacks each SA for given interface to kernel. Kernel needs to keep this information to make a decision to skip software processing on TX, and to assume processing already done on RX. This shadow SPD/SAD database of offloads is rooted from policies (struct secpolicy accel_ifps, struct ifp_handle_sp) and SAs (struct secasvar accel_ipfs, struct ifp_handle_sav). Some extensions to the PF_KEY socket allow to limit interfaces for which given SP/SA could be offloaded (proposed for offload). Also, additional statistics extensions allow to observe allocation/octet/use counters for specific SA. Since SPs and SAs are typically instantiated in non-sleepable context, while offloading them into card is expected to require costly async manipulations of the card state, calls to the driver for offload and termination are executed in the threaded taskqueue. It also solves the issue of allocating resources needed for the offload database. Neither ipf_handle_sp nor ipf_handle_sav do not add reference to the owning SP/SA, the offload must be terminated before last reference is dropped. ipsec_accel only adds transient references to ensure safe pointer ownership by taskqueue. Maintaining the SA counters for hardware-accelerated packets is the duty of the driver. The helper ipsec_accel_drv_sa_lifetime_update() is provided to hide accel infrastructure from drivers which would use expected callout to query hardware periodically for updates. Reviewed by: rscheff (transport, stack integration), np Sponsored by: NVIDIA networking Differential revision: https://reviews.freebsd.org/D44219
107 lines
3.9 KiB
C
107 lines
3.9 KiB
C
/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
|
|
|
|
/*-
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
*
|
|
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the name of the project nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifndef _NETIPSEC_KEY_H_
|
|
#define _NETIPSEC_KEY_H_
|
|
|
|
#ifdef _KERNEL
|
|
|
|
struct mbuf;
|
|
struct secpolicy;
|
|
struct secpolicyindex;
|
|
struct secasvar;
|
|
struct sockaddr;
|
|
struct socket;
|
|
struct sadb_msg;
|
|
struct sadb_x_policy;
|
|
struct secasindex;
|
|
union sockaddr_union;
|
|
struct xformsw;
|
|
|
|
struct secpolicy *key_newsp(void);
|
|
struct secpolicy *key_allocsp(struct secpolicyindex *, u_int);
|
|
struct secpolicy *key_do_allocsp(struct secpolicyindex *spidx, u_int dir);
|
|
struct secpolicy *key_msg2sp(struct sadb_x_policy *, size_t, int *);
|
|
int key_sp2msg(struct secpolicy *, void *, size_t *);
|
|
void key_addref(struct secpolicy *);
|
|
void key_freesp(struct secpolicy **);
|
|
int key_spdacquire(struct secpolicy *);
|
|
int key_havesp(u_int);
|
|
int key_havesp_any(void);
|
|
void key_bumpspgen(void);
|
|
uint32_t key_getspgen(void);
|
|
uint32_t key_newreqid(void);
|
|
struct mbuf *key_setaccelif(const char *ifname);
|
|
|
|
struct secasvar *key_allocsa(union sockaddr_union *, uint8_t, uint32_t);
|
|
struct secasvar *key_allocsa_tunnel(union sockaddr_union *,
|
|
union sockaddr_union *, uint8_t);
|
|
struct secasvar *key_allocsa_policy(struct secpolicy *,
|
|
const struct secasindex *, int *);
|
|
struct secasvar *key_allocsa_tcpmd5(struct secasindex *);
|
|
void key_freesav(struct secasvar **);
|
|
|
|
int key_sockaddrcmp(const struct sockaddr *, const struct sockaddr *, int);
|
|
int key_sockaddrcmp_withmask(const struct sockaddr *, const struct sockaddr *,
|
|
size_t);
|
|
|
|
int key_register_ifnet(struct secpolicy **, u_int);
|
|
void key_unregister_ifnet(struct secpolicy **, u_int);
|
|
|
|
void key_delete_xform(const struct xformsw *);
|
|
|
|
extern u_long key_random(void);
|
|
extern void key_freereg(struct socket *);
|
|
extern int key_parse(struct mbuf *, struct socket *);
|
|
extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
|
|
uint16_t key_portfromsaddr(struct sockaddr *);
|
|
void key_porttosaddr(struct sockaddr *, uint16_t port);
|
|
|
|
struct rm_priotracker;
|
|
void ipsec_sahtree_runlock(struct rm_priotracker *);
|
|
void ipsec_sahtree_rlock(struct rm_priotracker *);
|
|
|
|
#ifdef MALLOC_DECLARE
|
|
MALLOC_DECLARE(M_IPSEC_SA);
|
|
MALLOC_DECLARE(M_IPSEC_SAH);
|
|
MALLOC_DECLARE(M_IPSEC_SP);
|
|
MALLOC_DECLARE(M_IPSEC_SR);
|
|
MALLOC_DECLARE(M_IPSEC_MISC);
|
|
MALLOC_DECLARE(M_IPSEC_SAQ);
|
|
MALLOC_DECLARE(M_IPSEC_SAR);
|
|
MALLOC_DECLARE(M_IPSEC_INPCB);
|
|
#endif /* MALLOC_DECLARE */
|
|
|
|
#endif /* defined(_KERNEL) */
|
|
#endif /* _NETIPSEC_KEY_H_ */
|