Gitiles
Code Review Sign In
git01.mediatek.com / openwrt / feeds / mtk-openwrt-feeds / 0b1a6db365884640ac629265848f9ac4f8593368^! / . / feed / kernel / crypto-eip / src / xfrm-offload.c
commit0b1a6db365884640ac629265848f9ac4f8593368[log] [tgz]
authordeveloper <developer@mediatek.com>Mon Jul 01 16:11:43 2024 +0800
committerdeveloper <developer@mediatek.com>Wed Jul 10 10:55:12 2024 +0800
tree56712c50bfa2150c0e769c9131df7195be9a175e
parent6a3eb870d8d47926b91dfed93bca73257130e897 [diff] [blame]
[][openwrt][mt7988][crypto][Add support for route-based IPSec]

[Description]
Add support for route-based IPSec.

1. Refactor dst mac dicover for IPSec
In the past, we use tunnel dst IP to find a nexthop, then use nexthop
to find dst mac. However, for the route-based vti, we can't find the
real nexthop. We should use tunnel dst IP to find dst mac directly.

2. Add check for VTI
If the packet has passed through VTI (ex. route-based IPSec), the
'dev_queue_xmit' function called at network layer will cause both
skb->mac_header and skb->network_header to point to the IP header. In
this situation, 'skb_to_hnat_info' cannot correctly fill in the inner
layer information, and it needs to be filled in by
'hnat_bind_crypto_entry'.

[Release-log]
N/A


Change-Id: Ie63a7d18f0cee5b9caca63251fc5fba5f52f1ee3
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/9298628

diff --git a/feed/kernel/crypto-eip/src/xfrm-offload.c b/feed/kernel/crypto-eip/src/xfrm-offload.c
index 4954acc..56908ac 100644
--- a/feed/kernel/crypto-eip/src/xfrm-offload.c
+++ b/feed/kernel/crypto-eip/src/xfrm-offload.c

@@ -306,12 +306,9 @@
 static inline struct neighbour *mtk_crypto_find_dst_mac(struct sk_buff *skb,  struct xfrm_state *xs)
 {
 	struct neighbour *neigh;
-	u32 nexthop;
 	struct dst_entry *dst = skb_dst(skb);
-	struct rtable *rt = (struct rtable *) dst;
 
-	nexthop = (__force u32) rt_nexthop(rt, xs->id.daddr.a4);
-	neigh = __ipv4_neigh_lookup_noref(dst->dev, nexthop);
+	neigh = __ipv4_neigh_lookup_noref(dst->dev, xs->id.daddr.a4);
 	if (unlikely(!neigh)) {
 		CRYPTO_INFO("%s: %s No neigh (daddr=%pI4)\n", __func__, dst->dev->name,
 				&xs->id.daddr.a4);
@@ -329,6 +326,7 @@
 	struct mtk_xfrm_params *xfrm_params;
 	struct neighbour *neigh;
 	struct dst_entry *dst = skb_dst(skb);
+	int fill_inner_info = 0;
 
 	rcu_read_lock_bh();
 
@@ -338,6 +336,14 @@
 		return true;
 	}
 
+	/*
+	 * For packet has pass through VTI (route-based VTI)
+	 * The 'dev_queue_xmit' function called at network layer will cause both
+	 * skb->mac_header and skb->network_header to point to the IP header
+	 */
+	if (skb->mac_header == skb->network_header)
+		fill_inner_info = 1;
+
 	skb_push(skb, sizeof(struct ethhdr));
 	skb_reset_mac_header(skb);
 
@@ -357,7 +363,7 @@
 	 */
 	if (ra_sw_nat_hook_tx &&
 		((is_tops_udp_tunnel(skb) || is_tcp(skb)) && is_hnat_rate_reach(skb)))
-		hnat_bind_crypto_entry(skb, dst->dev);
+		hnat_bind_crypto_entry(skb, dst->dev, fill_inner_info);
 
 	/* Set magic tag for tport setting, reset to 0 after tport is set */
 	skb_hnat_magic_tag(skb) = HNAT_MAGIC_TAG;