Re: [PATCH net-next] flow_dissector: Add IPSEC dissectors

From: Ido Schimmel
Date: Tue Jul 25 2023 - 06:12:56 EST


On Tue, Jul 25, 2023 at 08:54:51AM +0530, Ratheesh Kannoth wrote:
> Support for dissecting IPSEC field SPI (which is
> 32bits in size) for ESP and AH packets.
>
> This implementation does not support NAT-T
> (encapsulation of ESP packets over UDP).
>
> Signed-off-by: Ratheesh Kannoth <rkannoth@xxxxxxxxxxx>
> ---
> include/net/flow_dissector.h | 9 ++++++
> include/net/flow_offload.h | 6 ++++
> include/uapi/linux/pkt_cls.h | 3 ++
> net/core/flow_dissector.c | 53 +++++++++++++++++++++++++++++++++++-
> net/core/flow_offload.c | 7 +++++
> net/sched/cls_flower.c | 18 ++++++++++++

Please split flow dissector and flower changes into separate patches.
Also, you can't add the flow offload bits without a corresponding driver
change. Nobody calls the exported flow_rule_match_ipsec() function.

[...]

> diff --git a/include/uapi/linux/pkt_cls.h b/include/uapi/linux/pkt_cls.h
> index 7865f5a9885b..a90b0e3d351f 100644
> --- a/include/uapi/linux/pkt_cls.h
> +++ b/include/uapi/linux/pkt_cls.h
> @@ -594,6 +594,9 @@ enum {
>
> TCA_FLOWER_KEY_L2TPV3_SID, /* be32 */
>
> + TCA_FLOWER_KEY_SPI, /* be32 */
> + TCA_FLOWER_KEY_SPI_MASK, /* be32 */
> +

This will break existing user space on new kernels. New attributes must
be added at the end.

> TCA_FLOWER_L2_MISS, /* u8 */
>
> TCA_FLOWER_KEY_CFM, /* nested */
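
Review bot: In the enum hunk for include/uapi/linux/pkt_cls.h, TCA_FLOWER_KEY_SPI and TCA_FLOWER_KEY_SPI_MASK are inserted between TCA_FLOWER_KEY_L2TPV3_SID and TCA_FLOWER_L2_MISS, which shifts the numeric values of TCA_FLOWER_L2_MISS and TCA_FLOWER_KEY_CFM by two. This is a uapi header, so a binary built against the current header would have its L2_MISS and CFM attributes read under different numbers by a kernel carrying this patch. Move the two new entries after the last existing attribute in the enum so every existing value stays unchanged. As a smaller style point, the neighbouring key carries its protocol in the name (TCA_FLOWER_KEY_L2TPV3_SID), while TCA_FLOWER_KEY_SPI does not; a protocol-prefixed name would make it clear that this is the ESP/AH SPI described in the commit message.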