Message ID | 20200120201823.887937-3-antoine.tenart@bootlin.com |
---|---|
State | Changes Requested |
Delegated to: | David Ahern |
Headers | show |
Series | macsec: add offloading support | expand |
On 1/20/20 1:18 PM, Antoine Tenart wrote: > MacSEC can now be offloaded to specialized hardware devices. Offloading > is off by default when creating a new MACsec interface, but the mode can > be updated at runtime. This patch adds a new subcommand, > `ip macsec offload`, to allow users to select the offloading mode of a > MACsec interface. It takes the mode to switch to as an argument, which > can for now either be 'off' or 'phy': > > # ip macsec offload macsec0 phy > # ip macsec offload macsec0 off seems like this should fall under 'ip macsec set ...' Sabrina: thoughts?
2020-01-27, 09:44:09 -0700, David Ahern wrote: > On 1/20/20 1:18 PM, Antoine Tenart wrote: > > MacSEC can now be offloaded to specialized hardware devices. Offloading > > is off by default when creating a new MACsec interface, but the mode can > > be updated at runtime. This patch adds a new subcommand, > > `ip macsec offload`, to allow users to select the offloading mode of a > > MACsec interface. It takes the mode to switch to as an argument, which > > can for now either be 'off' or 'phy': > > > > # ip macsec offload macsec0 phy > > # ip macsec offload macsec0 off > > seems like this should fall under 'ip macsec set ...' > > Sabrina: thoughts? The difference is that the other "set" commands also have an "add"/"del" counterpart. "offload" would only have "set", so that would be a bit inconsistent. Either way seems acceptable. Another possibility is to see offloading as a property of the macsec interface. Then it could be set on creation (ip link add ... type macsec offload phy), or modified by link change, like other device-wide properties (say, icvlen). But then I guess the netlink API would need to be different... In that case, the "offload: X" line of the output should also be integrated with the other device properties (icvlen etc).
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c index db7202ceb0a7..28272bc25a19 100644 --- a/ip/ipmacsec.c +++ b/ip/ipmacsec.c @@ -98,6 +98,7 @@ static void ipmacsec_usage(void) " ip macsec del DEV rx SCI sa { 0..3 }\n" " ip macsec show\n" " ip macsec show DEV\n" + " ip macsec offload DEV [ off | phy ]\n" "where OPTS := [ pn <u32> ] [ on | off ]\n" " ID := 128-bit hex string\n" " KEY := 128-bit or 256-bit hex string\n" @@ -359,6 +360,7 @@ enum cmd { CMD_ADD, CMD_DEL, CMD_UPD, + CMD_OFFLOAD, __CMD_MAX }; @@ -375,6 +377,9 @@ static const enum macsec_nl_commands macsec_commands[__CMD_MAX][2][2] = { [0] = {-1, MACSEC_CMD_DEL_RXSC}, [1] = {MACSEC_CMD_DEL_TXSA, MACSEC_CMD_DEL_RXSA}, }, + [CMD_OFFLOAD] = { + [0] = {-1, MACSEC_CMD_UPD_OFFLOAD }, + }, }; static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex, @@ -534,6 +539,44 @@ static int do_modify(enum cmd c, int argc, char **argv) return -1; } +static int do_offload(enum cmd c, int argc, char **argv) +{ + enum macsec_offload offload; + struct rtattr *attr; + int ifindex, ret; + + if (argc == 0) + ipmacsec_usage(); + + ifindex = ll_name_to_index(*argv); + if (!ifindex) { + fprintf(stderr, "Device \"%s\" does not exist.\n", *argv); + return -1; + } + argc--; argv++; + + if (argc == 0) + ipmacsec_usage(); + + ret = one_of("offload", *argv, offload_str, ARRAY_SIZE(offload_str), + (int *)&offload); + if (ret) + ipmacsec_usage(); + + MACSEC_GENL_REQ(req, MACSEC_BUFLEN, macsec_commands[c][0][1], NLM_F_REQUEST); + + addattr32(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_IFINDEX, ifindex); + + attr = addattr_nest(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_OFFLOAD); + addattr8(&req.n, MACSEC_BUFLEN, MACSEC_OFFLOAD_ATTR_TYPE, offload); + addattr_nest_end(&req.n, attr); + + if (rtnl_talk(&genl_rth, &req.n, NULL) < 0) + return -2; + + return 0; +} + /* dump/show */ static struct { int ifindex; @@ -1086,6 +1129,8 @@ int do_ipmacsec(int argc, char **argv) return do_modify(CMD_UPD, argc-1, argv+1); if (matches(*argv, "delete") == 0) return do_modify(CMD_DEL, argc-1, argv+1); + if (matches(*argv, "offload") == 0) + return do_offload(CMD_OFFLOAD, argc-1, argv+1); fprintf(stderr, "Command \"%s\" is unknown, try \"ip macsec help\".\n", *argv);
MacSEC can now be offloaded to specialized hardware devices. Offloading is off by default when creating a new MACsec interface, but the mode can be updated at runtime. This patch adds a new subcommand, `ip macsec offload`, to allow users to select the offloading mode of a MACsec interface. It takes the mode to switch to as an argument, which can for now either be 'off' or 'phy': # ip macsec offload macsec0 phy # ip macsec offload macsec0 off Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com> --- ip/ipmacsec.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+)