git: de1da299daaa - main - ipsec_output(): add outcoming ifp argument

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Fri, 12 Jul 2024 11:24:54 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=de1da299daaa4d26f5a4aba733d9b2880dc0be59

commit de1da299daaa4d26f5a4aba733d9b2880dc0be59
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-01-25 10:54:47 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-07-12 03:29:31 +0000

    ipsec_output(): add outcoming ifp argument
    
    The information about the interface is needed to coordinate inline
    offloading of IPSEC processing with corresponding driver.
    
    Sponsored by:   NVIDIA networking
    Differential revision:  https://reviews.freebsd.org/D44223
---
 sys/net/if_ipsec.c           |  4 +--
 sys/netinet/ip_output.c      |  2 +-
 sys/netinet6/ip6_output.c    |  2 +-
 sys/netipsec/ipsec.h         |  5 ++--
 sys/netipsec/ipsec6.h        |  5 ++--
 sys/netipsec/ipsec_output.c  | 64 +++++++++++++++++++++++++-------------------
 sys/netipsec/ipsec_support.h | 11 ++++----
 sys/netipsec/subr_ipsec.c    |  4 +--
 8 files changed, 54 insertions(+), 43 deletions(-)

diff --git a/sys/net/if_ipsec.c b/sys/net/if_ipsec.c
index b503d0696691..bdf500431eff 100644
--- a/sys/net/if_ipsec.c
+++ b/sys/net/if_ipsec.c
@@ -415,12 +415,12 @@ ipsec_transmit(struct ifnet *ifp, struct mbuf *m)
 	switch (af) {
 #ifdef INET
 	case AF_INET:
-		error = ipsec4_process_packet(m, sp, NULL);
+		error = ipsec4_process_packet(ifp, m, sp, NULL);
 		break;
 #endif
 #ifdef INET6
 	case AF_INET6:
-		error = ipsec6_process_packet(m, sp, NULL);
+		error = ipsec6_process_packet(ifp, m, sp, NULL);
 		break;
 #endif
 	default:
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 28fb651a0bc9..77708f84c3e9 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -673,7 +673,7 @@ sendit:
 			error = ENOBUFS;
 			goto bad;
 		}
-		if ((error = IPSEC_OUTPUT(ipv4, m, inp)) != 0) {
+		if ((error = IPSEC_OUTPUT(ipv4, ifp, m, inp)) != 0) {
 			if (error == EINPROGRESS)
 				error = 0;
 			goto done;
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 530f86c36689..800fa691062f 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -462,7 +462,7 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
 			error = ENOBUFS;
 			goto bad;
 		}
-		if ((error = IPSEC_OUTPUT(ipv6, m, inp)) != 0) {
+		if ((error = IPSEC_OUTPUT(ipv6, ifp, m, inp)) != 0) {
 			if (error == EINPROGRESS)
 				error = 0;
 			goto done;
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 88594d250fdb..a90953531b99 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -336,8 +336,9 @@ void ipsec_setspidx_inpcb(struct inpcb *, struct secpolicyindex *, u_int);
 void ipsec4_setsockaddrs(const struct mbuf *, union sockaddr_union *,
     union sockaddr_union *);
 int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int);
-int ipsec4_check_pmtu(struct mbuf *, struct secpolicy *, int);
-int ipsec4_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *);
+int ipsec4_check_pmtu(struct ifnet *, struct mbuf *, struct secpolicy *, int);
+int ipsec4_process_packet(struct ifnet *, struct mbuf *, struct secpolicy *,
+    struct inpcb *);
 int ipsec_process_done(struct mbuf *, struct secpolicy *, struct secasvar *,
     u_int);
 
diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h
index 3adb332aeb73..9c5d6e695417 100644
--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@@ -66,8 +66,9 @@ struct secpolicy *ipsec6_checkpolicy(const struct mbuf *,
 void ipsec6_setsockaddrs(const struct mbuf *, union sockaddr_union *,
     union sockaddr_union *);
 int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int);
-int ipsec6_check_pmtu(struct mbuf *, struct secpolicy *, int);
-int ipsec6_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *);
+int ipsec6_check_pmtu(struct ifnet *, struct mbuf *, struct secpolicy *, int);
+int ipsec6_process_packet(struct ifnet *, struct mbuf *, struct secpolicy *,
+    struct inpcb *);
 
 int ip6_ipsec_filtertunnel(struct mbuf *);
 int ip6_ipsec_pcbctl(struct inpcb *, struct sockopt *);
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 707fe3421c97..08b6289ec1d5 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -110,7 +110,8 @@ static size_t ipsec_get_pmtu(struct secasvar *sav);
 
 #ifdef INET
 static struct secasvar *
-ipsec4_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error)
+ipsec4_allocsa(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp,
+    u_int *pidx, int *error)
 {
 	struct secasindex *saidx, tmpsaidx;
 	struct ipsecrequest *isr;
@@ -186,7 +187,7 @@ next:
  * IPsec output logic for IPv4.
  */
 static int
-ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp,
+ipsec4_perform_request(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp,
     struct inpcb *inp, u_int idx)
 {
 	struct ipsec_ctx_data ctx;
@@ -206,7 +207,7 @@ ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp,
 	 * determine next transform. At the end of transform we can
 	 * release reference to SP.
 	 */
-	sav = ipsec4_allocsa(m, sp, &idx, &error);
+	sav = ipsec4_allocsa(ifp, m, sp, &idx, &error);
 	if (sav == NULL) {
 		if (error == EJUSTRETURN) { /* No IPsec required */
 			key_freesp(&sp);
@@ -288,15 +289,16 @@ bad:
 }
 
 int
-ipsec4_process_packet(struct mbuf *m, struct secpolicy *sp,
+ipsec4_process_packet(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp,
     struct inpcb *inp)
 {
 
-	return (ipsec4_perform_request(m, sp, inp, 0));
+	return (ipsec4_perform_request(ifp, m, sp, inp, 0));
 }
 
 int
-ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
+ipsec4_check_pmtu(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp,
+    int forwarding)
 {
 	struct secasvar *sav;
 	struct ip *ip;
@@ -317,7 +319,7 @@ ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
 
 setdf:
 	idx = sp->tcount - 1;
-	sav = ipsec4_allocsa(m, sp, &idx, &error);
+	sav = ipsec4_allocsa(ifp, m, sp, &idx, &error);
 	if (sav == NULL) {
 		key_freesp(&sp);
 		/*
@@ -368,7 +370,8 @@ setdf:
 }
 
 static int
-ipsec4_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
+ipsec4_common_output(struct ifnet *ifp, struct mbuf *m, struct inpcb *inp,
+    int forwarding)
 {
 	struct secpolicy *sp;
 	int error;
@@ -412,7 +415,7 @@ ipsec4_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
 #endif
 	}
 	/* NB: callee frees mbuf and releases reference to SP */
-	error = ipsec4_check_pmtu(m, sp, forwarding);
+	error = ipsec4_check_pmtu(ifp, m, sp, forwarding);
 	if (error != 0) {
 		if (error == EJUSTRETURN)
 			return (0);
@@ -420,7 +423,7 @@ ipsec4_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
 		return (error);
 	}
 
-	error = ipsec4_process_packet(m, sp, inp);
+	error = ipsec4_process_packet(ifp, m, sp, inp);
 	if (error == EJUSTRETURN) {
 		/*
 		 * We had a SP with a level of 'use' and no SA. We
@@ -440,7 +443,7 @@ ipsec4_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
  * other values - mbuf consumed by IPsec.
  */
 int
-ipsec4_output(struct mbuf *m, struct inpcb *inp)
+ipsec4_output(struct ifnet *ifp, struct mbuf *m, struct inpcb *inp)
 {
 
 	/*
@@ -451,7 +454,7 @@ ipsec4_output(struct mbuf *m, struct inpcb *inp)
 	if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL)
 		return (0);
 
-	return (ipsec4_common_output(m, inp, 0));
+	return (ipsec4_common_output(ifp, m, inp, 0));
 }
 
 /*
@@ -471,7 +474,7 @@ ipsec4_forward(struct mbuf *m)
 		m_freem(m);
 		return (EACCES);
 	}
-	return (ipsec4_common_output(m, NULL, 1));
+	return (ipsec4_common_output(NULL /* XXXKIB */, m, NULL, 1));
 }
 #endif
 
@@ -491,7 +494,8 @@ in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa,
 }
 
 static struct secasvar *
-ipsec6_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error)
+ipsec6_allocsa(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp,
+    u_int *pidx, int *error)
 {
 	struct secasindex *saidx, tmpsaidx;
 	struct ipsecrequest *isr;
@@ -579,7 +583,7 @@ next:
  * IPsec output logic for IPv6.
  */
 static int
-ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp,
+ipsec6_perform_request(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp,
     struct inpcb *inp, u_int idx)
 {
 	struct ipsec_ctx_data ctx;
@@ -590,7 +594,7 @@ ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp,
 
 	IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx));
 
-	sav = ipsec6_allocsa(m, sp, &idx, &error);
+	sav = ipsec6_allocsa(ifp, m, sp, &idx, &error);
 	if (sav == NULL) {
 		if (error == EJUSTRETURN) { /* No IPsec required */
 			key_freesp(&sp);
@@ -671,18 +675,19 @@ bad:
 }
 
 int
-ipsec6_process_packet(struct mbuf *m, struct secpolicy *sp,
+ipsec6_process_packet(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp,
     struct inpcb *inp)
 {
 
-	return (ipsec6_perform_request(m, sp, inp, 0));
+	return (ipsec6_perform_request(ifp, m, sp, inp, 0));
 }
 
 /*
  * IPv6 implementation is based on IPv4 implementation.
  */
 int
-ipsec6_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
+ipsec6_check_pmtu(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp,
+    int forwarding)
 {
 	struct secasvar *sav;
 	size_t hlen, pmtu;
@@ -699,7 +704,7 @@ ipsec6_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
 		return (0);
 
 	idx = sp->tcount - 1;
-	sav = ipsec6_allocsa(m, sp, &idx, &error);
+	sav = ipsec6_allocsa(ifp, m, sp, &idx, &error);
 	if (sav == NULL) {
 		key_freesp(&sp);
 		/*
@@ -745,7 +750,8 @@ ipsec6_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
 }
 
 static int
-ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
+ipsec6_common_output(struct ifnet *ifp, struct mbuf *m, struct inpcb *inp,
+    int forwarding)
 {
 	struct secpolicy *sp;
 	int error;
@@ -779,7 +785,7 @@ ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
 #endif
 	}
 
-	error = ipsec6_check_pmtu(m, sp, forwarding);
+	error = ipsec6_check_pmtu(ifp, m, sp, forwarding);
 	if (error != 0) {
 		if (error == EJUSTRETURN)
 			return (0);
@@ -788,7 +794,7 @@ ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
 	}
 
 	/* NB: callee frees mbuf and releases reference to SP */
-	error = ipsec6_process_packet(m, sp, inp);
+	error = ipsec6_process_packet(ifp, m, sp, inp);
 	if (error == EJUSTRETURN) {
 		/*
 		 * We had a SP with a level of 'use' and no SA. We
@@ -808,7 +814,7 @@ ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
  * other values - mbuf consumed by IPsec.
  */
 int
-ipsec6_output(struct mbuf *m, struct inpcb *inp)
+ipsec6_output(struct ifnet *ifp, struct mbuf *m, struct inpcb *inp)
 {
 
 	/*
@@ -819,7 +825,7 @@ ipsec6_output(struct mbuf *m, struct inpcb *inp)
 	if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL)
 		return (0);
 
-	return (ipsec6_common_output(m, inp, 0));
+	return (ipsec6_common_output(ifp, m, inp, 0));
 }
 
 /*
@@ -839,7 +845,7 @@ ipsec6_forward(struct mbuf *m)
 		m_freem(m);
 		return (EACCES);
 	}
-	return (ipsec6_common_output(m, NULL, 1));
+	return (ipsec6_common_output(NULL /* XXXKIB */, m, NULL, 1));
 }
 #endif /* INET6 */
 
@@ -916,14 +922,16 @@ ipsec_process_done(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
 		case AF_INET:
 			key_freesav(&sav);
 			IPSECSTAT_INC(ips_out_bundlesa);
-			return (ipsec4_perform_request(m, sp, NULL, idx));
+			return (ipsec4_perform_request(NULL, m, sp, NULL,
+			    idx));
 			/* NOTREACHED */
 #endif
 #ifdef INET6
 		case AF_INET6:
 			key_freesav(&sav);
 			IPSEC6STAT_INC(ips_out_bundlesa);
-			return (ipsec6_perform_request(m, sp, NULL, idx));
+			return (ipsec6_perform_request(NULL, m, sp, NULL,
+			    idx));
 			/* NOTREACHED */
 #endif /* INET6 */
 		default:
diff --git a/sys/netipsec/ipsec_support.h b/sys/netipsec/ipsec_support.h
index b7be62104d12..96d753f48f42 100644
--- a/sys/netipsec/ipsec_support.h
+++ b/sys/netipsec/ipsec_support.h
@@ -29,6 +29,7 @@
 
 #ifdef _KERNEL
 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
+struct ifnet;
 struct mbuf;
 struct inpcb;
 struct tcphdr;
@@ -58,7 +59,7 @@ int ipsec4_in_reject(const struct mbuf *, struct inpcb *);
 int ipsec4_input(struct mbuf *, int, int);
 int ipsec4_forward(struct mbuf *);
 int ipsec4_pcbctl(struct inpcb *, struct sockopt *);
-int ipsec4_output(struct mbuf *, struct inpcb *);
+int ipsec4_output(struct ifnet *, struct mbuf *, struct inpcb *);
 int ipsec4_capability(struct mbuf *, u_int);
 int ipsec4_ctlinput(ipsec_ctlinput_param_t);
 #endif /* INET */
@@ -68,7 +69,7 @@ int ipsec6_input(struct mbuf *, int, int);
 int ipsec6_in_reject(const struct mbuf *, struct inpcb *);
 int ipsec6_forward(struct mbuf *);
 int ipsec6_pcbctl(struct inpcb *, struct sockopt *);
-int ipsec6_output(struct mbuf *, struct inpcb *);
+int ipsec6_output(struct ifnet *, struct mbuf *, struct inpcb *);
 int ipsec6_capability(struct mbuf *, u_int);
 int ipsec6_ctlinput(ipsec_ctlinput_param_t);
 #endif /* INET6 */
@@ -77,7 +78,7 @@ struct ipsec_methods {
 	int	(*input)(struct mbuf *, int, int);
 	int	(*check_policy)(const struct mbuf *, struct inpcb *);
 	int	(*forward)(struct mbuf *);
-	int	(*output)(struct mbuf *, struct inpcb *);
+	int	(*output)(struct ifnet *, struct mbuf *, struct inpcb *);
 	int	(*pcbctl)(struct inpcb *, struct sockopt *);
 	size_t	(*hdrsize)(struct inpcb *);
 	int	(*capability)(struct mbuf *, u_int);
@@ -187,8 +188,8 @@ int ipsec_kmod_input(struct ipsec_support * const, struct mbuf *, int, int);
 int ipsec_kmod_check_policy(struct ipsec_support * const, struct mbuf *,
     struct inpcb *);
 int ipsec_kmod_forward(struct ipsec_support * const, struct mbuf *);
-int ipsec_kmod_output(struct ipsec_support * const, struct mbuf *,
-    struct inpcb *);
+int ipsec_kmod_output(struct ipsec_support * const, struct ifnet *,
+    struct mbuf *, struct inpcb *);
 int ipsec_kmod_pcbctl(struct ipsec_support * const, struct inpcb *,
     struct sockopt *);
 int ipsec_kmod_capability(struct ipsec_support * const, struct mbuf *, u_int);
diff --git a/sys/netipsec/subr_ipsec.c b/sys/netipsec/subr_ipsec.c
index a1eb8f220525..46b3439908ce 100644
--- a/sys/netipsec/subr_ipsec.c
+++ b/sys/netipsec/subr_ipsec.c
@@ -369,8 +369,8 @@ IPSEC_KMOD_METHOD(int, ipsec_kmod_ctlinput, sc,
 )
 
 IPSEC_KMOD_METHOD(int, ipsec_kmod_output, sc,
-    output, METHOD_DECL(struct ipsec_support * const sc, struct mbuf *m,
-	struct inpcb *inp), METHOD_ARGS(m, inp)
+    output, METHOD_DECL(struct ipsec_support * const sc, struct ifnet *ifp,
+    struct mbuf *m, struct inpcb *inp), METHOD_ARGS(ifp, m, inp)
 )
 
 IPSEC_KMOD_METHOD(int, ipsec_kmod_pcbctl, sc,