git: 84d688af4e62 - main - mlx5 ipsec: Add VLAN tag to IPSec rules to prevent duplicates

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Fri, 26 Sep 2025 06:40:58 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=84d688af4e625e159af65cd2432af88609d4962a

commit 84d688af4e625e159af65cd2432af88609d4962a
Author:     Ariel Ehrenberg <aehrenberg@nvidia.com>
AuthorDate: 2025-09-17 13:17:46 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2025-09-26 06:32:10 +0000

    mlx5 ipsec: Add VLAN tag to IPSec rules to prevent duplicates
    
    Include VLAN tag in policy and SA outbound rules so that rules from
    VLAN interfaces differ from physical interface rules, preventing
    duplicate rule creation in VLAN configurations.
    
    Sponsored by:   Nvidia networking
    MFC after:      1 week
---
 sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c b/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c
index fb9ca94278db..d1f454a5ec41 100644
--- a/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c
+++ b/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c
@@ -1134,6 +1134,11 @@ static int tx_add_kspi_rule(struct mlx5e_ipsec_sa_entry *sa_entry,
 	setup_fte_no_frags(spec);
 	setup_fte_reg_a_with_tag(spec, sa_entry->kspi);
 
+	if (sa_entry->vid != VLAN_NONE)
+		setup_fte_vid(spec, sa_entry->vid);
+	else
+		setup_fte_no_vid(spec);
+
 	rule = mlx5_add_flow_rules(tx->ft.sa_kspi, spec, flow_act, dest, num_dest);
 	if (IS_ERR(rule)) {
 		err = PTR_ERR(rule);
@@ -1169,6 +1174,10 @@ static int tx_add_reqid_ip_rules(struct mlx5e_ipsec_sa_entry *sa_entry,
 	flow_act->flags |= FLOW_ACT_IGNORE_FLOW_LEVEL;
 
 	if(attrs->reqid) {
+		if (sa_entry->vid != VLAN_NONE)
+			setup_fte_vid(spec, sa_entry->vid);
+		else
+			setup_fte_no_vid(spec);
 		setup_fte_no_frags(spec);
 		setup_fte_reg_c0(spec, attrs->reqid);
 		rule = mlx5_add_flow_rules(tx->ft.sa, spec, flow_act, dest, num_dest);
@@ -1181,6 +1190,11 @@ static int tx_add_reqid_ip_rules(struct mlx5e_ipsec_sa_entry *sa_entry,
 		memset(spec, 0, sizeof(*spec));
 	}
 
+	if (sa_entry->vid != VLAN_NONE)
+		setup_fte_vid(spec, sa_entry->vid);
+	else
+		setup_fte_no_vid(spec);
+
 	if (attrs->family == AF_INET)
 		setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4);
 	else
@@ -1322,6 +1336,11 @@ static int tx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry)
                 goto err_mod_header;
         }
 
+        if (attrs->vid != VLAN_NONE)
+                setup_fte_vid(spec, attrs->vid);
+        else
+                setup_fte_no_vid(spec);
+
         flow_act.flags |= FLOW_ACT_NO_APPEND;
         dest[dstn].ft = tx->ft.sa;
         dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;