sys/net: Add IPSEC_OFFLOAD interface cap and methods structure

Reviewed by:	glebius
Sponsored by:	NVIDIA networking
Differential revision:	https://reviews.freebsd.org/D44314

sys/net/if.c

@@ -2392,6 +2392,7 @@ const struct ifcap_nv_bit_name ifcap_nv_bit_names[] = {
 const struct ifcap_nv_bit_name ifcap2_nv_bit_names[] = {
 	CAP2NV(RXTLS4),
 	CAP2NV(RXTLS6),
+	CAP2NV(IPSEC_OFFLOAD),
 	{0, NULL}
 };
 #undef CAPNV
@@ -5149,6 +5150,12 @@ if_getl2com(if_t ifp)
 	return (ifp->if_l2com);
 }
 
+void
+if_setipsec_accel_methods(if_t ifp, const struct if_ipsec_accel_methods *m)
+{
+	ifp->if_ipsec_accel_m = m;
+}
+
 #ifdef DDB
 static void
 if_show_ifnet(struct ifnet *ifp)

sys/net/if.h

@@ -255,7 +255,8 @@ struct if_data {
 #define	IFCAP_B_TXTLS_RTLMT	31 /* can do TLS with rate limiting */
 #define	IFCAP_B_RXTLS4		32 /* can to TLS receive for TCP */
 #define	IFCAP_B_RXTLS6		33 /* can to TLS receive for TCP6 */
-#define	__IFCAP_B_SIZE		34
+#define	IFCAP_B_IPSEC_OFFLOAD	34 /* inline IPSEC offload */
+#define	__IFCAP_B_SIZE		35
 
 #define	IFCAP_B_MAX	(__IFCAP_B_MAX - 1)
 #define	IFCAP_B_SIZE	(__IFCAP_B_SIZE)
@@ -298,6 +299,7 @@ struct if_data {
 /* IFCAP2_* are integers, not bits. */
 #define	IFCAP2_RXTLS4		(IFCAP_B_RXTLS4 - 32)
 #define	IFCAP2_RXTLS6		(IFCAP_B_RXTLS6 - 32)
+#define	IFCAP2_IPSEC_OFFLOAD	(IFCAP_B_IPSEC_OFFLOAD - 32)
 
 #define	IFCAP2_BIT(x)		(1UL << (x))
 

sys/net/if_private.h

@@ -138,6 +138,8 @@ struct ifnet {
 	int	(*if_requestencap)	/* make link header from request */
 		(struct ifnet *, struct if_encap_req *);
 
+	const struct if_ipsec_accel_methods *if_ipsec_accel_m;
+
 	/* Statistics. */
 	counter_u64_t	if_counters[IFCOUNTERS];
 

sys/net/if_strings.h

@@ -60,9 +60,11 @@
 #define	IFCAP_TXTLS_RTLMT_NAME		"TXTLS_RTLMT"
 #define	IFCAP_RXTLS4_NAME		"RXTLS4"
 #define	IFCAP_RXTLS6_NAME		"RXTLS6"
+#define	IFCAP_IPSEC_OFFLOAD_NAME	"IPSEC"
 
 #define	IFCAP2_RXTLS4_NAME	IFCAP_RXTLS4_NAME
 #define	IFCAP2_RXTLS6_NAME	IFCAP_RXTLS6_NAME
+#define	IFCAP2_IPSEC_OFFLOAD_NAME IFCAP_IPSEC_OFFLOAD_NAME
 
 static const char *ifcap_bit_names[] = {
 	IFCAP_RXCSUM_NAME,
@@ -99,6 +101,7 @@ static const char *ifcap_bit_names[] = {
 	IFCAP_TXTLS_RTLMT_NAME,
 	IFCAP_RXTLS4_NAME,
 	IFCAP_RXTLS6_NAME,
+	IFCAP_IPSEC_OFFLOAD_NAME,
 };
 
 #ifdef IFCAP_B_SIZE

sys/net/if_var.h

@@ -131,6 +131,23 @@ typedef void (*if_qflush_fn_t)(if_t);
 typedef int (*if_transmit_fn_t)(if_t, struct mbuf *);
 typedef	uint64_t (*if_get_counter_t)(if_t, ift_counter);
 typedef	void (*if_reassign_fn_t)(if_t, struct vnet *, char *);
+typedef int (*if_spdadd_fn_t)(if_t, void *sp, void *inp, void **priv);
+typedef int (*if_spddel_fn_t)(if_t, void *sp, void *priv);
+typedef int (*if_sa_newkey_fn_t)(if_t ifp, void *sav, u_int drv_spi,
+    void **privp);
+typedef int (*if_sa_deinstall_fn_t)(if_t ifp, u_int drv_spi, void *priv);
+struct seclifetime;
+#define	IF_SA_CNT_UPD	0x80000000
+enum IF_SA_CNT_WHICH {
+	IF_SA_CNT_IFP_HW_VAL = 1,
+	IF_SA_CNT_TOTAL_SW_VAL,
+	IF_SA_CNT_TOTAL_HW_VAL,
+	IF_SA_CNT_IFP_HW_UPD = IF_SA_CNT_IFP_HW_VAL | IF_SA_CNT_UPD,
+	IF_SA_CNT_TOTAL_SW_UPD = IF_SA_CNT_TOTAL_SW_VAL | IF_SA_CNT_UPD,
+	IF_SA_CNT_TOTAL_HW_UPD = IF_SA_CNT_TOTAL_HW_VAL | IF_SA_CNT_UPD,
+};
+typedef int (*if_sa_cnt_fn_t)(if_t ifp, void *sa,
+    uint32_t drv_spi, void *priv, struct seclifetime *lt);
 
 struct ifnet_hw_tsomax {
 	u_int	tsomaxbytes;	/* TSO total burst length limit in bytes */
@@ -700,6 +717,19 @@ void if_setdebugnet_methods(if_t, struct debugnet_methods *);
 void if_setreassignfn(if_t ifp, if_reassign_fn_t);
 void if_setratelimitqueryfn(if_t ifp, if_ratelimit_query_t);
 
+/*
+ * NB: The interface is not yet stable, drivers implementing IPSEC
+ * offload need to be prepared to adapt to changes.
+ */
+struct if_ipsec_accel_methods {
+	if_spdadd_fn_t		if_spdadd;
+	if_spddel_fn_t		if_spddel;
+	if_sa_newkey_fn_t	if_sa_newkey;
+	if_sa_deinstall_fn_t	if_sa_deinstall;
+	if_sa_cnt_fn_t		if_sa_cnt;
+};
+void if_setipsec_accel_methods(if_t ifp, const struct if_ipsec_accel_methods *);
+
 /* TSO */
 void if_hw_tsomax_common(if_t ifp, struct ifnet_hw_tsomax *);
 int if_hw_tsomax_update(if_t ifp, struct ifnet_hw_tsomax *);