shortcut-fe: fix ipsec forwarding issue
SKBs to IPSEC can't be accelerated because they need further
encapsulation in XFRM stack before leaving a network interface.
But on the other direction, SKBs from IPSEC can be forwarded to
an interface directly. In this fix, we accelerate one direction
of XFRM tunnel flows.
Change-Id: I51a7561a7fb12843f8f4bd9455c43ad7c095081c
Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
diff --git a/shortcut-fe/sfe_cm.c b/shortcut-fe/sfe_cm.c
index d463c16..cee000e 100644
--- a/shortcut-fe/sfe_cm.c
+++ b/shortcut-fe/sfe_cm.c
@@ -252,6 +252,16 @@
return NF_ACCEPT;
}
+#ifdef CONFIG_XFRM
+ /*
+ * Packet to xfrm for encapsulation, we can't process it
+ */
+ if (unlikely(skb_dst(skb)->xfrm)) {
+ DEBUG_TRACE("packet to xfrm, ignoring\n");
+ return NF_ACCEPT;
+ }
+#endif
+
/*
* Don't process packets that are not being forwarded.
*/
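Review bot: The `skb_dst(skb)->xfrm` test only runs for packets that still reach this hook, so it keeps new flows off the fast path but does nothing for flows that were offloaded before an XFRM policy began to apply to them. Whether those entries are flushed when policy or state changes is not visible in this hunk; if they are not, their packets would keep leaving through the fast path without the transform, so that is worth confirming. The comment could also give the reason rather than only the outcome, for example `* Packet to xfrm for encapsulation: leave it on the slow path so the transform is applied before transmit.` The enclosing function starts and ends outside the hunk.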
@@ -392,6 +402,28 @@
return NF_ACCEPT;
}
+#ifdef CONFIG_XFRM
+ sic.original_accel = 1;
+ sic.reply_accel = 1;
+
+ /*
+ * For packets de-capsulated from xfrm, we still can accelerate it
+ * on the direction we just received the packet.
+ */
+ if (unlikely(skb->sp)) {
+ if (sic.protocol == IPPROTO_TCP &&
+ !(sic.flags & SFE_CREATE_FLAG_NO_SEQ_CHECK)) {
+ return NF_ACCEPT;
+ }
+
+ if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) {
+ sic.reply_accel = 0;
+ } else {
+ sic.original_accel = 0;
+ }
+ }
+#endif
+
/*
* Get the net device and MAC addresses that correspond to the various source and
* destination host addresses.
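Review bot: The decision to keep one direction accelerated is taken from `skb->sp` on the single packet that creates the rule, and nothing in this hunk ties later fast-path packets in that direction to having been decapsulated by XFRM. If the fast path matches on addresses and ports alone (its code is outside this hunk), a packet arriving without a secpath would skip the inbound policy check that the slow path performs, so this should be confirmed or the limitation recorded in the comment above `if (unlikely(skb->sp))`. Separately, the early `return NF_ACCEPT;` for TCP without `SFE_CREATE_FLAG_NO_SEQ_CHECK` carries no explanation; presumably sequence tracking needs both directions, and a line such as `/* TCP sequence checking needs both directions; do not half-accelerate */` would record that. The enclosing function starts and ends outside the hunk.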