Maybe just hide struct ifcap under _KERNEL?

What is the pros on disabling 100% of a file with preprocessor instead of just not compiling it at all with help of make glue?

But what would be a condition and corresponding error message? It is always ipoptlen - ipsec_optlen != 0, which means that there are options.

I am not sure, and do not see point in investigating if it is used by userspace (header is definitely used).

The big issue is that we have ipsec.ko and it is very ugly to define conditional source for a module Makefile depending on the kernel config.

Also, the file contained some stubs for !IPSEC_ACCEL initially, then it happen to clean.

Well, the header shall not be used. There are some known violators, they also usually define _WANT_INPCB or _WANT_TCPCB. We are aiming towards eliminating its use rather than providing accommodations for its use. So I'd rather remove these lines and I'm pretty sure that buildworld will pass. And that would be enough.

Lets not mix the changes. Moving a struct out of userspace compilation environment is not related to the subject. We can do it later, but I do not want to do it in this scope.

I agree - let's don't mix the changes. But lets make them in order that would not add <stdbool.h> just to be deleted on the next step. Let's do this first:

https://reviews.freebsd.org/D44340

Then your bigger change.

secpolicy is a core netipsec data structure and it would be great to keep its size constant regardless of KERNCONF options.

I don't see IFP_HS_INFLUX getting set anywhere in the code. What is it for? In case it is required and is for sav requests in flux then you might want to rename it to IFP_HS_IN_FLUX ("influx" means something different than "in flux").

Shouldn't we should call ipsec_accel_handle_sav for all error cases? There doesn't seem to be any need to distinguish between EOPNOTSUPP and other errors.

This doesn't look right. Any SA will always only be used in one direction, and the direction isn't known here. We could add an "unknown" direction and use that, with the driver free to interpret that as both directions if it wants. But it is incorrect for the infrastructure to explicitly announce that the SA will be used in both directions.

On a somewhat-related note, this if_sa_newkey call is too early to be actionable for some hardware (not mlx5). Specifically, there are devices that require direction, mode (tunnel/transport), and the IP addresses involved, and not all of that information is available here. With the proposed design those drivers will have to wait for the SPs to be added and then internally figure out the information that is not explicitly provided.

IFP_HS_REJECTED is not handled. This routine unconditionally adds the ifp to accel_ifps.

The IFP_HS_INFLUX flag is used here but is not set anywhere. If something outside this file can set these flags then the IFP_HS_ flags need to be in a header and not in this file.

ipsec_accel_remember_sp added the ifp to sp->accel_ifps and the global list but if this call fails it isn't removed from there.

This seems unrelated to IPsec offload infrastructure.

uma_zfree_pcpu can deal with NULL itself.

NULL check unnecessary.

secasvar is a core netipsec data structure and it would be great to keep its size constant no matter what's in the KERNCONF.

This file seems to have no functional changes.

This is another remnant of the mode where SA were installed on first packet. Since parallel threads could handle the packet with same SA, parallel installation could occur. First winning thread installed placeholder ifp_handle_sav structure, that was eventually filled with real data, while other threads msleep-ed until the flag is cleared.

I do record that driver does not support this SA offload, so EOPNOTSUPP is handled accordingly.

Formally, SA can be created that can be used in any direction, by specifying corresponding networks. In the weirdest case, src == dst == 0/0 would do it.

At the moment where a new key with the MATURE state appearing in kernel, I cannot know which would be a direction for SA use, so I announce both, and mlx5 indeed installs SA into both input and output steering flows.

Are you suggesting to add something like IFP_HS_UKNOWN_DIR? If yes, I prefer to postpone this until the update for driver KPI is worked out.

This is on purpose. I need to record the state of the rejected SA.

Initially, with the SA offload on the first packet mode, that was critical, to avoid scheduling the task on each packet. Now it is useful.

It is added with the _REJECTED flag, as intended.

Well, it is related. Infra refs the SA, but it cannot ref the secasindex that is back-pointed by SA, and that points to secasindex. So if an SA is removed from the tree, but the structure is still kept around by the offload infra reference, we fall into this case of DEAD SA passed to the process_done().

If the direction isn't known then the kernel should announce that it is not known, or simply not provide any direction with the SA. It can't actively provide incorrect information to the drivers by announcing that the SA's direction is both IN and OUT -- it is not, the SA will be used either in IN direction or OUT but not both. Some drivers have direction specific handling and need accurate information from the kernel. Others like mlx5 are always free to ignore the direction and setup the SA the way they prefer.

Also, my reading of specs is that IPsec SAs are unidirectional, period. src = dst = 0 does not seem like a practical use case anyway and certainly not one I'd expect hardware offload to support.

RFC 4301 has this in section 4.1:

An SA is a simplex "connection" that affords security services to the traffic carried by it.
...
To secure typical, bi-directional communication between two IPsec-enabled systems, a pair of SAs (one in each direction) is required.  IKE explicitly creates SA pairs in recognition of this common usage requirement.

The "glossary" in the RFC defines SA:
Security Association (SA)

A simplex (uni-directional) logical connection, created for security purposes.  All traffic traversing an SA is provided the same security processing.  In IPsec, an SA is an Internet-layer  abstraction implemented through the use of AH or ESP.  State data associated with an SA is represented in the SA Database (SAD).

For less perverted example, assume that two hosts are on 192.168.1/24, want to encap all traffic, and created SA with src == dst == 192.168.1/24.

Hm, I'd say if you have such a task "two hosts want encap all traffic between all addresses in 192.168.1/24 network", then you create a Security Policy (SP) that will match all addresses from this network.
And then how it will work later depends from the host configuration:

1. Your host works as gateway, then you can use Tunnel mode SA, it will encapsulate all matched traffic into IP-IP and encrypt it. And you have two SAs - one for each direction IN and OUT and IP addresses of these SAs will be addresses of outer IP header.
2. Your host has many IP addresses from this network prefix configured locally. And each IP address has two SA.

So, when you are going to encrypt some packet, you need to select proper SA using src,dst,proto,spi. Then remote host can find proper SA when a packet arrives and it will be able to decrypt it.

I think there were drv_spi of uint16_t, uint32_t, uint64_t types and now u_int :)
Protocols use u32, I think driver probably can use u64. Maybe it would be better to use u32 in general, even if you limit its value?

It seems this printf was moved from the following function.

It would be good to note that with IPSEC_ACCEL we have only one pass through ipsec_run_hhooks() in if_enc(4). Although it should be obvious...

It is uint64_t in the ifp_handle_sav out of necessity, because tree.h requires the key to be 64bit. Using u_int there allows to avoid the casts in several places (at least no need to shut up the compilers warnings).

I made it consistent in the infra by using u_int except the place(s) where it must be uint64_t for tree.h.

There is no documentation for IPSEC_OFFLOAD at all. Eventually it should be written, and your point is noted.