This patchset adds a kfunc helper, bpf_xdp_get_xfrm_state(), that wraps xfrm_state_lookup(). The intent is to support software RSS (via XDP) for the ongoing/upcoming ipsec pcpu work [0]. Recent experiments performed on (hopefully) reproducible AWS testbeds indicate that single tunnel pcpu ipsec can reach line rate on 100G ENA nics.
More details about that will be presented at netdev next week [1].
Antony did the initial stable bpf helper - I later ported it to unstable kfuncs. So for the series, please apply a Co-developed-by for Antony, provided he acks and signs off on this.
[0]: https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-multi-sa-performanc... [1]: https://netdevconf.info/0x17/sessions/workshop/security-workshop.html
Daniel Xu (6): bpf: xfrm: Add bpf_xdp_get_xfrm_state() kfunc bpf: selftests: test_tunnel: Use ping -6 over ping6 bpf: selftests: test_tunnel: Mount bpffs if necessary bpf: selftests: test_tunnel: Use vmlinux.h declarations bpf: selftests: test_tunnel: Disable CO-RE relocations bpf: xfrm: Add selftest for bpf_xdp_get_xfrm_state()
include/net/xfrm.h | 9 ++ net/xfrm/Makefile | 1 + net/xfrm/xfrm_policy.c | 2 + net/xfrm/xfrm_state_bpf.c | 105 ++++++++++++++++++ .../selftests/bpf/progs/bpf_tracing_net.h | 1 + .../selftests/bpf/progs/test_tunnel_kern.c | 95 +++++++++------- tools/testing/selftests/bpf/test_tunnel.sh | 43 ++++--- 7 files changed, 202 insertions(+), 54 deletions(-) create mode 100644 net/xfrm/xfrm_state_bpf.c