From nobody Fri Sep 26 06:40:58 2025
Date: Fri, 26 Sep 2025 06:40:58 GMT
Message-Id: <202509260640.58Q6ewP6025199@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Konstantin Belousov Subject: git: 84d688af4e62 - main - mlx5 ipsec: Add VLAN tag to IPSec rules to prevent duplicates List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kib X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 84d688af4e625e159af65cd2432af88609d4962a Auto-Submitted: auto-generated The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=84d688af4e625e159af65cd2432af88609d4962a commit 84d688af4e625e159af65cd2432af88609d4962a Author: Ariel Ehrenberg AuthorDate: 2025-09-17 13:17:46 +0000 Commit: Konstantin Belousov CommitDate: 2025-09-26 06:32:10 +0000 mlx5 ipsec: Add VLAN tag to IPSec rules to prevent duplicates Include VLAN tag in policy and SA outbound rules so that rules from VLAN interfaces differ from physical interface rules, preventing duplicate rule creation in VLAN configurations. Sponsored by: Nvidia networking MFC after: 1 week --- sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c b/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c index fb9ca94278db..d1f454a5ec41 100644 --- a/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c +++ b/sys/dev/mlx5/mlx5_accel/mlx5_ipsec_fs.c @@ -1134,6 +1134,11 @@ static int tx_add_kspi_rule(struct mlx5e_ipsec_sa_entry *sa_entry, setup_fte_no_frags(spec); setup_fte_reg_a_with_tag(spec, sa_entry->kspi); + if (sa_entry->vid != VLAN_NONE) + setup_fte_vid(spec, sa_entry->vid); + else + setup_fte_no_vid(spec); + rule = mlx5_add_flow_rules(tx->ft.sa_kspi, spec, flow_act, dest, num_dest); if (IS_ERR(rule)) { err = PTR_ERR(rule); 
@@ -1169,6 +1174,10 @@ static int tx_add_reqid_ip_rules(struct mlx5e_ipsec_sa_entry *sa_entry, flow_act->flags |= FLOW_ACT_IGNORE_FLOW_LEVEL; if(attrs->reqid) { + if (sa_entry->vid != VLAN_NONE) + setup_fte_vid(spec, sa_entry->vid); + else + setup_fte_no_vid(spec); setup_fte_no_frags(spec); setup_fte_reg_c0(spec, attrs->reqid); rule = mlx5_add_flow_rules(tx->ft.sa, spec, flow_act, dest, num_dest); @@ -1181,6 +1190,11 @@ static int tx_add_reqid_ip_rules(struct mlx5e_ipsec_sa_entry *sa_entry, memset(spec, 0, sizeof(*spec)); } + if (sa_entry->vid != VLAN_NONE) + setup_fte_vid(spec, sa_entry->vid); + else + setup_fte_no_vid(spec); + if (attrs->family == AF_INET) setup_fte_addr4(spec, &attrs->saddr.a4, &attrs->daddr.a4); else @@ -1322,6 +1336,11 @@ static int tx_add_policy(struct mlx5e_ipsec_pol_entry *pol_entry) goto err_mod_header; } + if (attrs->vid != VLAN_NONE) + setup_fte_vid(spec, attrs->vid); + else + setup_fte_no_vid(spec); + flow_act.flags |= FLOW_ACT_NO_APPEND; dest[dstn].ft = tx->ft.sa; dest[dstn].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
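Review bot: in the first hunk (tx_add_kspi_rule), the else branch calls setup_fte_no_vid(spec) for every SA whose sa_entry->vid is VLAN_NONE, so the kspi rule on a physical interface gains a match criterion it did not have before, while the commit message only describes making VLAN rules distinct. Please say in the commit message or in a comment at this site what the rule for a non-VLAN SA now matches (judging by the helper's name, untagged traffic only) and confirm that narrowing is intended.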
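Review bot: in the second hunk, inside the if(attrs->reqid) block of tx_add_reqid_ip_rules, the VLAN match is placed before setup_fte_no_frags(spec), whereas tx_add_kspi_rule places it after the other setup_fte_* calls, and the same four-line if/else now appears four times in this file. A small static helper that takes spec and the vid, called at a consistent position among the setup_fte_* calls, would keep a later change to the VLAN match from missing one site.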
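Review bot: the third hunk's VLAN block, right after the closing brace of the reqid branch in tx_add_reqid_ip_rules, looks like a duplicate of the one a few lines above but is not: that branch ends with memset(spec, 0, sizeof(*spec)), which clears the match that was just set, and when attrs->reqid is zero this is the only place the VLAN criterion is applied. A one-line comment stating that the VLAN match is (re)applied here because the spec may have been zeroed would stop it being removed as redundant.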
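Review bot: in the last hunk, tx_add_policy reads the tag from attrs->vid while the three SA sites read sa_entry->vid, and this diff (one file, 19 insertions) does not show where either field is assigned. Please confirm that attrs->vid is set to VLAN_NONE for policies on a physical interface; with the check written as `if (attrs->vid != VLAN_NONE)`, a field left at any other default would be passed to setup_fte_vid() as a real VLAN id and the policy rule would match the wrong traffic.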