net/mlx5e: Ensure that IPsec sequence packet number starts from 1

According to RFC4303, section "3.3.3. Sequence Number Generation",
the first packet sent using a given SA will contain a sequence
number of 1.

However if user didn't set seq/oseq, the HW used zero as first sequence
packet number. Such misconfiguration causes to drop of first packet
if replay window protection was enabled in SA.

To fix it, set sequence number to be at least 1.

Fixes: 7db21ef4566e ("net/mlx5e: Set IPsec replay sequence numbers")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 4028932d93ce57fddcc9c13dc9424f202859ae0a..914b9e6eb7db8a52eba700d8ed1865d6c82405af 100644 (file)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -121,7 +121,14 @@ static bool mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry)
        if (x->xso.type == XFRM_DEV_OFFLOAD_CRYPTO)
                esn_msb = xfrm_replay_seqhi(x, htonl(seq_bottom));
 
-       sa_entry->esn_state.esn = esn;
+       if (sa_entry->esn_state.esn_msb)
+               sa_entry->esn_state.esn = esn;
+       else
+               /* According to RFC4303, section "3.3.3. Sequence Number Generation",
+                * the first packet sent using a given SA will contain a sequence
+                * number of 1.
+                */
+               sa_entry->esn_state.esn = max_t(u32, esn, 1);
        sa_entry->esn_state.esn_msb = esn_msb;
 
        if (unlikely(overlap && seq_bottom < MLX5E_IPSEC_ESN_SCOPE_MID)) {