macsec: support the offload property

2024-07-22 02:35:25 +00:00 · 2024-02-08 16:57:28 +01:00 · 2024-02-08 16:57:28 +01:00 · 010c54dce9
parent aa418275cf
commit 010c54dce9
5 changed files with 51 additions and 7 deletions
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -1032,6 +1032,9 @@ ipv6.ip6-privacy=0
          <term><varname>loopback.mtu</varname></term>
          <listitem><para>If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or the MTU is left unspecified on activation.</para></listitem>
        </varlistentry>
+        <varlistentry>
+          <term><varname>macsec.offload</varname></term>
+        </varlistentry>
        <varlistentry>
          <term><varname>sriov.autoprobe-drivers</varname></term>
          <listitem><para>If left unspecified, drivers are autoprobed when the SR-IOV VF gets created.</para></listitem>
--- a/src/core/devices/nm-device-macsec.c
+++ b/src/core/devices/nm-device-macsec.c
@ -10,6 +10,7 @@
 #include <linux/if_ether.h>

 #include "nm-act-request.h"
+#include "nm-config.h"
 #include "nm-device-private.h"
 #include "libnm-platform/nm-platform.h"
 #include "nm-device-factory.h"
@ -190,6 +191,7 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
    NMConnection                       *connection;
    const char                         *con_uuid;
    guint32                             mtu;
+    int                                 offload;

    connection = nm_device_get_applied_connection(NM_DEVICE(self));

@ -205,7 +207,20 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)

    g_return_val_if_fail(s_macsec, NULL);

-    if (!nm_supplicant_config_add_setting_macsec(config, s_macsec, error)) {
+    offload = nm_setting_macsec_get_offload(s_macsec);
+    if (offload == NM_SETTING_MACSEC_OFFLOAD_DEFAULT) {
+        offload = nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
+                                                              NM_CON_DEFAULT("macsec.offload"),
+                                                              NM_DEVICE(self),
+                                                              NM_SETTING_MACSEC_OFFLOAD_OFF,
+                                                              NM_SETTING_MACSEC_OFFLOAD_MAC,
+                                                              NM_SETTING_MACSEC_OFFLOAD_OFF);
+    }
+
+    if (!nm_supplicant_config_add_setting_macsec(config,
+                                                 s_macsec,
+                                                 (NMSettingMacsecOffload) offload,
+                                                 error)) {
        g_prefix_error(error, "macsec-setting: ");
        return NULL;
    }
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@ -396,14 +396,16 @@ again:
 }

 gboolean
-nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
-                                        NMSettingMacsec    *setting,
-                                        GError            **error)
+nm_supplicant_config_add_setting_macsec(NMSupplicantConfig    *self,
+                                        NMSettingMacsec       *setting,
+                                        NMSettingMacsecOffload offload,
+                                        GError               **error)
 {
    const char *value;
    char        buf[32];
    int         port;
    gsize       key_len;
+    const char *offload_str = NULL;

    g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
    g_return_val_if_fail(setting != NULL, FALSE);
@ -472,6 +474,28 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
            return FALSE;
    }

+    switch (offload) {
+    case NM_SETTING_MACSEC_OFFLOAD_OFF:
+        /* This is the default in wpa_supplicant. Don't set the option,
+         * so that if user doesn't enable offload, the connection still
+         * works with previous versions of the supplicant.
+         */
+        break;
+    case NM_SETTING_MACSEC_OFFLOAD_PHY:
+        offload_str = "1";
+        break;
+    case NM_SETTING_MACSEC_OFFLOAD_MAC:
+        offload_str = "2";
+        break;
+    case NM_SETTING_MACSEC_OFFLOAD_DEFAULT:
+        nm_assert_not_reached();
+        break;
+    }
+    if (offload_str
+        && !nm_supplicant_config_add_option(self, "macsec_offload", offload_str, -1, NULL, error)) {
+        return FALSE;
+    }
+
    return TRUE;
 }

--- a/src/core/supplicant/nm-supplicant-config.h
+++ b/src/core/supplicant/nm-supplicant-config.h
@ -68,9 +68,10 @@ gboolean nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
                                                gboolean            wired,
                                                GError            **error);

-gboolean nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
-                                                 NMSettingMacsec    *setting,
-                                                 GError            **error);
+gboolean nm_supplicant_config_add_setting_macsec(NMSupplicantConfig    *self,
+                                                 NMSettingMacsec       *setting,
+                                                 NMSettingMacsecOffload offload,
+                                                 GError               **error);

 gboolean nm_supplicant_config_enable_pmf_akm(NMSupplicantConfig *self, GError **error);

--- a/src/core/supplicant/nm-supplicant-settings-verify.c
+++ b/src/core/supplicant/nm-supplicant-settings-verify.c
@ -87,6 +87,7 @@ static const struct Opt opt_table[] = {
                             "OWE",
                             "NONE", )),
    OPT_INT("macsec_integ_only", 0, 1),
+    OPT_INT("macsec_offload", 0, 2),
    OPT_INT("macsec_policy", 0, 1),
    OPT_INT("macsec_port", 1, 65534),
    OPT_BYTES("mka_cak", 65536),