diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index 9e4429d0f1..94e3d6b6b2 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -1032,6 +1032,9 @@ ipv6.ip6-privacy=0
loopback.mtu
If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or the MTU is left unspecified on activation.
+
+ macsec.offload
+
sriov.autoprobe-drivers
If left unspecified, drivers are autoprobed when the SR-IOV VF gets created.
diff --git a/src/core/devices/nm-device-macsec.c b/src/core/devices/nm-device-macsec.c
index 130708bb23..32fab5be63 100644
--- a/src/core/devices/nm-device-macsec.c
+++ b/src/core/devices/nm-device-macsec.c
@@ -10,6 +10,7 @@
#include
#include "nm-act-request.h"
+#include "nm-config.h"
#include "nm-device-private.h"
#include "libnm-platform/nm-platform.h"
#include "nm-device-factory.h"
@@ -190,6 +191,7 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
NMConnection *connection;
const char *con_uuid;
guint32 mtu;
+ int offload;
connection = nm_device_get_applied_connection(NM_DEVICE(self));
@@ -205,7 +207,20 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
g_return_val_if_fail(s_macsec, NULL);
- if (!nm_supplicant_config_add_setting_macsec(config, s_macsec, error)) {
+ offload = nm_setting_macsec_get_offload(s_macsec);
+ if (offload == NM_SETTING_MACSEC_OFFLOAD_DEFAULT) {
+ offload = nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
+ NM_CON_DEFAULT("macsec.offload"),
+ NM_DEVICE(self),
+ NM_SETTING_MACSEC_OFFLOAD_OFF,
+ NM_SETTING_MACSEC_OFFLOAD_MAC,
+ NM_SETTING_MACSEC_OFFLOAD_OFF);
+ }
+
+ if (!nm_supplicant_config_add_setting_macsec(config,
+ s_macsec,
+ (NMSettingMacsecOffload) offload,
+ error)) {
g_prefix_error(error, "macsec-setting: ");
return NULL;
}
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c
index 1d9372e09f..9ad4a8f950 100644
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@@ -396,14 +396,16 @@ again:
}
gboolean
-nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
- NMSettingMacsec *setting,
- GError **error)
+nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
+ NMSettingMacsec *setting,
+ NMSettingMacsecOffload offload,
+ GError **error)
{
const char *value;
char buf[32];
int port;
gsize key_len;
+ const char *offload_str = NULL;
g_return_val_if_fail(NM_IS_SUPPLICANT_CONFIG(self), FALSE);
g_return_val_if_fail(setting != NULL, FALSE);
@@ -472,6 +474,28 @@ nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
return FALSE;
}
+ switch (offload) {
+ case NM_SETTING_MACSEC_OFFLOAD_OFF:
+ /* This is the default in wpa_supplicant. Don't set the option,
+ * so that if user doesn't enable offload, the connection still
+ * works with previous versions of the supplicant.
+ */
+ break;
+ case NM_SETTING_MACSEC_OFFLOAD_PHY:
+ offload_str = "1";
+ break;
+ case NM_SETTING_MACSEC_OFFLOAD_MAC:
+ offload_str = "2";
+ break;
+ case NM_SETTING_MACSEC_OFFLOAD_DEFAULT:
+ nm_assert_not_reached();
+ break;
+ }
+ if (offload_str
+ && !nm_supplicant_config_add_option(self, "macsec_offload", offload_str, -1, NULL, error)) {
+ return FALSE;
+ }
+
return TRUE;
}
diff --git a/src/core/supplicant/nm-supplicant-config.h b/src/core/supplicant/nm-supplicant-config.h
index 585cf9588d..c52b756e78 100644
--- a/src/core/supplicant/nm-supplicant-config.h
+++ b/src/core/supplicant/nm-supplicant-config.h
@@ -68,9 +68,10 @@ gboolean nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
gboolean wired,
GError **error);
-gboolean nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
- NMSettingMacsec *setting,
- GError **error);
+gboolean nm_supplicant_config_add_setting_macsec(NMSupplicantConfig *self,
+ NMSettingMacsec *setting,
+ NMSettingMacsecOffload offload,
+ GError **error);
gboolean nm_supplicant_config_enable_pmf_akm(NMSupplicantConfig *self, GError **error);
diff --git a/src/core/supplicant/nm-supplicant-settings-verify.c b/src/core/supplicant/nm-supplicant-settings-verify.c
index 8f2561a6a9..7842365c3c 100644
--- a/src/core/supplicant/nm-supplicant-settings-verify.c
+++ b/src/core/supplicant/nm-supplicant-settings-verify.c
@@ -87,6 +87,7 @@ static const struct Opt opt_table[] = {
"OWE",
"NONE", )),
OPT_INT("macsec_integ_only", 0, 1),
+ OPT_INT("macsec_offload", 0, 2),
OPT_INT("macsec_policy", 0, 1),
OPT_INT("macsec_port", 1, 65534),
OPT_BYTES("mka_cak", 65536),