Re: git: b0e020764aae - main - ipsec + ktls: cannot coexists
Date: Wed, 15 Jan 2025 23:59:58 UTC
On Mon, 13 Jan 2025, Konstantin Belousov wrote:

> The branch main has been updated by kib:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=b0e020764aae970545357b0f146dcba7b4b55864
>
> commit b0e020764aae970545357b0f146dcba7b4b55864
> Author: Konstantin Belousov <kib@FreeBSD.org>
> AuthorDate: 2024-12-28 08:30:49 +0000
> Commit: Konstantin Belousov <kib@FreeBSD.org>
> CommitDate: 2025-01-13 19:29:31 +0000
>
> ipsec + ktls: cannot coexists

Ignore my ignorance but that description sounds bad.

Do you mean on a per-packet base or in general on a machine, i.e.,
(1) an individual packet cannot be processed by ktls and ipsec
(2) a host can either run ktls or ipsec but not both?

Either sounds like (half) a bug to me that should be fixed by the way
but I am so out of the ipsec stack that I don't know current implications.

What is the reason a packet could not first be KTLS handled and then
put into IPsec (for some part of its journey)?

/bz

> but instead of tripping the assert in debug kernel, and silently falling
> into UB for prod, skip IPSEC processing for KTLS framed packets when
> mb_unmapped_to_ext() failed.
>
> Reviewed by: markj
> Sponsored by: NVidia networking
> MFC after: 1 week
> Differential revision: https://reviews.freebsd.org/D48265
> ---
> sys/netinet/ip_output.c | 33 +++++++++++++++++++++++++--------
> sys/netinet6/ip6_output.c | 34 ++++++++++++++++++++++++++--------
> 2 files changed, 51 insertions(+), 16 deletions(-)

--
Bjoern A. Zeeb r15:7