Date: Thu, 16 Jan 2025 00:33:02 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Konstantin Belousov
cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: b0e020764aae - main - ipsec + ktls: cannot coexists
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

On Thu, 16 Jan 2025, Konstantin Belousov wrote:

> On Wed, Jan 15, 2025 at 11:59:58PM +0000, Bjoern A. Zeeb wrote:
>> On Mon, 13 Jan 2025, Konstantin Belousov wrote:
>>
>>> The branch main has been updated by kib:
>>>
>>> URL: https://cgit.FreeBSD.org/src/commit/?id=b0e020764aae970545357b0f146dcba7b4b55864
>>>
>>> commit b0e020764aae970545357b0f146dcba7b4b55864
>>> Author: Konstantin Belousov
>>> AuthorDate: 2024-12-28 08:30:49 +0000
>>> Commit: Konstantin Belousov
>>> CommitDate: 2025-01-13 19:29:31 +0000
>>>
>>> ipsec + ktls: cannot coexists
>>
>> Ignore my ignorance but that description sounds bad.
>>
>> Do you mean on a per-packet base or in general on a machine, i.e.,
>> (1) an individual packet cannot be processed by ktls and ipsec
>> (2) a host can either run ktls or ipsec but not both?
>
> After this change, we are at the #1.
> Before, we were at #2.
>
> This change maps mbuf chains that are to be processed by sw IPSEC. So
> the change makes KTLS and IPSEC compatible.
>
> Mark said that there are plans to make sw IPSEC to fully handle unmapped
> packets.
>
>>
>> Either sounds like (half) a bug to me that should be fixed by the way
>> but I am so out of the ipsec stack that I don't know current implications.
>>
>> What is the reason a packet could not first be KTLS handled and then put
>> into IPsec (for some part of its journey)?
>
> Talking about software implementations, KTLS mbufs are unmapped, and IPSEC
> was not prepared to handle that, so we remap them.
>
> For inline offload on network cards (talking about mlx5), current offload
> engines can do only one crypto op on packet as it is processed. In other
> words, either KTLS, or IPSEC inline can be done, not both.

I see. Thanks a lot for the work and explanations. Going from #2 -> #1
seems very good indeed.

Lots of joy,
/bz

-- 
Bjoern A. Zeeb                                                     r15:7