git: c968d55123fa - stable/14 - ipsec + ktls: cannot coexists

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Mon, 20 Jan 2025 02:40:39 UTC
The branch stable/14 has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=c968d55123faf55a26d769847b603330eb51f67c

commit c968d55123faf55a26d769847b603330eb51f67c
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-12-28 08:30:49 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2025-01-20 02:40:09 +0000

    ipsec + ktls: cannot coexists
    
    (cherry picked from commit b0e020764aae970545357b0f146dcba7b4b55864)
---
 sys/netinet/ip_output.c   | 33 +++++++++++++++++++++++++--------
 sys/netinet6/ip6_output.c | 34 ++++++++++++++++++++++++++--------
 2 files changed, 51 insertions(+), 16 deletions(-)

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index bcd4ed4c94c9..892a54eb628d 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -669,17 +669,25 @@ again:
 sendit:
 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
 	if (IPSEC_ENABLED(ipv4)) {
-		m = mb_unmapped_to_ext(m);
-		if (m == NULL) {
-			IPSTAT_INC(ips_odropped);
-			error = ENOBUFS;
-			goto bad;
+		struct mbuf *m1;
+
+		error = mb_unmapped_to_ext(m, &m1);
+		if (error != 0) {
+			if (error == ENOMEM) {
+				IPSTAT_INC(ips_odropped);
+				error = ENOBUFS;
+				goto bad;
+			}
+			/* XXXKIB */
+			goto no_ipsec;
 		}
+		m = m1;
 		if ((error = IPSEC_OUTPUT(ipv4, m, inp)) != 0) {
 			if (error == EINPROGRESS)
 				error = 0;
 			goto done;
 		}
+no_ipsec:;
 	}
 	/*
 	 * Check if there was a route for this packet; return error if not.
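Review bot: The `goto no_ipsec` branch skips `IPSEC_OUTPUT()` for every `mb_unmapped_to_ext()` failure other than ENOMEM, so a packet that cannot be converted leaves the IPsec block without any policy lookup. Judging by the second hunk this is the EINVAL case for a kTLS mbuf; on an interface with IFCAP_MEXTPG set, such a packet would presumably continue to transmission even where an outbound policy requires IPsec protection. Replace the bare `/* XXXKIB */` with a comment that states this, e.g. `/* kTLS mbuf cannot be mapped; packet bypasses IPsec policy processing */`, or drop the packet instead of falling through. The hunk also does not show whether `m` is still owned by the caller after a failed call, yet both `goto bad` and `no_ipsec` keep using it, so that contract deserves a line of comment too. The first ip6_output.c hunk has the same pattern; the enclosing function starts and ends outside this hunk.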
@@ -733,11 +741,20 @@ sendit:
 
 	/* Ensure the packet data is mapped if the interface requires it. */
 	if ((ifp->if_capenable & IFCAP_MEXTPG) == 0) {
-		m = mb_unmapped_to_ext(m);
-		if (m == NULL) {
+		struct mbuf *m1;
+
+		error = mb_unmapped_to_ext(m, &m1);
+		if (error != 0) {
+			if (error == EINVAL) {
+				if_printf(ifp, "TLS packet\n");
+				/* XXXKIB */
+			} else if (error == ENOMEM) {
+				error = ENOBUFS;
+			}
 			IPSTAT_INC(ips_odropped);
-			error = ENOBUFS;
 			goto bad;
+		} else {
+			m = m1;
 		}
 	}
 
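Review bot: `if_printf(ifp, "TLS packet\n")` runs once per dropped packet on the output path with no rate limit, so a socket that keeps sending kTLS data through an interface without IFCAP_MEXTPG can flood the console and kernel message buffer. The drop is already counted by `IPSTAT_INC(ips_odropped)`, so I would either remove the printf or gate it (for example with `ppsratecheck()`) and make the text name the cause, e.g. `if_printf(ifp, "dropping kTLS packet: interface cannot send unmapped mbufs\n");`. The `/* XXXKIB */` marker should say what is still to be decided, and error values other than EINVAL and ENOMEM are passed through unchanged, which is worth a comment. The `passout` hunk in ip6_output.c carries the same code; the enclosing function extends outside this hunk.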
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 3c0e7f37b74f..d98d7c5aa928 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -459,17 +459,25 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
 	 * XXX: need scope argument.
 	 */
 	if (IPSEC_ENABLED(ipv6)) {
-		m = mb_unmapped_to_ext(m);
-		if (m == NULL) {
-			IP6STAT_INC(ip6s_odropped);
-			error = ENOBUFS;
-			goto bad;
+		struct mbuf *m1;
+
+		error = mb_unmapped_to_ext(m, &m1);
+		if (error != 0) {
+			if (error == ENOMEM) {
+				IP6STAT_INC(ip6s_odropped);
+				error = ENOBUFS;
+				goto bad;
+			}
+			/* XXXKIB */
+			goto no_ipsec;
 		}
+		m = m1;
 		if ((error = IPSEC_OUTPUT(ipv6, m, inp)) != 0) {
 			if (error == EINPROGRESS)
 				error = 0;
 			goto done;
 		}
+no_ipsec:;
 	}
 #endif /* IPSEC */
 
@@ -1102,10 +1110,20 @@ passout:
 
 	/* Ensure the packet data is mapped if the interface requires it. */
 	if ((ifp->if_capenable & IFCAP_MEXTPG) == 0) {
-		m = mb_unmapped_to_ext(m);
-		if (m == NULL) {
+		struct mbuf *m1;
+
+		error = mb_unmapped_to_ext(m, &m1);
+		if (error != 0) {
+			if (error == EINVAL) {
+				if_printf(ifp, "TLS packet\n");
+				/* XXXKIB */
+			} else if (error == ENOMEM) {
+				error = ENOBUFS;
+			}
 			IP6STAT_INC(ip6s_odropped);
-			return (ENOBUFS);
+			return (error);
+		} else {
+			m = m1;
 		}
 	}