On Mon, 13 Jan 2025, Konstantin Belousov wrote:

The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=b0e020764aae970545357b0f146dcba7b4b55864

commit b0e020764aae970545357b0f146dcba7b4b55864
Author:     Konstantin Belousov <k...@freebsd.org>
AuthorDate: 2024-12-28 08:30:49 +0000
Commit:     Konstantin Belousov <k...@freebsd.org>
CommitDate: 2025-01-13 19:29:31 +0000

   ipsec + ktls: cannot coexists

Ignore my ignorance but that description sounds bad.

Do you mean on a per-packet basis or in general on a machine, i.e.,
(1) an individual packet cannot be processed by ktls and ipsec
(2) a host can either run ktls or ipsec but not both?

Either sounds like (half) a bug to me that should be fixed by the way
but I am so out of the ipsec stack that I don't know current implications.

What is the reason a packet could not first be KTLS handled and then put
into IPsec (for some part of its journey)?

/bz


   but instead of tripping the assert in debug kernel, and silently falling
   into UB for prod, skip IPSEC processing for KTLS framed packets when
   mb_unmapped_to_ext() failed.

   Reviewed by:    markj
   Sponsored by:   NVidia networking
   MFC after:      1 week
   Differential revision:  https://reviews.freebsd.org/D48265
---
sys/netinet/ip_output.c   | 33 +++++++++++++++++++++++++--------
sys/netinet6/ip6_output.c | 34 ++++++++++++++++++++++++++--------
2 files changed, 51 insertions(+), 16 deletions(-)

--
Bjoern A. Zeeb                                                     r15:7
