On Tue, Sep 10, 2019 at 06:53:30PM -0400, Michael Marley wrote:
>
> StrongSwan has hardware offload disabled by default, and I didn't enable
> it explicitly. I also already tried turning off all those switches with
> ethtool and it has no effect. This doesn't surprise me though, because
> as I said, I don't actually have the IPSec connection running over the
> ixgbe device. The IPSec connection runs over another network adapter
> that doesn't support IPSec offload at all. The problem comes when
> traffic received over the IPSec interface is then routed back out
> (unencrypted) through the ixgbe device into the local network.
Seems like the ixgbe driver tries to use the sec_path
from RX to setup an offload at the TX side.
Can you please try this (completely untested) patch?
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 9bcae44e9883..ae31bd57127c 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -36,6 +36,7 @@
#include <net/vxlan.h>
#include <net/mpls.h>
#include <net/xdp_sock.h>
+#include <net/xfrm.h>
#include "ixgbe.h"
#include "ixgbe_common.h"
@@ -8696,7 +8697,7 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb,
#endif /* IXGBE_FCOE */
#ifdef CONFIG_IXGBE_IPSEC
- if (secpath_exists(skb) &&
+ if (xfrm_offload(skb) &&
!ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
goto out_drop;
#endif
