On 2019-09-11 02:15, Steffen Klassert wrote:
On Tue, Sep 10, 2019 at 06:53:30PM -0400, Michael Marley wrote:
StrongSwan has hardware offload disabled by default, and I didn't
enable
it explicitly. I also already tried turning off all those switches
with
ethtool and it has no effect. This doesn't surprise me though,
because
as I said, I don't actually have the IPSec connection running over the
ixgbe device. The IPSec connection runs over another network adapter
that doesn't support IPSec offload at all. The problem comes when
traffic received over the IPSec interface is then routed back out
(unencrypted) through the ixgbe device into the local network.
Seems like the ixgbe driver tries to use the sec_path
from RX to setup an offload at the TX side.
Can you please try this (completely untested) patch?
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 9bcae44e9883..ae31bd57127c 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -36,6 +36,7 @@
#include <net/vxlan.h>
#include <net/mpls.h>
#include <net/xdp_sock.h>
+#include <net/xfrm.h>
#include "ixgbe.h"
#include "ixgbe_common.h"
@@ -8696,7 +8697,7 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff
*skb,
#endif /* IXGBE_FCOE */
#ifdef CONFIG_IXGBE_IPSEC
- if (secpath_exists(skb) &&
+ if (xfrm_offload(skb) &&
!ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
goto out_drop;
#endif
With the patch, the problem is gone. Thanks!
Michael
