Date:      Wed, 15 Jan 2025 23:59:58 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Konstantin Belousov <kib@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,  dev-commits-src-main@FreeBSD.org
Subject:   Re: git: b0e020764aae - main - ipsec + ktls: cannot coexists
Message-ID:  <71p14p04-5o5o-1385-1551-7733rr1qo57o@yvfgf.mnoonqbm.arg>
In-Reply-To: <202501131930.50DJUCFg047113@gitrepo.freebsd.org>
References:  <202501131930.50DJUCFg047113@gitrepo.freebsd.org>

On Mon, 13 Jan 2025, Konstantin Belousov wrote:

> The branch main has been updated by kib:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=b0e020764aae970545357b0f146dcba7b4b55864
>
> commit b0e020764aae970545357b0f146dcba7b4b55864
> Author:     Konstantin Belousov <kib@FreeBSD.org>
> AuthorDate: 2024-12-28 08:30:49 +0000
> Commit:     Konstantin Belousov <kib@FreeBSD.org>
> CommitDate: 2025-01-13 19:29:31 +0000
>
>    ipsec + ktls: cannot coexists

Ignore my ignorance but that description sounds bad.

Do you mean on a per-packet basis or in general on a machine, i.e.,
(1) an individual packet cannot be processed by ktls and ipsec
(2) a host can either run ktls or ipsec but not both?

Either sounds like (half) a bug to me that should be fixed by the way
but I am so out of the ipsec stack that I don't know current implications.

What is the reason a packet could not first be KTLS handled and then put
into IPsec (for some part of its journey)?

/bz


>    but instead of tripping the assert in debug kernel, and silently falling
>    into UB for prod, skip IPSEC processing for KTLS framed packets when
>    mb_unmapped_to_ext() failed.
>
>    Reviewed by:    markj
>    Sponsored by:   NVidia networking
>    MFC after:      1 week
>    Differential revision:  https://reviews.freebsd.org/D48265
> ---
> sys/netinet/ip_output.c   | 33 +++++++++++++++++++++++++--------
> sys/netinet6/ip6_output.c | 34 ++++++++++++++++++++++++++--------
> 2 files changed, 51 insertions(+), 16 deletions(-)

-- 
Bjoern A. Zeeb                                                     r15:7


