On Thu, Mar 17, 2016 at 11:49:53AM +0100, Jiri Bohac wrote: > On Thu, Mar 17, 2016 at 11:24:59AM +0100, Steffen Klassert wrote: > > > > On Wed, Mar 16, 2016 at 05:00:26PM +0100, Jiri Bohac wrote: > > > Fixes my broken case. > > > > Is this IPv4 or IPv6? IPv4 should not create a GSO skb > > if IPsec is done. It checks for rt->dst.header_len > > in __ip_append_data() and does a fallback to the > > standard case if rt->dst.header_len is non zero. > > It's IPv6. > > > In IPv6 this check is missing, so this could be the > > problem if this is IPv6. > > Doesn't the check do exactly the opposite of what the RFC says? > The RFC wants ESP to be performed first and fragmentation after > that. UDPv4 currently seems to be doing the opposite.
No, __ip_append_data() only prepares the packets for fragmentation and enqueues them. Then __ip_make_skb() dequeues and builds one skb with a fraglist. Then the xfrm layer is called, so esp linearizes (unfortunately) the skb and applies the transformation. Fragmentation happens after that.