On Wed, 2019-09-11 at 10:50 -0400, Michael Marley wrote: > On 2019-09-11 02:15, Steffen Klassert wrote: > > On Tue, Sep 10, 2019 at 06:53:30PM -0400, Michael Marley wrote: > > > StrongSwan has hardware offload disabled by default, and I > > > didn't > > > enable > > > it explicitly. I also already tried turning off all those > > > switches > > > with > > > ethtool and it has no effect. This doesn't surprise me though, > > > because > > > as I said, I don't actually have the IPSec connection running > > > over the > > > ixgbe device. The IPSec connection runs over another network > > > adapter > > > that doesn't support IPSec offload at all. The problem comes > > > when > > > traffic received over the IPSec interface is then routed back out > > > (unencrypted) through the ixgbe device into the local network. > > > > Seems like the ixgbe driver tries to use the sec_path > > from RX to setup an offload at the TX side. > > > > Can you please try this (completely untested) patch?
Steffen, can you send your patch to intel-wired-...@lists.osuosl.org mailing list? > > diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > > b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > > index 9bcae44e9883..ae31bd57127c 100644 > > --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > > +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c > > @@ -36,6 +36,7 @@ > > #include <net/vxlan.h> > > #include <net/mpls.h> > > #include <net/xdp_sock.h> > > +#include <net/xfrm.h> > > > > #include "ixgbe.h" > > #include "ixgbe_common.h" > > @@ -8696,7 +8697,7 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct > > sk_buff > > *skb, > > #endif /* IXGBE_FCOE */ > > > > #ifdef CONFIG_IXGBE_IPSEC > > - if (secpath_exists(skb) && > > + if (xfrm_offload(skb) && > > !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx)) > > goto out_drop; > > #endif > With the patch, the problem is gone. Thanks! > > Michael
signature.asc
Description: This is a digitally signed message part
