On 1 Nov 2024, at 21:47, Aaron Conole wrote:

> Clearing the secpath for internal ports will cause packet drops when
> ipsec offload or early SW ipsec decrypt are used.  Systems that rely
> on these will not be able to actually pass traffic via openvswitch.
>
> There is still an open issue for a flow miss packet - this is because
> we drop the extensions during upcall and there is no facility to
> restore such data (and it is non-trivial to add such functionality
> to the upcall interface).  That means that when a flow miss occurs,
> there will still be packet drops.  With this patch, when a flow is
> found then traffic which has an associated xfrm extension will
> properly flow.
>
> Signed-off-by: Aaron Conole <acon...@redhat.com>

Thanks for debugging and fixing this. The change looks good to me.

Acked-by: Eelco Chaudron <echau...@redhat.com>

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
