The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=5be5a0bde5f990dbc680272eee74132bcde815f2
commit 5be5a0bde5f990dbc680272eee74132bcde815f2
Author: Konstantin Belousov <k...@freebsd.org>
AuthorDate: 2025-07-07 18:01:34 +0000
Commit: Konstantin Belousov <k...@freebsd.org>
CommitDate: 2025-07-17 09:36:30 +0000

ipsec offload: make hw-decrypted plain text packet like sw decrypted.

Mark hw-decrypted mbufs with M_DECRYPTED in the CHECK_POLICY() hook, when the flag is owned by IPSEC. Convert PACKET_TAG_IPSEC_ACCEL_IN to PACKET_TAG_IPSEC_IN_DONE to provide the xform history for ipsec transform history check. The hw-decrypted packets are then subject to exactly the same checks at CHECK_POLICY() hooks as the sw-decrypted packet. This includes the policy checking, and updating the corresponding policy's lastused field, needed for IKE daemons to track association lifetime.

Reviewed by: Ariel Ehrenberg <aehrenb...@nvidia.com>, slavash
Sponsored by: Nvidia networking
---
 sys/netipsec/ipsec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 6bacc68b7441..92d0201b398a 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -636,8 +636,10 @@ ipsec4_in_reject1(const struct mbuf *m, struct ip *ip1, struct inpcb *inp) #ifdef IPSEC_OFFLOAD tag = ipsec_accel_input_tag_lookup(m); - if (tag != NULL) - return (0); + if (tag != NULL) { + tag->tag.m_tag_id = PACKET_TAG_IPSEC_IN_DONE; + __DECONST(struct mbuf *, m)->m_flags |= M_DECRYPTED; + } #endif if (ip1 == NULL) {
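Review bot: the new `__DECONST(struct mbuf *, m)->m_flags |= M_DECRYPTED;` line writes to an mbuf the function receives as `const struct mbuf *m`, and the `tag->tag.m_tag_id = PACKET_TAG_IPSEC_IN_DONE;` line rewrites a tag attached to it, so ipsec4_in_reject1() is no longer a pure check: after this branch runs once, ipsec_accel_input_tag_lookup() on the same mbuf returns NULL and any later pass takes the plain software-decrypted path. If that one-shot conversion at the first CHECK_POLICY() hook is the intent (the commit message suggests it is), a short comment above the `if (tag != NULL) {` block stating it would help the next reader, and dropping the const from the parameter (and its callers) is cleaner than casting it away. Retagging in place also assumes the accel tag's payload is laid out the way consumers of PACKET_TAG_IPSEC_IN_DONE expect; a KASSERT or a comment naming that assumption next to the assignment would catch a future layout change. The old early `return (0);` is removed, so a hw-decrypted packet now reaches the policy lookup below and can be rejected there; that is the stated goal, but it is worth confirming the drop counters and the lastused update on that path behave the same as for the software case.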