On Wed, Mar 16, 2016 at 05:00:26PM +0100, Jiri Bohac wrote:
> xfrm_output() will segment GSO packets, including UDP (UFO) packets.
> this is wrong per RFC4303, section 3.3.4. Fragmentation:
>
>    If necessary, fragmentation is performed after ESP
>    processing within an IPsec implementation. Thus,
>    transport mode ESP is applied only to whole IP
>    datagrams (not to IP fragments).
>
> Prevent xfrm_output() from segmenting UFO packets so that they will be
> fragmented after the xfrm transforms.
>
> Signed-off-by: Jiri Bohac <jbo...@suse.cz>

Fair enough. But I wonder if this is enough. Wouldn't UDP notice
that we're doing IPsec and prefragment the packet anyway? So I think
this check may also be needed in the UDP output path.

Thanks,
--
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt