On Thu, Mar 17, 2016 at 10:41:15AM +0100, Jiri Bohac wrote: > On Thu, Mar 17, 2016 at 01:03:59PM +0800, Herbert Xu wrote: > > On Wed, Mar 16, 2016 at 05:00:26PM +0100, Jiri Bohac wrote: > > > Prevent xfrm_output() from segmenting UFO packets so that they will be > > > fragmented after the xfrm transforms. > > > > Fair enough. But I wonder if this is enough. Wouldn't UDP notice > > that we're doing IPsec and prefragment the packet anyway? So I think > > this check may also be needed in the UDP output path. > > Fixes my broken case.
Is this IPv4 or IPv6? IPv4 should not create a GSO skb if IPsec is done. It checks for rt->dst.header_len in __ip_append_data() and does a fallback to the standard case if rt->dst.header_len is non zero. In IPv6 this check is missing, so this could be the problem if this is IPv6.