[Swan-commit] Changes to ref refs/heads/main

Paul Wouters paul at vault.libreswan.fi
Sun Aug 6 00:16:43 EEST 2023


New commits:
commit 46ce831369f70f740229a3ab0dac9eaeb6ceb6e8
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Sat Aug 5 17:15:18 2023 -0400

    pluto: re-enable nic-offload=auto
    
    Prior to packet offload support, we already were set to auto,
    so we cannot really switch this to disabled now, as it would
    affect everyone who already uses nic crypto offload.

commit aedc17be79b7c328477326dce88ada5f57d712dd
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Sat Aug 5 17:04:16 2023 -0400

    kernel: Add IKE policy exception support
    
    Based on patches by Raed Salem <raeds at nvidia.com>
    Requires Linux kernel 6.3+
    
    In the HW Packet offload path all traffic that matches the policy will
    pass through IPsec, and does not inherit the non-offload IKE policy
    holes to ensure IKE traffic does not (require to) go through IPsec.
    
    For each nic that supports packet offload, add an IKE policy hole in
    HW. This policy has the second highest priority (2) and the IKE UDP
    port number as selector. Two holes are poked (IPv4 and IPv6).

commit 38bda01a5e154835e0e191d752363225ba8d8308
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Sat Aug 5 16:52:09 2023 -0400

    pluto: Support xfrm policy Packet offload
    
    Based on patches by Raed Salem <raeds at nvidia.com>
    Requires Linux kernel 6.3+
    
    NIC Packet offload support mandates also offloading the policies to HW
    so the IPsec data path entirely is offloaded to HW.
    
    Offload the various policies to HW through the XFRM api.

commit 8e77c72cd4d0cb57990aadbe6ab3a08074d71d2d
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Sat Aug 5 15:21:48 2023 -0400

    pluto: Add support for nic-offload=packet
    
    Based on patches by Raed Salem <raeds at nvidia.com>
    Requires Linux kernel 6.3+
    
    This offload extends the current crypto offload where in addition
    to the crypto operations, one can now offload the entire cleartext
    packet to be encapsulated and encrypted by hardware offload.
    
    This includes managing the IPsec SA policy in the offload hardware,
    and requires additional IKE holes for the hardware to ensure IKE
    packets are not required to be ESP encrypted.


