[Swan-commit] Changes to ref refs/heads/main

Paul Wouters paul at vault.libreswan.fi
Tue Jan 16 03:46:07 EET 2024

New commits:
commit 7db75995d0b24edf320fcca0a99c5d9522f14f67
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Mon Jan 15 20:42:10 2024 -0500

    pluto: remove nic-offload=auto
    It is complicated to make this work as we need to load the policy
    matching for crypto or packet offload before we know if packet
    offload is supported for the negotiated parameters of the IPsec SA.
    For now, only allow "packet" or "crypto". Don't attempt any fallbacks
    ourselves. On Linux, the kernel provides crypto to none fallback
    for AEADs (or at least for AES-GCM)

commit 27fb7e3f87a0f78db23319804fb4dbef6db1300c
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Mon Jan 15 19:38:33 2024 -0500

    pluto: handle install_inbound_ipsec_kernel_policy() failure
    This was assumed to never fail, but can fail for various reasons,
    including trying to use hardware offload that does not support the
    current properties of the IPsec SA.
    eg it could install the "in" policy, then try the "fwd" policy and
    fail. But it would continue doing the "out" policy and then claim
    successful IPsec SA.
    This commit does not attempt to cleanup any partially installed
    policies before the failure point.

More information about the Swan-commit mailing list