[Swan-commit] Changes to ref refs/heads/main
Paul Wouters
paul at vault.libreswan.fi
Tue Jan 16 03:46:07 EET 2024
New commits:
commit 7db75995d0b24edf320fcca0a99c5d9522f14f67
Author: Paul Wouters <paul.wouters at aiven.io>
Date: Mon Jan 15 20:42:10 2024 -0500
pluto: remove nic-offload=auto
It is complicated to make this work as we need to load the policy
matching for crypto or packet offload before we know if packet
offload is supported for the negotiated parameters of the IPsec SA.
For now, only allow "packet" or "crypto". Don't attempt any fallbacks
ourselves. On Linux, the kernel provides crypto to none fallback
for AEADs (or at least for AES-GCM).
commit 27fb7e3f87a0f78db23319804fb4dbef6db1300c
Author: Paul Wouters <paul.wouters at aiven.io>
Date: Mon Jan 15 19:38:33 2024 -0500
pluto: handle install_inbound_ipsec_kernel_policy() failure
This was assumed to never fail, but can fail for various reasons,
including trying to use hardware offload that does not support the
current properties of the IPsec SA.
E.g., it could install the "in" policy, then try the "fwd" policy and
fail. But it would continue doing the "out" policy and then claim a
successful IPsec SA.
This commit does not attempt to clean up any partially installed
policies before the failure point.