[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

Ilan Tayari ilant at mellanox.com
Tue Jul 11 12:52:58 UTC 2017


> -----Original Message-----
> From: Paul Wouters [mailto:paul at nohats.ca]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
> 
> On Wed, 5 Jul 2017, Ilan Tayari wrote:
> 
> > I figured out why pluto doesn't complain about NEWSA failure...
> >
> > This line
> >
> > https://github.com/libreswan/libreswan/blob/master/programs/pluto/kernel_netlink.c#L474
> >
> > quiets it because the expected response is NLMSG_NOOP.
> >
> > Do you know why this condition is so? If I remove the NOOP condition then
> > it complains properly about failure to add:
> >
> > "myconn" #2: ERROR: netlink response for Add SA esp.fc8faa72 at 192.168.7.1 included errno 22: Invalid argument
> 
> I checked and it seems Hugh made that change in commit id cff15f8d:
> 
> 
> +       netlink_errno = -rsp.u.e.error;
> +       if (rsp.n.nlmsg_type != expected_resp_type && rsp.n.nlmsg_type ==
> NLMSG_ERROR) {
> +               if (rsp.u.e.error != 0 && expected_resp_type !=
> NLMSG_NOOP) {
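
Review bot: in the inner test `rsp.u.e.error != 0 && expected_resp_type != NLMSG_NOOP`, the second operand means an NLMSG_ERROR response carrying a nonzero errno is never reported when the caller expects NLMSG_NOOP, which matches the quieted errno 22 on Add SA quoted above. A netlink ACK is an NLMSG_ERROR with error 0, so `rsp.u.e.error != 0` alone already separates ACKs from failures; consider dropping the NLMSG_NOOP operand. Separately, netlink_errno is assigned from rsp.u.e.error before the message type is checked, so consider moving that assignment inside the NLMSG_ERROR branch.
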
> 
> Hugh: did you mean:
> 
>  	if (rsp.u.e.error != 0 || expected_resp_type != NLMSG_NOOP) {
> 
> Although it seems just leaving out the 2nd condition makes more sense to
> me?

I see NLMSG_NOOP is used only for add/del SA
(e.g. not for GET and policies)

So netlink_kernel.c would silently ignore failures of add_sa/del_sa, and
only detect the failure later in get_sa?

Is this by design? Hugh, can you explain why?

Thanks.
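
The three conditions discussed in this thread, compared over a few responses, as an added example that is not part of the original message or of libreswan's code. The `EX_`/`ex_` names, the `EX_REPLY` value and the sample responses are constructed for illustration; only the `NLMSG_NOOP` and `NLMSG_ERROR` values are the real ones.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* NLMSG_NOOP and NLMSG_ERROR values from <linux/netlink.h>, repeated under
 * EX_ names so this builds without kernel headers. EX_REPLY is a constructed
 * stand-in for "the reply type a GET-style request expects". */
enum { EX_NLMSG_NOOP = 0x1, EX_NLMSG_ERROR = 0x2, EX_REPLY = 0x100 };

/* Constructed stand-in for rsp.n.nlmsg_type, rsp.u.e.error and expected_resp_type. */
struct ex_case { const char *what; int type; int error; int expected; };

static const struct ex_case ex_cases[] = {
    { "add SA acknowledged",      EX_NLMSG_ERROR, 0,       EX_NLMSG_NOOP },
    { "add SA rejected (EINVAL)", EX_NLMSG_ERROR, -EINVAL, EX_NLMSG_NOOP },
    { "get rejected (ESRCH)",     EX_NLMSG_ERROR, -ESRCH,  EX_REPLY },
    { "get answered",             EX_REPLY,       0,       EX_REPLY },
};
#define EX_NCASES (sizeof(ex_cases) / sizeof(ex_cases[0]))

typedef bool (*ex_check)(const struct ex_case *);

static bool is_unexpected_error(const struct ex_case *c) {
    return c->type != c->expected && c->type == EX_NLMSG_ERROR;
}
/* Inner condition as quoted from the commit. */
static bool check_quoted(const struct ex_case *c) {
    return is_unexpected_error(c) && (c->error != 0 && c->expected != EX_NLMSG_NOOP);
}
/* First suggestion in the reply: || instead of &&. */
static bool check_or(const struct ex_case *c) {
    return is_unexpected_error(c) && (c->error != 0 || c->expected != EX_NLMSG_NOOP);
}
/* Second suggestion in the reply: drop the NLMSG_NOOP test. */
static bool check_errno_only(const struct ex_case *c) {
    return is_unexpected_error(c) && c->error != 0;
}

/* Count kernel-reported failures (nonzero error) that a check does not flag. */
static int count_missed(ex_check check) {
    int missed = 0;
    for (size_t i = 0; i < EX_NCASES; i++)
        if (ex_cases[i].type == EX_NLMSG_ERROR && ex_cases[i].error != 0 && !check(&ex_cases[i]))
            missed++;
    return missed;
}

int main(void) {
    printf("quoted: %d missed, ||: %d missed, errno only: %d missed\n",
           count_missed(check_quoted), count_missed(check_or), count_missed(check_errno_only));
    return 0;
}
```

On these samples only the quoted condition lets a failure through, and it is the rejected add SA; neither suggested variant flags the plain acknowledgement.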

