The inner_ipproto saves the inner IP protocol of the plain
text packet. This allows a vendor's IPsec feature to make the offload
decision at skb's features_check and configure hardware at
ndo_start_xmit. The current code implementation did not handle the
case where IPsec is used in tunnel mode.
Fix by handling the case when IPsec is used in tunnel mode by
reading the protocol of the plain text packet IP protocol.
Fixes: fa4535238fb5 ("net/xfrm: Add inner_ipproto into sec_path")
Signed-off-by: Raed Salem <email address hidden>
Signed-off-by: Steffen Klassert <email address hidden>
(cherry picked from commit 45a98ef4922def8c679ca7c454403d1957fe70e7)
Signed-off-by: Bodong Wang <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Luke Nowakowski-Krijger <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

The inner_ipproto saves the inner IP protocol of the plain
text packet. This allows a vendor's IPsec feature to make the offload
decision at skb's features_check and configure hardware at
ndo_start_xmit.
For example, the ConnectX6-DX IPsec device needs the plaintext's
IP protocol to support partial checksum offload on
VXLAN/GENEVE packets over an IPsec transport mode tunnel.

This option will disable unprivileged BPF by default. It can be reenabled,
though, as it uses the new value 2 for the kernel.unprivileged_bpf_disabled
sysctl. That value disables it, but allows the sysctl knob to be set back
to 0.
This allows sysadmins to enable unprivileged BPF back by using sysctl
config files.
Follow changes made in primary kernel.
Signed-off-by: Stefan Bader <email address hidden>