Thanks! Sorry for the long delay. During testing, I actually noticed a regression.

While my patch fixes the packet drops I observed if the esp4|6_offload module is *not* loaded, by not modifying the skb metadata of the received packets, the latter actually breaks GRO offload for UDP-encapsulated ESP packets if the module *is* loaded (the whole point of that code path :-/). That's because the GRO ESP handling function that follows the patched code looks up the packet's SPI based on skb metadata (transport header) and not GRO metadata (GRO offset). Since my patch indirectly dropped updating the former, the SPI for the ESP state lookup is parsed from the UDP header and not the ESP header. So all these packets fall back to the slow path because no SA is found in the GRO path.

So far, no IKE daemon sets the UDP_GRO flag together with UDP_ENCAP_ESPINUDP on UDP sockets, so the current behavior doesn't really change by applying the patch (i.e. UDP-encapsulated ESP packets take the slow path). And if the offload module is not loaded, which is the default, it still fixes the original issue when an IKE daemon actually does set UDP_GRO. So maybe applying the patch already now could still be an option.

Anyway, I have submitted a fix on top of the patch. It got applied to the ipsec tree (https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit/?id=3ac9e29211fa2df5539ba0d742c8fe9fe95fdc79) and will eventually get merged/backported to the other trees.

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2113868

Title: Backport request for fix for IPsec UDP GRO option issue

Status in linux package in Ubuntu: Incomplete

Bug description:

Since kernel v6.7, GRO offloading of UDP-encapsulated ESP packets is supported. This is enabled for individual UDP sockets via the UDP_ENCAP_ESPINUDP and UDP_GRO options. Unfortunately, the original implementation caused issues in some cases.
In particular, if the esp4_offload/esp6_offload modules are not loaded (the default), this could prevent IKE or UDP-encapsulated ESP packets from getting received on such a socket. As this happens in the kernel's GRO layer, there is no indication to the user that a packet was received and dropped (e.g. in tcpdump/Wireshark or Netfilter). So it's difficult to debug.

A fix for this issue was included in v6.15 and backported to the two affected stable/longterm trees (6.14 and 6.12):

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e3fd0577768584ece824c8b661c40fb3d912812a

But because the kernels in Ubuntu 22.04 LTS (HWE) and 24.04 LTS (HWE) are 6.8 and 6.11, which are both affected but no official longterm kernels, the fix might not get backported automatically. So I'd like to request a backport explicitly because we intend to enable the UDP_GRO option in the next strongSwan release, which some users are likely going to run on Ubuntu LTS.
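The SPI mix-up described in the comment at the top of this message, as an added user-space illustration (not kernel code and not part of the original message): for an ESP-in-UDP datagram (RFC 3948), reading the SPI at the UDP header instead of the ESP header yields the source/destination port pair, so no SA can match. All function names and the sample packet are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDP_HDR_LEN 8

enum natt_kind { NATT_TOO_SHORT, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

/* Read a 32-bit value in network byte order. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify a datagram (starting at its UDP header) per RFC 3948. */
static enum natt_kind natt_classify(const uint8_t *udp, size_t len)
{
    size_t plen;

    if (len < UDP_HDR_LEN)
        return NATT_TOO_SHORT;
    plen = len - UDP_HDR_LEN;
    if (plen == 1 && udp[UDP_HDR_LEN] == 0xff)
        return NATT_KEEPALIVE;          /* NAT keepalive: single 0xFF byte */
    if (plen < 4)
        return NATT_TOO_SHORT;
    if (be32(udp + UDP_HDR_LEN) == 0)
        return NATT_IKE;                /* non-ESP marker: four zero bytes */
    return NATT_ESP;
}

/* Correct: SPI is the first ESP field, located past the UDP header.
 * Call only after natt_classify() returned NATT_ESP. */
static uint32_t spi_at_esp_header(const uint8_t *udp) { return be32(udp + UDP_HDR_LEN); }

/* Effect of the regression: parsing at the UDP header gives the two ports. */
static uint32_t spi_at_udp_header(const uint8_t *udp) { return be32(udp); }

/* Constructed sample: UDP 4500 -> 4500, length 24, SPI 0xc0ffee01, seq 1. */
static const uint8_t sample_esp[] = {
    0x11, 0x94, 0x11, 0x94, 0x00, 0x18, 0x00, 0x00,
    0xc0, 0xff, 0xee, 0x01, 0x00, 0x00, 0x00, 0x01,
    0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    if (natt_classify(sample_esp, sizeof(sample_esp)) == NATT_ESP)
        printf("SPI at ESP header: 0x%08x, at UDP header: 0x%08x\n",
               (unsigned)spi_at_esp_header(sample_esp),
               (unsigned)spi_at_udp_header(sample_esp));
    return 0;
}
```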

