On Thu, Dec 27, 2018 at 01:32:14PM +0000, Raed Salem wrote: > In xfrm_input() when called with IPsec hardware offload done and without GRO, > encap_type == 0, we end up skipping esp_input_tail as crypto_done is set only > within GRO code path, fix by move out crypto_done assignment from the GRO > code path and change code accordingly
We currently don't support IPsec hardware offload without GRO enabled. This is because the IPsec hardware offload does not decapsulate the packet. So the reverse policy check is done on the outer header instead of the inner header for tunnel mode. This means that the reverse policy check will fail for almost all tunnel mode configurations. The packet must be decapsulated before we do the policy check, and that's not the case without GRO. How did you test this?
