pluto: check various incompatible settings with nic-offload=packet|auto #1512
Conversation
paulwouters
commented
Jan 3, 2024
paulwouters
commented
- Limit the replay-window size to what is supported in known HW. (but what to do with replay-window=0 and it disabling ESN?)
- Only allow ESP, not AH or IPTFS
- Do not allow compression
- TODO: what about tfcpad= , encap-dscp, nopmtudisc, ikepad, encapsulation,
- Limit the replay-window size to what is supported in known HW. (but what to do with replay-window=0 and it disabling ESN?) - Only allow ESP, not AH or IPTFS - Do not allow compression - TODO: what about tfcpad= , encap-dscp, nopmtudisc, ikepad, encapsulation,
|
Looks good. about replay-window=0 we can't do anything - what happens in that case is defined by rfc, only thing we might do is give warning, but warning like "Warning: reply-window=0 (disable) also disables ESN, not suitable for fast transfer speeds" |
|
Why not probe the hardware. |
|
On Jan 7, 2024, at 12:35, cagney ***@***.***> wrote:
Why not probe the hardware.
Combinatory explosion?
Not guaranteed the hardware throws an error?
It’s worth doing this, once we see more hardware implementations. This is indeed a bit of a bandaid. Perhaps there will be proper features discovery call in Linux in the future ?
Note also technically, you might not know over which nic a future IPsec tunnel would go over, so you might not know which interface probe answers to use.
Paul
|
Or at least the kernel.[hc]. Adding: to generic code should, minimally, raise an eyebrow.
A valid point. Pluto already handles this though with per-interface hw detection vis: However, a grep of where that field is referenced only turns up kernel*.c - shouldn't there be a check in orient() so that a connection with hw-offload=yes only picks those interfaces. Ditto for the above? |
|
BTW
isn't copy the code; rather orient ask the kernel if the interface can support offload with a given set of parameters |
Per libreswan#1512 this should have been stopped during orientation.
