Message ID | 20181011214540.320-1-pablo@netfilter.org |
---|---|
State | Deferred |
Delegated to: | Pablo Neira |
Series | [nf-next] netfilter: nft_flow_offload: remove secpath check |

On Thu, Oct 11, 2018 at 11:45:40PM +0200, Pablo Neira Ayuso wrote:
> It is safe to place a flow that is coming from IPSec into the flowtable.
> So decapsulated can benefit from the flowtable fastpath.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> ---
> I'm recovering this patch, this enables faster flowtable forwarding from
> ingress. Florian has been asking for a way to restore the xfrm cache,
> and I remember Steffen mentioned this two liner should be just enough to
> combine the flowtable infrastructure with ipsec.

Yes, it was this and we need to relax the requirement to see traffic
in both directions before offloading to the flowtable (if I remember
correct).

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index d6bab8c3cbb0..bb21748153ae 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -54,8 +54,6 @@ static bool nft_flow_offload_skip(struct sk_buff *skb) if (unlikely(opt->optlen)) return true; - if (skb_sec_path(skb)) - return true; return false; }
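
Review bot: the removal of the `skb_sec_path(skb)` test at the end of nft_flow_offload_skip() is justified only by "It is safe" in the commit message, with no reason given. Among the lines visible in this hunk, the only remaining skip test is the IP options one (`opt->optlen`), so packets that arrive carrying a secpath are no longer excluded here. Please state in the commit message why that is safe, in particular what still applies the IPsec handling to later packets of the flow once they take the flowtable fastpath. The reply in this thread also says the requirement to see traffic in both directions has to be relaxed before offloading; if this change depends on that, post the two together or note the dependency in the changelog.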