author Andrew Gallatin <gallatin@FreeBSD.org> 2020-05-11 19:17:33 +0000
committer Andrew Gallatin <gallatin@FreeBSD.org> 2020-05-11 19:17:33 +0000
commit 6043ac201ab3ce0df2342c8453a7375157b0f860
tree 0b373fe6ed420159f7617654515e540ec9e6f054
parent 17dd52dfabf67afde97d032ec897769ed09c76ca
Ktls: never skip stamping tags for NIC TLS

The newer RACK and BBR TCP stacks have added a mechanism to disable hardware packet pacing for TCP retransmits. This mechanism works by skipping the send-tag stamp on rate-limited connections when the TCP stack calls ip_output() with the IP_NO_SND_TAG_RL flag set.

When doing NIC TLS, we must ignore this flag, as NIC TLS packets must always be stamped. Failure to stamp a NIC TLS packet will result in crypto issues.

Reviewed by: hselasky, rrs
Sponsored by: Netflix, Mellanox

Notes: svn path=/head/; revision=360914
-rw-r--r-- sys/netinet/ip_output.c 4
-rw-r--r-- sys/netinet6/ip6_output.c 4
2 files changed, 8 insertions, 0 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 22f223d97d03..6c31793d296b 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -242,6 +242,10 @@ ip_output_send(struct inpcb *inp, struct ifnet *ifp, struct mbuf *m,
error = EAGAIN;
goto done;
}
+ /*
+ * Always stamp tags that include NIC ktls.
+ */
+ stamp_tag = true;
}
#endif
#ifdef RATELIMIT
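Review bot: the new comment above `stamp_tag = true;` says what is done but not what it overrides or why. Per the commit message, this assignment exists to cancel the IP_NO_SND_TAG_RL request coming from the RACK and BBR stacks, and an unstamped NIC TLS packet leads to crypto issues; suggest naming the flag and that consequence in the comment so a later cleanup does not drop the line as redundant. Because the assignment sits just before the `#ifdef RATELIMIT` section, it is also worth confirming that nothing later in ip_output_send() resets stamp_tag from the flags.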
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index de3c211a11f5..0c46c7944d8e 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -353,6 +353,10 @@ ip6_output_send(struct inpcb *inp, struct ifnet *ifp, struct ifnet *origifp,
error = EAGAIN;
goto done;
}
+ /*
+ * Always stamp tags that include NIC ktls.
+ */
+ stamp_tag = true;
}
#endif
#ifdef RATELIMIT
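Review bot: the four added lines in ip6_output_send() are an exact copy of the ones added to ip_output_send(), so the rule that NIC TLS overrides IP_NO_SND_TAG_RL now lives in two places that have to be kept in step. Consider moving the override `stamp_tag = true;` together with the check that precedes it into a helper shared by the IPv4 and IPv6 paths, or at least have each comment point at the other site.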