ipsec offload: make hw-decrypted plain text packet like sw decrypted.

Mark hw-decrypted mbufs with M_DECRYPTED in the CHECK_POLICY() hook,
when the flag is owned by IPSEC.

Convert PACKET_TAG_IPSEC_ACCEL_IN to PACKET_TAG_IPSEC_IN_DONE to
provide the xform history for ipsec transform history check.

The hw-decrypted packets are then subject to exactly the same checks at
CHECK_POLICY() hooks as the sw-decrypted packets.  This includes the
policy checking, and updating the corresponding policy's lastused field,
needed for IKE daemons to track association lifetime.

Reviewed by:	Ariel Ehrenberg <aehrenberg@nvidia.com>, slavash
Sponsored by:	Nvidia networking
Konstantin Belousov 2025-07-07 21:01:34 +03:00
parent 72c9ad9331
commit 5be5a0bde5
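The commit message's point, that an early `return (0)` on the offload path let hardware-decrypted packets bypass the inbound policy check and the lastused update, can be shown with a small model. The following is an added C example written for this page, not FreeBSD code: the `pkt`, `mtag` and `secpolicy` structs, the tag and policy enums, `policy_check()`, `in_reject_old()`, `in_reject_new()` and `hw_esp_packet()` are all simplified stand-ins assumed for illustration, and the packet they operate on is constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of FreeBSD's inbound IPsec policy check; names are invented for
 * this example and do not match the kernel's mbuf/xform structures. */
enum tag_id { TAG_NONE = 0, TAG_IPSEC_ACCEL_IN, TAG_IPSEC_IN_DONE };
enum proto { PROTO_ESP = 50, PROTO_AH = 51 };
enum policy { POLICY_DISCARD, POLICY_BYPASS, POLICY_IPSEC };

#define M_DECRYPTED 0x01
#define MAX_TAGS 4

struct mtag { enum tag_id id; int proto; };          /* one packet tag */
struct pkt { unsigned flags; int ntags; struct mtag tags[MAX_TAGS]; };
struct secpolicy { enum policy policy; int proto; long lastused; };

/* Find the tag the NIC driver attached to a packet it decrypted in hardware. */
static struct mtag *accel_input_tag_lookup(struct pkt *m)
{
    for (int i = 0; i < m->ntags; i++)
        if (m->tags[i].id == TAG_IPSEC_ACCEL_IN)
            return &m->tags[i];
    return NULL;
}

/* Policy check shared by sw- and hw-decrypted packets.  Returns nonzero to
 * reject.  For an IPSEC policy the packet must carry a completed transform
 * (an IN_DONE tag) of the protocol the policy demands; on success the
 * policy's lastused field is refreshed for the IKE daemon. */
static int policy_check(struct pkt *m, struct secpolicy *sp, long now)
{
    switch (sp->policy) {
    case POLICY_DISCARD: return 1;
    case POLICY_BYPASS:  return 0;
    case POLICY_IPSEC:   break;
    }
    for (int i = 0; i < m->ntags; i++) {
        if (m->tags[i].id == TAG_IPSEC_IN_DONE && m->tags[i].proto == sp->proto) {
            sp->lastused = now;
            return 0;
        }
    }
    return 1;
}

/* Pre-change behaviour: an accelerator-tagged packet is accepted before any
 * policy lookup, so the policy is never consulted and lastused never moves. */
int in_reject_old(struct pkt *m, struct secpolicy *sp, long now)
{
    if (accel_input_tag_lookup(m) != NULL)
        return 0;
    return policy_check(m, sp, now);
}

/* Post-change behaviour: relabel the accel tag as a completed transform,
 * mark the packet M_DECRYPTED and fall through to the common check. */
int in_reject_new(struct pkt *m, struct secpolicy *sp, long now)
{
    struct mtag *tag = accel_input_tag_lookup(m);
    if (tag != NULL) {
        tag->id = TAG_IPSEC_IN_DONE;
        m->flags |= M_DECRYPTED;
    }
    return policy_check(m, sp, now);
}

/* Constructed sample: a packet the NIC decrypted as ESP. */
struct pkt hw_esp_packet(void)
{
    struct pkt m;
    memset(&m, 0, sizeof m);
    m.ntags = 1;
    m.tags[0].id = TAG_IPSEC_ACCEL_IN;
    m.tags[0].proto = PROTO_ESP;
    return m;
}

int main(void)
{
    struct secpolicy sp = { POLICY_IPSEC, PROTO_AH, 0 };   /* policy wants AH */
    struct pkt m = hw_esp_packet();
    printf("old: reject=%d lastused=%ld\n", in_reject_old(&m, &sp, 100), sp.lastused);
    m = hw_esp_packet();
    printf("new: reject=%d lastused=%ld\n", in_reject_new(&m, &sp, 100), sp.lastused);
    sp.proto = PROTO_ESP;                                   /* policy wants ESP */
    m = hw_esp_packet();
    printf("new: reject=%d lastused=%ld flags=%#x\n",
           in_reject_new(&m, &sp, 200), sp.lastused, m.flags);
    return 0;
}
```

With a policy that requires AH, the old path accepts the hardware-decrypted ESP packet without looking at the policy at all; the new path rejects it, and when the policy does match it both accepts the packet and refreshes lastused, exactly as a software-decrypted packet would.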

@ -636,8 +636,10 @@ ipsec4_in_reject1(const struct mbuf *m, struct ip *ip1, struct inpcb *inp)
#ifdef IPSEC_OFFLOAD
tag = ipsec_accel_input_tag_lookup(m);
if (tag != NULL)
return (0);
if (tag != NULL) {
tag->tag.m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
__DECONST(struct mbuf *, m)->m_flags |= M_DECRYPTED;
}
#endif
if (ip1 == NULL) {
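Review bot: `__DECONST(struct mbuf *, m)->m_flags |= M_DECRYPTED;` writes through a parameter the prototype declares `const struct mbuf *m`; now that ipsec4_in_reject1() mutates both the tag (`tag->tag.m_tag_id = PACKET_TAG_IPSEC_IN_DONE;`) and the mbuf itself, the cleaner fix is to drop the `const` from the parameter (and adjust callers) rather than cast it away at the point of the write, so the signature stops promising something the function no longer honours. Also, the commit message says M_DECRYPTED is set "when the flag is owned by IPSEC", but this hunk sets it for every mbuf carrying the accel tag with no such condition visible; if that ownership is guaranteed by the driver before the tag is attached, a one-line comment here saying so would save the next reader a trip through the offload path. Note that the rendered diff has lost its +/- markers, so the removed `return (0);` and the replacement block both appear as plain lines.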