Revision 7ba0e83acc458e8e3c20cc70e31542c0f22f093f authored by John Fastabend on 17 September 2020, 00:39:02 UTC, committed by christarazi on 29 September 2020, 23:45:25 UTC
Currently, enabling IPsec and a feature that uses a from-netdev program type may conflict when both attempt to load on the network-facing device. If this happens then init.sh will load the ipsec program from-network and then after that the golang bpf loader will replace it with the from-netdev program. Which could be OK if the from-netdev program handled IPsec decryption correctly. Unfortunately, it doesn't and what we get is dropped ESP (IPsec encryption protocol) packets and broken connections.

To fix, teach from-netdev how to handle ingress IPsec decryption. And while doing this, clean up the encryption code blocks so encryption/decryption logic is split into from_host and from_network parts. This way encrypt piece is used in from_host and decrypt is used in from_network case.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
1 parent 9ed106a