Ktls: never skip stamping tags for NIC TLS

The newer RACK and BBR TCP stacks have added a mechanism
to disable hardware packet pacing for TCP retransmits.
This mechanism works by skipping the send-tag stamp
on rate-limited connections when the TCP stack calls
ip_output() with the IP_NO_SND_TAG_RL flag set.

When doing NIC TLS, we must ignore this flag, as
NIC TLS packets must always be stamped.  Failure
to stamp a NIC TLS packet will result in crypto
issues.

Reviewed by:	hselasky, rrs
Sponsored by:	Netflix, Mellanox
Andrew Gallatin 2020-05-11 19:17:33 +00:00
parent 17dd52dfab
commit 6043ac201a
2 changed files with 8 additions and 0 deletions
@ -242,6 +242,10 @@ ip_output_send(struct inpcb *inp, struct ifnet *ifp, struct mbuf *m,
error = EAGAIN;
goto done;
}
/*
* Always stamp tags that include NIC ktls.
*/
stamp_tag = true;
}
#endif
#ifdef RATELIMIT
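Review bot: the unconditional `stamp_tag = true;` is assigned inside the ktls block immediately before the `#ifdef RATELIMIT` section, but the context does not show what that section does with `stamp_tag`; since the commit message says the `IP_NO_SND_TAG_RL` path must be ignored for NIC TLS, please confirm that the RATELIMIT code below cannot clear a `stamp_tag` that this hunk has just set (for example by guarding its own assignment with `if (!stamp_tag)` or by checking the tag type), otherwise the fix is undone a few lines later. The comment `Always stamp tags that include NIC ktls.` would also be more useful to a future reader if it carried the reason from the commit message, e.g. "NIC TLS packets must always be stamped; an unstamped packet desynchronises the NIC crypto state", so nobody later "optimises" the assignment away.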
@ -353,6 +353,10 @@ ip6_output_send(struct inpcb *inp, struct ifnet *ifp, struct ifnet *origifp,
error = EAGAIN;
goto done;
}
/*
* Always stamp tags that include NIC ktls.
*/
stamp_tag = true;
}
#endif
#ifdef RATELIMIT
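Review bot: this hunk in `ip6_output_send()` is a verbatim copy of the one in `ip_output_send()`, including the comment and the placement of `stamp_tag = true;` right before `#ifdef RATELIMIT`; consider factoring the "must this tag be stamped" decision into one shared helper so the IPv4 and IPv6 paths cannot drift apart the next time the stamping rules change, and apply the same check as for the IPv4 hunk that the following RATELIMIT block does not reset `stamp_tag` for NIC TLS sends.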