Ktls: never skip stamping tags for NIC TLS

The newer RACK and BBR TCP stacks have added a mechanism
to disable hardware packet pacing for TCP retransmits.
This mechanism works by skipping the send-tag stamp
on rate-limited connections when the TCP stack calls
ip_output() with the IP_NO_SND_TAG_RL flag set.

When doing NIC TLS, we must ignore this flag, as
NIC TLS packets must always be stamped.  Failure
to stamp a NIC TLS packet will result in crypto
issues.

Reviewed by:	hselasky, rrs
Sponsored by:	Netflix, Mellanox
This commit is contained in:
Andrew Gallatin 2020-05-11 19:17:33 +00:00
parent 17dd52dfab
commit 6043ac201a
2 changed files with 8 additions and 0 deletions

View File

@ -242,6 +242,10 @@ ip_output_send(struct inpcb *inp, struct ifnet *ifp, struct mbuf *m,
error = EAGAIN; error = EAGAIN;
goto done; goto done;
} }
/*
* Always stamp tags that include NIC ktls.
*/
stamp_tag = true;
} }
#endif #endif
#ifdef RATELIMIT #ifdef RATELIMIT

View File

@ -353,6 +353,10 @@ ip6_output_send(struct inpcb *inp, struct ifnet *ifp, struct ifnet *origifp,
error = EAGAIN; error = EAGAIN;
goto done; goto done;
} }
/*
* Always stamp tags that include NIC ktls.
*/
stamp_tag = true;
} }
#endif #endif
#ifdef RATELIMIT #ifdef RATELIMIT