src/sys/netipsec, branch main

ipsec_offload: add comment stating why ipsec_accel_sa_newkey_cb() returns 0

2026-02-25T17:19:36Z

Reviewed by: slavash Tested by: Wafa Hamzah Sponsored by: NVidia networking MFC after: 1 week

netipsec/ipsec_offload.c: handle failures to install SA nicely

2026-02-25T17:19:36Z

If driver refused to install SA, record rejected handle for SA on the interface always, not only for EOPNOTSUPP case. The ipsec_accel_output() function did the right thing if there is no rejection handle, but not having the handle allows further attempts to install the SA on the interface. If driver installed the SA, but ipsec_accel_handle_sav() returned error, uninstall the SA from the interface. Hardware must not be set up to process packets for which kernel expects no processing is done. In both cases, free the drv_spi if a handle was not installed. But keep drv_spi allocated if the deinstall returned an error from the driver. Reviewed by: slavash Tested by: Wafa Hamzah Sponsored by: NVidia networking MFC after: 1 week

net: Remove the IFF_RENAMING flag

2026-02-10T13:45:06Z

This used to be needed when interface renames were broadcast using the ifnet_departure_event eventhandler, but since commit 349fcf079ca3 ("net: add ifnet_rename_event EVENTHANDLER(9) for interface renaming"), it has no purpose. Remove it. Reviewed by: pouria, zlei Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D55171

sys/netipsec: ensure sah stability during input callback processing

2025-12-22T12:31:25Z

Citing ae: this fixes some rare panics, that are reported in derived projects: `panic: esp_input_cb: Unexpected address family'. Reported by: ae Tested by: ae, Daniel Dubnikov Reviewed by: ae, Ariel Ehrenberg (previous version) Sponsored by: NVidia networking MFC after: 1 week Differential revision: https://reviews.freebsd.org/D54325

ipsec: Fix typos in references to IPsec's ESP

2025-12-04T15:17:12Z

ESP is "Encapsulating Security Payload", not "Encapsulated Security Payload". This patch fixes all the place in the tree I could find with `grep -i encapsulated security`. MFC after: 3 days Reviewed by: ae Differential Revision: https://reviews.freebsd.org/D53769

ipsec_offload: do not leak drv_spi unr

2025-11-04T19:20:39Z

in the ipsec_accel_sa_newkey_cb() when the SA offload is only enabled on a specific different interface, not the current one. Also remove no longer relevant XXX comment. Noted and reviewed by: slavash Sponsored by: NVidia networking MFC after: 1 week

ipsec offload: never return error from the newkey/spdadd callbacks

2025-10-30T14:54:36Z

Returning an error causes premature termination of if_foreach_sleep() loop over the interfaces. Whatever problem we have with the specific interface trying to install an element, should not prevent an attempt to install the same element into all other interfaces. Noted by: Ariel Ehrenberg Sponsored by: NVidia networking MFC after: 1 week

netipsec: Use proper prototype for SYSINIT functions

2025-10-13T10:12:33Z

MFC after: 1 week

ipsec offload: ipsec_accel_fill_xh() should indirect through fn pointer

2025-07-17T10:57:35Z

The config with IPSEC_SUPPORT + IPSEC_OFFLOAD is the valid one. Fixes: 5be5a0bde5f990dbc680272eee74132bcde815f2 Sponsored by: Nvidia networking

ipsec offload: make hw-decrypted plain text packet like sw decrypted.

2025-07-17T09:36:30Z

Mark hw-decrypted mbufs with M_DECRYPTED in the CHECK_POLICY() hook, when the flag is owned by IPSEC. Convert PACKET_TAG_IPSEC_ACCEL_IN to PACKET_TAG_IPSEC_IN_DONE to provide the xform history for ipsec transform history check. The hw-decrypted packets are then subject to exactly the same checks at CHECK_POLICY() hooks as the sw-decrypted packet. This includes the policy checking, and updating the corresponding policy' lastused field, needed for IKE daemons to track association lifetime. Reviewed by: Ariel Ehrenberg , slavash Sponsored by: Nvidia networking