On Thu, Mar 17, 2016 at 10:41:15AM +0100, Jiri Bohac wrote:

On Thu, Mar 17, 2016 at 01:03:59PM +0800, Herbert Xu wrote:

quoted

On Wed, Mar 16, 2016 at 05:00:26PM +0100, Jiri Bohac wrote:

quoted

Prevent xfrm_output() from segmenting UFO packets so that they will be
fragmented after the xfrm transforms.

Fair enough.  But I wonder if this is enough.  Wouldn't UDP notice
that we're doing IPsec and prefragment the packet anyway? So I think
this check may also be needed in the UDP output path.

Fixes my broken case. 

Is this IPv4 or IPv6? IPv4 should not create a GSO skb
if IPsec is done. It checks for rt->dst.header_len
in __ip_append_data() and does a fallback to the
standard case if rt->dst.header_len is non zero.

In IPv6 this check is missing, so this could be the
problem if this is IPv6.