On Thu, Mar 17, 2016 at 11:49:53AM +0100, Jiri Bohac wrote:

On Thu, Mar 17, 2016 at 11:24:59AM +0100, Steffen Klassert wrote:

quoted

quoted

quoted

On Wed, Mar 16, 2016 at 05:00:26PM +0100, Jiri Bohac wrote:

Fixes my broken case. 

Is this IPv4 or IPv6? IPv4 should not create a GSO skb
if IPsec is done. It checks for rt->dst.header_len
in __ip_append_data() and does a fallback to the
standard case if rt->dst.header_len is non zero.

It's IPv6.

quoted

In IPv6 this check is missing, so this could be the
problem if this is IPv6.

Doesn't the check do exactly the opposite of what the RFC says?
The RFC wants ESP to be performed first and fragmentation after
that. UDPv4 currently seems to be doing the opposite. 

No, __ip_append_data() only prepares the packets for fragmentation
and enqueues them. Then __ip_make_skb() dequeues and builds
one skb with a fraglist. Then the xfrm layer is called, so
esp linearizes (unfortunately) the skb and applies the
transformation. Fragmentation happens after that.