Open cagney opened 6 months ago
On Tue, 21 May 2024, The Libreswan Vault wrote:
Subject: Re: [libreswan/libreswan] make probing nic_offload really on-demand
Closed #1701 as completed via 9a13acb.
This seems wrong?
commit 9a13acb10937b28e823a4cd436f3fad53dbc4281 (HEAD -> main, origin/main)
Author: Andrew Cagney @.***>
Date: Tue May 21 15:20:04 2024 -0400

ipsec globalstatus: only list algs approved by ike_alg

fix #1701 in ipsec stats use ike_alg to select algorithm stats to be shown
I don't see this being related to nic_offload?
The complication is:
* Policy Packet nic offload requires us to poke an IPsec policy
* hole that allows IKE packets. This installs one IPsec policy
* per interface (that supports offload), this function is called
* for port 500.
which happens when the interface is detected. If probing the interface is to be made on-demand then so too is poking this hole.
I've been playing with probing when adding connections. I find the behaviour a little weird - announcing that an interface supports offload better fits with adding the interface and not the connection. With that in mind, I think adding knobs to `ipsec start` (it invokes addconn, which triggers a listen unconditionally; the only way round this is to invoke pluto directly, oops) might be better.
moving to 5.2; #1753 provides an immediate solution
per #1697:

in 4.x and 5.0 the code probes the kernel to see if it supports nic_offload while adding an interface; which effectively means during startup (when `ipsec listen` is run). The code should instead probe nic_offload on an interface when a connection tries to orient to it.