It is safe to place a flow that is coming from IPSec into the flowtable. So decapsulated can benefit from the flowtable fastpath. Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx> --- I'm recovering this patch, this enables faster flowtable forwarding from ingress. Florian has been asking for a way to restore the xfrm cache, and I remember Steffen mentioned this two liner should be just enough to combine the flowtable infrastructure with ipsec. net/netfilter/nft_flow_offload.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index d6bab8c3cbb0..bb21748153ae 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -54,8 +54,6 @@ static bool nft_flow_offload_skip(struct sk_buff *skb) if (unlikely(opt->optlen)) return true; - if (skb_sec_path(skb)) - return true; return false; } -- 2.11.0
