Re: [PATCH nf 1/2] selftests: netfilter: extend flowtable test script for ipsec


 



On Tue, Jul 30, 2019 at 02:57:18PM +0200, Florian Westphal wrote:
> 'flow offload' expression should not offload flows that will be subject
> to ipsec, but it does.
> 
> This results in a connectivity blackhole for the affected flows -- first
> packets will go through (offload happens after established state is
> reached), but all remaining ones bypass ipsec encryption and are thus
> discarded by the peer.
> 
> This can be worked around by adding "rt ipsec exists accept"
> before the 'flow offload' rule matches.
> 
> This test case will fail, support for such flows is added in
> next patch.

Applied, thanks Florian.
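
The workaround named in the quoted commit message, written out as a ruleset. This is an added example, not part of the patch or its selftest; the table, chain and flowtable names and the veth0/veth1 devices are assumptions.

```nft
# Constructed example: names and devices are placeholders.
table inet filter {
	flowtable f1 {
		hook ingress priority 0
		devices = { veth0, veth1 }
	}

	chain forward {
		type filter hook forward priority 0; policy accept;

		# Packets whose route carries an xfrm (ipsec) transform take the
		# accept verdict here, so evaluation of this chain stops and the
		# flow is never handed to the flowtable. They stay on the normal
		# forwarding path and get encrypted.
		rt ipsec exists accept

		# Only flows that reach this rule are offloaded. Without the rule
		# above, an ipsec flow would be offloaded once established and its
		# later packets would bypass encryption.
		meta l4proto tcp flow offload @f1
	}
}
```

Rule order matters: if the `flow offload` rule comes first, the `rt ipsec exists` rule is never evaluated for the flows it is meant to protect.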


