Re: [PATCH net v3] net: tls: use sync AEAD for sk_msg BPF sockets

From: Jakub Kicinski

Date: Thu May 28 2026 - 19:49:04 EST


On Wed, 27 May 2026 12:16:02 -0700 John Fastabend wrote:
> One option is we start rejecting these helpers? That would resolve most
> of the pain I suspect. The original thought was we do have use cases
> now for userspace proxy where we insert headers.

Rejecting the helpers would solve all the recent security issues, IIRC.
I couldn't think of a clean way to do that; are you thinking of adding
a bit into the skmsg like "from ktls" or "fixed stream" (kinda like
we have at_ingress)?

> > > Yes, we asked John F off-list to get his attention and I think there's
> > > only a vague plan to start using kTLS + sockmap, no current user
> > > (sorry if I misread / misremembered).
>
> I'm not against a cleaner solution here.
>
> Another idea: We just add a simple sockops BPF hook with the sk_buff?
> No updating sg lists, manipulating data packet sizes and so on.

TBH I don't think the existing solution is particularly unclean.
It's just complex enough that it'd benefit from getting removed and
re-added, 'cause the re-add would undergo the modern LLM reviewer
bashing that should hopefully shake out most of the bugs.
Trying to do this surgery now, as urgent fixes, is quite constraining.