From: Antony Antony <antony.antony@secunet.com>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Paul Wouters <paul@nohats.ca>,
Andreas Steffen <andreas.steffen@strongswan.org>,
Tobias Brunner <tobias@strongswan.org>,
Antony Antony <antony@phenome.org>, Tuomo Soini <tis@foobar.fi>,
"David S. Miller" <davem@davemloft.net>, <netdev@vger.kernel.org>,
<devel@linux-ipsec.org>, Leon Romanovsky <leon@kernel.org>
Subject: Re: [devel-ipsec] [PATCH RFC ipsec-next] pfkey: Deprecate pfkey
Date: Wed, 9 Jul 2025 07:42:47 +0200
Message-ID: <aG4BV8I8ig67NhXS@moon.secunet.de>
In-Reply-To: <aGd60lOmCtytjTYU@gauss3.secunet.de>
On Fri, Jul 04, 2025 at 08:55:14 +0200, Steffen Klassert via Devel wrote:
> The pfkey user configuration interface was replaced by the netlink
> user configuration interface more than a decade ago. In between
> all maintained IKE implementations moved to the netlink interface.
> So let 'config NET_KEY' default to no in Kconfig. The pfkey code
> will be removed in a second step.
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Antony Antony <antony.antony@secunet.com>
I have tested libreswan and strongSwan with CONFIG_NET_KEY=n, without HW offload.
And I would also like to get a confirmation that hardware offload, crypto
offload and packet offload work with CONFIG_NET_KEY=n.
I understand this patch is independent of HW offload.
However, IMHO it is good to confirm now. Otherwise I imagine
distributions will flip CONFIG_NET_KEY=y to get HW offload working,
which will make it harder to deprecate PF_KEY/NET_KEY.
Paul or Leon - would you like to confirm with
CONFIG_NET_KEY=n XFRM HW offload still works?
-antony
> ---
> net/xfrm/Kconfig | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
> index f0157702718f..aedea7a892db 100644
> --- a/net/xfrm/Kconfig
> +++ b/net/xfrm/Kconfig
> @@ -110,14 +110,17 @@ config XFRM_IPCOMP
> select CRYPTO_DEFLATE
>
> config NET_KEY
> - tristate "PF_KEY sockets"
> + tristate "PF_KEY sockets (deprecated)"
> select XFRM_ALGO
> + default n
> help
> PF_KEYv2 socket family, compatible to KAME ones.
> - They are required if you are going to use IPsec tools ported
> - from KAME.
>
> - Say Y unless you know what you are doing.
> + The PF_KEYv2 socket interface is deprecated and
> + scheduled for removal. Please use the netlink
> + interface (XFRM_USER) to configure IPsec.
> +
> + If unsure, say N.
>
> config NET_KEY_MIGRATE
> bool "PF_KEY MIGRATE"
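Review bot: The added "default n" under "config NET_KEY" is redundant, because a Kconfig symbol with no default line already defaults to n, so the only effective change in this hunk is the prompt and help text (dropping "Say Y unless you know what you are doing" for "If unsure, say N"). Consider dropping the "default n" line and saying in the commit message that the recommendation is what changes; configurations that already carry CONFIG_NET_KEY=y keep that value either way. The "config NET_KEY_MIGRATE" prompt in the trailing context ("PF_KEY MIGRATE") is left unmarked, so tagging it as deprecated in the same patch would keep the two prompts consistent.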
> --
> 2.43.0
>
> --
> Devel mailing list -- devel@lists.linux-ipsec.org
> To unsubscribe send an email to devel-leave@lists.linux-ipsec.org