diff --git a/sys/rpc/clnt_rc.c b/sys/rpc/clnt_rc.c index b2ee4551149b..ebd52d305a4b 100644 --- a/sys/rpc/clnt_rc.c +++ b/sys/rpc/clnt_rc.c @@ -42,6 +42,8 @@ #include #include +#include + #include #include #include @@ -212,6 +214,12 @@ clnt_reconnect_connect(CLIENT *cl) goto out; } } + if (newclient != NULL) { + int optval = 1; + + (void)so_setsockopt(so, IPPROTO_TCP, TCP_USE_DDP, + &optval, sizeof(optval)); + } if (newclient != NULL && rc->rc_reconcall != NULL) (*rc->rc_reconcall)(newclient, rc->rc_reconarg, rc->rc_ucred); diff --git a/sys/rpc/svc.c b/sys/rpc/svc.c index f96c00dd2f2a..99678f693a3e 100644 --- a/sys/rpc/svc.c +++ b/sys/rpc/svc.c @@ -50,6 +50,7 @@ #include #include #include +#include #include #include #include @@ -57,6 +58,8 @@ #include #include +#include + #include #include #include @@ -987,6 +990,23 @@ svc_getreq(SVCXPRT *xprt, struct svc_req **rqstp_ret) goto call_done; } + /* + * Defer enabling DDP until the first non-NULLPROC RPC + * is received to allow STARTTLS authentication to + * enable TLS offload first. + */ + if (xprt->xp_doneddp == 0 && r->rq_proc != NULLPROC && + atomic_cmpset_int(&xprt->xp_doneddp, 0, 1)) { + if (xprt->xp_socket->so_proto->pr_protocol == + IPPROTO_TCP) { + int optval = 1; + + (void)so_setsockopt(xprt->xp_socket, + IPPROTO_TCP, TCP_USE_DDP, &optval, + sizeof(optval)); + } + } + /* * Everything checks out, return request to caller. */ diff --git a/sys/rpc/svc.h b/sys/rpc/svc.h index 87862d4b9001..cfeb2a92c54e 100644 --- a/sys/rpc/svc.h +++ b/sys/rpc/svc.h @@ -185,6 +185,7 @@ typedef struct __rpc_svcxprt { int xp_ngrps; /* Cred. from TLS cert. */ uid_t xp_uid; gid_t *xp_gidp; + int xp_doneddp; #else int xp_fd; u_short xp_port; /* associated port number */