Date:      Sat, 24 Apr 2004 09:56:01 -0700
From:      Sam Leffler <sam@errno.com>
To:        "Oldach, Helge" <Helge.Oldach@atosorigin.com>
Cc:        'Mike Tancsa' <mike@sentex.net>
Subject:   Re: FAST_IPSEC bug fix
Message-ID:  <44658B20-9610-11D8-AAEB-000A95AD0668@errno.com>
In-Reply-To: <D2CFC58E0F8CB443B54BE72201E8916E94CBB2@dehhx005.hbg.de.int.atosorigin.com>
References:  <D2CFC58E0F8CB443B54BE72201E8916E94CBB2@dehhx005.hbg.de.int.atosorigin.com>


--Apple-Mail-2--708136844
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	format=flowed

On Apr 24, 2004, at 9:03 AM, Oldach, Helge wrote:

> Hi list,
>
> this is a month-old mail about the lack of a FAST_IPSEC feature 
> compared
> to legacy IPSEC. Including a working patch. I haven't seen this being
> committed, or is it? Please also MFC to STABLE.

The fix was not quite right for -current (where it needs to go in 
first).  I sent out the attached patch for testing but received no 
feedback.  Until I can get it tested and committed to -current it won't 
be MFC'd.

	Sam

--Apple-Mail-2--708136844
Content-Transfer-Encoding: 7bit
Content-Type: application/octet-stream;
	x-unix-mode=0644;
	name="key.patch"
Content-Disposition: attachment;
	filename=key.patch

Index: key.c
===================================================================
RCS file: /usr/ncvs/src/sys/netipsec/key.c,v
retrieving revision 1.11
diff -u -r1.11 key.c
--- key.c	16 Feb 2004 17:09:53 -0000	1.11
+++ key.c	5 Apr 2004 16:16:05 -0000
@@ -173,12 +173,11 @@
 #define	SPACQ_LOCK_ASSERT()	mtx_assert(&spacq_lock, MA_OWNED)
 
 /* search order for SAs */
-static u_int saorder_state_valid[] = {
+static const u_int saorder_state_valid_prefer_old[] = {
 	SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
-	/*
-	 * This order is important because we must select the oldest SA
-	 * for outbound processing.  For inbound, This is not important.
-	 */
+};
+static const u_int saorder_state_valid_prefer_new[] = {
+	SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
 };
 static u_int saorder_state_alive[] = {
 	/* except DEAD */
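Review bot: The comment explaining why the search order matters was dropped together with the old array, and neither new array says which policy it implements or that `key_preferred_oldsa` chooses between them. Suggest a header above the pair such as `/* SA search order: prefer_old lists DYING before MATURE (the older SA, per the old comment on outbound processing), prefer_new the reverse; key_preferred_oldsa selects which one is used. */`. Making the two arrays `const` is right; `saorder_state_alive` directly below could take the same qualifier for consistency, `static const u_int saorder_state_alive[] = {`.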
@@ -285,6 +284,7 @@
 SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN,	ah_keymin, CTLFLAG_RW, \
 	&ipsec_ah_keymin,	0,	"");
 
+/* XXX change should be protected with SAHTREE_LOCK */
 /* perfered old SA rather than new SA */
 SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA,	preferred_oldsa, CTLFLAG_RW,\
 	&key_preferred_oldsa,	0,	"");
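Review bot: The added XXX does not say what the lock would protect or who writes the variable. Both readers in this patch (key_allocsa_policy and key_allocsa) take a single snapshot of `key_preferred_oldsa` under SAHTREE_LOCK and derive pointer and length from that one read, so the remaining gap is only that the sysctl store is not serialized against those reads. Suggest stating that: `/* XXX written via sysctl without SAHTREE_LOCK; readers snapshot it once under the lock */`. The `perfered` typo on the following context line could be fixed while this spot is being touched.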
@@ -821,15 +821,24 @@
 static struct secasvar *
 key_allocsa_policy(const struct secasindex *saidx)
 {
+#define	N(a)	_ARRAYLEN(a)
 	struct secashead *sah;
 	struct secasvar *sav;
-	u_int stateidx, state;
+	u_int stateidx, arraysize;
+	const u_int *state_valid;
 
 	SAHTREE_LOCK();
 	LIST_FOREACH(sah, &sahtree, chain) {
 		if (sah->state == SADB_SASTATE_DEAD)
 			continue;
 		if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) {
+			if (key_preferred_oldsa) {
+				state_valid = saorder_state_valid_prefer_old;
+				arraysize = N(saorder_state_valid_prefer_old);
+			} else {
+				state_valid = saorder_state_valid_prefer_new;
+				arraysize = N(saorder_state_valid_prefer_new);
+			}
 			SAHTREE_UNLOCK();
 			goto found;
 		}
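Review bot: The function-local `N()` macro added at the top of key_allocsa_policy (with its `#undef N` in the next hunk) aliases `_ARRAYLEN` for two uses, while key_allocsa in the later hunk calls `_ARRAYLEN` directly; the alias adds a name to track with no saving. Suggest dropping both and writing `arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);` and `arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);` as key_allocsa does. `state_valid` and `arraysize` are assigned only on the `goto found` path; that is correct because `found:` is reached only through that goto, but a compiler may still warn they can be used uninitialized, which initializing them at declaration (`const u_int *state_valid = NULL; u_int stateidx, arraysize = 0;`) avoids. key_allocsa_policy's body continues in the following hunk.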
@@ -839,20 +848,15 @@
 	return NULL;
 
     found:
-
 	/* search valid state */
-	for (stateidx = 0;
-	     stateidx < _ARRAYLEN(saorder_state_valid);
-	     stateidx++) {
-
-		state = saorder_state_valid[stateidx];
-
-		sav = key_do_allocsa_policy(sah, state);
+	for (stateidx = 0; stateidx < arraysize; stateidx++) {
+		sav = key_do_allocsa_policy(sah, state_valid[stateidx]);
 		if (sav != NULL)
 			return sav;
 	}
 
 	return NULL;
+#undef N
 }
 
 /*
@@ -1012,7 +1016,8 @@
 {
 	struct secashead *sah;
 	struct secasvar *sav;
-	u_int stateidx, state;
+	u_int stateidx, arraysize, state;
+	const u_int *saorder_state_valid;
 
 	IPSEC_ASSERT(dst != NULL, ("null dst address"));
 
@@ -1026,11 +1031,16 @@
 	 * encrypted so we can't check internal IP header.
 	 */
 	SAHTREE_LOCK();
+	if (key_preferred_oldsa) {
+		saorder_state_valid = saorder_state_valid_prefer_old;
+		arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+	} else {
+		saorder_state_valid = saorder_state_valid_prefer_new;
+		arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+	}
 	LIST_FOREACH(sah, &sahtree, chain) {
 		/* search valid state */
-		for (stateidx = 0;
-		     stateidx < _ARRAYLEN(saorder_state_valid);
-		     stateidx++) {
+		for (stateidx = 0; stateidx < arraysize; stateidx++) {
 			state = saorder_state_valid[stateidx];
 			LIST_FOREACH(sav, &sah->savtree[state], chain) {
 				/* sanity check */
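Review bot: The order selection placed before LIST_FOREACH has no comment saying why it is done once, up front, under SAHTREE_LOCK rather than inside the loop; the reason — the array pointer and `arraysize` must come from the same read of `key_preferred_oldsa` — is worth stating, e.g. `/* Pick the search order once under SAHTREE_LOCK so pointer and length come from a single read of key_preferred_oldsa. */`. The comment removed in the first hunk said the order is not important for inbound, and from the surrounding context this lookup appears to serve the inbound path; if that holds, a one-line note that honoring the sysctl here is for consistency rather than correctness would help the next reader. The loop body continues past the hunk.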

--Apple-Mail-2--708136844
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	format=flowed



--Apple-Mail-2--708136844--


