Date: Mon, 25 Jun 2007 09:05:47 +0200
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: freebsd-net@freebsd.org
Subject: Re: Questions about PF_KEY interface
Message-ID: <20070625070547.GA24243@zen.inc>
In-Reply-To: <467F65A0.9010900@zyxel.com.tw>
References: <467F65A0.9010900@zyxel.com.tw>

On Mon, Jun 25, 2007 at 02:50:08PM +0800, blue wrote:
> Dear all:

Hi.

> I found there are two directories about PF_KEY interface: netkey and
> netipsec under $FreeBSD src$\sys\.
>
> Looking into the makefile, the one that is currently used and built in
> is netkey.
>
> However, I am wondering what's the purpose for netipsec?

netkey is used if you compile with IPSEC (KAME's stack).
netipsec is used if you compile with FAST_IPSEC.

> Besides, the handling for the global variable "regtree", which is used
> for key registry, in netipsec seems more proper to me.
>
> For example, when a key is needed to register, the static function,
> key_register(), which is defined in [netkey/netipsec]/key.c, will be called.
>
> However, in netkey/key.c, key_register() will not call mtx_lock before
> the operation of the global variable, regtree. On the other hand, in
> netipsec/key.c, key_register() will mtx_lock. In my opinion, I think the
> latter should be correct since there may be various processes to call
> the function. Without the protection, race condition will occur!

KAME's IPSec stack is still giant locked, so it doesn't need more
fine-grained locking.

FAST_IPSEC uses fine-grained locking.

KAME's stack will probably be removed in the future (for 7.0?) thanks
to George V. Neville-Neil's work to provide all KAME's stack features
on FAST_IPSEC.

Yvan.

--
NETASQ
http://www.netasq.com