Date: Sat, 24 Apr 2004 18:03:39 +0200
From: "Oldach, Helge" <Helge.Oldach@atosorigin.com>
To: freebsd-hackers@freebsd.org
Cc: 'Mike Tancsa' <mike@sentex.net>
Subject: RE: FAST_IPSEC bug fix
Message-ID: <D2CFC58E0F8CB443B54BE72201E8916E94CBB2@dehhx005.hbg.de.int.atosorigin.com>
Hi list,

this is a month-old mail about the lack of a FAST_IPSEC feature compared to legacy IPSEC. Including a working patch. I haven't seen this being committed, or is it? Please also MFC to STABLE.

Regards,
Helge

> -----Original Message-----
> From: owner-freebsd-hackers@freebsd.org
> [mailto:owner-freebsd-hackers@freebsd.org]On Behalf Of Mike Tancsa
> Sent: Tuesday, 30. March 2004 19:14
> To: freebsd-hackers@freebsd.org
> Subject: FAST_IPSEC bug fix
>
> Well, it's not totally a bug, but missing functionality that looks like it is there but is not and is pretty important to keep lossy links functioning with IPSEC. My colleague gabor@sentex.net created the patch below that implements net.key.prefered_oldsa when using FAST_IPSEC. The discussion has come up before about this, but no action. I know sam@freebsd.org is really busy and cannot help. Is there anyone out there who could review and commit the patch below? It works against RELENG_4.
>
> I have bcc'd the last 2 committers to touch the code in the hopes that they might have the time and inclination to review / commit?
>
> *** /usr/src/sys/netipsec/key.c Mon Mar 29 20:11:44 2004 > --- ./key.c Tue Mar 30 12:00:31 2004 > *************** > *** 133,138 **** > --- 133,139 ---- > #endif > static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* > SP acquiring > list */ > > + #if 0 > /* search order for SAs */ > static u_int saorder_state_valid[] = { > SADB_SASTATE_DYING, SADB_SASTATE_MATURE, > *************** > *** 141,146 **** > --- 142,154 ---- > * for outbound processing. For inbound, This is > not important.
> */ > }; > + #endif > + static const u_int saorder_state_valid_prefer_old[] = { > + SADB_SASTATE_DYING, SADB_SASTATE_MATURE, > + }; > + static const u_int saorder_state_valid_prefer_new[] = { > + SADB_SASTATE_MATURE, SADB_SASTATE_DYING, > + }; > static u_int saorder_state_alive[] = { > /* except DEAD */ > SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL > *************** > *** 816,821 **** > --- 824,831 ---- > struct secashead *sah; > struct secasvar *sav; > u_int stateidx, state; > + const u_int *saorder_state_valid; > + int arraysize; > > LIST_FOREACH(sah, &sahtree, chain) { > if (sah->state == SADB_SASTATE_DEAD) > *************** > *** 828,836 **** > > found: > > /* search valid state */ > for (stateidx = 0; > ! stateidx < _ARRAYLEN(saorder_state_valid); > stateidx++) { > > state = saorder_state_valid[stateidx]; > --- 838,853 ---- > > found: > > + if (key_prefered_oldsa) { > + saorder_state_valid = saorder_state_valid_prefer_old; > + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); > + } else { > + saorder_state_valid = saorder_state_valid_prefer_new; > + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); > + } > /* search valid state */ > for (stateidx = 0; > ! stateidx < arraysize; > stateidx++) { > > state = saorder_state_valid[stateidx]; > *************** > *** 997,1008 **** > --- 1014,1034 ---- > struct secasvar *sav; > u_int stateidx, state; > int s; > + const u_int *saorder_state_valid; > + int arraysize; > > KASSERT(dst != NULL, ("key_allocsa: null dst address")); > > KEYDEBUG(KEYDEBUG_IPSEC_STAMP, > printf("DP key_allocsa from %s:%u\n", where, tag)); > > + if (key_prefered_oldsa) { > + saorder_state_valid = saorder_state_valid_prefer_old; > + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); > + } else { > + saorder_state_valid = saorder_state_valid_prefer_new; > + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); > + } > /* > * searching SAD. > * XXX: to be checked internal IP header somewhere. 
> Also when > *************** > *** 1013,1019 **** > LIST_FOREACH(sah, &sahtree, chain) { > /* search valid state */ > for (stateidx = 0; > ! stateidx < _ARRAYLEN(saorder_state_valid); > stateidx++) { > state = saorder_state_valid[stateidx]; > LIST_FOREACH(sav, > &sah->savtree[state], chain) { > --- 1039,1045 ---- > LIST_FOREACH(sah, &sahtree, chain) { > /* search valid state */ > for (stateidx = 0; > ! stateidx < arraysize; > stateidx++) { > state = saorder_state_valid[stateidx]; > LIST_FOREACH(sav, > &sah->savtree[state], chain) {
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
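
Review bot: the `#if 0` added in the 133,138 hunk, just before `/* search order for SAs */`, leaves the old `saorder_state_valid[]` in the file as dead code. Delete the array outright and move its comment about search order for outbound processing onto the replacement arrays, because the disabled block now hides the only explanation of why the order matters.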
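
Review bot: `saorder_state_valid_prefer_old[]` and `saorder_state_valid_prefer_new[]`, added after the `#endif` in the 141,146 hunk, have no comment saying which one `key_prefered_oldsa` selects or why `SADB_SASTATE_DYING` is tried first in one and `SADB_SASTATE_MATURE` first in the other. Add a one-line comment to each array tying it to the sysctl named in the mail (net.key.prefered_oldsa), so the next reader does not have to find the selection code to understand the two orders.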
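
Review bot: `int arraysize;` in the 816,821 hunk is later compared with `u_int stateidx` in `stateidx < arraysize`, which is a signed/unsigned comparison; declare it `u_int` to match the index. The new local `const u_int *saorder_state_valid` also reuses the name of the file-scope array that the first hunk disables, so a later removal of the `#if 0` would silently shadow it; a distinct local name such as `state_order` avoids that.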
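
Review bot: the `if (key_prefered_oldsa) { ... } else { ... }` block inserted after `found:` in the 828,836 hunk is repeated line for line in the 997,1008 hunk. Move the selection into one small static helper that returns the array pointer and its length, so the two lookups cannot drift apart when the state order is changed again.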
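
Review bot: the 997,1008 hunk applies the `key_prefered_oldsa` selection in `key_allocsa`, while the comment that the patch keeps inside the `#if 0` block says the search order matters for outbound processing and is not important for inbound. State in a comment at this site, or in the commit message, why this second lookup needs the preference; if it does not, leave its order fixed and drop the extra locals here.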