From owner-freebsd-hackers@FreeBSD.ORG Sat Apr 24 09:56:00 2004 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37F2F16A4CE for ; Sat, 24 Apr 2004 09:56:00 -0700 (PDT) Received: from ebb.errno.com (ebb.errno.com [66.127.85.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id D4BC743D4C for ; Sat, 24 Apr 2004 09:55:59 -0700 (PDT) (envelope-from sam@errno.com) Received: from [66.127.85.89] ([66.127.85.89]) (authenticated bits=0) by ebb.errno.com (8.12.9/8.12.6) with ESMTP id i3OGttWR039964 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Sat, 24 Apr 2004 09:55:55 -0700 (PDT) (envelope-from sam@errno.com) In-Reply-To: References: Mime-Version: 1.0 (Apple Message framework v613) Content-Type: multipart/mixed; boundary=Apple-Mail-2--708136844 Message-Id: <44658B20-9610-11D8-AAEB-000A95AD0668@errno.com> 
From: Sam Leffler Date: Sat, 24 Apr 2004 09:56:01 -0700 To: "Oldach, Helge" X-Mailer: Apple Mail (2.613) X-Mailman-Approved-At: Sun, 25 Apr 2004 04:47:53 -0700 cc: freebsd-hackers@freebsd.org cc: 'Mike Tancsa' Subject: Re: FAST_IPSEC bug fix X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Apr 2004 16:56:00 -0000 --Apple-Mail-2--708136844 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed On Apr 24, 2004, at 9:03 AM, Oldach, Helge wrote: > Hi list, > > this is a month-old mail about the lack of a FAST_IPSEC feature > compared > to legacy IPSEC. Including a working patch. I haven't seen this being > committed, or is it? Please also MFC to STABLE. The fix was not quite right for -current (where it needs to go in first). I sent out the attached patch for testing but received no feedback. Until I can get it tested and committed to -current it won't be MFC'd. Sam --Apple-Mail-2--708136844 Content-Transfer-Encoding: 7bit Content-Type: application/octet-stream; x-unix-mode=0644; name="key.patch" Content-Disposition: attachment; filename=key.patch
Index: key.c
===================================================================
RCS file: /usr/ncvs/src/sys/netipsec/key.c,v
retrieving revision 1.11
diff -u -r1.11 key.c
--- key.c 16 Feb 2004 17:09:53 -0000 1.11
+++ key.c 5 Apr 2004 16:16:05 -0000
@@ -173,12 +173,11 @@
 #define SPACQ_LOCK_ASSERT() mtx_assert(&spacq_lock, MA_OWNED)
 
 /* search order for SAs */
-static u_int saorder_state_valid[] = {
+static const u_int saorder_state_valid_prefer_old[] = {
 SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
- /*
- * This order is important because we must select the oldest SA
- * for outbound processing. For inbound, This is not important.
- */
+};
+static const u_int saorder_state_valid_prefer_new[] = {
+ SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
 };
 static u_int saorder_state_alive[] = {
 /* except DEAD */
@@ -285,6 +284,7 @@
 SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, CTLFLAG_RW, \
 &ipsec_ah_keymin, 0, "");
 
+/* XXX change should be protected with SAHTREE_LOCK */
 /* perfered old SA rather than new SA */
 SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa, CTLFLAG_RW,\
 &key_preferred_oldsa, 0, "");
@@ -821,15 +821,24 @@
 static struct secasvar *
 key_allocsa_policy(const struct secasindex *saidx)
 {
+#define N(a) _ARRAYLEN(a)
 struct secashead *sah;
 struct secasvar *sav;
- u_int stateidx, state;
+ u_int stateidx, arraysize;
+ const u_int *state_valid;
 
 SAHTREE_LOCK();
 LIST_FOREACH(sah, &sahtree, chain) {
 if (sah->state == SADB_SASTATE_DEAD)
 continue;
 if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) {
+ if (key_preferred_oldsa) {
+ state_valid = saorder_state_valid_prefer_old;
+ arraysize = N(saorder_state_valid_prefer_old);
+ } else {
+ state_valid = saorder_state_valid_prefer_new;
+ arraysize = N(saorder_state_valid_prefer_new);
+ }
 SAHTREE_UNLOCK();
 goto found;
 }
@@ -839,20 +848,15 @@
 return NULL;
 
 found:
- /* search valid state */
- for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_valid);
- stateidx++) {
-
- state = saorder_state_valid[stateidx];
-
- sav = key_do_allocsa_policy(sah, state);
+ for (stateidx = 0; stateidx < arraysize; stateidx++) {
+ sav = key_do_allocsa_policy(sah, state_valid[stateidx]);
 if (sav != NULL)
 return sav;
 }
 
 return NULL;
+#undef N
 }
 
 /*
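Review bot: The rationale for trying DYING before MATURE is lost with the removed comment in the first hunk; `saorder_state_valid_prefer_old` now gives no hint why it differs from `saorder_state_valid_prefer_new` or when each one is used. A short comment above the pair would restore that, e.g. `/* SA search orders: prefer_old tries DYING before MATURE so the oldest SA is selected for outbound processing; the preferred_oldsa sysctl chooses which order key_allocsa_policy()/key_allocsa() use. */`. The neighbouring `saorder_state_alive` stays non-const while the two new tables are `const`; qualifying it the same way would keep the three tables consistent.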
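Review bot: The `XXX` comment added in the second hunk records that the sysctl write to `key_preferred_oldsa` is not serialised against readers, but not what follows from it. Both readers this patch introduces (key_allocsa_policy in the third hunk and key_allocsa in the later hunk) read the flag while holding SAHTREE_LOCK and copy the choice into locals, so holding the lock on the read side alone does not close the gap; either state that a racing write merely changes which order the next lookup uses, e.g. `/* Written by sysctl without SAHTREE_LOCK; readers snapshot it once per lookup, so a racing write only affects the next lookup. */`, or give the sysctl a handler that takes the lock. Which of the two is intended is not visible from the patch.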
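Review bot: The seven-line selection of `state_valid`/`arraysize` in the third hunk is repeated verbatim in key_allocsa in the later hunk, and the local `N()` macro with its `#undef` exists only to spell `_ARRAYLEN` differently from that copy. A small `static` helper (constructed name below) would hold the policy in one place, let both callers read `key_preferred_oldsa` the same way, and drop the macro; the `arraysize`/`state_valid` locals are only ever assigned on the `goto found` path, which is fine today but is the kind of thing a helper call makes obvious to the next reader. key_allocsa_policy's body continues in the following hunk.
```c
/* Select the SA state search order chosen by the preferred_oldsa sysctl. */
static void
key_sa_search_order(const u_int **order, u_int *n)
{
	if (key_preferred_oldsa) {
		*order = saorder_state_valid_prefer_old;
		*n = _ARRAYLEN(saorder_state_valid_prefer_old);
	} else {
		*order = saorder_state_valid_prefer_new;
		*n = _ARRAYLEN(saorder_state_valid_prefer_new);
	}
}

/* … unchanged: key_allocsa_policy() declarations and sahtree walk … */
		if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) {
			key_sa_search_order(&state_valid, &arraysize);
			SAHTREE_UNLOCK();
			goto found;
		}
```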
@@ -1012,7 +1016,8 @@
 {
 struct secashead *sah;
 struct secasvar *sav;
- u_int stateidx, state;
+ u_int stateidx, arraysize, state;
+ const u_int *saorder_state_valid;
 
 IPSEC_ASSERT(dst != NULL, ("null dst address"));
 
@@ -1026,11 +1031,16 @@
 * encrypted so we can't check internal IP header.
 */
 SAHTREE_LOCK();
+ if (key_preferred_oldsa) {
+ saorder_state_valid = saorder_state_valid_prefer_old;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+ } else {
+ saorder_state_valid = saorder_state_valid_prefer_new;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+ }
 LIST_FOREACH(sah, &sahtree, chain) {
 /* search valid state */
- for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_valid);
- stateidx++) {
+ for (stateidx = 0; stateidx < arraysize; stateidx++) {
 state = saorder_state_valid[stateidx];
 LIST_FOREACH(sav, &sah->savtree[state], chain) {
 /* sanity check */
--Apple-Mail-2--708136844
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed
--Apple-Mail-2--708136844--
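Review bot: The new local in the first hunk here is named `saorder_state_valid`, the same name as the file-scope array this patch removes, while the equivalent local in key_allocsa_policy is called `state_valid`. Reusing the old global's name for a per-call pointer invites a reader to take it for the former table, and the two functions now spell the same concept differently; `const u_int *state_valid;` in both would read consistently. The enclosing function's header is outside this hunk, so its name is inferred from the later hunk's use of `dst` and `sah->savtree`.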