From: Mike Tancsa
To: freebsd-hackers@freebsd.org
Date: Tue, 30 Mar 2004 12:13:58 -0500
Subject: FAST_IPSEC bug fix
Message-Id: <6.0.3.0.0.20040330120751.10bf1180@209.112.4.2>
List-Id: Technical Discussions relating to FreeBSD

Well, it's not totally a bug, but missing functionality that looks like it is there but is not, and is pretty important to keep lossy links functioning with IPSEC. My colleague gabor@sentex.net created the patch below that implements net.key.prefered_oldsa when using FAST_IPSEC.
The discussion has come up before about this, but no action. I know sam@freebsd.org is really busy and cannot help. Is there anyone out there who could review and commit the patch below? It works against RELENG_4. I have bcc'd the last 2 committers to touch the code in the hopes that they might have the time and inclination to review / commit.

*** /usr/src/sys/netipsec/key.c Mon Mar 29 20:11:44 2004 --- ./key.c Tue Mar 30 12:00:31 2004 *************** *** 133,138 **** --- 133,139 ---- #endif static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */ + #if 0 /* search order for SAs */ static u_int saorder_state_valid[] = { SADB_SASTATE_DYING, SADB_SASTATE_MATURE, *************** *** 141,146 **** --- 142,154 ---- * for outbound processing. For inbound, This is not important. */ }; + #endif + static const u_int saorder_state_valid_prefer_old[] = { + SADB_SASTATE_DYING, SADB_SASTATE_MATURE, + }; + static const u_int saorder_state_valid_prefer_new[] = { + SADB_SASTATE_MATURE, SADB_SASTATE_DYING, + }; static u_int saorder_state_alive[] = { /* except DEAD */ SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL *************** *** 816,821 **** --- 824,831 ---- struct secashead *sah; struct secasvar *sav; u_int stateidx, state; + const u_int *saorder_state_valid; + int arraysize; LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) *************** *** 828,836 **** found: /* search valid state */ for (stateidx = 0; ! stateidx < _ARRAYLEN(saorder_state_valid); stateidx++) { state = saorder_state_valid[stateidx]; --- 838,853 ---- found: + if (key_prefered_oldsa) { + saorder_state_valid = saorder_state_valid_prefer_old; + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); + } else { + saorder_state_valid = saorder_state_valid_prefer_new; + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); + } /* search valid state */ for (stateidx = 0; !
stateidx < arraysize; stateidx++) { state = saorder_state_valid[stateidx]; *************** *** 997,1008 **** --- 1014,1034 ---- struct secasvar *sav; u_int stateidx, state; int s; + const u_int *saorder_state_valid; + int arraysize; KASSERT(dst != NULL, ("key_allocsa: null dst address")); KEYDEBUG(KEYDEBUG_IPSEC_STAMP, printf("DP key_allocsa from %s:%u\n", where, tag)); + if (key_prefered_oldsa) { + saorder_state_valid = saorder_state_valid_prefer_old; + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); + } else { + saorder_state_valid = saorder_state_valid_prefer_new; + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); + } /* * searching SAD. * XXX: to be checked internal IP header somewhere. Also when *************** *** 1013,1019 **** LIST_FOREACH(sah, &sahtree, chain) { /* search valid state */ for (stateidx = 0; ! stateidx < _ARRAYLEN(saorder_state_valid); stateidx++) { state = saorder_state_valid[stateidx]; LIST_FOREACH(sav, &sah->savtree[state], chain) { --- 1039,1045 ---- LIST_FOREACH(sah, &sahtree, chain) { /* search valid state */ for (stateidx = 0; ! stateidx < arraysize; stateidx++) { state = saorder_state_valid[stateidx]; LIST_FOREACH(sav, &sah->savtree[state], chain) { -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike
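Review bot: the `#if 0` / `#endif` wrapped around the old saorder_state_valid[] in the first two hunks (133,138 and 141,146) leaves dead code in key.c; remove the array outright and move its comment ("for outbound processing. For inbound, This is not important.") onto the new saorder_state_valid_prefer_old / saorder_state_valid_prefer_new tables, so the reason DYING precedes MATURE in the prefer_old table (and MATURE precedes DYING in prefer_new) is documented where a reader will look for it. Worth stating in the commit message as well: the original table was DYING, MATURE, so the prefer_old path keeps today's behaviour and prefer_new is the path that actually needs testing on a lossy link.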
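Review bot: the block added after `found:` in hunk 828,836 (key_allocsa_policy) reads key_prefered_oldsa, but nothing in the patch declares that variable or wires it to the net.key.prefered_oldsa sysctl; if the FAST_IPSEC key.c already carries the declaration and SYSCTL_INT as a knob that nothing consults (which is what the cover note's "looks like it is there but is not" suggests), say so explicitly in the commit message, otherwise the patch does not build on its own. Reading the knob once into the local `saorder_state_valid` / `arraysize` pair before the loop is the right shape: the search order cannot change underneath the loop if the sysctl is flipped mid-call, so only this one read needs to be safe.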
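Review bot: the `if (key_prefered_oldsa) { ... } else { ... }` selection block in hunk 997,1008 (key_allocsa) is a verbatim copy of the one added in key_allocsa_policy; factor it into a small static helper that returns the table pointer and writes the table length through an out parameter, so the two call sites cannot drift apart when one of them is changed. Also, the local `const u_int *saorder_state_valid` declared at the top of this hunk reuses the name of the file-scope array that the first hunk only disables with `#if 0`; deleting that array entirely avoids a shadowing warning the moment the `#if 0` is dropped.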