From owner-svn-src-all@FreeBSD.ORG Thu Dec 25 10:25:04 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A491D533; Thu, 25 Dec 2014 10:25:04 +0000 (UTC) Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:130:3ffc::401:25]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mx1.sbone.de", Issuer "SBone.DE" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 350891059; Thu, 25 Dec 2014 10:25:04 +0000 (UTC) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id 610A125D3871; Thu, 25 Dec 2014 10:25:01 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 75272C76FD3; Thu, 25 Dec 2014 10:25:00 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id w4n7IdeIvR0X; Thu, 25 Dec 2014 10:24:58 +0000 (UTC) Received: from [IPv6:fde9:577b:c1a9:31:cabc:c8ff:fecf:e8e3] (orange-en1.sbone.de [IPv6:fde9:577b:c1a9:31:cabc:c8ff:fecf:e8e3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 41718C76FCD; Thu, 25 Dec 2014 10:24:57 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\)) Subject: Re: svn commit: r276188 - head/sys/netipsec From: "Bjoern A. Zeeb" In-Reply-To: <201412241834.sBOIYvrL078222@svn.freebsd.org> Date: Thu, 25 Dec 2014 10:24:51 +0000 Content-Transfer-Encoding: quoted-printable Message-Id: <2AA1B085-9974-4AE5-9498-B07469E5A29B@FreeBSD.org> References: <201412241834.sBOIYvrL078222@svn.freebsd.org> To: "Andrey V. Elsukov" X-Mailer: Apple Mail (2.1993) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Dec 2014 10:25:04 -0000 > On 24 Dec 2014, at 18:34 , Andrey V. Elsukov wrote: >=20 > Author: ae > Date: Wed Dec 24 18:34:56 2014 > New Revision: 276188 > URL: https://svnweb.freebsd.org/changeset/base/276188 >=20 > Log: > Rename ip4_def_policy variable to def_policy. It is used by both IPv4 = and > IPv6. Initialize it only once in def_policy_init(). Remove its > initialization from key_init() and make it static. >=20 > Remove several fields from struct secpolicy: > * lock - it isn't so useful having mutex in the structure, but the = only > thing we do with it is initialization and destroying. > * state - it has only two values - DEAD and ALIVE. Instead of take a = lock > and change the state to DEAD, then take lock again in GC function = and > delete policy from the chain - keep in the chain only ALIVE = policies. > * scangen - it was used in GC function to protect from sending = several > SADB_SPDEXPIRE messages for one SPD entry. Now we don't keep DEAD = entries > in the chain and there is no need to have scangen variable. >=20 > Use TAILQ to implement SPD entries chain. Use rmlock to protect = access > to SPD entries chain. Protect all SP lookup with RLOCK, and use WLOCK > when we are inserting (or removing) SP entry in the chain. >=20 > Instead of using pattern "LOCK(); refcnt++; UNLOCK();", use = refcount(9) > API to implement refcounting in SPD. Merge code from key_delsp() and > _key_delsp() into _key_freesp(). And use KEY_FREESP() macro in all = cases > when we want to release reference or just delete SP entry. >=20 > Obtained from: Yandex LLC > Sponsored by: Yandex LLC >=20 > Modified: > head/sys/netipsec/ipsec.c > head/sys/netipsec/ipsec.h > head/sys/netipsec/key.c > head/sys/netipsec/key_debug.c This broke VIMAGE kernel builds. And I=E2=80=99ll repeat what I said before: I appreciate all your work = but at the same time I remain massively worried by major change commits = to security subsystems without any Reviewed by: lines. Please use = appropriate ways to get extra pairs of eyes. Happy holidays! Bjoern =E2=80=94=20 Bjoern A. Zeeb Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."