From: "Cyrus Rahman"
To: bz@freebsd.org
Cc: freebsd-net@freebsd.org
Date: Wed, 12 Mar 2008 19:35:05 -0600
Subject: Re: kern/121374: [ipsec] SP refcnt increases with each packet in ipv6 with new IPSEC

> Synopsis: [ipsec] SP refcnt increases with each packet in ipv6 with new IPSEC
>
> Wait for feedback if the patch presented is fine.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=121374

Ok, I've tested this patch. Exchanging packets through a policy works
after a fashion, but after sending one packet the kernel deletes the
policy, presumably because the refcnt goes to 0:

hostB# setkey -DP
hostA[any] hostB[any] any
        in ipsec
        esp/transport//require
        spid=22 seq=1 pid=1037
        refcnt=1
hostB[any] hostA[any] any
        out ipsec
        esp/transport//require
        spid=21 seq=0 pid=1037
        refcnt=1

hostB# ping6 hostA
PING6(56=40+8+8 bytes) hostB --> hostA
16 bytes from hostA, icmp_seq=0 hlim=64 time=12.401 ms
^C
--- hostA ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 12.401/12.401/12.401/0.000 ms

hostB# setkey -DP
hostA[any] hostB[any] any
        in ipsec
        esp/transport//require
        spid=22 seq=0 pid=1040
        refcnt=1

**** So the outbound policy is gone!
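
A check for the symptom reported above, added here as an example and not part of the original message or of the patch under test: it compares two `setkey -DP` snapshots and reports policies that vanished, appeared, or changed refcnt. The function names are hypothetical; the sample snapshots are the output quoted in the message.

```python
import re

# One SPD entry as printed by `setkey -DP`. The pattern is whitespace-
# insensitive, so it also matches output whose line breaks were lost.
ENTRY_RE = re.compile(
    r"(?P<src>\S+\[\S+\])\s+(?P<dst>\S+\[\S+\])\s+(?P<proto>\S+)\s+"
    r"(?P<dir>in|out)\s+(?P<policy>\S+)\s+.*?"
    r"spid=(?P<spid>\d+)\s+seq=\d+\s+pid=\d+\s+refcnt=(?P<refcnt>\d+)",
    re.DOTALL,
)

def parse_spd(text):
    """Map (src, dst, proto, direction) -> {'spid', 'refcnt'} for each entry."""
    return {
        (m["src"], m["dst"], m["proto"], m["dir"]):
            {"spid": int(m["spid"]), "refcnt": int(m["refcnt"])}
        for m in ENTRY_RE.finditer(text)
    }

def diff_spd(before, after):
    """Compare two snapshots; a vanished 'out' policy means traffic that was
    required to use ESP may now leave without it."""
    b, a = parse_spd(before), parse_spd(after)
    return {
        "vanished": sorted(k for k in b if k not in a),
        "appeared": sorted(k for k in a if k not in b),
        "refcnt_changed": {k: (b[k]["refcnt"], a[k]["refcnt"])
                           for k in b if k in a
                           and b[k]["refcnt"] != a[k]["refcnt"]},
    }

# Snapshots copied from the message above (before and after the single ping6).
BEFORE = """hostA[any] hostB[any] any
        in ipsec
        esp/transport//require
        spid=22 seq=1 pid=1037
        refcnt=1
hostB[any] hostA[any] any
        out ipsec
        esp/transport//require
        spid=21 seq=0 pid=1037
        refcnt=1
"""
AFTER = """hostA[any] hostB[any] any
        in ipsec
        esp/transport//require
        spid=22 seq=0 pid=1040
        refcnt=1
"""

if __name__ == "__main__":
    print(diff_spd(BEFORE, AFTER))
```

The `refcnt_changed` field covers the symptom in the PR synopsis (refcnt growing with each packet), while `vanished` covers the behaviour seen with the patch applied.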