Date: Wed, 3 Jan 2007 09:07:05 +0100
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: freebsd-net@freebsd.org
Subject: Re: NAT Taversal bug in kernel patch ?
Message-ID: <20070103080704.GA486@zen.inc>
In-Reply-To: <369726.48848.qm@web51904.mail.yahoo.com>
References: <20070102141351.GA1604@jayce.zen.inc> <369726.48848.qm@web51904.mail.yahoo.com>
On Tue, Jan 02, 2007 at 08:28:01PM -0800, ashoke saha wrote:
> not new. 6/7 months old.

Ok, please try with the latest version of the patch, it should be fixed.

> Also, quite some time back (1 yr ...) looked like there are issues in
> PFKEY interface in scalability. If you create more than 300 ipsec
> policies and ipsec SAs PFKEY used to fail as kernel was using one mbuf
> cluster (2K or 4K, don't remember) for each policy or SA. That way it
> was running out of mbuf cluster limit for process.

Yep.

> maybe that is also fixed.

There is no public patch afaik.

However, I have 2 solutions to fix that:

- There is a "bug" in a macro in socket code. Basically, some long vars
  are converted to ints to make some checks, then the result is
  converted to a long again. I already posted a quick patch here a few
  months ago, I'll send it as a PR as soon as I have time to do a
  complete and clean fix (I don't remember exactly what, but I noticed
  that some calls to that macro would need to be fixed when the macro is
  fixed). This solution reduces the problem, but doesn't really fix it
  (but there is *really* a bug which needs to be fixed here).

- The way SPD / SAs are dumped between kernel/userland is ugly, because
  you use 1 message for each entry. We solved the problem by creating a
  custom PFKey request: userland sends a buffer address/size to the
  kernel, and the kernel will fill this buffer with results, then will
  send ONE message to the userland, with the used size. This works well,
  but is really not RFC compliant!

Yvan.

--
NETASQ
http://www.netasq.com
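The "one message per entry" framing Yvan describes is what RFC 2367 specifies for SADB_DUMP: the kernel answers with a separate sadb_msg for every SA, which is why a 300-SA dump costs 300 kernel messages (and, per the thread, 300 mbuf clusters). The following C program is an added example, not code from the thread or from FreeBSD: it builds a constructed 300-entry dump reply stream, then parses it the way a careful PF_KEY reader should, validating every sadb_msg_len and extension length before trusting it, so a truncated or corrupted stream is rejected instead of read past the buffer. The struct layouts are local copies of the RFC 2367 headers so it builds without <net/pfkeyv2.h>; the SPI values and the "sequence counts down to 0 on the last message" convention are assumptions made for the sample (the latter matches KAME's key_setdump(), but the parser only relies on seq == 0 marking the end).

```c
/* Added example (not from the thread or FreeBSD): walk an RFC 2367
 * SADB_DUMP reply stream, one sadb_msg per SA, with full length checks.
 * Struct layouts are local copies of RFC 2367 so no <net/pfkeyv2.h> is needed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PFKEY_V2          2   /* PF_KEY_V2 */
#define SADB_DUMP_MSG     10  /* SADB_DUMP */
#define SADB_EXT_SA_TYPE  1   /* SADB_EXT_SA */
#define SADB_SATYPE_ESP_V 3   /* SADB_SATYPE_ESP */

struct pf_sadb_msg {          /* RFC 2367 2.1, 16 bytes */
    uint8_t  version, type, err, satype;
    uint16_t len;             /* whole message, in 64-bit words */
    uint16_t reserved;
    uint32_t seq, pid;
};
struct pf_sadb_ext {          /* generic extension header, 4 bytes */
    uint16_t len;             /* extension incl. header, in 64-bit words */
    uint16_t type;
};
struct pf_sadb_sa {           /* RFC 2367 2.3.1, 16 bytes */
    uint16_t len, exttype;
    uint32_t spi;
    uint8_t  replay, state, auth, encrypt;
    uint32_t flags;
};
_Static_assert(sizeof(struct pf_sadb_msg) == 16, "sadb_msg layout");
_Static_assert(sizeof(struct pf_sadb_sa) == 16, "sadb_sa layout");

struct dump_stats {
    unsigned entries;         /* SA entries == kernel messages consumed */
    size_t   bytes;           /* bytes consumed */
    int      complete;        /* saw the terminating seq == 0 message */
};

/* Parse concatenated SADB_DUMP replies. Returns 0 if every message was
 * well-formed, -1 on the first bad one: header or message overrunning the
 * buffer, zero-length extension, missing SA extension, or kernel errno set. */
int parse_dump_replies(const uint8_t *buf, size_t buflen, struct dump_stats *st)
{
    size_t off = 0;
    memset(st, 0, sizeof *st);
    while (off < buflen && !st->complete) {
        struct pf_sadb_msg m;
        if (buflen - off < sizeof m) return -1;           /* truncated header */
        memcpy(&m, buf + off, sizeof m);
        size_t mlen = (size_t)m.len * 8;
        if (m.version != PFKEY_V2 || m.type != SADB_DUMP_MSG || m.err != 0 ||
            mlen < sizeof m || mlen > buflen - off)        /* never trust len blindly */
            return -1;
        int saw_sa = 0;
        for (size_t eoff = sizeof m; eoff < mlen; ) {
            struct pf_sadb_ext e;
            if (mlen - eoff < sizeof e) return -1;
            memcpy(&e, buf + off + eoff, sizeof e);
            size_t elen = (size_t)e.len * 8;
            if (elen == 0 || elen > mlen - eoff) return -1; /* elen==0 would loop forever */
            if (e.type == SADB_EXT_SA_TYPE) saw_sa = 1;
            eoff += elen;
        }
        if (!saw_sa) return -1;                            /* DUMP reply must carry an SA */
        st->entries++;
        off += mlen;
        st->bytes = off;
        if (m.seq == 0) st->complete = 1;
    }
    return 0;
}

/* Constructed sample (not a captured kernel reply): n entries, each a 16-byte
 * sadb_msg plus a 16-byte sadb_sa, i.e. one 32-byte message per SA. Sequence
 * numbers count down to 0 on the last message (assumed convention). */
size_t build_dump_replies(uint8_t *buf, size_t cap, unsigned n)
{
    size_t need = (size_t)n * 32;
    if (n == 0 || need > cap) return 0;
    for (unsigned i = 0; i < n; i++) {
        struct pf_sadb_msg m = { .version = PFKEY_V2, .type = SADB_DUMP_MSG,
                                 .satype = SADB_SATYPE_ESP_V, .len = 4,
                                 .seq = n - 1 - i, .pid = 0 };
        struct pf_sadb_sa sa = { .len = 2, .exttype = SADB_EXT_SA_TYPE,
                                 .spi = 0x1000u + i,      /* made-up SPI, host order */
                                 .state = 1 };            /* SADB_SASTATE_MATURE */
        memcpy(buf + i * 32, &m, sizeof m);
        memcpy(buf + i * 32 + 16, &sa, sizeof sa);
    }
    return need;
}

/* The thread's scenario: 300 SAs, one kernel message each. Returns how many
 * messages the reader had to consume, or -1 on a malformed stream. */
int demo_dump_300(void)
{
    static uint8_t buf[300 * 32];
    struct dump_stats st;
    size_t n = build_dump_replies(buf, sizeof buf, 300);
    if (n == 0 || parse_dump_replies(buf, n, &st) != 0 || !st.complete) return -1;
    return (int)st.entries;
}

/* Same stream cut 8 bytes short of the last message: rejected, not overread. */
int demo_truncated(void)
{
    static uint8_t buf[300 * 32];
    struct dump_stats st;
    size_t n = build_dump_replies(buf, sizeof buf, 300);
    return parse_dump_replies(buf, n - 8, &st);
}

int main(void)
{
    printf("300 SAs -> %d separate PF_KEY messages\n", demo_dump_300());
    printf("truncated stream -> parse result %d\n", demo_truncated());
    return 0;
}
```

The entry count the parser reports is exactly the number of separate kernel messages, which is the cost the thread complains about: it scales with the SA count, not with the payload size, so a single-buffer reply like the NETASQ one removes it at the price of leaving the RFC's framing.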