Date: Wed, 3 Jan 2007 01:54:04 -0800 (PST)
From: ashoke saha <ashoke@rocketmail.com>
To: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>, freebsd-net@freebsd.org
Subject: Re: NAT Taversal bug in kernel patch ?
Message-ID: <20070103095404.42189.qmail@web51909.mail.yahoo.com>
In-Reply-To: <20070103080704.GA486@zen.inc>
Yes, I also did my own pvt patch. I think PFKEY needs to be modified for scalability. We should be able to send multiple commands, SPIs, policy IDs and different actions for each, etc.

ashoke.

--- VANHULLEBUS Yvan <vanhu_bsd@zeninc.net> wrote:

> On Tue, Jan 02, 2007 at 08:28:01PM -0800, ashoke saha wrote:
> > not new. 6/7 months old.
>
> Ok, please try with the latest version of the patch, it should be fixed.
>
> > Also, quite some time back (1 yr) .... looked like there are issues in the PFKEY interface in scalability. If you create more than 300 ipsec policies and ipsec SAs, PFKEY used to fail as the kernel was using one mbuf cluster (2K or 4K, don't remember) for each policy or SA. That way it was running out of the mbuf cluster limit for the process.
>
> Yep.
>
> > maybe that is also fixed.
>
> There is no public patch afaik.
>
> However, I have 2 solutions to fix that:
>
> - There is a "bug" in a macro in socket code. Basically, some long vars are converted to ints to make some checks, then the result is converted to a long again. I already posted a quick patch here a few months ago, I'll send it as a PR as soon as I have time to do a complete and clean fix (I don't remember exactly what, but I noticed that some calls to that macro would need to be fixed when the macro is fixed). This solution reduces the problem, but doesn't really fix it (but there is *really* a bug which needs to be fixed here).
>
> - The way SPD / SAs are dumped between kernel/userland is ugly, because you use 1 message for each entry. We solved the problem by creating a custom PFKey request: userland sends a buffer address/size to the kernel, and the kernel will fill this buffer with results, then will send ONE message to the userland, with the used size. This works well, but is really not RFC compliant!
>
> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
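As an added illustration of the long-to-int narrowing pattern Yvan describes in the socket-code macro (this is not code from the thread or from FreeBSD): the struct, macro and field names are hypothetical stand-ins for a socket-buffer free-space check, and the numbers assume an LP64 build where long is 64 bits. The buggy form turns a large, perfectly valid amount of headroom into a negative number, so the buffer looks full; the fixed form keeps the comparison in long.

```c
#include <stdio.h>

/* Hypothetical stand-in for a socket buffer: just the four counters a
 * free-space check compares. Field names are illustrative, not FreeBSD's. */
struct sb_counters {
    unsigned long sb_hiwat;  /* data high-water mark (bytes) */
    unsigned long sb_cc;     /* data currently queued (bytes) */
    unsigned long sb_mbmax;  /* mbuf storage limit (bytes) */
    unsigned long sb_mbcnt;  /* mbuf storage in use (bytes) */
};

static int  imin_(int a, int b)   { return a < b ? a : b; }
static long lmin_(long a, long b) { return a < b ? a : b; }

/* Buggy pattern from the thread: long-sized differences are narrowed to int
 * for the comparison, then the int result is widened back to long. A
 * difference of 2^31 or more wraps negative, so the socket appears full. */
#define SBSPACE_BUGGY(sb) \
    ((long)imin_((int)((sb)->sb_hiwat - (sb)->sb_cc), \
                 (int)((sb)->sb_mbmax - (sb)->sb_mbcnt)))

/* Fixed pattern: do the comparison in long and never narrow. */
#define SBSPACE_FIXED(sb) \
    lmin_((long)((sb)->sb_hiwat - (sb)->sb_cc), \
          (long)((sb)->sb_mbmax - (sb)->sb_mbcnt))

long space_buggy(unsigned long hiwat, unsigned long cc,
                 unsigned long mbmax, unsigned long mbcnt)
{
    struct sb_counters sb = { hiwat, cc, mbmax, mbcnt };
    return SBSPACE_BUGGY(&sb);
}

long space_fixed(unsigned long hiwat, unsigned long cc,
                 unsigned long mbmax, unsigned long mbcnt)
{
    struct sb_counters sb = { hiwat, cc, mbmax, mbcnt };
    return SBSPACE_FIXED(&sb);
}

int main(void)
{
    /* Constructed counters: 2 GiB of data headroom, 4 KiB of mbuf headroom.
     * Only the mbuf side should limit us; the buggy macro reports no room. */
    unsigned long hiwat = 1UL << 31, mbmax = 4096;
    printf("buggy: %ld  fixed: %ld\n",
           space_buggy(hiwat, 0, mbmax, 0), space_fixed(hiwat, 0, mbmax, 0));
    return 0;
}
```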