From: ashoke saha
To: VANHULLEBUS Yvan, freebsd-net@freebsd.org
Date: Wed, 3 Jan 2007 01:54:04 -0800 (PST)
Subject: Re: NAT Traversal bug in kernel patch ?
Message-ID: <20070103095404.42189.qmail@web51909.mail.yahoo.com>
In-Reply-To: <20070103080704.GA486@zen.inc>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Yes, I also did my own private patch. I think PFKEY needs to be modified for scalability.
We should be able to send multiple commands, SPIs, policy IDs and different actions for each, etc.

ashoke.

--- VANHULLEBUS Yvan wrote:

> On Tue, Jan 02, 2007 at 08:28:01PM -0800, ashoke saha wrote:
> > not new. 6/7 months old.
>
> Ok, please try with the latest version of the patch, it should be fixed.
>
> > Also, quite some time back, 1 yr .... looked like there are issues in the PFKEY interface in scalability. If you create more than 300 ipsec policies and ipsec SAs, PFKEY used to fail as the kernel was using one mbuf cluster (2K or 4K, don't remember) for each policy or SA. That way it was running out of the mbuf cluster limit for the process.
>
> Yep.
>
> > maybe that is also fixed.
>
> There is no public patch afaik.
>
> However, I have 2 solutions to fix that:
>
> - There is a "bug" in a macro in socket code. Basically, some long vars are converted to ints to make some checks, then the result is converted to a long again. I already posted a quick patch here a few months ago, I'll send it as a PR as soon as I have time to do a complete and clean fix (I don't remember exactly what, but I noticed that some calls to that macro would need to be fixed when the macro is fixed). This solution reduces the problem, but doesn't really fix it (but there is *really* a bug which needs to be fixed here).
>
> - The way SPD / SAs are dumped between kernel/userland is ugly, because you use 1 message for each entry. We solved the problem by creating a custom PFKey request: userland sends a buffer address/size to the kernel, and the kernel will fill this buffer with results, then will send ONE message to the userland, with the used size. This works well, but is really not RFC compliant!
>
> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
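The one-message-per-entry dump that Yvan describes, as an added example that is not part of the thread and not FreeBSD's or NETASQ's code: a user-space parser for the PF_KEY v2 SADB_DUMP reply series, with a modelled "kernel" that emits one reply per SA so the program runs offline without root or a PF_KEY socket. Struct layouts and constants follow RFC 2367; the count-down of sadb_msg_seq to 0 on the last reply follows the KAME-derived key_dump() in FreeBSD (assumed here, check your kernel's version); the SPIs, the pid 4242, and the 2048-byte cluster / 256 KiB socket buffer figures in replies_that_fit() are constructed parameters, since the thread does not pin them down.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PF_KEY v2 constants and wire structs, per RFC 2367 (lengths are in 8-byte units) */
#define PF_KEY_V2       2
#define SADB_DUMP       10
#define SADB_SATYPE_ESP 3
#define SADB_EXT_SA     1
#define MAX_ENTRIES     64

struct sadb_msg {                 /* 16 bytes = 2 units; one per reply */
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len;        /* whole message incl. extensions */
    uint16_t sadb_msg_reserved;
    uint32_t sadb_msg_seq;
    uint32_t sadb_msg_pid;
};
struct sadb_ext { uint16_t sadb_ext_len; uint16_t sadb_ext_type; }; /* generic TLV head */
struct sadb_sa {                  /* 16 bytes = 2 units */
    uint16_t sadb_sa_len, sadb_sa_exttype;
    uint32_t sadb_sa_spi;
    uint8_t  sadb_sa_replay, sadb_sa_state, sadb_sa_auth, sadb_sa_encrypt;
    uint32_t sadb_sa_flags;
};

struct dump_result {
    size_t   entries;             /* replies parsed, one per SA */
    uint32_t spis[MAX_ENTRIES];
    int      saw_last;            /* a reply with seq == 0 closed the series */
};

/* Userland side: the SADB_DUMP request is a bare header with no extensions. */
size_t build_dump_request(uint8_t *out, size_t cap, uint8_t satype, uint32_t pid)
{
    struct sadb_msg m;
    if (cap < sizeof m) return 0;
    memset(&m, 0, sizeof m);
    m.sadb_msg_version = PF_KEY_V2;  m.sadb_msg_type = SADB_DUMP;
    m.sadb_msg_satype = satype;      m.sadb_msg_len = (uint16_t)(sizeof m / 8);
    m.sadb_msg_pid = pid;
    memcpy(out, &m, sizeof m);
    return sizeof m;
}

/* Modelled kernel side: one reply per SA; seq counts down, 0 marks the last one. */
static size_t emit_dump_reply(uint8_t *out, size_t cap, uint32_t spi, uint32_t remaining, uint32_t pid)
{
    struct sadb_msg m;  struct sadb_sa sa;
    if (cap < sizeof m + sizeof sa) return 0;
    memset(&m, 0, sizeof m);  memset(&sa, 0, sizeof sa);
    m.sadb_msg_version = PF_KEY_V2;  m.sadb_msg_type = SADB_DUMP;
    m.sadb_msg_satype = SADB_SATYPE_ESP;
    m.sadb_msg_len = (uint16_t)((sizeof m + sizeof sa) / 8);
    m.sadb_msg_seq = remaining;  m.sadb_msg_pid = pid;
    sa.sadb_sa_len = (uint16_t)(sizeof sa / 8);  sa.sadb_sa_exttype = SADB_EXT_SA;
    sa.sadb_sa_spi = spi;
    memcpy(out, &m, sizeof m);  memcpy(out + sizeof m, &sa, sizeof sa);
    return sizeof m + sizeof sa;
}

/* Constructed sample: the concatenation of the replies recv(2) would return for n SAs. */
size_t build_sample_stream(uint8_t *out, size_t cap, const uint32_t *spis, size_t n, uint32_t pid)
{
    size_t off = 0, i;
    for (i = 0; i < n; i++)
        off += emit_dump_reply(out + off, cap - off, spis[i], (uint32_t)(n - 1 - i), pid);
    return off;
}

/* Walk the reply series message by message, then extension by extension.
 * Returns 0 on success, -1 on a malformed/truncated stream, -2 if the kernel reported errno. */
int parse_dump_stream(const uint8_t *buf, size_t len, struct dump_result *r)
{
    size_t off = 0;
    memset(r, 0, sizeof *r);
    while (off < len) {
        struct sadb_msg m;  size_t mlen, eoff;
        if (len - off < sizeof m) return -1;                 /* truncated header */
        memcpy(&m, buf + off, sizeof m);
        mlen = (size_t)m.sadb_msg_len * 8;
        if (mlen < sizeof m || mlen > len - off) return -1;  /* length lies outside the buffer */
        if (m.sadb_msg_version != PF_KEY_V2 || m.sadb_msg_type != SADB_DUMP) return -1;
        if (m.sadb_msg_errno != 0) return -2;
        for (eoff = sizeof m; eoff < mlen; ) {
            struct sadb_ext e;  size_t elen;
            if (mlen - eoff < sizeof e) return -1;
            memcpy(&e, buf + off + eoff, sizeof e);
            elen = (size_t)e.sadb_ext_len * 8;
            if (elen < sizeof e || elen > mlen - eoff) return -1; /* a zero-length ext would spin forever */
            if (e.sadb_ext_type == SADB_EXT_SA && elen >= sizeof(struct sadb_sa) && r->entries < MAX_ENTRIES) {
                struct sadb_sa sa;
                memcpy(&sa, buf + off + eoff, sizeof sa);
                r->spis[r->entries] = sa.sadb_sa_spi;
            }
            eoff += elen;
        }
        r->entries++;
        if (m.sadb_msg_seq == 0) r->saw_last = 1;
        off += mlen;
    }
    return 0;
}

/* Cost model of the complaint in the thread: every per-entry reply sits in its own
 * mbuf cluster in the PF_KEY socket's receive buffer, so the buffer caps the dump size. */
size_t replies_that_fit(size_t sockbuf_bytes, size_t cluster_bytes)
{
    return cluster_bytes ? sockbuf_bytes / cluster_bytes : 0;
}

int main(void)
{
    static const uint32_t spis[3] = { 0x1001, 0x1002, 0x1003 };   /* constructed SPIs */
    uint8_t req[16], stream[256];  struct dump_result r;  size_t n;
    build_dump_request(req, sizeof req, SADB_SATYPE_ESP, 4242);
    n = build_sample_stream(stream, sizeof stream, spis, 3, 4242);
    if (parse_dump_stream(stream, n, &r) != 0) { puts("malformed dump stream"); return 1; }
    printf("%zu replies in %zu bytes, last-marker seen: %d\n", r.entries, n, r.saw_last);
    printf("one 2048-byte cluster per reply: a 256 KiB socket buffer holds %zu entries\n",
           replies_that_fit(256 * 1024, 2048));
    return 0;
}
```

The parser rejects a reply whose sadb_msg_len runs past the received bytes and an extension whose length is zero, which is the check a PF_KEY consumer needs before trusting anything the kernel (or a spoofed local writer) hands it; the same walk serves for SADB_X_SPDDUMP if the extension type test is widened. Yvan's single-buffer variant would replace the per-message loop with one message whose payload holds every entry, at the cost of RFC 2367 compliance.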