Date: Tue, 30 Mar 2004 12:13:58 -0500 From: Mike Tancsa <mike@sentex.net> To: freebsd-hackers@freebsd.org Subject: FAST_IPSEC bug fix Message-ID: <6.0.3.0.0.20040330120751.10bf1180@209.112.4.2>
Well, it's not totally a bug, but missing functionality that looks like it is
there but is not, and is pretty important to keep lossy links functioning
with IPSEC. My colleague gabor@sentex.net created the patch below that
implements net.key.prefered_oldsa when using FAST_IPSEC. The discussion
has come up before about this, but no action. I know sam@freebsd.org is
really busy and cannot help. Is there anyone out there who could review and
commit the patch below? It works against RELENG_4.
I have bcc'd the last 2 committers to touch the code in the hopes that they
might have the time and inclination to review / commit?
*** /usr/src/sys/netipsec/key.c Mon Mar 29 20:11:44 2004
--- ./key.c Tue Mar 30 12:00:31 2004
***************
*** 133,138 ****
--- 133,139 ----
#endif
static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring
list */
+ #if 0
/* search order for SAs */
static u_int saorder_state_valid[] = {
SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
***************
*** 141,146 ****
--- 142,154 ----
* for outbound processing. For inbound, This is not important.
*/
};
+ #endif
+ static const u_int saorder_state_valid_prefer_old[] = {
+ SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
+ };
+ static const u_int saorder_state_valid_prefer_new[] = {
+ SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
+ };
static u_int saorder_state_alive[] = {
/* except DEAD */
SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
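Review bot: The original `saorder_state_valid` table is kept under `#if 0` (opened in the preceding hunk at line 133, closed by the `#endif` here) instead of being deleted, which leaves dead code and a now-misleading name in the file; since the two new `prefer_old`/`prefer_new` tables replace it, remove the old array and its comment outright. The rationale the old comment carried ("for outbound processing. For inbound, This is not important.") disappears with it, so restate it on the new tables, e.g. above `saorder_state_valid_prefer_old`: `/* Search order when net.key.prefered_oldsa is set: DYING before MATURE. Only matters for outbound processing. */`. The new tables are `static const u_int` while `saorder_state_alive` immediately below stays non-const; giving it the same qualifier would keep the three declarations consistent.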
***************
*** 816,821 ****
--- 824,831 ----
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, state;
+ const u_int *saorder_state_valid;
+ int arraysize;
LIST_FOREACH(sah, &sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
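Review bot: `arraysize` is declared `int` here (and again in key_allocsa in the hunk at line 1014) but is compared against the `u_int stateidx` loop counter in the hunks at lines 838 and 1039, so both loop conditions are signed/unsigned comparisons; the `_ARRAYLEN` results it is assigned from are presumably `size_t`, which widens the mismatch. Declare it `u_int arraysize;` (or `size_t`, whichever matches `_ARRAYLEN`) at both sites. The enclosing function starts before this hunk and continues past it.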
***************
*** 828,836 ****
found:
/* search valid state */
for (stateidx = 0;
! stateidx < _ARRAYLEN(saorder_state_valid);
stateidx++) {
state = saorder_state_valid[stateidx];
--- 838,853 ----
found:
+ if (key_prefered_oldsa) {
+ saorder_state_valid = saorder_state_valid_prefer_old;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+ } else {
+ saorder_state_valid = saorder_state_valid_prefer_new;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+ }
/* search valid state */
for (stateidx = 0;
! stateidx < arraysize;
stateidx++) {
state = saorder_state_valid[stateidx];
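Review bot: The `key_prefered_oldsa` if/else after `found:` is duplicated verbatim in key_allocsa (hunk at line 1014); pairing each table with its own length at two separate sites is exactly the kind of thing that drifts, so a small static helper should own the selection and both call sites should reduce to `key_saorder_valid(&saorder_state_valid, &arraysize);` with `arraysize` typed `u_int` to match. The helper below goes next to the two tables; the enclosing function begins and ends outside this hunk.
```c
/*
 * Pick the SA state search order: net.key.prefered_oldsa selects
 * DYING before MATURE, otherwise MATURE before DYING.
 */
static void
key_saorder_valid(const u_int **order, u_int *n)
{
	if (key_prefered_oldsa) {
		*order = saorder_state_valid_prefer_old;
		*n = _ARRAYLEN(saorder_state_valid_prefer_old);
	} else {
		*order = saorder_state_valid_prefer_new;
		*n = _ARRAYLEN(saorder_state_valid_prefer_new);
	}
}

/* … in the caller, replacing the if/else after found: … */
key_saorder_valid(&saorder_state_valid, &arraysize);
/* … unchanged: search valid state loop … */
```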
***************
*** 997,1008 ****
--- 1014,1034 ----
struct secasvar *sav;
u_int stateidx, state;
int s;
+ const u_int *saorder_state_valid;
+ int arraysize;
KASSERT(dst != NULL, ("key_allocsa: null dst address"));
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP key_allocsa from %s:%u\n", where, tag));
+ if (key_prefered_oldsa) {
+ saorder_state_valid = saorder_state_valid_prefer_old;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+ } else {
+ saorder_state_valid = saorder_state_valid_prefer_new;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+ }
/*
* searching SAD.
* XXX: to be checked internal IP header somewhere. Also when
***************
*** 1013,1019 ****
LIST_FOREACH(sah, &sahtree, chain) {
/* search valid state */
for (stateidx = 0;
! stateidx < _ARRAYLEN(saorder_state_valid);
stateidx++) {
state = saorder_state_valid[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
--- 1039,1045 ----
LIST_FOREACH(sah, &sahtree, chain) {
/* search valid state */
for (stateidx = 0;
! stateidx < arraysize;
stateidx++) {
state = saorder_state_valid[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
