NAT Traversal bug in kernel patch ?

ashoke saha ashoke at rocketmail.com
Tue Jan 2 20:28:05 PST 2007


not new. 6/7 months old.

Also, quite some time back, 1 yr .... it looked like there
are issues in the PFKEY interface in scalability. If you
create more than 300 ipsec policies and ipsec SAs, PFKEY
used to fail as the kernel was using one mbuf cluster (2K
or 4K, don't remember) for each policy or SA. That way
it was running out of the mbuf cluster limit for the process.

maybe that is also fixed.


ashoke.

--- VANHULLEBUS Yvan <vanhu_bsd at zeninc.net> wrote:

> On Tue, Jan 02, 2007 at 02:59:59AM -0800, ashoke
> saha wrote:
> > Hi ,
> 
> Hi.
> 
> 
> > just joined the mailing list.  I was implementing
> > NAT traversal based on the patch and my kernel was
> > panicking because of wrong ipsec config, which it
> > should not whatever be the config.
> > 
> > Looks like there is a small issue in the code
> > http://ipsec-tools.sourceforge.net/freebsd6-natt.diff
> > which might already be fixed.
> > 
> > Look at the call of the function 
> > udp4_espinudp () in udp append. Now under certain
> > circumstances it is possible that udp4_espinudp ()
> > calls m_pullup() and it would add a new pkt header to
> > the mbuf chain. But udp_append() is still holding the
> > old head, whose PKTHDR flag is now off. It then sends
> > the pkt further up and kernel does a panic as it does
> > not see PKTHDR flag.
> 
> I already fixed "something like that" a few months
> ago.
> 
> Are you using the latest version of the patch ?
> 
> MD5 sum of the patch file should be
> 510ac07e6aa95d34e1e05da0695e4059,
> is that what you get ?
> 
> 
> 
> Yvan.
> 
> -- 
> NETASQ
> http://www.netasq.com
> 
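
The stale-head problem described in the quoted report, as an added userland sketch that is not code from the patch or from FreeBSD: a toy pullup that may prepend a new head, called once through a by-value pointer (the caller keeps the old head, which has lost its packet-header flag) and once through a pointer-to-pointer. The struct layout, `toy_pullup`, `decap_by_value`, `decap_by_ref` and `caller_head_has_pkthdr` are hypothetical names, and the by-reference repair is an assumption about one possible fix, not a statement of how the patch was corrected.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define M_PKTHDR 0x1  /* toy flag, named after the kernel's */
struct mbuf { struct mbuf *next; int flags, len; unsigned char data[64]; }; /* toy layout */

static struct mbuf *mb_new(const char *p, int len, int flags) {
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL) abort();
    memcpy(m->data, p, (size_t)len);
    m->len = len; m->flags = flags;
    return m;
}

/* Toy pullup: make the first `need` bytes contiguous. If the head is too
 * short, a NEW head is prepended and the packet-header flag moves to it, so
 * the pointer passed in is no longer the head. Assumes the chain holds at
 * least `need` bytes; emptied mbufs are left in place rather than freed. */
static struct mbuf *toy_pullup(struct mbuf *m, int need) {
    if (m->len >= need) return m;
    struct mbuf *n = mb_new("", 0, m->flags & M_PKTHDR);
    m->flags &= ~M_PKTHDR;
    n->next = m;
    for (struct mbuf *s = m; s != NULL && n->len < need; s = s->next) {
        int take = need - n->len < s->len ? need - n->len : s->len;
        memcpy(n->data + n->len, s->data, (size_t)take);
        memmove(s->data, s->data + take, (size_t)(s->len - take));
        s->len -= take; n->len += take;
    }
    return n;
}

/* Pattern from the report: callee pulls up on its own copy of the pointer. */
static void decap_by_value(struct mbuf *m) { m = toy_pullup(m, 4); (void)m; }
/* Assumed repair: callee writes the possibly-new head back through mp. */
static void decap_by_ref(struct mbuf **mp) { *mp = toy_pullup(*mp, 4); }

/* 1 if the head the caller would pass up the stack still carries M_PKTHDR. */
int caller_head_has_pkthdr(int fixed) {
    struct mbuf *m = mb_new("AB", 2, M_PKTHDR);  /* constructed short head */
    m->next = mb_new("CDEFGH", 6, 0);
    if (fixed) decap_by_ref(&m); else decap_by_value(m);
    return (m->flags & M_PKTHDR) != 0;           /* toy chain is not freed */
}

int main(void) {
    printf("by value: %d, by ref: %d\n", caller_head_has_pkthdr(0), caller_head_has_pkthdr(1));
    return 0;
}
```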

