NAT Traversal bug in kernel patch?

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Wed Jan 3 00:07:09 PST 2007


On Tue, Jan 02, 2007 at 08:28:01PM -0800, ashoke saha wrote:
> not new. 6/7 months old. 

Ok, please try with the latest version of the patch, it should be
fixed.


> Also, quite some time back, 1 yr .... looked like there
> are issues in the PFKEY interface in scalability. If you
> create more than 300 ipsec policies and ipsec SAs, PFKEY
> used to fail as the kernel was using one mbuf cluster (2K
> or 4k, don't remember) for each policy or SA. That way
> it was running out of the mbuf cluster limit for the process.

Yep.


> maybe that is also fixed.

There is no public patch afaik.

However, I have 2 solutions to fix that:

- There is a "bug" in a macro in the socket code. Basically, some long
  vars are converted to ints to make some checks, then the result is
  converted to a long again. I already posted a quick patch here a few
  months ago; I'll send it as a PR as soon as I have time to do a
  complete and clean fix (I don't remember exactly what, but I
  noticed that some calls to that macro would need to be fixed when
  the macro is fixed). This solution reduces the problem, but doesn't
  really fix it (but there is *really* a bug which needs to be fixed
  here).

- The way SPD / SAs are dumped between kernel/userland is ugly,
  because you use 1 message for each entry. We solved the problem by
  creating a custom PFKey request: userland sends a buffer
  address/size to the kernel, and the kernel fills this buffer
  with results, then sends ONE message to the userland, with the
  used size. This works well, but is really not RFC compliant!



Yvan.

-- 
NETASQ
http://www.netasq.com
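The first fix above describes a narrowing pattern: long values cast to int for a check, with the result widened back to long. The following added example (written for this page; it is not Yvan's patch and not FreeBSD's actual socket macro) shows why that pattern breaks a space check once a value exceeds INT_MAX. The macro and function names (`SPACE_BUGGY`, `SPACE_FIXED`, `fits_*`) and the sample values are constructed for illustration, and the code assumes an LP64 platform where long is 64 bits and int is 32.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical space-check macro modelled on the pattern the mail
 * describes: long operands are narrowed to int for the check and the
 * result is widened back to long. NOT the real FreeBSD socket macro. */
#define SPACE_BUGGY(hiwat, cc)  ((long)((int)(hiwat) - (int)(cc)))

/* Corrected form: keep the arithmetic in long throughout. */
#define SPACE_FIXED(hiwat, cc)  ((long)(hiwat) - (long)(cc))

long space_buggy(long hiwat, long cc) { return SPACE_BUGGY(hiwat, cc); }
long space_fixed(long hiwat, long cc) { return SPACE_FIXED(hiwat, cc); }

/* Does a message of `len` bytes fit in the remaining buffer space?
 * Returns 1 if it fits, 0 otherwise. */
int fits_buggy(long hiwat, long cc, long len)
{
    return space_buggy(hiwat, cc) >= len;
}

int fits_fixed(long hiwat, long cc, long len)
{
    return space_fixed(hiwat, cc) >= len;
}

int main(void)
{
    /* Constructed values: a high-water mark just above INT_MAX and a
     * small current byte count. Narrowing hiwat to int wraps it negative
     * (modulo 2^32 on gcc/clang), so the buggy check rejects a message
     * that plainly fits. Assumes sizeof(long) > sizeof(int). */
    long hiwat = (long)INT_MAX + 4096;
    long cc = 2048;
    long len = 2048;   /* one 2K cluster, as the quoted mail guesses */

    printf("buggy: space=%ld fits=%d\n",
           space_buggy(hiwat, cc), fits_buggy(hiwat, cc, len));
    printf("fixed: space=%ld fits=%d\n",
           space_fixed(hiwat, cc), fits_fixed(hiwat, cc, len));
    return 0;
}
```

With small operands both macros agree, which is why such a bug survives ordinary testing; the divergence only appears once an operand no longer fits in an int, and the buggy variant then reports negative free space. The same reasoning applies to any check that narrows a size before comparing it.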

