NAT Traversal bug in kernel patch ?
ashoke saha
ashoke at rocketmail.com
Wed Jan 3 01:54:05 PST 2007
Yes, I also did my own private patch. I think PFKEY needs to be
modified for scalability. We should be able to send multiple commands,
SPIs, policy IDs and different actions for each, etc.
ashoke.
--- VANHULLEBUS Yvan <vanhu_bsd at zeninc.net> wrote:
> On Tue, Jan 02, 2007 at 08:28:01PM -0800, ashoke saha wrote:
> > Not new. 6/7 months old.
>
> Ok, please try with the latest version of the patch, it should be
> fixed.
>
>
> > Also, quite some time back (1 yr) ... it looked like there are
> > issues in the PFKEY interface's scalability. If you create more
> > than 300 IPsec policies and IPsec SAs, PFKEY used to fail as the
> > kernel was using one mbuf cluster (2K or 4K, don't remember) for
> > each policy or SA. That way it was running out of the mbuf cluster
> > limit for the process.
>
> Yep.
>
>
> > Maybe that is also fixed.
>
> There is no public patch AFAIK.
>
> However, I have 2 solutions to fix that:
>
> - There is a "bug" in a macro in socket code. Basically, some long
>   vars are converted to ints to make some checks, then the result is
>   converted to a long again. I already posted a quick patch here a few
>   months ago, I'll send it as a PR as soon as I have time to do a
>   complete and clean fix (I don't remember exactly what, but I
>   noticed that some calls to that macro would need to be fixed when
>   the macro is fixed). This solution reduces the problem, but doesn't
>   really fix it (but there is *really* a bug which needs to be fixed
>   here).
>
> - The way SPD / SAs are dumped between kernel/userland is ugly,
>   because you use 1 message for each entry. We solved the problem by
>   creating a custom PFKey request: userland sends a buffer
>   address/size to the kernel, and the kernel will fill this buffer
>   with results, then will send ONE message to the userland, with the
>   used size. This works well, but is really not RFC compliant!
>
>
>
> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
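The dump behaviour Yvan describes in the quoted mail (one PF_KEY message per SA or policy, so a few hundred entries can exhaust the mbuf allowance and leave the dump short) is easy to hit without noticing, because a client that just reads until recv() blocks or fails cannot tell a short dump from a small SAD. The code below is an added example, not code from this thread, from FreeBSD or from NETASQ. It shows the check a PF_KEY client should make: count the SADB_DUMP replies and treat the dump as complete only when the reply with sadb_msg_seq == 0 arrives, which is the KAME/FreeBSD convention (the kernel numbers the dump replies counting down and setkey -D stops on seq 0). Assumptions: the sadb_msg header is copied locally with the RFC 2367 layout so the file builds without the platform's pfkeyv2.h; build_stream() produces a constructed reply stream standing in for the kernel, optionally cut short or ended with an ENOBUFS error reply; live_dump() talks to a real PF_KEY socket and needs root on a host with IPsec.

```c
/* Added example (not from the thread, FreeBSD or NETASQ): read PF_KEY
 * SADB_DUMP replies, one sadb_msg per SA, and decide whether the dump is
 * complete. Assumed KAME convention: replies count sadb_msg_seq down to 0. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Local copy of the RFC 2367 sadb_msg header (16 bytes); len is in 64-bit units. */
struct pfk_hdr {
    uint8_t  version, type, err, satype;
    uint16_t len, reserved;
    uint32_t seq, pid;
};
enum { PFK_VERSION = 2, PFK_DUMP = 10 };   /* PF_KEY_V2, SADB_DUMP */

struct dump_stats {
    unsigned entries;   /* SADB_DUMP replies seen */
    int      err;       /* first non-zero sadb_msg_errno (e.g. ENOBUFS), else 0 */
    int      complete;  /* 1 once the reply with seq == 0 was seen */
    size_t   consumed;  /* bytes accounted for so far */
};

/* Account for one reply. Returns 1 when the dump is complete, 0 to keep
 * reading, -1 on a malformed header or a kernel error (st->err is set). */
int dump_step(const uint8_t *msg, size_t len, struct dump_stats *st)
{
    struct pfk_hdr h;
    if (len < sizeof h) return -1;
    memcpy(&h, msg, sizeof h);               /* msg may be unaligned */
    size_t bytes = (size_t)h.len * 8;
    if (h.version != PFK_VERSION || bytes < sizeof h || bytes > len) return -1;
    st->consumed += bytes;
    if (h.err) { st->err = h.err; return -1; }
    if (h.type != PFK_DUMP) return 0;        /* unrelated traffic on the socket */
    st->entries++;
    if (h.seq == 0) { st->complete = 1; return 1; }
    return 0;
}

/* Walk consecutive replies: 0 = complete dump, -1 = ended before the seq 0 reply. */
int walk_dump(const uint8_t *buf, size_t len, struct dump_stats *st)
{
    memset(st, 0, sizeof *st);
    while (len - st->consumed >= sizeof(struct pfk_hdr)) {
        int r = dump_step(buf + st->consumed, len - st->consumed, st);
        if (r) return r == 1 ? 0 : -1;
    }
    return -1;   /* data ran out: a short dump, not a small SAD */
}

/* Constructed reply stream standing in for the kernel: n SAs as bare
 * headers counting down, only the first `keep` delivered, optionally
 * followed by an error reply carrying errno `err`. */
size_t build_stream(uint8_t *out, size_t cap, unsigned n, unsigned keep, int err)
{
    size_t off = 0;
    for (unsigned i = 0; i < n && i < keep && off + 16 <= cap; i++) {
        struct pfk_hdr h = { PFK_VERSION, PFK_DUMP, 0, 0, 2, 0, n - 1 - i, 1234 };
        memcpy(out + off, &h, sizeof h); off += sizeof h;
    }
    if (err && off + 16 <= cap) {
        struct pfk_hdr h = { PFK_VERSION, PFK_DUMP, (uint8_t)err, 0, 2, 0, 0, 1234 };
        memcpy(out + off, &h, sizeof h); off += sizeof h;
    }
    return off;
}

/* Live variant (needs root and IPsec in the kernel): send SADB_DUMP for
 * all SA types and read one reply per recv() until the dump completes. */
int live_dump(struct dump_stats *st)
{
    int fd = socket(PF_KEY, SOCK_RAW, PFK_VERSION), r = -1;
    if (fd < 0) return -1;
    struct pfk_hdr req = { PFK_VERSION, PFK_DUMP, 0, 0, 2, 0, 0, (uint32_t)getpid() };
    memset(st, 0, sizeof *st);
    if (send(fd, &req, sizeof req, 0) == (ssize_t)sizeof req) {
        static uint8_t msg[1 << 16];         /* one reply per recv() */
        for (;;) {
            ssize_t n = recv(fd, msg, sizeof msg, 0);
            if (n < 0) { st->err = errno; break; }   /* socket error ends the dump early */
            int s = dump_step(msg, (size_t)n, st);
            if (s) { r = (s == 1) ? 0 : -1; break; }
        }
    }
    close(fd);
    return r;
}

int main(void)
{
    struct dump_stats st;
    int rc = live_dump(&st);
    printf("%s after %u SAs (errno %d)\n",
           rc == 0 ? "complete dump" : "dump incomplete", st.entries, st.err);
    return rc == 0 ? 0 : 1;
}
```

The point of the seq check is that both failure modes Yvan mentions (replies dropped because the kernel ran out of mbuf clusters, or an error reply instead of the rest of the dump) look, to a naive reader, exactly like a legitimately shorter SAD; only the missing seq 0 reply distinguishes them. The single-buffer request NETASQ implemented sidesteps this because the one reply carries the used size, but a client of the standard interface has to do the counting itself.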