Questions about PF_KEY interface
VANHULLEBUS Yvan
vanhu_bsd at zeninc.net
Mon Jun 25 07:05:49 UTC 2007
On Mon, Jun 25, 2007 at 02:50:08PM +0800, blue wrote:
> Dear all:
Hi.
> I found there are two directories about PF_KEY interface: netkey and
> netipsec under $FreeBSD src$\sys\.
>
> Looking into the makefile, the one that is currently used and built in
> is netkey.
>
> However, I am wondering what's the purpose for netipsec?
netkey is used if you compile with IPSEC (KAME's stack).
netipsec is used if you compile with FAST_IPSEC.
> Besides, the handling for the global variable "regtree", which is used
> for key registery, in netipsec seems more proper to me.
>
> For example, when a key is needed to register, the static function,
> key_register(), which is defined in [netkey/netipsec]/key.c, will be called.
>
> However, in netkey/key.c, key_register() will not call mtx_lock before
> the operation of the global variable, regtree. On the other hand, in
> netipsec/key.c, key_register() will mtx_lock. In my opinion, I think the
> latter should be correct since there may be various processes to call
> the function. Without the protection, race condition will occur!
KAME's IPSec stack is still giant locked, so doesn't needs more fined
locking.
FAST_IPSEC used fined grain locking.
KAME's stack will probably be removed in the future (for 7.0 ?) thanks
George V. Neville-Neil's work to provide all KAME's stack features on
FAST_IPSEC.
Yvan.
--
NETASQ
http://www.netasq.com
More information about the freebsd-net
mailing list