Questions about PF_KEY interface

VANHULLEBUS Yvan vanhu_bsd at
Mon Jun 25 07:05:49 UTC 2007

On Mon, Jun 25, 2007 at 02:50:08PM +0800, blue wrote:
> Dear all:


> I found there are two directories about PF_KEY interface: netkey and 
> netipsec under $FreeBSD src$\sys\.
> Looking into the makefile, the one that is currently used and built in 
> is netkey.
> However, I am wondering what's the purpose for netipsec?

netkey is used if you compile with IPSEC (KAME's stack).
netipsec is used if you compile with FAST_IPSEC.

> Besides, the handling for the global variable "regtree", which is used 
> for key registry, in netipsec seems more proper to me.
> For example, when a key is needed to register, the static function, 
> key_register(), which is defined in [netkey/netipsec]/key.c, will be called.
> However, in netkey/key.c, key_register() will not call mtx_lock before 
> the operation of the global variable, regtree. On the other hand, in 
> netipsec/key.c, key_register() will mtx_lock. In my opinion, I think the 
> latter should be correct since there may be various processes to call 
> the function. Without the protection, race condition will occur!

KAME's IPSec stack is still giant locked, so doesn't need more fine

FAST_IPSEC used fine-grained locking.

KAME's stack will probably be removed in the future (for 7.0 ?) thanks to
George V. Neville-Neil's work to provide all KAME's stack features on



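A userland model of the two locking styles discussed in this thread, added as an example and not taken from the FreeBSD source or from either poster: the coarse variant relies on the caller holding one big lock around the whole operation, while the fine-grained variant locks the list inside the function. The pthread mutexes, the `struct secreg` layout and the names `key_register_coarse`, `key_register_fine` and `run_model` are assumptions standing in for the kernel primitives.

```c
/* Userland model (constructed, not FreeBSD source) of two locking styles. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#define NTHREADS 8
#define NREGS    2000

struct secreg { struct secreg *next; };            /* one registration entry */
static struct secreg *regtree;                      /* shared registration list */
static pthread_mutex_t giant = PTHREAD_MUTEX_INITIALIZER;        /* coarse lock */
static pthread_mutex_t regtree_lock = PTHREAD_MUTEX_INITIALIZER; /* list lock */

/* Coarse style: no locking inside; safe only if the caller holds giant. */
static void key_register_coarse(struct secreg *r) {
    r->next = regtree;
    regtree = r;
}

/* Fine-grained style: the function locks the list it modifies. */
static void key_register_fine(struct secreg *r) {
    pthread_mutex_lock(&regtree_lock);
    r->next = regtree;
    regtree = r;
    pthread_mutex_unlock(&regtree_lock);
}

static void *worker(void *arg) {
    int fine = *(int *)arg;
    for (int i = 0; i < NREGS; i++) {
        struct secreg *r = malloc(sizeof(*r));
        if (r == NULL) abort();
        if (fine) { key_register_fine(r); continue; }
        pthread_mutex_lock(&giant);       /* taken at the entry point */
        key_register_coarse(r);
        pthread_mutex_unlock(&giant);
    }
    return NULL;
}

/* Run NTHREADS concurrent registrants; return how many entries were linked. */
int run_model(int fine) {
    pthread_t t[NTHREADS];
    int n = 0;
    regtree = NULL;
    for (int i = 0; i < NTHREADS; i++) pthread_create(&t[i], NULL, worker, &fine);
    for (int i = 0; i < NTHREADS; i++) pthread_join(t[i], NULL);
    while (regtree) { struct secreg *r = regtree; regtree = r->next; free(r); n++; }
    return n;
}

int main(void) { int c = run_model(0), f = run_model(1); printf("coarse=%d fine=%d\n", c, f); return 0; }
```

Both variants link every entry; calling `key_register_coarse` from several threads without holding `giant` is the case where insertions can be lost.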