RELENG_5 and FAST_IPSEC limits
Sam Leffler
sam at errno.com
Thu Mar 17 08:58:27 PST 2005
Hajimu UMEMOTO wrote:
> Hi,
>
>
>>>>>>On Wed, 16 Mar 2005 10:17:14 -0800
>>>>>>Sam Leffler <sam at errno.com> said:
>
>
> sam> Note the change lacks any locking so if your SA db is changing there's a
> sam> good chance you'll blow up.
>
> Ah, yes. I forgot the fact that FAST_IPSEC is mpsafe.
> How about this? This is againt sys/netipsec/key.c with my previous
> patch applied.
>
<...patch removed...>
Possibly; I can't tell from the patch if locks are held across calls
they should not be. I also worry about the effect of holding the various
locks for an extended period of time (will it impact packet processing?)
Note that switching to a sysctl would also eliminate a problem in the
PF_KEY socket code where the raw_cb list is walked w/o holding
rawcb_mtx. Roselyn Lee at Vernier Networks hit this but we didn't apply
a change she had (yet) because there appeared to be issues with LOR's
between the raw cb and SA db locks. In general the PF_KEY code is
desparately in need of a rewrite--if for nothing else but to isolate the
ABI dependence between PF_KEY and the IPsec code. Been on my TODO list
for several years now.
Are you suggesting KAME code can/will change to eliminate the use of
PF_KEY sockets to query the SA db state?
Sam
More information about the freebsd-stable
mailing list