RELENG_5 and FAST_IPSEC limits

Sam Leffler sam at
Thu Mar 17 08:58:27 PST 2005

Hajimu UMEMOTO wrote:
> Hi,
>>>>>>On Wed, 16 Mar 2005 10:17:14 -0800
>>>>>>Sam Leffler <sam at> said:
> sam> Note the change lacks any locking so if your SA db is changing there's a 
> sam> good chance you'll blow up.
> Ah, yes.  I forgot the fact that FAST_IPSEC is mpsafe.
> How about this?  This is againt sys/netipsec/key.c with my previous
> patch applied.
	<...patch removed...>

Possibly; I can't tell from the patch if locks are held across calls 
they should not be. I also worry about the effect of holding the various 
  locks for an extended period of time (will it impact packet processing?)

Note that switching to a sysctl would also eliminate a problem in the 
PF_KEY socket code where the raw_cb list is walked w/o holding 
rawcb_mtx.  Roselyn Lee at Vernier Networks hit this but we didn't apply 
a change she had (yet) because there appeared to be issues with LOR's 
between the raw cb and SA db locks.  In general the PF_KEY code is 
desparately in need of a rewrite--if for nothing else but to isolate the 
ABI dependence between PF_KEY and the IPsec code.  Been on my TODO list 
for several years now.

Are you suggesting KAME code can/will change to eliminate the use of 
PF_KEY sockets to query the SA db state?


More information about the freebsd-stable mailing list