FAST_IPSEC bug fix
Oldach, Helge
Helge.Oldach at atosorigin.com
Sat Apr 24 09:03:49 PDT 2004
Hi list,
this is a month-old mail about the lack of a FAST_IPSEC feature compared
to legacy IPSEC. Including a working patch. I haven't seen this being
committed, or is it? Please also MFC to STABLE.
Regards,
Helge
> -----Original Message-----
> From: owner-freebsd-hackers at freebsd.org
> [mailto:owner-freebsd-hackers at freebsd.org]On Behalf Of Mike Tancsa
> Sent: Tuesday, 30. March 2004 19:14
> To: freebsd-hackers at freebsd.org
> Subject: FAST_IPSEC bug fix
>
> Well, it's not totally a bug, but missing functionality that looks like it is
> there but is not, and is pretty important to keep lossy links functioning
> with IPSEC. My colleague gabor at sentex.net created the patch below that
> implements net.key.prefered_oldsa when using FAST_IPSEC. The discussion
> has come up before about this, but no action. I know sam at freebsd.org is
> really busy and cannot help. Is there anyone out there who could review and
> commit the patch below? It works against RELENG_4.
>
> I have bcc'd the last 2 committers to touch the code in the hopes that they
> might have the time and inclination to review / commit?
>
> *** /usr/src/sys/netipsec/key.c Mon Mar 29 20:11:44 2004
> --- ./key.c Tue Mar 30 12:00:31 2004
> ***************
> *** 133,138 ****
> --- 133,139 ----
> #endif
> static LIST_HEAD(_spacqtree, secspacq) spacqtree; /*
> SP acquiring
> list */
>
> + #if 0
> /* search order for SAs */
> static u_int saorder_state_valid[] = {
> SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
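Review bot: the `+ #if 0` at the top of this hunk disables the original `saorder_state_valid[]` table instead of deleting it; since the two new tables replace it completely, drop the old definition outright rather than carrying dead code under `#if 0`.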
> ***************
> *** 141,146 ****
> --- 142,154 ----
> * for outbound processing. For inbound, This is
> not important.
> */
> };
> + #endif
> + static const u_int saorder_state_valid_prefer_old[] = {
> + SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
> + };
> + static const u_int saorder_state_valid_prefer_new[] = {
> + SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
> + };
> static u_int saorder_state_alive[] = {
> /* except DEAD */
> SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
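Review bot: the comment explaining that the search order matters for outbound processing and not for inbound now ends up inside the `#if 0` block together with the old table; move it above `saorder_state_valid_prefer_old[]` / `saorder_state_valid_prefer_new[]` so the rationale for the two orders stays with the live code. Also, the new tables are `static const u_int` while `saorder_state_alive[]` directly below remains `static u_int`; making that one `const` as well would be consistent.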
> ***************
> *** 816,821 ****
> --- 824,831 ----
> struct secashead *sah;
> struct secasvar *sav;
> u_int stateidx, state;
> + const u_int *saorder_state_valid;
> + int arraysize;
>
> LIST_FOREACH(sah, &sahtree, chain) {
> if (sah->state == SADB_SASTATE_DEAD)
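Review bot: `arraysize` is declared `int` while `stateidx` is `u_int`, so the `stateidx < arraysize` loop bound introduced later in the patch is a signed/unsigned comparison; declare it `u_int arraysize` (or `size_t`) to match the loop counter and avoid -Wsign-compare warnings.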
> ***************
> *** 828,836 ****
>
> found:
>
> /* search valid state */
> for (stateidx = 0;
> ! stateidx < _ARRAYLEN(saorder_state_valid);
> stateidx++) {
>
> state = saorder_state_valid[stateidx];
> --- 838,853 ----
>
> found:
>
> + if (key_prefered_oldsa) {
> + saorder_state_valid = saorder_state_valid_prefer_old;
> + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
> + } else {
> + saorder_state_valid = saorder_state_valid_prefer_new;
> + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
> + }
> /* search valid state */
> for (stateidx = 0;
> ! stateidx < arraysize;
> stateidx++) {
>
> state = saorder_state_valid[stateidx];
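Review bot: `key_prefered_oldsa` is read here but no declaration or sysctl registration is added anywhere in the patch, so the change only works if that variable already exists in key.c as the backing store for the net.key.prefered_oldsa knob named in the mail; the commit message should state that the patch wires up an existing but previously unused sysctl so a reviewer does not go looking for the missing definition.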
> ***************
> *** 997,1008 ****
> --- 1014,1034 ----
> struct secasvar *sav;
> u_int stateidx, state;
> int s;
> + const u_int *saorder_state_valid;
> + int arraysize;
>
> KASSERT(dst != NULL, ("key_allocsa: null dst address"));
>
> KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
> printf("DP key_allocsa from %s:%u\n", where, tag));
>
> + if (key_prefered_oldsa) {
> + saorder_state_valid = saorder_state_valid_prefer_old;
> + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
> + } else {
> + saorder_state_valid = saorder_state_valid_prefer_new;
> + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
> + }
> /*
> * searching SAD.
> * XXX: to be checked internal IP header somewhere.
> Also when
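Review bot: this `if (key_prefered_oldsa) { ... } else { ... }` table selection is a verbatim copy of the one added in the 838,853 hunk above; factor it into one small static helper (for example `key_saorder(const u_int **order, u_int *len)`, name hypothetical) so `key_allocsa()` and the other caller cannot drift apart if a third state order is ever added.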
> ***************
> *** 1013,1019 ****
> LIST_FOREACH(sah, &sahtree, chain) {
> /* search valid state */
> for (stateidx = 0;
> ! stateidx < _ARRAYLEN(saorder_state_valid);
> stateidx++) {
> state = saorder_state_valid[stateidx];
> LIST_FOREACH(sav,
> &sah->savtree[state], chain) {
> --- 1039,1045 ----
> LIST_FOREACH(sah, &sahtree, chain) {
> /* search valid state */
> for (stateidx = 0;
> ! stateidx < arraysize;
> stateidx++) {
> state = saorder_state_valid[stateidx];
> LIST_FOREACH(sav,
> &sah->savtree[state], chain) {
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
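A user-space model of the SA search order the patch installs, as an added example that is not part of the patch or of FreeBSD's key.c (the SAD contents, the state numbering and the `demo_select()` helper are constructed for illustration): with prefer_old the DYING SA keeps being chosen until it expires, with prefer_new the freshly negotiated MATURE SA is used at once.

```c
#include <stddef.h>
#include <stdio.h>

/* SA states, numbered like a small SAD would index them (constructed here;
 * the real values are the kernel's SADB_SASTATE_* constants). */
enum { SASTATE_LARVAL, SASTATE_MATURE, SASTATE_DYING, SASTATE_DEAD };

/* One entry of a constructed SAD; seq is just a label for checking results. */
struct sa { int seq; int state; };

/* The two search orders the patch installs: prefer_old walks DYING first. */
static const int saorder_prefer_old[] = { SASTATE_DYING, SASTATE_MATURE };
static const int saorder_prefer_new[] = { SASTATE_MATURE, SASTATE_DYING };
#define ARRAYLEN(a) (sizeof(a) / sizeof((a)[0]))

/* Model of key_allocsa()'s selection: return the seq of the first SA whose
 * state matches the earliest entry of the chosen order, or -1 if none.
 * LARVAL and DEAD SAs are never picked because neither table lists them. */
int select_sa(const struct sa *sad, size_t n, int prefer_oldsa)
{
    const int *order = prefer_oldsa ? saorder_prefer_old : saorder_prefer_new;
    size_t len = prefer_oldsa ? ARRAYLEN(saorder_prefer_old)
                              : ARRAYLEN(saorder_prefer_new);
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < n; j++)
            if (sad[j].state == order[i])
                return sad[j].seq;
    return -1;
}

/* Constructed SAD as it looks mid-rekey: the established SA is DYING, the
 * freshly negotiated one is MATURE, and a half-built one is still LARVAL. */
int demo_select(int prefer_oldsa)
{
    static const struct sa sad[] = {
        { 1, SASTATE_DYING }, { 2, SASTATE_MATURE }, { 3, SASTATE_LARVAL },
    };
    return select_sa(sad, ARRAYLEN(sad), prefer_oldsa);
}

int main(void)
{
    printf("net.key.prefered_oldsa=1 selects SA %d\n", demo_select(1)); /* 1 */
    printf("net.key.prefered_oldsa=0 selects SA %d\n", demo_select(0)); /* 2 */
    return 0;
}
```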