FAST_IPSEC bug fix
Mike Tancsa
mike at sentex.net
Tue Mar 30 09:13:36 PST 2004
Well, it's not totally a bug, but missing functionality that looks like it is
there but is not, and it is pretty important to keep lossy links functioning
with IPSEC. My colleague gabor at sentex.net created the patch below that
implements net.key.prefered_oldsa when using FAST_IPSEC. The discussion
has come up before about this, but no action. I know sam at freebsd.org is
really busy and cannot help. Is there anyone out there who could review and
commit the patch below ? It works against RELENG_4
I have bcc'd the last 2 committers to touch the code in the hopes that they
might have the time and inclination to review / commit ?
*** /usr/src/sys/netipsec/key.c Mon Mar 29 20:11:44 2004
--- ./key.c Tue Mar 30 12:00:31 2004
***************
*** 133,138 ****
--- 133,139 ----
#endif
static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring
list */
+ #if 0
/* search order for SAs */
static u_int saorder_state_valid[] = {
SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
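Review bot: The old `saorder_state_valid` table is fenced off with `#if 0` here and `#endif` in the next hunk (142,154) instead of being deleted, which leaves dead code whose name is then shadowed by the new function-local `const u_int *saorder_state_valid` in the 824-831 and 1014-1034 hunks the moment anyone re-enables it; remove the table outright. The explanatory comment about why DYING precedes MATURE for outbound processing is now buried inside the `#if 0` block, so the two new tables lack any rationale; a comment above them such as `/* SA search order, chosen at runtime by net.key.prefered_oldsa: prefer_old tries DYING (past its soft lifetime) before MATURE so a peer that has not yet installed the new SA keeps working; prefer_new is the reverse. */` would carry it over. The new tables are `static const` while `saorder_state_alive` just below stays non-const; giving it the same qualifier keeps the file consistent. Both new tables contain only DYING and MATURE, the same two states as before, so indexing `sah->savtree[state]` with their entries stays in range.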
***************
*** 141,146 ****
--- 142,154 ----
* for outbound processing. For inbound, This is not important.
*/
};
+ #endif
+ static const u_int saorder_state_valid_prefer_old[] = {
+ SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
+ };
+ static const u_int saorder_state_valid_prefer_new[] = {
+ SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
+ };
static u_int saorder_state_alive[] = {
/* except DEAD */
SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
***************
*** 816,821 ****
--- 824,831 ----
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, state;
+ const u_int *saorder_state_valid;
+ int arraysize;
LIST_FOREACH(sah, &sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
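Review bot: `arraysize` is declared `int` but is compared against `u_int stateidx` in the new loop condition `stateidx < arraysize` (next hunk), and it is assigned from `_ARRAYLEN`, which is presumably a sizeof-based unsigned expression, so the comparison mixes signedness and will trip `-Wsign-compare`; declare it `u_int arraysize;`. The same declaration pair recurs in the 1014,1034 hunk and needs the same change. The enclosing function begins before this hunk.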
***************
*** 828,836 ****
found:
/* search valid state */
for (stateidx = 0;
! stateidx < _ARRAYLEN(saorder_state_valid);
stateidx++) {
state = saorder_state_valid[stateidx];
--- 838,853 ----
found:
+ if (key_prefered_oldsa) {
+ saorder_state_valid = saorder_state_valid_prefer_old;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+ } else {
+ saorder_state_valid = saorder_state_valid_prefer_new;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+ }
/* search valid state */
for (stateidx = 0;
! stateidx < arraysize;
stateidx++) {
state = saorder_state_valid[stateidx];
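Review bot: The seven-line `if (key_prefered_oldsa)` selection block after `found:` is duplicated verbatim in the 1014,1034 hunk, so a third SA lookup path added later can easily miss it; a small `static` helper that both callers invoke keeps the policy in one place. The patch does not declare `key_prefered_oldsa` itself, so it relies on the sysctl-backed variable already existing in key.c, which the post's description implies but the diff does not show. Note that the value is read once per lookup with no synchronisation; on this kernel generation that appears acceptable, but the helper makes it a single read point if that ever changes. The enclosing function starts and ends outside this hunk.
```c
/* Pick the SA state search order; net.key.prefered_oldsa favours DYING over MATURE. */
static void
key_sa_search_order(const u_int **order, u_int *n)
{
	if (key_prefered_oldsa) {
		*order = saorder_state_valid_prefer_old;
		*n = _ARRAYLEN(saorder_state_valid_prefer_old);
	} else {
		*order = saorder_state_valid_prefer_new;
		*n = _ARRAYLEN(saorder_state_valid_prefer_new);
	}
}

/* … at the found: label, replacing the if/else block … */
found:
	key_sa_search_order(&saorder_state_valid, &arraysize);
	/* … unchanged: search valid state loop … */
```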
***************
*** 997,1008 ****
--- 1014,1034 ----
struct secasvar *sav;
u_int stateidx, state;
int s;
+ const u_int *saorder_state_valid;
+ int arraysize;
KASSERT(dst != NULL, ("key_allocsa: null dst address"));
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP key_allocsa from %s:%u\n", where, tag));
+ if (key_prefered_oldsa) {
+ saorder_state_valid = saorder_state_valid_prefer_old;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+ } else {
+ saorder_state_valid = saorder_state_valid_prefer_new;
+ arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+ }
/*
* searching SAD.
* XXX: to be checked internal IP header somewhere. Also when
***************
*** 1013,1019 ****
LIST_FOREACH(sah, &sahtree, chain) {
/* search valid state */
for (stateidx = 0;
! stateidx < _ARRAYLEN(saorder_state_valid);
stateidx++) {
state = saorder_state_valid[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
--- 1039,1045 ----
LIST_FOREACH(sah, &sahtree, chain) {
/* search valid state */
for (stateidx = 0;
! stateidx < arraysize;
stateidx++) {
state = saorder_state_valid[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike