Thanks Eitan. Forwarding to -bsd ....
<<On Sat, 14 Dec 2013 16:09:55 -0500, Eitan Adler <[email protected]> said:

> On Sat, Dec 14, 2013 at 4:08 PM, Garrett Wollman wrote:
>> In article
>> <mit.lcs.mail.freebsd-arch/caf6rxgmdjzvrzanscjnqb8yjbhk2mxayw3bvcu7dvmczmwp...@mail.gmail.com>
>> you write:
>>> The question below has been unanswered since Sat, Sep 14, 2013.
>>>
>>> Are there any known concerns with enabling IPSEC? Is there any reason
>>> to not do so in GENERIC?
>>
>> In 9.1 I found that it was racy and would panic a server under heavy
>> load. Don't know if this has been fixed since then.

> Was this only true when used with IPSEC, or did this affect other sub-systems?

It was only true when IPsec was compiled into the kernel; we never
actually used it. The race is in the IP-input path where packets are
checked against the (nonexistent) IPsec policy. Come to think of it,
it may not technically be a race, but a cache-coherence issue, since
the memory in question is being DMA'ed into.

-GAWollman

--
Eitan Adler

