Hi Martin, 2014-07-11 12:35 GMT+02:00 Martin Willi <[email protected]>: > Christophe, > >> Insert new ike_sas in the sa table as soon as they are created in >> checkout_new. > > Thanks for your patch. > > Unfortunately, it is not unproblematic. The problem is that > checkout_new() is called from threads holding another IKE_SA, for > example during rekeying. This results in the situation that a thread > holds two IKE_SAs, which breaks the golden rule to avoid deadlocks.
I see, this is evil ;-) > If I remember correctly, some years ago we explicitly changed the > behavior to register the IKE_SA not before check-in to exactly avoid > dead-locks resulting from this behavior. > > I don't know if there is a better fix for this issue, but I don't think > there really is one needed. Under high load, packet drops can occur. > This are not ideal, but it will happen anyway. Retransmission should > take care that the SA comes up nonetheless. Admittedly, however I'm a little concerned that this packet drop is due to a problem of scheduling, not of capacity. The retransmission is a little waste. I'll cogitate to see if I can find another solution that does not entail potential deadlocks. Best Regards, Christophe > Regards > Martin _______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
