We have a scenario where we're using pluto (for legacy reasons) and a very large number of IPs are configured on the server (or alternately, the server has a large number of public IPs).

We've run into 2 different problems:

* exhausting the ifreq[300] array in find_raw_ifaces4();
* exhausting the RLIMIT_NOFILE (the per-process limit on open files) in process_raw_ifaces()/create_socket().

I wanted to do an enhancement where we add a knob like "pluto.maxifs" which would provision the size of ifreq[] (now as a malloc()'d structure, or possibly using getifaddrs()) to the correct size, as well as setting (via setrlimit(RLIMIT_NOFILE)) the number of potential open file descriptors in pluto to be maxifs+epsilon (where epsilon would cover additional file descriptors needed for syslog, stdout, stderr, config files, the control sockets to talk to "ipsec", etc... probably about 20).

I would similarly add such a knob for "charon.maxifs". And of course we'd upstream the enhancement once we'd tested it in-house.

Does this seem like a reasonable venture?

Thanks,
-Philip

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
