Well, it's not exactly a bug, but missing functionality that looks like it is there but is not, and it is pretty important for keeping lossy links functioning with IPsec. My colleague [EMAIL PROTECTED] created the patch below, which implements net.key.prefered_oldsa for FAST_IPSEC. This has been discussed before, but no action was taken. I know [EMAIL PROTECTED] is really busy and cannot help. Is there anyone out there who could review and commit the patch below? It works against RELENG_4.


I have bcc'd the last two committers to touch the code in the hope that they might have the time and inclination to review/commit it.


*** /usr/src/sys/netipsec/key.c Mon Mar 29 20:11:44 2004
--- ./key.c Tue Mar 30 12:00:31 2004
***************
*** 133,138 ****
--- 133,139 ----
#endif
static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */


+ #if 0
  /* search order for SAs */
  static u_int saorder_state_valid[] = {
        SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
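Review bot: The `#if 0` opened here leaves the old `saorder_state_valid` table and its comment in the file as dead code; delete the block outright, since the two replacement tables make it redundant and a disabled copy invites someone to re-enable it later and reintroduce a third, unsynchronised ordering. The one part worth keeping is the comment inside the disabled block explaining that the search order only matters for outbound processing — move that above the new tables. The `#if 0` is closed in the next hunk.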
***************
*** 141,146 ****
--- 142,154 ----
         * for outbound processing.  For inbound, This is not important.
         */
  };
+ #endif
+ static const u_int saorder_state_valid_prefer_old[] = {
+     SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
+ };
+ static const u_int saorder_state_valid_prefer_new[] = {
+     SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
+ };
  static u_int saorder_state_alive[] = {
        /* except DEAD */
        SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
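Review bot: The two new tables are `static const u_int` while `saorder_state_alive` directly below is still a writable `u_int` array; make the three consistent with `static const u_int saorder_state_alive[] = {` so no state-order table can be modified at runtime. The rationale that was in the now-disabled comment should be restated on the new tables, e.g. `/* Outbound SA search order: prefer_old keeps a DYING SA in use until its hard lifetime expires */`. The patch does not show where `key_prefered_oldsa` is defined or hooked to the `net.key.prefered_oldsa` sysctl; if it is not already present in this file the patch will not link, so that should be confirmed before commit.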
***************
*** 816,821 ****
--- 824,831 ----
        struct secashead *sah;
        struct secasvar *sav;
        u_int stateidx, state;
+         const u_int *saorder_state_valid;
+         int arraysize;

        LIST_FOREACH(sah, &sahtree, chain) {
                if (sah->state == SADB_SASTATE_DEAD)
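Review bot: `int arraysize` is later compared against `u_int stateidx` in `stateidx < arraysize`, a signed/unsigned comparison; declare it `u_int arraysize;` (or `size_t`) to match both `stateidx` and the result of `_ARRAYLEN`. The added declarations are also indented with spaces where the surrounding file uses tabs, which style(9) will reject. key_allocsa_policy's signature and body begin outside this hunk.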
***************
*** 828,836 ****

found:

        /* search valid state */
        for (stateidx = 0;
!            stateidx < _ARRAYLEN(saorder_state_valid);
             stateidx++) {

                state = saorder_state_valid[stateidx];
--- 838,853 ----

found:

+         if (key_prefered_oldsa) {
+             saorder_state_valid = saorder_state_valid_prefer_old;
+             arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+         } else {
+             saorder_state_valid = saorder_state_valid_prefer_new;
+             arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+         }
        /* search valid state */
        for (stateidx = 0;
!            stateidx < arraysize;
             stateidx++) {

                state = saorder_state_valid[stateidx];
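Review bot: The prefer_old/prefer_new selection inserted after `found:` is repeated verbatim in key_allocsa in a later hunk; factor it into one static helper so the two call sites cannot drift apart when a third state table is added. There is also a security trade-off the knob introduces that should be written down: with `key_prefered_oldsa` set, an SA that is already DYING (past its soft lifetime) keeps carrying outbound traffic until its hard lifetime expires, so the hard lifetime becomes the only bound on how long a rekeyed key stays in use, and operators on lossy links should not collapse hard onto soft. `key_prefered_oldsa` is read here without a lock, which is acceptable for an admin-toggled sysctl int but deserves a one-line comment. The search loop body continues outside the hunk.
```c
/*
 * Return the SA-state search order for outbound SA selection and store its
 * length in *n.  net.key.prefered_oldsa (read unlocked; it is an admin
 * toggle) chooses whether a DYING SA is preferred over a MATURE one.
 */
static const u_int *
key_sa_search_order(u_int *n)
{
	if (key_prefered_oldsa) {
		*n = _ARRAYLEN(saorder_state_valid_prefer_old);
		return (saorder_state_valid_prefer_old);
	}
	*n = _ARRAYLEN(saorder_state_valid_prefer_new);
	return (saorder_state_valid_prefer_new);
}

/* … unchanged: key_allocsa_policy up to the found: label … */
found:
	saorder_state_valid = key_sa_search_order(&arraysize);
	/* … unchanged: search valid state loop … */
```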
***************
*** 997,1008 ****
--- 1014,1034 ----
        struct secasvar *sav;
        u_int stateidx, state;
        int s;
+         const u_int *saorder_state_valid;
+         int arraysize;

KASSERT(dst != NULL, ("key_allocsa: null dst address"));

        KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                printf("DP key_allocsa from %s:%u\n", where, tag));

+         if (key_prefered_oldsa) {
+             saorder_state_valid = saorder_state_valid_prefer_old;
+             arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
+         } else {
+             saorder_state_valid = saorder_state_valid_prefer_new;
+             arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+         }
        /*
         * searching SAD.
         * XXX: to be checked internal IP header somewhere.  Also when
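Review bot: This block is a byte-for-byte copy of the selection added to key_allocsa_policy and should call the same helper rather than repeat it. Beyond the duplication, the ordering is now applied to key_allocsa, the lookup keyed by `dst` — presumably the inbound path, where the original (now disabled) comment says the search order is not important — so the change is probably harmless here but should be stated explicitly in the commit message rather than silently extended. If the sysctl read is kept inline, a short comment such as `/* net.key.prefered_oldsa: admin toggle, read unlocked */` would pre-empt the locking question. The SAD search continues outside the hunk.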
***************
*** 1013,1019 ****
        LIST_FOREACH(sah, &sahtree, chain) {
                /* search valid state */
                for (stateidx = 0;
!                    stateidx < _ARRAYLEN(saorder_state_valid);
                     stateidx++) {
                        state = saorder_state_valid[stateidx];
                        LIST_FOREACH(sav, &sah->savtree[state], chain) {
--- 1039,1045 ----
        LIST_FOREACH(sah, &sahtree, chain) {
                /* search valid state */
                for (stateidx = 0;
!                    stateidx < arraysize;
                     stateidx++) {
                        state = saorder_state_valid[stateidx];
                        LIST_FOREACH(sav, &sah->savtree[state], chain) {
--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            [EMAIL PROTECTED]
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
