Hi list, this is a month-old mail about a FAST_IPSEC feature that is missing compared to legacy IPSEC, including a working patch. I haven't seen this committed; has it been? Please also MFC to STABLE.
Regards, Helge
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mike Tancsa
> Sent: Tuesday, 30. March 2004 19:14
> To: [EMAIL PROTECTED]
> Subject: FAST_IPSEC bug fix
>
>
>
> Well, its not totally a bug, but missing functionality that
> looks like is
> there but is not and is pretty important to keep lossy links
> functioning
> with IPSEC. My colleague [EMAIL PROTECTED] created the patch
> below that
> implements net.key.prefered_oldsa when using FAST_IPSEC. The
> discussion
> has come up before about this, but no action. I know
> [EMAIL PROTECTED] is
> really busy and cannot help. Is there anyone out there who
> could review and
> commit the patch below ? It works against RELENG_4
>
> I have bcc'd the last 2 committers to touch the code in the
> hopes that they
> might have the time and inclination to review / commit ?
>
>
> *** /usr/src/sys/netipsec/key.c Mon Mar 29 20:11:44 2004
> --- ./key.c Tue Mar 30 12:00:31 2004
> ***************
> *** 133,138 ****
> --- 133,139 ----
> #endif
> static LIST_HEAD(_spacqtree, secspacq) spacqtree; /*
> SP acquiring
> list */
>
> + #if 0
> /* search order for SAs */
> static u_int saorder_state_valid[] = {
> SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
> ***************
> *** 141,146 ****
> --- 142,154 ----
> * for outbound processing. For inbound, This is
> not important.
> */
> };
> + #endif
> + static const u_int saorder_state_valid_prefer_old[] = {
> + SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
> + };
> + static const u_int saorder_state_valid_prefer_new[] = {
> + SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
> + };
> static u_int saorder_state_alive[] = {
> /* except DEAD */
> SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
> ***************
> *** 816,821 ****
> --- 824,831 ----
> struct secashead *sah;
> struct secasvar *sav;
> u_int stateidx, state;
> + const u_int *saorder_state_valid;
> + int arraysize;
>
> LIST_FOREACH(sah, &sahtree, chain) {
> if (sah->state == SADB_SASTATE_DEAD)
> ***************
> *** 828,836 ****
>
> found:
>
> /* search valid state */
> for (stateidx = 0;
> ! stateidx < _ARRAYLEN(saorder_state_valid);
> stateidx++) {
>
> state = saorder_state_valid[stateidx];
> --- 838,853 ----
>
> found:
>
> + if (key_prefered_oldsa) {
> + saorder_state_valid = saorder_state_valid_prefer_old;
> + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
> + } else {
> + saorder_state_valid = saorder_state_valid_prefer_new;
> + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
> + }
> /* search valid state */
> for (stateidx = 0;
> ! stateidx < arraysize;
> stateidx++) {
>
> state = saorder_state_valid[stateidx];
> ***************
> *** 997,1008 ****
> --- 1014,1034 ----
> struct secasvar *sav;
> u_int stateidx, state;
> int s;
> + const u_int *saorder_state_valid;
> + int arraysize;
>
> KASSERT(dst != NULL, ("key_allocsa: null dst address"));
>
> KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
> printf("DP key_allocsa from %s:%u\n", where, tag));
>
> + if (key_prefered_oldsa) {
> + saorder_state_valid = saorder_state_valid_prefer_old;
> + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
> + } else {
> + saorder_state_valid = saorder_state_valid_prefer_new;
> + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
> + }
> /*
> * searching SAD.
> * XXX: to be checked internal IP header somewhere.
> Also when
> ***************
> *** 1013,1019 ****
> LIST_FOREACH(sah, &sahtree, chain) {
> /* search valid state */
> for (stateidx = 0;
> ! stateidx < _ARRAYLEN(saorder_state_valid);
> stateidx++) {
> state = saorder_state_valid[stateidx];
> LIST_FOREACH(sav,
> &sah->savtree[state], chain) {
> --- 1039,1045 ----
> LIST_FOREACH(sah, &sahtree, chain) {
> /* search valid state */
> for (stateidx = 0;
> ! stateidx < arraysize;
> stateidx++) {
> state = saorder_state_valid[stateidx];
> LIST_FOREACH(sav,
> &sah->savtree[state], chain) {
> --------------------------------------------------------------------
> Mike Tancsa, tel
> +1 519 651 3400
> Sentex Communications, [EMAIL PROTECTED]
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
>
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
> _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "[EMAIL PROTECTED]"
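Review bot: `int arraysize;` in the key_allocsa hunk (997), and likewise in the hunk at 816, is compared with the `u_int stateidx` in `stateidx < arraysize`, so the loop bound becomes a mixed signed/unsigned comparison where the old `_ARRAYLEN(...)` bound was presumably unsigned; declaring it `u_int arraysize;` keeps the SA-state index and its bound the same type. The `if (key_prefered_oldsa) { ... } else { ... }` selection is repeated verbatim in both lookup functions, and a small static helper returning the table and its length would keep the two SA search orders from drifting apart. The first two hunks fence the old `saorder_state_valid[]` with `#if 0` rather than deleting it, which leaves a dead table and its comment in the file. `key_prefered_oldsa` is declared outside the visible hunks, and both function bodies start and end outside them, so whether the variable is already wired to the sysctl cannot be confirmed from here.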

