On Mon, 2019-03-25 at 15:27 +0000, Phillips, Tony wrote:
> So to me that reads as "1491 outbound UDP packets suffered "send buffer
> errors."
> That resulted in 1491 IP packets being dropped.
> That, in turn yielded 1490 TCP segments (which were inside IPSec UDP packets)
> being lost, and thus retransmitted.
>
> This REALLY smells funny.

Oh, wait. I keep looking at the DTLS code and this isn't DTLS.
Let's look at the ESP code instead.

	while ((this = dequeue_packet(&vpninfo->outgoing_queue))) {
		int len;

		len = encrypt_esp_packet(vpninfo, this);
		if (len > 0) {
			ret = send(vpninfo->dtls_fd, (void *)&this->esp, len, 0);
			if (ret < 0) {
				/* Not that this is likely to happen with UDP, but... */
				if (errno == ENOBUFS || errno == EAGAIN ||
				    errno == EWOULDBLOCK) {
					monitor_write_fd(vpninfo, dtls);
					/* XXX: Keep the packet somewhere? */
					free(this);
					return work_done;
				} else {
					/* A real error in sending. Fall back to TCP? */
					vpn_progress(vpninfo, PRG_ERR,
						     _("Failed to send ESP packet: %s\n"),
						     strerror(errno));
				}
			} else {
				vpninfo->dtls_times.last_tx = time(NULL);
				vpn_progress(vpninfo, PRG_TRACE,
					     _("Sent ESP packet of %d bytes\n"),
					     len);
			}

Stick a printf in next to that "XXX: Keep the packet somewhere?" comment :)
I can't remember why I didn't actually do what the comment says. Was it
just because I need a flag to say it's already encrypted, to avoid
doing so a second time when we resend?
_______________________________________________ openconnect-devel mailing list [email protected] http://lists.infradead.org/mailman/listinfo/openconnect-devel
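
The approach the message asks about (keep the packet on ENOBUFS/EAGAIN/EWOULDBLOCK and flag it as already encrypted so a resend does not encrypt it a second time), shown as an added example that is not part of the original message and not openconnect's code. Every name here, the XOR stand-in for the ESP transform and the simulated send() are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
/* Hypothetical stand-ins; none of these names are openconnect's. */
struct pkt {
	int encrypted;          /* the flag: transform already applied */
	size_t len;
	unsigned char data[64];
};
struct tx_state {
	unsigned next_seq;      /* outbound sequence counter */
	struct pkt *pending;    /* packet kept after ENOBUFS/EAGAIN */
	int fail_sends;         /* constructed: sends that will hit ENOBUFS */
};

/* Toy XOR transform, not real ESP; runs at most once per packet. */
static void encrypt_once(struct tx_state *st, struct pkt *p)
{
	if (p->encrypted)
		return;
	st->next_seq++;         /* one sequence number per packet, not per try */
	for (size_t i = 0; i < p->len; i++)
		p->data[i] ^= 0x5a;
	p->encrypted = 1;
}

/* Simulated send(): fails with ENOBUFS while fail_sends > 0. */
static int fake_send(struct tx_state *st, const struct pkt *p)
{
	if (st->fail_sends <= 0)
		return (int)p->len;
	st->fail_sends--;
	errno = ENOBUFS;
	return -1;
}

/* Send p, or retry the kept packet when p is NULL: 1 sent, 0 kept, -1 error. */
static int tx_packet(struct tx_state *st, struct pkt *p)
{
	if (!p && !(p = st->pending))
		return 0;
	encrypt_once(st, p);
	st->pending = NULL;
	if (fake_send(st, p) >= 0)
		return 1;
	if (errno != ENOBUFS && errno != EAGAIN && errno != EWOULDBLOCK)
		return -1;
	st->pending = p;        /* keep it, already encrypted, for the retry */
	return 0;
}
```

The caller is expected to retry the kept packet (passing NULL) once the socket is writable, before sending anything newer, so packets leave in sequence order.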
