Hi Tuomo,

Could you or someone test these two patches? Run Libreswan without PF_KEY support in the kernel. [1]

This came up as an issue when running on a kernel without pfkey support. Pluto has not needed pfkey for crypto algorithm lists for a while; however, these checks are still there. And maybe the interface code or something is still using pfkey. Since it is not necessary, we could remove it from pluto.

Also, tests by Steffen noticed that compiling the kernel with pfkey uses quite a bit of extra CPU. His observation was that pfkey_send_new_mapping uses "3.69% of my cpu cycles". So I think it is worth removing pfkey completely. E.g. this could happen when the NAT mappings for ESP change; pfkey_send_new_mapping is wasted CPU cycles. Note: these cycles are lost inside the kernel, so it probably won't show up in userland perf monitoring.

I am wondering if there are more places where pluto depends on pfkey; will this break something else? Should I push this now or hold on until 3.28 is out?

-antony

[1] In .config it is called CONFIG_NET_KEY

    Location:
      -> Networking support (NET [=y])
        -> Networking options
          -> PF_KEY sockets

    Check .config for "# CONFIG_NET_KEY is not set"

>From 8e6eb56365dbb6857ec58be87f26c6fee9a37a85 Mon Sep 17 00:00:00 2001 From: Antony Antony <[email protected]> Date: Thu, 2 May 2019 15:15:26 +0000 Subject: [PATCH 1/2] pluto: netkey don't check for /proc/net/pfkey since b248daa35 and related commits for netkey pluto do not need /proc/net/pfkey --- programs/pluto/kernel.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c index a4320042f..bd584d089 100644 --- a/programs/pluto/kernel.c +++ b/programs/pluto/kernel.c @@ -2650,7 +2650,7 @@ void init_kernel(void) { struct utsname un; -#if defined(NETKEY_SUPPORT) || defined(KLIPS) +#if defined(KLIPS) struct stat buf; #endif @@ -2661,11 +2661,6 @@ void init_kernel(void) switch (kern_interface) { #if defined(NETKEY_SUPPORT) case USE_NETKEY: - if (stat("/proc/net/pfkey", &buf) != 0) { - libreswan_log( - "No XFRM/NETKEY kernel interface detected"); - exit_pluto(PLUTO_EXIT_KERNEL_FAIL); - } libreswan_log( "Using Linux XFRM/NETKEY IPsec interface code on %s", kversion); -- 2.20.1
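Review bot: in the second hunk of init_kernel(), the USE_NETKEY case is left with no detection step, so pluto goes straight to logging "Using Linux XFRM/NETKEY IPsec interface code on %s" even on a kernel that offers no XFRM interface; the removed stat() was the visible path to exit_pluto(PLUTO_EXIT_KERNEL_FAIL) for this case. Consider replacing the /proc/net/pfkey probe with one that tests for XFRM itself rather than dropping the check outright, and say in the commit message what now reports a missing stack. The first hunk's narrowing of the "struct stat buf" guard to KLIPS is consistent with that removal.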
>From 209d616186c404b66d7cea3c6fa59a0526c3f1bd Mon Sep 17 00:00:00 2001 From: Antony Antony <[email protected]> Date: Thu, 2 May 2019 15:17:13 +0000 Subject: [PATCH 2/2] stackmanager: netkey do not need pfkey since b248daa35 netkey stack manager don't check for /proc/net/pfkey --- programs/_stackmanager/_stackmanager.in | 6 ------ 1 file changed, 6 deletions(-) diff --git a/programs/_stackmanager/_stackmanager.in b/programs/_stackmanager/_stackmanager.in index 2da2d781c..c8b98f81b 100644 --- a/programs/_stackmanager/_stackmanager.in +++ b/programs/_stackmanager/_stackmanager.in @@ -149,12 +149,6 @@ startnetkey() { else echo "WARNING: can not change /proc/sys/net/core/xfrm_acq_expires from ${xcur} to ${xfrmlifetime}" >&2 fi - - # Fail on error in loading NETKEY/XFRM stack - if [ ! -f ${kamepfkey} ]; then - echo "FAILURE in loading NETKEY/XFRM stack" >&2 - exit 1 - fi } stopklips() { -- 2.20.1
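Review bot: with the "[ ! -f ${kamepfkey} ]" block gone, the visible tail of startnetkey() ends on the WARNING branch and has no "exit 1" left, so a failed NETKEY/XFRM load is no longer reported by this function. If a failure check is still wanted, test for something XFRM provides instead of the pfkey file; and if kamepfkey has no other users in _stackmanager.in, drop its definition in the same patch.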
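The .config check from footnote [1], as an added example (not part of the original mail or of Libreswan): it classifies a kernel config read on stdin so a tester can confirm the kernel really lacks PF_KEY before trying the patches. The function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Typical inputs (assumed locations, they vary by distribution):
#   kconfig_state CONFIG_NET_KEY < "/boot/config-$(uname -r)"
#   gzip -dc /proc/config.gz | kconfig_state CONFIG_NET_KEY

# Print the state of kernel config symbol $1 from a .config read on stdin:
# y, m, n (explicit "is not set") or absent (symbol not mentioned at all).
# Matching is exact, so CONFIG_NET_KEY_MIGRATE never counts as CONFIG_NET_KEY.
kconfig_state() {
    awk -v s="$1" '
        $0 == "# " s " is not set" { state = "n" }
        index($0, s "=") == 1      { state = substr($0, length(s) + 2) }
        END { print (state == "" ? "absent" : state) }'
}

# Succeed only if the config on stdin describes a kernel built without PF_KEY,
# which is the configuration the two patches are meant to be tested on.
pfkey_disabled() {
    case $(kconfig_state CONFIG_NET_KEY) in
        n|absent) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample configs (not taken from a real kernel build).
sample_without_pfkey() {
    cat <<'EOF'
CONFIG_NET=y
# CONFIG_NET_KEY is not set
EOF
}

sample_with_pfkey() {
    cat <<'EOF'
CONFIG_NET=y
CONFIG_NET_KEY=m
CONFIG_NET_KEY_MIGRATE=y
EOF
}

# Demonstration on the constructed samples.
for sample in sample_without_pfkey sample_with_pfkey; do
    if $sample | pfkey_disabled; then
        echo "$sample: PF_KEY disabled, valid kernel for testing the patches"
    else
        echo "$sample: PF_KEY built (state $($sample | kconfig_state CONFIG_NET_KEY))"
    fi
done
```

A state of m means PF_KEY exists as a module; whether it is loaded at run time is what the /proc/net/pfkey test in the patches used to observe.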
