Hi,
On Wed, 16 Mar 2005 10:17:14 -0800 Sam Leffler <[EMAIL PROTECTED]> said:
sam> Note the change lacks any locking so if your SA db is changing there's a sam> good chance you'll blow up.
Ah, yes. I forgot the fact that FAST_IPSEC is mpsafe. How about this? This is againt sys/netipsec/key.c with my previous patch applied.
<...patch removed...>
Possibly; I can't tell from the patch if locks are held across calls they should not be. I also worry about the effect of holding the various locks for an extended period of time (will it impact packet processing?)
Note that switching to a sysctl would also eliminate a problem in the PF_KEY socket code where the raw_cb list is walked w/o holding rawcb_mtx. Roselyn Lee at Vernier Networks hit this but we didn't apply a change she had (yet) because there appeared to be issues with LOR's between the raw cb and SA db locks. In general the PF_KEY code is desparately in need of a rewrite--if for nothing else but to isolate the ABI dependence between PF_KEY and the IPsec code. Been on my TODO list for several years now.
Are you suggesting KAME code can/will change to eliminate the use of PF_KEY sockets to query the SA db state?
Sam _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"