Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

On 05/27, Kirill Ponomarev wrote: > > Breaks kernel build with "nooption IPSEC": > > > > ld: error: undefined symbol: vnet_entry_ipsec4stat > > >>> referenced by key.c:933 (/usr/src/sys/netipsec/key.c:933) > > >>> key.o:(key_allocsp) > > > > ld: error: undefined symbol: vnet_entry_i

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

On 05/25, Jan Beich wrote: > Fabien Thomas writes: > > > + IPSECSTAT_INC(ips_spdcache_hits); > > + > > + SPDCACHE_UNLOCK(hashv); > > + goto out; > > + } > > + > > + IPSECSTAT_INC(ips_spdcache_misses); > > Breaks kernel build with "nooption IPSEC": > > ld: error

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

Fabien Thomas writes: > + IPSECSTAT_INC(ips_spdcache_hits); > + > + SPDCACHE_UNLOCK(hashv); > + goto out; > + } > + > + IPSECSTAT_INC(ips_spdcache_misses); Breaks kernel build with "nooption IPSEC": ld: error: undefined symbol: vnet_entry_ipsec4stat >

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

On Thu, May 24, 2018 at 5:30 AM, Emeric POUPON wrote: > Actually we just store traffic profiles and the associated security policy > (SP). > A SP is basically just a bunch of traffic selectors, there is no key or other > sensitive information involved. Ok, thanks! Best, Conrad

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

- Original Message - > From: "Conrad Meyer" > To: "Emeric POUPON" > Cc: svn-src-h...@freebsd.org, svn-src-all@freebsd.org, "src-committers" > > Sent: Wednesday, 23 May, 2018 18:47:57 > Subject: Re: svn commit: r334054 - in head: sys

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

On Wed, May 23, 2018 at 12:23 AM, Emeric POUPON wrote: >> From: "Conrad Meyer" > >> Can users control arbitrary key_allocsp() calls? If so, it seems >> concerning to expose hit/miss stats on cached security keys. > > I am not sure to understand, could you please tell more about what you mean? I

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

- Original Message - > From: "Mateusz Guzik" > To: "Fabien Thomas" > Cc: svn-src-h...@freebsd.org, svn-src-all@freebsd.org, "src-committers" > > Sent: Tuesday, 22 May, 2018 18:45:32 > Subject: Re: svn commit: r334054 - in head: sys

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

Hello, - Original Message - > From: "Conrad Meyer" > To: "Fabien Thomas" > Cc: svn-src-h...@freebsd.org, svn-src-all@freebsd.org, "src-committers" > > Sent: Tuesday, 22 May, 2018 19:05:18 > Subject: Re: svn commit: r334054 - in head: sys

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

Can users control arbitrary key_allocsp() calls? If so, it seems concerning to expose hit/miss stats on cached security keys. On Tue, May 22, 2018 at 8:54 AM, Fabien Thomas wrote: > Author: fabient > Date: Tue May 22 15:54:25 2018 > New Revision: 334054 > URL: https://svnweb.freebsd.org/changese

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

On Tue, May 22, 2018 at 5:54 PM, Fabien Thomas wrote: > Author: fabient > Date: Tue May 22 15:54:25 2018 > New Revision: 334054 > URL: https://svnweb.freebsd.org/changeset/base/334054 > > Log: > Add a SPD cache to speed up lookups. > > When large SPDs are used, we face two problems: > > - t

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

-Original Message- From: Fabien Thomas Date: 2018-05-22, Tuesday at 09:00 To: Fabien Thomas , , Ravi Pokala , , Subject: Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat > Le 22 mai 2018 à 17:58:10, Ravi Pokala (rpok...@freebsd.org) a éc

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

Le 22 mai 2018 à 17:58:10, Ravi Pokala (rpok...@freebsd.org) a écrit: -Original Message-  From: on behalf of Fabien Thomas   Date: 2018-05-22, Tuesday at 08:54  To: , ,   Subject: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat  > Aut

Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

-Original Message- From: on behalf of Fabien Thomas Date: 2018-05-22, Tuesday at 08:54 To: , , Subject: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat > Author: fabient > Date: Tue May 22 15:54:25 2018 > New Revision: 334054 >

svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

Author: fabient Date: Tue May 22 15:54:25 2018 New Revision: 334054 URL: https://svnweb.freebsd.org/changeset/base/334054 Log: Add a SPD cache to speed up lookups. When large SPDs are used, we face two problems: - too many CPU cycles are spent during the linear searches in the SPD