Menu
▾
▴
Re: [Ipsec-tools-devel] [PATCH] Workaround for truncated pfkey dumps
|
From: jamal <ha...@cy...> - 2008-01-07 12:17:14
|
On Mon, 2008-07-01 at 12:34 +0200, Timo Teräs wrote: > > The fix is correct for current kernel implementations. Could you print some indicator when something from the kernel is lost? Something symbolic like "X" in place of an SP/SA may do (will probably mess up some existing scripts, but you could argue they were messed up to begin with if they were not getting some messages) > Though if you > run pfkey on somewhere else then local kernel then this might be a > problem. Ultimately this is a kernel bug. But applications have to live > with the fact that kernels are buggy. Kernels are buggy because the pfkey dump messages are not delivered reliably. Netlink does guarantee reliable delivery. > I do have an experimental FreeBSD kernel patch. And I might look Linux > later. Basically it override the socket size limits for pfkey reply > sequences. And makes thing work in userland without any changes. Can you explain this a little more? Note: The problem is not a challenge of buffer sizes, but one of reliable delivert (which are equivalent if you can come up with infinite memory). So, incrementing the socket size in user space does help - but not guaranteed to solve the problem. Incrementing the socket size from underneath the user (while does sound band-aidish) like its user space counterpart doesnt resolve the problem totaly. Imagine a huuuuuuuuuuuuge SAD or SPD. But you may be thinking something different... >From the linux side: I have some thoughts on how you could get pfkey to improve its reliability. It is non-trivial and requires someone more meticulous and armed with more time than i. From looking at the patches you are putting out, and how your fingers seem to be on what the issues are, you seem to be that person;-> We can talk offline if you are interested. cheers, jamal |