On Thu, 28 Jul 2005, Krzysztof Oledzki wrote:
> On Wed, 27 Jul 2005, Andrew Morton wrote:
> Please cc netdev@vger.kernel.org, [EMAIL PROTECTED], [EMAIL PROTECTED] on any reply.
>
> Begin forwarded message:
>
> Date: Wed, 27 Jul 2005 15:18:39 -0700 (PDT)
> From: "David S. Miller" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: netdev@vger.kernel.org, [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: [Bugme-new] [Bug 4952] New: IPSec incompatibility. Linux kernel waits too long to start using new SA for outbound traffic.
>
> From: Andrew Morton <[EMAIL PROTECTED]>
> Date: Wed, 27 Jul 2005 14:38:35 -0700
>
> Summary: IPSec incompatibility. Linux kernel waits too long to start using new SA for outbound traffic.
>
> I think this is the known bug where we don't notice that a route
> attached to a socket is obsolete. It was first pointed out to
> me last year by Kazunori Miyazawa, CC:'d here.
>
> The problem is that, when we update IPSEC rules, sockets currently
> don't have a way to discover that.
>
> Traditionally, the route "obsolete" flag served this purpose, and that
> does work properly for normal route entries. But for IPSEC, we don't
> have a way to find all of the stacked routes we created that match a
> particular SA, and thus get them fixed up the next time a socket tries
> to send a packet.
>
> One idea tossed around between Herbert Xu (also CC:'d) and myself is
> to store a generation counter when we attach a route to a socket, then
> sk_dst_check() can verify that this generation count matches the
> current IPSEC flow cache generation count.
>
> Something like the following, untested patch, demonstrates the
> idea.
>
> [NET]: Tie obsolete state of routes also to flow cache generation count.
>
> This fixes the problem wherein IPSEC SA changes do not get noticed
> by cached socket routes.
>
> Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
>
> <CUT>
The patch did not fix the problem I described.
Anyway, the idea about route cache is right. I did "ip route flush table
cache" and indeed, kernel started using the newest SA.
Any new patches to test? ;)
Best regards,
Krzysztof Olędzki
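The generation-counter idea Dave describes above (a socket records the flow cache generation when a route is attached, and sk_dst_check() rejects the cached route if the generation has since moved), modelled as an added user-space C illustration. This is not kernel code and not the patch from the thread; the names flow_cache_genid, sock_dst, sock_dst_set, sock_dst_check, ipsec_policy_changed, route_lookup and the SA labels are all made up for the example. It contrasts a socket that trusts only the per-route obsolete flag (and keeps sending on the old SA after a rekey) with one that also checks the generation count.

```c
/* Added illustration, not kernel code: user-space model of tying a socket's
 * cached route to the IPsec flow cache generation count.  All names here are
 * hypothetical stand-ins for the kernel structures discussed in the thread. */
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Global generation counter for the (modelled) IPsec flow cache; bumped
 * whenever an SA or policy changes. */
static unsigned int flow_cache_genid = 1;

struct dst_entry {
    int obsolete;          /* classic per-route obsolete flag */
    const char *sa_name;   /* constructed label: which SA this stacked route uses */
};

struct sock_dst {
    struct dst_entry *dst; /* route cached on the socket */
    unsigned int genid;    /* flow cache generation at the time dst was attached */
};

/* An SA change cannot find every stacked route built from the old SA to mark
 * it obsolete, so the only thing it can do cheaply is bump the generation. */
static void ipsec_policy_changed(void) { flow_cache_genid++; }

/* Attach a route to the socket and remember the current generation. */
static void sock_dst_set(struct sock_dst *sk, struct dst_entry *dst) {
    sk->dst = dst;
    sk->genid = flow_cache_genid;
}

/* Model of sk_dst_check(): the cached route is usable only if it is not
 * marked obsolete AND was attached under the current generation.  Otherwise
 * the cache is dropped and NULL returned, forcing the caller to re-resolve. */
static struct dst_entry *sock_dst_check(struct sock_dst *sk) {
    struct dst_entry *dst = sk->dst;
    if (dst == NULL)
        return NULL;
    if (dst->obsolete || sk->genid != flow_cache_genid) {
        sk->dst = NULL;
        return NULL;
    }
    return dst;
}

/* Stand-in for a fresh route lookup: yields the route built on the newest SA. */
static struct dst_entry *route_lookup(struct dst_entry *newest) {
    return newest;
}

/* Scenario: a socket sends once (caching a route built on the old SA), an SA
 * change happens, then the socket sends again.  Returns the SA label actually
 * used for the second send, with or without the generation check. */
static const char *sa_used_after_rekey(bool use_genid_check) {
    struct dst_entry old_sa = { 0, "SA-old" };   /* constructed sample routes */
    struct dst_entry new_sa = { 0, "SA-new" };
    struct sock_dst sk = { NULL, 0 };
    struct dst_entry *dst;

    sock_dst_set(&sk, &old_sa);   /* first send resolves and caches the old route */
    ipsec_policy_changed();        /* new SA installed; old_sa.obsolete stays 0 */

    if (use_genid_check)
        dst = sock_dst_check(&sk);
    else
        dst = sk.dst->obsolete ? NULL : sk.dst;   /* obsolete flag only */

    if (dst == NULL) {             /* cache rejected: look the route up again */
        dst = route_lookup(&new_sa);
        sock_dst_set(&sk, dst);
    }
    return dst->sa_name;
}

int main(void) {
    printf("obsolete flag only: %s\n", sa_used_after_rekey(false));
    printf("with genid check:   %s\n", sa_used_after_rekey(true));
    return 0;
}
```

With only the obsolete flag the second send still goes out on SA-old, which is exactly the symptom reported in the bug; the generation check makes sock_dst_check() drop the stale route and the next lookup picks up SA-new. Flushing the route cache by hand, as done in the reply above, has the same effect but for every socket at once.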