From: Krzysztof Oledzki <[EMAIL PROTECTED]>
Date: Mon, 19 Dec 2005 10:37:14 +0100 (CET)
> OK. With this patch kernel switches to new SA immediately, but only for
> ping. TCP (ssh) session between Cisco and Linux is still protected by the
> old SA.

Ok, we're making progress :-)

When the bundles get flushed, xfrm_prune_bundles() accumulates all
the per-policy bundles into a list and runs dst_free() on each
and every one.

Unless marked obsolete already (these dst's should not be marked
obsolete), it invokes __dst_free() which marks the dst as obsolete
and this in turn should trigger the cached socket route check here
in __sk_dst_check().

static inline struct dst_entry *
__sk_dst_check(struct sock *sk, u32 cookie)
{
	struct dst_entry *dst = sk->sk_dst_cache;

	if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {
		sk->sk_dst_cache = NULL;
		dst_release(dst);
		return NULL;
	}

	return dst;
}

Oh, that's the bug, dst->ops->check() is xfrm_dst_check(). That tests
validity using "stable_bundle()" which thinks the dst is still
valid. Please add these two lines:

	if (dst->obsolete)
		return NULL;

at the beginning of xfrm_dst_check() and all should be fine.

Dziekuje bardzo for all of your testing so far Krzysztof.
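
A user-space model of the check described in the message above, added here as an illustration; it is not kernel code and not part of the original mail. The struct layouts, the `bundle_ok` field and the `check_before`, `check_after` and `*_model` names are simplified assumptions.

```c
#include <stdio.h>

/* User-space model: simplified structs, not the kernel's definitions. */
struct dst_entry;
struct dst_ops { struct dst_entry *(*check)(struct dst_entry *, unsigned); };
struct dst_entry { int obsolete; int bundle_ok; const struct dst_ops *ops; };
struct sock { struct dst_entry *sk_dst_cache; };

/* Stand-in for stable_bundle(): the old bundle still looks usable. */
static int stable_bundle_model(const struct dst_entry *d) { return d->bundle_ok; }

/* Before: validity is decided by the stable_bundle() test alone. */
static struct dst_entry *check_before(struct dst_entry *dst, unsigned cookie)
{
	(void)cookie;
	return stable_bundle_model(dst) ? dst : NULL;
}

/* After: the two lines from the message come first. */
static struct dst_entry *check_after(struct dst_entry *dst, unsigned cookie)
{
	if (dst->obsolete)
		return NULL;
	return check_before(dst, cookie);
}

/* Same logic as the quoted __sk_dst_check(); dst_release() omitted. */
static struct dst_entry *sk_dst_check_model(struct sock *sk, unsigned cookie)
{
	struct dst_entry *dst = sk->sk_dst_cache;
	if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {
		sk->sk_dst_cache = NULL;
		return NULL;
	}
	return dst;
}

/* Returns 1 if the socket still holds the old bundle after the flush. */
int socket_keeps_old_bundle(int fixed)
{
	static const struct dst_ops before = { check_before }, after = { check_after };
	struct dst_entry old = { 0, 1, fixed ? &after : &before };
	struct sock sk = { &old };
	old.obsolete = 1; /* model of __dst_free() marking the dst obsolete */
	return sk_dst_check_model(&sk, 0) != NULL;
}

int main(void)
{
	printf("old bundle kept: before=%d after=%d\n", socket_keeps_old_bundle(0), socket_keeps_old_bundle(1));
	return 0;
}
```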