From: Damian Pietras <damianp@daper.net>
To: netdev@vger.kernel.org
Subject: "xfrm: Fix the gc threshold value for ipv4" broke my IPSec connections
Date: Tue, 15 Oct 2013 22:40:53 +0200 [thread overview]
Message-ID: <525DA855.1010905@daper.net> (raw)
I've recently upgraded from 3.4.x to 3.10.x and this broke my IPSec
setup in transport mode. The simplest test case is to setup few such
connections with few boxes like this:
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
esp/transport//require
ah/transport//require;
Then set up an HTTP server on one box and run ab on the other box to
create come TCP connections:
ab -n 10000 -c 50 http://192.168.1.100/
Then the connect() call will very quickly start returning ENOBUFS. I
haven't seen anything wrong with my simple setup (just copy of
ipsec-howto.org in transport mode and pre shared keys) and started
bisecting. That way I found this commit to break my case:
703fb94ec58e0e8769380c2877a8a34aeb5b6c97
xfrm: Fix the gc threshold value for ipv4
Reverting it on 3.10.15 fixes my issue. This seems to be there from 3.7
and I don't really believe such simple case stayed broken for so long.
Em I missing something or there is really a bug?
If smeone is interested in details of this configuration and commands
I'm running, just let me know. This was reproduced with few VMs under XEN.
--
Damian Pietras
next reply other threads:[~2013-10-15 20:48 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-15 20:40 Damian Pietras [this message]
2013-10-15 21:02 ` "xfrm: Fix the gc threshold value for ipv4" broke my IPSec connections Eric Dumazet
2013-10-15 22:15 ` Damian Pietras
2013-10-15 22:51 ` Eric Dumazet
2013-10-16 11:35 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=525DA855.1010905@daper.net \
--to=damianp@daper.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.