regression due to "flush SAD/SPD generate false events"

regression due to "flush SAD/SPD generate false events"

[Alexey Dobriyan]

commit 19f4c7133fc1b94001b997c4843d0a9192ee63e5
xfrm: Flushing empty SAD generates false events

commit 0dca3a843632c2fbb6e358734fb08fc23e800f50
xfrm: Flushing empty SPD generates false events

setkey now takes several seconds to run this simple script
and it spits "recv: Resource temporarily unavailable" messages.

#!/usr/sbin/setkey -f
flush;
spdflush;

add A B ipcomp 44 -m tunnel -C deflate;
add B A ipcomp 45 -m tunnel -C deflate;

spdadd A B any -P in ipsec
        ipcomp/tunnel/192.168.1.2-192.168.1.3/use;
spdadd B A any -P out ipsec
        ipcomp/tunnel/192.168.1.3-192.168.1.2/use;


4909  execve("/root/ipcomp-tunnel.setkey", ["/root/ipcomp-tunnel.setkey"], [/* 22 vars */]) = 0
4909  brk(0)                            = 0x16d0000
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c83000
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c82000
4909  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4909  open("/etc/ld.so.cache", O_RDONLY) = 3
4909  fstat(3, {st_mode=S_IFREG|0644, st_size=40409, ...}) = 0
4909  mmap(NULL, 40409, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa171c78000
4909  close(3)                          = 0
4909  open("/lib/libutil.so.1", O_RDONLY) = 3
4909  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \16\0\0\0\0\0\0"..., 832) = 832
4909  fstat(3, {st_mode=S_IFREG|0755, st_size=28959, ...}) = 0
4909  mmap(NULL, 2105608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa171865000
4909  mprotect(0x7fa171867000, 2093056, PROT_NONE) = 0
4909  mmap(0x7fa171a66000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7fa171a66000
4909  close(3)                          = 0
4909  open("/usr/lib/libcrypto.so.0.9.8", O_RDONLY) = 3
4909  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\221\6\0\0\0\0\0"..., 832) = 832
4909  fstat(3, {st_mode=S_IFREG|0555, st_size=5981705, ...}) = 0
4909  mmap(NULL, 3707672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa1714db000
4909  mprotect(0x7fa17163c000, 2093056, PROT_NONE) = 0
4909  mmap(0x7fa17183b000, 155648, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x160000) = 0x7fa17183b000
4909  mmap(0x7fa171861000, 13080, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa171861000
4909  close(3)                          = 0
4909  open("/lib/libresolv.so.2", O_RDONLY) = 3
4909  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3208\0\0\0\0\0\0"..., 832) = 832
4909  fstat(3, {st_mode=S_IFREG|0755, st_size=328639, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c77000
4909  mmap(NULL, 2189960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa1712c4000
4909  mprotect(0x7fa1712d7000, 2097152, PROT_NONE) = 0
4909  mmap(0x7fa1714d7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13000) = 0x7fa1714d7000
4909  mmap(0x7fa1714d9000, 6792, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa1714d9000
4909  close(3)                          = 0
4909  open("/lib/libreadline.so.6", O_RDONLY) = 3
4909  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240g\1\0\0\0\0\0"..., 832) = 832
4909  fstat(3, {st_mode=S_IFREG|0555, st_size=731087, ...}) = 0
4909  mmap(NULL, 2372136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa171080000
4909  mprotect(0x7fa1710bb000, 2093056, PROT_NONE) = 0
4909  mmap(0x7fa1712ba000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3a000) = 0x7fa1712ba000
4909  mmap(0x7fa1712c2000, 4648, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa1712c2000
4909  close(3)                          = 0
4909  open("/lib/libcrypt.so.1", O_RDONLY) = 3
4909  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\n\0\0\0\0\0\0"..., 832) = 832
4909  fstat(3, {st_mode=S_IFREG|0755, st_size=125022, ...}) = 0
4909  mmap(NULL, 2322880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa170e48000
4909  mprotect(0x7fa170e50000, 2097152, PROT_NONE) = 0
4909  mmap(0x7fa171050000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8000) = 0x7fa171050000
4909  mmap(0x7fa171052000, 184768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa171052000
4909  close(3)                          = 0
4909  open("/lib/libc.so.6", O_RDONLY)  = 3
4909  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\353\1\0\0\0\0\0"..., 832) = 832
4909  fstat(3, {st_mode=S_IFREG|0755, st_size=8673692, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c76000
4909  mmap(NULL, 3508264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa170aef000
4909  mprotect(0x7fa170c3e000, 2097152, PROT_NONE) = 0
4909  mmap(0x7fa170e3e000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14f000) = 0x7fa170e3e000
4909  mmap(0x7fa170e43000, 18472, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa170e43000
4909  close(3)                          = 0
4909  open("/lib/libdl.so.2", O_RDONLY) = 3
4909  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\r\0\0\0\0\0\0"..., 832) = 832
4909  fstat(3, {st_mode=S_IFREG|0755, st_size=103353, ...}) = 0
4909  mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa1708eb000
4909  mprotect(0x7fa1708ed000, 2097152, PROT_NONE) = 0
4909  mmap(0x7fa170aed000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fa170aed000
4909  close(3)                          = 0
4909  open("/lib/libz.so.1", O_RDONLY)  = 3
4909  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@ \0\0\0\0\0\0"..., 832) = 832
4909  fstat(3, {st_mode=S_IFREG|0755, st_size=217286, ...}) = 0
4909  mmap(NULL, 2183664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa1706d5000
4909  mprotect(0x7fa1706ea000, 2093056, PROT_NONE) = 0
4909  mmap(0x7fa1708e9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14000) = 0x7fa1708e9000
4909  close(3)                          = 0
4909  open("/lib/libncurses.so.5", O_RDONLY) = 3
4909  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240M\1\0\0\0\0\0"..., 832) = 832
4909  fstat(3, {st_mode=S_IFREG|0755, st_size=1433703, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c75000
4909  mmap(NULL, 2426760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa170484000
4909  mprotect(0x7fa1704d0000, 2093056, PROT_NONE) = 0
4909  mmap(0x7fa1706cf000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4b000) = 0x7fa1706cf000
4909  mmap(0x7fa1706d4000, 1928, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa1706d4000
4909  close(3)                          = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c74000
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c73000
4909  arch_prctl(ARCH_SET_FS, 0x7fa171c736f0) = 0
4909  mprotect(0x7fa1706cf000, 16384, PROT_READ) = 0
4909  mprotect(0x7fa1708e9000, 4096, PROT_READ) = 0
4909  mprotect(0x7fa170aed000, 4096, PROT_READ) = 0
4909  mprotect(0x7fa170e3e000, 16384, PROT_READ) = 0
4909  mprotect(0x7fa171050000, 4096, PROT_READ) = 0
4909  mprotect(0x7fa1712ba000, 8192, PROT_READ) = 0
4909  mprotect(0x7fa1714d7000, 4096, PROT_READ) = 0
4909  mprotect(0x7fa17183b000, 57344, PROT_READ) = 0
4909  mprotect(0x7fa171a66000, 4096, PROT_READ) = 0
4909  mprotect(0x616000, 4096, PROT_READ) = 0
4909  mprotect(0x7fa171c84000, 4096, PROT_READ) = 0
4909  munmap(0x7fa171c78000, 40409)     = 0
4909  brk(0)                            = 0x16d0000
4909  brk(0x16f1000)                    = 0x16f1000
4909  open("/etc/localtime", O_RDONLY)  = 3
4909  fstat(3, {st_mode=S_IFREG|0644, st_size=2067, ...}) = 0
4909  fstat(3, {st_mode=S_IFREG|0644, st_size=2067, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c81000
4909  read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\v\0\0\0\v\0\0\0\0"..., 4096) = 2067
4909  lseek(3, -1300, SEEK_CUR)         = 767
4909  read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\0\0\f\0\0\0\0"..., 4096) = 1300
4909  close(3)                          = 0
4909  munmap(0x7fa171c81000, 4096)      = 0
4909  stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2067, ...}) = 0
4909  open("/root/ipcomp-tunnel.setkey", O_RDONLY) = 3
4909  socket(PF_KEY, SOCK_RAW, 2)       = 4
4909  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [131072], 4) = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [131072], 4) = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [262144], 4) = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [524288], 4) = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [1048576], 4) = 0
4909  getpid()                          = 4909
4909  sendto(4, "\2\7\0\0\2\0\0\0\0\0\0\0-\23\0\0", 16, 0, NULL, 0) = 16
4909  recvfrom(4, "\2\7\0\0\v\0\0\0\0\0\0\0-\23\0\0", 16, MSG_PEEK, NULL, NULL) = 16
4909  recvfrom(4, "\2\7\0\0\v\0\0\0\0\0\0\0-\23\0\0\3\0\16\0kkkk\373\0\0\0\0\0\0\0"..., 88, 0, NULL, NULL) = 88
4909  ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fffa5d10d90) = -1 ENOTTY (Inappropriate ioctl for device)
4909  fstat(3, {st_mode=S_IFREG|0755, st_size=599, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c81000
4909  read(3, "#!/usr/sbin/setkey -f\nflush;\nspd"..., 8192) = 599
4909  read(3, "", 4096)                 = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
4909  sendto(4, "\2\t\0\0\2\0\0\0\0\0\0\0-\23\0\0", 16, 0, NULL, 0) = 16
4909  recvfrom(4, 0x7fffa5d08e80, 32768, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
4909  dup(2)                            = 5
4909  fcntl(5, F_GETFL)                 = 0x8002 (flags O_RDWR|O_LARGEFILE)
4909  fstat(5, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  lseek(5, 0, SEEK_CUR)             = -1 ESPIPE (Illegal seek)
4909  write(5, "recv: Resource temporarily unava"..., 39) = 39
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
4909  sendto(4, "\2\23\0\0\2\0\0\0\0\0\0\0-\23\0\0", 16, 0, NULL, 0) = 16
4909  recvfrom(4, 0x7fffa5d08e80, 32768, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
4909  dup(2)                            = 5
4909  fcntl(5, F_GETFL)                 = 0x8002 (flags O_RDWR|O_LARGEFILE)
4909  fstat(5, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  lseek(5, 0, SEEK_CUR)             = -1 ESPIPE (Illegal seek)
4909  write(5, "recv: Resource temporarily unava"..., 39) = 39
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
4909  connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
4909  close(5)                          = 0
4909  socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
4909  connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
4909  close(5)                          = 0
4909  open("/etc/nsswitch.conf", O_RDONLY) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=508, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "# /etc/nsswitch.conf:\n# $Header:"..., 4096) = 508
4909  read(5, "", 4096)                 = 0
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  open("/etc/host.conf", O_RDONLY)  = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=936, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "# /etc/host.conf:\n# $Header: /va"..., 4096) = 936
4909  read(5, "", 4096)                 = 0
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  open("/etc/resolv.conf", O_RDONLY) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "nameserver 192.168.1.1\n", 4096) = 23
4909  read(5, "", 4096)                 = 0
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  uname({sys="Linux", node="B", ...}) = 0
4909  open("/etc/ld.so.cache", O_RDONLY) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=40409, ...}) = 0
4909  mmap(NULL, 40409, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fa171c69000
4909  close(5)                          = 0
4909  open("/lib/libnss_files.so.2", O_RDONLY) = 5
4909  read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p!\0\0\0\0\0\0"..., 832) = 832
4909  fstat(5, {st_mode=S_IFREG|0755, st_size=218643, ...}) = 0
4909  mmap(NULL, 2143632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fa170278000
4909  mprotect(0x7fa170283000, 2093056, PROT_NONE) = 0
4909  mmap(0x7fa170482000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0xa000) = 0x7fa170482000
4909  close(5)                          = 0
4909  mprotect(0x7fa170482000, 4096, PROT_READ) = 0
4909  munmap(0x7fa171c69000, 40409)     = 0
4909  open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
4909  fcntl(5, F_GETFD)                 = 0x1 (flags FD_CLOEXEC)
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=131, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "127.0.0.1\tlocalhost\n192.168.1.2\t"..., 4096) = 131
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=23, ...}) = 0
4909  open("/etc/resolv.conf", O_RDONLY) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "nameserver 192.168.1.1\n", 4096) = 23
4909  read(5, "", 4096)                 = 0
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  uname({sys="Linux", node="B", ...}) = 0
4909  open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=131, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "127.0.0.1\tlocalhost\n192.168.1.2\t"..., 4096) = 131
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
4909  sendto(4, "\2\3\0\t\f\0\0\0\0\0\0\0-\23\0\0\2\0\1\0\0\0\0,\0\0\0\2@\0\0\0"..., 96, 0, NULL, 0) = 96
4909  recvfrom(4, "\2\3\0\t\33\0\0\0\0\0\0\0-\23\0\0\2\0\1\0\0\0\0,\0\1\0\2\0\0\0\0"..., 32768, 0, NULL, NULL) = 216
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=131, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "127.0.0.1\tlocalhost\n192.168.1.2\t"..., 4096) = 131
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=131, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "127.0.0.1\tlocalhost\n192.168.1.2\t"..., 4096) = 131
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
4909  sendto(4, "\2\3\0\t\f\0\0\0\0\0\0\0-\23\0\0\2\0\1\0\0\0\0-\0\0\0\2@\0\0\0"..., 96, 0, NULL, 0) = 96
4909  recvfrom(4, "\2\3\0\t\33\0\0\0\0\0\0\0-\23\0\0\2\0\1\0\0\0\0-\0\1\0\2\0\0\0\0"..., 32768, 0, NULL, NULL) = 216
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=131, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "127.0.0.1\tlocalhost\n192.168.1.2\t"..., 4096) = 131
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=131, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "127.0.0.1\tlocalhost\n192.168.1.2\t"..., 4096) = 131
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
4909  sendto(4, "\2\16\0\0\20\0\0\0\0\0\0\0-\23\0\0\10\0\22\0\2\0\1\0\0\0\0\0\0\0\0\200"..., 128, 0, NULL, 0) = 128
4909  recvfrom(4, "\2\16\0\0\34\0\3\0\0\0\0\0-\23\0\0\3\0\5\0\377 \0\0\2\0\0\0\300\250\1\2"..., 32768, 0, NULL, NULL) = 224
4909  setsockopt(4, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
4909  sendto(4, "\2\16\0\0\20\0\0\0\0\0\0\0-\23\0\0\10\0\22\0\2\0\3\0\0\0\0\0\0\0\0\200"..., 128, 0, NULL, 0) = 128
4909  recvfrom(4, "\2\16\0\0\34\0\3\0\0\0\0\0-\23\0\0\3\0\5\0\377 \0\0\2\0\0\0\300\250\1\2"..., 32768, 0, NULL, NULL) = 224
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=131, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "127.0.0.1\tlocalhost\n192.168.1.2\t"..., 4096) = 131
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  socket(PF_NETLINK, SOCK_RAW, 0)   = 5
4909  bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
4909  getsockname(5, {sa_family=AF_NETLINK, pid=4909, groups=00000000}, [12]) = 0
4909  sendto(5, "\24\0\0\0\26\0\1\3#7|K\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0#7|K-\23\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 116
4909  recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0#7|K-\23\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
4909  close(5)                          = 0
4909  open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
4909  fstat(5, {st_mode=S_IFREG|0644, st_size=131, ...}) = 0
4909  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa171c80000
4909  read(5, "127.0.0.1\tlocalhost\n192.168.1.2\t"..., 4096) = 131
4909  close(5)                          = 0
4909  munmap(0x7fa171c80000, 4096)      = 0
4909  setsockopt(4, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
4909  sendto(4, "\2\16\0\0\20\0\0\0\0\0\0\0-\23\0\0\10\0\22\0\2\0\2\0\0\0\0\0\0\0\0\200"..., 128, 0, NULL, 0) = 128
4909  recvfrom(4, "\2\16\0\0\34\0\3\0\0\0\0\0-\23\0\0\3\0\5\0\377 \0\0\2\0\0\0\300\250\1\3"..., 32768, 0, NULL, NULL) = 224
4909  read(3, "", 8192)                 = 0
4909  ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fffa5d10d90) = -1 ENOTTY (Inappropriate ioctl for device)
4909  exit_group(0)                     = ?

Re: regression due to "flush SAD/SPD generate false events"

[David Miller]

From: Alexey Dobriyan <adobriyan@gmail.com>
Date: Wed, 17 Feb 2010 21:17:19 +0200

> commit 19f4c7133fc1b94001b997c4843d0a9192ee63e5
> xfrm: Flushing empty SAD generates false events
> 
> commit 0dca3a843632c2fbb6e358734fb08fc23e800f50
> xfrm: Flushing empty SPD generates false events
> 
> setkey now takes several seconds to run this simple script
> and it spits "recv: Resource temporarily unavailable" messages.
> 
> #!/usr/sbin/setkey -f
> flush;
> spdflush;
> 
> add A B ipcomp 44 -m tunnel -C deflate;
> add B A ipcomp 45 -m tunnel -C deflate;
> 
> spdadd A B any -P in ipsec
>         ipcomp/tunnel/192.168.1.2-192.168.1.3/use;
> spdadd B A any -P out ipsec
>         ipcomp/tunnel/192.168.1.3-192.168.1.2/use;

Thanks for the report Alexey.  I'll revert these changes
for now.

Jamal, if you can find a way to do this without breaking
existing applications feel free to send a new version of
these patches.

Thanks.

Re: regression due to "flush SAD/SPD generate false events"

[jamal]

On Wed, 2010-02-17 at 21:17 +0200, Alexey Dobriyan wrote:
> commit 19f4c7133fc1b94001b997c4843d0a9192ee63e5
> xfrm: Flushing empty SAD generates false events
> 
> commit 0dca3a843632c2fbb6e358734fb08fc23e800f50
> xfrm: Flushing empty SPD generates false events
> 
> setkey now takes several seconds to run this simple script
> and it spits "recv: Resource temporarily unavailable" messages.

I will try to reproduce it in about an hour. Do you have
anything like selinux being used etc?
 
BTW, the script seems a little strange because i think 
the template wont match between the SA/SP.. (doesnt
matter if you are testing insertion/flushing)

Does the following look reasonable for testing?
----
#!/usr/sbin/setkey -f
flush;
spdflush;

add 192.168.1.2 192.168.1.3 ipcomp 44 -m tunnel -C deflate;
add 192.168.1.3 192.168.1.2 ipcomp 45 -m tunnel -C deflate;

spdadd 10.0.1.2 10.1.2.3 any -P in ipsec
        ipcomp/tunnel/192.168.1.2-192.168.1.3/use;
spdadd 10.1.2.3 10.0.1.2 any -P out ipsec
        ipcomp/tunnel/192.168.1.3-192.168.1.2/use;
-----

cheers,
jamal

Re: regression due to "flush SAD/SPD generate false events"

[jamal]

On Wed, 2010-02-17 at 16:42 -0500, jamal wrote:

> I will try to reproduce it in about an hour. Do you have
> anything like selinux being used etc?

I have reproduced it - thanks Alexey. When you flush
an empty table, the time goes up from about 1.5s
to 3 secs with pfkey. You also see the EAGAIN for
each flush ...
I am going to dig a little more ..

cheers,
jamal

Re: regression due to "flush SAD/SPD generate false events"

[jamal]

[-- Attachment #1: Type: text/plain, Size: 673 bytes --]

On Wed, 2010-02-17 at 18:07 -0500, jamal wrote:
> When you flush
> an empty table, the time goes up from about 1.5s
> to 3 secs with pfkey. You also see the EAGAIN for
> each flush ...
> I am going to dig a little more ..

Here is a fix. The speed is restored (actually looks a little better
now) - the only thing is if you try to flush an empty table we return
-ESRCH; this seems reasonable, no? So a script like following 

---
#!/usr/sbin/setkey -f
flush;
spdflush;
----

will get:
---
bigismall:~# time setkey -f ./setkey-sample
The result of line 2: No such process.
The result of line 3: No such process.

real	0m0.663s
user	0m0.080s
sys	0m0.128s
----

cheers,
jamal

[-- Attachment #2: incr-flush-pfkey --]
[-- Type: text/x-patch, Size: 759 bytes --]

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 8b8e26a..79d2c0f 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1751,7 +1751,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd
 	audit_info.secid = 0;
 	err = xfrm_state_flush(net, proto, &audit_info);
 	if (err)
-		return 0;
+		return err;
 	c.data.proto = proto;
 	c.seq = hdr->sadb_msg_seq;
 	c.pid = hdr->sadb_msg_pid;
@@ -2713,7 +2713,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
 	audit_info.secid = 0;
 	err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
 	if (err)
-		return 0;
+		return err;
 	c.data.type = XFRM_POLICY_TYPE_MAIN;
 	c.event = XFRM_MSG_FLUSHPOLICY;
 	c.pid = hdr->sadb_msg_pid;

Re: regression due to "flush SAD/SPD generate false events"

[jamal]

On Wed, 2010-02-17 at 13:42 -0800, David Miller wrote:

> Jamal, if you can find a way to do this without breaking
> existing applications feel free to send a new version of
> these patches.

I sent incremental patch. If you still want me to resend
the whole thing i could after Alexey responds.

cheers,
jamal

Re: regression due to "flush SAD/SPD generate false events"

[David Miller]

From: jamal <hadi@cyberus.ca>
Date: Wed, 17 Feb 2010 18:34:38 -0500

> On Wed, 2010-02-17 at 13:42 -0800, David Miller wrote:
> 
>> Jamal, if you can find a way to do this without breaking
>> existing applications feel free to send a new version of
>> these patches.
> 
> I sent incremental patch. If you still want me to resend
> the whole thing i could after Alexey responds.

Please do, your changes are reverted so I need the whole
thing back.

Re: regression due to "flush SAD/SPD generate false events"

[jamal]

On Wed, 2010-02-17 at 15:40 -0800, David Miller wrote:

> Please do, your changes are reverted so I need the whole
> thing back.

np.
Q: Something odd i noticed when looking at pfkey (different behavior
from netlink):

pfkey_sendmsg() does at the end:
return err ? : len;

So if err was 0, it will always return the length which is
16 in the flush which was causing the EAGAIN Alexey saw. If i returned
the correct error (ESRCH), it goes unfiltered.
It sounds to me that should just unconditionaly return err, no?

cheers,
jamal

Re: regression due to "flush SAD/SPD generate false events"

[David Miller]

From: jamal <hadi@cyberus.ca>
Date: Wed, 17 Feb 2010 18:49:13 -0500

> On Wed, 2010-02-17 at 15:40 -0800, David Miller wrote:
> 
>> Please do, your changes are reverted so I need the whole
>> thing back.
> 
> np.
> Q: Something odd i noticed when looking at pfkey (different behavior
> from netlink):
> 
> pfkey_sendmsg() does at the end:
> return err ? : len;
> 
> So if err was 0, it will always return the length which is
> 16 in the flush which was causing the EAGAIN Alexey saw. If i returned
> the correct error (ESRCH), it goes unfiltered.
> It sounds to me that should just unconditionaly return err, no?

I don't think any sendmsg() method should return 0 when something
was actually sent.

Re: regression due to "flush SAD/SPD generate false events"

[jamal]

On Wed, 2010-02-17 at 15:55 -0800, David Miller wrote:

> I don't think any sendmsg() method should return 0 when something
> was actually sent.

;-> Ok, I need to call it a day ;->

cheers,
jamal

Re: regression due to "flush SAD/SPD generate false events"

[Alexey Dobriyan]

On Wed, Feb 17, 2010 at 06:32:09PM -0500, jamal wrote:
> On Wed, 2010-02-17 at 18:07 -0500, jamal wrote:
> > When you flush
> > an empty table, the time goes up from about 1.5s
> > to 3 secs with pfkey. You also see the EAGAIN for
> > each flush ...
> > I am going to dig a little more ..
> 
> Here is a fix. The speed is restored (actually looks a little better
> now) - the only thing is if you try to flush an empty table we return
> -ESRCH; this seems reasonable, no? So a script like following 
> 
> ---
> #!/usr/sbin/setkey -f
> flush;
> spdflush;
> ----
> 
> will get:
> ---
> bigismall:~# time setkey -f ./setkey-sample
> The result of line 2: No such process.
> The result of line 3: No such process.

I'd expect flushing empty SAD/SPD to be exact nops. :^)

Re: regression due to "flush SAD/SPD generate false events"

[jamal]

On Thu, 2010-02-18 at 20:55 +0200, Alexey Dobriyan wrote:

> I'd expect flushing empty SAD/SPD to be exact nops. :^)

Agree - that is a better alternative.
I was hoping returning an error code of 0 will do that.
But that triggers the EAGAIN you saw. It doesnt trigger
an EAGAIN for the netlink side (and it is a nop there).
Let me look at it. Clearly the EAGAIN is causing the 
latency.

cheers,
jamal

Re: regression due to "flush SAD/SPD generate false events"

[jamal]

On Thu, 2010-02-18 at 15:53 -0500, jamal wrote:

> Agree - that is a better alternative.
> I was hoping returning an error code of 0 will do that.
> But that triggers the EAGAIN you saw. It doesnt trigger
> an EAGAIN for the netlink side (and it is a nop there).
> Let me look at it. Clearly the EAGAIN is causing the 
> latency.

Ok, looking closely at the strace i think ive figured out
what pfkey is doing. It basically sets non-blocking receive
and expects to see the flush event whether real or bogus
(EAGAIN is because it tries to recvmsg and fails the first
time because we dont send the event when table is empty).

The two options are: 1) Restore old behavior just for pfkey
where bogus event is sent always or 2) return -ESRCH as I
have done in the last patch.
I think #2 is more accurate. But if that is going to break
existing scripts then #1 is the way to go.

Thoughts?

cheers,
jamal

Re: regression due to "flush SAD/SPD generate false events"

[David Miller]

From: jamal <hadi@cyberus.ca>
Date: Thu, 18 Feb 2010 16:45:58 -0500

> The two options are: 1) Restore old behavior just for pfkey
> where bogus event is sent always or 2) return -ESRCH as I
> have done in the last patch.
> I think #2 is more accurate. But if that is going to break
> existing scripts then #1 is the way to go.
> 
> Thoughts?

Let's see how #2 works out, if we get any more breakage
cases reported then we'll have to revert again and go with
#1.

Re: regression due to "flush SAD/SPD generate false events"

[jamal]

On Thu, 2010-02-18 at 14:27 -0800, David Miller wrote:

> Let's see how #2 works out, if we get any more breakage
> cases reported then we'll have to revert again and go with
> #1.

Actually, i think i found the root cause. The sequence should be:

1) pfkey->kernel: flush
kernel flushes SA/SPD
2)kernel->pfkey: respond to flush message
3)kernel->all user space listeners: i just flushed the SA/SPD

#2 is always needed.
#3 is wrong if SA/SPD is empty.
kernel unfortunately sends a single broadcast which combines
#2 and #3. So the proper fix is to break #2 and #3 into
separate messages. And follow the rules above.

I dont have time to fix it right now - but i will send a patch
tommorow.

cheers,
jamal

Re: regression due to "flush SAD/SPD generate false events"

[David Miller]

From: jamal <hadi@cyberus.ca>
Date: Thu, 18 Feb 2010 17:52:41 -0500

> I dont have time to fix it right now - but i will send a patch
> tommorow.

Ok, thanks for the update.