From nobody@FreeBSD.org  Tue Nov  1 15:37:32 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0970416A421
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  1 Nov 2005 15:37:32 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 980FF43D46
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  1 Nov 2005 15:37:31 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jA1FbV7d023880
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 1 Nov 2005 15:37:31 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jA1FbV6o023879;
	Tue, 1 Nov 2005 15:37:31 GMT
	(envelope-from nobody)
Message-Id: <200511011537.jA1FbV6o023879@www.freebsd.org>
Date: Tue, 1 Nov 2005 15:37:31 GMT
From: Mats Palmgren <mats.palmgren@bredband.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: setkey -D fails to report all SAs
X-Send-Pr-Version: www-2.3

>Number:         88336
>Category:       kern
>Synopsis:       [ipsec] [patch] setkey(8) -D fails to report all SAs
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    vanhu
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 01 15:40:17 GMT 2005
>Closed-Date:    
>Last-Modified:  Tue Feb 10 08:40:59 UTC 2009
>Originator:     Mats Palmgren
>Release:        RELENG_5
>Organization:
>Environment:
>Description:
The socket buffer size for pfkey only allows for 342
SAs to be dumped by "setkey -D".
(In our application we have the need for in the order of 10k)
>How-To-Repeat:
Use 'setkey' command to push 10000 SAs into the kernel.
Run 'setkey -D'.

ACTUAL RESULT
Only 342 of the SAs is reported to userland, then an error message:
# setkey -D | grep esp | wc -l
recv: Resource temporarily unavailable
     342

EXPECTED RESULT
# setkey -D | grep esp | wc -l
     10000

>Fix:
This is our workaround for now, probably not the best solution.
Could you at least add the u_quad_t cast since it triggers this
warning when increasing SB_MAX:
uipc_socket2.c:69: warning: integer overflow in expression

The added cast corresponds to uipc_socket2.c:490:
    sb_max_adj = (u_quad_t)sb_max * MCLBYTES / (MSIZE + MCLBYTES);



Index: lib/libipsec/pfkey.c
===================================================================
RCS file: /cvs/src/lib/libipsec/pfkey.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 pfkey.c
--- lib/libipsec/pfkey.c        12 May 2004 20:54:18 -0000      1.1.1.1
+++ lib/libipsec/pfkey.c        31 Oct 2005 19:15:03 -0000
@@ -1582,6 +1582,15 @@
        int so;
        const int bufsiz = 128 * 1024;  /*is 128K enough?*/

+#ifdef FIX
+       const int r_bufsiz = 8 * 1024 * 1024;
+#endif
        if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
                __ipsec_set_strerror(strerror(errno));
                return -1;
@@ -1592,7 +1601,11 @@
         * Don't really care even if it fails.
         */
        (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
+#ifdef FIX
+       (void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &r_bufsiz, sizeof(r_bufsiz));
+#else
        (void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
+#endif

        __ipsec_errcode = EIPSEC_NO_ERROR;
        return so;
Index: sys/kern/uipc_socket2.c
===================================================================
RCS file: /cvs/src/sys/kern/uipc_socket2.c,v
retrieving revision 1.1.1.7
diff -u -r1.1.1.7 uipc_socket2.c
--- sys/kern/uipc_socket2.c     13 Jun 2005 14:54:31 -0000      1.1.1.7
+++ sys/kern/uipc_socket2.c     31 Oct 2005 16:39:25 -0000
@@ -66,7 +66,7 @@

 u_long sb_max = SB_MAX;
 static u_long sb_max_adj =
-    SB_MAX * MCLBYTES / (MSIZE + MCLBYTES); /* adjusted sb_max */
+    (u_quad_t)SB_MAX * MCLBYTES / (MSIZE + MCLBYTES); /* adjusted sb_max */

 static u_long sb_efficiency = 8;       /* parameter for sbreserve() */

Index: sys/sys/socketvar.h
===================================================================
RCS file: /cvs/src/sys/sys/socketvar.h,v
retrieving revision 1.1.1.5
diff -u -r1.1.1.5 socketvar.h
--- sys/sys/socketvar.h 21 Apr 2005 00:19:11 -0000      1.1.1.5
+++ sys/sys/socketvar.h 31 Oct 2005 17:46:30 -0000
@@ -115,7 +115,11 @@
 /*
  * Constants for sb_flags field of struct sockbuf.
  */
+#ifdef FIX
+#define        SB_MAX          (((8*1024*1024)/MCLBYTES)*(MSIZE+MCLBYTES))
+#else
 #define        SB_MAX          (256*1024)      /* default for max chars in sockbuf */
+#endif
 /*
  * Constants for sb_flags field of struct sockbuf.
  */



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Mon Feb 9 23:26:47 UTC 2009 
Responsible-Changed-Why:  
Tag as ipsec; assign to freebsd-net. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=88336 
Responsible-Changed-From-To: freebsd-net->vanhu 
Responsible-Changed-By: vanhu 
Responsible-Changed-When: Tue Feb 10 08:39:39 UTC 2009 
Responsible-Changed-Why:  
Alraedy working on the problem for ipsec-tools, on which a similar patch 
has been added as a first workaround. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=88336 
>Unformatted:
