The socket buffer size for pfkey only allows for 342 SAs to be dumped by "setkey -D". (In our application we have the need for in the order of 10k.)

Fix:

This is our workaround for now, probably not the best solution. Could you at least add the u_quad_t cast since it triggers this warning when increasing SB_MAX:

    uipc_socket2.c:69: warning: integer overflow in expression

The added cast corresponds to uipc_socket2.c:490:

    sb_max_adj = (u_quad_t)sb_max * MCLBYTES / (MSIZE + MCLBYTES);

+#ifdef FIX + const int r_bufsiz = 8 * 1024 * 1024; +#endif if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) { __ipsec_set_strerror(strerror(errno)); return -1; @@ -1592,7 +1601,11 @@ * Don't really care even if it fails. */ (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz)); +#ifdef FIX + (void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &r_bufsiz, sizeof(r_bufsiz)); +#else (void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz)); +#endif __ipsec_errcode = EIPSEC_NO_ERROR; return so; u_long sb_max = SB_MAX; static u_long sb_max_adj = - SB_MAX * MCLBYTES / (MSIZE + MCLBYTES); /* adjusted sb_max */ + (u_quad_t)SB_MAX * MCLBYTES / (MSIZE + MCLBYTES); /* adjusted sb_max */ static u_long sb_efficiency = 8; /* parameter for sbreserve() */

How-To-Repeat:

Use 'setkey' command to push 10000 SAs into the kernel. Run 'setkey -D'.

ACTUAL RESULT

Only 342 of the SAs are reported to userland, then an error message:

    # setkey -D | grep esp | wc -l
    recv: Resource temporarily unavailable
    342

EXPECTED RESULT

    # setkey -D | grep esp | wc -l
    10000
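Review bot: the return value of the new SO_RCVBUF setsockopt() in the @@ -1592,7 +1601,11 @@ hunk is discarded with (void), so if the kernel refuses the 8 MB request the socket keeps its old receive buffer and "setkey -D" stops early exactly as before, with no indication that the larger size was never applied. Check the result and retry with a smaller size (or fall back to bufsiz) instead of relying on the existing "Don't really care even if it fails" comment, which was written for a much smaller request. The hard-coded 8 * 1024 * 1024 also only moves the ceiling rather than removing it, and the #ifdef FIX guards should not go in as posted: either the larger receive buffer is the new behaviour or it is not.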
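Review bot: the SB_MAX increase that makes the sb_max_adj initializer overflow is not part of this diff, even though the report says the warning appears "when increasing SB_MAX", so the libipsec change cannot be evaluated on its own: it is not clear which SB_MAX value the 8 MB receive buffer depends on. Include that change or state the required value. On the cast itself, (u_quad_t)SB_MAX widens the intermediate product but the result is still stored in a u_long, so a one-line comment saying the cast exists to keep SB_MAX * MCLBYTES from overflowing before the division would stop it being removed later as redundant.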
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Tag as ipsec; assign to freebsd-net.
Responsible Changed
From-To: freebsd-net->vanhu

Already working on the problem for ipsec-tools, on which a similar patch has been added as a first workaround.
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
A commit references this bug:

Author: ae
Date: Sun Mar 11 19:26:35 UTC 2018
New revision: 330781
URL: https://svnweb.freebsd.org/changeset/base/330781

Log:
  Update pfkey_open() function to set socket's write buffer size to 128k and receive buffer size to 2MB. In case if system has bigger default values, do not lower them.

  This should partially solve the problem, when setkey(8) returns EAGAIN error on systems with many SAs or SPs.

  PR: 88336
  Obtained from: NetBSD/ipsec-tools
  MFC after: 2 weeks

Changes:
  head/lib/libipsec/pfkey.c
A commit references this bug:

Author: ae
Date: Sun Mar 25 03:50:38 UTC 2018
New revision: 331527
URL: https://svnweb.freebsd.org/changeset/base/331527

Log:
  MFC r330781:
  Update pfkey_open() function to set socket's write buffer size to 128k and receive buffer size to 2MB. In case if system has bigger default values, do not lower them.

  This should partially solve the problem, when setkey(8) returns EAGAIN error on systems with many SAs or SPs.

  PR: 88336
  Obtained from: NetBSD/ipsec-tools

Changes:
  _U stable/11/
  stable/11/lib/libipsec/pfkey.c
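The behaviour the commit log describes (ask for a 128k write buffer and a 2MB receive buffer, and leave a socket alone when it already has more), as an added example that is not the libipsec code from r330781. The helper name raise_sockbuf, the halving fallback on ENOBUFS and the AF_UNIX stand-in socket are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Raise a socket buffer (SO_SNDBUF or SO_RCVBUF) towards `wanted` bytes.
 * Nothing is requested when the socket already reports at least `wanted`.
 * If the kernel refuses a size with ENOBUFS, halve the request until it is
 * accepted or no longer above the current size.
 * Returns the size the kernel reports afterwards, or -1 if it cannot be read.
 */
static int
raise_sockbuf(int fd, int optname, int wanted)
{
	int cur, req;
	socklen_t len = sizeof(cur);

	if (getsockopt(fd, SOL_SOCKET, optname, &cur, &len) < 0)
		return (-1);
	for (req = wanted; req > cur; req /= 2) {
		if (setsockopt(fd, SOL_SOCKET, optname, &req, sizeof(req)) == 0)
			break;		/* accepted (some kernels clamp silently) */
		if (errno != ENOBUFS)
			break;		/* not a size problem; keep what we have */
	}
	len = sizeof(cur);
	if (getsockopt(fd, SOL_SOCKET, optname, &cur, &len) < 0)
		return (-1);
	return (cur);			/* caller can compare this with `wanted` */
}

int
main(void)
{
	/* Stand-in socket: PF_KEY needs privileges, the buffer logic is the same. */
	int so = socket(AF_UNIX, SOCK_DGRAM, 0);

	if (so < 0) {
		perror("socket");
		return (1);
	}
	printf("SO_SNDBUF now %d\n", raise_sockbuf(so, SO_SNDBUF, 128 * 1024));
	printf("SO_RCVBUF now %d\n", raise_sockbuf(so, SO_RCVBUF, 2 * 1024 * 1024));
	close(so);
	return (0);
}
```

Returning the size the kernel reports lets the caller see when the request was refused or clamped, which a discarded setsockopt() result hides.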
Hello, There is a commit referencing this PR but it's not yet closed. Is there any pending work or can it be closed? Thanks
The committed fix is a partial solution, but since there is no pending work, I'm closing it.