Subject: Re: port-xen/33162 [Re: FAST_IPSEC panics domU kernel]
To: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
From: Jeff Rizzo <riz@NetBSD.org>
List: port-xen
Date: 03/29/2006 09:56:29

Pavel Cahyna wrote:
> On Wed, Mar 29, 2006 at 07:05:07AM -0800, Jeff Rizzo wrote:
>
>> Pavel Cahyna wrote:
>>
>>> I think netipsec is wrong - it is using m_copyback, but can't be really
>>> sure that the mbuf is not shared.
>>>
>>> Try the following (not even compile-tested) patch.
>>>
>> I can confirm this patch does, in fact, allow me to perform the simple
>> test that caused the domU to crash before.
>>
>> Thanks!
>>
>
> Can you test AH and IPCOMP?
>
> Pavel
>

This is AH:

xen5# /etc/rc.d/ipsec forcestart
Installing ipsec manual keys/policies.
uvm_fault(0xc047c6a0, 0xc03f5000, 2) -> 0xe
kernel: supervisor trap page fault, code=0
Stopped in pid 1846.1 (setkey) at       netbsd:amap_wipeout+0x59:       movl    %eax,0(%edx)
db> bt
amap_wipeout(caac5d88,0,1,0,10000) at netbsd:amap_wipeout+0x59
uvm_unmap_detach(caa9fc6c,0,bfc00000,caa7be94,0) at netbsd:uvm_unmap_detach+0xc5
uvmspace_free(c9fc82a0,c9fd7f00,0,0,0) at netbsd:uvmspace_free+0xec
exit1(c9fcb294,0,0,c9fcb294,0) at netbsd:exit1+0x291
sys_exit(c9fcb294,caa7bf64,caa7bf5c,caa3b348,1) at netbsd:sys_exit+0x29
syscall_plain() at netbsd:syscall_plain+0x19b
--- syscall (number 1) ---
0xbbbbc977:
db>

So, a different sort of panic.

As far as IPCOMP goes, there's a couple of issues:

1) as far as I can tell, the KAME ipcomp does not actually *work*.  It
seems to send out uncompressed packets - which is making the test of
interoperability hard to do.

2) using FAST_IPSEC, I get problems, but no crash:

xen5# ping fubar
PING fubar.york.redcrowgroup.com (192.168.3.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host


(yes, there *is* a route to the host)

If I get some time later, I may set up a "real" host with fast_ipsec to
see if ipcomp works as expected there.

+j


