Re: Recent IPSEC changes

[Ryota Ozaki <ozaki-r%netbsd.org@localhost>]

On Fri, Oct 13, 2017 at 4:41 PM, Robert Swindells <rjs%fdy2.co.uk@localhost> wrote:
>
> Ryota Ozaki <ozaki-r%netbsd.org@localhost> wrote:
>>On Fri, Oct 13, 2017 at 5:49 AM, Robert Swindells <rjs%fdy2.co.uk@localhost> wrote:
>>>
>>> I think something in the recent IPSEC changes is setting the ipsec_used
>>> flag to be always true.
>>
>>Not really on my machine. I guess it depends on environments.
>
> My environment is INET, INET6 & IPSEC in the kernel config, no modules.
>
> I have taken out any other protocols.

My config is similar to GENERIC in in terms of network protocols.

>
>>There is a change that affects the ipsec_used flag:
>>  http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netipsec/key.c#rev1.199
>
> Ok.
>
>>It turns on the flag when a socket is enabled the IP_IPSEC_POLICY option.
>>There was a bug that having such a socket didn't turn on the flag; the
>>above commit fixed the bug.
>
> The flag is on at boot for me.

Heh. ipsec_used is initially 0. And only key_update_used() changes the
value. Could you add KASSERT(0) to at the beginning of key_update_used,
rebuild a kernel and try to boot it? Then, we can know who changes it
(or it's initialized with 1 unexpectedly).

>
>>Do you have any processes having a socket with IP_IPSEC_POLICY on your
>>machine in mind?
>
> No.

Hmm.

  ozaki-r