Pavel Cahyna wrote: > On Wed, Mar 29, 2006 at 07:05:07AM -0800, Jeff Rizzo wrote: > >> Pavel Cahyna wrote: >> >>> I think netipsec is wrong - it is using m_copyback, but can't be really >>> sure that the mbuf is not shared. >>> >>> Try the following (not even compile-tested) patch. >>> >>> >> I can confirm this patch does, in fact, allow me to perform the simple >> test that caused the domU to crash before. >> >> Thanks! >> > > Can you test AH and IPCOMP? > > Pavel > This is AH: xen5# /etc/rc.d/ipsec forcestart Installing ipsec manual keys/policies. uvm_fault(0xc047c6a0, 0xc03f5000, 2) -> 0xe kernel: supervisor trap page fault, code=0 Stopped in pid 1846.1 (setkey) at netbsd:amap_wipeout+0x59: movl %eax,0(%edx) db> bt amap_wipeout(caac5d88,0,1,0,10000) at netbsd:amap_wipeout+0x59 uvm_unmap_detach(caa9fc6c,0,bfc00000,caa7be94,0) at netbsd:uvm_unmap_detach+0xc5 uvmspace_free(c9fc82a0,c9fd7f00,0,0,0) at netbsd:uvmspace_free+0xec exit1(c9fcb294,0,0,c9fcb294,0) at netbsd:exit1+0x291 sys_exit(c9fcb294,caa7bf64,caa7bf5c,caa3b348,1) at netbsd:sys_exit+0x29 syscall_plain() at netbsd:syscall_plain+0x19b --- syscall (number 1) --- 0xbbbbc977: db> So, a different sort of panic. As far as IPCOMP goes, there's a couple of issues: 1) as far as I can tell, the KAME ipcomp does not actually *work*. It seems to send out uncompressed packets - which is making the test of interoperability hard to do. 2) using FAST_IPSEC, I get problems, but no crash: xen5# ping fubar PING fubar.york.redcrowgroup.com (192.168.3.8): 56 data bytes ping: sendto: No route to host ping: sendto: No route to host ping: sendto: No route to host (yes, there *is* a route to the host) If I get some time later, I may set up a "real" host with fast_ipsec to see if ipcomp works as expected there. +j
Attachment:
signature.asc
Description: OpenPGP digital signature