Subject: Re: Reminder that we are supporting two parallel IPsec implementations
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: None <itojun@iijlab.net>
List: tech-net
Date: 09/12/2003 09:17:50
>>	i remember no ad-hoc changes to PF_KEY API/ABI made to netbsd tree.
>>	which one do you think ad-hoc?
>>	i made changes with reasons.  if you call it "ad-hoc" in public it's
>>	quite an insult.
>
>There is a bug in the implementation of PF_KEY which is triggered with
>quite modest numbers of simultaneous SAs.  Adding a kernfs hook to
>access SAs in order to sidestep that bug is *definitionally* ad-hoc.

	aha, socket buffer starvation on SADB_DUMP.  i can't really do anything
	about it from the PF_KEY point of view.  btw, PF_KEY messages are like
	SOCK_DGRAM messages; they are unreliable, so it is (specwise) normal to
	lose some of the messages.  therefore it is not a bug, but a feature.

>I'm not 100% sure it's the same bug which manifests on fast-ipsec (both
>NetBSD and FreeBSD) under the same circumstances of medium numbers of
>SAs; but the description sure sounds very similar.

	the code is identical in sys/netipsec.

itojun