[Openswan Users] Could anyone tell me what the function can_proc_shunts in kernel.c is doing?

Paul Wouters paul at xelerance.com
Wed Nov 8 11:19:01 EST 2006


On Wed, 8 Nov 2006, mix wrote:

> Could anyone please tell me what the function can_proc_shunts in kernel.c is doing?
> I only know that it will scan /proc/net/ipsec_eroute.
>
> But something is wrong in my /proc/net/ipsec_eroute (the format seems not correct).
> So I want to confirm: if the /proc/net/ipsec_eroute format is wrong, will it cause any problem in the function
> can_proc_shunts in kernel.c?
> Or is there no problem, and the IPsec tunnel will work fine?

Things will work fine. You are probably running Opportunistic Encryption
on a very busy server (busy as in many clients, like a DNS server, not
necessarily much traffic), and you are getting a lot of (%pass?) eroutes
in /proc/net/ipsec_eroute. The problem is that the file structure can
change while you are reading it on busy servers, if the eroute file
is more than 4kb. In openswan 3.x.x, the eroute file is currently not
available, and we will come up with an alternative (besides the unreadable
ip xfrm commands). We hope to include the conn name in this information
as well (which the original eroute did not have).

If pluto runs into this, it just logs a warning and re-reads it, so it is not
fatal.

A workaround for this is to use "passive OE" instead of "active OE", so that you
limit the amount of %pass eroutes. This is assuming you don't have just many
statically configured and/or roadwarrior connections surpassing 4kb of lines.

Paul
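The failure mode Paul describes (a /proc table that changes underneath the reader, so one snapshot can contain a torn or malformed line, which pluto handles by warning and re-reading) is easy to reproduce offline. The following is an added example, not code from Openswan or from this thread: it parses eroute-style lines, treats any line that does not match the expected layout as a torn read, retries the read, and then counts how many entries are %pass shunts versus real SAs, which is the number the passive-OE workaround is meant to keep small. The line layout assumed by the regular expression (`<count> <src>/<len> -> <dst>/<len> => <SAID or %shunt>`) and the two sample snapshots are constructed for this example.

```python
import re
from typing import Callable, Dict, List

# Assumed KLIPS-style eroute layout, one entry per line (constructed for this example):
#   <packet count> <src>/<prefix> -> <dst>/<prefix> => <SAID or %pass/%trap/%hold/%drop>
EROUTE_RE = re.compile(
    r"^(?P<count>\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+=>\s+"
    r"(?P<said>\S+)\s*$"
)


class TornRead(Exception):
    """Raised when a line does not match the layout: the table changed mid-read."""


def parse_eroutes(text: str) -> List[Dict[str, str]]:
    """Parse one snapshot of the eroute table; fail loudly on any malformed line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = EROUTE_RE.match(line)
        if m is None:
            raise TornRead(f"line {lineno} malformed: {line!r}")
        entries.append(m.groupdict())
    return entries


def read_eroutes_with_retry(read: Callable[[], str], attempts: int = 3) -> List[Dict[str, str]]:
    """Mirror pluto's behaviour: on an inconsistent snapshot, warn and re-read."""
    last: Exception = TornRead("no attempts made")
    for n in range(1, attempts + 1):
        try:
            return parse_eroutes(read())
        except TornRead as exc:
            last = exc
            print(f"warning: eroute table changed during read (attempt {n}/{attempts}): {exc}")
    raise last


def count_by_said(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count shunt eroutes (%pass, %trap, ...) separately from real SAs."""
    counts: Dict[str, int] = {}
    for e in entries:
        key = e["said"] if e["said"].startswith("%") else "SA"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed snapshots. The first one is "torn": it ends mid-entry, as a read
# that straddled a changing table might. The second is a consistent re-read.
TORN = """\
0          0.0.0.0/0          -> 0.0.0.0/0          => %trap
12         192.0.2.10/32      -> 198.51.100.5/32    => tun0x1002@198.51.100.1
3          192.0.2.10/32      -> 203.0.1
"""

CONSISTENT = """\
0          0.0.0.0/0          -> 0.0.0.0/0          => %trap
12         192.0.2.10/32      -> 198.51.100.5/32    => tun0x1002@198.51.100.1
3          192.0.2.10/32      -> 203.0.113.7/32     => %pass
0          192.0.2.10/32      -> 203.0.113.8/32     => %pass
"""


def simulated_proc_reads() -> Callable[[], str]:
    """Stand-in for open('/proc/net/ipsec_eroute').read(): torn first, then consistent."""
    snapshots = iter([TORN, CONSISTENT])
    return lambda: next(snapshots)


def demo() -> Dict[str, int]:
    entries = read_eroutes_with_retry(simulated_proc_reads())
    return count_by_said(entries)


if __name__ == "__main__":
    print(demo())
```

On a live system, replace `simulated_proc_reads()` with a callable that reads `/proc/net/ipsec_eroute`; a steadily growing `%pass` count relative to `SA` entries is the symptom the passive-OE workaround addresses.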
