[Openswan Users] keeping SA made OCF resource leak
David McCullough
David_Mccullough at securecomputing.com
Wed Jul 29 02:33:44 EDT 2009
Jivin Paul Wouters lays it down ...
> On Wed, 22 Jul 2009, willer.wang at cybertan.com.tw wrote:
>
>> 3. I don't know what's the purpose of OPENSWAN keeps all old outbound SAs all the time. Preventing to rebuild a same SA?
>
> To ensure a seamless transition, the old receiving SA's are kept until
> traffic arrives on the new SA. On the outgoing SA, I believe we drop
> the old one as soon as we are ready to use the new one for traffic.
Yep, I thought that too, but it seems that something is definitely broken.
I can see the SA's increasing (cat /proc/net/ipsec_spi | wc -l) over time.
Most certainly seems to be rekey related.
Hopefully it won't take too long to track the offending refcount discrepancy
and get this fixed ;-)
Cheers,
Davidm
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org