[Openswan Users] keeping SA made OCF resource leak

willer.wang at cybertan.com.tw willer.wang at cybertan.com.tw
Wed Jul 29 04:19:43 EDT 2009


On 2009-07-29 06:33, David McCullough wrote: 
> 
> Jivin Paul Wouters lays it down ... 
> > On Wed, 22 Jul 2009, willer.wang@??? wrote: 
> > 
> >> 3. I don't know what the purpose is of OPENSWAN keeping all old outbound SAs all the time. To prevent rebuilding the same SA?
> >
> > To ensure a seamless transition, the old receiving SA's are kept until 
> > traffic arrives on the new SA. On the outgoing SA, I believe we drop 
> > the old one as soon as we are ready to use the new one for traffic. 
> 
> Yep, I thought that too, but it seems that something is definitely broken.
> I can see the SA's increasing (cat /proc/net/ipsec_spi | wc -l) over time. 
> Most certainly seems to be rekey related. 
> 
> Hopefully it won't take too long to track the offending refcount discrepancy 
> and get this fixed ;-) 
> 
> Cheers, 
> Davidm 
> 
>

I found a strange point about this problem. 

As I said before, an expired SA did not free its related OCF resource.

Here is my observation: an outbound SA like esp.e43d2490 at 10.0.0.1 expired.

Now it enters the function "ipsec_sa_rm()" with refcount=3, ocf_in_use=1.

Because the refcount > 1, this SA is just removed from the hash table, but will not enter the function "ipsec_sa_wipe()".

However, this expired SA finally enters the function ipsec_sa_wipe() because the refcount becomes 0.

But now the ocf_in_use flag of this SA has also become "0", and it will not enter "ipsec_ocf_sa_free()".

So the related OCF resource is always kept.

I really cannot understand why the ocf_in_use of this SA can become 0 before entering ipsec_ocf_sa_free().

Can someone give me advice about this problem?

Thx~

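Added example, not part of the original message and not Openswan code: a small user-space C model of the lifecycle the post describes (refcount=3 and ocf_in_use=1 at removal, flag already 0 when the wipe finally runs). It contrasts a wipe that trusts the flag with one that checks the session handle and reports a stale flag. The page does not identify what clears ocf_in_use, so the model clears it by hand as a labelled assumption; model_sa, wipe_by_flag, wipe_by_handle and the session id 42 are hypothetical names and values.

```c
/* User-space model of the post's SA lifecycle. Not Openswan/KLIPS code; all names hypothetical. */
#include <stdio.h>
static int open_sessions;   /* stands in for sessions held by the OCF driver */
struct model_sa {
    int refcount;
    int ocf_in_use;         /* flag tested on the wipe path, as in the post */
    int session_id;         /* 0 means no session is attached */
};
/* Wipe keyed on the flag alone: a cleared flag skips the release. */
static int wipe_by_flag(struct model_sa *sa)
{
    if (sa->ocf_in_use) { open_sessions--; sa->session_id = 0; }
    return 0;
}

/* Wipe keyed on the handle: releases, returns 1 if the flag was already clear. */
static int wipe_by_handle(struct model_sa *sa)
{
    int stale = (sa->session_id != 0 && !sa->ocf_in_use);
    if (sa->session_id != 0) { open_sessions--; sa->session_id = 0; }
    return stale;
}

/* Drop one reference; the last drop runs the chosen wipe routine. */
static int model_sa_put(struct model_sa *sa, int (*wipe)(struct model_sa *))
{
    return (--sa->refcount == 0) ? wipe(sa) : 0;
}

/* Returns the number of leaked sessions; *stale reports the handle check. */
static int run_scenario(int (*wipe)(struct model_sa *), int *stale)
{
    struct model_sa sa = { 3, 1, 42 };  /* refcount=3, ocf_in_use=1 as in the post */
    open_sessions = 1;                  /* the one session attached to this SA */
    model_sa_put(&sa, wipe);            /* "rm": 3 -> 2, SA only leaves the table */
    sa.ocf_in_use = 0;                  /* ASSUMPTION: the page does not say what clears it */
    model_sa_put(&sa, wipe);            /* 2 -> 1 */
    *stale = model_sa_put(&sa, wipe);   /* 1 -> 0, wipe runs */
    return open_sessions;
}

int main(void)
{
    int stale, leaked = run_scenario(wipe_by_flag, &stale);
    printf("flag-keyed wipe: %d leaked\n", leaked);
    leaked = run_scenario(wipe_by_handle, &stale);
    printf("handle-keyed wipe: %d leaked, stale flag seen: %d\n", leaked, stale);
    return 0;
}
```

In a real debugging session the stale-flag return would correspond to a log line or warning at wipe time, which narrows the search to whatever ran between removal and the last reference drop.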