[Swan-dev] Leaks when killing states during crypto; time to drop WIRE_*?
andrew.cagney at gmail.com
Mon Dec 18 16:51:20 UTC 2017
On 15 December 2017 at 12:27, Paul Wouters <paul at nohats.ca> wrote:
> On Fri, 15 Dec 2017, Andrew Cagney wrote:
> Thanks for these updates!
>> - 'inline' is gone; if there are no threads then the work is thrown
>> onto the main event loop
> That's good news, we have had too many weird issues with STF_INLINE.
>> I think the too-much-crypto code path should either be deleted and/or
>> handled by generating a crypto timeout event with delay 0. The above
>> code ignores the problem, if there is too much crypto then low
>> priority tasks will timeout anyway.
>> I suspect there's a bug in the 'importance' code (variable defaulting
>> to 0) - on east the KE computation gets scheduled with no priority at
>> all and I suspect that is wrong. Anyone?
> The original idea was to de-prioritize CPU intensive operations on a
> first received packet which could be a spoofed packet. However, that
> now is handled by the code counting half-open IKE SA's and activating the
> IKEv2 COOKIEs code, and on further overload just stop accepting I1
> packets completely until the load has dropped. I have no problem cutting
> out all this "importance" code.
Ok, I'll ignore the value.
(I was wondering about opportunistic encryption, but looking at the
code it seems to be treated the same).
More information about the Swan-dev