[Swan-dev] remove pfkey checks from pluto and startup scripts

Antony Antony antony at phenome.org
Fri May 3 12:00:19 UTC 2019


Hi Tuomo,

Could you or someone test these two patches? Run Libreswan without PF_KEY 
support in the kernel [1].

This came up as an issue when running on a kernel without pfkey support.
Pluto has not needed pfkey for crypto algorithm lists for a while; however, these 
checks are still there. And maybe the interface code or something else is still 
using pfkey.

Since it is not necessary, we could remove it from pluto.  Also, in tests 
Steffen noticed that compiling the kernel with pfkey uses quite a bit of extra CPU.
His observation was that pfkey_send_new_mapping used "3.69% of my cpu cycles".  So 
I think it is worth removing pfkey completely.  E.g. this could happen when 
the NAT mappings for ESP change; pfkey_send_new_mapping is wasted CPU 
cycles.

Note: these cycles are lost inside the kernel, so they probably won't show up 
in userland perf monitoring.

I am wondering if there are more places where pluto depends on pfkey; will 
this break something else?

Should I push this now or hold on until 3.28 is out?

-antony

[1] in .config it is called CONFIG_NET_KEY

  Location:
    -> Networking support (NET [=y])
      -> Networking options
        -> PF_KEY sockets

check .config for
# CONFIG_NET_KEY is not set


-------------- next part --------------
From 8e6eb56365dbb6857ec58be87f26c6fee9a37a85 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Thu, 2 May 2019 15:15:26 +0000
Subject: [PATCH 1/2] pluto: netkey don't check for /proc/net/pfkey

since b248daa35 and related commits for netkey, pluto does not need
/proc/net/pfkey
---
 programs/pluto/kernel.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index a4320042f..bd584d089 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -2650,7 +2650,7 @@ void init_kernel(void)
 {
 	struct utsname un;
 
-#if defined(NETKEY_SUPPORT) || defined(KLIPS)
+#if defined(KLIPS)
 	struct stat buf;
 #endif
 
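Review bot: narrowing the `#if` around `struct stat buf` to `defined(KLIPS)` is consistent with the `stat()` call deleted in the next hunk, but please confirm that no other `NETKEY_SUPPORT`-only code in `init_kernel()` still touches `buf`; a build with `NETKEY_SUPPORT` and without `KLIPS` would otherwise fail on an undeclared `buf`. If the `sys/stat.h` include exists only for this check, it can move under the same `KLIPS` guard.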
@@ -2661,11 +2661,6 @@ void init_kernel(void)
 	switch (kern_interface) {
 #if defined(NETKEY_SUPPORT)
 	case USE_NETKEY:
-		if (stat("/proc/net/pfkey", &buf) != 0) {
-			libreswan_log(
-				"No XFRM/NETKEY kernel interface detected");
-			exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
-		}
 		libreswan_log(
 			"Using Linux XFRM/NETKEY IPsec interface code on %s",
 			kversion);
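Review bot: with the `stat("/proc/net/pfkey", ...)` test gone, nothing in this hunk replaces the early "No XFRM/NETKEY kernel interface detected" failure, so a kernel without XFRM will only be noticed by whatever breaks later (presumably the netlink socket setup), possibly with a less clear message and a different exit code than `PLUTO_EXIT_KERNEL_FAIL`. Since the motivation is that pfkey is the wrong indicator rather than that the check is useless, consider replacing it with a direct XFRM probe, for example the presence of `/proc/sys/net/core/xfrm_acq_expires` (which `_stackmanager` already relies on) or a test-open of a `NETLINK_XFRM` socket, and keep the `exit_pluto(PLUTO_EXIT_KERNEL_FAIL)` path for the failure case.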
-- 
2.20.1

-------------- next part --------------
From 209d616186c404b66d7cea3c6fa59a0526c3f1bd Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Thu, 2 May 2019 15:17:13 +0000
Subject: [PATCH 2/2] stackmanager: netkey do not need pfkey since b248daa35

netkey stack manager doesn't check for /proc/net/pfkey
---
 programs/_stackmanager/_stackmanager.in | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/programs/_stackmanager/_stackmanager.in b/programs/_stackmanager/_stackmanager.in
index 2da2d781c..c8b98f81b 100644
--- a/programs/_stackmanager/_stackmanager.in
+++ b/programs/_stackmanager/_stackmanager.in
@@ -149,12 +149,6 @@ startnetkey() {
     else
 	echo "WARNING: can not change /proc/sys/net/core/xfrm_acq_expires from ${xcur} to ${xfrmlifetime}" >&2
     fi
-
-    # Fail on error in loading NETKEY/XFRM stack
-    if [ ! -f ${kamepfkey} ]; then
-	echo "FAILURE in loading NETKEY/XFRM stack" >&2
-	exit 1
-    fi
 }
 
 stopklips() {
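Review bot: after this removal `${kamepfkey}` is no longer referenced in `startnetkey()`; if that variable is defined elsewhere in `_stackmanager.in` only for this check, drop the definition too so it does not linger as dead code. Note also that `startnetkey()` now never exits non-zero: the only remaining sign of the XFRM stack this function looks at is the `xfrm_acq_expires` handling above, and a failure there is a WARNING rather than an exit. Consider turning a missing `/proc/sys/net/core/xfrm_acq_expires` into the "FAILURE in loading NETKEY/XFRM stack" exit that this hunk deletes, since that sysctl only exists when XFRM is present and is therefore a better indicator than `/proc/net/pfkey` ever was.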
-- 
2.20.1
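The footnote above checks `.config` for `CONFIG_NET_KEY`, and the patches drop a `/proc/net/pfkey` test that was really standing in for "is XFRM available". The script below is an added example, not part of this thread or of Libreswan: it separates the two questions, answering them from a kernel `.config` (the footnote's procedure, extended to `CONFIG_XFRM`) and from the running kernel's `/proc` tree. The function names, the `xfrm`/`pfkey` labels and the sample `.config` fragments are constructed for the example; the `/proc/sys/net/core/xfrm_acq_expires` path is the one the `_stackmanager` script itself pokes.

```shell
#!/bin/sh
# Added example (not from the thread or from Libreswan). Assumes a Linux
# kernel .config layout and a Linux /proc. All names below are ours.

# config_option FILE OPTION -> prints y, m or n for OPTION in a .config.
# "# OPTION is not set" and an absent line both count as n.
config_option() {
    file=$1; opt=$2
    if grep -q "^${opt}=y" "$file"; then echo y
    elif grep -q "^${opt}=m" "$file"; then echo m
    else echo n
    fi
}

# classify XFRM PFKEY -> one label from the y/m/n state of the two options.
# CONFIG_NET_KEY selects XFRM in Kconfig, so "pfkey-without-xfrm" is a
# combination a stock kernel tree should never produce.
classify() {
    xfrm=$1; pfkey=$2
    case "$xfrm$pfkey" in
        nn)  echo none ;;
        n*)  echo pfkey-without-xfrm ;;
        ?n)  echo xfrm ;;            # IPsec works, /proc/net/pfkey does not exist
        *)   echo xfrm+pfkey ;;
    esac
}

# ipsec_stack FILE -> classify a kernel .config (e.g. /boot/config-$(uname -r)
# or the output of `zcat /proc/config.gz`).
ipsec_stack() {
    classify "$(config_option "$1" CONFIG_XFRM)" \
             "$(config_option "$1" CONFIG_NET_KEY)"
}

# live_stack -> same labels for the running kernel, read from /proc.
# The xfrm sysctl only exists when XFRM is compiled in; /proc/net/pfkey only
# when PF_KEY is registered. Neither implies the other, which is the point.
live_stack() {
    if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then xfrm=y; else xfrm=n; fi
    if [ -f /proc/net/pfkey ]; then pfkey=y; else pfkey=n; fi
    classify "$xfrm" "$pfkey"
}

# sample_config KIND -> path to a constructed .config fragment (not taken
# from any real kernel build); the caller removes the file.
sample_config() {
    f=$(mktemp)
    case "$1" in
        full)     printf 'CONFIG_XFRM=y\nCONFIG_NET_KEY=m\n' > "$f" ;;
        xfrmonly) printf 'CONFIG_XFRM=y\n# CONFIG_NET_KEY is not set\n' > "$f" ;;
        none)     printf '# CONFIG_XFRM is not set\n' > "$f" ;;
    esac
    echo "$f"
}

# Demo: classify each constructed fragment, then the running kernel.
for kind in full xfrmonly none; do
    f=$(sample_config "$kind")
    echo "$kind: $(ipsec_stack "$f")"
    rm -f "$f"
done
echo "running kernel: $(live_stack)"
```

On a kernel built as in the footnote (`# CONFIG_NET_KEY is not set`) `live_stack` prints `xfrm`, which is exactly the configuration the old `/proc/net/pfkey` test misreported as "No XFRM/NETKEY kernel interface detected".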
