[strongSwan-dev] [PATCH 1/2] Fix packet drop due to race condition on initiator
Martin Willi
martin at strongswan.org
Fri Jul 11 12:35:55 CEST 2014
Christophe,
> Insert new ike_sas in the sa table as soon as they are created in
> checkout_new.
Thanks for your patch.
Unfortunately, it is not unproblematic. The problem is that
checkout_new() is called from threads holding another IKE_SA, for
example during rekeying. This results in the situation that a thread
holds two IKE_SAs, which breaks the golden rule to avoid deadlocks.
If I remember correctly, some years ago we explicitly changed the
behavior to register the IKE_SA not before check-in to exactly avoid
dead-locks resulting from this behavior.
I don't know if there is a better fix for this issue, but I don't think
there really is one needed. Under high load, packet drops can occur.
This are not ideal, but it will happen anyway. Retransmission should
take care that the SA comes up nonetheless.
Regards
Martin
More information about the Dev
mailing list