[strongSwan-dev] Too many interfaces

Philip Prindeville philipp_subx at redfish-solutions.com
Thu May 14 02:12:01 CEST 2015

We have a scenario where we're using pluto (for legacy reasons) and a very large number of IPs are configured on the server (or alternately, the server has a large number of public IPs).

We've run into 2 different problems:

* exhausting the ifreq[300] array in find_raw_ifaces4();

* exhausting the RLIMIT_NOFILE (the per-process limit on open files) in process_raw_ifaces()/create_socket();

I wanted to do an enhancement where we add a knob like "pluto.maxifs" which would provision the size of ifreq[] (now as a malloc()'d structure, or possibly using getifaddrs()) to the correct size, as well as setting (via setrlimit(RLIMIT_NOFILE)) the number of potential open file descriptors in pluto to be maxifs+epsilon (where epsilon would cover additional file descriptors needed for syslog, stdout, stderr, config files, the control sockets to talk to "ipsec", etc... probably about 20).

I would similarly add such a knob for "charon.maxifs".

And of course we'd upstream the enhancement once we'd tested it in-house.

Does this seem like a reasonable venture?
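
The sizing described in the message above, as an added example that is not part of the original post and is not pluto or charon code: it counts the configured IPv4 addresses with getifaddrs() and raises the soft RLIMIT_NOFILE to that count plus epsilon, failing early when the hard limit is too low. The names count_ipv4_addrs, nofile_needed, ensure_nofile and FD_EPSILON are hypothetical.

```c
/* Added example (hypothetical helper names, not strongSwan source). */
#include <ifaddrs.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>

#define FD_EPSILON 20 /* assumption: the "about 20" extra descriptors from the post */

/* Count configured IPv4 addresses without a fixed-size array; -1 on error. */
long count_ipv4_addrs(void)
{
    struct ifaddrs *list, *ifa;
    long n = 0;
    if (getifaddrs(&list) != 0)
        return -1;
    for (ifa = list; ifa != NULL; ifa = ifa->ifa_next)
        if (ifa->ifa_addr != NULL && ifa->ifa_addr->sa_family == AF_INET)
            n++;
    freeifaddrs(list);
    return n;
}

/* maxifs + epsilon descriptors, saturating instead of wrapping around. */
rlim_t nofile_needed(rlim_t maxifs, rlim_t epsilon)
{
    return maxifs + epsilon < maxifs ? RLIM_INFINITY : maxifs + epsilon;
}

/* Raise the soft RLIMIT_NOFILE to at least `need`, leaving the hard limit alone.
 * Returns 0 on success, -1 if `need` exceeds the hard limit or a call fails. */
int ensure_nofile(rlim_t need)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur >= need)
        return 0;  /* already enough descriptors */
    if (need > rl.rlim_max)
        return -1; /* fail at startup rather than partway through binding sockets */
    rl.rlim_cur = need;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

int main(void)
{
    long n = count_ipv4_addrs();
    int ok = n >= 0 && ensure_nofile(nofile_needed((rlim_t)n, FD_EPSILON)) == 0;
    printf("%ld IPv4 addresses, fd limit %s\n", n, ok ? "sufficient" : "NOT sufficient");
    return ok ? 0 : 1;
}
```

Checking the hard limit before any socket is created turns silent descriptor exhaustion into a startup error that can be logged and monitored.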


