RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1706180 - Remove last usage of old (unused) PF_KEY API
Summary: Remove last usage of old (unused) PF_KEY API
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libreswan
Version: 8.1
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: 8.0
Assignee: Paul Wouters
QA Contact: Jaroslav Aster
URL:
Whiteboard:
Depends On:
Blocks: 1706183
TreeView+ depends on / blocked
 
Reported: 2019-05-03 18:10 UTC by Paul Wouters
Modified: 2020-11-14 12:02 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 20:59:01 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3391 0 None None None 2019-11-05 20:59:11 UTC

Description Paul Wouters 2019-05-03 18:10:49 UTC 
libreswan has only a few places left where it still uses the old PFKEY API (af_key.ko). These are now being phased out upstream.

With this change, the kernel can be recompiled without CONFIG_NET_KEY support.

Apparently, this can cause a significant performance boost (some numbers say about 5%) likely due to the fact that the kernel is preparing broadcast messages for the PF_KEY API for NAT encapsulation updates in pfkey_send_new_mapping()
Comment 2 Jaroslav Aster 2019-07-30 15:28:19 UTC 
Hi Paul,

I'm not sure how to verify this bug. I checked the code and only thing, I found, is this:

# libreswan-3.27-9.el8.src/libreswan-3.27
1040>> grep af_key -r *
programs/_stackmanager/_stackmanager.in:         xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 af_key \
programs/_stackmanager/_stackmanager.in:     xfrm4_mode_beet esp4 esp6 ah4 ah6 af_key ip_vti
programs/_realsetup.bsd/_realsetup.in:           lsmod 2>&1 | grep "^af_key" > /dev/null && rmmod af_ke

# libreswan-3.28-1.el8.src/libreswan-3.28
1042>> grep af_key -r *
CHANGES:* _stackmanager: Do not attempt to load PF_KEY (af_key.ko) module [Paul]
programs/_realsetup.bsd/_realsetup.in:          lsmod 2>&1 | grep "^af_key" > /dev/null && rmmod af_key

Is this the only change in the code?
Comment 3 Paul Wouters 2019-07-30 15:51:13 UTC 
There are some more changes.

We used to detect the XFRM/IPsec kernel code by checking for /proc/net/pfkey which is provided by the kernel module af_key.ko. We changed that upstream to use /proc/net/xfrm_stat instead. However, that is provided only when compiled with CONFIG_XFRM_STATISTICS, which is true for fedora/redhat but not for older Debian/Ubuntu systems. So we then switched upstream to checking the XFRM/IPsec kernel code by checking for /proc/sys/net/core/xfrm_acq_expires

For the base test, you should start the ipsec service and bring up a tunnel. If that works, then there is no regresion on XFRM/IPsec stack detection.

But there is one issue. The af_key.ko module (provided by CONFIG_NET_KEY) is getting auto-loaded due to other kernel modules related to XFRM. So we still get this deprecates module loaded by accident. I filed a bug for that for the kernel people to either fix the auto-load or to just disable CONFIG_NET_KEY entirely (both libreswan and strongswan no longer need it, only the ancient ipsec-tools which we haven't supported since RHEL5 needs it)

So if you want to test that libreswan won't break on any future kernel where CONFIG_NET_KEY is disabled or prevented from auto-loading, you should do this additional test:

systemctl stop ipsec
rmmod af_key
rm -f /lib/modules/`uname -r`/kernel/net/key/af_key.ko*
depmod -a
systemctl start ipsec
[bring up the tunnel again]

If that works, then you confirmed that libreswan runs fully without CONFIG_NET_KEY (af_key)


The related kernel bug is: https://bugzilla.redhat.com/show_bug.cgi?id=1706183
Comment 4 Paul Wouters 2019-07-30 15:54:02 UTC 
note that the original reason for ensuring af_key no longer loads, is that there have been reports of 10% CPU load being wasted by the kernel because for XFRM/netlink messages it will create the equivalent PF_KEYv2 messages if the af_key.ko module is loaded, despite there being no process that is listening for PFKEYv2 kernel messages.
Comment 8 errata-xmlrpc 2019-11-05 20:59:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3391
Note You need to log in before you can comment on or make changes to this bug.