Bug 181617 - LTC21679-PF_KEY does not dump all IPsec SPD entries
Product: Fedora
Classification: Fedora
Component: ipsec-tools
Hardware: All, OS: Linux
Priority: medium, Severity: high
Assigned To: Harald Hoyer
Reported: 2006-02-15 09:46 EST by IBM Bug Proxy
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-09-24 09:48:39 EDT
Description IBM Bug Proxy 2006-02-15 09:46:23 EST
LTC Owner is: bugrobot@linux.ibm.com
LTC Originator is: gcwilson@us.ibm.com

Problem description:  Racoon SPD dump requests via PF_KEY result in an
incomplete set of entries being returned to userspace when the number of entries
exceeds available socket buffer space.  This is a known PF_KEY issue.  TCS is
working on a solution that involves using netlink for SPD dumps, and PF_KEY for
everything else.  It is an open question whether this approach will be
acceptable to the ipsec-tools maintainers.  This bug report exists to track the
TCS work into FC5 and RHEL5.  Here is a top-level post on ipsec-tools-devel:

If this is a customer issue, please indicate the impact to the customer: 
Customers using ipsec-tools cannot use racoon and setkey to manage all the SPD
entries when the number of entries is large (several thousand entries).

If this is not an installation problem,
       Describe any custom patches installed.

       Provide output from "uname -a", if possible:  NA.  This issue is present
in both the Linux and BSD IPsec implementations.

Hardware Environment
    Machine type (p650, x235, SF2, etc.): NA
    Cpu type (Power4, Power5, IA-64, etc.): NA
    Describe any special hardware you think might be relevant to this problem: NA

Please provide contact information if the submitter is not the primary contact.

Please provide access information for the machine if it is available.

Is this reproducible?
    If so, how long does it (did it) take to reproduce it?  Unknown.
    Describe the steps:  Establish a large SPD, use setkey to dump it, not all
entries are returned.

    If not, describe how the bug was encountered:  Known bug causing issues with
IPsec/SELinux labeled network testing for LSPP.

Is the system (not just the application) hung?  No.
    If so, describe how you determined this:

Did the system produce an OOPS message on the console?  No.
    If so, copy it here:

Is the system sitting in a debugger right now?  No.
    If so, how long may it stay there?

Additional information:
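
The reproduction step in the description above ("Establish a large SPD, use setkey to dump it"), written out as a script that also reports whether the dump came back complete. This is an added example, not part of the original report or of ipsec-tools. The 10.199/10.200 addresses and the file name `spd_check.sh` are constructed, the counting pattern assumes `setkey -DP` starts each policy on an unindented `addr[port]` line, and the live run assumes the SPD is empty beforehand.

```shell
#!/bin/sh
# Added example: reproduce and detect an incomplete PF_KEY SPD dump.

# gen_spd N: print N distinct policies in setkey syntax (N <= 65536).
# 10.199.0.1 and 10.200.0.0/16 are constructed test addresses.
gen_spd() {
    n=$1
    i=0
    while [ "$i" -lt "$n" ]; do
        printf 'spdadd 10.199.0.1/32 10.200.%d.%d/32 any -P out ipsec esp/transport//require;\n' \
            $((i / 256)) $((i % 256))
        i=$((i + 1))
    done
}

# count_dumped: count policies in `setkey -DP` output read from stdin.
# Assumption: each policy starts on an unindented "addr[port] addr[port] proto"
# line and its detail lines are indented.
count_dumped() {
    grep -c '^[^[:space:]].*\[.*\]' || true
}

# check_dump EXPECTED: compare the dumped count on stdin with EXPECTED.
check_dump() {
    expected=$1
    got=$(count_dumped)
    if [ "$got" -eq "$expected" ]; then
        echo "complete: $got of $expected policies dumped"
    else
        echo "INCOMPLETE: $got of $expected policies dumped"
        return 1
    fi
}

# Live run, as root on a scratch host whose SPD is empty:
#   sh spd_check.sh --run 5000
# It loads the policies, dumps them over PF_KEY, compares, then flushes the SPD.
if [ "${1:-}" = "--run" ]; then
    n=${2:-5000}
    gen_spd "$n" | setkey -c
    setkey -DP | check_dump "$n"
    rc=$?
    setkey -FP
    exit "$rc"
fi
```

A non-zero exit from the live run means the number of policies returned by the dump differs from the number loaded.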
Comment 1 Rahul Sundaram 2006-02-20 06:17:33 EST

These bugs are being closed since a large number of updates have been released
after the FC5 test1 and test2 releases. Kindly update your system by running yum
update as root user or try out the third and final test version of FC5 being
released in a short while and verify if the bugs are still present on the system.
Reopen or file new bug reports as appropriate after confirming the presence of
this issue. Thanks
Comment 2 Steve Grubb 2006-02-20 08:24:42 EST
Rahul, please do not close this bug unless you've tested that it works. This
bug blocks our work for LSPP.
Comment 3 Rahul Sundaram 2006-02-20 08:27:27 EST
Can we assign it against fedora-devel instead of one of the test versions? That
would help me triage better. 
Comment 4 Rahul Sundaram 2006-02-20 08:28:38 EST
One more thing. It would also help to change status to assigned instead of new
for reports that the developers are already working on. 
Comment 5 Steve Grubb 2006-09-24 09:48:39 EDT
Patch was applied in April. Closing this bug.
