Bug 526859 - Modify racoon to allow more than 3,000 file handles.
Summary: Modify racoon to allow more than 3,000 file handles.
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipsec-tools
Version: 5.4
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: BaseOS QE
Depends On:
Blocks: 554476
Reported: 2009-10-02 06:40 UTC by Wade Mealing
Modified: 2018-10-27 14:11 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2012-03-05 15:20:51 UTC
Target Upstream Version:


Description Wade Mealing 2009-10-02 06:40:17 UTC
Description of problem:

Some customers use more than the standard 1024 file descriptors.  This is a particular problem, for racoon's IKE daemon binds to each of them separately at least once for its IKE ports.

Unfortunately this is more than the FD_SETSIZE limit for select().

I believe that this can be changed by using poll/epoll, however that would fall into the feature request more so than a bug fix.

Version-Release number of selected component (if applicable):


How reproducible:

Every time.

Steps to Reproduce:
1.  Configure racoon to set up 3000 rules for 3000 different IP addresses for IKE
2.  Start racoon
3.  Wait.

Actual results:

2009-08-25 10:53:21: INFO: fe80::21e:bff:fed1:44bc%bond0[500] used as isakmp port (fd=6114)
2009-08-25 10:53:21: INFO: fe80::fcff:ffff:feff:ffff%vif0.1[500] used as isakmp port (fd=6115)
2009-08-25 10:53:21: INFO: fe80::21e:bff:fed1:44be%bond1[500] used as isakmp port (fd=6116)
2009-08-25 10:53:21: INFO: fe80::200:ff:fe00:0%virbr0[500] used as isakmp port (fd=6117)
2009-08-25 10:53:21: ERROR: fd_set overrun

Expected results:

IKE to continue and finish.

Additional info:

I had previously attempted to modify FD_SETSIZE in a test program with a define; however, this didn't seem to work in my application, therefore I assume that with racoon being considerably more complicated it would not work either.
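
The poll() approach mentioned in the report, as an added example that is not part of the original bug report and is not racoon's code: it checks whether a descriptor number fits in an fd_set and waits on a descriptor numbered above FD_SETSIZE with poll(). The function names are hypothetical, and the pipe duplicated onto a high descriptor number is a constructed stand-in for racoon's many IKE sockets.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* An fd_set is a fixed bitmap of FD_SETSIZE bits; FD_SET() with a larger
 * number is undefined behaviour (an out-of-bounds write), so check first. */
int select_can_watch(int fd) {
    return fd >= 0 && fd < FD_SETSIZE;
}

/* poll() takes an array of (fd, events) entries, so the numeric value of
 * the descriptor does not matter. Returns 1 readable, 0 timeout, -1 error. */
int poll_readable(int fd, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int n = poll(&p, 1, timeout_ms);
    if (n <= 0)
        return n;
    return (p.revents & POLLIN) ? 1 : -1;
}

/* Demo helper: duplicate fd onto a number >= FD_SETSIZE, raising the soft
 * RLIMIT_NOFILE to the hard limit first. Returns the new fd, or -1 when the
 * hard limit does not allow it. */
int dup_above_fd_setsize(int fd) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return fcntl(fd, F_DUPFD, FD_SETSIZE + 16);
}

int main(void) {
    int pfd[2];
    if (pipe(pfd) != 0 || write(pfd[1], "x", 1) != 1)
        return 1;
    int hi = dup_above_fd_setsize(pfd[0]);
    if (hi < 0) {
        perror("cannot obtain a high descriptor");
        return 1;
    }
    printf("fd=%d FD_SETSIZE=%d select_can_watch=%d poll_readable=%d\n",
           hi, FD_SETSIZE, select_can_watch(hi), poll_readable(hi, 0));
    return 0;
}
```

Redefining FD_SETSIZE before the includes does not resize glibc's fd_set, which is why a select()-based loop needs either the range check or a move to poll()/epoll.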

Comment 1 Tomas Mraz 2009-10-02 06:58:38 UTC
This would require substantial changes to the racoon implementation and it would have to be accepted by upstream first. Could the customer try to use openswan instead of ipsec-tools given that openswan is the preferred IKE solution in RHEL?

Comment 2 R P Herrold 2009-10-02 14:43:27 UTC

Your comment 1 startled me.  Where is this documented as to 'preferred' applications when multiples exist?

I can get an opened case through a TAC of course for the answer, but if you know off the top of your head, I'd appreciate it.

-- Russ herrold

Comment 3 Tomas Mraz 2009-10-02 15:05:09 UTC
I don't know if this is documented anywhere. It's just that openswan was recently added to RHEL-5 as it supports the Linux kernel interfaces for setting the IPSEC policies better and its design is probably more robust.

Comment 5 R P Herrold 2009-10-07 17:02:04 UTC
Thank you, Tomas, for your reply.

Comment 7 RHEL Program Management 2009-11-06 18:56:38 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 11 Tomas Mraz 2012-03-05 15:20:51 UTC
We currently do not plan to fix this issue in Red Hat Enterprise Linux 5.
