From: Michael Rash Date: Tue, 24 Jul 2012 01:13:30 +0000 (-0400) Subject: PCAP_LOOP_SLEEP bug fix to 1/10th of a second X-Git-Tag: fwknop-2.0.1-pre5~3 X-Git-Url: http://www.cipherdyne.com/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff_plain;h=5387242ce99bf705d1f30d63a1b5b7cdfdcf517a PCAP_LOOP_SLEEP bug fix to 1/10th of a second [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in microseconds). This was supposed to be the default anyway, but C Anthony Risinger reported a bug where fwknopd was consuming more resources than necessary, and the cause was PCAP_LOOP_SLEEP set by default to 1/100th of a second - this has been fixed. --- diff --git a/CREDITS b/CREDITS index 1d3c17a..5209259 100644 --- a/CREDITS +++ b/CREDITS @@ -24,3 +24,7 @@ Andy Rowland access.conf file would result in access requests that matched the second stanza to always be treated as a replay attack. This has been fixed for the fwknop-2.0.1 release. + +C Anthony Risinger + - Caught a bug where the default PCAP_LOOP_SLEEP value was 1/100th of a + second instead of the intended default of 1/10th of a second. diff --git a/ChangeLog b/ChangeLog index 09f908f..c2f1ba2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,5 @@ fwknop-2.0.1 (07//2012): - - Bug fix where the same encryption key used for two stanzas in + - [server] Bug fix where the same encryption key used for two stanzas in the access.conf file would result in access requests that matched the second stanza to always be treated as a replay attack. This has been fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland. Now 
@@ -9,8 +9,13 @@ fwknop-2.0.1 (07//2012): digest list right after the first access.conf stanza match, so when SPA packet data matched the second access.conf stanza a matching replay digest would already be there. - - Added SPA message validation calls to fko decoding routines to help - ensure that SPA messages conform to expected values. + - [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in + microseconds). This was supposed to be the default anyway, but C + Anthony Risinger reported a bug where fwknopd was consuming more + resources than necessary, and the cause was PCAP_LOOP_SLEEP set by + default to 1/100th of a second - this has been fixed. + - [libfko] Added SPA message validation calls to fko decoding routines to + help ensure that SPA messages conform to expected values. - Bug fix for PF firewalls: updated the PF anchor check to not rely on listing the PF policy - fwknopd now uses 'pfctl -s Anchor' instead. - [test suite] Added parsing of valgrind output to produce a listing of @@ -20,8 +25,8 @@ fwknop-2.0.1 (07//2012): instead of libfko.so. This fixes the existence check for libfko. - [test suite] Added tests for --nat-local mode. - [client] Fixed several minor memory leaks caught by valgrind. - - Minor gcc warning fix: fko_decode.c:43:17: warning: variable ‘edata_size’ - set but not used [-Wunused-but-set-variable]. + - [libfko] Minor gcc warning fix: fko_decode.c:43:17: warning: variable + ‘edata_size’ set but not used [-Wunused-but-set-variable]. fwknop-2.0 (01/02/2012): - This is the first production release that has been completely re-written diff --git a/server/config_init.h b/server/config_init.h index cc8b2a7..c3eb94e 100644 --- a/server/config_init.h +++ b/server/config_init.h 
@@ -36,7 +36,7 @@ /* For integer variable range checking */ -#define RCHK_MAX_PCAP_LOOP_SLEEP 100000 /* microseconds */ +#define RCHK_MAX_PCAP_LOOP_SLEEP 10000000 /* microseconds, 10 seconds */ #define RCHK_MAX_SPA_PACKET_AGE 100000 /* seconds, can disable */ #define RCHK_MAX_SNIFF_BYTES 1514 #define RCHK_MAX_TCPSERV_PORT 65535 diff --git a/server/fwknopd.conf b/server/fwknopd.conf index a9a6046..2b6e268 100644 --- a/server/fwknopd.conf +++ b/server/fwknopd.conf @@ -74,8 +74,8 @@ #PCAP_DISPATCH_COUNT 0; # Sets the number of microseconds to passed as an argument to usleep() in -# the pcap loop. The default is 10000, or 1/10th of a second. -#PCAP_LOOP_SLEEP 10000; +# the pcap loop. The default is 100000 microseconds, or 1/10th of a second. +#PCAP_LOOP_SLEEP 100000; # Allow SPA clients to request access to services through an iptables # firewall instead of just to it (i.e. access through the FWKNOP_FORWARD diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h index 4fe7ec4..d5abd74 100644 --- a/server/fwknopd_common.h +++ b/server/fwknopd_common.h @@ -86,7 +86,7 @@ #define DEF_ENABLE_PCAP_PROMISC "N" #define DEF_PCAP_FILTER "udp port 62201" #define DEF_PCAP_DISPATCH_COUNT "0" -#define DEF_PCAP_LOOP_SLEEP "10000" /* a tenth of a second */ +#define DEF_PCAP_LOOP_SLEEP "100000" /* a tenth of a second (in microseconds) */ #define DEF_ENABLE_SPA_PACKET_AGING "Y" #define DEF_MAX_SPA_PACKET_AGE "120" #define DEF_ENABLE_DIGEST_PERSISTENCE "Y"
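Review bot: in the two ChangeLog hunks, the release header carried as context still reads `fwknop-2.0.1 (07//2012):` with nothing between the slashes; since this change already rewrites the 2.0.1 entry, the day should be filled in before tagging. The added `[server]` and `[libfko]` prefixes are a good consistency fix, as the surrounding `[test suite]` and `[client]` entries already use that convention.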
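Review bot: in the server/config_init.h hunk, raising RCHK_MAX_PCAP_LOOP_SLEEP from 100000 to 10000000 admits values of one second and more, but the fwknopd.conf comment in this same patch says the value is passed straight to usleep(), and usleep() on POSIX.1-2001 systems may fail with EINVAL for arguments of 1000000 or greater, so a configured value the range check now accepts could produce no sleep at all. Either keep the cap below 1000000 or have the pcap loop split larger values (or call nanosleep()). Independently, a 10 second ceiling means an operator can delay SPA packet handling by up to 10 s per loop iteration, which is worth a comment if that upper bound is intended.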
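Review bot: in the server/fwknopd.conf hunk, the unchanged context line still reads "the number of microseconds to passed as an argument to usleep()"; since this comment is being edited anyway, change it to "to be passed". The replaced lines are correct: the old text called 10000 "1/10th of a second", which is the arithmetic slip behind the reported CPU usage (the loop was polling 100 times a second instead of 10), and the new wording states the unit explicitly next to the number.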
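Review bot: in the server/fwknopd_common.h hunk, DEF_PCAP_LOOP_SLEEP "100000" now matches its comment, but the same literal is now repeated in the fwknopd.conf comment and the ChangeLog, while the range-check bound RCHK_MAX_PCAP_LOOP_SLEEP lives in a different header (server/config_init.h); the previous bound of 100000 sat exactly at this new default, so a cross-reference comment between the two macros would help keep them in step the next time either is changed. The trade-off the new default makes is a tenth of the polling rate for up to 100 ms of added latency before an SPA packet is seen, which is acceptable for single-packet authorization but deserves a mention in the conf comment.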