By default, pfkey allocates a 2MB buffer that is used for SPD entries. This size is a good choice for a server system where a lot of clients should be handled. But on our embedded systems, an application with that many clients is unlikely and 2MB is a lot of space. So reduce that to the default value of 128kB which should be enough for a small number of ipsec connections.
See https://bugzilla.redhat.com/show_bug.cgi?id=607361 for more details on why the upstream project originally increased the size. If someone really needs a bigger size, there is an option in the configuration file of pfkey called `pfkey_buffer` that can overwrite this value. --- ipsec-tools/src/libipsec/pfkey.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ipsec-tools/src/libipsec/pfkey.c b/ipsec-tools/src/libipsec/pfkey.c index 385a21a9..cc6ad816 100644 --- a/ipsec-tools/src/libipsec/pfkey.c +++ b/ipsec-tools/src/libipsec/pfkey.c @@ -1836,8 +1836,18 @@ pfkey_open(void) (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz_wanted, sizeof(bufsiz_wanted)); +#ifndef __rtems__ /* Try to have have at least 2MB. If we have more, do not lower it. */ bufsiz_wanted = 2 * 1024 * 1024; +#else /* __rtems__ */ + /* + * The bufsize_wanted has an influence on the maximum number of SPDs. We + * don't really need that much of them on an embedded system. If some + * application really needs it, this can be overwritten with the + * pfkey_buffer option in the config file. + */ + bufsiz_wanted = 128 * 1024; +#endif /* __rtems__ */ len = sizeof(bufsiz_current); ret = getsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz_current, &len); -- 2.31.1
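Review bot: In the comment added under `#else /* __rtems__ */` the variable is spelled `bufsize_wanted`, but the code assigns `bufsiz_wanted`; use the real name so a search for the variable finds the comment, and change "that much of them" to "that many of them". The comment should also say what the value applies to: the `SO_SNDBUF` call runs before this assignment and `SO_RCVBUF` is queried right after it, so only the receive buffer request appears to change. Going by the retained note "If we have more, do not lower it", it is worth stating whether 128 kB is likewise a minimum on RTEMS rather than a cap, since the commit message presents it as a reduction. The context line still reads "Try to have have at least 2MB"; the duplicated word could be fixed while this block is being touched.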