On Tue, 7 Oct 2003 19:37:24 +1000 Herbert Xu <herbert@gondor.apana.org.au> wrote:

> In particular, I'm concerned about the case where you issue a XFRM
> request with side-effects (ADD/DEL/REPLACE) and never get a reply
> because both the original reply and the subsequent netlink_ack fail
> due to memory exhaustion. This leaves the policy/state database in
> an unknown state and it is difficult for the KM to recover.

Check for -ENOBUFS in the return from your request; if you see that (or another error more specific to your request type), reread the database to resync with the kernel.

I would also suggest increasing the socket buffers a little bit, but not much.

The feature you think is so great about PFKEY (and thus also with BSD routing sockets) is what makes those interfaces so synchronous and suck so badly. When you make a database dump request to BSD, it has to provide the entire result in a single recvmsg() call regardless of how large the database in question is.
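The ENOBUFS check and resync described in the reply above, sketched in C as an added example; it is not code from this thread, the kernel, or any key manager. The names `km_io`, `km_request`, `km_demo` and the fake transport are hypothetical, and the transport is injected through function pointers so the lost-ack case can be exercised without a live NETLINK_XFRM socket.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

enum km_result { KM_FAILED = -1, KM_ACKED = 0, KM_RESYNCED = 1 };
/* Hypothetical hooks: in a key manager tx/rx wrap send()/recv() on the
 * NETLINK_XFRM socket and resync rereads the SA/policy databases. */
struct km_io {
    ssize_t (*tx)(struct km_io *io, const void *buf, size_t len);
    ssize_t (*rx)(struct km_io *io, void *buf, size_t len);
    int (*resync)(struct km_io *io);
    int kerr, fake_errno; /* kerr: errno carried by the ack; fake_errno: fake only */
};

/* Send one ADD/DEL/REPLACE and wait for its ack. ENOBUFS means a reply or
 * ack was dropped, so the outcome is unknown: reread instead of guessing. */
enum km_result km_request(struct km_io *io, const struct nlmsghdr *req) {
    union { struct nlmsghdr h; char raw[8192]; } buf;
    ssize_t n = io->tx(io, req, req->nlmsg_len);
    while (n >= 0) {
        n = io->rx(io, &buf, sizeof(buf));
        if (n < 0 && errno == EINTR) { n = 0; continue; }
        long left = n;
        for (struct nlmsghdr *h = &buf.h; NLMSG_OK(h, left); h = NLMSG_NEXT(h, left)) {
            if (h->nlmsg_seq != req->nlmsg_seq || h->nlmsg_type != NLMSG_ERROR ||
                h->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr)))
                continue; /* notification, stale reply or truncated ack */
            io->kerr = -((struct nlmsgerr *)NLMSG_DATA(h))->error;
            return KM_ACKED; /* kerr == 0: the kernel applied the request */
        }
    }
    return errno == ENOBUFS && io->resync(io) == 0 ? KM_RESYNCED : KM_FAILED;
}

/* Constructed fake: acks seq 7 unless fake_errno is set (ENOBUFS = lost ack). */
static ssize_t fake_tx(struct km_io *io, const void *b, size_t n) { (void)io; (void)b; return n; }
static int fake_resync(struct km_io *io) { io->kerr = 0; return 0; }
static ssize_t fake_rx(struct km_io *io, void *b, size_t n) {
    struct { struct nlmsghdr h; struct nlmsgerr e; } ack = { .h = { sizeof(ack), NLMSG_ERROR, 0, 7, 0 } };
    if (io->fake_errno) { errno = io->fake_errno; return -1; }
    memcpy(b, &ack, n < sizeof(ack) ? n : sizeof(ack));
    return sizeof(ack);
}
int km_demo(int fake_errno) {
    struct km_io io = { fake_tx, fake_rx, fake_resync, 0, fake_errno };
    struct nlmsghdr req = { .nlmsg_len = NLMSG_HDRLEN, .nlmsg_seq = 7 };
    return km_request(&io, &req);
}
int main(void) { return km_demo(ENOBUFS) == KM_RESYNCED ? 0 : 1; }
```

With a real socket, a modest `SO_RCVBUF` increase via `setsockopt()` makes the ENOBUFS path rarer, but the resync branch is still needed because the buffer can overflow at any size.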