On Mon, 2019-03-25 at 15:27 +0000, Phillips, Tony wrote:
> So to me that reads as "1491 outbound UDP packets suffered "send buffer errors."
> That resulted in 1491 IP packets being dropped.
> That, in turn yielded 1490 TCP segments (which were inside IPSec UDP packets) being lost, and thus retransmitted.
>
> This REALLY smells funny.

Oh, wait. I keep looking at the DTLS code and this isn't DTLS. Let's look at the ESP code instead.

	while ((this = dequeue_packet(&vpninfo->outgoing_queue))) {
		int len;

		len = encrypt_esp_packet(vpninfo, this);
		if (len > 0) {
			ret = send(vpninfo->dtls_fd, (void *)&this->esp, len, 0);
			if (ret < 0) {
				/* Not that this is likely to happen with UDP, but... */
				if (errno == ENOBUFS || errno == EAGAIN || errno == EWOULDBLOCK) {
					monitor_write_fd(vpninfo, dtls);
					/* XXX: Keep the packet somewhere? */
					free(this);
					return work_done;
				} else {
					/* A real error in sending. Fall back to TCP? */
					vpn_progress(vpninfo, PRG_ERR,
						     _("Failed to send ESP packet: %s\n"),
						     strerror(errno));
				}
			} else {
				vpninfo->dtls_times.last_tx = time(NULL);
				vpn_progress(vpninfo, PRG_TRACE,
					     _("Sent ESP packet of %d bytes\n"), len);
			}

Stick a printf in next to that "XXX: Keep the packet somewhere?" comment :)

I can't remember why I didn't actually do what the comment says. Was it just because I need a flag to say it's already encrypted, to avoid doing so a second time when we resend?
_______________________________________________ openconnect-devel mailing list openconnect-devel@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/openconnect-devel
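The message above points at the ENOBUFS/EAGAIN branch, where the just-encrypted packet is freed instead of kept, and asks whether keeping it would need a flag marking it as already encrypted. The following is an added example, not OpenConnect's code and not from this thread: a self-contained drain loop in the same shape, with a constructed three-packet queue and a fake non-blocking send() that pushes back once with EAGAIN. On that error the packet is requeued at the head with its encrypted flag set, so the retry sends the existing ESP bytes rather than running encryption twice. Every name (struct pkt, flush_outgoing, fake_send, encrypt_packet) is hypothetical, and encrypt_packet is a toy XOR stand-in for ESP, not cryptography.

```c
/* Added example (not OpenConnect code): a UDP drain loop that, on
 * ENOBUFS/EAGAIN, requeues the already-encrypted packet instead of freeing
 * it, using an "encrypted" flag so the resend does not encrypt twice.
 * All names are hypothetical; the encryption and the socket are toys. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

struct pkt {
	struct pkt *next;
	int encrypted;             /* esp[] already valid; do not encrypt again */
	size_t plain_len, esp_len;
	unsigned char plain[64];
	unsigned char esp[68];
};

struct queue { struct pkt *head, *tail; };

static void queue_tail(struct queue *q, struct pkt *p)
{
	p->next = NULL;
	if (q->tail) q->tail->next = p; else q->head = p;
	q->tail = p;
}

/* Put a packet back at the front so ordering is preserved on retry. */
static void queue_head(struct queue *q, struct pkt *p)
{
	p->next = q->head;
	q->head = p;
	if (!q->tail) q->tail = p;
}

static struct pkt *dequeue(struct queue *q)
{
	struct pkt *p = q->head;
	if (p) { q->head = p->next; if (!q->head) q->tail = NULL; }
	return p;
}

int encrypt_calls, sent_packets, fail_next_sends;

/* Toy stand-in for ESP encapsulation: 4-byte header plus XOR. Not crypto. */
static int encrypt_packet(struct pkt *p)
{
	size_t i;
	encrypt_calls++;
	memcpy(p->esp, "\x00\x00\x00\x01", 4);
	for (i = 0; i < p->plain_len; i++)
		p->esp[4 + i] = p->plain[i] ^ 0x5a;
	p->esp_len = 4 + p->plain_len;
	p->encrypted = 1;
	return (int)p->esp_len;
}

/* Fake non-blocking send(): fails with EAGAIN for the next fail_next_sends calls. */
static ssize_t fake_send(const void *buf, size_t len)
{
	(void)buf;
	if (fail_next_sends > 0) { fail_next_sends--; errno = EAGAIN; return -1; }
	sent_packets++;
	return (ssize_t)len;
}

/* Drain the queue. Returns packets sent; sets *want_write when the socket
 * pushed back and the caller should wait for writability, then call again. */
static int flush_outgoing(struct queue *q, int *want_write)
{
	struct pkt *p;
	int sent = 0;
	*want_write = 0;
	while ((p = dequeue(q))) {
		if (!p->encrypted && encrypt_packet(p) <= 0) { free(p); continue; }
		if (fake_send(p->esp, p->esp_len) < 0) {
			if (errno == ENOBUFS || errno == EAGAIN || errno == EWOULDBLOCK) {
				queue_head(q, p);     /* keep it; the flag says it is ready */
				*want_write = 1;
				return sent;
			}
			free(p);                  /* real error: drop this one */
			continue;
		}
		free(p);
		sent++;
	}
	return sent;
}

/* Constructed scenario: three packets, the first send() call gets EAGAIN.
 * Returns 0 when every check holds, otherwise the number of the failed check. */
int run_scenario(void)
{
	struct queue q = { NULL, NULL };
	int i, want_write;
	encrypt_calls = sent_packets = 0;
	fail_next_sends = 1;
	for (i = 0; i < 3; i++) {
		struct pkt *p = calloc(1, sizeof(*p));
		if (!p) return 9;
		p->plain_len = 3; memcpy(p->plain, "pkt", 3);
		queue_tail(&q, p);
	}
	if (flush_outgoing(&q, &want_write) != 0 || !want_write) return 1;
	if (encrypt_calls != 1 || q.head == NULL || !q.head->encrypted) return 2;
	/* Socket became writable: the second pass sends everything... */
	if (flush_outgoing(&q, &want_write) != 3 || want_write) return 3;
	/* ...and the requeued packet was not encrypted a second time. */
	if (encrypt_calls != 3 || sent_packets != 3 || q.head != NULL) return 4;
	return 0;
}

int main(void)
{
	printf("scenario: %s\n", run_scenario() == 0 ? "ok" : "FAILED");
	return 0;
}
```

The design choice worth noting is that the packet is put back at the head, not the tail, so a transient push-back does not reorder the stream behind it, and the caller is told to wait for writability instead of spinning; the encrypted flag is what makes the requeue safe, since a second encrypt_packet on the same buffer would otherwise produce a second, different ciphertext for the same payload.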