On Thu, Dec 04, 2014 at 05:36:27PM +0100, Smart Weblications GmbH - Florian Wiessner wrote:
> Hi,
>
> On 04.12.2014 08:56, Steffen Klassert wrote:
> >
> > I really wonder why the xfrm_sk_policy_lookup codepath is taken here.
> > It looks like this is the processing of an inbound ipv4 packet that
> > is going to be rerouted to the output path by ipvs, so this packet
> > should not have socket context at all.
> >
> > xfrm_sk_policy_lookup is called just if the packet has socket context
> > and the socket has an IPsec output policy configured. Do you use IPsec
> > socket policies?
> >
>
> Yes it is insane, I do not know why this happens and I wonder as well - I do not
> have IPsec configured. I tried yesterday with only
>
> CONFIG_XFRM=y
> CONFIG_XFRM_ALGO=m
>
> and all other XFRM modules disabled, same problem.
>
> I now compiled kernel without xfrm to check if the problem is somewhere else.
>
> I have seen that on this box (debian squeeze) the racoon tool inserts xfrm
> policies like so:
>
> ip xfrm policy show
> src ::/0 dst ::/0
>         dir 4 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 3 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 4 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 3 priority 0 ptype main
> src ::/0 dst ::/0
> ...

Well, these are socket policies. The ike daemon uses them
for SA negotiation.

>
> I tried without racoon running and with ipsec userspace tools disabled, but the
> problem still exists without ipsec userspace tools.

Does this mean that it still happens if you have no IPsec policies
in the system?

>
> Interesting is maybe, that the longer the node is running and interfaces are
> added to a bridge, the more policies sum up. Here is an overview of other nodes,
> but without ipvs running:

Would be interesting to see them.
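
Added example, not part of the original thread or any participant's code: a small parser for `ip xfrm policy show` output that counts socket policies (the `dir 3` / `dir 4` entries discussed above) and reports selectors that have accumulated more than once. The sample input is constructed in the format quoted in the thread; the `socket in` / `socket out` spelling is an assumption about how newer iproute2 versions print the same entries.

```python
import re
import sys
from collections import Counter

# Constructed sample in the format quoted in the thread (not captured output).
SAMPLE = (
    "src ::/0 dst ::/0\n\tdir 4 priority 0 ptype main\n"
    "src ::/0 dst ::/0\n\tdir 3 priority 0 ptype main\n"
    "src ::/0 dst ::/0\n\tdir 4 priority 0 ptype main\n"
    "src ::/0 dst ::/0\n\tdir 3 priority 0 ptype main\n"
    "src 10.0.0.0/24 dst 10.0.1.0/24\n\tdir out priority 0 ptype main\n"
)

# Directions treated as per-socket policies. "3"/"4" are what the thread shows;
# "socket in"/"socket out" is an assumed newer spelling of the same entries.
SOCKET_DIRS = {"3", "4", "socket in", "socket out"}
DIR_RE = re.compile(r"^\s*(?:dir\s+(\S+)|(socket (?:in|out)))\b")


def parse_policies(text):
    """Return one (selector, direction) tuple per policy in the dump."""
    policies, selector = [], None
    for line in text.splitlines():
        if line.startswith("src "):          # unindented selector line
            selector = " ".join(line.split())
            continue
        m = DIR_RE.match(line)               # indented direction line
        if m and selector is not None:
            policies.append((selector, m.group(1) or m.group(2)))
            selector = None                  # ignore tmpl lines that follow
    return policies


def summarize(text):
    """Count all policies, socket policies, and duplicated socket policies."""
    counts = Counter(parse_policies(text))
    sock = {k: n for k, n in counts.items() if k[1] in SOCKET_DIRS}
    return {
        "total": sum(counts.values()),
        "socket_total": sum(sock.values()),
        "duplicated_socket": {k: n for k, n in sock.items() if n > 1},
    }


if __name__ == "__main__":
    # Usage: ip xfrm policy show | python3 this_script.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(data))
```

Running it periodically on a node and comparing `socket_total` over time shows whether socket policies keep piling up as described in the report.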