From: Alexander Bluhm
Subject: Re: ipsec: move `ipsec_expire_acquire' out of netlock
To: Vitaliy Makkoveev
Cc: tech@openbsd.org
Date: Tue, 13 May 2025 21:18:39 +0200
On Sun, May 11, 2025 at 03:31:04PM +0300, Vitaliy Makkoveev wrote:
> It is local to ipsp_acquire_sa().
OK bluhm@
> Index: sys/netinet/ip_spd.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_spd.c,v
> retrieving revision 1.120
> diff -u -p -r1.120 ip_spd.c
> --- sys/netinet/ip_spd.c 17 Apr 2024 20:48:51 -0000 1.120
> +++ sys/netinet/ip_spd.c 13 May 2025 18:09:12 -0000
> @@ -888,7 +888,8 @@ ipsp_acquire_sa(struct ipsec_policy *ipo
>
> mtx_enter(&ipsec_acquire_mtx);
> #ifdef IPSEC
> - if (timeout_add_sec(&ipa->ipa_timeout, ipsec_expire_acquire) == 1)
> + if (timeout_add_sec(&ipa->ipa_timeout,
> + atomic_load_int(&ipsec_expire_acquire)) == 1)
> refcnt_take(&ipa->ipa_refcnt);
> #endif
> TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next);
> Index: sys/netinet/ipsec_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ipsec_input.c,v
> retrieving revision 1.213
> diff -u -p -r1.213 ipsec_input.c
> --- sys/netinet/ipsec_input.c 13 May 2025 17:27:53 -0000 1.213
> +++ sys/netinet/ipsec_input.c 13 May 2025 18:09:12 -0000
> @@ -116,7 +116,7 @@ int ipsec_soft_timeout = IPSEC_DEFAULT_S
> int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; /* [a] */
> int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; /* [a] */
> int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; /* [a] */
> -int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
> +int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; /* [a] */
>
> int esp_enable = 1;
> int ah_enable = 1; /* [a] */
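Review bot: The new lockless read in the ipsp_acquire_sa() hunk of sys/netinet/ip_spd.c carries no comment explaining why one `atomic_load_int(&ipsec_expire_acquire)` is enough, now that the sysctl side no longer appears to serialise on the net lock. I would add a line above the `timeout_add_sec()` call such as `/* read once; a concurrent sysctl write only affects acquires queued later */`. The sysctl table in ipsec_input.c accepts 0 through INT_MAX for this variable and the value reaches `timeout_add_sec()` unfiltered; it presumably clamps the resulting tick count, but that is not visible in this diff and is worth confirming for both ends of the range. The body of ipsp_acquire_sa() starts and ends outside the hunk.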
> @@ -174,10 +174,10 @@ int ipsec_def_comp = IPSEC_COMP_DEFLATE;
>
> const struct sysctl_bounded_args ipsecctl_vars_locked[] = {
> { IPSEC_ENCDEBUG, &encdebug, 0, 1 },
> - { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX },
> };
>
> const struct sysctl_bounded_args ipsecctl_vars[] = {
> + { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX },
> { IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX },
> { IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 },
> { IPSEC_SOFT_ALLOCATIONS, &ipsec_soft_allocations, 0, INT_MAX },
> @@ -649,7 +649,6 @@ ipsec_sysctl(int *name, u_int namelen, v
> case IPCTL_IPSEC_STATS:
> return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp));
> case IPSEC_ENCDEBUG:
> - case IPSEC_EXPIRE_ACQUIRE:
> NET_LOCK();
> error = sysctl_bounded_arr(ipsecctl_vars_locked,
> nitems(ipsecctl_vars_locked), name, namelen,