FreeBSD Bugzilla – Attachment 156880 Details for Bug 200282: [ipsec] [patch] Send SADB_EXPIRE message to keying daemons when hard lifetimes of IPsec SAs are reached
[patch] Check HARD lifetime first
ipsec_expired_hard.diff (text/plain), 3.72 KB, created by Andrey V. Elsukov on 2015-05-18 15:59:40 UTC
Flags: patch, obsolete
>Index: head/sys/netipsec/key.c >=================================================================== >--- head/sys/netipsec/key.c (revision 283059) >+++ head/sys/netipsec/key.c (working copy) >@@ -537,7 +537,7 @@ static int key_acquire2(struct socket *, struct mb > const struct sadb_msghdr *); > static int key_register(struct socket *, struct mbuf *, > const struct sadb_msghdr *); >-static int key_expire(struct secasvar *); >+static int key_expire(struct secasvar *, int); > static int key_flush(struct socket *, struct mbuf *, > const struct sadb_msghdr *); > static int key_dump(struct socket *, struct mbuf *, >@@ -4243,8 +4243,24 @@ key_flush_sad(time_t now) > continue; > } > >+ /* check HARD lifetime */ >+ if ((sav->lft_h->addtime != 0 && >+ now - sav->created > sav->lft_h->addtime) || >+ (sav->lft_h->bytes != 0 && >+ sav->lft_h->bytes < sav->lft_c->bytes)) { >+ /* >+ * RFC 2367: >+ * HARD lifetimes MUST take precedence over >+ * SOFT lifetimes, meaning if the HARD and >+ * SOFT lifetimes are the same, the HARD >+ * lifetime will appear on the EXPIRE message. >+ */ >+ key_sa_chgstate(sav, SADB_SASTATE_DEAD); >+ key_expire(sav, 1); >+ KEY_FREESAV(&sav); >+ } > /* check SOFT lifetime */ >- if (sav->lft_s->addtime != 0 && >+ else if (sav->lft_s->addtime != 0 && > now - sav->created > sav->lft_s->addtime) { > key_sa_chgstate(sav, SADB_SASTATE_DYING); > /* >@@ -4259,7 +4275,7 @@ key_flush_sad(time_t now) > * (DYING state) > */ > if (sav->lft_c->usetime != 0) >- key_expire(sav); >+ key_expire(sav, 0); > } > /* check SOFT lifetime by bytes */ > /* >@@ -4276,7 +4292,7 @@ key_flush_sad(time_t now) > * message in the status of > * DYING. Do remove below code. > */ >- key_expire(sav); >+ key_expire(sav, 0); > } > } > >@@ -4295,6 +4311,7 @@ key_flush_sad(time_t now) > > if (sav->lft_h->addtime != 0 && > now - sav->created > sav->lft_h->addtime) { >+ key_expire(sav, 1); > key_sa_chgstate(sav, SADB_SASTATE_DEAD); > KEY_FREESAV(&sav); > } 
>@@ -4311,12 +4328,13 @@ key_flush_sad(time_t now) > * If there is no SA then sending > * expire message. > */ >- key_expire(sav); >+ key_expire(sav, 0); > } > #endif > /* check HARD lifetime by bytes */ > else if (sav->lft_h->bytes != 0 && > sav->lft_h->bytes < sav->lft_c->bytes) { >+ key_expire(sav, 1); > key_sa_chgstate(sav, SADB_SASTATE_DEAD); > KEY_FREESAV(&sav); > } >@@ -6721,7 +6739,7 @@ key_freereg(struct socket *so) > * others : error number > */ > static int >-key_expire(struct secasvar *sav) >+key_expire(struct secasvar *sav, int hard) > { > int satype; > struct mbuf *result = NULL, *m; >@@ -6779,11 +6797,19 @@ static int > lt->sadb_lifetime_usetime = sav->lft_c->usetime; > lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); > lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); >- lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; >- lt->sadb_lifetime_allocations = sav->lft_s->allocations; >- lt->sadb_lifetime_bytes = sav->lft_s->bytes; >- lt->sadb_lifetime_addtime = sav->lft_s->addtime; >- lt->sadb_lifetime_usetime = sav->lft_s->usetime; >+ if (hard) { >+ lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; >+ lt->sadb_lifetime_allocations = sav->lft_h->allocations; >+ lt->sadb_lifetime_bytes = sav->lft_h->bytes; >+ lt->sadb_lifetime_addtime = sav->lft_h->addtime; >+ lt->sadb_lifetime_usetime = sav->lft_h->usetime; >+ } else { >+ lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; >+ lt->sadb_lifetime_allocations = sav->lft_s->allocations; >+ lt->sadb_lifetime_bytes = sav->lft_s->bytes; >+ lt->sadb_lifetime_addtime = sav->lft_s->addtime; >+ lt->sadb_lifetime_usetime = sav->lft_s->usetime; >+ } > m_cat(result, m); > > /* set sadb_address for source */
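Review bot: the new HARD-lifetime check in the MATURE loop (hunk @@ -4243) dereferences `sav->lft_h->addtime` and `sav->lft_h->bytes` with no NULL check, while the guards that precede it in this loop (ending at the `continue; }` shown just above the insertion) only establish that the SOFT and CURRENT lifetimes exist. If a MATURE SA can be installed without a HARD lifetime this is a NULL dereference in the flush timer; add `sav->lft_h != NULL &&` at the front of the condition or skip such SAs early, and note that `key_expire(sav, 1)` then copies `sav->lft_h->*` into the message and needs the same guarantee.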
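Review bot: in hunks @@ -4295 and @@ -4311 `key_expire(sav, 1)` is called before `key_sa_chgstate(sav, SADB_SASTATE_DEAD)`, but hunk @@ -4243 does it the other way round (state set to DEAD, then `key_expire(sav, 1)`). If `key_expire()` records `sav->state` in the SADB_SA extension of the EXPIRE message, the keying daemon sees a DEAD SA from one site and a MATURE one from the other for the same event; use one order at all three sites, preferably the one in the DYING-loop hunks so the message is built before the SA is moved to the DEAD list and freed.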
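Review bot: the block comment above `key_expire()` (its tail ` * others : error number` is visible in hunk @@ -6721) is not updated for the new `hard` argument; add a line stating that a nonzero `hard` makes the second lifetime extension of the EXPIRE message SADB_EXT_LIFETIME_HARD, filled from `sav->lft_h`, instead of SADB_EXT_LIFETIME_SOFT. A named constant instead of the bare `1` / `0` would also make the `key_expire(sav, 1)` and `key_expire(sav, 0)` calls in the earlier hunks self-describing.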
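Review bot: style, hunk @@ -6779: the `if (hard) { ... } else { ... }` duplicates the four field copies and only the source lifetime and the exttype differ. Selecting the source once (for example `lt_src = hard ? sav->lft_h : sav->lft_s;`) and deriving `sadb_lifetime_exttype` from the same condition keeps the two branches from drifting apart when a field is added or renamed.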