From 470b58d897338c89c83f416808cf1ccac38fe028 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 17 Jul 2015 14:08:09 +0200
Subject: [PATCH] ikev1: Assign different job priorities for inbound IKEv1
 messages

---
 src/libcharon/processing/jobs/process_message_job.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c
index a6795e7..31f048d 100644
--- a/src/libcharon/processing/jobs/process_message_job.c
+++ b/src/libcharon/processing/jobs/process_message_job.c
@@ -91,16 +91,26 @@ METHOD(job_t, get_priority, job_priority_t,
 	{
 		case IKE_AUTH:
 			/* IKE auth is rather expensive and often blocking, low priority */
+		case AGGRESSIVE:
+		case ID_PROT:
+			/* AM is basically IKE_SA_INIT/IKE_AUTH combined (without EAP/XAuth)
+			 * MM is similar, but stretched out more */
 			return JOB_PRIO_LOW;
 		case INFORMATIONAL:
+		case INFORMATIONAL_V1:
 			/* INFORMATIONALs are inexpensive, for DPD we should have low
 			 * reaction times */
 			return JOB_PRIO_HIGH;
 		case IKE_SA_INIT:
-		case CREATE_CHILD_SA:
-		default:
 			/* IKE_SA_INIT is expensive, but we will drop them in the receiver
 			 * if we are overloaded */
+		case CREATE_CHILD_SA:
+		case QUICK_MODE:
+			/* these may require DH, but if not they are relatively cheap */
+		case TRANSACTION:
+			/* these are mostly cheap, however, if XAuth via RADIUS is used
+			 * they may block */
+		default:
 			return JOB_PRIO_MEDIUM;
 	}
 }
-- 
2.4.6