path: root/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
From cd83d5c5e51db6c903496369f6edc74901703eb7 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 3 Jun 2015 17:31:30 +0200
Subject: [PATCH] kernel-netlink: When adding a policy do an update if it
 already exists

This may be the case when SAs are reestablished after a crash of the
IKE daemon.
---
 src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index f22e07d..e41c10a 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2057,6 +2057,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 	ipsec_sa_t *ipsec = mapping->sa;
 	struct xfrm_userpolicy_info *policy_info;
 	struct nlmsghdr *hdr;
+	status_t status;
 	int i;
 
 	/* clone the policy so we are able to check it out again later */
@@ -2151,7 +2152,14 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 	}
 	this->mutex->unlock(this->mutex);
 
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+	if (status == ALREADY_DONE && !update)
+	{
+		DBG1(DBG_KNL, "policy already exists, try to update it");
+		hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
+		status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+	}
+	if (status != SUCCESS)
 	{
 		return FAILED;
 	}