From 8fe94be6c0d43e8df28679604f3d0fef550829a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Thu, 4 Nov 2010 17:00:26 +0200 Subject: main/ipsec-tools: add a patch to improve delete notify handling if phase1 rekeying is enabled, remote side deleting the last phase1 will result in deletion of all the ipsec-sa's and will execute the phase1_dead script hook too (so every one knows the traffic between the two nodes has ceased). --- main/ipsec-tools/95-purge-on-delete-notify.patch | 57 ++++++++++++++++++++++++ main/ipsec-tools/APKBUILD | 6 ++- 2 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 main/ipsec-tools/95-purge-on-delete-notify.patch (limited to 'main') diff --git a/main/ipsec-tools/95-purge-on-delete-notify.patch b/main/ipsec-tools/95-purge-on-delete-notify.patch new file mode 100644 index 000000000..aa92135bc --- /dev/null +++ b/main/ipsec-tools/95-purge-on-delete-notify.patch 
@@ -0,0 +1,57 @@
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.63
+diff -u -p -r1.63 isakmp.c
+--- a/src/racoon/isakmp.c 21 Oct 2010 06:15:28 -0000 1.63
++++ b/src/racoon/isakmp.c 4 Nov 2010 14:52:39 -0000
+@@ -766,6 +766,20 @@ isakmp_main(msg, remote, local)
+ return 0;
+ }
+
++static int
++ph1_rekey_enabled(iph1)
++ struct ph1handle *iph1;
++{
++ if (iph1->rmconf->rekey == REKEY_FORCE)
++ return 1;
++#ifdef ENABLE_DPD
++ if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
++ iph1->rmconf->dpd_interval)
++ return 1;
++#endif
++ return 0;
++}
++
+ /*
+ * main function of phase 1.
+ */
+@@ -866,13 +880,7 @@ ph1_main(iph1, msg)
+ migrate_dying_ph12(iph1);
+
+ /* add to the schedule to expire, and seve back pointer. */
+- if ((iph1->rmconf->rekey == REKEY_FORCE)
+-#ifdef ENABLE_DPD
+- ||
+- (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
+- iph1->rmconf->dpd_interval)
+-#endif
+- ) {
++ if (ph1_rekey_enabled(iph1)) {
+ sched_schedule(&iph1->sce,
+ iph1->approval->lifetime *
+ PFKEY_SOFT_LIFETIME_RATE / 100,
+@@ -2071,7 +2079,13 @@ isakmp_ph1delete(iph1)
+ plog(LLV_INFO, LOCATION, NULL,
+ "ISAKMP-SA deleted %s-%s spi:%s\n",
+ src, dst, isakmp_pindex(&iph1->index, 0));
++
+ evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
++
++ if (new_iph1 == NULL && ph1_rekey_enabled(iph1)) {
++ purge_remote(iph1);
++ script_hook(iph1, SCRIPT_PHASE1_DEAD);
++ }
+ racoon_free(src);
+ racoon_free(dst);
+
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index 8315f484b..286144b66 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=ipsec-tools
 pkgver=0.8_alpha20101022
 _myver=0.8-alpha20101022
-pkgrel=1
+pkgrel=2
 pkgdesc="User-space IPsec tools for various IPsec implementations"
 url="http://ipsec-tools.sourceforge.net/"
 license="BSD"
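Review bot: ph1_rekey_enabled() dereferences `iph1->rmconf` without a NULL check, and the last hunk of the embedded patch now calls it from isakmp_ph1delete(), a teardown path whose callers are not visible here. The condition it replaces in ph1_main() did the same dereference, but that call site appears to run only once negotiation has progressed; if a handle can be deleted before its remote configuration is bound (worth confirming for negotiations that fail early), the new call would crash the IKE daemon. Starting the helper with `if (iph1->rmconf == NULL) return 0;` makes both callers safe. Separately, the new block runs on every deletion where `new_iph1 == NULL`, not only on a received delete notify as the description says, so `purge_remote()` and the `SCRIPT_PHASE1_DEAD` hook would also fire on local expiry; a short comment stating that this is intended would help. isakmp_ph1delete() starts and ends outside the hunk.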
@@ -17,6 +17,7 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz 75-racoonctl-rcvbuf.patch 80-admin-big-reply-fix.patch 90-dpd-window-fix.patch + 95-purge-on-delete-notify.patch " _builddir="$srcdir"/$pkgname-$_myver @@ -63,4 +64,5 @@ md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz 94773c94233e14cdce0fa02ff780a43e 70-defer-isakmp-ident-handling.patch 2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch c3898b162d284bc163f99cc52925b52a 80-admin-big-reply-fix.patch -0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch" +0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch +8bc73a15407564321c8f571b5656b28d 95-purge-on-delete-notify.patch" -- cgit v1.2.3