kernel-pfkey: Remove latest IPsec SA mapping when deleting a policy

If IPsec SAs are rekeyed due to an address change (e.g. because
update_sa is not supported) the exact same policy with the same reqid
will be installed, but with different addresses.  After the rekeying the
old SA and its policies are removed, using the first matching mapping
breaks the mapping between the policies and the new SA (at least on
FreeBSD, the Linux kernel might only use the reqid for this).  Using the
oldest matching SA is still an approximation but it solves the above
issue.

0 files changed, 0 insertions, 0 deletions