authorAnsis Atteka <aatteka@nicira.com>2013-09-22 21:21:39 -0700
committerMartin Willi <martin@revosec.ch>2013-09-23 10:45:14 +0200
commit255b9dac5dd4ef01574481beab53c12d1fb11b1b (patch)
tree2e14cbcd29a11a2b3ded77dc1ff32aca01f94512 /src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
parent2c4d772a79420b5fb606545be5f74e920c32464c (diff)
kernel-netlink: Allow to override xfrm_acq_expires value
When using auto=route, the current xfrm_acq_expires default value implies that the tunnel can be down for up to 165 seconds if the other peer rejected the first IKE request with an AUTH_FAILED or NO_PROPOSAL_CHOSEN error message. These error messages are completely normal in setups where another application pushes configuration to both strongSwans without waiting for an acknowledgment that they have updated their configurations. This patch allows strongswan to override the xfrm_acq_expires default value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in strongswan.conf. Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Diffstat (limited to 'src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c')
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 83f93ec68..e06c8eaa9 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -76,6 +76,9 @@
/** Default replay window size, if not set using charon.replay_window */
#define DEFAULT_REPLAY_WINDOW 32
+/** Default lifetime of an acquire XFRM state (in seconds) */
+#define DEFAULT_ACQUIRE_LIFETIME 165
+
/**
* Map the limit for bytes and packets to XFRM_INF by default
*/
@@ -2631,7 +2634,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
{
private_kernel_netlink_ipsec_t *this;
bool register_for_events = TRUE;
- int fd;
+ FILE *f;
INIT(this,
.public = {
@@ -2673,12 +2676,13 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
register_for_events = FALSE;
}
- /* disable lifetimes for allocated SPIs in kernel */
- fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
- if (fd > 0)
+ f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
+ if (f)
{
- ignore_result(write(fd, "165", 3));
- close(fd);
+ fprintf(f, "%u", lib->settings->get_int(lib->settings,
+ "%s.plugins.kernel-netlink.xfrm_acq_expires",
+ DEFAULT_ACQUIRE_LIFETIME, hydra->daemon));
+ fclose(f);
}
this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
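Review bot: The new fprintf()/fclose() pair silently drops any failure, and it prints the int returned by get_int() with `%u`, so a negative or out-of-range value from strongswan.conf is written to the sysctl as a large unsigned number and the kernel's rejection (or a permission error surfacing at fclose(), which is where the write is flushed) is never logged; the old code at least marked the ignored result explicitly with ignore_result(). The explanatory comment on the removed line was also dropped without a replacement, so a reader no longer learns why the plugin touches a host-wide sysctl. I would validate the value, format it with `%d`, check both return values, and restore a comment such as `/* shorten lifetime of acquire states so a rejected initial IKE exchange is retried sooner */`. The enclosing kernel_netlink_ipsec_create() begins in the previous hunk and continues past this one.
```c
	f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
	if (f)
	{
		int expires = lib->settings->get_int(lib->settings,
					"%s.plugins.kernel-netlink.xfrm_acq_expires",
					DEFAULT_ACQUIRE_LIFETIME, hydra->daemon);
		bool ok;

		if (expires < 0)
		{
			DBG1(DBG_KNL, "ignoring negative xfrm_acq_expires %d, using %d",
				 expires, DEFAULT_ACQUIRE_LIFETIME);
			expires = DEFAULT_ACQUIRE_LIFETIME;
		}
		/* fclose() flushes the write, so its result is checked too */
		ok = fprintf(f, "%d", expires) >= 0;
		ok = fclose(f) == 0 && ok;
		if (!ok)
		{
			DBG1(DBG_KNL, "unable to set xfrm_acq_expires to %d", expires);
		}
	}
	/* … unchanged: netlink_socket_create() and the rest of the constructor … */
```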