authorTobias Brunner <tobias@strongswan.org>2011-10-21 13:37:16 +0200
committerTobias Brunner <tobias@strongswan.org>2011-10-21 14:18:23 +0200
commit0b0f466bbc9d63b84fd9e893c0eccddb92202c8a (patch)
tree15d0425ffc4093fbb3ffdddb1c57bc670e9f9901 /src/libhydra
parentbf3c2dde688b8f5b4288f5a07afd4eaa7ccbf407 (diff)
Defined functions in the kernel interface to flush SAD and SPD entries.
Diffstat (limited to 'src/libhydra')
-rw-r--r--src/libhydra/kernel/kernel_interface.c22
-rw-r--r--src/libhydra/kernel/kernel_interface.h14
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h14
3 files changed, 50 insertions, 0 deletions
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 9113d813c..922f27094 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -138,6 +138,16 @@ METHOD(kernel_interface_t, del_sa, status_t,
return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark);
}
+METHOD(kernel_interface_t, flush_sas, status_t,
+ private_kernel_interface_t *this)
+{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
+ return this->ipsec->flush_sas(this->ipsec);
+}
+
METHOD(kernel_interface_t, add_policy, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
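Review bot: The new flush_sas wrapper guards against a missing backend with `if (!this->ipsec)` but then calls `this->ipsec->flush_sas` without checking that the backend filled that pointer in. kernel_ipsec_t gains this member in the same commit, and the diff shown is limited to src/libhydra, so it is not visible whether every backend sets it. A backend that does not would presumably leave it NULL, and the call would then crash the daemon. I would widen the guard to `if (!this->ipsec || !this->ipsec->flush_sas)` before returning NOT_SUPPORTED. The same applies to the flush_policies wrapper in the next hunk.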
@@ -178,6 +188,16 @@ METHOD(kernel_interface_t, del_policy, status_t,
direction, reqid, mark, priority);
}
+METHOD(kernel_interface_t, flush_policies, status_t,
+ private_kernel_interface_t *this)
+{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
+ return this->ipsec->flush_policies(this->ipsec);
+}
+
METHOD(kernel_interface_t, get_source_addr, host_t*,
private_kernel_interface_t *this, host_t *dest, host_t *src)
{
@@ -505,9 +525,11 @@ kernel_interface_t *kernel_interface_create()
.update_sa = _update_sa,
.query_sa = _query_sa,
.del_sa = _del_sa,
+ .flush_sas = _flush_sas,
.add_policy = _add_policy,
.query_policy = _query_policy,
.del_policy = _del_policy,
+ .flush_policies = _flush_policies,
.get_source_addr = _get_source_addr,
.get_nexthop = _get_nexthop,
.get_interface = _get_interface,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 4c2f7ef99..991cfafd0 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -175,6 +175,13 @@ struct kernel_interface_t {
mark_t mark);
/**
+ * Flush all SAs from the SAD.
+ *
+ * @return SUCCESS if operation completed
+ */
+ status_t (*flush_sas) (kernel_interface_t *this);
+
+ /**
* Add a policy to the SPD.
*
* A policy is always associated to an SA. Traffic which matches a
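Review bot: The `@return` line on flush_sas documents only SUCCESS, but the wrapper added in kernel_interface.c returns NOT_SUPPORTED when no ipsec backend is registered. I would write `@return SUCCESS if operation completed, NOT_SUPPORTED if no IPsec backend is registered`, and also name the status a backend returns when the kernel rejects the flush (presumably FAILED, to be confirmed against the backends). A caller that tears down state based on this result needs to tell "nothing was flushed" apart from "flushed". The same applies to flush_policies further down in this header and to both new declarations in kernel_ipsec.h; the struct itself continues outside the hunk.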
@@ -241,6 +248,13 @@ struct kernel_interface_t {
mark_t mark, policy_priority_t priority);
/**
+ * Flush all policies from the SPD.
+ *
+ * @return SUCCESS if operation completed
+ */
+ status_t (*flush_policies) (kernel_interface_t *this);
+
+ /**
* Get our outgoing source address for a destination.
*
* Does a route lookup to get the source address used to reach dest.
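Review bot: The comment on flush_policies does not say how wide the flush is or what it means for traffic afterwards. "All policies from the SPD" reads as including entries this daemon did not install. Once the policies are gone, traffic they matched is no longer selected for IPsec processing and may leave the host unprotected unless something else drops it. I would add a sentence such as `Removes every policy in the kernel SPD, not only those installed by this instance; callers must ensure traffic is not left unprotected afterwards.` The exact scope depends on the backends, which are not part of this diff, so the wording should be confirmed against them.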
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index eacf7c79f..ddb63283c 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -306,6 +306,13 @@ struct kernel_ipsec_t {
mark_t mark);
/**
+ * Flush all SAs from the SAD.
+ *
+ * @return SUCCESS if operation completed
+ */
+ status_t (*flush_sas) (kernel_ipsec_t *this);
+
+ /**
* Add a policy to the SPD.
*
* A policy is always associated to an SA. Traffic which matches a
@@ -373,6 +380,13 @@ struct kernel_ipsec_t {
mark_t mark, policy_priority_t priority);
/**
+ * Flush all policies from the SPD.
+ *
+ * @return SUCCESS if operation completed
+ */
+ status_t (*flush_policies) (kernel_ipsec_t *this);
+
+ /**
* Install a bypass policy for the given socket.
*
* @param fd socket file descriptor to setup policy for