diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2016-02-17 17:31:51 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2016-03-03 17:28:03 +0100 |
| commit | 2f3c08d268a6ead9e7d9e74b523600d76e3e5722 (patch) | |
| tree | 92c5feb3413000eec81b7e2777875ecaaaf92b34 /src | |
| parent | 904f93f65562fef83c945348e02fa24600a510ec (diff) | |
| download | strongswan-2f3c08d268a6ead9e7d9e74b523600d76e3e5722.tar.bz2 strongswan-2f3c08d268a6ead9e7d9e74b523600d76e3e5722.tar.xz | |
ikev1: Allow immediate deletion of rekeyed CHILD_SAs
When charon rekeys a CHILD_SA after a soft limit expired, it is only
deleted after the hard limit is reached. In case of packet/byte limits
this may not be the case for a long time since the packets/bytes are
usually sent using the new SA. This may result in a very large number of
stale CHILD_SAs and kernel states. With enough connections configured this
will ultimately exhaust the memory of the system.
This patch adds a strongswan.conf setting that, if enabled, causes the old
CHILD_SA to be deleted by the initiator after a successful rekeying.
Enabling this setting might create problems with implementations that
continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
Diffstat (limited to 'src')
| -rw-r--r-- | src/libcharon/sa/ikev1/tasks/quick_mode.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index e7d26443b..b4fe04663 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -171,6 +171,11 @@ struct private_quick_mode_t { u_int32_t rekey; /** + * Delete old child after successful rekey + */ + bool delete; + + /** * Negotiated mode, tunnel or transport */ ipsec_mode_t mode; @@ -406,8 +411,17 @@ static bool install(private_quick_mode_t *this) if (old) { charon->bus->child_rekey(charon->bus, old, this->child_sa); - /* rekeyed CHILD_SAs stay installed until they expire */ + /* rekeyed CHILD_SAs stay installed until they expire or are deleted + * by the other peer */ old->set_state(old, CHILD_REKEYED); + /* as initiator we delete the CHILD_SA if configured to do so */ + if (this->initiator && this->delete) + { + this->ike_sa->queue_task(this->ike_sa, + (task_t*)quick_delete_create(this->ike_sa, + this->proposal->get_protocol(this->proposal), + this->rekey, TRUE, FALSE)); + } } else { @@ -1450,6 +1464,8 @@ quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config, .tsi = tsi ? tsi->clone(tsi) : NULL, .tsr = tsr ? tsr->clone(tsr) : NULL, .proto = PROTO_ESP, + .delete = lib->settings->get_bool(lib->settings, + "%s.delete_rekeyed", FALSE, lib->ns), ); if (config) |