-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c15
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c6
2 files changed, 16 insertions, 5 deletions
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index afdf7edd9..0758c9632 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -65,6 +65,11 @@
#define PRIO_HIGH 2000
/**
+ * map the limit for bytes and packets to XFRM_INF per default
+ */
+#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
+
+/**
* Create ORable bitfield of XFRM NL groups
*/
#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
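Review bot: The comment on the new XFRM_LIMIT macro names the value it maps to but not the input that triggers the mapping; a reader has to work out from the expression that 0 is the "not configured" value. Suggest `/** Map a limit of 0 (none configured) to XFRM_INF, the kernel's "unlimited" value; non-zero limits pass through unchanged */`. As a point of style, the macro evaluates its argument twice, which is harmless for the plain field reads it is given in add_sa but becomes a hazard if it is ever applied to an expression with side effects; a small `static inline` helper taking the limit by value would rule that out.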
@@ -788,6 +793,7 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
process_mapping(this, hdr);
break;
default:
+ DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
break;
}
hdr = NLMSG_NEXT(hdr, len);
@@ -965,11 +971,10 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
}
sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
sa->reqid = reqid;
- /* we currently do not expire SAs by volume/packet count */
- sa->lft.soft_byte_limit = XFRM_INF;
- sa->lft.hard_byte_limit = XFRM_INF;
- sa->lft.soft_packet_limit = XFRM_INF;
- sa->lft.hard_packet_limit = XFRM_INF;
+ sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->rekey_bytes);
+ sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->life_bytes);
+ sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->rekey_packets);
+ sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->life_packets);
/* we use lifetimes since added, not since used */
sa->lft.soft_add_expires_seconds = lifetime->rekey_time;
sa->lft.hard_add_expires_seconds = lifetime->life_time;
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index a37a1b01f..4eff8e259 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1287,13 +1287,19 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+ lft->sadb_lifetime_allocations = lifetime->rekey_packets;
+ lft->sadb_lifetime_bytes = lifetime->rekey_bytes;
lft->sadb_lifetime_addtime = lifetime->rekey_time;
+ lft->sadb_lifetime_usetime = 0; /* we only use addtime */
PFKEY_EXT_ADD(msg, lft);
lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+ lft->sadb_lifetime_allocations = lifetime->life_packets;
+ lft->sadb_lifetime_bytes = lifetime->life_bytes;
lft->sadb_lifetime_addtime = lifetime->life_time;
+ lft->sadb_lifetime_usetime = 0; /* we only use addtime */
PFKEY_EXT_ADD(msg, lft);
if (enc_alg != ENCR_UNDEFINED)
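Review bot: The new lines `lft->sadb_lifetime_allocations = lifetime->rekey_packets;` and `lft->sadb_lifetime_allocations = lifetime->life_packets;` store the packet counts into a field that RFC 2367 defines as 32-bit, while the byte counts beside them go into a 64-bit field; if the packet counters in lifetime share the 64-bit width of the byte counters (their declaration is not in the hunk), a configured value above UINT32_MAX is silently truncated, and one that truncates to 0 would disable the limit if the stack treats a zero lifetime as "not applicable". Clamping keeps the large-value case conservative, e.g. `lft->sadb_lifetime_allocations = lifetime->rekey_packets > UINT32_MAX ? UINT32_MAX : lifetime->rekey_packets;` with the same guard for life_packets. Unlike the netlink hunk, no zero-to-unlimited mapping is applied here; a one-line comment stating that PF_KEY already treats a zero limit as unused would make the asymmetry visibly deliberate. add_sa starts and ends outside the hunk.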