Diffstat (limited to 'src')
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c25
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c39
-rw-r--r--src/starter/netkey.c13
-rw-r--r--src/starter/netkey.h1
-rw-r--r--src/starter/starter.c1
5 files changed, 45 insertions, 34 deletions
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 2958b5942..8ea2914e0 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2024,23 +2024,36 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
netlink_buf_t request;
struct nlmsghdr *hdr;
struct xfrm_usersa_flush *flush;
+ struct {
+ u_int8_t proto;
+ char *name;
+ } protos[] = {
+ { IPPROTO_AH, "AH" },
+ { IPPROTO_ESP, "ESP" },
+ { IPPROTO_COMP, "IPComp" },
+ };
+ int i;
memset(&request, 0, sizeof(request));
- DBG2(DBG_KNL, "flushing all SAD entries");
-
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = XFRM_MSG_FLUSHSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
flush = NLMSG_DATA(hdr);
- flush->proto = IPSEC_PROTO_ANY;
- if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ for (i = 0; i < countof(protos); i++)
{
- DBG1(DBG_KNL, "unable to flush SAD entries");
- return FAILED;
+ DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
+
+ flush->proto = protos[i].proto;
+
+ if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
+ return FAILED;
+ }
}
return SUCCESS;
}
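Review bot: The `protos` table declares `name` as `char *` although every entry is a string literal, so `const char *name` is the accurate type and stops the compiler from accepting a write through it; the same table appears in the kernel_pfkey hunk below. The loop index `i` is an `int` compared against `countof(protos)` on the `for` line, which is a signed/unsigned comparison if `countof` expands to a `sizeof` ratio (likely, but the macro is outside this hunk); `size_t i` avoids the warning and the conversion. The hunk also does not record why one flush per protocol replaced the previous single `IPSEC_PROTO_ANY` request, so a comment above the table such as `/* flush AH, ESP and IPComp SAs individually rather than with IPSEC_PROTO_ANY */`, extended with whichever kernel behaviour motivated it, would keep a later reader from "simplifying" it back. The METHOD header of flush_sas lies above the hunk.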
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index f1b975e75..3583dfeba 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2086,31 +2086,44 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
+ struct {
+ u_int8_t proto;
+ char *name;
+ } protos[] = {
+ { SADB_SATYPE_AH, "AH" },
+ { SADB_SATYPE_ESP, "ESP" },
+ { SADB_X_SATYPE_IPCOMP, "IPComp" },
+ };
size_t len;
+ int i;
memset(&request, 0, sizeof(request));
- DBG2(DBG_KNL, "flushing all SAD entries");
-
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
msg->sadb_msg_type = SADB_FLUSH;
- msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
- if (pfkey_send(this, msg, &out, &len) != SUCCESS)
- {
- DBG1(DBG_KNL, "unable to flush SAD entries");
- return FAILED;
- }
- else if (out->sadb_msg_errno)
+ for (i = 0; i < countof(protos); i++)
{
- DBG1(DBG_KNL, "unable to flush SAD entries: %s (%d)",
- strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
+
+ msg->sadb_msg_satype = protos[i].proto;
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to flush %s SAD entries: %s (%d)",
+ protos[i].name, strerror(out->sadb_msg_errno),
+ out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
free(out);
- return FAILED;
}
- free(out);
return SUCCESS;
}
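Review bot: The loop returns FAILED on the first SA type whose flush fails, so an error reported in `out->sadb_msg_errno` for AH leaves the ESP and IPComp entries in the SAD untouched even though those flushes might succeed; on a kernel that rejects one of the SA types this turns a partial cleanup into no cleanup for the types that follow. If callers only need the aggregate result, a best-effort loop is safer for a teardown routine: declare `status_t status = SUCCESS;`, replace the two `return FAILED` with `status = FAILED;` (followed by `continue;` in the `pfkey_send` branch so `out` is not dereferenced) and end the function with `return status;`; the netlink hunk above has the same early-return shape. The `pfkey_send` failure branch also returns without `free(out)` while the errno branch frees it — this predates the change and is correct only if `pfkey_send` leaves `out` unallocated on failure, which is worth confirming since that function is outside the hunk. The METHOD header of flush_sas lies above the hunk.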
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index 2b500bab4..3eb6973a1 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -55,16 +55,3 @@ bool starter_netkey_init(void)
DBG2(DBG_APP, "found netkey IPsec stack");
return TRUE;
}
-
-void starter_netkey_cleanup(void)
-{
- if (!lib->plugins->load(lib->plugins,
- lib->settings->get_str(lib->settings, "starter.load", PLUGINS)))
- {
- DBG1(DBG_APP, "unable to load kernel plugins");
- return;
- }
- hydra->kernel_interface->flush_sas(hydra->kernel_interface);
- hydra->kernel_interface->flush_policies(hydra->kernel_interface);
- lib->plugins->unload(lib->plugins);
-}
diff --git a/src/starter/netkey.h b/src/starter/netkey.h
index c12924174..bc71af2ed 100644
--- a/src/starter/netkey.h
+++ b/src/starter/netkey.h
@@ -16,7 +16,6 @@
#define _STARTER_NETKEY_H_
extern bool starter_netkey_init (void);
-extern void starter_netkey_cleanup (void);
#endif /* _STARTER_NETKEY_H_ */
diff --git a/src/starter/starter.c b/src/starter/starter.c
index a19298923..ab1ebdd5d 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -703,7 +703,6 @@ int main (int argc, char **argv)
{
starter_stop_charon();
}
- starter_netkey_cleanup();
confread_free(cfg);
unlink(starter_pid_file);
cleanup();