From 1087b9cebbc41c0e15c783c95875d8783544e1ce Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 27 Aug 2009 16:07:30 +0200
Subject: Set the packet and byte limits in the netlink and pfkey kernel interfaces.
---
 src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c')
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index afdf7edd9..0758c9632 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -64,6 +64,11 @@
 #define PRIO_LOW 3000
 #define PRIO_HIGH 2000
 
+/**
+ * map the limit for bytes and packets to XFRM_INF per default
+ */
+#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
+
 /**
  * Create ORable bitfield of XFRM NL groups
  */
@@ -788,6 +793,7 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
 process_mapping(this, hdr);
 break;
 default:
+ DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
 break;
 }
 hdr = NLMSG_NEXT(hdr, len);
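Review bot: The comment on XFRM_LIMIT does not state what the macro decides, which is that a configured limit of 0 is the "unlimited" sentinel and is translated to the kernel's XFRM_INF while every other value is passed through unchanged; `/** map a limit of 0 (= no limit) to XFRM_INF, pass any other value through */` would record that contract where the macro is defined. A consequence worth noting in the same comment is that a caller can no longer express a genuinely zero limit, since 0 always means unlimited here. The macro also evaluates `x` twice, so it must only be used with side-effect-free arguments, as it is in add_sa; a `static inline` function would remove that hazard if it ever gets wider use.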
@@ -965,11 +971,10 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 }
 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
 sa->reqid = reqid;
- /* we currently do not expire SAs by volume/packet count */
- sa->lft.soft_byte_limit = XFRM_INF;
- sa->lft.hard_byte_limit = XFRM_INF;
- sa->lft.soft_packet_limit = XFRM_INF;
- sa->lft.hard_packet_limit = XFRM_INF;
+ sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->rekey_bytes);
+ sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->life_bytes);
+ sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->rekey_packets);
+ sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->life_packets);
 /* we use lifetimes since added, not since used */
 sa->lft.soft_add_expires_seconds = lifetime->rekey_time;
 sa->lft.hard_add_expires_seconds = lifetime->life_time;
-- cgit v1.2.3
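Review bot: The four new assignments hand the soft (rekey) and hard (life) byte and packet limits to the kernel independently, but nothing in the hunk ensures rekey_bytes < life_bytes or rekey_packets < life_packets; if the hard limit is hit first the kernel expires and removes the SA before any rekey was triggered, so the child SA is lost rather than renewed. The same happens when only the hard limit is configured, because a 0 soft limit becomes XFRM_INF through XFRM_LIMIT and the soft expiry then never fires. Unless the lifetime configuration is already normalized before add_sa is reached — I cannot see that from this hunk — a check here such as `if (sa->lft.soft_byte_limit >= sa->lft.hard_byte_limit && sa->lft.hard_byte_limit != XFRM_INF) DBG1(DBG_KNL, "soft byte limit not below hard byte limit, SA will expire without rekeying");` (and the analogous one for packets) would make the misconfiguration visible instead of silent. The removed comment explained why the limits used to be infinite; a replacement such as `/* a limit of 0 means unlimited and is mapped to XFRM_INF */` above the new lines keeps that context for the reader. add_sa begins before and continues after this hunk.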