projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
ikev1: Don't handle DPD timeout job if IKE_SA got passive
[strongswan.git] / src / libcharon / processing / jobs / dpd_timeout_job.c
1 /*
2 * Copyright (C) 2012 Martin Willi
3 * Copyright (C) 2012 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <stdlib.h>
17
18 #include "dpd_timeout_job.h"
19
20 #include <sa/ike_sa.h>
21 #include <daemon.h>
22
23
24 typedef struct private_dpd_timeout_job_t private_dpd_timeout_job_t;
25
26 /**
27 * Private data
28 */
29 struct private_dpd_timeout_job_t {
30
31 /**
32 * public dpd_timeout_job_t interface
33 */
34 dpd_timeout_job_t public;
35
36 /**
37 * IKE_SA identifier
38 */
39 ike_sa_id_t *ike_sa_id;
40
41 /**
42 * Timestamp of first DPD check
43 */
44 time_t check;
45 };
46
47 METHOD(job_t, destroy, void,
48 private_dpd_timeout_job_t *this)
49 {
50 this->ike_sa_id->destroy(this->ike_sa_id);
51 free(this);
52 }
53
54 METHOD(job_t, execute, job_requeue_t,
55 private_dpd_timeout_job_t *this)
56 {
57 time_t use_time, current;
58 enumerator_t *enumerator;
59 child_sa_t *child_sa;
60 ike_sa_t *ike_sa;
61
62 ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
63 this->ike_sa_id);
64 if (ike_sa)
65 {
66 if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
67 {
68 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
69 return JOB_REQUEUE_NONE;
70 }
71
72 use_time = ike_sa->get_statistic(ike_sa, STAT_INBOUND);
73
74 enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
75 while (enumerator->enumerate(enumerator, &child_sa))
76 {
77 child_sa->get_usestats(child_sa, TRUE, &current, NULL, NULL);
78 use_time = max(use_time, current);
79 }
80 enumerator->destroy(enumerator);
81
82 /* check if no incoming packet during timeout, reestablish SA */
83 if (use_time < this->check)
84 {
85 DBG1(DBG_JOB, "DPD check timed out, enforcing DPD action");
86 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, NULL);
87 charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
88 ike_sa->reestablish(ike_sa);
89 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
90 ike_sa);
91 }
92 else
93 {
94 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
95 }
96 }
97 return JOB_REQUEUE_NONE;
98 }
99
100 METHOD(job_t, get_priority, job_priority_t,
101 private_dpd_timeout_job_t *this)
102 {
103 return JOB_PRIO_HIGH;
104 }
105
106 /*
107 * Described in header
108 */
109 dpd_timeout_job_t *dpd_timeout_job_create(ike_sa_id_t *ike_sa_id)
110 {
111 private_dpd_timeout_job_t *this;
112
113 INIT(this,
114 .public = {
115 .job_interface = {
116 .execute = _execute,
117 .get_priority = _get_priority,
118 .destroy = _destroy,
119 },
120 },
121 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
122 .check = time_monotonic(NULL),
123 );
124
125 return &this->public;
126 }
strongSwan - IPsec VPN