Set the packet and byte limits in the netlink and pfkey kernel interfaces.
authorTobias Brunner <tobias@strongswan.org>
Thu, 27 Aug 2009 14:07:30 +0000 (16:07 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 1 Sep 2009 10:53:44 +0000 (12:53 +0200)
src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index afdf7ed..0758c96 100644 (file)
 #define PRIO_HIGH 2000
 
 /**
+ * map the limit for bytes and packets to XFRM_INF per default
+ */
+#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
+
+/**
  * Create ORable bitfield of XFRM NL groups
  */
 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
@@ -788,6 +793,7 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
                                process_mapping(this, hdr);
                                break;
                        default:
+                               DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
                                break;
                }
                hdr = NLMSG_NEXT(hdr, len);
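Review bot: The DBG1 added to the default branch fires once per netlink message whose type the switch does not handle, at the default log level; whether that is a rare condition or a steady stream depends on which XFRMNLGRP groups the event socket subscribes to, which is outside this hunk. If any subscribed group delivers types that are deliberately ignored here, the log will fill with this line. Consider `DBG2(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);` or add a short comment stating that the subscribed groups only deliver the handled types. receive_events starts and ends outside the hunk.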
@@ -965,11 +971,10 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
        }
        sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
        sa->reqid = reqid;
-       /* we currently do not expire SAs by volume/packet count */
-       sa->lft.soft_byte_limit = XFRM_INF;
-       sa->lft.hard_byte_limit = XFRM_INF;
-       sa->lft.soft_packet_limit = XFRM_INF;
-       sa->lft.hard_packet_limit = XFRM_INF;
+       sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->rekey_bytes);
+       sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->life_bytes);
+       sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->rekey_packets);
+       sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->life_packets);
        /* we use lifetimes since added, not since used */
        sa->lft.soft_add_expires_seconds = lifetime->rekey_time;
        sa->lft.hard_add_expires_seconds = lifetime->life_time;
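Review bot: The four XFRM_LIMIT() assignments encode a convention that is not visible at the call site: a configured value of 0 becomes XFRM_INF (no limit), so a zero life_bytes with a nonzero rekey_bytes yields a finite soft limit and an unlimited hard limit, and the reverse yields a hard expiry with no soft rekey event before it. Nothing here checks that soft <= hard when both are nonzero; if that is enforced where the lifetime_cfg is built, a one-line comment would help, e.g. `/* 0 means "no limit" in the config; XFRM_LIMIT() maps it to XFRM_INF */`. The macro also evaluates its argument twice, which is harmless for these plain member reads but would bite a caller passing an expression with side effects; a `static inline` helper would avoid that. The types of the lifetime fields and the start of add_sa are outside the hunk.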
index a37a1b0..4eff8e2 100644 (file)
@@ -1287,13 +1287,19 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+       lft->sadb_lifetime_allocations = lifetime->rekey_packets;
+       lft->sadb_lifetime_bytes = lifetime->rekey_bytes;
        lft->sadb_lifetime_addtime = lifetime->rekey_time;
+       lft->sadb_lifetime_usetime = 0; /* we only use addtime */
        PFKEY_EXT_ADD(msg, lft);
        
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+       lft->sadb_lifetime_allocations = lifetime->life_packets;
+       lft->sadb_lifetime_bytes = lifetime->life_bytes;
        lft->sadb_lifetime_addtime = lifetime->life_time;
+       lft->sadb_lifetime_usetime = 0; /* we only use addtime */
        PFKEY_EXT_ADD(msg, lft);
        
        if (enc_alg != ENCR_UNDEFINED)
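Review bot: The new sadb_lifetime_allocations and sadb_lifetime_bytes assignments pass the configured values through unchanged, whereas the netlink side of this commit explicitly maps 0 to "infinite"; here a 0 in the config reaches the kernel as 0, which relies on the PF_KEY implementation interpreting a zero lifetime as "no limit" rather than as an immediately expired SA. I believe KAME-derived stacks do treat 0 that way, but it should be stated next to the assignments, e.g. `/* 0 means "no limit" for PF_KEY lifetimes */`. The comment `/* we only use addtime */` is repeated on both the SOFT and HARD blocks; one comment above the first lifetime extension would cover both. Whether the struct is zeroed before these fields are filled is not visible, so the explicit `sadb_lifetime_usetime = 0` is a sensible defensive default. add_sa begins outside the hunk.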