/** Default priority of installed policies */
#define PRIO_BASE 512
-/** Default replay window size, if not set using charon.replay_window */
-#define DEFAULT_REPLAY_WINDOW 32
-
/** Default lifetime of an acquire XFRM state (in seconds) */
#define DEFAULT_ACQUIRE_LIFETIME 165
* Whether to track the history of a policy
*/
bool policy_history;
-
- /**
- * Size of the replay window, in packets (= bits)
- */
- u_int32_t replay_window;
-
- /**
- * Size of the replay window bitmap, in number of __u32 blocks
- */
- u_int32_t replay_bmp;
};
typedef struct route_entry_t route_entry_t;
}
/**
- * Return the length of the ESN bitmap
- */
-static inline size_t esn_bmp_len(private_kernel_netlink_ipsec_t *this)
-{
- return this->replay_bmp * sizeof(u_int32_t);
-}
-
-/**
* Convert the general ipsec mode to the one defined in xfrm.h
*/
static u_int8_t mode2kernel(ipsec_mode_t mode)
if (protocol != IPPROTO_COMP)
{
- if (esn || this->replay_window > DEFAULT_REPLAY_WINDOW)
+ if (esn || replay_window > 32)
{
/* for ESN or larger replay windows we need the new
* XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
struct xfrm_replay_state_esn *replay;
+ u_int32_t bmp_size;
+ bmp_size = round_up(replay_window, sizeof(u_int32_t) * 8) / 8;
replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
- sizeof(*replay) + esn_bmp_len(this));
+ sizeof(*replay) + bmp_size);
if (!replay)
{
goto failed;
}
/* bmp_len contains number uf __u32's */
- replay->bmp_len = this->replay_bmp;
- replay->replay_window = this->replay_window;
- DBG2(DBG_KNL, " using replay window of %u packets",
- this->replay_window);
+ replay->bmp_len = bmp_size / sizeof(u_int32_t);
+ replay->replay_window = replay_window;
+ DBG2(DBG_KNL, " using replay window of %u packets", replay_window);
if (esn)
{
}
else
{
- DBG2(DBG_KNL, " using replay window of %u packets",
- this->replay_window);
- sa->replay_window = this->replay_window;
+ DBG2(DBG_KNL, " using replay window of %u packets", replay_window);
+ sa->replay_window = replay_window;
}
}
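Review bot: `replay_window` is now a caller-supplied u_int32_t, but the ESN branch derives `bmp_size` from it with `round_up` and no upper bound, so a value near UINT32_MAX wraps to a small bitmap whose `bmp_len` no longer covers `replay_window`, and a merely large value only fails later inside netlink_reserve, far from the cause. Add a range check ahead of the reserve, e.g. `if (replay_window > XFRMA_REPLAY_ESN_MAX) { goto failed; }` (the kernel's own ESN window limit from xfrm.h, if the header in use provides it), with a DBG1 line naming the rejected value so a misconfigured window is diagnosable rather than a silent SA install failure. The enclosing add_sa() and the new `replay_window` parameter's declaration are outside this hunk.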
u_int32_t spi, u_int8_t protocol,
host_t *dst, mark_t mark,
struct xfrm_replay_state_esn **replay_esn,
+ u_int32_t *replay_esn_len,
struct xfrm_replay_state **replay)
{
netlink_buf_t request;
break;
}
if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
- RTA_PAYLOAD(rta) >= sizeof(**replay_esn) + esn_bmp_len(this))
+ RTA_PAYLOAD(rta) >= sizeof(**replay_esn))
{
*replay_esn = malloc(RTA_PAYLOAD(rta));
+ *replay_esn_len = RTA_PAYLOAD(rta);
memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
break;
}
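Review bot: The relaxed condition `RTA_PAYLOAD(rta) >= sizeof(**replay_esn)` only guarantees the fixed header; the bitmap length the attribute itself claims in `bmp_len` is no longer checked against the payload, whereas the removed `esn_bmp_len(this)` term did bound it. Since `*replay_esn_len` and the copied blob are later handed back to the kernel verbatim in update_sa (the `netlink_reserve(..., replay_esn_len)` / `memcpy(state, replay_esn, replay_esn_len)` hunk below), a state whose `bmp_len` exceeds the payload would be re-submitted as-is, so validate it here before accepting the attribute. The `malloc` on the following line is also still unchecked before `memcpy`, though that predates this change; and `*replay_esn_len` is assigned only on this branch, so initialize it at the top of get_replay_state (outside the hunk) to 0.
```c
if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
	RTA_PAYLOAD(rta) >= sizeof(**replay_esn) &&
	/* the attribute's own bmp_len must fit in what was actually received */
	(RTA_PAYLOAD(rta) - sizeof(**replay_esn)) / sizeof(u_int32_t) >=
		((struct xfrm_replay_state_esn *)RTA_DATA(rta))->bmp_len)
{
	/* … unchanged: malloc, replay_esn_len assignment, memcpy, break … */
```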
struct xfrm_encap_tmpl* tmpl = NULL;
struct xfrm_replay_state *replay = NULL;
struct xfrm_replay_state_esn *replay_esn = NULL;
+ u_int32_t replay_esn_len;
status_t status = FAILED;
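Review bot: `u_int32_t replay_esn_len;` is declared without an initializer and is only written when get_replay_state finds an ESN attribute; its later uses appear to be guarded by `replay_esn` being non-NULL, so this is not a bug today, but the coupling is implicit and a future reordering would read an indeterminate value. Prefer `u_int32_t replay_esn_len = 0;`, matching the `= NULL` initializers on the two replay pointers just above it. The enclosing update_sa() starts outside this hunk.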
/* if IPComp is used, we first update the IPComp SA */
goto failed;
}
- get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay);
+ get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay_esn_len, &replay);
/* delete the old SA (without affecting the IPComp SA) */
if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
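Review bot: The new `get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay_esn_len, &replay);` call is noticeably longer than the surrounding lines, while the rest of this file wraps long argument lists (see the get_replay_state prototype a few hunks up); wrap it after `mark,` so the two output pointers sit on their own continuation line. A comment on the declaration side stating that `replay_esn_len` is the full attribute length in bytes, header included, would also save the reader from working that out from the memcpy in the next hunk.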
struct xfrm_replay_state_esn *state;
state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
- sizeof(*state) + esn_bmp_len(this));
+ replay_esn_len);
if (!state)
{
goto failed;
}
- memcpy(state, replay_esn, sizeof(*state) + esn_bmp_len(this));
+ memcpy(state, replay_esn, replay_esn_len);
}
else if (replay)
{
.policy_history = TRUE,
.install_routes = lib->settings->get_bool(lib->settings,
"%s.install_routes", TRUE, lib->ns),
- .replay_window = lib->settings->get_int(lib->settings,
- "%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
);
- this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) /
- (sizeof(u_int32_t) * 8);
-
if (streq(lib->ns, "starter"))
{ /* starter has no threads, so we do not register for kernel events */
register_for_events = FALSE;