Many of the messages sent by the kernel, including confirmations to our
requests, are sent as broadcasts to all PF_KEY sockets. So if an
external tool is used to manage SAs/policies (e.g. unrelated to IPsec)
the receive buffer might be filled, resulting in errors like these:
error sending to PF_KEY socket: No buffer space available
To avoid this, just clear the buffer before sending any message.
Fixes #3225.
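The commit message above describes the mechanism but not what a drain routine should do with the various outcomes of a non-blocking recv(). The following is an added example, not strongSwan code and not part of this commit: it implements the same "empty the queue before sending" idea on an AF_UNIX datagram socketpair (an assumed stand-in for the PF_KEY socket, so it runs unprivileged), treats EINTR as "retry", EAGAIN/EWOULDBLOCK as the normal "queue is empty" exit, and anything else as a real error, and then confirms the queue is actually empty afterwards. The queued messages are constructed placeholders for the kernel broadcasts the text refers to.

```c
/* Added example (not strongSwan code): drain pending datagrams from a socket
 * without blocking, then verify the queue is empty. The socketpair is an
 * assumed stand-in for a PF_KEY socket (socket(PF_KEY, SOCK_RAW, PF_KEY_V2)),
 * which needs privileges and a kernel with PF_KEY support. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Discard every message queued on fd without blocking.
 * Returns the number of messages discarded, or -1 if recv() failed with
 * something other than "nothing left" (errno is left set in that case). */
static int drain_socket(int fd)
{
    char buf[4096];
    int discarded = 0;

    for (;;)
    {
        ssize_t len = recv(fd, buf, sizeof(buf), MSG_DONTWAIT);

        if (len < 0)
        {
            if (errno == EINTR)
            {   /* interrupted by a signal, try again */
                continue;
            }
            if (errno == EAGAIN || errno == EWOULDBLOCK)
            {   /* queue is empty: this is the normal way out */
                return discarded;
            }
            /* EBADF, ENOTSOCK, ...: a real failure, report it to the caller */
            return -1;
        }
        /* len == 0 is a zero-length datagram on SOCK_DGRAM, count it too */
        discarded++;
    }
}

/* Queue n constructed placeholder "broadcast" messages on one end of the pair. */
static int queue_messages(int fd, int n)
{
    const char msg[] = "constructed stand-in for an unrelated kernel broadcast";
    int i;

    for (i = 0; i < n; i++)
    {
        if (send(fd, msg, sizeof(msg), 0) < 0)
        {
            return -1;
        }
    }
    return n;
}

/* Fill the receive side with 5 messages, drain it, and confirm a further
 * non-blocking recv() reports an empty queue. Returns the number drained on
 * success (5), or -1 if any step failed. */
int run_demo(void)
{
    int sv[2];
    char buf[64];
    int drained, empty;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
    {
        return -1;
    }
    if (queue_messages(sv[0], 5) != 5)
    {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    drained = drain_socket(sv[1]);
    empty = (recv(sv[1], buf, sizeof(buf), MSG_DONTWAIT) < 0 &&
             (errno == EAGAIN || errno == EWOULDBLOCK));
    close(sv[0]);
    close(sv[1]);
    return (drained == 5 && empty) ? drained : -1;
}

int main(void)
{
    int n = run_demo();

    printf("drained %d messages, queue now empty\n", n);
    return n < 0;
}
```

The distinction between EAGAIN and other errors is the part worth keeping: a drain loop that breaks on any errno also hides a closed or invalid descriptor, and the failure then only shows up later as a confusing error on the subsequent send.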
this->mutex_pfkey->lock(this->mutex_pfkey);
+ /* the kernel may broadcast messages not related to our requests (e.g. when
+ * managing SAs and policies via an external tool), so let's clear the
+ * receive buffer so there is room for our request and its reply. */
+ while (TRUE)
+ {
+ len = recv(socket, buf, sizeof(buf), MSG_DONTWAIT);
+
+ if (len < 0)
+ {
+ if (errno == EINTR)
+ { /* interrupted, try again */
+ continue;
+ }
+ break;
+ }
+ }
+
/* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
* in particular the behavior in response to an SADB_ACQUIRE. */
in->sadb_msg_seq = ++this->seq;
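Review bot: the drain loop added after the `this->mutex_pfkey->lock(this->mutex_pfkey);` line exits on every non-EINTR recv() error alike, so a genuine failure (a bad descriptor, for instance) is swallowed along with the EAGAIN/EWOULDBLOCK that signals the queue is simply empty and the send that follows will then fail for a reason that is harder to diagnose. Suggest treating `errno == EAGAIN || errno == EWOULDBLOCK` as the normal exit and logging anything else before breaking, e.g. replacing the bare `break;` with a branch that records `strerror(errno)` at debug level. Two smaller points: a zero-length return is not an error here and the loop correctly keeps going, which is worth stating in the comment; and since everything read is discarded, please confirm that `socket` is the request socket only and not the descriptor that delivers events, otherwise notifications such as the SADB_ACQUIRE the FIXME below refers to would be thrown away along with the unrelated broadcasts.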