kernel-netlink: Only flush SAs of types we actually manage
authorTobias Brunner <tobias@strongswan.org>
Thu, 13 Aug 2015 08:34:47 +0000 (10:34 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 21 Aug 2015 16:27:05 +0000 (18:27 +0200)
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 2958b59..8ea2914 100644 (file)
@@ -2024,23 +2024,36 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
        netlink_buf_t request;
        struct nlmsghdr *hdr;
        struct xfrm_usersa_flush *flush;
+       struct {
+               u_int8_t proto;
+               char *name;
+       } protos[] = {
+               { IPPROTO_AH, "AH" },
+               { IPPROTO_ESP, "ESP" },
+               { IPPROTO_COMP, "IPComp" },
+       };
+       int i;
 
        memset(&request, 0, sizeof(request));
 
-       DBG2(DBG_KNL, "flushing all SAD entries");
-
        hdr = &request.hdr;
        hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
        hdr->nlmsg_type = XFRM_MSG_FLUSHSA;
        hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
 
        flush = NLMSG_DATA(hdr);
-       flush->proto = IPSEC_PROTO_ANY;
 
-       if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+       for (i = 0; i < countof(protos); i++)
        {
-               DBG1(DBG_KNL, "unable to flush SAD entries");
-               return FAILED;
+               DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
+
+               flush->proto = protos[i].proto;
+
+               if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+               {
+                       DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
+                       return FAILED;
+               }
        }
        return SUCCESS;
 }
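Review bot: The `name` member of the new `protos` table only ever points at string literals, so it should be declared `const char *name;` rather than `char *name;` — writing through it would be undefined behaviour and the const makes the table's read-only intent explicit. The loop index `int i` is compared against `countof(protos)`, which is derived from `sizeof` and therefore unsigned, so `-Wsign-compare` builds will warn here; `size_t i` (or whatever the file uses elsewhere with `countof`) avoids that. Note also that a failed `send_ack` for one protocol returns FAILED immediately, leaving any later entries in the table unflushed — if the intent is a best-effort flush of all managed SA types, the loop could record the failure and continue, returning the aggregate status after the loop. The `flush_sas` signature and the start of its body lie outside this hunk.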