child-cfg: Use struct to pass data to constructor
authorTobias Brunner <tobias@strongswan.org>
Mon, 4 Apr 2016 14:09:23 +0000 (16:09 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 9 Apr 2016 14:51:01 +0000 (16:51 +0200)
16 files changed:
src/charon-cmd/cmd/cmd_connection.c
src/charon-nm/nm/nm_service.c
src/conftest/config.c
src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
src/frontends/osx/charon-xpc/xpc_dispatch.c
src/libcharon/config/child_cfg.c
src/libcharon/config/child_cfg.h
src/libcharon/plugins/ha/ha_tunnel.c
src/libcharon/plugins/load_tester/load_tester_config.c
src/libcharon/plugins/maemo/maemo_service.c
src/libcharon/plugins/medcli/medcli_config.c
src/libcharon/plugins/sql/sql_config.c
src/libcharon/plugins/stroke/stroke_config.c
src/libcharon/plugins/uci/uci_config.c
src/libcharon/plugins/unity/unity_handler.c
src/libcharon/plugins/vici/vici_config.c

index 23e2b09..48e7dd3 100644 (file)
@@ -335,18 +335,18 @@ static child_cfg_t* create_child_cfg(private_cmd_connection_t *this,
        traffic_selector_t *ts;
        proposal_t *proposal;
        bool has_v4 = FALSE, has_v6 = FALSE;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = 10800 /* 3h */,
-                       .rekey = 10200 /* 2h50min */,
-                       .jitter = 300 /* 5min */
-               }
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = 10800 /* 3h */,
+                               .rekey = 10200 /* 2h50min */,
+                               .jitter = 300 /* 5min */
+                       }
+               },
+               .mode = MODE_TUNNEL,
        };
 
-       child_cfg = child_cfg_create("cmd", &lifetime,
-                                                                NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
-                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
-                                                                0, 0, NULL, NULL, 0);
+       child_cfg = child_cfg_create("cmd", &child);
        if (this->child_proposals->get_count(this->child_proposals))
        {
                while (this->child_proposals->remove_first(this->child_proposals,
index 4cbf8d0..f6ef9ec 100644 (file)
@@ -289,7 +289,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        NMSettingVPN *vpn;
        identification_t *user = NULL, *gateway = NULL;
        const char *address, *str;
-       bool virtual, encap, ipcomp;
+       bool virtual, encap;
        ike_cfg_t *ike_cfg;
        peer_cfg_t *peer_cfg;
        child_cfg_t *child_cfg;
@@ -300,12 +300,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        certificate_t *cert = NULL;
        x509_t *x509;
        bool agent = FALSE, smartcard = FALSE, loose_gateway_id = FALSE;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = 10800 /* 3h */,
-                       .rekey = 10200 /* 2h50min */,
-                       .jitter = 300 /* 5min */
-               }
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = 10800 /* 3h */,
+                               .rekey = 10200 /* 2h50min */,
+                               .jitter = 300 /* 5min */
+                       },
+               },
+               .mode = MODE_TUNNEL,
        };
 
        /**
@@ -339,32 +342,29 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                return FALSE;
        }
        str = nm_setting_vpn_get_data_item(vpn, "virtual");
-       virtual = str && streq(str, "yes");
+       virtual = streq(str, "yes");
        str = nm_setting_vpn_get_data_item(vpn, "encap");
-       encap = str && streq(str, "yes");
+       encap = streq(str, "yes");
        str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
-       ipcomp = str && streq(str, "yes");
+       child.ipcomp = streq(str, "yes");
        str = nm_setting_vpn_get_data_item(vpn, "method");
-       if (str)
+       if (streq(str, "psk"))
        {
-               if (streq(str, "psk"))
-               {
-                       auth_class = AUTH_CLASS_PSK;
-               }
-               else if (streq(str, "agent"))
-               {
-                       auth_class = AUTH_CLASS_PUBKEY;
-                       agent = TRUE;
-               }
-               else if (streq(str, "key"))
-               {
-                       auth_class = AUTH_CLASS_PUBKEY;
-               }
-               else if (streq(str, "smartcard"))
-               {
-                       auth_class = AUTH_CLASS_PUBKEY;
-                       smartcard = TRUE;
-               }
+               auth_class = AUTH_CLASS_PSK;
+       }
+       else if (streq(str, "agent"))
+       {
+               auth_class = AUTH_CLASS_PUBKEY;
+               agent = TRUE;
+       }
+       else if (streq(str, "key"))
+       {
+               auth_class = AUTH_CLASS_PUBKEY;
+       }
+       else if (streq(str, "smartcard"))
+       {
+               auth_class = AUTH_CLASS_PUBKEY;
+               smartcard = TRUE;
        }
 
        /**
@@ -561,10 +561,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
-       child_cfg = child_cfg_create(priv->name, &lifetime,
-                                                                NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
-                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE, ipcomp,
-                                                                0, 0, NULL, NULL, 0);
+       child_cfg = child_cfg_create(priv->name, &child);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
        ts = traffic_selector_create_dynamic(0, 0, 65535);
index 907bed9..46a21b3 100644 (file)
@@ -139,25 +139,23 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
 static child_cfg_t *load_child_config(private_config_t *this,
                                                        settings_t *settings, char *config, char *child)
 {
+       child_cfg_create_t data = {
+               .mode = MODE_TUNNEL,
+       };
        child_cfg_t *child_cfg;
-       lifetime_cfg_t lifetime = {};
        enumerator_t *enumerator;
        proposal_t *proposal;
        traffic_selector_t *ts;
-       ipsec_mode_t mode = MODE_TUNNEL;
        char *token;
-       uint32_t tfc;
 
        if (settings->get_bool(settings, "configs.%s.%s.transport",
                                                   FALSE, config, child))
        {
-               mode = MODE_TRANSPORT;
+               data.mode = MODE_TRANSPORT;
        }
-       tfc = settings->get_int(settings, "configs.%s.%s.tfc_padding",
-                                                       0, config, child);
-       child_cfg = child_cfg_create(child, &lifetime, NULL, FALSE, mode,
-                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE,
-                                                                FALSE, 0, 0, NULL, NULL, tfc);
+       data.tfc = settings->get_int(settings, "configs.%s.%s.tfc_padding",
+                                                                 0, config, child);
+       child_cfg = child_cfg_create(child, &data);
 
        token = settings->get_str(settings, "configs.%s.%s.proposal",
                                                          NULL, config, child);
index eb3758d..ba5c9e2 100644 (file)
@@ -673,12 +673,17 @@ static job_requeue_t initiate(private_android_service_t *this)
        traffic_selector_t *ts;
        ike_sa_t *ike_sa;
        auth_cfg_t *auth;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = 3600, /* 1h */
-                       .rekey = 3000, /* 50min */
-                       .jitter = 300 /* 5min */
-               }
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = 3600, /* 1h */
+                               .rekey = 3000, /* 50min */
+                               .jitter = 300 /* 5min */
+                       },
+               },
+               .mode = MODE_TUNNEL,
+               .dpd_action = ACTION_RESTART,
+               .close_action = ACTION_RESTART,
        };
        char *type, *server;
        int port;
@@ -731,9 +736,7 @@ static job_requeue_t initiate(private_android_service_t *this)
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
-       child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
-                                                                ACTION_NONE, ACTION_RESTART, ACTION_RESTART,
-                                                                FALSE, 0, 0, NULL, NULL, 0);
+       child_cfg = child_cfg_create("android", &child);
        /* create ESP proposals with and without DH groups, let responder decide
         * if PFS is used */
        child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
index 2e84b0e..c8079cc 100644 (file)
@@ -125,18 +125,18 @@ static child_cfg_t* create_child_cfg(char *name)
 {
        child_cfg_t *child_cfg;
        traffic_selector_t *ts;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = 10800 /* 3h */,
-                       .rekey = 10200 /* 2h50min */,
-                       .jitter = 300 /* 5min */
-               }
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = 10800 /* 3h */,
+                               .rekey = 10200 /* 2h50min */,
+                               .jitter = 300 /* 5min */
+                       },
+               },
+               .mode = MODE_TUNNEL,
        };
 
-       child_cfg = child_cfg_create(name, &lifetime,
-                                                                NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
-                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
-                                                                0, 0, NULL, NULL, 0);
+       child_cfg = child_cfg_create(name, &child);
        child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
                                                                                "aes128gcm8-aes128gcm12-aes128gcm16-"
                                                                                "aes256gcm8-aes256gcm12-aes256gcm16"));
index 8e5c522..1a84d30 100644 (file)
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -512,13 +512,6 @@ METHOD(child_cfg_t, set_replay_window, void,
        this->replay_window = replay_window;
 }
 
-METHOD(child_cfg_t, set_mipv6_options, void,
-       private_child_cfg_t *this, bool proxy_mode, bool install_policy)
-{
-       this->proxy_mode = proxy_mode;
-       this->install_policy = install_policy;
-}
-
 METHOD(child_cfg_t, use_proxy_mode, bool,
        private_child_cfg_t *this)
 {
@@ -609,12 +602,7 @@ METHOD(child_cfg_t, destroy, void,
 /*
  * Described in header-file
  */
-child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
-                                                         char *updown, bool hostaccess,
-                                                         ipsec_mode_t mode, action_t start_action,
-                                                         action_t dpd_action, action_t close_action,
-                                                         bool ipcomp, uint32_t inactivity, uint32_t reqid,
-                                                         mark_t *mark_in, mark_t *mark_out, uint32_t tfc)
+child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 {
        private_child_cfg_t *this;
 
@@ -634,7 +622,6 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
                        .get_close_action = _get_close_action,
                        .get_lifetime = _get_lifetime,
                        .get_dh_group = _get_dh_group,
-                       .set_mipv6_options = _set_mipv6_options,
                        .use_ipcomp = _use_ipcomp,
                        .get_inactivity = _get_inactivity,
                        .get_reqid = _get_reqid,
@@ -649,35 +636,28 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
                        .destroy = _destroy,
                },
                .name = strdup(name),
-               .updown = strdupnull(updown),
-               .hostaccess = hostaccess,
-               .mode = mode,
-               .start_action = start_action,
-               .dpd_action = dpd_action,
-               .close_action = close_action,
-               .use_ipcomp = ipcomp,
-               .inactivity = inactivity,
-               .reqid = reqid,
-               .proxy_mode = FALSE,
-               .install_policy = TRUE,
+               .updown = strdupnull(data->updown),
+               .hostaccess = data->hostaccess,
+               .reqid = data->reqid,
+               .mode = data->mode,
+               .proxy_mode = data->proxy_mode,
+               .start_action = data->start_action,
+               .dpd_action = data->dpd_action,
+               .close_action = data->close_action,
+               .mark_in = data->mark_in,
+               .mark_out = data->mark_out,
+               .lifetime = data->lifetime,
+               .inactivity = data->inactivity,
+               .use_ipcomp = data->ipcomp,
+               .tfc = data->tfc,
+               .install_policy = !data->suppress_policies,
                .refcount = 1,
                .proposals = linked_list_create(),
                .my_ts = linked_list_create(),
                .other_ts = linked_list_create(),
-               .tfc = tfc,
                .replay_window = lib->settings->get_int(lib->settings,
-                               "%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
+                                                       "%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
        );
 
-       if (mark_in)
-       {
-               this->mark_in = *mark_in;
-       }
-       if (mark_out)
-       {
-               this->mark_out = *mark_out;
-       }
-       memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));
-
        return &this->public;
 }
index 0281f5a..4eecbf1 100644 (file)
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -25,6 +25,7 @@
 
 typedef enum action_t action_t;
 typedef struct child_cfg_t child_cfg_t;
+typedef struct child_cfg_create_t child_cfg_create_t;
 
 #include <library.h>
 #include <selectors/traffic_selector.h>
@@ -249,15 +250,6 @@ struct child_cfg_t {
        void (*set_replay_window)(child_cfg_t *this, uint32_t window);
 
        /**
-        * Sets two options needed for Mobile IPv6 interoperability.
-        *
-        * @param proxy_mode    use IPsec transport proxy mode (default FALSE)
-        * @param install_policy install IPsec kernel policies (default TRUE)
-        */
-       void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mode,
-                                                                                                bool install_policy);
-
-       /**
         * Check whether IPsec transport SA should be set up in proxy mode.
         *
         * @return                              TRUE, if proxy mode should be used
@@ -297,38 +289,52 @@ struct child_cfg_t {
        void (*destroy) (child_cfg_t *this);
 };
 
+
+/**
+ * Data passed to the constructor of a child_cfg_t object.
+ */
+struct child_cfg_create_t {
+       /** Specific reqid to use for CHILD_SA, 0 for auto assignment */
+       uint32_t reqid;
+       /** Optional inbound mark */
+       mark_t mark_in;
+       /** Optional outbound mark */
+       mark_t mark_out;
+       /** Mode to propose for CHILD_SA */
+       ipsec_mode_t mode;
+       /** Use IPsec transport proxy mode */
+       bool proxy_mode;
+       /** Use IPComp, if peer supports it */
+       bool ipcomp;
+       /** TFC padding size, 0 to disable, -1 to pad to PMTU */
+       uint32_t tfc;
+       /** lifetime_cfg_t for this child_cfg */
+       lifetime_cfg_t lifetime;
+       /** Inactivity timeout in s before closing a CHILD_SA */
+       uint32_t inactivity;
+       /** Start action */
+       action_t start_action;
+       /** DPD action */
+       action_t dpd_action;
+       /** Close action */
+       action_t close_action;
+       /** updown script to execute on up/down event (cloned) */
+       char *updown;
+       /** TRUE to allow access to the local host */
+       bool hostaccess;
+       /** Don't install IPsec policies */
+       bool suppress_policies;
+};
+
 /**
  * Create a configuration template for CHILD_SA setup.
  *
- * The "name" string gets cloned.
- *
- * The lifetime_cfg_t object gets cloned.
- * To prevent two peers to start rekeying at the same time, a jitter may be
- * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
- *
  * After a call to create, a reference is obtained (refcount = 1).
  *
- * @param name                         name of the child_cfg
- * @param lifetime                     lifetime_cfg_t for this child_cfg
- * @param updown                       updown script to execute on up/down event
- * @param hostaccess           TRUE to allow access to the local host
- * @param mode                         mode to propose for CHILD_SA, transport, tunnel or BEET
- * @param start_action         start action
- * @param dpd_action           DPD action
- * @param close_action         close action
- * @param ipcomp                       use IPComp, if peer supports it
- * @param inactivity           inactivity timeout in s before closing a CHILD_SA
- * @param reqid                                specific reqid to use for CHILD_SA, 0 for auto assign
- * @param mark_in                      optional inbound mark (can be NULL)
- * @param mark_out                     optional outbound mark (can be NULL)
- * @param tfc                          TFC padding size, 0 to disable, -1 to pad to PMTU
+ * @param name                         name of the child_cfg (cloned)
+ * @param data                         data for this child_cfg
  * @return                                     child_cfg_t object
  */
-child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
-                                                         char *updown, bool hostaccess,
-                                                         ipsec_mode_t mode, action_t start_action,
-                                                         action_t dpd_action, action_t close_action,
-                                                         bool ipcomp, uint32_t inactivity, uint32_t reqid,
-                                                         mark_t *mark_in, mark_t *mark_out, uint32_t tfc);
+child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
 
 #endif /** CHILD_CFG_H_ @}*/
index fd8e646..fc956ac 100644 (file)
@@ -183,10 +183,13 @@ static void setup_tunnel(private_ha_tunnel_t *this,
        auth_cfg_t *auth_cfg;
        child_cfg_t *child_cfg;
        traffic_selector_t *ts;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = 21600, .rekey = 20400, .jitter = 400,
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = 21600, .rekey = 20400, .jitter = 400,
+                       },
                },
+               .mode = MODE_TRANSPORT,
        };
 
        /* setup credentials */
@@ -224,9 +227,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
                                  identification_create_from_string(remote));
        peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
 
-       child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
-                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
-                                                                0, 0, NULL, NULL, 0);
+       child_cfg = child_cfg_create("ha", &child);
        ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
        ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
index 9366556..efef3fb 100644 (file)
@@ -688,13 +688,15 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
        peer_cfg_t *peer_cfg;
        char local[32], *remote;
        host_t *addr;
-       ipsec_mode_t mode = MODE_TUNNEL;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = this->child_rekey * 2,
-                       .rekey = this->child_rekey,
-                       .jitter = 0
-               }
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = this->child_rekey * 2,
+                               .rekey = this->child_rekey,
+                               .jitter = 0
+                       },
+               },
+               .mode = MODE_TUNNEL,
        };
 
        if (num)
@@ -768,17 +770,15 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
        {
                if (streq(this->mode, "transport"))
                {
-                       mode = MODE_TRANSPORT;
+                       child.mode = MODE_TRANSPORT;
                }
                else if (streq(this->mode, "beet"))
                {
-                       mode = MODE_BEET;
+                       child.mode = MODE_BEET;
                }
        }
 
-       child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, mode,
-                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
-                                                                0, 0, NULL, NULL, 0);
+       child_cfg = child_cfg_create("load-test", &child);
        child_cfg->add_proposal(child_cfg, this->esp->clone(this->esp));
 
        if (num)
index 2e96f8f..db0ce2c 100644 (file)
@@ -236,12 +236,15 @@ static gboolean initiate_connection(private_maemo_service_t *this,
        traffic_selector_t *ts;
        auth_cfg_t *auth;
        certificate_t *cert;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = 10800, /* 3h */
-                       .rekey = 10200, /* 2h50min */
-                       .jitter = 300 /* 5min */
-               }
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = 10800, /* 3h */
+                               .rekey = 10200, /* 2h50min */
+                               .jitter = 300 /* 5min */
+                       },
+               },
+               .mode = MODE_TUNNEL,
        };
 
        if (this->status == VPN_STATUS_CONNECTED ||
@@ -348,9 +351,7 @@ static gboolean initiate_connection(private_maemo_service_t *this,
        auth->add(auth, AUTH_RULE_IDENTITY, gateway);
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
-       child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */,
-                                                                TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE,
-                                                                ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0);
+       child_cfg = child_cfg_create(this->current, &child);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
        ts = traffic_selector_create_dynamic(0, 0, 65535);
index 25b1383..d3476e9 100644 (file)
@@ -82,12 +82,15 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
        child_cfg_t *child_cfg;
        chunk_t me, other;
        char *address, *local_net, *remote_net;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = this->rekey * 60 + this->rekey,
-                       .rekey = this->rekey,
-                       .jitter = this->rekey
-               }
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = this->rekey * 60 + this->rekey,
+                               .rekey = this->rekey,
+                               .jitter = this->rekey
+                       },
+               },
+               .mode = MODE_TUNNEL,
        };
 
        /* query mediation server config:
@@ -165,9 +168,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
                          identification_create_from_encoding(ID_KEY_ID, other));
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
-       child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
-                                                                0, 0, NULL, NULL, 0);
+       child_cfg = child_cfg_create(name, &child);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
@@ -205,12 +206,15 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
        chunk_t me, other;
        child_cfg_t *child_cfg;
        auth_cfg_t *auth;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = this->rekey * 60 + this->rekey,
-                       .rekey = this->rekey,
-                       .jitter = this->rekey
-               }
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = this->rekey * 60 + this->rekey,
+                               .rekey = this->rekey,
+                               .jitter = this->rekey
+                       },
+               },
+               .mode = MODE_TUNNEL,
        };
 
        DESTROY_IF(this->current);
@@ -240,9 +244,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
                          identification_create_from_encoding(ID_KEY_ID, other));
        this->current->add_auth_cfg(this->current, auth, FALSE);
 
-       child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
-                                                                0, 0, NULL, NULL, 0);
+       child_cfg = child_cfg_create(name, &child);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
index ce24d18..25704b0 100644 (file)
@@ -170,12 +170,22 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
        if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, &updown,
                                                &hostaccess, &mode, &start, &dpd, &close, &ipcomp, &reqid))
        {
-               lifetime_cfg_t lft = {
-                       .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
+               child_cfg_create_t child = {
+                       .mode = mode,
+                       .reqid = reqid,
+                       .ipcomp = ipcomp,
+                       .lifetime = {
+                               .time = {
+                                       .life = lifetime, .rekey = rekeytime, .jitter = jitter
+                               },
+                       },
+                       .start_action = start,
+                       .dpd_action = dpd,
+                       .close_action = close,
+                       .updown = updown,
+                       .hostaccess = hostaccess,
                };
-               child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
-                                                                        start, dpd, close, ipcomp, 0, reqid,
-                                                                        NULL, NULL, 0);
+               child_cfg = child_cfg_create(name, &child);
                add_esp_proposals(this, child_cfg, id);
                add_traffic_selectors(this, child_cfg, id);
                return child_cfg;
index 0e6aee1..9789163 100644 (file)
@@ -1070,45 +1070,50 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                                                                        stroke_msg_t *msg)
 {
        child_cfg_t *child_cfg;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = msg->add_conn.rekey.ipsec_lifetime,
-                       .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
-                       .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = msg->add_conn.rekey.ipsec_lifetime,
+                               .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
+                               .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
+                       },
+                       .bytes = {
+                               .life = msg->add_conn.rekey.life_bytes,
+                               .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
+                               .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
+                       },
+                       .packets = {
+                               .life = msg->add_conn.rekey.life_packets,
+                               .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
+                               .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
+                       },
                },
-               .bytes = {
-                       .life = msg->add_conn.rekey.life_bytes,
-                       .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
-                       .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
+               .mark_in = {
+                       .value = msg->add_conn.mark_in.value,
+                       .mask = msg->add_conn.mark_in.mask
                },
-               .packets = {
-                       .life = msg->add_conn.rekey.life_packets,
-                       .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
-                       .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
-               }
-       };
-       mark_t mark_in = {
-               .value = msg->add_conn.mark_in.value,
-               .mask = msg->add_conn.mark_in.mask
-       };
-       mark_t mark_out = {
-               .value = msg->add_conn.mark_out.value,
-               .mask = msg->add_conn.mark_out.mask
+               .mark_out = {
+                       .value = msg->add_conn.mark_out.value,
+                       .mask = msg->add_conn.mark_out.mask
+               },
+               .reqid = msg->add_conn.reqid,
+               .mode = msg->add_conn.mode,
+               .proxy_mode = msg->add_conn.proxy_mode,
+               .ipcomp = msg->add_conn.ipcomp,
+               .tfc = msg->add_conn.tfc,
+               .inactivity = msg->add_conn.inactivity,
+               .dpd_action = map_action(msg->add_conn.dpd.action),
+               .close_action = map_action(msg->add_conn.close_action),
+               .updown = msg->add_conn.me.updown,
+               .hostaccess = msg->add_conn.me.hostaccess,
+               .suppress_policies = !msg->add_conn.install_policy,
        };
 
-       child_cfg = child_cfg_create(
-                               msg->add_conn.name, &lifetime, msg->add_conn.me.updown,
-                               msg->add_conn.me.hostaccess, msg->add_conn.mode, ACTION_NONE,
-                               map_action(msg->add_conn.dpd.action),
-                               map_action(msg->add_conn.close_action), msg->add_conn.ipcomp,
-                               msg->add_conn.inactivity, msg->add_conn.reqid,
-                               &mark_in, &mark_out, msg->add_conn.tfc);
+       child_cfg = child_cfg_create(msg->add_conn.name, &child);
        if (msg->add_conn.replay_window != -1)
        {
                child_cfg->set_replay_window(child_cfg, msg->add_conn.replay_window);
        }
-       child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
-                                                                                       msg->add_conn.install_policy);
        add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
        add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
 
index 2a8e403..8d76bb4 100644 (file)
@@ -126,12 +126,15 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
        child_cfg_t *child_cfg;
        ike_cfg_t *ike_cfg;
        auth_cfg_t *auth;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = create_rekey(esp_rekey) + 300,
-                       .rekey = create_rekey(esp_rekey),
-                       .jitter = 300
-               }
+       child_cfg_create_t child = {
+               .lifetime = {
+                       .time = {
+                               .life = create_rekey(esp_rekey) + 300,
+                               .rekey = create_rekey(esp_rekey),
+                               .jitter = 300
+                       },
+               },
+               .mode = MODE_TUNNEL,
        };
 
        /* defaults */
@@ -179,9 +182,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
                }
                this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
 
-               child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-                                                                        ACTION_NONE, ACTION_NONE, ACTION_NONE,
-                                                                        FALSE, 0, 0, NULL, NULL, 0);
+               child_cfg = child_cfg_create(name, &child);
                child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
                child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
                child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
index 9fc9be6..5707278 100644 (file)
@@ -206,7 +206,9 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 {
        enumerator_t *enumerator;
        child_cfg_t *child_cfg;
-       lifetime_cfg_t lft = { .time = { .life = 0 } };
+       child_cfg_create_t child = {
+               .mode = MODE_PASS,
+       };
        ike_sa_t *ike_sa;
        char name[128];
        host_t *host;
@@ -216,9 +218,7 @@ static job_requeue_t add_exclude_async(entry_t *entry)
        {
                create_shunt_name(ike_sa, entry->ts, name, sizeof(name));
 
-               child_cfg = child_cfg_create(name, &lft, NULL, TRUE, MODE_PASS,
-                                                                        ACTION_NONE, ACTION_NONE, ACTION_NONE,
-                                                                        FALSE, 0, 0, NULL, NULL, FALSE);
+               child_cfg = child_cfg_create(name, &child);
                child_cfg->add_traffic_selector(child_cfg, FALSE,
                                                                                entry->ts->clone(entry->ts));
                host = ike_sa->get_my_host(ike_sa);
index f95d157..f1c2fa8 100644 (file)
@@ -422,24 +422,12 @@ static void free_peer_data(peer_data_t *data)
  */
 typedef struct {
        request_data_t *request;
-       lifetime_cfg_t lft;
-       char* updown;
-       bool hostaccess;
-       bool ipcomp;
-       bool policies;
-       ipsec_mode_t mode;
-       uint32_t replay_window;
-       action_t dpd_action;
-       action_t start_action;
-       action_t close_action;
-       uint32_t reqid;
-       uint32_t tfc;
-       mark_t mark_in;
-       mark_t mark_out;
-       uint64_t inactivity;
        linked_list_t *proposals;
        linked_list_t *local_ts;
        linked_list_t *remote_ts;
+       uint32_t replay_window;
+       bool policies;
+       child_cfg_create_t cfg;
 } child_data_t;
 
 /**
@@ -447,35 +435,37 @@ typedef struct {
  */
 static void log_child_data(child_data_t *data, char *name)
 {
+       child_cfg_create_t *cfg = &data->cfg;
+
        DBG2(DBG_CFG, "  child %s:", name);
-       DBG2(DBG_CFG, "   rekey_time = %llu", data->lft.time.rekey);
-       DBG2(DBG_CFG, "   life_time = %llu", data->lft.time.life);
-       DBG2(DBG_CFG, "   rand_time = %llu", data->lft.time.jitter);
-       DBG2(DBG_CFG, "   rekey_bytes = %llu", data->lft.bytes.rekey);
-       DBG2(DBG_CFG, "   life_bytes = %llu", data->lft.bytes.life);
-       DBG2(DBG_CFG, "   rand_bytes = %llu", data->lft.bytes.jitter);
-       DBG2(DBG_CFG, "   rekey_packets = %llu", data->lft.packets.rekey);
-       DBG2(DBG_CFG, "   life_packets = %llu", data->lft.packets.life);
-       DBG2(DBG_CFG, "   rand_packets = %llu", data->lft.packets.jitter);
-       DBG2(DBG_CFG, "   updown = %s", data->updown);
-       DBG2(DBG_CFG, "   hostaccess = %u", data->hostaccess);
-       DBG2(DBG_CFG, "   ipcomp = %u", data->ipcomp);
-       DBG2(DBG_CFG, "   mode = %N", ipsec_mode_names, data->mode);
+       DBG2(DBG_CFG, "   rekey_time = %llu", cfg->lifetime.time.rekey);
+       DBG2(DBG_CFG, "   life_time = %llu", cfg->lifetime.time.life);
+       DBG2(DBG_CFG, "   rand_time = %llu", cfg->lifetime.time.jitter);
+       DBG2(DBG_CFG, "   rekey_bytes = %llu", cfg->lifetime.bytes.rekey);
+       DBG2(DBG_CFG, "   life_bytes = %llu", cfg->lifetime.bytes.life);
+       DBG2(DBG_CFG, "   rand_bytes = %llu", cfg->lifetime.bytes.jitter);
+       DBG2(DBG_CFG, "   rekey_packets = %llu", cfg->lifetime.packets.rekey);
+       DBG2(DBG_CFG, "   life_packets = %llu", cfg->lifetime.packets.life);
+       DBG2(DBG_CFG, "   rand_packets = %llu", cfg->lifetime.packets.jitter);
+       DBG2(DBG_CFG, "   updown = %s", cfg->updown);
+       DBG2(DBG_CFG, "   hostaccess = %u", cfg->hostaccess);
+       DBG2(DBG_CFG, "   ipcomp = %u", cfg->ipcomp);
+       DBG2(DBG_CFG, "   mode = %N", ipsec_mode_names, cfg->mode);
        DBG2(DBG_CFG, "   policies = %u", data->policies);
        if (data->replay_window != REPLAY_UNDEFINED)
        {
                DBG2(DBG_CFG, "   replay_window = %u", data->replay_window);
        }
-       DBG2(DBG_CFG, "   dpd_action = %N", action_names, data->dpd_action);
-       DBG2(DBG_CFG, "   start_action = %N", action_names, data->start_action);
-       DBG2(DBG_CFG, "   close_action = %N", action_names, data->close_action);
-       DBG2(DBG_CFG, "   reqid = %u", data->reqid);
-       DBG2(DBG_CFG, "   tfc = %d", data->tfc);
+       DBG2(DBG_CFG, "   dpd_action = %N", action_names, cfg->dpd_action);
+       DBG2(DBG_CFG, "   start_action = %N", action_names, cfg->start_action);
+       DBG2(DBG_CFG, "   close_action = %N", action_names, cfg->close_action);
+       DBG2(DBG_CFG, "   reqid = %u", cfg->reqid);
+       DBG2(DBG_CFG, "   tfc = %d", cfg->tfc);
        DBG2(DBG_CFG, "   mark_in = %u/%u",
-                data->mark_in.value, data->mark_in.mask);
+                cfg->mark_in.value, cfg->mark_in.mask);
        DBG2(DBG_CFG, "   mark_out = %u/%u",
-                data->mark_out.value, data->mark_out.mask);
-       DBG2(DBG_CFG, "   inactivity = %llu", data->inactivity);
+                cfg->mark_out.value, cfg->mark_out.mask);
+       DBG2(DBG_CFG, "   inactivity = %llu", cfg->inactivity);
        DBG2(DBG_CFG, "   proposals = %#P", data->proposals);
        DBG2(DBG_CFG, "   local_ts = %#R", data->local_ts);
        DBG2(DBG_CFG, "   remote_ts = %#R", data->remote_ts);
@@ -492,7 +482,7 @@ static void free_child_data(child_data_t *data)
                                                                        offsetof(traffic_selector_t, destroy));
        data->remote_ts->destroy_offset(data->remote_ts,
                                                                        offsetof(traffic_selector_t, destroy));
-       free(data->updown);
+       free(data->cfg.updown);
 }
 
 /**
@@ -1327,29 +1317,29 @@ CALLBACK(child_kv, bool,
        child_data_t *child, vici_message_t *message, char *name, chunk_t value)
 {
        parse_rule_t rules[] = {
-               { "updown",                     parse_string,           &child->updown                          },
-               { "hostaccess",         parse_bool,                     &child->hostaccess                      },
-               { "mode",                       parse_mode,                     &child->mode                            },
-               { "policies",           parse_bool,                     &child->policies                        },
-               { "replay_window",      parse_uint32,           &child->replay_window           },
-               { "rekey_time",         parse_time,                     &child->lft.time.rekey          },
-               { "life_time",          parse_time,                     &child->lft.time.life           },
-               { "rand_time",          parse_time,                     &child->lft.time.jitter         },
-               { "rekey_bytes",        parse_bytes,            &child->lft.bytes.rekey         },
-               { "life_bytes",         parse_bytes,            &child->lft.bytes.life          },
-               { "rand_bytes",         parse_bytes,            &child->lft.bytes.jitter        },
-               { "rekey_packets",      parse_uint64,           &child->lft.packets.rekey       },
-               { "life_packets",       parse_uint64,           &child->lft.packets.life        },
-               { "rand_packets",       parse_uint64,           &child->lft.packets.jitter      },
-               { "dpd_action",         parse_action,           &child->dpd_action                      },
-               { "start_action",       parse_action,           &child->start_action            },
-               { "close_action",       parse_action,           &child->close_action            },
-               { "ipcomp",                     parse_bool,                     &child->ipcomp                          },
-               { "inactivity",         parse_time,                     &child->inactivity                      },
-               { "reqid",                      parse_uint32,           &child->reqid                           },
-               { "mark_in",            parse_mark,                     &child->mark_in                         },
-               { "mark_out",           parse_mark,                     &child->mark_out                        },
-               { "tfc_padding",        parse_tfc,                      &child->tfc                                     },
+               { "updown",                     parse_string,           &child->cfg.updown                                      },
+               { "hostaccess",         parse_bool,                     &child->cfg.hostaccess                          },
+               { "mode",                       parse_mode,                     &child->cfg.mode                                        },
+               { "policies",           parse_bool,                     &child->policies                                        },
+               { "replay_window",      parse_uint32,           &child->replay_window                           },
+               { "rekey_time",         parse_time,                     &child->cfg.lifetime.time.rekey         },
+               { "life_time",          parse_time,                     &child->cfg.lifetime.time.life          },
+               { "rand_time",          parse_time,                     &child->cfg.lifetime.time.jitter        },
+               { "rekey_bytes",        parse_bytes,            &child->cfg.lifetime.bytes.rekey        },
+               { "life_bytes",         parse_bytes,            &child->cfg.lifetime.bytes.life         },
+               { "rand_bytes",         parse_bytes,            &child->cfg.lifetime.bytes.jitter       },
+               { "rekey_packets",      parse_uint64,           &child->cfg.lifetime.packets.rekey      },
+               { "life_packets",       parse_uint64,           &child->cfg.lifetime.packets.life       },
+               { "rand_packets",       parse_uint64,           &child->cfg.lifetime.packets.jitter     },
+               { "dpd_action",         parse_action,           &child->cfg.dpd_action                          },
+               { "start_action",       parse_action,           &child->cfg.start_action                        },
+               { "close_action",       parse_action,           &child->cfg.close_action                        },
+               { "ipcomp",                     parse_bool,                     &child->cfg.ipcomp                                      },
+               { "inactivity",         parse_time,                     &child->cfg.inactivity                          },
+               { "reqid",                      parse_uint32,           &child->cfg.reqid                                       },
+               { "mark_in",            parse_mark,                     &child->cfg.mark_in                                     },
+               { "mark_out",           parse_mark,                     &child->cfg.mark_out                            },
+               { "tfc_padding",        parse_tfc,                      &child->cfg.tfc                                         },
        };
 
        return parse_rules(rules, countof(rules), name, value,
@@ -1430,6 +1420,51 @@ CALLBACK(peer_kv, bool,
                                           &peer->request->reply);
 }
 
+/**
+ * Check and update lifetimes
+ */
+static void check_lifetimes(lifetime_cfg_t *lft)
+{
+       /* if no hard lifetime specified, add one at soft lifetime + 10% */
+       if (lft->time.life == LFT_UNDEFINED)
+       {
+               lft->time.life = lft->time.rekey * 110 / 100;
+       }
+       if (lft->bytes.life == LFT_UNDEFINED)
+       {
+               lft->bytes.life = lft->bytes.rekey * 110 / 100;
+       }
+       if (lft->packets.life == LFT_UNDEFINED)
+       {
+               lft->packets.life = lft->packets.rekey * 110 / 100;
+       }
+       /* if no soft lifetime specified, add one at hard lifetime - 10% */
+       if (lft->bytes.rekey == LFT_UNDEFINED)
+       {
+               lft->bytes.rekey = lft->bytes.life * 90 / 100;
+       }
+       if (lft->packets.rekey == LFT_UNDEFINED)
+       {
+               lft->packets.rekey = lft->packets.life * 90 / 100;
+       }
+       /* if no rand time defined, use difference of hard and soft */
+       if (lft->time.jitter == LFT_UNDEFINED)
+       {
+               lft->time.jitter = lft->time.life -
+                                                                       min(lft->time.life, lft->time.rekey);
+       }
+       if (lft->bytes.jitter == LFT_UNDEFINED)
+       {
+               lft->bytes.jitter = lft->bytes.life -
+                                                                       min(lft->bytes.life, lft->bytes.rekey);
+       }
+       if (lft->packets.jitter == LFT_UNDEFINED)
+       {
+               lft->packets.jitter = lft->packets.life -
+                                                                       min(lft->packets.life, lft->packets.rekey);
+       }
+}
+
 CALLBACK(children_sn, bool,
        peer_data_t *peer, vici_message_t *message, vici_parse_context_t *ctx,
        char *name)
@@ -1439,29 +1474,28 @@ CALLBACK(children_sn, bool,
                .proposals = linked_list_create(),
                .local_ts = linked_list_create(),
                .remote_ts = linked_list_create(),
-               .mode = MODE_TUNNEL,
                .policies = TRUE,
                .replay_window = REPLAY_UNDEFINED,
-               .dpd_action = ACTION_NONE,
-               .start_action = ACTION_NONE,
-               .close_action = ACTION_NONE,
-               .lft = {
-                       .time = {
-                               .rekey = LFT_DEFAULT_CHILD_REKEY,
-                               .life = LFT_UNDEFINED,
-                               .jitter = LFT_UNDEFINED,
-                       },
-                       .bytes = {
-                               .rekey = LFT_UNDEFINED,
-                               .life = LFT_UNDEFINED,
-                               .jitter = LFT_UNDEFINED,
+               .cfg = {
+                       .mode = MODE_TUNNEL,
+                       .lifetime = {
+                               .time = {
+                                       .rekey = LFT_DEFAULT_CHILD_REKEY,
+                                       .life = LFT_UNDEFINED,
+                                       .jitter = LFT_UNDEFINED,
+                               },
+                               .bytes = {
+                                       .rekey = LFT_UNDEFINED,
+                                       .life = LFT_UNDEFINED,
+                                       .jitter = LFT_UNDEFINED,
+                               },
+                               .packets = {
+                                       .rekey = LFT_UNDEFINED,
+                                       .life = LFT_UNDEFINED,
+                                       .jitter = LFT_UNDEFINED,
+                               },
                        },
-                       .packets = {
-                               .rekey = LFT_UNDEFINED,
-                               .life = LFT_UNDEFINED,
-                               .jitter = LFT_UNDEFINED,
-                       },
-               }
+               },
        };
        child_cfg_t *cfg;
        proposal_t *proposal;
@@ -1496,55 +1530,13 @@ CALLBACK(children_sn, bool,
                        child.proposals->insert_last(child.proposals, proposal);
                }
        }
+       child.cfg.suppress_policies = !child.policies;
 
-       /* if no hard lifetime specified, add one at soft lifetime + 10% */
-       if (child.lft.time.life == LFT_UNDEFINED)
-       {
-               child.lft.time.life = child.lft.time.rekey * 110 / 100;
-       }
-       if (child.lft.bytes.life == LFT_UNDEFINED)
-       {
-               child.lft.bytes.life = child.lft.bytes.rekey * 110 / 100;
-       }
-       if (child.lft.packets.life == LFT_UNDEFINED)
-       {
-               child.lft.packets.life = child.lft.packets.rekey * 110 / 100;
-       }
-       /* if no soft lifetime specified, add one at hard lifetime - 10% */
-       if (child.lft.bytes.rekey == LFT_UNDEFINED)
-       {
-               child.lft.bytes.rekey = child.lft.bytes.life * 90 / 100;
-       }
-       if (child.lft.packets.rekey == LFT_UNDEFINED)
-       {
-               child.lft.packets.rekey = child.lft.packets.life * 90 / 100;
-       }
-       /* if no rand time defined, use difference of hard and soft */
-       if (child.lft.time.jitter == LFT_UNDEFINED)
-       {
-               child.lft.time.jitter = child.lft.time.life -
-                                               min(child.lft.time.life, child.lft.time.rekey);
-       }
-       if (child.lft.bytes.jitter == LFT_UNDEFINED)
-       {
-               child.lft.bytes.jitter = child.lft.bytes.life -
-                                               min(child.lft.bytes.life, child.lft.bytes.rekey);
-       }
-       if (child.lft.packets.jitter == LFT_UNDEFINED)
-       {
-               child.lft.packets.jitter = child.lft.packets.life -
-                                               min(child.lft.packets.life, child.lft.packets.rekey);
-       }
+       check_lifetimes(&child.cfg.lifetime);
 
        log_child_data(&child, name);
 
-       cfg = child_cfg_create(name, &child.lft, child.updown,
-                                               child.hostaccess, child.mode, child.start_action,
-                                               child.dpd_action, child.close_action, child.ipcomp,
-                                               child.inactivity, child.reqid, &child.mark_in,
-                                               &child.mark_out, child.tfc);
-
-       cfg->set_mipv6_options(cfg, FALSE, child.policies);
+       cfg = child_cfg_create(name, &child.cfg);
 
        if (child.replay_window != REPLAY_UNDEFINED)
        {