Refactored the lifetime_cfg_t struct to be simpler and more expressive. Initializatio...
authorTobias Brunner <tobias@strongswan.org>
Fri, 28 Aug 2009 15:04:35 +0000 (17:04 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 1 Sep 2009 10:54:33 +0000 (12:54 +0200)
12 files changed:
src/charon/config/child_cfg.c
src/charon/config/child_cfg.h
src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
src/charon/plugins/load_tester/load_tester_config.c
src/charon/plugins/medcli/medcli_config.c
src/charon/plugins/nm/nm_service.c
src/charon/plugins/sql/sql_config.c
src/charon/plugins/stroke/stroke_config.c
src/charon/plugins/uci/uci_config.c
src/charon/sa/child_sa.c

index 6cddd92..05c47f7 100644 (file)
@@ -99,7 +99,7 @@ struct private_child_cfg_t {
        /**
         * CHILD_SA lifetime config
         */
-       lifetime_cfg_t *lifetime;
+       lifetime_cfg_t lifetime;
        
        /**
         * enable IPComp
@@ -363,7 +363,7 @@ static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
        jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
        return rekey - jitter * (random() / (RAND_MAX + 1.0));
 }
-#define APPLY_JITTER(l, f) l->rekey_##f = apply_jitter(l->rekey_##f, l->jitter_##f)
+#define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
 
 /**
  * Implementation of child_cfg_t.get_lifetime.
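Review bot: The new `APPLY_JITTER(l)` expands its argument three times with no parentheses around either the argument or the expansion, so it only behaves as intended for simple lvalue arguments such as `lft->time`. Writing it as `#define APPLY_JITTER(l) ((l).rekey = apply_jitter((l).rekey, (l).jitter))` keeps the call sites unchanged and removes the precedence hazard. Separately, the context lines above show `apply_jitter` subtracting up to `jitter` from `rekey` in floating point; if a configuration supplies a jitter larger than the rekey value, the result can go negative before it is converted back to `u_int64_t`, so a clamp there is worth considering. Only the tail of `apply_jitter` is visible in this hunk.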
@@ -371,10 +371,10 @@ static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
 static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
 {
        lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
-       memcpy(lft, this->lifetime, sizeof(lifetime_cfg_t));
-       APPLY_JITTER(lfttime);
-       APPLY_JITTER(lftbytes);
-       APPLY_JITTER(lftpackets);
+       memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
+       APPLY_JITTER(lft->time);
+       APPLY_JITTER(lft->bytes);
+       APPLY_JITTER(lft->packets);
        return lft;
 }
 
@@ -480,7 +480,6 @@ static void destroy(private_child_cfg_t *this)
                {
                        free(this->updown);
                }
-               free(this->lifetime);
                free(this->name);
                free(this);
        }
@@ -517,7 +516,6 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
        this->public.destroy = (void (*) (child_cfg_t*))destroy;
        
        this->name = strdup(name);
-       this->lifetime = lifetime;
        this->updown = updown ? strdup(updown) : NULL;
        this->hostaccess = hostaccess;
        this->mode = mode;
@@ -530,6 +528,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
        this->proposals = linked_list_create();
        this->my_ts = linked_list_create();
        this->other_ts = linked_list_create();
+       memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));
 
        return &this->public;
 }
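Review bot: The added `memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));` dereferences `lifetime` unconditionally, so with the switch from adopting to cloning, a NULL argument now faults inside the constructor. Every caller changed in this commit passes the address of a local, so this may be intended, but the precondition is not stated; either document it in child_cfg.h or guard it, e.g. `if (lifetime) { this->lifetime = *lifetime; }`, provided the private struct is zero-initialised when the guard is skipped (the allocation is outside this hunk). Plain struct assignment, `this->lifetime = *lifetime;`, would also let the compiler check the types, which `memcpy` does not. `child_cfg_create` starts above this hunk.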
index ce6a236..492514e 100644 (file)
@@ -72,57 +72,17 @@ extern enum_name_t *ipcomp_transform_names;
  * Set any of these values to 0 to ignore.
  */
 struct lifetime_cfg_t {
-       /** Time in seconds before the CHILD_SA gets invalid. */
-       u_int64_t       life_time;
-       /** Number of bytes transmitted before the CHILD_SA gets invalid. */
-       u_int64_t       life_bytes;
-       /** Number of packets transmitted before the CHILD_SA gets invalid. */
-       u_int64_t       life_packets;
-       /** Time in seconds before the CHILD_SA gets rekeyed. */
-       u_int64_t       rekey_time;
-       /** Number of bytes transmitted before the CHILD_SA gets rekeyed. */
-       u_int64_t       rekey_bytes;
-       /** Number of packets transmitted before the CHILD_SA gets rekeyed. */
-       u_int64_t       rekey_packets;
-       /** The range of a random value subtracted from rekey_time */
-       u_int64_t       jitter_time;
-       /** The range of a random value subtracted from rekey_bytes */
-       u_int64_t       jitter_bytes;
-       /** The range of a random value subtracted from rekey_packets */
-       u_int64_t       jitter_packets;
+       struct {
+               /** Limit before the CHILD_SA gets invalid. */
+               u_int64_t       life;
+               /** Limit before the CHILD_SA gets rekeyed. */
+               u_int64_t       rekey;
+               /** The range of a random value subtracted from rekey. */
+               u_int64_t       jitter;
+       } time, bytes, packets;
 };
 
 /**
- * Helper macro to easily set all three values of a specified limit (time,
- * bytes, packets).
- */
-#define LIFETIME_CFG_SET(l, limit, life, rekey, jitter) do { \
-       (l)->life_##limit = (life); \
-       (l)->rekey_##limit = (rekey); \
-       (l)->jitter_##limit = (jitter); \
-} while(0)
-
-/**
- * Create a new lifetime_cfg_t object.
- */
-static inline lifetime_cfg_t* lifetime_cfg_create() {
-       lifetime_cfg_t *this = malloc_thing(lifetime_cfg_t);
-       memset(this, 0, sizeof(lifetime_cfg_t));
-       return this;
-}
-
-/**
- * Special constructor for the (currently) most common case.
- */
-static inline lifetime_cfg_t* lifetime_cfg_create_time(u_int64_t life,
-                                                                         u_int64_t rekey, u_int64_t jitter)
-{
-       lifetime_cfg_t *this = lifetime_cfg_create();
-       LIFETIME_CFG_SET(this, time, life, rekey, jitter);
-       return this;
-}
-
-/**
  * A child_cfg_t defines the config template for a CHILD_SA.
  *
  * After creation, proposals and traffic selectors may be added to the config.
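Review bot: The field comments in the new anonymous struct no longer say what unit each limit is in; the removed comments stated seconds for the time limits and counts of bytes and packets for the others. Since the same three fields now serve `time`, `bytes` and `packets`, I would extend the struct comment with something like `/** time limits are in seconds, bytes and packets limits are counters; 0 disables a limit */`. Callers in this commit fill `time` from values such as `10800 /* 3h */`, so the unit matters to anyone adding a new config backend.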
@@ -316,9 +276,9 @@ struct child_cfg_t {
  * 
  * The "name" string gets cloned.
  *
- * The lifetime_cfg_t object gets adopted by this config.
+ * The lifetime_cfg_t object gets cloned.
  * To prevent two peers to start rekeying at the same time, a jitter may be
- * specified. Rekeying of an SA starts at (rekey_xxx - random(0, jitter_xxx)).
+ * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
  *
  * After a call to create, a reference is obtained (refcount = 1).
  * 
index 5dc08b2..f0362c1 100644 (file)
@@ -1844,14 +1844,14 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
        /* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
         * of SAs manually in the plugin. Refer to the comments in receive_events()
         * for details. */
-       if (lifetime->rekey_time)
+       if (lifetime->time.rekey)
        {
-               schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->rekey_time);
+               schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->time.rekey);
        }
        
-       if (lifetime->life_time)
+       if (lifetime->time.life)
        {
-               schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->life_time);
+               schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->time.life);
        }
                
        return SUCCESS;
index 0758c96..cdd2436 100644 (file)
@@ -941,7 +941,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
         * we are in the recursive call below */
        if (ipcomp != IPCOMP_NONE && cpi != 0)
        {
-               lifetime_cfg_t lft = { 0,0,0,0,0,0,0,0,0 };
+               lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
                add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft,
                           ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
                           mode, ipcomp, 0, FALSE, inbound);
@@ -971,13 +971,13 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
        }
        sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
        sa->reqid = reqid;
-       sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->rekey_bytes);
-       sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->life_bytes);
-       sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->rekey_packets);
-       sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->life_packets);
+       sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
+       sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
+       sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
+       sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
        /* we use lifetimes since added, not since used */
-       sa->lft.soft_add_expires_seconds = lifetime->rekey_time;
-       sa->lft.hard_add_expires_seconds = lifetime->life_time;
+       sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
+       sa->lft.hard_add_expires_seconds = lifetime->time.life;
        sa->lft.soft_use_expires_seconds = 0;
        sa->lft.hard_use_expires_seconds = 0;
        
index 4eff8e2..002e1be 100644 (file)
@@ -1287,18 +1287,18 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-       lft->sadb_lifetime_allocations = lifetime->rekey_packets;
-       lft->sadb_lifetime_bytes = lifetime->rekey_bytes;
-       lft->sadb_lifetime_addtime = lifetime->rekey_time;
+       lft->sadb_lifetime_allocations = lifetime->packets.rekey;
+       lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
+       lft->sadb_lifetime_addtime = lifetime->time.rekey;
        lft->sadb_lifetime_usetime = 0; /* we only use addtime */
        PFKEY_EXT_ADD(msg, lft);
        
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-       lft->sadb_lifetime_allocations = lifetime->life_packets;
-       lft->sadb_lifetime_bytes = lifetime->life_bytes;
-       lft->sadb_lifetime_addtime = lifetime->life_time;
+       lft->sadb_lifetime_allocations = lifetime->packets.life;
+       lft->sadb_lifetime_bytes = lifetime->bytes.life;
+       lft->sadb_lifetime_addtime = lifetime->time.life;
        lft->sadb_lifetime_usetime = 0; /* we only use addtime */
        PFKEY_EXT_ADD(msg, lft);
        
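Review bot: `lifetime->packets.rekey` and `lifetime->packets.life` are `u_int64_t` in the reworked `lifetime_cfg_t`, but `sadb_lifetime_allocations` is a 32-bit field in `struct sadb_lifetime` (RFC 2367), so packet limits above `UINT32_MAX` are silently truncated in both the SOFT and HARD extensions. A limit that truncates to a small value would expire the SA far earlier than configured, and one that truncates to 0 is presumably treated by the kernel as no limit at all. Clamping makes the behaviour defined, e.g. `lft->sadb_lifetime_allocations = lifetime->packets.life > UINT32_MAX ? UINT32_MAX : lifetime->packets.life;`, and the same for `packets.rekey`. `add_sa` starts and ends outside this hunk.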
index 537301c..aecaf62 100644 (file)
@@ -178,10 +178,16 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 {
        ike_cfg_t *ike_cfg;
        child_cfg_t *child_cfg;
-       lifetime_cfg_t *lifetime;
        peer_cfg_t *peer_cfg;
        traffic_selector_t *ts;
        proposal_t *proposal;
+       lifetime_cfg_t lifetime = {
+               .time = {
+                       .life = this->child_rekey * 2,
+                       .rekey = this->child_rekey,
+                       .jitter = 0
+               }
+       };
        
        ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", this->remote);
        ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
@@ -203,10 +209,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
                generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
        }
        
-       lifetime = lifetime_cfg_create_time(this->child_rekey * 2,
-                                                                               this->child_rekey, 0);
-
-       child_cfg = child_cfg_create("load-test", lifetime, NULL, TRUE,
+       child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
                                                                 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
        proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
        child_cfg->add_proposal(child_cfg, proposal);
index d3b2e38..f96f61c 100644 (file)
@@ -99,8 +99,14 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
        ike_cfg_t *ike_cfg;
        child_cfg_t *child_cfg;
        chunk_t me, other;
-       lifetime_cfg_t *lifetime;
        char *address, *local_net, *remote_net;
+       lifetime_cfg_t lifetime = {
+               .time = {
+                       .life = this->rekey * 60 + this->rekey,
+                       .rekey = this->rekey,
+                       .jitter = this->rekey
+               }
+       };
        
        /* query mediation server config:
         * - build ike_cfg/peer_cfg for mediation connection on-the-fly 
@@ -174,10 +180,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
                          identification_create_from_encoding(ID_KEY_ID, other));
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
        
-       lifetime = lifetime_cfg_create_time(this->rekey * 60 + this->rekey,
-                                                                               this->rekey, this->rekey);
-       
-       child_cfg = child_cfg_create(name, lifetime, NULL, TRUE,
+       child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE,
                                                          MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
@@ -220,8 +223,14 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
        chunk_t me, other;
        child_cfg_t *child_cfg;
        auth_cfg_t *auth;
-       lifetime_cfg_t *lifetime;
-       
+       lifetime_cfg_t lifetime = {
+               .time = {
+                       .life = this->rekey * 60 + this->rekey,
+                       .rekey = this->rekey
+                       .jitter = this->rekey
+               }
+       };
+
        DESTROY_IF(this->current);
        if (!this->inner->enumerate(this->inner, &name, &me, &other,
                                                                &local_net, &remote_net))
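Review bot: The initializer added here is missing the comma after `.rekey = this->rekey`, so the next line is parsed as a member access, `this->rekey.jitter = ...`, and the file should fail to compile as written. The line should read `.rekey = this->rekey,`. The same comma is missing after `.rekey = create_rekey(esp_rekey)` in the later `peer_enumerator_enumerate` hunk that uses `create_rekey` (apparently the uci plugin, going by the file list order). The equivalent initializer in the `get_peer_cfg_by_name` hunk above has the comma, which suggests a copy slip.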
@@ -249,10 +258,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
                          identification_create_from_encoding(ID_KEY_ID, other));
        this->current->add_auth_cfg(this->current, auth, FALSE);
        
-       lifetime = lifetime_cfg_create_time(this->rekey * 60 + this->rekey,
-                                                                               this->rekey, this->rekey);
-       
-       child_cfg = child_cfg_create(name, lifetime, NULL, TRUE, MODE_TUNNEL,
+       child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
                                                                 ACTION_NONE, ACTION_NONE, FALSE);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
index 8df65d7..6aa5561 100644 (file)
@@ -218,7 +218,6 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        ike_cfg_t *ike_cfg;
        peer_cfg_t *peer_cfg;
        child_cfg_t *child_cfg;
-       lifetime_cfg_t *lifetime;
        traffic_selector_t *ts;
        ike_sa_t *ike_sa;
        auth_cfg_t *auth;
@@ -226,6 +225,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        certificate_t *cert = NULL;
        x509_t *x509;
        bool agent = FALSE;
+       lifetime_cfg_t lifetime = {
+               .time = {
+                       .life = 10800 /* 3h */,
+                       .rekey = 10200 /* 2h50min */,
+                       .jitter = 300 /* 5min */
+               }
+       };
        
        /**
         * Read parameters
@@ -427,10 +433,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        auth->add(auth, AUTH_RULE_IDENTITY, gateway);
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
        
-       lifetime = lifetime_cfg_create_time(10800 /* 3h */, 10200 /* 2h50min */,
-                                                                               300 /* 5min */);
-       
-       child_cfg = child_cfg_create(priv->name, lifetime,
+       child_cfg = child_cfg_create(priv->name, &lifetime,
                                                                 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
                                                                 ACTION_NONE, ACTION_NONE, ipcomp);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
index 71fb378..67b5c3b 100644 (file)
@@ -130,9 +130,10 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
        if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, 
                                                &updown, &hostaccess, &mode, &dpd, &close, &ipcomp))
        {
-               lifetime_cfg_t *lft = lifetime_cfg_create_time(lifetime, rekeytime,
-                                                                                                          jitter);
-               child_cfg = child_cfg_create(name, lft, updown, hostaccess, mode,
+               lifetime_cfg_t lft = {
+                       .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
+               };
+               child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
                                                                         dpd, close, ipcomp);
                /* TODO: read proposal from db */
                child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
index c76fd16..e5c1471 100644 (file)
@@ -752,8 +752,24 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                                                                        stroke_msg_t *msg)
 {
        child_cfg_t *child_cfg;
-       lifetime_cfg_t *lifetime;
        action_t dpd;
+       lifetime_cfg_t lifetime = {
+               .time = {
+                       .life = msg->add_conn.rekey.ipsec_lifetime,
+                       .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
+                       .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
+               },
+               .bytes = {
+                       .life = msg->add_conn.rekey.life_bytes,
+                       .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
+                       .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
+               },
+               .packets = {
+                       .life = msg->add_conn.rekey.life_packets,
+                       .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
+                       .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
+               }
+       };
        
        switch (msg->add_conn.dpd.action)
        {       /* map startes magic values to our action type */
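Review bot: Each `.rekey` in this initializer is computed as lifetime minus margin from fields of the incoming stroke message, with no check that the margin is not larger than the lifetime. If these fields are unsigned, as the `u_int64_t` destination suggests, a margin above the lifetime wraps to a very large rekey value and the SA is never rekeyed ahead of its hard expiry; a `fuzz` above 100 likewise makes `.jitter` exceed the margin. I would validate before building the struct, e.g. `if (msg->add_conn.rekey.margin > msg->add_conn.rekey.ipsec_lifetime)` with the byte and packet equivalents, and log and reject or clamp the connection. The arithmetic is carried over unchanged from the removed `lifetime_cfg_create_time`/`LIFETIME_CFG_SET` calls, and `build_child_cfg` continues past this hunk.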
@@ -767,22 +783,9 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                        dpd = ACTION_NONE;
                        break;
        }
-
-       lifetime = lifetime_cfg_create_time(
-                               msg->add_conn.rekey.ipsec_lifetime,
-                               msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
-                               msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100);
-       LIFETIME_CFG_SET(lifetime, bytes,
-               msg->add_conn.rekey.life_bytes,
-               msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
-               msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100);
-       LIFETIME_CFG_SET(lifetime, packets,
-               msg->add_conn.rekey.life_packets,
-               msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
-               msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100);
        
        child_cfg = child_cfg_create(
-                               msg->add_conn.name, lifetime,
+                               msg->add_conn.name, &lifetime,
                                msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
                                msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp);
        child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
index 5c03acb..e2b0b29 100644 (file)
@@ -142,9 +142,15 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
        char *local_id, *local_addr, *local_net;
        char *remote_id, *remote_addr, *remote_net;
        child_cfg_t *child_cfg;
-       lifetime_cfg_t *lifetime;
        ike_cfg_t *ike_cfg;
        auth_cfg_t *auth;
+       lifetime_cfg_t lifetime = {
+               .time = {
+                       .life = create_rekey(esp_rekey) + 300,
+                       .rekey = create_rekey(esp_rekey)
+                       .jitter = 300
+               }
+       };
        
        /* defaults */
        name = "unnamed";
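Review bot: `lifetime` is now initialised in the declaration block with `create_rekey(esp_rekey)`, whereas the removed code called `create_rekey(esp_rekey)` only after the defaults were assigned and the section had been enumerated, further down in the function. Unless `esp_rekey` already holds its final value at declaration (its declaration is outside this hunk), the SA lifetime is computed from an unset or stale value and the configured rekey interval is ignored. Keeping only the constant in the initializer, `lifetime_cfg_t lifetime = { .time = { .jitter = 300 } };`, then assigning `lifetime.time.rekey = create_rekey(esp_rekey);` and `lifetime.time.life = lifetime.time.rekey + 300;` just before `child_cfg_create`, restores the old order. It also calls `create_rekey` once instead of twice.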
@@ -187,9 +193,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
                                          identification_create_from_string(remote_id));
                }
                this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
-               lifetime = lifetime_cfg_create_time(create_rekey(esp_rekey) + 300,
-                                                                                       create_rekey(esp_rekey), 300);
-               child_cfg = child_cfg_create(name, lifetime, NULL, TRUE, MODE_TUNNEL,
+               
+               child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
                                                                         ACTION_NONE, ACTION_NONE, FALSE);
                child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
                child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
index 7eee9c4..a3dfeff 100644 (file)
@@ -589,18 +589,18 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
        lifetime = this->config->get_lifetime(this->config);
        
        now = time_monotonic(NULL);
-       if (lifetime->rekey_time)
+       if (lifetime->time.rekey)
        {
-               this->rekey_time = now + lifetime->rekey_time;
+               this->rekey_time = now + lifetime->time.rekey;
        }
-       if (lifetime->life_time)
+       if (lifetime->time.life)
        {
-               this->expire_time = now + lifetime->life_time;
+               this->expire_time = now + lifetime->time.life;
        }
        
-       if (!lifetime->jitter_time && !inbound)
+       if (!lifetime->time.jitter && !inbound)
        {       /* avoid triggering multiple rekey events */
-               lifetime->rekey_time = 0;
+               lifetime->time.rekey = 0;
        }
        
        status = charon->kernel_interface->add_sa(charon->kernel_interface,