kernel-netlink: Allow to override xfrm_acq_expires value

When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.

This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>

diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 9ee82f59490be8152b745a7a96df74dabd15fc72..ff7d8ef5867d92f9ade2c56f5b051f5cc7e9cf47 100644 (file)
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -626,6 +626,11 @@ Set MTU of ipsecN device
 .BR charon.plugins.kernel-netlink.roam_events " [yes]"
 Whether to trigger roam events when interfaces, addresses or routes change
 .TP
+.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
+Lifetime of XFRM acquire state in kernel, value gets written to
+/proc/sys/net/core/xfrm_acq_expires. Indirecly controls the delay of XFRM
+acquire messages sent.
+.TP
 .BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
 Time in ms to wait until virtual IP addresses appear/disappear before failing.
 .TP

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 83f93ec683710db4997b9a5618ec7850a00221ab..e06c8eaa93f0a3732031965da54e6041032965f1 100644 (file)
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -76,6 +76,9 @@
 /** Default replay window size, if not set using charon.replay_window */
 #define DEFAULT_REPLAY_WINDOW 32
 
+/** Default lifetime of an acquire XFRM state (in seconds) */
+#define DEFAULT_ACQUIRE_LIFETIME 165
+
 /**
  * Map the limit for bytes and packets to XFRM_INF by default
  */
@@ -2631,7 +2634,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 {
        private_kernel_netlink_ipsec_t *this;
        bool register_for_events = TRUE;
-       int fd;
+       FILE *f;
 
        INIT(this,
                .public = {
@@ -2673,12 +2676,13 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
                register_for_events = FALSE;
        }
 
-       /* disable lifetimes for allocated SPIs in kernel */
-       fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
-       if (fd > 0)
+       f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
+       if (f)
        {
-               ignore_result(write(fd, "165", 3));
-               close(fd);
+               fprintf(f, "%u", lib->settings->get_int(lib->settings,
+                                                               "%s.plugins.kernel-netlink.xfrm_acq_expires",
+                                                               DEFAULT_ACQUIRE_LIFETIME, hydra->daemon));
+               fclose(f);
        }
 
        this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);