From: Tobias Brunner Date: Mon, 31 May 2021 13:21:46 +0000 (+0200) Subject: forecast: Ignore per-CPU CHILD_SAs X-Git-Tag: 6.0.2dr1~5^2~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=17f2188756d27d1b2f0eff5495e983a3c95c55cc;p=thirdparty%2Fstrongswan.git forecast: Ignore per-CPU CHILD_SAs Not sure if this combination does make sense as the plugin itself would be a major bottleneck. Similar to the connmark plugin, PREROUTING rules list SPIs or UDP ports, which would be necessary for all SAs while the OUTPUT rules would only be required once. --- diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c index 4983835f19..3d000bc48c 100644 --- a/src/libcharon/plugins/forecast/forecast_listener.c +++ b/src/libcharon/plugins/forecast/forecast_listener.c @@ -500,7 +500,8 @@ static bool commit_handle(struct iptc_handle *ipth) static bool handle_sa(child_sa_t *child_sa) { return child_sa->get_mark(child_sa, TRUE).value && - child_sa->get_mark(child_sa, FALSE).value; + child_sa->get_mark(child_sa, FALSE).value && + !child_sa->use_per_cpu(child_sa); } METHOD(listener_t, child_updown, bool,
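Review bot: the new !child_sa->use_per_cpu(child_sa) condition in handle_sa() carries no comment, and the reason per-CPU CHILD_SAs are skipped (PREROUTING rules would be needed for all SAs while the OUTPUT rules are only required once) exists only in the commit message. A short comment above the return statement would keep that rationale next to the check. Because handle_sa() now returns FALSE for these SAs without any message, a setup that configures both marks and per-CPU SAs is ignored by the plugin with no indication why. Consider a debug log line where the SA is skipped, or a note in the forecast plugin documentation, so an operator can tell the skip is intentional rather than a rule-installation failure.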