From: Thomas Egerer
Date: Thu, 9 Mar 2017 17:26:35 +0000 (+0100)
Subject: kernel-netlink: Try to add new inbound SA if update fails
X-Git-Tag: 5.5.3~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d140b3bd3f7ff6f6b7bdc5202bd0dee7f39fa699;p=thirdparty%2Fstrongswan.git

kernel-netlink: Try to add new inbound SA if update fails

When establishing a traffic-triggered CHILD_SA involves the setup of an IKE_SA more than one exchange is required. As a result the temporary acquire state may have expired -- even if the acquire expiration (xfrm_acq_expires) time is set properly (165 by default). The expire message sent by the kernel is not processed in charon since no trap can be found by the trap manager. A possible solution could be to track allocated SPIs. But since this is a corner case and the tracking introduces quite a bit of overhead, it seems much more sensible to add a new state if the update of a state fails with NOT_FOUND.

Signed-off-by: Thomas Egerer
---
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 9a40927d21..6f18674fd0 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1666,10 +1666,19 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		}
 	}
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+	if (status == NOT_FOUND && data->update)
 	{
-		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s", ntohl(id->spi),
-			 markstr);
+		DBG1(DBG_KNL, "allocated SPI not found anymore, try to add SAD entry");
+		hdr->nlmsg_type = XFRM_MSG_NEWSA;
+		status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+	}
+
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s (%N)", ntohl(id->spi),
+			 markstr, status_names, status);
+		status = FAILED;
 		goto failed;
 	}
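Review bot: The fallback log line `DBG1(DBG_KNL, "allocated SPI not found anymore, try to add SAD entry");` drops the SPI and mark that the other SAD message in this hunk prints, so when the XFRM_MSG_NEWSA retry itself fails the two log lines cannot be correlated with the SA being installed; it should read `DBG1(DBG_KNL, "allocated SPI %.8x%s not found anymore, trying to add SAD entry", ntohl(id->spi), markstr);`. The retry also deserves a comment stating the precondition it relies on, e.g. `/* the larval state for an SPI we allocated may have expired (xfrm_acq_expires) before the update arrived; install it as a new state instead */`, because the new branch turns any NOT_FOUND on update into an add, presumably including a state an operator removed, and that is only reasonable because data->update implies the SPI was allocated by charon. add_sa starts and ends outside this hunk, so how the newly assigned `status = FAILED;` is consumed at the `failed` label is not visible here.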