From: Martin Willi
Date: Wed, 24 Jul 2013 14:20:46 +0000 (+0200)
Subject: mem-pool: add option for reusing online leases, and disable it by default
X-Git-Tag: 5.1.0~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7612a6e42fa4779adbeab74ec044bd554d00c3b3;p=thirdparty%2Fstrongswan.git
mem-pool: add option for reusing online leases, and disable it by default
Mainly for reauthentication with third party implementations, we allowed to reuse an online lease, but only for the same peer identity and when it explicitly requested the same address. This has always been problematic, because it changes the reqid of the CHILD_SA with the same traffic selectors, breaking the old tunnel. As we now reject such policy overwrites, this usually lets the installation of the new policies fail. We therefore disable reassignment of online leases by default.
---
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index 9b9bc93b5e..77567ce48d 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -16,6 +16,8 @@
 #include "mem_pool.h"
+#include
+#include
 #include
 #include
 #include
@@ -63,6 +65,11 @@ struct private_mem_pool_t {
 * lock to safely access the pool
 */
 mutex_t *mutex;
+
+ /**
+ * Do we reassign online leases to the same identity, if requested?
+ */
+ bool reassign_online;
 };
 
 /**
@@ -258,7 +265,10 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
 DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
 return offset;
 }
-
+ if (!this->reassign_online)
+ {
+ return 0;
+ }
 /* check for a valid online lease to reassign */
 enumerator = array_create_enumerator(entry->online);
 while (enumerator->enumerate(enumerator, ¤t))
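Review bot: The doc comment on the new `reassign_online` field in private_mem_pool_t says what the flag means but not where it comes from or what the default is, so a reader of the struct has to go to create_generic to learn that it is a strongswan.conf option that is off by default. Suggest `/** Reassign online leases to the same identity on request? Set from the %s.mem-pool.reassign_online setting, FALSE by default. */` in place of the current question. The struct definition starts outside the hunk; only its tail is visible here.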
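Review bot: The new early return in get_existing silently discards a peer's explicit request for its previous address whenever reassign_online is off, and nothing is logged, whereas the offline-lease path just above it logs at DBG1; an operator diagnosing a changed address after reauthentication gets no hint from the log. Suggest a `DBG2(DBG_CFG, "not reassigning online lease to '%Y', reassignment disabled", id);` before `return 0;`. The literal `0` is correct only because the `if (offset)` block immediately above has already returned when a lease was found, so `return offset;` would make that dependence explicit and match the other return visible in the hunk. get_existing starts and ends outside the hunk.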
@@ -562,6 +572,8 @@ static private_mem_pool_t *create_generic(char *name)
 .leases = hashtable_create((hashtable_hash_t)id_hash,
 (hashtable_equals_t)id_equals, 16),
 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .reassign_online = lib->settings->get_bool(lib->settings,
+ "%s.mem-pool.reassign_online", FALSE, hydra->daemon),
 );
 return this;