]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
projects / thirdparty / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a24429c)
ike-sa: Remove expired Child SAs on passive HA node 2905-ha-expired
authorTobias Brunner <tobias@strongswan.org>
Wed, 8 Oct 2025 12:48:13 +0000 (14:48 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Oct 2025 12:48:13 +0000 (14:48 +0200)
Normally, the SA should get removed due to a message from the active
node. However, if that notification was missed somehow (e.g. due to packet
loss or a race with a failover) this makes sure that there are no
lingering Child SAs attached to the IKE SA.

src/libcharon/sa/ike_sa.c patch | blob | blame | history

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 319eca02e619bdb86ed6b5dcaa4bb40939f1ae10..2587ad9cfa2c2a8a5fae2dfdffe3e292cf66e0c6 100644 (file)
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1897,18 +1897,6 @@ METHOD(ike_sa_t, rekey_child_sa, status_t,
        return this->task_manager->initiate(this->task_manager);
 }
 
-METHOD(ike_sa_t, delete_child_sa, status_t,
-       private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired)
-{
-       if (this->state == IKE_PASSIVE)
-       {
-               return INVALID_STATE;
-       }
-       this->task_manager->queue_child_delete(this->task_manager,
-                                                                                  protocol, spi, expired);
-       return this->task_manager->initiate(this->task_manager);
-}
-
 METHOD(ike_sa_t, destroy_child_sa, status_t,
        private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
 {
@@ -1932,6 +1920,23 @@ METHOD(ike_sa_t, destroy_child_sa, status_t,
        return status;
 }
 
+METHOD(ike_sa_t, delete_child_sa, status_t,
+       private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired)
+{
+       if (this->state == IKE_PASSIVE)
+       {
+               if (expired)
+               {       /* make sure the SA is removed if the notification from the active
+                        * node was missed somehow */
+                       destroy_child_sa(this, protocol, spi);
+               }
+               return INVALID_STATE;
+       }
+       this->task_manager->queue_child_delete(this->task_manager,
+                                                                                  protocol, spi, expired);
+       return this->task_manager->initiate(this->task_manager);
+}
+
 METHOD(ike_sa_t, delete_, status_t,
        private_ike_sa_t *this, bool force)
 {
Unnamed repository; edit this file 'description' to name the repository.