kernel-netlink: Use total retransmit timeout as acquire timeout

author Tobias Brunner <tobias@strongswan.org>

Mon, 13 Mar 2017 11:15:25 +0000 (12:15 +0100)

committer Tobias Brunner <tobias@strongswan.org>

Tue, 23 May 2017 16:05:58 +0000 (18:05 +0200)
author Tobias Brunner <tobias@strongswan.org>
Mon, 13 Mar 2017 11:15:25 +0000 (12:15 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Tue, 23 May 2017 16:05:58 +0000 (18:05 +0200)
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt

index 1136af1be6f9b171d451e685992fc5817f12ae81..3d9c4a7a9e5889b7c65d1ef89f1fd99eb5536dfd 100644 (file)
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -113,6 +113,6 @@ charon.plugins.kernel-netlink.xfrm_acq_expires = 165
         trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
         Indirectly controls the delay between XFRM acquire messages triggered by the
         kernel for a trap policy. The same value is used as timeout for SPIs
-       allocated by the kernel. The default value equals the default total
-       retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION
-       in **strongswan.conf**(5).
+       allocated by the kernel. The default value equals the total     retransmission
+       timeout for IKE messages, see IKEv2 RETRANSMISSION in
+       **strongswan.conf**(5).
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 6f18674fd00e2111ae9259f865920e3a8af52e25..da05de3049f635188ee4c72f034498ae04a4af03 100644 (file)
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -78,9 +78,6 @@
  /** Base priority for installed policies */
  #define PRIO_BASE 200000
  
-/** Default lifetime of an acquire XFRM state (in seconds) */
-#define DEFAULT_ACQUIRE_LIFETIME 165
-
  /**
   * Map the limit for bytes and packets to XFRM_INF by default
   */
@@ -3231,7 +3228,6 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
  {
         private_kernel_netlink_ipsec_t *this;
         bool register_for_events = TRUE;
-       FILE *f;
  
         INIT(this,
                 .public = {
@@ -3276,15 +3272,6 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
                 register_for_events = FALSE;
         }
  
-       f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
-       if (f)
-       {
-               fprintf(f, "%u", lib->settings->get_int(lib->settings,
-                                                               "%s.plugins.kernel-netlink.xfrm_acq_expires",
-                                                               DEFAULT_ACQUIRE_LIFETIME, lib->ns));
-               fclose(f);
-       }
-
         this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names,
                                 lib->settings->get_bool(lib->settings,
                                         "%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns));
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c

index 8bafc3c55ed418002850c705b4e9b712f4d1f48b..58350028f78c238bcc931ae924dce4a398d91247 100644 (file)
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -19,6 +19,8 @@
  #include "kernel_netlink_ipsec.h"
  #include "kernel_netlink_net.h"
  
+#include <sa/task_manager.h>
+
  typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
  
  /**
@@ -50,6 +52,24 @@ METHOD(plugin_t, get_features, int,
         return countof(f);
  }
  
+METHOD(plugin_t, reload, bool,
+       private_kernel_netlink_plugin_t *this)
+{
+       u_int timeout;
+       FILE *f;
+
+       f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
+       if (f)
+       {
+               timeout = lib->settings->get_int(lib->settings,
+                                                       "%s.plugins.kernel-netlink.xfrm_acq_expires",
+                                                       task_manager_total_retransmit_timeout(), lib->ns);
+               fprintf(f, "%u", timeout);
+               fclose(f);
+       }
+       return TRUE;
+}
+
  METHOD(plugin_t, destroy, void,
         private_kernel_netlink_plugin_t *this)
  {
@@ -76,10 +96,13 @@ plugin_t *kernel_netlink_plugin_create()
                         .plugin = {
                                 .get_name = _get_name,
                                 .get_features = _get_features,
+                               .reload = _reload,
                                 .destroy = _destroy,
                         },
                 },
         );
  
+       reload(this);
+
         return &this->public.plugin;
  }
author	Tobias Brunner <tobias@strongswan.org>
	Mon, 13 Mar 2017 11:15:25 +0000 (12:15 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Tue, 23 May 2017 16:05:58 +0000 (18:05 +0200)
conf/plugins/kernel-netlink.opt		patch \| blob \| blame \| history
src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c		patch \| blob \| blame \| history
src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c		patch \| blob \| blame \| history