kernel-pfkey: Only set the replay window for inbound SAs

It is not necessary for outbound SAs and might waste memory when large
window sizes are used.
Tobias Brunner 2016-06-17 14:52:11 +02:00
parent c423d0e8a1
commit 21aa924233
1 changed files with 8 additions and 3 deletions


@ -1725,12 +1725,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
else else
{ {
/* Linux interprets sadb_sa_replay as number of packets/bits in the /* Linux interprets sadb_sa_replay as number of packets/bits in the
* replay window, whereas on BSD it's the size of the window in bytes */ * replay window, whereas on BSD it's the size of the window in bytes.
* Only set for the inbound SA as it's not relevant for the outbound
* SA and might waste memory with large windows. */
if (data->inbound)
{
#ifdef __linux__ #ifdef __linux__
sa->sadb_sa_replay = min(data->replay_window, 32); sa->sadb_sa_replay = min(data->replay_window, 32);
#else #else
sa->sadb_sa_replay = (data->replay_window + 7) / 8; sa->sadb_sa_replay = (data->replay_window + 7) / 8;
#endif #endif
}
sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg); sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM,
data->enc_alg); data->enc_alg);
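Review bot: For an outbound SA the new `if (data->inbound)` guard leaves `sa->sadb_sa_replay` untouched, so the intended "no replay window" outcome depends on `sa` having been zero-initialized earlier in add_sa, which is outside this hunk and cannot be confirmed from here. If it is not zeroed, the outbound SA would carry whatever value the struct held; either make the intent explicit with `else { sa->sadb_sa_replay = 0; }` or state the assumption next to the guard, e.g. `/* sa is zeroed above, so outbound SAs get no replay window */`. This applies equally to the Linux and BSD branches of the #ifdef inside the guard. The enclosing add_sa body starts and ends outside the hunk.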