kernel-netlink: Use total retransmit timeout as acquire timeout
By using the total retransmit timeout, modifications of the timeout settings are automatically reflected in the value of xfrm_acq_expires. If set, the value of xfrm_acq_expires configured by the user takes precedence over the calculated value.
parent
bfbd3af850
commit
70855696ad
|
@ -113,6 +113,6 @@ charon.plugins.kernel-netlink.xfrm_acq_expires = 165
|
|||
trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
|
||||
Indirectly controls the delay between XFRM acquire messages triggered by the
|
||||
kernel for a trap policy. The same value is used as timeout for SPIs
|
||||
allocated by the kernel. The default value equals the default total
|
||||
retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION
|
||||
in **strongswan.conf**(5).
|
||||
allocated by the kernel. The default value equals the total retransmission
|
||||
timeout for IKE messages, see IKEv2 RETRANSMISSION in
|
||||
**strongswan.conf**(5).
|
||||
|
|
|
@ -78,9 +78,6 @@
|
|||
/** Base priority for installed policies */
|
||||
#define PRIO_BASE 200000
|
||||
|
||||
/** Default lifetime of an acquire XFRM state (in seconds) */
|
||||
#define DEFAULT_ACQUIRE_LIFETIME 165
|
||||
|
||||
/**
|
||||
* Map the limit for bytes and packets to XFRM_INF by default
|
||||
*/
|
||||
|
@ -3231,7 +3228,6 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
|
|||
{
|
||||
private_kernel_netlink_ipsec_t *this;
|
||||
bool register_for_events = TRUE;
|
||||
FILE *f;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
|
@ -3276,15 +3272,6 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
|
|||
register_for_events = FALSE;
|
||||
}
|
||||
|
||||
f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
|
||||
if (f)
|
||||
{
|
||||
fprintf(f, "%u", lib->settings->get_int(lib->settings,
|
||||
"%s.plugins.kernel-netlink.xfrm_acq_expires",
|
||||
DEFAULT_ACQUIRE_LIFETIME, lib->ns));
|
||||
fclose(f);
|
||||
}
|
||||
|
||||
this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names,
|
||||
lib->settings->get_bool(lib->settings,
|
||||
"%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns));
|
||||
|
|
|
@ -19,6 +19,8 @@
|
|||
#include "kernel_netlink_ipsec.h"
|
||||
#include "kernel_netlink_net.h"
|
||||
|
||||
#include <sa/task_manager.h>
|
||||
|
||||
typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
|
||||
|
||||
/**
|
||||
|
@ -50,6 +52,24 @@ METHOD(plugin_t, get_features, int,
|
|||
return countof(f);
|
||||
}
|
||||
|
||||
METHOD(plugin_t, reload, bool,
|
||||
private_kernel_netlink_plugin_t *this)
|
||||
{
|
||||
u_int timeout;
|
||||
FILE *f;
|
||||
|
||||
f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
|
||||
if (f)
|
||||
{
|
||||
timeout = lib->settings->get_int(lib->settings,
|
||||
"%s.plugins.kernel-netlink.xfrm_acq_expires",
|
||||
task_manager_total_retransmit_timeout(), lib->ns);
|
||||
fprintf(f, "%u", timeout);
|
||||
fclose(f);
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(plugin_t, destroy, void,
|
||||
private_kernel_netlink_plugin_t *this)
|
||||
{
|
||||
|
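Review bot: The sysctl write in the new reload() is silent on failure: only the fopen() result is checked, while the fprintf() and fclose() results are dropped, and since stdio buffers the value the actual write (and any rejection by the kernel or permission error) presumably surfaces only from fclose(). A failed write leaves whatever acquire timeout was previously in effect, which is exactly the situation an operator changing the setting would want to see logged, so check both calls: `if (fprintf(f, "%u", timeout) < 0 || fclose(f) != 0)` followed by a DBG1(DBG_KNL, ...) line reporting that xfrm_acq_expires could not be written, with strerror(errno) for the cause. Separately, get_int() returns a signed value that is stored in the unsigned `timeout` and printed with `%u`, so a negative configured value would be written as a very large number; rejecting values below zero before the write (falling back to the computed default) avoids that.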
@ -76,10 +96,13 @@ plugin_t *kernel_netlink_plugin_create()
|
|||
.plugin = {
|
||||
.get_name = _get_name,
|
||||
.get_features = _get_features,
|
||||
.reload = _reload,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
reload(this);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
||||
|
|
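Review bot: The bare `reload(this);` added to kernel_netlink_plugin_create() deserves a comment, because invoking the reload hook from the constructor is unusual and its return value is discarded: `/* apply xfrm_acq_expires now; reload() repeats this on configuration reload */`. Dropping the result is fine as far as this page shows, since the reload() in the hunk above returns TRUE unconditionally, but a reader of this function alone cannot tell that.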