ike: Restart inactivity counter after doing a CHILD_SA rekey
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity job is queued for a time unrelated to the rekey time, so it might happen that the inactivity job gets executed just after rekeying. If this happens, inactivity is detected even if we had traffic on the rekeyed CHILD_SA just before rekeying. This change implies that inactivity checks can't handle inactivity timeouts for rekeyed CHILD_SAs, and therefore requires that the inactivity timeout is shorter than the rekey time to have any effect.
parent 763e035335
commit d048a319df
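The race the commit message describes, and the caveat it ends with, are easy to see on a constructed timeline. The following is an added example written for this page, not strongSwan code: `child_sa_model_t`, `rekey()` and the two `inactive_*` checks are assumed stand-ins for the CHILD_SA fields the inactivity job reads, and all timestamps are constructed values on a single monotonic clock (0 meaning "never"). `inactive_old` is the check before the change (use counters only), `inactive_new` the check after it (install time counted as activity).

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Constructed model of the CHILD_SA fields the inactivity job reads.
 * Not strongSwan's child_sa_t; these names are assumptions for this example.
 * All timestamps are seconds on one monotonic clock; 0 means "never". */
typedef struct {
    time_t last_in;   /* last inbound traffic seen on this CHILD_SA */
    time_t last_out;  /* last outbound traffic seen on this CHILD_SA */
    time_t install;   /* when this CHILD_SA generation was installed */
} child_sa_model_t;

static time_t max_t(time_t a, time_t b) { return a > b ? a : b; }

/* Check before the commit: only the use counters are consulted. */
bool inactive_old(const child_sa_model_t *sa, time_t now, time_t timeout)
{
    time_t diff = now - max_t(sa->last_in, sa->last_out);
    return diff >= timeout;
}

/* Check after the commit: the install time counts as activity, so a freshly
 * rekeyed CHILD_SA cannot be closed before `timeout` has elapsed since rekey. */
bool inactive_new(const child_sa_model_t *sa, time_t now, time_t timeout)
{
    time_t diff = now - max_t(max_t(sa->last_in, sa->last_out), sa->install);
    return diff >= timeout;
}

/* Simulated rekey: the replacement CHILD_SA starts with reset use counters
 * (the situation the commit message describes) and install == now. */
child_sa_model_t rekey(time_t now)
{
    child_sa_model_t fresh = { .last_in = 0, .last_out = 0, .install = now };
    return fresh;
}

/* Traffic flows, a rekey happens, and the inactivity job fires shortly after.
 * Returns true if `check` falsely reports the CHILD_SA as inactive. */
bool false_positive_after_rekey(bool (*check)(const child_sa_model_t *, time_t, time_t))
{
    const time_t timeout = 30;
    child_sa_model_t sa = { .last_in = 0, .last_out = 0, .install = 100 };
    sa.last_out = 140;                /* traffic at t=140 and t=141 */
    sa.last_in = 141;
    sa = rekey(150);                  /* rekey at t=150: counters reset */
    return check(&sa, 155, timeout);  /* job runs at t=155: idle 14 s at most */
}

/* The commit message's caveat: with no traffic at all, periodic rekeying every
 * `rekey_interval` seconds and the new check run every `timeout` seconds,
 * return the first time inactivity is detected, or -1 if it never is before
 * `horizon`. The initial CHILD_SA saw its last traffic at t=5. */
time_t first_inactivity_detection(time_t rekey_interval, time_t timeout,
                                  time_t horizon)
{
    child_sa_model_t sa = { .last_in = 5, .last_out = 0, .install = 0 };
    time_t next_rekey = rekey_interval;

    for (time_t now = timeout; now <= horizon; now += timeout) {
        while (next_rekey <= now) {          /* apply every rekey due so far */
            sa = rekey(next_rekey);
            next_rekey += rekey_interval;
        }
        if (inactive_new(&sa, now, timeout))
            return now;
    }
    return -1;
}

int main(void)
{
    printf("old check, job right after rekey: inactive=%d\n",
           false_positive_after_rekey(inactive_old));
    printf("new check, job right after rekey: inactive=%d\n",
           false_positive_after_rekey(inactive_new));
    printf("rekey every 20 s, timeout 30 s:  first detection at %ld\n",
           (long)first_inactivity_detection(20, 30, 300));
    printf("rekey every 100 s, timeout 30 s: first detection at %ld\n",
           (long)first_inactivity_detection(100, 30, 300));
    return 0;
}
```

The first scenario reproduces the bug: the old check sees reset counters and reports 155 seconds of idleness five seconds after a rekey, while the new check measures from the install time. The second shows the cost of the fix: once the rekey interval is shorter than the inactivity timeout, every rekey restarts the idle clock and the timeout is never reached, which is exactly why the man page change requires `inactivity` to be smaller than the rekey interval.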
@ -386,7 +386,9 @@ retransmission timeout applies, as every exchange is used to detect dead peers.
|
||||||
.TP
|
.TP
|
||||||
.BR inactivity " = <time>"
|
.BR inactivity " = <time>"
|
||||||
defines the timeout interval, after which a CHILD_SA is closed if it did
|
defines the timeout interval, after which a CHILD_SA is closed if it did
|
||||||
not send or receive any traffic.
|
not send or receive any traffic. The inactivity counter is reset during CHILD_SA
|
||||||
|
rekeying. This means that the inactivity timeout must be smaller than the
|
||||||
|
rekeying interval to have any effect.
|
||||||
.TP
|
.TP
|
||||||
.BR eap_identity " = <id>"
|
.BR eap_identity " = <id>"
|
||||||
defines the identity the client uses to reply to an EAP Identity request.
|
defines the identity the client uses to reply to an EAP Identity request.
|
||||||
|
|
|
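Review bot: the added man page sentence "must be smaller than the rekeying interval" names no option, and nothing on this page is called that; state which setting(s) determine when a CHILD_SA is rekeyed so a reader can actually satisfy the constraint, and spell out the consequence of violating it (the timeout silently never fires, as the commit message says). Also, "The inactivity counter is reset" suggests a counter being zeroed, whereas the companion code change counts the install time of the new CHILD_SA as activity; "is restarted from the time the CHILD_SA was installed" would describe the implementation more precisely.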
@ -73,12 +73,13 @@ METHOD(job_t, execute, job_requeue_t,
|
||||||
{
|
{
|
||||||
if (child_sa->get_reqid(child_sa) == this->reqid)
|
if (child_sa->get_reqid(child_sa) == this->reqid)
|
||||||
{
|
{
|
||||||
time_t in, out, diff;
|
time_t in, out, install, diff;
|
||||||
|
|
||||||
child_sa->get_usestats(child_sa, TRUE, &in, NULL, NULL);
|
child_sa->get_usestats(child_sa, TRUE, &in, NULL, NULL);
|
||||||
child_sa->get_usestats(child_sa, FALSE, &out, NULL, NULL);
|
child_sa->get_usestats(child_sa, FALSE, &out, NULL, NULL);
|
||||||
|
install = child_sa->get_installtime(child_sa);
|
||||||
|
|
||||||
diff = time_monotonic(NULL) - max(in, out);
|
diff = time_monotonic(NULL) - max(max(in, out), install);
|
||||||
|
|
||||||
if (diff >= this->timeout)
|
if (diff >= this->timeout)
|
||||||
{
|
{
|
||||||
|
|
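Review bot: `diff = time_monotonic(NULL) - max(max(in, out), install);` assumes `child_sa->get_installtime()` returns a timestamp on the same monotonic clock as `time_monotonic()` and as the `in`/`out` values from `get_usestats()`; if it were wall-clock time, `diff` would come out negative or far too large and the timeout would never (or always) trigger. Add a one-line comment above the new `install = child_sa->get_installtime(child_sa);` recording that assumption, and note there that for a CHILD_SA with no traffic yet (`in` and `out` both 0, as right after a rekey) the install time is now the only thing keeping this job from closing it on its first run, which is the case the commit message describes.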