[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Sun Apr 12 02:46:53 EEST 2015


New commits:
commit e9895349ac2c985930e59ab8c10dab148fe824ae
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 11 19:43:14 2015 -0400

    pluto: don't use an expired reserved kernel SPI as fallback [Herbert Xu]
    
    When IKE negotiation from kernel SA SPI reservation would
    exceed the default /proc/sys/net/core/xfrm_acq_expires timer of
    30 seconds, the kernel would return an error when we update the SA.
    
    A workaround was added to change the "update SA" into an "add SA",
    but this is wrong, as it will use a SPI that is no longer guaranteed
    to be unique by the kernel. This workaround was in commit 70566d650.
    
    Instead, return the failure, but log a message indicating what happened
    with a hint that the system could increase the timer in
    /proc/sys/net/core/xfrm_acq_expires.


