[Swan-commit] Changes to ref refs/heads/main
Andrew Cagney
cagney at vault.libreswan.fi
Thu Apr 7 15:45:36 EEST 2022
New commits:
commit 6981c796a99cca03f8f12ade5ffe42e98204d0f0
Merge: d9574f54de 57de4ec98e
Author: Andrew Cagney <cagney at gnu.org>
Date: Thu Apr 7 08:28:18 2022 -0400
kernel: eliminate double raw_policy() calls in teardown_ipsec_sa()
teardown_ipsec_sa() could end up calling raw_policy() to update/delete
inbound and outbound kernel policies via one or more of:
- unroute_connection() calling bare_policy_op()
- directly calling bare_policy_op()
- teardown_half_ipsec_sa()
For instance, when tearing down an instance, unroute_connection()
would delete inbound and outbound, followed by teardown_half_ipsec_sa()
re-deleting inbound.
The code's been changed so that teardown_ipsec_sa() calls
teardown_kernel_policy() and that updates or deletes outbound,
and always deletes inbound.
(technical nit, raw_policy() still changes behaviour - deleting instead
of replacing a kernel policy based on shunt; it shouldn't).
Should fix problems such as #612.
Merge commit '57de4ec98ec052e9fa14a18200a857261325116b'
commit 57de4ec98ec052e9fa14a18200a857261325116b
Author: Andrew Cagney <cagney at gnu.org>
Date: Thu Apr 7 08:25:46 2022 -0400
kernel: factor out teardown_kernel_policies()
unlike bare_policy_op() this doesn't try to be smart
commit 66e218dfacc687a04532dd404fd560029dbb8e92
Author: Andrew Cagney <cagney at gnu.org>
Date: Wed Apr 6 19:19:21 2022 -0400
kernel: in teardown_ipsec_sa(), set policy.host.{src,dst} to client.unspec
The updated kernel policy, which is transport mode, needs the
host/client to have the same family, so use client's family's unspec
address.
commit 4c0900ca142917cd0513c63326a064cab2b30231
Author: Andrew Cagney <cagney at gnu.org>
Date: Wed Apr 6 13:04:20 2022 -0400
kernel: cleanup teardown_ipsec_sa()
- drop the redundant .routing update
- use sr, rather than st->st_connection->spd
commit c3f00dd95990e5e3b9037590b1decd51a17abc73
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Apr 5 17:52:39 2022 -0400
kernel: in teardown_ipsec_sa() drop redundant raw_policy() call
commit d2ef5bd7cdaacd5e799ed951d984183195a57254
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Apr 5 14:53:02 2022 -0400
kernel: in teardown_ipsec_sa() move "unconditional" delete incoming policy to earlier
Put a copy of the call on all three (uneclipse, instance, other)
code paths. Makes it obvious that the instance codepath is
"deleting" incoming policy twice (the first delete gets
turned into an add by raw_policy, ulgh).
commit 1a584a976864eb33f7906ac052573b9f686fee25
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Apr 5 12:16:19 2022 -0400
kernel: in teardown_ipsec_sa() simplify replace code path
The replace code path never deletes incoming kernel policy
(it happens later).
commit e03ff8e0b1610aee36f8527405c7c798cc124e16
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Apr 5 11:25:49 2022 -0400
kernel: in teardown_ipsec_sa(), and a trap connection, call raw_policy() directly
Just note the pexpect()s sprinkled across this code showing
that this specific code path never deletes.
commit b8836dac1333b8a88a3d326dec8add96ec0db1f1
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Apr 5 09:57:30 2022 -0400
kernel: in teardown_ipsec_sa(), when connection instance, call raw_policy() directly
notice how there are two calls + a third later in the function
commit 446f5ac36bc9685dd680cd79a98254da3a7d0905
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Apr 5 09:38:53 2022 -0400
kernel: in teardown_ipsec_sa(), for eclipsed connection, call raw_policy() directly
commit fb6b34045c94262a45e415240a57324d30e6641b
Author: Andrew Cagney <cagney at gnu.org>
Date: Mon Apr 4 17:12:39 2022 -0400
kernel: inline unroute_connection() calls in teardown_ipsec_sa()
commit d0651bafaf5743117ffb607cd757f9f751cadaf2
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Apr 3 11:14:43 2022 -0400
kernel: dump changes to .routing and .eroute_owner
commit 3ad1cdecefbb14b912c39aa8b5390f13a3e43b1d
Author: Andrew Cagney <cagney at gnu.org>
Date: Thu Mar 31 16:01:51 2022 -0400
kernel: dump more details when tearing down an SA