[Swan-commit] Changes to ref refs/heads/main
Antony Antony
antony at vault.libreswan.fi
Wed Jul 6 09:38:27 EEST 2022
New commits:
commit bca051b598f87813653d1abeb25aa4c05405fc2f
Author: Antony Antony <antony at phenome.org>
Date: Wed Jun 29 14:36:54 2022 +0000
ikev2: use refactored fuzz_margin to calculate margin
use refactored code to calculate fuzzed margin for IKEv2, IKEv1 and IPsec bytes and packets.
change the corner case when margin > delay
use the delay, instead of bailing out when "margin to small for re-key";
commit 03298b6e65531e75824df11ae7e01a12e66ae3d9
Author: Antony Antony <antony at phenome.org>
Date: Wed Jun 29 14:37:10 2022 +0000
ikev1: use refactored fuzz_margin to calculate margin
use refactored code to calculate fuzzed margin for IKEv1, IKEv2 and IPsec bytes and packets.
Also make the logic consistent between IKEv1 and IKEv2 on the corner case margin > lifetime.
Expiring when randomized margin > configured time is odd. It
- if (delay_ms > marg * 1000) {
- delay_ms -= marg * 1000;
- st->st_replace_margin = deltatime(marg);
- } else {
- kind = EVENT_SA_EXPIRE;
^^ is odd. It is only in IKEv1, and IKEv2 does different things.
- }
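Review bot: the removed `else` turns a configured margin at or above the lifetime into EVENT_SA_EXPIRE with no rekey attempt, and the hunk shows only the deleted lines; since the message says the delay is now used instead, quote or reference the replacement (fuzz_margin()) and state whether st_replace_margin is still set in that branch, otherwise the new corner-case behaviour cannot be verified from this diff.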
now set the delay to without margin + fuzz.
Here is a quick history of adding EVENT_SA_EXPIRE.
git show 7105897d86b90 programs/pluto/ikev1.c
git show 6fa81707feb18 programs/pluto/ikev1.c
git show 67548e95285fc programs/pluto/ikev1.c kind = EVENT_SA_EXPIRE;
git show 6a3b72d55d831 programs/pluto/demux.c kind = EVENT_SA_EXPIRE;
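As an added illustration of the two commits above (not pluto's code), the scheduling decision they change, modelled in C: fuzz_margin() stretches the initiator's margin by a share of the fuzz percentage and halves the responder's, and schedule_old()/schedule_new() show the removed EVENT_SA_EXPIRE fallback beside the new behaviour that keeps the full delay. The random draw is passed in as a parameter, and dropping the margin entirely in the corner case is an assumption about what the new code does.

```c
#include <stdbool.h>
#include <stdint.h>

/* Event kinds named in the commit message. */
enum event_kind { EVENT_SA_REPLACE, EVENT_SA_EXPIRE };

struct rekey_plan {
    enum event_kind kind;
    uint64_t delay_ms;                  /* time until the event fires */
};

/* Fuzzed rekey margin in seconds. The initiator stretches its margin by a
 * random share of up to fuzz_percent so it rekeys first; the responder
 * halves its margin. 'draw' (0..1000) stands in for the random number so the
 * result is deterministic. A model of the behaviour described in the commits,
 * not pluto's fuzz_margin(). */
static uint64_t fuzz_margin(bool initiator, uint64_t margin_s,
                            unsigned fuzz_percent, unsigned draw)
{
    if (initiator)
        return margin_s + margin_s * fuzz_percent * draw / 100 / 1000;
    return margin_s / 2;
}

/* Removed behaviour (the "-" lines above): a margin that does not fit inside
 * the lifetime turns the replace into an EVENT_SA_EXPIRE. */
static struct rekey_plan schedule_old(uint64_t lifetime_ms, uint64_t margin_s)
{
    struct rekey_plan p = { EVENT_SA_REPLACE, lifetime_ms };
    if (p.delay_ms > margin_s * 1000)
        p.delay_ms -= margin_s * 1000;
    else
        p.kind = EVENT_SA_EXPIRE;       /* no rekey attempt at all */
    return p;
}

/* Behaviour the commits describe: when the margin does not fit, keep the
 * full delay and still schedule a replace (assumption: the margin is simply
 * dropped for this SA). */
static struct rekey_plan schedule_new(uint64_t lifetime_ms, uint64_t margin_s)
{
    struct rekey_plan p = { EVENT_SA_REPLACE, lifetime_ms };
    if (p.delay_ms > margin_s * 1000)
        p.delay_ms -= margin_s * 1000;
    return p;                           /* else: rekey at the full lifetime */
}
```

With libreswan-style defaults (1h lifetime, 9 min margin, 100% fuzz) the initiator's fuzzed margin lands between 540 s and 1080 s, so a 10 min SA lifetime hits the corner case on the initiator but not the responder.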
commit 447cd9c23cfdc38343a85f1558b7969cf9e7cbbf
Merge: bcf232dd27 699b480e90
Author: Antony Antony <antony at phenome.org>
Date: Wed Jul 6 04:16:13 2022 +0000
Merge commit 'sa-expire-20220705'
Linux XFRM support for XFRM_MSG_EXPIRE message and rekey
- add ipsec-max-bytes and ipsec-max-packets
- add IEC 60027-2/ISO 8000 Binary prefix support, KiB, MiB..
- Ki, Mi... for packets
- Also add support to print the above.
commit 699b480e908bb6d875cf9b3c31633f71fae1b75b
Author: Antony Antony <antony at phenome.org>
Date: Thu Jun 23 16:18:51 2022 +0000
testing: update existing tests with ipsec_max_bytes: 16EiB; ipsec_max_packets: 16Ei
fix reference console output and run tests to verify those again.
Use the sed lines if origin/main changes and creates a rebase conflict.
sed -i -e 's/ipsec_life: 28800s; replay_window: 128;/ipsec_life: 28800s; ipsec_max_bytes: 16EiB; ipsec_max_packets: 16Ei; replay_window: 128;/g' ./*/*.console.txt
sed -i -e 's/ipsec_life: 65536s; replay_window: 128;/ipsec_life: 65536s; ipsec_max_bytes: 16EiB; ipsec_max_packets: 16Ei; replay_window: 128;/g' ./*/*.console.txt
sed -i -e 's/ipsec_life: 28800s; replay_window: 256;/ipsec_life: 28800s; ipsec_max_bytes: 16EiB; ipsec_max_packets: 16Ei; replay_window: 256;/g' ./*/*.console.txt
sed -i -e 's/ipsec_life: 60s; replay_window: 128;/ipsec_life: 60s; ipsec_max_bytes: 16EiB; ipsec_max_packets: 16Ei; replay_window: 128;/g' ./*/*.console.txt
sed -i -e 's/ipsec_life: 0s; replay_window: 0;/ipsec_life: 0s; ipsec_max_bytes: 16EiB; ipsec_max_packets: 16Ei; replay_window: 0;/g' ./*/*.console.txt
sed -i -e 's/ipsec_life: 28800s; replay_window: 0;/ipsec_life: 28800s; ipsec_max_bytes: 16EiB; ipsec_max_packets: 16Ei; replay_window: 0;/g' ./*/*.console.txt
sed -i -e 's/inBytes=0, outBytes=0, id=/inBytes=0, outBytes=0, maxBytes=16EiB, id=/g' */*.console.txt
sed -i -e 's/inBytes=64, outBytes=64, id=/inBytes=64, outBytes=64, maxBytes=16EiB, id=/g' */*console.txt
sed -i -e 's/inBytes=84, outBytes=84, id=/inBytes=84, outBytes=84, maxBytes=16EiB, id=/g' */*console.txt
sed -i -e 's/inBytes=104, outBytes=104, id=/inBytes=104, outBytes=104, maxBytes=16EiB, id=/g' */*.console.txt
sed -i -e 's/inBytes=168, outBytes=168, id=/inBytes=168, outBytes=168, maxBytes=16EiB, id=/g' */*.console.txt
sed -i -e 's/inBytes=252, outBytes=252, id=/inBytes=252, outBytes=252, maxBytes=16EiB, id=/g' */*.console.txt
sed -i -e 's/inBytes=336, outBytes=336, id=/inBytes=336, outBytes=336, maxBytes=16EiB, id=/g' */*.console.txt
sed -i -e 's/inBytes=416, outBytes=416, id=/inBytes=416, outBytes=416, maxBytes=16EiB, id=/g' */*.console.txt
sed -i -e 's/inBytes=588, outBytes=588, id=/inBytes=588, outBytes=588, maxBytes=16EiB, id=/g' */*.console.txt
sed -i -e 's/inBytes=6nn, outBytes=6nn, id=/inBytes=6nn, outBytes=6nn, maxBytes=16EiB, id=/g' */*console.txt
sed -i -e 's/inBytes=1nn, outBytes=1nn, id=/inBytes=1nn, outBytes=1nn, maxBytes=16EiB, id=/g' */*console.txt
sed -i -e 's/inBytes=3nn, outBytes=3nn, id=/inBytes=3nn, outBytes=3nn, maxBytes=16EiB, id=/g' */*console.txt
sed -i -e 's/inBytes=84, outBytes=168, id=/inBytes=84, outBytes=168, maxBytes=16EiB, id=/g' */*console.txt
sed -i -e 's/inBytes=20, outBytes=40, id=/inBytes=20, outBytes=40, maxBytes=16EiB, id=/g' */*console.txt
sed -i -e 's/inBytes=20, outBytes=200, id=/inBytes=20, outBytes=200, maxBytes=16EiB, id=/g' */*console.txt
sed -i -e 's/inBytes=84, outBytes=84, lease=/inBytes=84, outBytes=84, maxBytes=16EiB, lease=/g' */*.console.txt
sed -i -e 's/inBytes=168, outBytes=168, lease=/inBytes=168, outBytes=168, maxBytes=16EiB, lease=/g' */*.console.txt
sed -i -e 's/inBytes=252, outBytes=252, lease=/inBytes=252, outBytes=252, maxBytes=16EiB, lease=/g' */*.console.txt
sed -i -e 's/inBytes=336, outBytes=336, lease=/inBytes=336, outBytes=336, maxBytes=16EiB, lease=/g' */*txt
sed -i -e 's/inBytes=0, outBytes=0$/inBytes=0, outBytes=0, maxBytes=16EiB/g' */*console.txt
sed -i -e 's/inBytes=84, outBytes=84$/inBytes=84, outBytes=84, maxBytes=16EiB/g' */*.console.txt
sed -i -e 's/inBytes=168, outBytes=168$/inBytes=168, outBytes=168, maxBytes=16EiB/g' */*.console.txt
sed -i -e 's/inBytes=252, outBytes=252$/inBytes=252, outBytes=252, maxBytes=16EiB/g' */*.console.txt
grep ike_life ./*/*.console.txt | grep -v ipsec_max_bytes
more aggressive sed replacement
sed -i -e 's/\(inBytes=[0-9]*, outBytes=[0-9]*,\) id=/\1 maxBytes=16EiB, id=/g' */*console.txt
sed -i -e 's/ipsec_life: 0s; ipsec_max_bytes: 16EiB; ipsec_max_packets: 16Ei; replay_window: 0/ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0;/g' ./testing/pluto/*/*.console.txt
this one seems odd, but those are for clear and block policies
sed -i -e 's/ipsec_life: 0s; replay_window: 0/ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0;/g' ./testing/pluto/*/*.console.txt
sed -i -e 's/replay_window: \([0-9]*\);; rekey_margin/replay_window: \1; rekey_margin/g' */*.console.txt
commit 659e5bd2b3c061cee7531fd1e74c7058baecfd2b
Author: Paul Wouters <paul.wouters at aiven.io>
Date: Thu Jan 6 17:25:51 2022 -0500
documentation: add ipsec-max-bytes ipsec-max-packets
Co-developed-by: Antony Antony <antony at phenome.org>
Signed-off-by: Antony Antony <antony at phenome.org>
commit 613da1cbebf77ec462b443c18bc21ca50e991c57
Author: Antony Antony <antony at phenome.org>
Date: Sat Nov 27 08:17:17 2021 +0000
kernel: refactor setting get_sa_info
Refactor and one minor change to the add_time update. add_time should not
change. Only update it when the add_time pluto recorded is zero.
When it is non-zero, call pexpect.
commit e7efdfcf53b660d8544ac34580abca31c5c18e61
Author: Antony Antony <antony at phenome.org>
Date: Wed Nov 24 20:04:05 2021 +0000
kernel: do not delete a hard expired sa from kernel
Do not send a delete request for a (hard) expired xfrm SA, because the
kernel already deleted this SA.
A hard expired SA is already removed by the kernel before pluto
receives an XFRM_MSG_EXPIRE message.
This probably happens rarely in real life; however, in some use cases,
especially in a test setup, this will show up more often. In a normal
situation the soft expire should trigger a rekey and pluto will delete the SAs
before the kernel hits the hard expire.
A test setup has a low ipsec-max-bytes value, say 2KiB vs 16EiB.
When the traffic is symmetric, both SAs will expire one after the other.
While processing the first hard expire message for one direction, the second
SA has already expired in the kernel, and a netlink message is queued for pluto
to process.
It is likely a corner case in real life, because traffic is not likely to be
symmetric and the margin is big, in GiBs. In a test setup, however,
if you set the limit to 2KiB and use 1500 byte packets, several corner cases
will trigger at once and appear to create chaos.
commit a9142c7a4918781261d0f2a6ff00074e3e898fd7
Author: Antony Antony <antony at phenome.org>
Date: Wed Nov 24 19:40:14 2021 +0000
kernel: shortcut get_sa_info if the SA was hard expired
get_sa_info on an expired (hard) SA would fail. Shortcut that!
Also, when the traffic is symmetric, both SAs could expire one after the other.
While processing the first hard expire, the second one has already
expired in the kernel, and a netlink message is queued for pluto to
read. In this case get_sa_info() on the second xfrm SA could generate an error;
in real life this is unlikely, because traffic is not likely to be symmetric?
IKE delete messages could also cross over. Both ends could send a delete message?
Margin + fuzzing gives priority to the initiator to expire first.
commit ecf2cf303f1c7212c0834e07676a39d8f6999403
Author: Antony Antony <antony at phenome.org>
Date: Tue Apr 13 12:20:13 2021 +0000
pluto: extend readable_humber output with ISO binary prefix GiB
Delete "!" trickery for Kilo. It is not used anymore.
It was used for AH and IPcomp, both are corner cases.
Add support for the prefixes KiB, GiB, TiB, PiB, EiB (Binary Prefix). And 16Ei for 2^64
ISO 8000/ IEC 60027-2 standard read at https://en.wikipedia.org/wiki/Binary_prefix
commit 9d89c34b0f8b39aad01d3112c2d4d85cf223f0e6
Author: Antony Antony <antony at phenome.org>
Date: Mon Apr 5 11:50:40 2021 +0200
pluto: xfrm kernel and XFRM_MSG_EXPIRE
add support for XFRM_MSG_EXPIRE message, soft and hard expire
Co-developed-by: Paul Wouters <paul.wouters at aiven.io>
commit 1045691b8da5f75c1c05cf4130e33d29964dda06
Author: Antony Antony <antony at phenome.org>
Date: Thu Dec 5 20:23:05 2019 +0000
pluto: add support for xfrm sa expire messages
Add SA "ipsec-max-bytes" and "ipsec-max-packets" support. Set soft and hard expire in
the xfrm SA. When the kernel sends a soft expire message, rekey the connection.
When there is a hard expire, delete the related state and Child SA.
Co-developed-by: Paul Wouters <paul.wouters at aiven.io>
commit a9dce8058f5a1ced8e2ace39cf275f01ba149477
Author: Paul Wouters <paul.wouters at aiven.io>
Date: Thu Nov 25 06:24:36 2021 +0000
libswan: add two new impairs: ignore-soft-expire, ignore-hard-expire
Signed-off-by: Antony Antony <antony at phenome.org>
commit b79030c16674e449dc3187460c5d18aba90b35f2
Author: Antony Antony <antony at phenome.org>
Date: Thu Dec 5 14:23:23 2019 +0000
lib: parser add binary prefix support
needed for ipsec-max-bytes and ipsec-max-packets
- Binary prefixes Ki,Mi,Gi,Ti,Pi,Ei ISO/IEC standard packets
- Bytes prefixes B,KiB,MiB,GiB,TiB,PiB,EiB ISO/IEC standard
https://en.wikipedia.org/wiki/Binary_prefix
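An added example (not the libreswan parser or readable_humber) of the binary-prefix syntax this commit and the readable_humber commit above introduce for ipsec-max-bytes and ipsec-max-packets: Ki..Ei select 2^10..2^60, byte counts carry a B and packet counts do not, and 16EiB / 16Ei is exactly 2^64, one past uint64_t. Treating that one value as a saturated UINT64_MAX, and accepting a byte count without the B, are assumptions made here.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Ki..Ei select 2^10..2^60; byte limits spell the unit (KiB), packet limits do not (Ki). */
static const char PREFIXES[] = "KMGTPE";

/* Parse "2KiB", "16Ei", "1500" or "0B" into *out; false on malformed input or
 * overflow. Exception: 16EiB / 16Ei is exactly 2^64, one past uint64_t, and
 * saturates to UINT64_MAX here (assumption: "no limit"). Added example, not
 * the libreswan parser. */
static bool parse_binary_prefix(const char *s, bool bytes, uint64_t *out)
{
    if (!isdigit((unsigned char)*s))
        return false;                   /* no sign, no leading blanks */
    char *end;
    errno = 0;
    unsigned long long n = strtoull(s, &end, 10);
    if (errno == ERANGE)
        return false;
    unsigned shift = 0;
    const char *p = (*end != '\0') ? strchr(PREFIXES, *end) : NULL;
    if (p != NULL) {
        if (end[1] != 'i')              /* "2KB" or "2Kb" is not an IEC prefix */
            return false;
        shift = 10 * (unsigned)(p - PREFIXES + 1);
        end += 2;
    }
    if (bytes && *end == 'B')           /* assumption: the B is optional for bytes */
        end++;
    if (*end != '\0')                   /* trailing junk, or a B on a packet count */
        return false;
    if (shift != 0 && n > (UINT64_MAX >> shift)) {
        if (n == 16 && shift == 60) { *out = UINT64_MAX; return true; }
        return false;                   /* e.g. 17EiB really overflows */
    }
    *out = (uint64_t)n << shift;
    return true;
}

/* Helpers returning the outcome so the parse can be checked without printing. */
static bool parses_to(const char *s, bool bytes, uint64_t want)
{ uint64_t got; return parse_binary_prefix(s, bytes, &got) && got == want; }
static bool rejects(const char *s, bool bytes)
{ uint64_t got; return !parse_binary_prefix(s, bytes, &got); }
```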
commit f48f403a9b2f5dcadb8fa39bdabe8fa9f41cf105
Author: Antony Antony <antony at phenome.org>
Date: Sat Mar 14 11:41:23 2020 +0000
testing: xfrm expire tests
tests for ipsec-max-bytes and ipsec-max-packets
commit 96f40309b3d92ea5bc5295553fa7fa25d5ac57fc
Author: Antony Antony <antony at phenome.org>
Date: Tue May 17 16:11:05 2022 +0000
Revert "kernel_xfrm: dbg log, rather than ignore, EXPIRE event payloads"
This reverts commit e0c8b838abba563e1fb78c023037953916df0101.
revert the minimal netlink_expire() function to prepare for
full support of EVENT_SA_EXPIRE event