[Swan-dev] pluto: Always delete outbound SA with inbound SA
Herbert Xu
herbert at gondor.apana.org.au
Mon Apr 20 09:17:24 EEST 2015
On Fri, Apr 10, 2015 at 04:44:26PM +0800, Herbert Xu wrote:
> Ever since install_inbound_ipsec_sa was changed to always install
> the outbound SA before the inbound SA, I have been getting outbound
> SAs left behind when a phase 2 negotiation fails. This is because
> pluto will try to delete only the inbound SA if the negotiation
> isn't complete.
Here is a resend since no one responded to the first email.
BTW, do you guys have a public development git tree? The GitHub
tree seems to be infrequently pushed.
pluto: Always delete outbound SA with inbound SA
Ever since install_inbound_ipsec_sa was changed to always install
the outbound SA before the inbound SA, I have been getting outbound
SAs left behind when a phase 2 negotiation fails. This is because
pluto will try to delete only the inbound SA if the negotiation
isn't complete.
Obviously this makes no sense so this patch changes delete_ipsec_sa
to always delete both SAs.
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index 0f40248..d58c36b 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -2952,6 +2952,11 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
bool inbound_only USED_BY_KLIPS)
{
+ /* Because install_inbound_ipsec_sa always sets up the outbound
+ * SA first we always have to delete them both.
+ */
+ inbound_only = FALSE;
+
switch (kern_interface) {
case USE_MASTKLIPS:
case USE_KLIPS:
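Review bot: the unconditional `inbound_only = FALSE;` at the top of delete_ipsec_sa makes the `inbound_only` parameter dead, because every caller's argument is now ignored while the signature and its `USED_BY_KLIPS` annotation still suggest it has an effect. Consider removing the parameter and updating the callers instead, so that any later use of `inbound_only` in the function body is not mistaken for live logic. If the override is kept as a minimal fix, the comment should name the case it covers (a failed phase 2 negotiation after install_inbound_ipsec_sa has already installed the outbound SA), as the commit message does.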
--
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt