[Swan-dev] pluto: Always delete outbound SA with inbound SA

Paul Wouters paul at nohats.ca
Mon Apr 27 04:58:09 EEST 2015

On Tue, 21 Apr 2015, Herbert Xu wrote:

> Subject: Re: [Swan-dev] pluto: Always delete outbound SA with inbound SA
> On Mon, Apr 20, 2015 at 09:45:01AM -0400, Paul Wouters wrote:
>> It's on my todo list. I am puzzled by your "Ever since
>> the outbound SA before the inbound SA", and wanted to track that
>> change down first to get more context. I'm thinking the most likely
>> candidate of this is the removal of the loopback code that did
>> horrible things like only install part of an SA to itself.
> It was added by
> commit f77d044ab9506498d71b266e4495717f677da4d6

Thanks for finding that commit for me. I've updated ipsec_delete_sa() to not
have the bool inbound_only parameter anymore.


> Author: Michael Richardson <mcr at xelerance.com>
> Date:   Wed Feb 22 12:49:49 2006 -0500
>    this include much refactoring of kernel_pfkey.c code into mast vs klips
>    functions. The kernel.c add_sa code now looks at the ref/refhim arguments
>    to the kernel_sa, making sure to install outgoing SA before incoming SA
>    so that we can refer to outgoing SA as the refhim.
>    kernel_mast.c now locates a useful mastXXX device, creating only one
>    if we need it

More information about the Swan-dev mailing list