[Swan-dev] WIP: supporting xfrm SA expire

Antony Antony antony at phenome.org
Mon Jul 4 20:16:13 EEST 2022

I worked a bit more on the sa-expire branch and rebased it to the latest main.
The GitHub PR is updated.

The last two commits on the latest PR are for pluto to use the re-factored function
to calculate IKEv1 and IKEv2 margins.

Added a more robust fping. When a kernel SA hard expires and a reconnect is
triggered by the next ping, there will be some packet loss. The ping packet loss
and trafficstatus could be unpredictable due to timing and hard expire and

I hope the new fping wrapper and "ipsec trafficstatus" wrapper sanitize the
noise and make the test output more stable.

Is there any other feedback? I will start a test run, and if there are no
other issues I plan to merge the sa-expire branch to main in the next 12 hours
or so.

Thanks Paul for the review.


On Sun, Jun 26, 2022 at 06:51:56PM -0400, Paul Wouters wrote:
> On Jun 26, 2022, at 18:35, Antony Antony <antony at phenome.org> wrote:
> > 
> > On Fri, Jun 24, 2022 at 02:22:14PM -0400, Paul Wouters wrote:
> >>> On Tue, 21 Jun 2022, Antony Antony wrote:
> >>> 
> >>> Hi Paul,
> >>> Here is a new iteration of the sa-expire branch. I cherry picked changes from
> >>> https://github.com/paulwouters/libreswan/tree/sa-expire-2022-01-06
> >>> 
> >>> and rebased to origin/main.
> >>> 
> >>> I have created a PR to make it easy to review my branch.
> >>> https://github.com/libreswan/libreswan/pull/777
> >> 
> >> Thanks. I'm reviewing it now.
> > 
> > We are making progress. Good review. Let me know how I can access it as a
> > branch.
> It’s not a branch? You should add one or more commits to your branch and push. Then GitHub should be helpful and show me the changes for a new review. Once done, rebase into 1 commit for merging into main?
> > I commented on the review message on github.
> Will check.
> >> I prefer <unset> but it is fine. Anything but 18446744073709551615 is an
> >> improvement but I do still think people won't know what 16EiB is.
> > 
> > I vote for 16EiB. Maybe we could add an entry to the man page.
> Yeah that would be okay.
> > 
> >> It basically doubles my work because I have to do those from scratch
> >> again after the merge.
> > 
> > Your work is here and it is not lost!
> > Your commit
> > https://github.com/paulwouters/libreswan/commit/c4c36e3e1dd92fd30a1267fb511
> But since part of it got cherry picked out of commits, it’s not really useful to have. Anyway, don’t worry. I’ll pick that up after the merge to main and before a release.
> Paul
