[Openswan dev] [PATCH] Use ip xfrm in preference to setkey

Herbert Xu herbert at gondor.apana.org.au
Sat Mar 12 14:57:08 CET 2005


Hi:

Now that ip xfrm support has been around for a while, it's time to
use that in preference to setkey(8) since iproute2 is installed on
a lot more machines.

This patch uses ip xfrm if it's available.  Otherwise it uses
setkey as we do now.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
-------------- next part --------------
Index: openswan-2/programs/_realsetup/_realsetup.in
===================================================================
RCS file: /public/cvs/openswan-2/programs/_realsetup/_realsetup.in,v
retrieving revision 1.42
diff -u -r1.42 _realsetup.in
--- openswan-2/programs/_realsetup/_realsetup.in	21 Feb 2005 15:30:08 -0000	1.42
+++ openswan-2/programs/_realsetup/_realsetup.in	12 Mar 2005 03:53:03 -0000
@@ -132,7 +132,12 @@
 
 if test -f $kamepfkey
 then
-	KILLKLIPS='if type setkey > /dev/null 2>&1 ;
+	KILLKLIPS='
+		if ip xfrm state > /dev/null 2>&1 ;
+		then
+			ip xfrm state flush ;
+			ip xfrm policy flush ;
+		elif type setkey > /dev/null 2>&1 ;
 		then
 			setkey -F ;
 			setkey -FP ;
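Review bot: The probe `ip xfrm state > /dev/null 2>&1` at the top of the new KILLKLIPS branch discards stderr, so when it fails for a reason other than missing xfrm support the script falls through to the setkey branch without any trace, and the exit status of `ip xfrm state flush` and `ip xfrm policy flush` is not checked either. Because this code is what clears the state and policy databases, consider reporting a failed flush through logger, as the _startklips.in change does for the case where neither tool is usable, so that leftover SAs or policies do not go unnoticed.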
Index: openswan-2/programs/_startklips/_startklips.in
===================================================================
RCS file: /public/cvs/openswan-2/programs/_startklips/_startklips.in,v
retrieving revision 1.41
diff -u -r1.41 _startklips.in
--- openswan-2/programs/_startklips/_startklips.in	6 Mar 2005 18:52:23 -0000	1.41
+++ openswan-2/programs/_startklips/_startklips.in	12 Mar 2005 03:53:04 -0000
@@ -360,25 +360,18 @@
 	ipsec spi --clear
 elif test $netkey
 then
-	# Check that the setkey command is available.
-	setkeycmd=
-	PATH=$PATH:/usr/local/sbin
-	for dir in `echo $PATH | tr ':' ' '`
-	do
-       		if test -f $dir/setkey -a -x $dir/setkey
-        	then
-                	setkeycmd=$dir/setkey
-                	break                   # NOTE BREAK OUT
-        	fi
-	done
-	if ! test "$setkeycmd"
+	if ip xfrm state > /dev/null 2>&1
+	then
+		ip xfrm state flush
+		ip xfrm policy flush
+	elif type setkey > /dev/null 2>&1
 	then
-	
-        	echo "WARNING: cannot find setkey command -- \`$1'" |
-                	logger -s -p daemon.error -t ipsec_setup
-	else
         	$setkeycmd -F
         	$setkeycmd -FP
+	else
+	
+        	echo "WARNING: cannot flush state/policy database -- \`$1'" |
+                	logger -s -p daemon.error -t ipsec_setup
 	fi
 fi
 
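Review bot: In the `elif type setkey` branch the retained lines still call `$setkeycmd -F` and `$setkeycmd -FP`, but this hunk removes the only visible assignment of `setkeycmd`, so the variable expands to nothing and the shell tries to run `-F` as a command instead of flushing the databases. Call `setkey -F` and `setkey -FP` directly, as the _realsetup.in hunk does. The hunk also drops `PATH=$PATH:/usr/local/sbin`, so a setkey installed there is no longer found unless that directory is already on PATH; keep the line if that location should stay supported. The result of the two `ip xfrm ... flush` commands is not checked, so the warning in the final else branch only covers the case where no tool is found, not a flush that fails.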

