[Openswan dev] [Openswan Users] XFRM policy Update event for Inbound Policy

Paul Wouters paul at xelerance.com
Tue May 5 11:45:56 EDT 2009

On Tue, 5 May 2009, krishna murthy wrote:

(CC:ed Herbert, since he probably knows this code best, and bumping to dev at openswan.org)

> I am looking for Policy update notifications from the XFRM during the IPSec Re-keying. I look for the "XFRM_MSG_UPDPOLICY" event. The issue I see is that i Only get Policy updates for the Outbound Policies and not for the Inbound. Below is the dump of " ip xfrm monitor"
> Updated src dst
> dir out priority 2360
> tmpl src dst
> proto esp reqid 16385 mode tunnel
> never i see a policy update for the "dir=in". Please let me know if i am missing something.

Hmm. All the calls for that are in programs/pluto/kernel_netlink.c.

They are all also located only in one part:

if (sadb_op == ERO_DELETE || sadb_op == ERO_DEL_INBOUND)
else {
         * NEW will fail when an existing policy, UPD always works.
         * This seems to happen in cases with NAT'ed XP clients, or
         * quick recycling/resurfacing of roadwarriors on the same IP.
         * req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
        req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;

        if (sadb_op == ERO_REPLACE)
            req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
        req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));

What I am now not sure of, is whether XFRM_MSG_UPDPOLICY is just a notification
message, or wether it also has other effects. Perhaps you can look at the
NETKEY kernel code and kernel_netlink.c. It sounds like there might be a bug
either in our code, or in the kernel, that causes some update messages to be


More information about the Dev mailing list