[Openswan dev] [Openswan Users] XFRM policy Update event for Inbound Policy
Paul Wouters
paul at xelerance.com
Tue May 5 11:45:56 EDT 2009
On Tue, 5 May 2009, krishna murthy wrote:
(CC:ed Herbert, since he probably knows this code best, and bumping to dev at openswan.org)
> I am looking for Policy update notifications from the XFRM during the IPSec Re-keying. I look for the "XFRM_MSG_UPDPOLICY" event. The issue I see is that i Only get Policy updates for the Outbound Policies and not for the Inbound. Below is the dump of " ip xfrm monitor"
>
> Updated src 9.1.1.0/24 dst 11.0.0.0/8
> dir out priority 2360
> tmpl src 192.168.10.1 dst 192.168.10.2
> proto esp reqid 16385 mode tunnel
>
> never i see a policy update for the "dir=in". Please let me know if i am missing something.
Hmm. All the calls for that are in programs/pluto/kernel_netlink.c.
They are all also located only in one part:
if (sadb_op == ERO_DELETE || sadb_op == ERO_DEL_INBOUND)
{
[...]
}
else {
[...]
/*
* NEW will fail when an existing policy, UPD always works.
* This seems to happen in cases with NAT'ed XP clients, or
* quick recycling/resurfacing of roadwarriors on the same IP.
* req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
*/
req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
if (sadb_op == ERO_REPLACE)
{
req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
}
req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
}
What I am now not sure of, is whether XFRM_MSG_UPDPOLICY is just a notification
message, or wether it also has other effects. Perhaps you can look at the
NETKEY kernel code and kernel_netlink.c. It sounds like there might be a bug
either in our code, or in the kernel, that causes some update messages to be
missing.
Paul
More information about the Dev
mailing list