author | Timo Teräs <timo.teras@iki.fi> | 2010-11-04 17:00:26 +0200 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2010-11-05 09:11:20 +0200 |
commit | 7096622cc363cdaa8a0270ac37d27e8473b8bd5b (patch) | |
tree | c393d20b84c1e2d2847f7279fe8d2d1f379d9192 | |
parent | 6708e8870584ff77c2bcf0bad81a8bd0d34eb7d1 (diff) | |
main/ipsec-tools: add a patch to improve delete notify handling
if phase1 rekeying is enabled, remote side deleting the last
phase1 will result in deletion of all the ipsec-sa's and will
execute the phase1_dead script hook too (so everyone knows
the traffic between the two nodes has ceased).
(cherry picked from commit 8fe94be6c0d43e8df28679604f3d0fef550829a4)
-rw-r--r-- | main/ipsec-tools/95-purge-on-delete-notify.patch | 57 | ||||
-rw-r--r-- | main/ipsec-tools/APKBUILD | 6 |
2 files changed, 61 insertions, 2 deletions
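--- /dev/null
+++ b/main/ipsec-tools/95-purge-on-delete-notify.patch
@@ -0,0 +1,57 @@
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.63
+diff -u -p -r1.63 isakmp.c
+--- a/src/racoon/isakmp.c 21 Oct 2010 06:15:28 -0000 1.63
++++ b/src/racoon/isakmp.c 4 Nov 2010 14:52:39 -0000
+@@ -766,6 +766,20 @@ isakmp_main(msg, remote, local)
+return 0;
+}
+
++static int
++ph1_rekey_enabled(iph1)
++ struct ph1handle *iph1;
++{
++ if (iph1->rmconf->rekey == REKEY_FORCE)
++ return 1;
++#ifdef ENABLE_DPD
++ if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
++ iph1->rmconf->dpd_interval)
++ return 1;
++#endif
++ return 0;
++}
++
+/*
+* main function of phase 1.
+*/
+@@ -866,13 +880,7 @@ ph1_main(iph1, msg)
+migrate_dying_ph12(iph1);
+
+/* add to the schedule to expire, and seve back pointer. */
+- if ((iph1->rmconf->rekey == REKEY_FORCE)
+-#ifdef ENABLE_DPD
+- ||
+- (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
+- iph1->rmconf->dpd_interval)
+-#endif
+- ) {
++ if (ph1_rekey_enabled(iph1)) {
+sched_schedule(&iph1->sce,
+iph1->approval->lifetime *
+PFKEY_SOFT_LIFETIME_RATE / 100,
+@@ -2071,7 +2079,13 @@ isakmp_ph1delete(iph1)
+plog(LLV_INFO, LOCATION, NULL,
+"ISAKMP-SA deleted %s-%s spi:%s\n",
+src, dst, isakmp_pindex(&iph1->index, 0));
++
+evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
++
++ if (new_iph1 == NULL && ph1_rekey_enabled(iph1)) {
++ purge_remote(iph1);
++ script_hook(iph1, SCRIPT_PHASE1_DEAD);
++ }
+racoon_free(src);
+racoon_free(dst);
+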
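Review bot: `ph1_rekey_enabled()` dereferences `iph1->rmconf` without a NULL check, and this patch starts calling it from `isakmp_ph1delete()`, a teardown path that, per the commit message, is driven by the peer's delete notification. Nothing visible here establishes that every handle reaching `isakmp_ph1delete()` already has a remote configuration bound, so if a handle can be torn down before that point the daemon would crash on input from the network. A guard at the top of the helper, `if (iph1->rmconf == NULL) return 0;`, covers both call sites and leaves behaviour unchanged whenever rmconf is set. Because the new branch also flushes the peer's IPsec SAs through `purge_remote()` and runs the `SCRIPT_PHASE1_DEAD` hook, it is worth confirming outside this patch that a delete payload is honoured only inside an authenticated informational exchange; the bodies of `ph1_main()` and `isakmp_ph1delete()` are only partly visible here.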
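--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=ipsec-tools
 pkgver=0.8_alpha20101022
 _myver=0.8-alpha20101022
-pkgrel=1
+pkgrel=2
 pkgdesc="User-space IPsec tools for various IPsec implementations"
 url="http://ipsec-tools.sourceforge.net/"
 license="BSD"
@@ -17,6 +17,7 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
 75-racoonctl-rcvbuf.patch
 80-admin-big-reply-fix.patch
 90-dpd-window-fix.patch
+95-purge-on-delete-notify.patch
 "
 
 _builddir="$srcdir"/$pkgname-$_myver
@@ -63,4 +64,5 @@ md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz
 94773c94233e14cdce0fa02ff780a43e 70-defer-isakmp-ident-handling.patch
 2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch
 c3898b162d284bc163f99cc52925b52a 80-admin-big-reply-fix.patch
-0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch"
+0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch
+8bc73a15407564321c8f571b5656b28d 95-purge-on-delete-notify.patch"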