kernel-interface: Add support to change the reqid in update_sa()

src/libcharon/kernel/kernel_ipsec.h

@@ -130,6 +130,8 @@ struct kernel_ipsec_update_sa_t {
 	bool encap;
 	/** TRUE to enable UDP encapsulation */
 	bool new_encap;
+	/** New reqid, or 0 if unchanged */
+	uint32_t new_reqid;
 };
 
 /**

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

@@ -2329,6 +2329,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 		kernel_ipsec_update_sa_t ipcomp = {
 			.new_src = data->new_src,
 			.new_dst = data->new_dst,
+			.new_reqid = data->new_reqid,
 		};
 		update_sa(this, &ipcomp_id, &ipcomp);
 	}
@@ -2417,6 +2418,10 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	sa = NLMSG_DATA(hdr);
 	memcpy(sa, NLMSG_DATA(out_hdr), sizeof(struct xfrm_usersa_info));
 	sa->family = data->new_dst->get_family(data->new_dst);
+	if (data->new_reqid)
+	{
+		sa->reqid = data->new_reqid;
+	}
 
 	if (!id->src->ip_equals(id->src, data->new_src))
 	{

src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

@@ -1960,6 +1960,12 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	size_t len;
 	status_t status = FAILED;
 
+	if (data->new_reqid)
+	{
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: reqid "
+			 "change is not supported", ntohl(id->spi));
+		return NOT_SUPPORTED;
+	}
 #ifndef SADB_X_EXT_NEW_ADDRESS_SRC
 	/* we can't update the SA if any of the ip addresses have changed.
 	 * that's because we can't use SADB_UPDATE and by deleting and readding the

src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c

@@ -2280,6 +2280,10 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 		key.dst = entry->osa.dst;
 		this->osas->remove(this->osas, &key);
 
+		if (data->new_reqid)
+		{
+			entry->reqid = data->new_reqid;
+		}
 		entry->local->destroy(entry->local);
 		entry->remote->destroy(entry->remote);
 		entry->local = data->new_dst->clone(data->new_dst);