kernel-netlink: Use total retransmit timeout as acquire timeout

By using the total retransmit timeout, modifications of timeout settings automatically reflect on the value of xfrm_acq_expires. If set, the value of xfrm_acq_expires configured by the user takes precedence over the calculated value.
2025-12-05 00:01:49 -05:00 · 2017-03-13 12:15:25 +01:00 · 2017-03-13 12:15:25 +01:00 · 70855696ad
commit 70855696ad
parent bfbd3af850
3 changed files with 26 additions and 16 deletions
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@ -113,6 +113,6 @@ charon.plugins.kernel-netlink.xfrm_acq_expires = 165
 	trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
 	Indirectly controls the delay between XFRM acquire messages triggered by the
 	kernel for a trap policy. The same value is used as timeout for SPIs
-	allocated by the kernel. The default value equals the default total
+	allocated by the kernel. The default value equals the total	retransmission
-	retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION
+	timeout for IKE messages, see IKEv2 RETRANSMISSION in
-	in **strongswan.conf**(5).
+	**strongswan.conf**(5).
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@ -78,9 +78,6 @@
 /** Base priority for installed policies */
 #define PRIO_BASE 200000
 /** Default lifetime of an acquire XFRM state (in seconds) */
 #define DEFAULT_ACQUIRE_LIFETIME 165
 /**
 * Map the limit for bytes and packets to XFRM_INF by default
 */
@ -3231,7 +3228,6 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 {
 	private_kernel_netlink_ipsec_t *this;
 	bool register_for_events = TRUE;
 	FILE *f;
 	INIT(this,
 		.public = {
@ -3276,15 +3272,6 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		register_for_events = FALSE;
 	}
 	f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
 	if (f)
 	{
 		fprintf(f, "%u", lib->settings->get_int(lib->settings,
 								"%s.plugins.kernel-netlink.xfrm_acq_expires",
 								DEFAULT_ACQUIRE_LIFETIME, lib->ns));
 		fclose(f);
 	}
 	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names,
 				lib->settings->get_bool(lib->settings,
 					"%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns));
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
@ -19,6 +19,8 @@
 #include "kernel_netlink_ipsec.h"
 #include "kernel_netlink_net.h"
 #include <sa/task_manager.h>
 typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
 /**
@ -50,6 +52,24 @@ METHOD(plugin_t, get_features, int,
 	return countof(f);
 }
 METHOD(plugin_t, reload, bool,
 	private_kernel_netlink_plugin_t *this)
 {
 	u_int timeout;
 	FILE *f;
 	f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
 	if (f)
 	{
 		timeout = lib->settings->get_int(lib->settings,
 							"%s.plugins.kernel-netlink.xfrm_acq_expires",
 							task_manager_total_retransmit_timeout(), lib->ns);
 		fprintf(f, "%u", timeout);
 		fclose(f);
 	}
 	return TRUE;
 }
 METHOD(plugin_t, destroy, void,
 	private_kernel_netlink_plugin_t *this)
 {
@ -76,10 +96,13 @@ plugin_t *kernel_netlink_plugin_create()
 			.plugin = {
 				.get_name = _get_name,
 				.get_features = _get_features,
 				.reload = _reload,
 				.destroy = _destroy,
 			},
 		},
 	);
 	reload(this);
 	return &this->public.plugin;
 }