__kernel_sa_family_t is defined and used since Linux 3.1, so on systems
with older kernels (like CentOS 6.7, which still ships a 2.6.32 kernel) the
build with the current UAPI headers fails. And using the native headers on
such system does not really work either because we use structs, defines, and
enum values from the newer headers in the kernel-netlink plugin.
__kernel_sa_family_t is defined in linux/socket.h so we ship that too (in
particular the simplified UAPI version from Linux 3.7+).
Fixes#1099.
If only one traffic selector had a port (type/code) the other side had
the port mask set to 0, which canceled out the applied type/code.
It also fixes the installation of ICMP type/code on big-endian hosts.
Fixes#1091.
References #595.
From recvfrom(2) (which UDPSocket#recv backs into):
The return value will be 0 when the peer has performed an orderly
shutdown.
(i.e. it will return an empty string)
Previously in this scenario, Vici::Transport#recv_all would spin
forever trying to pull more data off the socket. I'm not entirely
clear what happened that caused strongSwan to shutdown the socket, but
it probably should not cause vici Ruby apps to spin.
Closesstrongswan/strongswan#13.
Removes flushing of the IPsec state in the kernel when starter
terminates. We can't easily flush only the policies created for
IPsec SAs (and if installpolicies=no is used we don't want to flush
policies anyway). Also, since existing policies don't cause errors
anymore these aren't really an issue anymore (I think this was one of
the main reasons to flush the state). This behavior is also specific to
starter, so nothing is flushed when charon is used via systemd/swanctl.
This will also allow us to merge libhydra with libcharon in a future
release.
If the previous behavior is needed it can easily be replicated with some
external tools (we could also write a simple utility that does this).
Additional checks in the test environment make sure that the daemon
cleans up the state properly.
We can't control which policies we flush, so if policies are installed
and used outside of strongSwan for other protocols we'd flush them too.
And if installpolicies=no is used we probably shouldn't flush policies
either. Luckily already existing policies are not treated as fatal
errors anymore, so not flushing policies should not be that much of an
issue (in case of a crash in dynamic setups, e.g. with virtual IPs,
policies could be left behind even after restarting the connections and
properly terminating the daemon).
IKE_SAs that are initiated are now counted towards the half-open IKE_SAs
limit. Optionally it is possible to enforce limits towards the number of
half-open IKE_SAs and the job load also when initiating SAs. This is
currently only possible via VICI.
