Author: vanhu
Date: Mon Mar 23 20:37:37 2009
New Revision: 190334
URL: http://svn.freebsd.org/changeset/base/190334

Log:
  SAs are valid (but dying) when they reached soft lifetime,
  even if they have never been used.
  
  Approved by:  gnn(mentor)

Modified:
  stable/7/sys/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)
  stable/7/sys/dev/ath/ath_hal/   (props changed)
  stable/7/sys/dev/cxgb/   (props changed)
  stable/7/sys/netipsec/key.c

Modified: stable/7/sys/netipsec/key.c
==============================================================================
--- stable/7/sys/netipsec/key.c Mon Mar 23 20:29:54 2009        (r190333)
+++ stable/7/sys/netipsec/key.c Mon Mar 23 20:37:37 2009        (r190334)
@@ -4109,22 +4109,20 @@ key_flush_sad(time_t now)
                        /* check SOFT lifetime */
                        if (sav->lft_s->addtime != 0 &&
                            now - sav->created > sav->lft_s->addtime) {
-                               /*
-                                * check SA to be used whether or not.
-                                * when SA hasn't been used, delete it.
+                               key_sa_chgstate(sav, SADB_SASTATE_DYING);
+                               /* 
+                                * Actually, only send expire message if
+                                * SA has been used, as it was done before,
+                                * but should we always send such message,
+                                * and let IKE daemon decide if it should be
+                                * renegotiated or not ?
+                                * XXX expire message will actually NOT be
+                                * sent if SA is only used after soft
+                                * lifetime has been reached, see below
+                                * (DYING state)
                                 */
-                               if (sav->lft_c->usetime == 0) {
-                                       key_sa_chgstate(sav, SADB_SASTATE_DEAD);
-                                       KEY_FREESAV(&sav);
-                               } else {
-                                       key_sa_chgstate(sav, SADB_SASTATE_DYING);
-                                       /*
-                                        * XXX If we keep to send expire
-                                        * message in the status of
-                                        * DYING. Do remove below code.
-                                        */
+                               if (sav->lft_c->usetime != 0)
                                        key_expire(sav);
-                               }
                        }
                        /* check SOFT lifetime by bytes */
                        /*
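Review bot: The `if (sav->lft_c->usetime != 0)` guard before `key_expire(sav)` leaves a path where no soft-expire message is ever sent. As the new comment's XXX admits, an SA first used after its soft lifetime is already DYING, so the IKE daemon is never prompted to renegotiate and traffic keeps using that key until the hard lifetime, then fails. If the DYING-state handling referenced by "see below" (outside this hunk) cannot send the message, calling `key_expire(sav);` unconditionally here would close that gap and leave the rekey decision to the daemon. Unused SAs are also no longer freed at this point, so their removal now depends entirely on the hard-lifetime check, which is not visible here; that is worth confirming for SAs configured with a soft lifetime only. key_flush_sad's body starts and ends outside the hunk.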