New commits:
commit b94b34352c132b17d0be8e02e7e1b8a868ef0c9a
Merge: 115ba40eeb 5dfcbafebd
Author: Andrew Cagney <[email protected]>
Date: Tue Apr 8 13:27:12 2025 -0400
kernel: replace IPsec with bare-shunt
and not delete+add
close #2144 can route.c leak packets?
Merge branch 'main' into HEAD
commit 5dfcbafebdfea3160b61d8df07632f27360f2493
Author: Andrew Cagney <[email protected]>
Date: Mon Apr 7 16:53:52 2025 -0400
kernel: in unrouted_to_routed() always install prospective policy
Skip deleting any bare/orphaned shunt left over by a
previous OE connection.
commit a38d929f3b68d06c9ac73c84a791230a52761251
Author: Andrew Cagney <[email protected]>
Date: Mon Apr 7 15:30:12 2025 -0400
kernel: rename .conflicting.shunt to .conflicting.bare_shunt
Note: per previous comment, this is really an orphaned kernel policy
left over from an OE connection failing.
commit 221165d436d9a20f602641d393e8652530cb4c7a
Author: Andrew Cagney <[email protected]>
Date: Mon Apr 7 15:15:23 2025 -0400
routing: rename replace_ipsec_with_bare_kernel_policy() ...
to uninstall_ipsec_kernel_policy(). Since the kernel policy has
a connection it is not bare.
In the past, any kernel policy with no state was called
a bare shunt. Since 5.0, only kernel policies with no state
and no connection are bare. Further, they are only
created when an OE connection fails and the OE connection
instance is deleted.
Perhaps bare_shunt should be renamed to orphaned_kernel_policy.
commit adb4842f0e62290b333ad19070c22942ce2909df
Author: Andrew Cagney <[email protected]>
Date: Mon Apr 7 14:50:38 2025 -0400
kernel: clarify that an orphan shunt's connection is a template
(yes the code says bare)
commit 2c8065cf89a166a4ffb03341e224bd6519cfbfb5
Author: Andrew Cagney <[email protected]>
Date: Mon Apr 7 12:49:31 2025 -0400
kernel: remove existing but broken .overlap_supported code
For instance, in unrouted_to_routed(ONDEMAND) the code:
- /*
- * If this is a transport SA, and overlapping SAs are
- * supported, then this route is not necessary at all.
- */
- PEXPECT(c->logger, !kernel_ops->overlap_supported); /* still WIP */
- if (kernel_ops->overlap_supported && c->config->child_sa.encap_mode ==
ENCAP_MODE_TRANSPORT) {
- ldbg(c->logger, "route-unnecessary: overlap and transport");
- return true;
- }
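Review bot: the early `return true` in the removed `if` reported success without installing any policy, and nothing in this excerpt shows whether the `overlap_supported` member itself is dropped from `kernel_ops`; if the member stays, a backend could still set it with no code path honouring it. Suggest removing the member in the same commit, or leaving a one-line comment at this point in unrouted_to_routed() saying the on-demand policy is always installed regardless of encap mode, so the intent survives the deletion of the `PEXPECT(c->logger, !kernel_ops->overlap_supported)` "still WIP" marker.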
when overlap_supported=true, stops an on-demand policy being
installed, which is simply wrong.
This way someone trying to implement the feature isn't given the
impression that it currently works.
_______________________________________________
Swan-commit mailing list -- [email protected]