[strongSwan-dev] 5.2.2 - Bug in child SA interface to kernel?

Ryan Ruel ryan at ryanruel.com
Fri Mar 6 14:39:39 CET 2015


Ah ok.  That makes sense, thanks Martin.

/Ryan

On Fri, Mar 6, 2015 at 8:22 AM, Martin Willi <martin at strongswan.org> wrote:

> Hi Ryan,
>
> > The 3rd to last argument to "add_sa" is the "update" flag, but the kernel
> > interface specifies this as the "inbound" flag.
>
> The logic is actually correct, because "inbound" SAs must be installed
> as "update" operation in most backends. For inbound SAs, an SPI has been
> previously allocated, and the Netlink and PF_KEY interfaces expect an
> "update" instead of an "add" operation for that SA.
>
> I agree that it makes sense to just pass the inbound flag and let the
> kernel backend decide what is required to do. This has been changed some
> time ago in the master branch with [1].
>
> Regards
> Martin
>
> [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=698ed656
>
>
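The add-versus-update behaviour described in the quoted reply, as an added example that is not strongSwan or kernel code: a simplified in-memory SA database in which reserving an SPI leaves a placeholder entry, so "add" is refused for that SPI and "update" is refused for an SPI that was never reserved. All names (`sad_alloc_spi`, `sad_add`, `sad_update`, `install_sa`), the error codes chosen for the model and the SPI values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy SA database (hypothetical model, not the Netlink or PF_KEY API). */
enum sa_state { SA_FREE, SA_LARVAL, SA_VALID };
struct sa { uint32_t spi; enum sa_state state; };
static struct sa sad[8];

static struct sa *sad_find(uint32_t spi) {
    for (size_t i = 0; i < 8; i++)
        if (sad[i].state != SA_FREE && sad[i].spi == spi) return &sad[i];
    return NULL;
}

static int sad_insert(uint32_t spi, enum sa_state state) {
    if (sad_find(spi)) return -EEXIST;        /* SPI already present */
    for (size_t i = 0; i < 8; i++)
        if (sad[i].state == SA_FREE) {
            sad[i].spi = spi; sad[i].state = state;
            return 0;
        }
    return -ENOMEM;
}

/* Reserving an SPI for an inbound SA leaves a larval placeholder. */
int sad_alloc_spi(uint32_t spi) { return sad_insert(spi, SA_LARVAL); }

/* "add": creates a new entry, refuses an SPI that is already known. */
int sad_add(uint32_t spi) { return sad_insert(spi, SA_VALID); }

/* "update": completes an existing entry, refuses an unknown SPI. */
int sad_update(uint32_t spi) {
    struct sa *s = sad_find(spi);
    if (!s) return -ESRCH;
    s->state = SA_VALID;
    return 0;
}

/* The backend picks the operation; the caller passes only the direction. */
int install_sa(uint32_t spi, bool inbound) {
    return inbound ? sad_update(spi) : sad_add(spi);
}

int main(void) {
    sad_alloc_spi(0xc0ffee01);                /* constructed SPI values */
    printf("inbound via add:    %d\n", sad_add(0xc0ffee01));
    printf("inbound via update: %d\n", install_sa(0xc0ffee01, true));
    printf("outbound via add:   %d\n", install_sa(0xc0ffee02, false));
    return 0;
}
```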