[strongSwan-dev] [PATCH] child-sa: do not install unneeded transport mode policies

Timo Teräs timo.teras at iki.fi
Fri Aug 22 23:34:11 CEST 2014


If a transport mode wildcard policy is installed, a separate per
child-sa policy with expanded dynamic entries is not needed. This has
great performance benefits as policy database modification is
a heavy operation, and lookups in a policy database with a lot of
entries are slow. In addition, less memory is used.

Signed-off-by: Timo Teräs <timo.teras at iki.fi>
---
An alternative would be to instead make the child-sa install the original
configuration-specified policy, and thus the reference counting mechanism
in the policy manager would avoid duplicates. However, in any case it makes
sense to install per-instance policies if a trap policy is not desired.

 src/libcharon/sa/child_sa.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index a96ab4e..4cd1e60 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -135,6 +135,11 @@ struct private_child_sa_t {
 	bool trap;
 
 	/**
+	 * TRUE if this CHILD_SA should get routed
+	 */
+	bool install_policy;
+
+	/**
 	 * Specifies if UDP encapsulation is enabled (NAT traversal)
 	 */
 	bool encap;
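Review bot: the comment on the new field, "TRUE if this CHILD_SA should get routed", does not describe what `install_policy` controls; routing is what the existing `trap` flag tracks, while this flag gates whether the CHILD_SA installs, updates and deletes its own kernel policies (see its uses in add_policies(), update() and destroy()). Suggest "TRUE if this CHILD_SA installs its own policies in the kernel", and note in the comment that the value is only assigned in add_policies(), since destroy() now reads it for CHILD_SAs that may never have reached that point.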
@@ -812,7 +817,20 @@ METHOD(child_sa_t, add_policies, status_t,
 	}
 	enumerator->destroy(enumerator);
 
-	if (this->config->install_policy(this->config))
+	/* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
+	 * entry) we install a trap policy */
+	this->trap = this->state == CHILD_CREATED;
+
+	/* install policy if so requested in config. with the exception
+	 * that transport mode wildcard SAs do not need policy if a trap
+	 * policy exists. */
+	this->install_policy =
+		this->config->install_policy(this->config) &&
+		(this->trap ||
+		 this->mode != MODE_TRANSPORT ||
+		 this->config->get_start_action(this->config) != ACTION_ROUTE);
+
+	if (this->install_policy)
 	{
 		policy_priority_t priority;
 		ipsec_sa_cfg_t my_sa = {
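Review bot: the comment says "transport mode wildcard SAs do not need policy if a trap policy exists", but the condition only checks `this->mode != MODE_TRANSPORT` and `get_start_action(...) != ACTION_ROUTE`; it neither verifies that the traffic selectors are actually wildcards nor that a trap policy from this config is installed at the time. A transport-mode CHILD_SA with start_action=route therefore depends entirely on the trap policy staying in place for its lifetime: if the trap is removed (config unload, routed CHILD_SA torn down) while this SA stays up, the SA's traffic is left with no policy at all, which is a worse outcome than the duplicate policy the patch removes. Suggest either checking for the trap's presence explicitly or stating this dependency in the comment and commit message. Also, `this->trap` is now assigned before and independently of the config's install_policy check, so it is TRUE for every CHILD_CREATED SA even when no policy gets installed; worth confirming no other reader of `trap` takes it to mean a routed policy exists.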
@@ -841,9 +859,6 @@ METHOD(child_sa_t, add_policies, status_t,
 			other_sa.ah.spi = this->other_spi;
 		}
 
-		/* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
-		 * entry) we install a trap policy */
-		this->trap = this->state == CHILD_CREATED;
 		priority = this->trap ? POLICY_PRIORITY_ROUTED
 							  : POLICY_PRIORITY_DEFAULT;
 
@@ -955,7 +970,7 @@ METHOD(child_sa_t, update, status_t,
 		}
 	}
 
-	if (this->config->install_policy(this->config) && require_policy_update())
+	if (this->install_policy && require_policy_update())
 	{
 		ipsec_sa_cfg_t my_sa = {
 			.mode = this->mode,
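Review bot: with `install_policy` FALSE this CHILD_SA now skips the policy update entirely, which is consistent with add_policies(), but for the transport-mode case it means the trap CHILD_SA's policies are the only ones that would reflect an address change, and nothing in this hunk shows that path. A short comment here pointing to where (or whether) the trap's policies are updated on `update()` would make the reliance explicit.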
@@ -1087,7 +1102,7 @@ METHOD(child_sa_t, destroy, void,
 					this->mark_out);
 	}
 
-	if (this->config->install_policy(this->config))
+	if (this->install_policy)
 	{
 		/* delete all policies in the kernel */
 		enumerator = create_policy_enumerator(this);
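Review bot: keying destroy() on `this->install_policy` instead of the config changes behaviour for a CHILD_SA that is destroyed before add_policies() ever ran: previously it issued kernel policy deletes for entries that were never installed, now it skips them because the field is still at its zero-initialized FALSE. That is arguably an improvement, but it should be called out in the commit message, and it relies on the private struct being zero-initialized, which the field declaration in the first hunk does not state.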
-- 
2.1.0



More information about the Dev mailing list