[strongSwan-dev] [PATCH] child-sa: do not install unneeded transport mode policies

Timo Teras timo.teras at iki.fi
Sat Aug 23 21:45:30 CEST 2014

On Sat, 23 Aug 2014 00:34:11 +0300
Timo Teräs <timo.teras at iki.fi> wrote:

> If a transport mode wildcard policy is installed, a separate per
> child-sa policy with expanded dynamic entries is not needed. This has
> great performance benefits, as policy database modification is
> a heavy operation, and lookups in a policy database with a lot of
> entries are slow. Additionally, less memory is used.
>
> Signed-off-by: Timo Teräs <timo.teras at iki.fi>
> ---
> An alternative would be to instead make the child-sa install the original
> configuration-specified policy, and thus the reference counting
> mechanism in the policy manager would avoid duplicates. However, in some
> cases it makes sense to install per-instance policies if a trap policy is not
> desired.

Forgot to mention that this is on top of trap-sa branch. I also have
now trap-sa patches rebased on top of git master + the previously sent
source/remote hint patch.

I should probably send my whole set as a patchset, or as a pull request.
(Any preference on which?) Or perhaps you have some feedback on the
patches if they need changing?

The only thing I'm missing is the variant of notifications that
send the remote certificate along. After that I think I have all the
new core functionality I need (the CFG_REQUEST/CFG_SET vici stuff is
also still missing but I don't need it for the first iteration).

I also figured that I might as well use swanctl to load the connection
entry I need, and specify the IKE profile by name on the quagga/dmvpn
code. This will simplify the first implementation considerably also.

Some minor perf tuning and fixing can of course still be done, e.g. to
generate the event messages only if there are event listeners. Oh, and
there's a bug in "swanctl --log" (and also the new --monitor): if the
daemon exits, swanctl never exits or reconnects.
