[strongSwan-dev] [PATCH 8/8] child-sa: do not install unneeded transport mode policies
Timo Teräs
timo.teras at iki.fi
Wed Aug 27 15:05:24 CEST 2014
If a transport mode wildcard policy is installed, separate per
child-sa with expanded dynamic entries is not needed. This has
great performance benefits as policy database modification is
a heavy operation, and lookups to policy database with lot of
entries is slow. In additionally less memory is used.
Signed-off-by: Timo Teräs <timo.teras at iki.fi>
---
src/libcharon/sa/child_sa.c | 49 +++++++++++++++++++++++++++++++++++++++------
1 file changed, 43 insertions(+), 6 deletions(-)
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index a96ab4e..98b5964 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -16,6 +16,28 @@
* for more details.
*/
+/*
+ * Copyright (C) 2014 Timo Teräs <timo.teras at iki.fi>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
#define _GNU_SOURCE
#include "child_sa.h"
@@ -135,6 +157,11 @@ struct private_child_sa_t {
bool trap;
/**
+ * TRUE if this CHILD_SA should get routed
+ */
+ bool install_policy;
+
+ /**
* Specifies if UDP encapsulation is enabled (NAT traversal)
*/
bool encap;
@@ -812,7 +839,20 @@ METHOD(child_sa_t, add_policies, status_t,
}
enumerator->destroy(enumerator);
- if (this->config->install_policy(this->config))
+ /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
+ * entry) we install a trap policy */
+ this->trap = this->state == CHILD_CREATED;
+
+ /* install policy if so requested in config. with the exception
+ * that transport mode wildcard SAs do not need policy if a trap
+ * policy exists. */
+ this->install_policy =
+ this->config->install_policy(this->config) &&
+ (this->trap ||
+ this->mode != MODE_TRANSPORT ||
+ this->config->get_start_action(this->config) != ACTION_ROUTE);
+
+ if (this->install_policy)
{
policy_priority_t priority;
ipsec_sa_cfg_t my_sa = {
@@ -841,9 +881,6 @@ METHOD(child_sa_t, add_policies, status_t,
other_sa.ah.spi = this->other_spi;
}
- /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
- * entry) we install a trap policy */
- this->trap = this->state == CHILD_CREATED;
priority = this->trap ? POLICY_PRIORITY_ROUTED
: POLICY_PRIORITY_DEFAULT;
@@ -955,7 +992,7 @@ METHOD(child_sa_t, update, status_t,
}
}
- if (this->config->install_policy(this->config) && require_policy_update())
+ if (this->install_policy && require_policy_update())
{
ipsec_sa_cfg_t my_sa = {
.mode = this->mode,
@@ -1087,7 +1124,7 @@ METHOD(child_sa_t, destroy, void,
this->mark_out);
}
- if (this->config->install_policy(this->config))
+ if (this->install_policy)
{
/* delete all policies in the kernel */
enumerator = create_policy_enumerator(this);
--
2.1.0
More information about the Dev
mailing list