[strongSwan-dev] [PATCH 8/8] child-sa: do not install unneeded transport mode policies

Timo Teräs timo.teras at iki.fi
Wed Aug 27 15:05:24 CEST 2014


If a transport mode wildcard policy is installed, a separate per-CHILD_SA
policy with expanded dynamic entries is not needed. This has large
performance benefits, as modifying the policy database is a heavy
operation and lookups in a policy database with many entries are slow.
Additionally, less memory is used.

Signed-off-by: Timo Teräs <timo.teras at iki.fi>
---
 src/libcharon/sa/child_sa.c | 49 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 43 insertions(+), 6 deletions(-)

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index a96ab4e..98b5964 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -16,6 +16,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2014 Timo Teräs <timo.teras at iki.fi>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #define _GNU_SOURCE
 #include "child_sa.h"
 
@@ -135,6 +157,11 @@ struct private_child_sa_t {
 	bool trap;
 
 	/**
+	 * TRUE if this CHILD_SA should get routed
+	 */
+	bool install_policy;
+
+	/**
 	 * Specifies if UDP encapsulation is enabled (NAT traversal)
 	 */
 	bool encap;
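Review bot: The comment on the new `install_policy` field, `TRUE if this CHILD_SA should get routed`, describes the neighbouring `trap` flag rather than this one and will mislead readers, since the field is assigned in add_policies() from the config's install_policy() combined with the transport-mode/trap shortcut and later gates both update() and destroy(). Suggest `/* TRUE if kernel policies are installed for this CHILD_SA; set in add_policies() */`. The struct definition continues outside this hunk.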
@@ -812,7 +839,20 @@ METHOD(child_sa_t, add_policies, status_t,
 	}
 	enumerator->destroy(enumerator);
 
-	if (this->config->install_policy(this->config))
+	/* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
+	 * entry) we install a trap policy */
+	this->trap = this->state == CHILD_CREATED;
+
+	/* install policy if so requested in config. with the exception
+	 * that transport mode wildcard SAs do not need policy if a trap
+	 * policy exists. */
+	this->install_policy =
+		this->config->install_policy(this->config) &&
+		(this->trap ||
+		 this->mode != MODE_TRANSPORT ||
+		 this->config->get_start_action(this->config) != ACTION_ROUTE);
+
+	if (this->install_policy)
 	{
 		policy_priority_t priority;
 		ipsec_sa_cfg_t my_sa = {
@@ -841,9 +881,6 @@ METHOD(child_sa_t, add_policies, status_t,
 			other_sa.ah.spi = this->other_spi;
 		}
 
-		/* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
-		 * entry) we install a trap policy */
-		this->trap = this->state == CHILD_CREATED;
 		priority = this->trap ? POLICY_PRIORITY_ROUTED
 							  : POLICY_PRIORITY_DEFAULT;
 
@@ -955,7 +992,7 @@ METHOD(child_sa_t, update, status_t,
 		}
 	}
 
-	if (this->config->install_policy(this->config) && require_policy_update())
+	if (this->install_policy && require_policy_update())
 	{
 		ipsec_sa_cfg_t my_sa = {
 			.mode = this->mode,
@@ -1087,7 +1124,7 @@ METHOD(child_sa_t, destroy, void,
 					this->mark_out);
 	}
 
-	if (this->config->install_policy(this->config))
+	if (this->install_policy)
 	{
 		/* delete all policies in the kernel */
 		enumerator = create_policy_enumerator(this);
-- 
2.1.0


