[strongSwan-dev] [PATCH] charon: per connection replay window configuration
Christophe Gouault
christophe.gouault at 6wind.com
Tue May 13 10:36:38 CEST 2014
Hi strongswan developers,
Just a reminder to be sure this post does not just pass unnoticed.
Is there a chance this patch could be integrated in strongswan?
Thanks in advance,
Christophe
On 04/29/2014 10:14 AM, Christophe Gouault wrote:
> From: Zheng Zhong <zhong.zheng at 6wind.com>
>
> Make replay window configurable per connection.
>
> A new ipsec.conf option is available in the conn section:
> replay_window 32
>
> If unset, then the default value from strongswan.conf is used
> (charon.replay_window).
>
> Like for charon.replay_window, this option is only taken into
> account by the netlink kernel interface.
>
> Signed-off-by: Zheng Zhong <zhong.zheng at 6wind.com>
> Acked-by: Christophe Gouault <christophe.gouault at 6wind.com>
> ---
> src/libcharon/config/child_cfg.c | 20 +++++++
> src/libcharon/config/child_cfg.h | 14 +++++
> src/libcharon/plugins/stroke/stroke_config.c | 1 +
> src/libcharon/sa/child_sa.c | 6 ++-
> src/libhydra/kernel/kernel_interface.c | 9 ++--
> src/libhydra/kernel/kernel_interface.h | 4 +-
> src/libhydra/kernel/kernel_ipsec.h | 4 +-
> .../plugins/kernel_klips/kernel_klips_ipsec.c | 3 +-
> .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 56 +++++++++++++-------
> .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 3 +-
> src/starter/args.c | 1 +
> src/starter/confread.c | 2 +
> src/starter/confread.h | 1 +
> src/starter/keywords.h | 1 +
> src/starter/keywords.txt | 1 +
> src/starter/starterstroke.c | 1 +
> src/stroke/stroke_msg.h | 1 +
> 17 files changed, 99 insertions(+), 29 deletions(-)
>
> diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
> index 8d8214e..63fea5a 100644
> --- a/src/libcharon/config/child_cfg.c
> +++ b/src/libcharon/config/child_cfg.c
> @@ -138,6 +138,11 @@ struct private_child_cfg_t {
> * enable installation and removal of kernel IPsec policies
> */
> bool install_policy;
> +
> + /**
> + * anti-replay window size
> + */
> + u_int32_t replay_window;
> };
>
> METHOD(child_cfg_t, get_name, char*,
> @@ -478,6 +483,18 @@ METHOD(child_cfg_t, get_tfc, u_int32_t,
> return this->tfc;
> }
>
> +METHOD(child_cfg_t, get_replay_window, u_int32_t,
> + private_child_cfg_t *this)
> +{
> + return this->replay_window;
> +}
> +
> +METHOD(child_cfg_t, set_replay_window, void,
> + private_child_cfg_t *this, u_int32_t replay_window)
> +{
> + this->replay_window = replay_window;
> +}
> +
> METHOD(child_cfg_t, set_mipv6_options, void,
> private_child_cfg_t *this, bool proxy_mode, bool install_policy)
> {
> @@ -555,6 +572,8 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
> .get_reqid = _get_reqid,
> .get_mark = _get_mark,
> .get_tfc = _get_tfc,
> + .get_replay_window = _get_replay_window,
> + .set_replay_window = _set_replay_window,
> .use_proxy_mode = _use_proxy_mode,
> .install_policy = _install_policy,
> .get_ref = _get_ref,
> @@ -577,6 +596,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
> .my_ts = linked_list_create(),
> .other_ts = linked_list_create(),
> .tfc = tfc,
> + .replay_window = -1,
> );
>
> if (mark_in)
> diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
> index 20d1fa8..8e3e4cf 100644
> --- a/src/libcharon/config/child_cfg.h
> +++ b/src/libcharon/config/child_cfg.h
> @@ -235,6 +235,20 @@ struct child_cfg_t {
> u_int32_t (*get_tfc)(child_cfg_t *this);
>
> /**
> + * Get anti-replay window size
> + *
> + * @return anti-replay window size
> + */
> + u_int32_t (*get_replay_window)(child_cfg_t *this);
> +
> + /**
> + * Set anti-replay window size
> + *
> + * @param window anti-replay window size
> + */
> + void (*set_replay_window)(child_cfg_t *this, u_int32_t window);
> +
> + /**
> * Sets two options needed for Mobile IPv6 interoperability.
> *
> * @param proxy_mode use IPsec transport proxy mode (default FALSE)
> diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
> index e5e6d92..ca68e24 100644
> --- a/src/libcharon/plugins/stroke/stroke_config.c
> +++ b/src/libcharon/plugins/stroke/stroke_config.c
> @@ -1149,6 +1149,7 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
> map_action(msg->add_conn.close_action), msg->add_conn.ipcomp,
> msg->add_conn.inactivity, msg->add_conn.reqid,
> &mark_in, &mark_out, msg->add_conn.tfc);
> + child_cfg->set_replay_window(child_cfg, msg->add_conn.replay_window);
> child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
> msg->add_conn.install_policy);
> add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
> diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
> index 720a585..0c9a847 100644
> --- a/src/libcharon/sa/child_sa.c
> +++ b/src/libcharon/sa/child_sa.c
> @@ -639,6 +639,7 @@ METHOD(child_sa_t, install, status_t,
> host_t *src, *dst;
> status_t status;
> bool update = FALSE;
> + u_int32_t replay_window = 0;
>
> /* now we have to decide which spi to use. Use self allocated, if "in",
> * or the one in the proposal, if not "in" (others). Additionally,
> @@ -653,6 +654,7 @@ METHOD(child_sa_t, install, status_t,
> }
> this->my_spi = spi;
> this->my_cpi = cpi;
> + replay_window = this->config->get_replay_window(this->config);
> }
> else
> {
> @@ -722,8 +724,8 @@ METHOD(child_sa_t, install, status_t,
> src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
> inbound ? this->mark_in : this->mark_out, tfc,
> lifetime, enc_alg, encr, int_alg, integ, this->mode,
> - this->ipcomp, cpi, initiator, this->encap, esn, update,
> - src_ts, dst_ts);
> + this->ipcomp, replay_window, cpi, initiator, this->encap,
> + esn, update, src_ts, dst_ts);
>
> free(lifetime);
>
> diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
> index 3e34d20..30e4a45 100644
> --- a/src/libhydra/kernel/kernel_interface.c
> +++ b/src/libhydra/kernel/kernel_interface.c
> @@ -179,9 +179,9 @@ METHOD(kernel_interface_t, add_sa, status_t,
> private_kernel_interface_t *this, host_t *src, host_t *dst,
> u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
> u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
> - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
> - u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
> - traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
> + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
> + u_int32_t replay_window, u_int16_t cpi, bool initiator, bool encap, bool esn,
> + bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
> {
> if (!this->ipsec)
> {
> @@ -189,7 +189,8 @@ METHOD(kernel_interface_t, add_sa, status_t,
> }
> return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
> mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
> - ipcomp, cpi, initiator, encap, esn, inbound, src_ts, dst_ts);
> + ipcomp, replay_window, cpi, initiator, encap, esn, inbound,
> + src_ts, dst_ts);
> }
>
> METHOD(kernel_interface_t, update_sa, status_t,
> diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
> index cc47d3c..ad13f6e 100644
> --- a/src/libhydra/kernel/kernel_interface.h
> +++ b/src/libhydra/kernel/kernel_interface.h
> @@ -144,6 +144,7 @@ struct kernel_interface_t {
> * @param int_key key to use for integrity protection
> * @param mode mode of the SA (tunnel, transport)
> * @param ipcomp IPComp transform to use
> + * @param replay_window anti-replay window size
> * @param cpi CPI for IPComp
> * @param initiator TRUE if initiator of the exchange creating this SA
> * @param encap enable UDP encapsulation for NAT traversal
> @@ -159,7 +160,8 @@ struct kernel_interface_t {
> u_int32_t tfc, lifetime_cfg_t *lifetime,
> u_int16_t enc_alg, chunk_t enc_key,
> u_int16_t int_alg, chunk_t int_key,
> - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
> + ipsec_mode_t mode, u_int16_t ipcomp,
> + u_int32_t replay_window, u_int16_t cpi,
> bool initiator, bool encap, bool esn, bool inbound,
> traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
>
> diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
> index 25f5b38..43f5f3d 100644
> --- a/src/libhydra/kernel/kernel_ipsec.h
> +++ b/src/libhydra/kernel/kernel_ipsec.h
> @@ -100,6 +100,7 @@ struct kernel_ipsec_t {
> * @param int_key key to use for integrity protection
> * @param mode mode of the SA (tunnel, transport)
> * @param ipcomp IPComp transform to use
> + * @param replay_window anti-replay window size
> * @param cpi CPI for IPComp
> * @param initiator TRUE if initiator of the exchange creating this SA
> * @param encap enable UDP encapsulation for NAT traversal
> @@ -115,7 +116,8 @@ struct kernel_ipsec_t {
> mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime,
> u_int16_t enc_alg, chunk_t enc_key,
> u_int16_t int_alg, chunk_t int_key,
> - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
> + ipsec_mode_t mode, u_int16_t ipcomp,
> + u_int32_t replay_window, u_int16_t cpi,
> bool initiator, bool encap, bool esn, bool inbound,
> traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
>
> diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
> index a75ccf3..fec1410 100644
> --- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
> +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
> @@ -1682,7 +1682,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
> u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
> lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
> u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
> - u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
> + u_int16_t ipcomp, u_int32_t replay_window, u_int16_t cpi,
> + bool initiator, bool encap, bool esn,
> bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
> {
> unsigned char request[PFKEY_BUFFER_SIZE];
> diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
> index c864a92..76a8c7b 100644
> --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
> +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
> @@ -631,11 +631,12 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
> }
>
> /**
> - * Return the length of the ESN bitmap
> + * Return the length of the replay bitmap in number of __u32 blocks
> */
> -static inline size_t esn_bmp_len(private_kernel_netlink_ipsec_t *this)
> +static inline u_int32_t replay_bmp_len(u_int32_t replay_window)
> {
> - return this->replay_bmp * sizeof(u_int32_t);
> + return (replay_window + sizeof(u_int32_t) * 8 - 1) /
> + (sizeof(u_int32_t) * 8);
> }
>
> /**
> @@ -1195,7 +1196,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
> u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
> u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
> u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
> - u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
> + u_int32_t replay_window, u_int16_t cpi,
> + bool initiator, bool encap, bool esn, bool inbound,
> traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
> {
> netlink_buf_t request;
> @@ -1205,6 +1207,20 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
> u_int16_t icv_size = 64;
> ipsec_mode_t original_mode = mode;
> status_t status = FAILED;
> + u_int32_t replay_bmp;
> +
> + if (replay_window == UINT32_C(-1) ||
> + replay_window == this->replay_window)
> + {
> + /* default replay_window parameters */
> + replay_window = this->replay_window;
> + replay_bmp = this->replay_bmp;
> + }
> + else
> + {
> + /* sa-specific replay_window parameters */
> + replay_bmp = replay_bmp_len(replay_window);
> + }
>
> /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
> * we are in the recursive call below */
> @@ -1213,8 +1229,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
> lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
> add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
> tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
> - chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound,
> - src_ts, dst_ts);
> + chunk_empty, mode, ipcomp, replay_window, 0, initiator,
> + FALSE, FALSE, inbound, src_ts, dst_ts);
> ipcomp = IPCOMP_NONE;
> /* use transport mode ESP SA, IPComp uses tunnel mode */
> mode = MODE_TRANSPORT;
> @@ -1480,23 +1496,23 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
>
> if (protocol != IPPROTO_COMP)
> {
> - if (esn || this->replay_window > DEFAULT_REPLAY_WINDOW)
> + if (esn || replay_window > DEFAULT_REPLAY_WINDOW)
> {
> /* for ESN or larger replay windows we need the new
> * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
> struct xfrm_replay_state_esn *replay;
>
> replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
> - sizeof(*replay) + esn_bmp_len(this));
> + sizeof(*replay) + replay_bmp * sizeof(u_int32_t));
> if (!replay)
> {
> goto failed;
> }
> /* bmp_len contains number uf __u32's */
> - replay->bmp_len = this->replay_bmp;
> - replay->replay_window = this->replay_window;
> + replay->bmp_len = replay_bmp;
> + replay->replay_window = replay_window;
> DBG2(DBG_KNL, " using replay window of %u packets",
> - this->replay_window);
> + replay_window);
>
> if (esn)
> {
> @@ -1507,8 +1523,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
> else
> {
> DBG2(DBG_KNL, " using replay window of %u packets",
> - this->replay_window);
> - sa->replay_window = this->replay_window;
> + replay_window);
> + sa->replay_window = replay_window;
> }
> }
>
> @@ -1542,6 +1558,7 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
> u_int32_t spi, u_int8_t protocol,
> host_t *dst, mark_t mark,
> struct xfrm_replay_state_esn **replay_esn,
> + u_int32_t *replay_esn_len,
> struct xfrm_replay_state **replay)
> {
> netlink_buf_t request;
> @@ -1618,9 +1635,10 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
> break;
> }
> if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
> - RTA_PAYLOAD(rta) >= sizeof(**replay_esn) + esn_bmp_len(this))
> + RTA_PAYLOAD(rta) >= sizeof(**replay_esn))
> {
> *replay_esn = malloc(RTA_PAYLOAD(rta));
> + *replay_esn_len = RTA_PAYLOAD(rta);
> memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
> break;
> }
> @@ -1804,6 +1822,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
> struct xfrm_encap_tmpl* tmpl = NULL;
> struct xfrm_replay_state *replay = NULL;
> struct xfrm_replay_state_esn *replay_esn = NULL;
> + u_int32_t replay_esn_len;
> status_t status = FAILED;
>
> /* if IPComp is used, we first update the IPComp SA */
> @@ -1868,7 +1887,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
> goto failed;
> }
>
> - get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay);
> + get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay_esn_len, &replay);
>
> /* delete the old SA (without affecting the IPComp SA) */
> if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
> @@ -1936,12 +1955,12 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
> struct xfrm_replay_state_esn *state;
>
> state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
> - sizeof(*state) + esn_bmp_len(this));
> + replay_esn_len);
> if (!state)
> {
> goto failed;
> }
> - memcpy(state, replay_esn, sizeof(*state) + esn_bmp_len(this));
> + memcpy(state, replay_esn, replay_esn_len);
> }
> else if (replay)
> {
> @@ -2690,8 +2709,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
> "%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
> );
>
> - this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) /
> - (sizeof(u_int32_t) * 8);
> + this->replay_bmp = replay_bmp_len(this->replay_window);
>
> if (streq(lib->ns, "starter"))
> { /* starter has no threads, so we do not register for kernel events */
> diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
> index d82d672..9a5c385 100644
> --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
> +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
> @@ -1615,7 +1615,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
> u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
> lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
> u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
> - u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
> + u_int16_t ipcomp, u_int32_t replay_window, u_int16_t cpi,
> + bool initiator, bool encap, bool esn,
> bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
> {
> unsigned char request[PFKEY_BUFFER_SIZE];
> diff --git a/src/starter/args.c b/src/starter/args.c
> index f5a617e..0d662f4 100644
> --- a/src/starter/args.c
> +++ b/src/starter/args.c
> @@ -173,6 +173,7 @@ static const token_info_t token_info[] =
> { ARG_STR, offsetof(starter_conn_t, me_mediated_by), NULL },
> { ARG_STR, offsetof(starter_conn_t, me_peerid), NULL },
> { ARG_UINT, offsetof(starter_conn_t, reqid), NULL },
> + { ARG_UINT, offsetof(starter_conn_t, replay_window), NULL },
> { ARG_MISC, 0, NULL /* KW_MARK */ },
> { ARG_MISC, 0, NULL /* KW_MARK_IN */ },
> { ARG_MISC, 0, NULL /* KW_MARK_OUT */ },
> diff --git a/src/starter/confread.c b/src/starter/confread.c
> index 19178a2..0fac895 100644
> --- a/src/starter/confread.c
> +++ b/src/starter/confread.c
> @@ -34,6 +34,7 @@
> #define SA_REPLACEMENT_MARGIN_DEFAULT 540 /* 9 minutes */
> #define SA_REPLACEMENT_FUZZ_DEFAULT 100 /* 100% of margin */
> #define SA_REPLACEMENT_RETRIES_DEFAULT 3
> +#define SA_REPLAY_WINDOW_DEFAULT -1 /* use charon.replay_window */
>
> static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
> static const char esp_defaults[] = "aes128-sha1,3des-sha1";
> @@ -132,6 +133,7 @@ static void default_values(starter_config_t *cfg)
> cfg->conn_default.install_policy = TRUE;
> cfg->conn_default.dpd_delay = 30; /* seconds */
> cfg->conn_default.dpd_timeout = 150; /* seconds */
> + cfg->conn_default.replay_window = SA_REPLAY_WINDOW_DEFAULT;
>
> cfg->conn_default.left.seen = SEEN_NONE;
> cfg->conn_default.right.seen = SEEN_NONE;
> diff --git a/src/starter/confread.h b/src/starter/confread.h
> index d55a17e..a32f8cb 100644
> --- a/src/starter/confread.h
> +++ b/src/starter/confread.h
> @@ -162,6 +162,7 @@ struct starter_conn {
> u_int32_t reqid;
> mark_t mark_in;
> mark_t mark_out;
> + u_int32_t replay_window;
> u_int32_t tfc;
> bool install_policy;
> bool aggressive;
> diff --git a/src/starter/keywords.h b/src/starter/keywords.h
> index 705a7c1..5b6b28b 100644
> --- a/src/starter/keywords.h
> +++ b/src/starter/keywords.h
> @@ -69,6 +69,7 @@ typedef enum {
> KW_MEDIATED_BY,
> KW_ME_PEERID,
> KW_REQID,
> + KW_REPLAY_WINDOW,
> KW_MARK,
> KW_MARK_IN,
> KW_MARK_OUT,
> diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
> index ad915bf..ee0bd31 100644
> --- a/src/starter/keywords.txt
> +++ b/src/starter/keywords.txt
> @@ -69,6 +69,7 @@ mediation, KW_MEDIATION
> mediated_by, KW_MEDIATED_BY
> me_peerid, KW_ME_PEERID
> reqid, KW_REQID
> +replay_window, KW_REPLAY_WINDOW
> mark, KW_MARK
> mark_in, KW_MARK_IN
> mark_out, KW_MARK_OUT
> diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
> index fca4b1e..839e66e 100644
> --- a/src/starter/starterstroke.c
> +++ b/src/starter/starterstroke.c
> @@ -202,6 +202,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
> msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
> msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
> msg.add_conn.reqid = conn->reqid;
> + msg.add_conn.replay_window = conn->replay_window;
> msg.add_conn.mark_in.value = conn->mark_in.value;
> msg.add_conn.mark_in.mask = conn->mark_in.mask;
> msg.add_conn.mark_out.value = conn->mark_out.value;
> diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
> index 5ece724..60886cf 100644
> --- a/src/stroke/stroke_msg.h
> +++ b/src/stroke/stroke_msg.h
> @@ -304,6 +304,7 @@ struct stroke_msg_t {
> u_int32_t mask;
> } mark_in, mark_out;
> stroke_end_t me, other;
> + u_int32_t replay_window;
> } add_conn;
>
> /* data for STR_ADD_CA */
>
More information about the Dev
mailing list