[strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection
Christophe Gouault
christophe.gouault at 6wind.com
Fri Sep 19 17:15:32 CEST 2014
From: Zheng Zhong <zhong.zheng at 6wind.com>
Do a little cleanup when deleting a connection via "ipsec update"
command:
- delete all established CHILD_SAs
- unroute the connection
- delete IKE_SAs that have no more CHILD_SAs
- delete the connection
- make sure to refuse an undesired negotiation request from the peer,
by deleting the connection before terminating it.
Signed-off-by: Zheng Zhong <zhong.zheng at 6wind.com>
Acked-by: Christophe Gouault <christophe.gouault at 6wind.com>
---
src/starter/starter.c | 8 +++++--
src/starter/starterstroke.c | 49 +++++++++++++++++++++++++++++++++++++++++++
src/starter/starterstroke.h | 2 ++
3 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 71f33ae..aa740ba 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -713,11 +713,13 @@ int main (int argc, char **argv)
{
if (starter_charon_pid())
{
+ starter_stroke_del_conn(conn);
+ starter_stroke_terminate_conn(conn);
+ starter_stroke_purge_ike();
if (conn->startup == STARTUP_ROUTE)
{
starter_stroke_unroute_conn(conn);
}
- starter_stroke_del_conn(conn);
}
conn->state = STATE_TO_ADD;
}
@@ -774,11 +776,13 @@ int main (int argc, char **argv)
{
if (starter_charon_pid())
{
+ starter_stroke_del_conn(conn);
+ starter_stroke_terminate_conn(conn);
+ starter_stroke_purge_ike();
if (conn->startup == STARTUP_ROUTE)
{
starter_stroke_unroute_conn(conn);
}
- starter_stroke_del_conn(conn);
}
}
}
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 1e305db..e1b369b 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -16,6 +16,7 @@
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
+#include <stdarg.h>
#include <credentials/auth_cfg.h>
@@ -47,6 +48,28 @@ static char* push_string(stroke_msg_t *msg, char *string)
}
}
+static char* push_format(stroke_msg_t *msg, const char *format, ...)
+{
+ unsigned long string_start = msg->length;
+ size_t room = sizeof(stroke_msg_t) - msg->length;
+ int written;
+ va_list ap;
+
+ va_start(ap, format);
+
+ written = vsnprintf((char*)msg + string_start, room, format, ap);
+
+ if (written >= room)
+ {
+ return NULL;
+ }
+ else
+ {
+ msg->length += written + 1;
+ return (char*)string_start;
+ }
+}
+
static int send_stroke_msg (stroke_msg_t *msg)
{
stream_t *stream;
@@ -280,6 +303,32 @@ int starter_stroke_initiate_conn(starter_conn_t *conn)
return send_stroke_msg(&msg);
}
+/*
+ * Terminate all established CHILD_SAs of a connection
+ */
+int starter_stroke_terminate_conn(starter_conn_t *conn)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_TERMINATE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.initiate.name = push_format(&msg, "%s{*}", connection_name(conn));
+ return send_stroke_msg(&msg);
+}
+
+/*
+ * Delete IKE_SAs without a CHILD_SA
+ */
+int starter_stroke_purge_ike(void)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_PURGE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.purge.flags = PURGE_IKE;
+ return send_stroke_msg(&msg);
+}
+
int starter_stroke_add_ca(starter_ca_t *ca)
{
stroke_msg_t msg;
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
index 1264863..4d23b97 100644
--- a/src/starter/starterstroke.h
+++ b/src/starter/starterstroke.h
@@ -23,6 +23,8 @@ int starter_stroke_del_conn(starter_conn_t *conn);
int starter_stroke_route_conn(starter_conn_t *conn);
int starter_stroke_unroute_conn(starter_conn_t *conn);
int starter_stroke_initiate_conn(starter_conn_t *conn);
+int starter_stroke_terminate_conn(starter_conn_t *conn);
+int starter_stroke_purge_ike(void);
int starter_stroke_add_ca(starter_ca_t *ca);
int starter_stroke_del_ca(starter_ca_t *ca);
int starter_stroke_configure(starter_config_t *cfg);
--
1.7.10.4
More information about the Dev
mailing list