[strongSwan-dev] Removed SA/policies flush from starter

Tobias Brunner tobias at strongswan.org
Thu Jun 30 12:51:33 CEST 2016


Hi Emeric,

> Actually, using the pfkey backend we can control which type of SA we can flush (see [3])

Yes, but not which policies [2].  If there was an external tool that
also managed policies, starter flushed these policies (even if
installpolicies=no was configured).  And charon should properly clean up
when terminating anyway so there should be no need to flush the kernel
state (if charon restarts after a crash it will now update and adopt
existing policies in the kernel, so that should not result in an error
anymore either).  And in the rare cases where one does want to flush the
SAs and policies in the kernel setkey (or ip xfrm on Linux) may be used.

> I was thinking about restoring this flush during libcharon initialization/deinitialization.

Why?

Regards,
Tobias

> [1] https://github.com/strongswan/strongswan/commit/d8fdd1018e1654b04b614354a493026a9dad30e5
> [2] https://github.com/strongswan/strongswan/commit/bd24f87d35f505a94814fd93b86816d69761527e
> [3] https://github.com/strongswan/strongswan/commit/603e3b489bb8a448f0dbcad9406fbfb64523abe1
