[strongSwan-dev] Removed SA/policies flush from starter

Emeric POUPON emeric.poupon at stormshield.eu
Thu Jun 30 17:30:49 CEST 2016

>> We could imagine an option (disabled by default) to enable this flush during
>> startup?
> Sure, if you think it's worthwhile.  On FreeBSD you could actually use
> charon.start-scripts to implement this:
>  charon {
>    start-scripts {
>      flush-policies = setkey -FP
>      flush-sas = setkey -F
>    }
>  }
> This doesn't work on Linux as the scripts run after the plugins have
> been initialized so `ip xfrm` would flush the bypass policies set on the
> UDP sockets used by the daemon.  On FreeBSD PF_KEY apparently can't
> manage socket specific policies.  One problem could be, though, that
> starter might send the connections before the scripts are executed
> (starter waits for the PID file to appear, which happens even before the
> plugins are loaded), so there is a potential race if you use trap
> policies.  But you could switch to swanctl and run the command to load
> the connections after the ones above.

Thanks for the suggestion: that does the job!
To make sure the race does not occur, I just switched the run_scripts before the engine start.
I created a 'sleep 10' job to test, charon does receive everything just after.

Wouldn't it be safer to commit this by the way?

Thanks again for your support,


diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index cef8b89..56d4d13 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -746,12 +746,12 @@ static void run_scripts(private_daemon_t *this, char *verb)
 METHOD(daemon_t, start, void,
           private_daemon_t *this)
+       run_scripts(this, "start");
        /* start the engine, go multithreaded */
                                                lib->settings->get_int(lib->settings, "%s.threads",
                                                                                           DEFAULT_THREADS, lib->ns));
-       run_scripts(this, "start");

More information about the Dev mailing list