[strongSwan-dev] SP update during CHILD SA rekeying
emeric.poupon at stormshield.eu
Tue May 15 15:00:59 CEST 2018
> So I guess some updates could be avoided by adding some additional
> checks for changes when adding/removing tracked SAs, but I've currently
> no plans to implement that.
OK, I think I have something that works (see attached patch), but I am not sure of the solution.
Please tell me what you think about it.
>> The problem is that there seems to be a race in FreeBSD: the SP is not really
>> updated, it is removed and then a new one is added, and unfortunately this is
>> not atomic.
>> Therefore some packets may leave using the default policy.
> Hm, the whole point of doing an update instead of manually removing and
> adding policies is to avoid that. So probably should be fixed in the
> kernel, right?
You are right, I will try to fix this asap.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 703 bytes
Desc: not available