If a transport mode wildcard policy is installed, separate per child-sa policies with expanded dynamic entries are not needed. This has great performance benefits, as policy database modification is a heavy operation and lookups in a policy database with a lot of entries are slow. Additionally, less memory is used.
Signed-off-by: Timo Teräs <[email protected]> --- Alternative would be to instead make the child-sa install the original configuration specified policy, and thus the reference counting mechanism in policy manager would avoid duplicates. However, in case it makes sense to install per instance policies if trap policy is not desired. src/libcharon/sa/child_sa.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index a96ab4e..4cd1e60 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -135,6 +135,11 @@ struct private_child_sa_t { bool trap; /** + * TRUE if this CHILD_SA should get routed + */ + bool install_policy; + + /** * Specifies if UDP encapsulation is enabled (NAT traversal) */ bool encap; @@ -812,7 +817,20 @@ METHOD(child_sa_t, add_policies, status_t, } enumerator->destroy(enumerator); - if (this->config->install_policy(this->config)) + /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD + * entry) we install a trap policy */ + this->trap = this->state == CHILD_CREATED; + + /* install policy if so requested in config. with the exception + * that transport mode wildcard SAs do not need policy if a trap + * policy exists. */ + this->install_policy = + this->config->install_policy(this->config) && + (this->trap || + this->mode != MODE_TRANSPORT || + this->config->get_start_action(this->config) != ACTION_ROUTE); + + if (this->install_policy) { policy_priority_t priority; ipsec_sa_cfg_t my_sa = { @@ -841,9 +859,6 @@ METHOD(child_sa_t, add_policies, status_t, other_sa.ah.spi = this->other_spi; } - /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD - * entry) we install a trap policy */ - this->trap = this->state == CHILD_CREATED; priority = this->trap ? POLICY_PRIORITY_ROUTED : POLICY_PRIORITY_DEFAULT; 
@@ -955,7 +970,7 @@ METHOD(child_sa_t, update, status_t, } } - if (this->config->install_policy(this->config) && require_policy_update()) + if (this->install_policy && require_policy_update()) { ipsec_sa_cfg_t my_sa = { .mode = this->mode, @@ -1087,7 +1102,7 @@ METHOD(child_sa_t, destroy, void, this->mark_out); } - if (this->config->install_policy(this->config)) + if (this->install_policy) { /* delete all policies in the kernel */ enumerator = create_policy_enumerator(this); -- 2.1.0 _______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
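Review bot: the doc comment on the new `install_policy` field in the `private_child_sa_t` hunk reads "TRUE if this CHILD_SA should get routed", which describes the existing `trap` flag rather than this one; the field actually records whether kernel policies are installed for this CHILD_SA (the config's `install_policy` combined with the transport-mode exception computed in `add_policies`). Suggest rewording it to something like `TRUE if policies are installed in the kernel for this CHILD_SA`.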
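Review bot: in the `add_policies` hunk the exception is keyed only on `this->mode != MODE_TRANSPORT` and `get_start_action(this->config) != ACTION_ROUTE`, so it assumes that a trap policy covering this CHILD_SA is present in the kernel whenever a transport-mode config has start action `route`; nothing in the hunk verifies that the trap was actually installed (or is still installed) when the SA is set up, and the "wildcard" property named in the commit message is not checked either, so a transport-mode config with start action `route` whose trap is absent would get an SA with no matching policy. Suggest either confirming the trap exists before skipping policy installation, or at least stating this precondition in the comment above the assignment (`/* install policy if so requested in config. with the exception ...`). Also, `this->trap = this->state == CHILD_CREATED;` is now assigned before the `if (this->install_policy)` block rather than inside it, so any other reader of `trap` should be checked for the case where no policy was installed.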
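Review bot: the `update` and `destroy` hunks replace the config lookup with `this->install_policy`, which is only ever assigned inside `add_policies`; for `destroy` to correctly skip the policy deletion on a CHILD_SA where `add_policies` never ran, the flag must already be FALSE, which relies on the struct being zero-initialised in the constructor (not part of this diff). Suggest initialising `install_policy` explicitly where the object is created, or noting the dependency in the field's comment.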
