If a transport-mode wildcard policy is installed, separate per-CHILD_SA policies with expanded dynamic entries are not needed. This has great performance benefits, as policy database modification is a heavy operation and lookups in a policy database with many entries are slow. Additionally, less memory is used.
Signed-off-by: Timo Teräs <[email protected]>
---
 src/libcharon/sa/child_sa.c | 49 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 43 insertions(+), 6 deletions(-)
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index e0db2e6..6a4c7a8 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -16,6 +16,28 @@
 * for more details.
 */
+/*
+ * Copyright (C) 2014 Timo Teräs <[email protected]>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #define _GNU_SOURCE
 #include "child_sa.h"
@@ -147,6 +169,11 @@ struct private_child_sa_t {
 bool trap;
 /**
+ * TRUE if this CHILD_SA should get routed
+ */
+ bool install_policy;
+
+ /**
 * Specifies if UDP encapsulation is enabled (NAT traversal)
 */
 bool encap;
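Review bot: The comment on the new `install_policy` field in the `private_child_sa_t` hunk does not describe what the field holds: routing is what the existing `trap` flag records, whereas this field records whether kernel policies are installed for this CHILD_SA, and it is the value that `update()` and `destroy()` consult to decide whether policies must be maintained and removed. Suggest `/** TRUE if add_policies() installed kernel policies for this CHILD_SA; consulted by update() and destroy() */`. The same comment should state that the flag is assigned only in add_policies(), so for a CHILD_SA destroyed before add_policies() ran it presumably reads FALSE only because the struct is zero-initialized. The struct definition starts before this hunk.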
@@ -856,7 +883,20 @@ METHOD(child_sa_t, add_policies, status_t,
 enumerator->destroy(enumerator);
 array_sort(this->other_ts, (void*)traffic_selector_cmp, NULL);
- if (this->config->install_policy(this->config))
+ /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
+ * entry) we install a trap policy */
+ this->trap = this->state == CHILD_CREATED;
+
+ /* install policy if so requested in config. with the exception
+ * that transport mode wildcard SAs do not need policy if a trap
+ * policy exists. */
+ this->install_policy =
+ this->config->install_policy(this->config) &&
+ (this->trap ||
+ this->mode != MODE_TRANSPORT ||
+ this->config->get_start_action(this->config) != ACTION_ROUTE);
+
+ if (this->install_policy)
 {
 policy_priority_t priority;
 ipsec_sa_cfg_t my_sa = {
@@ -885,9 +925,6 @@ METHOD(child_sa_t, add_policies, status_t,
 other_sa.ah.spi = this->other_spi;
 }
- /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
- * entry) we install a trap policy */
- this->trap = this->state == CHILD_CREATED;
 priority = this->trap ? POLICY_PRIORITY_ROUTED : POLICY_PRIORITY_DEFAULT;
@@ -999,7 +1036,7 @@ METHOD(child_sa_t, update, status_t,
 }
 }
- if (this->config->install_policy(this->config) && require_policy_update())
+ if (this->install_policy && require_policy_update())
 {
 ipsec_sa_cfg_t my_sa = {
 .mode = this->mode,
@@ -1115,7 +1152,7 @@ METHOD(child_sa_t, destroy, void,
 set_state(this, CHILD_DESTROYING);
- if (this->config->install_policy(this->config))
+ if (this->install_policy)
 {
 /* delete all policies in the kernel */
 enumerator = create_policy_enumerator(this);
--
2.3.6
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
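Review bot: In the first add_policies hunk, `get_start_action(this->config) != ACTION_ROUTE` is used as the proxy for "a wildcard trap policy exists", but nothing in the new condition checks that such a policy is actually installed or that it covers this SA, so a transport-mode CHILD_SA is established with no kernel policy of its own and its protection rests entirely on a policy owned by a different, routed CHILD_SA. If that trap policy is narrower than the negotiated selectors, failed to install, or (presumably, reqid handling is not visible here) references a different reqid than this SA, traffic either never selects the SA or, with no matching policy at all, may leave in cleartext depending on the kernel's default. At minimum the condition deserves a comment stating the assumption, e.g. `/* relies on the routed CHILD_SA's wildcard trap policy (same reqid) staying installed for the lifetime of this SA */`, and the skip would be safer restricted to configs whose traffic selectors are genuinely wildcard rather than to any transport-mode config with start_action=route. The METHOD body continues outside the hunk.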
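Review bot: In the destroy hunk, an established transport-mode CHILD_SA whose `install_policy` is FALSE now deletes nothing, which is consistent, but the inverse ordering is left unhandled: when the routed CHILD_SA that owns the wildcard trap policy is destroyed first (e.g. unrouted) while established SAs that depend on it are still up, those SAs continue without any policy and nothing reinstalls one, since their `install_policy` flag was fixed once in add_policies(). Whether an unroute-while-up sequence can reach this code is not visible in the hunk, so this is hedged, but it is a security-relevant coupling between two CHILD_SA objects and deserves either a guard that dependent SAs have been torn down or at least a comment on the `if (this->install_policy)` line: `/* transport-mode SAs that share the routed wildcard policy own no policy; removing the trap policy leaves them unprotected */`. The destroy method continues before and after the hunk.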
