Hello,

We have an extension in the FreeBSD kernel that allows the replay window to
be quite big (up to several MB).
Since the replay window is not used on outbound SAs, I think we could set it
only on inbound SAs in order to save memory.

What do you think?

Please find attached a simple patch proposal applied to 5.3.2.

Emeric


diff --git src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index a0be570..fd2abd5 100644
--- src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1694,13 +1694,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	}
 	else
 	{
-		/* Linux interprets sadb_sa_replay as number of packets/bits in the
-		 * replay window, whereas on BSD it's the size of the window in bytes */
+		/* No need to make the kernel allocate a useless replay window on outbound SA */
+		if (inbound)
+		{
+			/* Linux interprets sadb_sa_replay as number of packets/bits in the
+			 * replay window, whereas on BSD it's the size of the window in bytes */
 #ifdef __linux__
-		sa->sadb_sa_replay = min(replay_window, 32);
+			sa->sadb_sa_replay = min(replay_window, 32);
 #else
-		sa->sadb_sa_replay = (replay_window + 7) / 8;
+			sa->sadb_sa_replay = (replay_window + 7) / 8;
 #endif
+		}
 		sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg);
 		sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg);
 	}
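Review bot: with the new `if (inbound)` guard, sadb_sa_replay is never assigned for outbound SAs, so the hunk relies on `sa` having been zero-initialised somewhere outside this hunk; if it is not, the kernel receives whatever was in that field. An explicit `else { sa->sadb_sa_replay = 0; }` would make the intent self-evident and independent of earlier initialisation. The guard also encloses the `#ifdef __linux__` branch, so it changes Linux behaviour too, while the motivation given in the mail is the memory cost of large windows in the FreeBSD kernel; either confine the condition to the BSD branch or extend the comment to say that an outbound SA intentionally gets no replay window on both platforms. Minor style point: the added comment "No need to make the kernel allocate a useless replay window on outbound SA" exceeds 80 columns with the two leading tabs; wrapping it like the comment just below it would match the surrounding style.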
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev