Hi Emeric,

> Actually, using the pfkey backend we can control which type of SA we can
> flush (see [3])

Yes, but not which policies [2]. If there was an external tool that also managed policies, starter flushed these policies (even if installpolicies=no was configured). And charon should properly clean up when terminating anyway, so there should be no need to flush the kernel state (if charon restarts after a crash it will now update and adopt existing policies in the kernel, so that should not result in an error anymore either). And in the rare cases where one does want to flush the SAs and policies in the kernel, setkey (or ip xfrm on Linux) may be used.

> I was thinking about restoring this flush during libcharon
> initialization/deinitialization.

Why?

Regards,
Tobias

> [1]
> https://github.com/strongswan/strongswan/commit/d8fdd1018e1654b04b614354a493026a9dad30e5
> [2]
> https://github.com/strongswan/strongswan/commit/bd24f87d35f505a94814fd93b86816d69761527e
> [3]
> https://github.com/strongswan/strongswan/commit/603e3b489bb8a448f0dbcad9406fbfb64523abe1

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
