> So I guess some updates could be avoided by adding some additional
> checks for changes when adding/removing tracked SAs, but I've currently
> no plans to implement that.

OK, I think I have something that works (see attached patch), but I am not sure
of the solution.
Please tell me what you think about it.

>> The problem is that there seems to be a race in FreeBSD: the SP is not really
>> updated, it is removed and then a new one is added, and unfortunately this is
>> not atomic.
>> Therefore some packets may leave using the default policy.
> 
> Hm, the whole point of doing an update instead of manually removing and
> adding policies is to avoid that.  So probably should be fixed in the
> kernel, right?

You are right; I will try to fix this ASAP.

Regards,

Emeric
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 79abe587a..92b7f0519 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2687,6 +2687,12 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
 	enumerator->destroy(enumerator);
 
+	if (current_sa && found && update)
+	{
+		if (current_sa->type == assigned_sa->type)
+			update = FALSE;
+	}
+
 	if (!update)
 	{	/* we don't update the policy if the priority is lower than that of the
 		 * currently installed one */
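Review bot: comparing only `current_sa->type == assigned_sa->type` in the new block is too weak a test to conclude that the installed policy needs no update; two SAs of the same type can still differ in what the policy references (for example mode or reqid), so forcing `update = FALSE` on that basis alone risks leaving a stale policy in the kernel. Either compare the fields that actually determine the installed policy, or add a comment stating why the type alone is sufficient here. Also, the inner `if (current_sa->type == assigned_sa->type)` is written without braces while the surrounding code (`if (!update)` followed by `{`) braces every `if`, so the new lines should follow that style. Finally, the existing comment "we don't update the policy if the priority is lower than that of the currently installed one" now describes only one of two reasons `update` can be false at that point and should be extended to mention the new same-SA-type case.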
