CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2011/01/21 04:56:00
Modified files:
sbin/iked : config.c iked.c iked.conf.5 iked.h ikev1.c
ikev2.c ikev2_msg.c parse.y policy.c timer.c
types.h util.c
Log message:
Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@
