authorMike Belopuhov <mikeb@cvs.openbsd.org>2011-01-26 16:59:25 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2011-01-26 16:59:25 +0000
commit25a989a96a2690f4420caa3a87206cd093207499 (patch)
tree096773da6e87033c3229bb05b92c2ae4610521de /sbin/iked/iked.h
parent8209b1916479af05e249e45f22b0525e2ee12cc2 (diff)
get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk). instead use require mode feature to send acquires from the kernel. this allows us to get rid of the code that changes flow mode to acquire and keep all installed flows in the tree and save up on some code that deals with renegotiation. also several entities were renamed (iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas, ikev2_acquire -> ikev2_acquire_sa). ok reyk
Diffstat (limited to 'sbin/iked/iked.h')
-rw-r--r--sbin/iked/iked.h23
1 files changed, 11 insertions, 12 deletions
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 0078045943e..d043e7097b5 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.33 2011/01/21 17:01:33 reyk Exp $ */
+/* $OpenBSD: iked.h,v 1.34 2011/01/26 16:59:23 mikeb Exp $ */
/* $vantronix: iked.h,v 1.61 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -130,7 +130,6 @@ struct iked_flow {
u_int flow_dir; /* in/out */
u_int flow_loaded; /* pfkey done */
- u_int flow_acquire;
u_int8_t flow_saproto;
u_int8_t flow_ipproto;
@@ -142,10 +141,10 @@ struct iked_flow {
struct iked_addr *flow_peer; /* outer dest */
struct iked_sa *flow_ikesa; /* parent SA */
- RB_ENTRY(iked_flow) flow_acq_entry;
+ RB_ENTRY(iked_flow) flow_node;
TAILQ_ENTRY(iked_flow) flow_entry;
};
-RB_HEAD(iked_acqflows, iked_flow);
+RB_HEAD(iked_activeflows, iked_flow);
TAILQ_HEAD(iked_flows, iked_flow);
struct iked_childsa {
@@ -175,10 +174,10 @@ struct iked_childsa {
struct iked_childsa *csa_peersa; /* peer */
- RB_ENTRY(iked_childsa) csa_ipsec_entry;
+ RB_ENTRY(iked_childsa) csa_node;
TAILQ_ENTRY(iked_childsa) csa_entry;
};
-RB_HEAD(iked_ipsecsas, iked_childsa);
+RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);
@@ -460,8 +459,8 @@ struct iked {
struct iked_policy *sc_defaultcon;
struct iked_sas sc_sas;
- struct iked_ipsecsas sc_ipsecsas;
- struct iked_acqflows sc_acqflows;
+ struct iked_activesas sc_activesas;
+ struct iked_activeflows sc_activeflows;
struct iked_users sc_users;
void *sc_priv; /* per-process */
@@ -580,8 +579,8 @@ struct iked_user *
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_sapeers, iked_sa, sa_peer_entry, sa_peer_cmp);
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
-RB_PROTOTYPE(iked_ipsecsas, iked_childsa, csa_ipsec_entry, childsa_cmp);
-RB_PROTOTYPE(iked_acqflows, iked_flow, flow_acq_entry, acquire_flow_cmp);
+RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
+RB_PROTOTYPE(iked_activeflows, iked_flow, flow_node, flow_cmp);
/* crypto.c */
struct iked_hash *
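Review bot: The new `RB_PROTOTYPE(iked_activeflows, iked_flow, flow_node, flow_cmp)` makes flow_cmp the sole arbiter of which installed flows can coexist in sc_activeflows, and nothing in the header records what that comparator must cover. RB_INSERT from sys/tree.h does not insert on a comparator tie but hands back the node already present, so if flow_cmp (defined outside this file, so this is inferred) orders on fewer fields than actually distinguish two flows, say it skips flow_dir, flow_saproto or the peer address, a second policy's flow would be silently left out of the tree and never loaded, and a lookup during acquire could match the wrong flow; the same applies to childsa_cmp on iked_activesas, where SPI alone is not unique across protocols and directions. A one-line contract next to these prototypes would make that explicit, e.g. `/* flow_cmp/childsa_cmp must order on every field that makes an entry unique; RB_INSERT drops ties */`. The prototype group continues outside the hunk.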
@@ -640,7 +639,7 @@ int ikev2_policy2id(struct iked_static_id *, struct iked_id *, int);
int ikev2_childsa_enable(struct iked *, struct iked_sa *);
int ikev2_childsa_delete(struct iked *, struct iked_sa *,
u_int8_t, u_int64_t, u_int64_t *, int);
-int ikev2_flows_delete(struct iked *, struct iked_sa *, u_int8_t, int);
+int ikev2_flows_delete(struct iked *, struct iked_sa *, u_int8_t);
struct ibuf *
ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *,
@@ -658,7 +657,7 @@ struct ikev2_payload *
ikev2_add_payload(struct ibuf *);
int ikev2_next_payload(struct ikev2_payload *, size_t,
u_int8_t);
-void ikev2_acquire(struct iked *, struct iked_flow *);
+void ikev2_acquire_sa(struct iked *, struct iked_flow *);
void ikev2_disable_rekeying(struct iked *, struct iked_sa *);
void ikev2_rekey_sa(struct iked *, struct iked_spi *);
void ikev2_drop_sa(struct iked *, struct iked_spi *);