path: root/sbin/iked/timer.c
author: Reyk Floeter <reyk@cvs.openbsd.org> 2011-01-21 11:56:01 +0000
committer: Reyk Floeter <reyk@cvs.openbsd.org> 2011-01-21 11:56:01 +0000
commit: 0c224264518ffe4517c186f18737709d085e31de
tree: 39010e8c7a5d10590f52dc4cc44c972e395a4e52 /sbin/iked/timer.c
parent: 1e6e892a126e00e30de570cf18cc56613f27bd85
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@
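The commit message describes the evaluation model this change moves iked(8) to: policies are walked in configuration order, the last matching policy wins, a matching policy marked "quick" ends the walk immediately, and PF-style skip steps let the walk jump over runs of policies that cannot match on a field the current one already failed. The following is an added, self-contained illustration of exactly that model on a constructed five-policy rule set; it is not iked's policy.c or PF's code, and the policy fields (protocol and an IPv4 peer prefix), the policy names and the skip-step computation are simplifications chosen for the example. The "skip" keyword is deliberately not modelled, since its semantics are not described here.

```c
/* Added illustration (not iked's or PF's code): last-matching policy
 * evaluation with "quick" and skip steps over a constructed rule set. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum field { F_PROTO = 0, F_PEER, F_MAX };

struct policy {
	const char	*name;
	int		 proto;		/* IP protocol, 0 = any */
	uint32_t	 peer_net;	/* IPv4 network, host byte order */
	uint32_t	 peer_mask;	/* netmask, 0 = any */
	int		 quick;		/* stop at this policy if it matches */
	size_t		 skip[F_MAX];	/* next policy whose value in field differs */
};

/* Constructed sample rule set, in configuration order. */
static struct policy pols[] = {
	{ "catchall",      0, 0,          0,          0 },
	{ "tcp-any",       6, 0,          0,          0 },
	{ "tcp-10-quick",  6, 0x0A000000, 0xFF000000, 1 },
	{ "tcp-10-1",      6, 0x0A010000, 0xFFFF0000, 0 },
	{ "udp-10",       17, 0x0A000000, 0xFF000000, 0 },
};
static const size_t npols = sizeof(pols) / sizeof(pols[0]);

static int
same_value(const struct policy *a, const struct policy *b, enum field f)
{
	switch (f) {
	case F_PROTO: return a->proto == b->proto;
	case F_PEER:  return a->peer_net == b->peer_net &&
			     a->peer_mask == b->peer_mask;
	default:      return 0;
	}
}

/* Skip steps: policy i's skip[f] is the first later policy whose value in
 * field f differs from policy i's. If field f of policy i does not match,
 * none of the policies in between can match on f either, so the evaluator
 * jumps straight past them. One backwards pass per field is enough. */
static void
calc_skip_steps(struct policy *p, size_t n)
{
	size_t i;
	int f;

	for (f = 0; f < F_MAX; f++) {
		for (i = n; i-- > 0; ) {
			if (i + 1 < n && same_value(&p[i], &p[i + 1], (enum field)f))
				p[i].skip[f] = p[i + 1].skip[f];
			else
				p[i].skip[f] = i + 1;
		}
	}
}

/* Last matching policy wins unless a matching policy is marked "quick".
 * Returns the winning index or -1; *visited counts the policies actually
 * examined, which shows what the skip steps save. */
static int
policy_lookup(const struct policy *p, size_t n, int proto, uint32_t peer,
    size_t *visited)
{
	size_t i = 0, seen = 0;
	int match = -1;

	while (i < n) {
		seen++;
		if (p[i].proto != 0 && p[i].proto != proto) {
			i = p[i].skip[F_PROTO];	/* jump over same-proto run */
			continue;
		}
		if (p[i].peer_mask != 0 &&
		    (peer & p[i].peer_mask) != p[i].peer_net) {
			i = p[i].skip[F_PEER];	/* jump over same-prefix run */
			continue;
		}
		match = (int)i;
		if (p[i].quick)
			break;		/* "quick": first match wins */
		i++;			/* otherwise keep looking for a later match */
	}
	if (visited != NULL)
		*visited = seen;
	return match;
}

/* Evaluate against the sample set; skip steps are computed on first use. */
int
demo_lookup(int proto, uint32_t peer)
{
	static int ready;

	if (!ready) {
		calc_skip_steps(pols, npols);
		ready = 1;
	}
	return policy_lookup(pols, npols, proto, peer, NULL);
}

/* Number of policies examined for a lookup against the sample set. */
size_t
demo_visited(int proto, uint32_t peer)
{
	size_t seen;

	(void)demo_lookup(proto, peer);		/* ensures skip steps exist */
	(void)policy_lookup(pols, npols, proto, peer, &seen);
	return seen;
}

int
main(void)
{
	int idx = demo_lookup(17, 0x0A090909);	/* UDP from 10.9.9.9 */

	printf("udp from 10.9.9.9 -> %s (%zu of %zu policies examined)\n",
	    idx < 0 ? "none" : pols[idx].name, demo_visited(17, 0x0A090909),
	    npols);
	return 0;
}
```

For TCP from 10.1.2.3 the walk matches "catchall", "tcp-any" and then "tcp-10-quick", where "quick" ends the evaluation even though the later "tcp-10-1" would also match; for TCP from 192.168.1.1 the last match is "tcp-any". For UDP from 10.9.9.9 the protocol mismatch at "tcp-any" skips the whole TCP run in one step, so only three of five policies are examined, which is the effect the commit message reports scaling to thousands of policies.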
Diffstat (limited to 'sbin/iked/timer.c')

 -rw-r--r--  sbin/iked/timer.c | 6

1 file changed, 3 insertions, 3 deletions
diff --git a/sbin/iked/timer.c b/sbin/iked/timer.c
index 2664ed41251..d2b1bb084cc 100644
--- a/sbin/iked/timer.c
+++ b/sbin/iked/timer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: timer.c,v 1.2 2010/06/14 08:10:32 reyk Exp $ */
+/* $OpenBSD: timer.c,v 1.3 2011/01/21 11:56:00 reyk Exp $ */
/*
* Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net>
@@ -91,10 +91,10 @@ timer_initiator_cb(int fd, short event, void *arg)
gettimeofday(&tmr->tmr_last, NULL);
- RB_FOREACH(pol, iked_policies, &env->sc_policies) {
+ TAILQ_FOREACH(pol, &env->sc_policies, pol_entry) {
if ((pol->pol_flags & IKED_POLICY_ACTIVE) == 0)
continue;
- if (sa_peer_lookup(pol, &pol->pol_peer) != NULL) {
+ if (sa_peer_lookup(pol, &pol->pol_peer.addr) != NULL) {
log_debug("%s: \"%s\" is already active",
__func__, pol->pol_name);
continue;
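Review bot: the changed call `sa_peer_lookup(pol, &pol->pol_peer.addr)` passes a different argument type than before (the `addr` member of `pol_peer` rather than `pol_peer` itself), so `sa_peer_lookup`'s signature and every other caller must be updated in the same commit or this will not compile; this diffstat is limited to timer.c, so that consistency cannot be confirmed from this page and should be checked in the full commit. The switch from `RB_FOREACH(pol, iked_policies, &env->sc_policies)` to `TAILQ_FOREACH(pol, &env->sc_policies, pol_entry)` matches the commit message's move from an rbtree to an ordered list; the practical consequence for this timer is that active policies are now visited in configuration order rather than tree key order, which changes which policy is initiated first but not which ones are initiated. The existing guards (skipping policies without `IKED_POLICY_ACTIVE` and peers that already have an SA, with the "is already active" debug log) are retained unchanged.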