From 907b9be609e1fa1832654da6335113c749cf01d1 Mon Sep 17 00:00:00 2001
From: "Angelos D. Keromytis" <angelos@cvs.openbsd.org>
Date: Mon, 10 Jan 2000 04:37:43 +0000
Subject: Only setup an expiration for embryonic SAs if
 net.inet.ip.ipsec-invalid-life >=0

---
 sys/netinet/ip_ipsp.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

(limited to 'sys/netinet/ip_ipsp.c')

diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index a7d0d82809c..04df85da61e 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_ipsp.c,v 1.66 2000/01/10 04:30:52 angelos Exp $	*/
+/*	$OpenBSD: ip_ipsp.c,v 1.67 2000/01/10 04:37:42 angelos Exp $	*/
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
@@ -500,10 +500,13 @@ reserve_spi(u_int32_t sspi, u_int32_t tspi, union sockaddr_union *src,
 	puttdb(tdbp);
 
 	/* Setup a "silent" expiration (since TDBF_INVALID's set) */
-	tdbp->tdb_flags |= TDBF_TIMER;
-	tdbp->tdb_exp_timeout = time.tv_sec + ipsec_keep_invalid;
-	tdb_expiration(tdbp, TDBEXP_EARLY | TDBEXP_TIMEOUT);
-	
+	if (ipsec_keep_invalid > 0)
+	{
+		tdbp->tdb_flags |= TDBF_TIMER;
+		tdbp->tdb_exp_timeout = time.tv_sec + ipsec_keep_invalid;
+		tdb_expiration(tdbp, TDBEXP_EARLY | TDBEXP_TIMEOUT);
+	}
+
 	return spi;
     }
 
-- 
cgit v1.2.3