[IPSEC] Fix xfrm to pfkey SA state conversion
This patch adjusts the SA state conversion in af_key so that XFRM_STATE_ERROR/XFRM_STATE_DEAD are converted to SADB_SASTATE_DEAD instead of SADB_SASTATE_DYING. According to RFC 2367, SAs in SADB_SASTATE_DYING can be turned back into mature ones by updating their lifetime settings. Since SAs in the states XFRM_STATE_ERROR/XFRM_STATE_DEAD cannot be resurrected, SADB_SASTATE_DYING is unsuitable for them.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
parent
4666faab09
commit
4f09f0bbc1
1 changed files with 10 additions and 5 deletions
|
@ -656,13 +656,18 @@ static struct sk_buff * pfkey_xfrm_state2msg(struct xfrm_state *x, int add_keys,
|
||||||
sa->sadb_sa_exttype = SADB_EXT_SA;
|
sa->sadb_sa_exttype = SADB_EXT_SA;
|
||||||
sa->sadb_sa_spi = x->id.spi;
|
sa->sadb_sa_spi = x->id.spi;
|
||||||
sa->sadb_sa_replay = x->props.replay_window;
|
sa->sadb_sa_replay = x->props.replay_window;
|
||||||
sa->sadb_sa_state = SADB_SASTATE_DYING;
|
switch (x->km.state) {
|
||||||
if (x->km.state == XFRM_STATE_VALID && !x->km.dying)
|
case XFRM_STATE_VALID:
|
||||||
sa->sadb_sa_state = SADB_SASTATE_MATURE;
|
sa->sadb_sa_state = x->km.dying ?
|
||||||
else if (x->km.state == XFRM_STATE_ACQ)
|
SADB_SASTATE_DYING : SADB_SASTATE_MATURE;
|
||||||
|
break;
|
||||||
|
case XFRM_STATE_ACQ:
|
||||||
sa->sadb_sa_state = SADB_SASTATE_LARVAL;
|
sa->sadb_sa_state = SADB_SASTATE_LARVAL;
|
||||||
else if (x->km.state == XFRM_STATE_EXPIRED)
|
break;
|
||||||
|
default:
|
||||||
sa->sadb_sa_state = SADB_SASTATE_DEAD;
|
sa->sadb_sa_state = SADB_SASTATE_DEAD;
|
||||||
|
break;
|
||||||
|
}
|
||||||
sa->sadb_sa_auth = 0;
|
sa->sadb_sa_auth = 0;
|
||||||
if (x->aalg) {
|
if (x->aalg) {
|
||||||
struct xfrm_algo_desc *a = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
|
struct xfrm_algo_desc *a = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
|
||||||
|
|
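Review bot: The `default:` arm of the new switch maps every state other than XFRM_STATE_VALID and XFRM_STATE_ACQ to SADB_SASTATE_DEAD, and nothing in the code says that this is deliberate. It covers XFRM_STATE_EXPIRED (which had its own branch before) and the ERROR/DEAD states named in the description, but also any state added later. A comment on that arm would make the intent reviewable, for example `/* EXPIRED, ERROR, DEAD and any unknown state: cannot be revived, report as dead */`. Listing the three known states as explicit `case` labels ahead of `default:` would also let a reader tell deliberate mappings from the fallback, which matters because a key-management daemon acts on the state it is told. pfkey_xfrm_state2msg begins and continues outside the hunk.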