New commits: commit e9895349ac2c985930e59ab8c10dab148fe824ae Author: Paul Wouters <pwout...@redhat.com> Date: Sat Apr 11 19:43:14 2015 -0400
pluto: don't use an expired reserved kernel SPI as fallback [Herbert Xu] When IKE negotiation from kernel SA SPI reservation would exceeded the default /proc/sys/net/core/xfrm_acq_expires timer of 30 seconds, the kernel would return an error when we update the SA. A workaround was added to change the "update SA" into an "add SA", but this is wrong, as it will use a SPI that is no longer guaranteed to be unique by the kernel. This workaround was in commit 70566d650 Instead, return the failure, but log a message indicated what happened with a hint that the system could increase the timer in /proc/sys/net/core/xfrm_acq_expires _______________________________________________ Swan-commit mailing list Swan-commit@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-commit