New commits:

commit 07925c6c44fc2af7a0b9abf18b76630b78e1ff3e
Author: Andrew Cagney <cag...@gnu.org>
Date:   Thu Feb 22 10:11:29 2024 -0500

    routing: use .routing_sa to determine connection's owner

    Replacing .{negotiating,established}_{ike,child}_sa and heuristics.

    From the comments:

    As a simple example:

    <<ipsec route>>

    - the unowned connection installs kernel trap policy and
      transitions to on-demand

    acquire

    - an IKE SA is created, the trap policy is changed to block and
      .routing_sa is set to the IKE SA; IKE_SA_INIT is initiated

    IKE_SA_INIT response

    - since the IKE SA owns the connection, a failed response
      deleting the IKE SA will trigger revival

    - the Child SA is created and .routing_sa is set to that;
      IKE_AUTH is initiated

    IKE_AUTH response

    - since the Child SA owns the connection, a failed response
      (either IKE or Child) triggers revival

    - the Child SA installs the IPsec state/policy

    Child SA deleted (or IKE deleting all children)

    - since the Child SA owns the connection, it being deleted
      triggers revival

    note that this doesn't handle true crossing-streams as that
    requires higher order logic.

commit 59fe05aed0c6139356ca4a0fd47e33d5ae61b836
Author: Andrew Cagney <cag...@gnu.org>
Date:   Sun Feb 18 11:58:55 2024 -0500

    testing: expect the Child SA to revive during IKE_AUTH

_______________________________________________
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit