> -----Original Message-----
> From: Paul Wouters [mailto:p...@nohats.ca]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
>
> On Wed, 5 Jul 2017, Ilan Tayari wrote:
>
> > I figured out why pluto doesn't complain about NEWSA failure...
> >
> > This line
> > https://github.com/libreswan/libreswan/blob/master/programs/pluto/kernel_netlink.c#L474
> > quiets it because the expected response is NLMSG_NOOP.
> >
> > Do you know why this condition is so? If I remove the NOOP condition then
> > it complains properly about failure to add:
> >
> > "myconn" #2: ERROR: netlink response for Add SA esp.fc8faa72@192.168.7.1 included errno 22: Invalid argument
>
> I checked and it seems Hugh made that change in commit id cff15f8d:
>
>
> + netlink_errno = -rsp.u.e.error;
> + if (rsp.n.nlmsg_type != expected_resp_type && rsp.n.nlmsg_type ==
> NLMSG_ERROR) {
> + if (rsp.u.e.error != 0 && expected_resp_type !=
> NLMSG_NOOP) {
>
> Hugh: did you mean:
>
> if (rsp.u.e.error != 0 || expected_resp_type != NLMSG_NOOP) {
>
> Although it seems just leaving out the 2nd condition makes more sense to
> me?
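Review bot: in the inner `if`, the clause `expected_resp_type != NLMSG_NOOP` makes the test false for every request that expects NLMSG_NOOP, so an NLMSG_ERROR reply carrying a non-zero `rsp.u.e.error` to such a request never enters this branch. If that suppression is intended, it needs a comment saying why and where the failure is handled instead; otherwise test `rsp.u.e.error != 0` alone. In the outer `if`, `rsp.n.nlmsg_type != expected_resp_type` adds nothing to `rsp.n.nlmsg_type == NLMSG_ERROR` unless a caller can pass NLMSG_ERROR as the expected type.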
I see NLMSG_NOOP is used only for add/del SA (e.g. not for GET and policies).
So netlink_kernel.c would silently ignore failures of add_sa/del_sa, and only detect the failure later in get_sa?
Is this by design?

Hugh, can you explain why?

Thanks.
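Added example (not from the thread or from libreswan's source): a small C model of the three conditions discussed above, the committed `&&`, the proposed `||`, and the error-only test, run over constructed responses. The struct, enum and function names are hypothetical, `EXPECT_OTHER` is a constructed stand-in, and the message type values follow `<linux/netlink.h>`.

```c
#include <stdio.h>

/* Message type values as defined in <linux/netlink.h>. */
enum { NL_NOOP = 0x1, NL_ERROR = 0x2 };
/* Constructed stand-in for any expected response type other than NOOP. */
enum { EXPECT_OTHER = 0x10 };

/* Hypothetical reduction of the response fields the quoted hunk reads. */
struct rsp {
    int nlmsg_type;
    int error;          /* 0 in an ACK, -errno on failure */
};

enum variant { AS_COMMITTED, WITH_OR, ERROR_ONLY };

/* Returns 1 if the response would enter the error-reporting branch. */
static int reports_error(struct rsp r, int expected, enum variant v)
{
    if (r.nlmsg_type == expected || r.nlmsg_type != NL_ERROR)
        return 0;
    switch (v) {
    case AS_COMMITTED: return r.error != 0 && expected != NL_NOOP;
    case WITH_OR:      return r.error != 0 || expected != NL_NOOP;
    default:           return r.error != 0;
    }
}

int main(void)
{
    /* Constructed responses: an ACK and an EINVAL (errno 22) failure. */
    const struct rsp ack = { NL_ERROR, 0 }, einval = { NL_ERROR, -22 };
    const struct { const char *name; struct rsp r; int expected; } cases[] = {
        { "expect NOOP,  ACK   ", ack,    NL_NOOP },
        { "expect NOOP,  EINVAL", einval, NL_NOOP },
        { "expect other, ACK   ", ack,    EXPECT_OTHER },
        { "expect other, EINVAL", einval, EXPECT_OTHER },
    };
    puts("case                   &&  ||  error-only");
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%s   %d   %d   %d\n", cases[i].name,
               reports_error(cases[i].r, cases[i].expected, AS_COMMITTED),
               reports_error(cases[i].r, cases[i].expected, WITH_OR),
               reports_error(cases[i].r, cases[i].expected, ERROR_ONLY));
    return 0;
}
```

In this model the `&&` form stays silent on the EINVAL reply to a NOOP-expecting request, the `||` form flags a plain ACK when another type was expected, and the error-only test does neither.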