Currently racoon does not remove orphaned ph1s initiated
by a remote side. This creates a lot of problems, as
such ph1s may get stuck nearly forever. With this patch
they will eventually be removed.
Index: src/racoon/handler.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v
retrieving revision 1.19
diff -u -r1.19 handler.c
--- src/racoon/handler.c 6 Mar 2008 00:34:11 -0000 1.19
+++ src/racoon/handler.c 11 Aug 2008 22:56:21 -0000
@@ -266,6 +266,9 @@
iph1->status = PHASE1ST_SPAWN;
+ /* save created date. */
+ (void)time(&iph1->created);
+
#ifdef ENABLE_DPD
iph1->dpd_support = 0;
iph1->dpd_lastack = 0;
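Review bot: The spawn timestamp written by the added `(void)time(&iph1->created);` comes from the wall clock, so a forward step of the system clock (an NTP correction, for example) would make cleanorphanedph1() tear down every responder-side negotiation in progress at once, while a backward step keeps orphans alive past the intended limit. If the rest of racoon's timers already run on time() this is merely consistent with them and only needs a comment; otherwise a monotonic source would be preferable here, but that is not visible from the hunk. I would also widen the comment to `/* save spawn time; overwritten with the establish time later, read by cleanorphanedph1() */` so the dual use of `created` is documented where it is first written. The enclosing function starts before this hunk.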
@@ -423,6 +426,44 @@
}
}
+/*
+ * Clean orphaned ph1
+ */
+void
+cleanorphanedph1()
+{
+ struct ph1handle *p, *next;
+ time_t t;
+
+ (void)time(&t);
+
+ for (p = LIST_FIRST(&ph1tree); p; p = next) {
+ next = LIST_NEXT(p, chain);
+
+ /* Ignore ph1 in ESTABLISHED state - not orphaned */
+ if (p->status == PHASE1ST_ESTABLISHED)
+ continue;
+
+ /* Check only ph1 initiated by a remote side */
+ if (p->side == INITIATOR)
+ continue;
+
+ /* Is it orphaned or not yet? */
+ if (p->created + PHASE1_ORPHANED_TIMEOUT > t)
+ continue;
+
+ plog(LLV_ERROR, LOCATION, NULL,
+ "phase1 negotiation failed due to time up. %s\n",
+ isakmp_pindex(&p->index, p->msgid));
+
+ EVT_PUSH(p->local, p->remote,
+ EVTT_PEER_NO_RESPONSE, NULL);
+
+ remph1(p);
+ delph1(p);
+ }
+}
+
void
initph1tree()
{
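Review bot: The status test `if (p->status == PHASE1ST_ESTABLISHED)` exempts only established handles, so a responder-side handle in PHASE1ST_EXPIRED (defined next to PHASE1ST_MAX in handler.h) falls through to the age check; because `created` is reset to the establish time and the SA expires much later, such a handle would be deleted on the first sweep and logged as a failed negotiation. If PHASE1ST_EXPIRED marks a formerly established SA that is deliberately kept around, the guard should read `if (p->status >= PHASE1ST_ESTABLISHED)` or add an explicit `|| p->status == PHASE1ST_EXPIRED`, and the comment `/* Ignore ph1 in ESTABLISHED state - not orphaned */` should name that case too; I cannot tell from the hunk alone which is intended. Separately, the sweep bounds the lifetime of half-open responder handles but not their number, so a peer flooding phase 1 first messages can still hold an unbounded set of handles for PHASE1_ORPHANED_TIMEOUT seconds; a cap on non-established responder handles, global or per peer address, would bound memory as well.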
Index: src/racoon/handler.h
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
retrieving revision 1.14
diff -u -r1.14 handler.h
--- src/racoon/handler.h 14 Jul 2008 05:45:15 -0000 1.14
+++ src/racoon/handler.h 11 Aug 2008 22:56:21 -0000
@@ -97,6 +97,8 @@
#define PHASE1ST_EXPIRED 10
#define PHASE1ST_MAX 11
+#define PHASE1_ORPHANED_TIMEOUT (3*60)
+
/* About address semantics in each case.
* initiator(addr=I) responder(addr=R)
* src dst src dst
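Review bot: `#define PHASE1_ORPHANED_TIMEOUT (3*60)` carries no comment on what it bounds or why 180 s was chosen, and it is not tied to the retransmission settings that decide how long a legitimate responder-side negotiation may take; if racoon's retry count and retry interval are configurable, a long-retry configuration could have its negotiations cut off by this fixed value (the retry settings are not in this diff, so this is inferred). I would add `/* seconds a responder-side phase 1 may stay un-established before cleanorphanedph1() drops it; keep above the peer's total retransmit window */` and consider exposing it as a configuration option later.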
@@ -190,7 +192,7 @@
struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */
- time_t created; /* timestamp for establish */
+ time_t created; /* timestamp: first for spawn then for establish */
int initial_contact_received; /* set if initial contact received */
#ifdef ENABLE_STATS
struct timeval start;
@@ -449,6 +451,7 @@
extern int insph1 __P((struct ph1handle *));
extern void remph1 __P((struct ph1handle *));
extern void flushph1 __P((void));
+extern void cleanorphanedph1 __P((void));
extern void initph1tree __P((void));
extern struct ph2handle *getph2byspidx __P((struct policyindex *));
Index: src/racoon/session.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/session.c,v
retrieving revision 1.15
diff -u -r1.15 session.c
--- src/racoon/session.c 6 Aug 2008 19:14:28 -0000 1.15
+++ src/racoon/session.c 11 Aug 2008 22:56:22 -0000
@@ -236,6 +236,8 @@
else
initfds();
}
+
+ cleanorphanedph1();
}
}
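Review bot: `cleanorphanedph1();` runs on every iteration of the main loop, so every received datagram or timer wakeup pays a full walk of ph1tree; under exactly the flood that fills the tree with half-open responder handles this becomes O(n) work per packet. The walk only needs to run on the order of the orphan timeout, so either guard it here with `static time_t last_sweep; time_t now; (void)time(&now);` and `if (now - last_sweep >= PHASE1_ORPHANED_TIMEOUT / 2) { last_sweep = now; cleanorphanedph1(); }`, or register it as a periodic entry with racoon's scheduler if that is what the other housekeeping uses (not visible in this hunk). The enclosing loop starts outside this hunk.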