From: <ma...@ne...> - 2006-11-29 17:57:28
Darrel Goeddel <dgo...@tr...> wrote:
> Can you point me to that patch please? A pointer to the NetBSD code may
> be helpful as well.

Look for IPSEC_NAT_T in the source tree:

src/sys/netinet/udp_usrreq.c:udp4_realinput()
-> This is the IPv4 UDP input function. Here we check if the socket was
   set with ESP over UDP. If it was, then we call udp4_espinudp()

src/sys/netinet/udp_usrreq.c:udp4_espinudp()
-> Ignore NAT-T keepalives
-> If it does not have the non-IKE marker, go back to normal UDP processing
-> Get the port information and attach it to the mbuf chain with a tag
-> Remove the UDP header from the packet
-> Call esp4_input()

src/sys/netinet6/esp_input.c:esp4_input()
-> This is the IPv4 ESP input function. Here we retrieve the ports from
   the mbuf tag, and we use them for looking up the SA.

You can look for the output path in src/sys/netinet6/esp_output.c, but
it's much more simple. The ugly stuff happens when we have to look up
the SA.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
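The demultiplexing steps the mail lists for udp4_espinudp() and esp4_input(), modelled in user-space Python as an added example. This is not NetBSD code and not from the mail; it assumes the RFC 3948 framing on UDP port 4500 (one-byte 0xFF keepalive, four-zero-byte non-ESP marker in front of IKE, raw ESP otherwise) plus the legacy eight-zero-byte non-IKE marker the mail refers to, and it replaces the mbuf tag with a plain dict carried alongside the ESP bytes. All datagrams and SA entries are constructed for the example.

```python
import struct

UDP_HDR_LEN = 8
ESP_HDR_LEN = 8                       # SPI (4 bytes) + sequence number (4 bytes)
NAT_T_KEEPALIVE = b"\xff"            # RFC 3948 keepalive payload
NON_ESP_MARKER = b"\x00" * 4          # RFC 3948: IKE carried on port 4500
NON_IKE_MARKER = b"\x00" * 8          # legacy draft marker in front of ESP


def build_udp(sport, dport, payload):
    """Constructed UDP datagram (zero checksum, acceptable over IPv4)."""
    return struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload


def espinudp(datagram):
    """Model of the udp4_espinudp() decision described in the mail.

    Returns (verdict, info):
      'eat'  - NAT-T keepalive, consumed silently
      'udp'  - not ESP (IKE), hand back to normal UDP delivery
      'esp'  - UDP header (and legacy marker) stripped, ports kept in info
      'drop' - malformed, with a reason
    """
    if len(datagram) < UDP_HDR_LEN:
        return "drop", {"reason": "truncated UDP header"}
    sport, dport, ulen, _csum = struct.unpack("!HHHH", datagram[:UDP_HDR_LEN])
    if ulen < UDP_HDR_LEN or ulen != len(datagram):
        return "drop", {"reason": "UDP length mismatch"}
    payload = datagram[UDP_HDR_LEN:]

    # Keepalive: nothing to decrypt, so it never reaches ESP input.
    if payload == NAT_T_KEEPALIVE:
        return "eat", {"reason": "NAT-T keepalive"}

    # Legacy non-IKE marker must be tested before the 4-byte marker:
    # eight zero bytes also match the first four.
    if payload.startswith(NON_IKE_MARKER):
        esp = payload[len(NON_IKE_MARKER):]
    elif payload.startswith(NON_ESP_MARKER):
        return "udp", {"reason": "non-ESP marker (IKE)", "sport": sport, "dport": dport}
    else:
        esp = payload

    if len(esp) < ESP_HDR_LEN:
        return "drop", {"reason": "truncated ESP header"}
    spi, seq = struct.unpack("!II", esp[:ESP_HDR_LEN])
    if spi == 0:
        return "drop", {"reason": "reserved SPI 0"}
    # Stand-in for the mbuf tag: the ports travel with the packet.
    return "esp", {"spi": spi, "seq": seq, "esp": esp,
                   "nat_t_ports": {"sport": sport, "dport": dport}}


def sa_lookup_key(dst_addr, info):
    """Key an ESP input function would use once the ports come out of the tag:
    destination address and SPI, widened with the NAT-T source/dest ports."""
    ports = info["nat_t_ports"]
    return (dst_addr, info["spi"], ports["sport"], ports["dport"])


def esp_input(dst_addr, info, sa_table):
    """Look the SA up by the widened key; None means no SA matched."""
    return sa_table.get(sa_lookup_key(dst_addr, info))


if __name__ == "__main__":
    # Constructed SA table: one SA keyed with NAT-T ports 4500/4500.
    sa_table = {("192.0.2.1", 0x1234, 4500, 4500): "sa-constructed-1"}
    esp_pkt = build_udp(4500, 4500, struct.pack("!II", 0x1234, 5) + b"\xaa" * 16)
    verdict, info = espinudp(esp_pkt)
    print(verdict, hex(info["spi"]), esp_input("192.0.2.1", info, sa_table))
    print(espinudp(build_udp(4500, 4500, NAT_T_KEEPALIVE))[0])
```

The marker ordering is the one detail worth carrying back into a kernel review: the eight-byte legacy marker has to be recognised before the four-byte non-ESP marker, and a zero SPI after stripping must still be rejected, since the SPI/marker overlap is exactly where a parser on this path can misclassify a packet.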