/**
 * Start Dead Peer Detection (RFC 3706) for an IKEv1 state.
 *
 * Looks up the phase 1 state that shares st's cookie pair and, if its
 * hidden_variables.st_dpd flag is set, makes sure an EVENT_DPD is pending
 * on st no later than now + dpd_delay. When st is not itself the phase 1
 * state, a pending EVENT_DPD on the phase 1 state is removed.
 *
 * @param st  state to arm DPD on; st->st_connection is dereferenced
 *            without a NULL check, so the caller must supply a state
 *            with a connection attached.
 * @return STF_FAIL when no phase 1 state matches the cookies, STF_OK
 *         otherwise. STF_OK is also returned when the peer did not
 *         advertise DPD and nothing was scheduled, so STF_OK alone does
 *         not mean this peer's liveness is being monitored.
 */
stf_status dpd_init(struct state *st)
{
#ifdef HAVE_LABELED_IPSEC
	/* Loopback connections are exempt: nothing is scheduled for them. */
	if (st->st_connection->loopback) {
		libreswan_log(
			"dpd is not required for ipsec connections over loopback");
		return STF_OK;
	}
#endif

	/*
	 * Related phase 1 state, matched on the initiator/responder cookies.
	 * The trailing 0 is presumably the message id that identifies the
	 * phase 1 exchange -- confirm against find_state_ikev1().
	 */
	struct state *phase1 =
		find_state_ikev1(st->st_icookie, st->st_rcookie, 0);

	if (phase1 == NULL) {
		loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
		/*
		 * A phase 1 state that goes away should have deleted all of
		 * its children, but a quick mode SA can take a while to set
		 * up (DNS lookups, for instance) and the phase 1 may have
		 * been torn down in the meantime. Nothing can be done from
		 * here; invoking the DPD action would be reasonable, but that
		 * belongs outside this function.
		 */
		return STF_FAIL;
	}

	if (!phase1->hidden_variables.st_dpd) {
		/* The peer never advertised DPD, so no event is scheduled. */
		libreswan_log(
			"Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it");
	} else {
		time_t n = now();

		libreswan_log("Dead Peer Detection (RFC 3706): enabled");

		if (st->st_dpd_event == NULL) {
			/* Nothing pending yet: schedule the first probe. */
			event_schedule(EVENT_DPD,
				       st->st_connection->dpd_delay, st);
		} else if ((st->st_connection->dpd_delay + n) <
			   st->st_dpd_event->ev_time) {
			/*
			 * The pending event fires later than now + dpd_delay,
			 * so replace it with an earlier one.
			 * NOTE(review): unlike the phase 1 case below, the
			 * event is deleted without checking its ev_type.
			 */
			delete_dpd_event(st);
			event_schedule(EVENT_DPD,
				       st->st_connection->dpd_delay, st);
		}
	}

	/*
	 * st was not the phase 1 SA itself: drop a pending EVENT_DPD on the
	 * phase 1 state.
	 */
	if (phase1 != st &&
	    phase1->st_dpd_event != NULL &&
	    phase1->st_dpd_event->ev_type == EVENT_DPD) {
		delete_dpd_event(phase1);
	}

	return STF_OK;
}
/**
 * Start Dead Peer Detection (RFC 3706) for an IKEv1 state.
 *
 * Looks up the phase 1 state that shares st's cookie pair and, if its
 * hidden_variables.st_peer_supports_dpd flag is set, makes sure an
 * EVENT_DPD is scheduled on st using the connection's dpd_delay. When st
 * is not itself the phase 1 state, a pending EVENT_DPD on the phase 1
 * state is removed.
 *
 * @param st  state to arm DPD on; st->st_connection is dereferenced
 *            without a NULL check, so the caller must supply a state
 *            with a connection attached.
 * @return STF_FAIL when no phase 1 state matches the cookies, STF_OK
 *         otherwise. STF_OK is also returned when the peer did not
 *         advertise DPD and nothing was scheduled; that case is only
 *         visible through the RC_LOG_SERIOUS log line.
 */
stf_status dpd_init(struct state *st)
{
	/*
	 * Related phase 1 state, matched on the initiator/responder cookies.
	 * The trailing 0 is presumably the message id that identifies the
	 * phase 1 exchange -- confirm against find_state_ikev1().
	 */
	struct state *phase1 =
		find_state_ikev1(st->st_icookie, st->st_rcookie, 0);

	if (phase1 == NULL) {
		loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
		/*
		 * A phase 1 state that goes away should have deleted all of
		 * its children, but a quick mode SA can take a while to set
		 * up (DNS lookups, for instance) and the phase 1 may have
		 * been torn down in the meantime. Nothing can be done from
		 * here; invoking the DPD action would be reasonable, but that
		 * belongs outside this function.
		 */
		return STF_FAIL;
	}

	if (!phase1->hidden_variables.st_peer_supports_dpd) {
		/*
		 * DPD was configured locally but the peer never advertised
		 * it: no event is scheduled, and the mismatch is logged as
		 * serious so an operator can see that this peer is not being
		 * probed.
		 */
		loglog(RC_LOG_SERIOUS,
		       "Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support");
	} else {
		DBG(DBG_DPD,
		    DBG_log("Dead Peer Detection (RFC 3706): enabled"));

		if (st->st_dpd_event == NULL) {
			/* Nothing pending yet: schedule the first probe. */
			event_schedule(EVENT_DPD,
				       deltasecs(st->st_connection->dpd_delay),
				       st);
		} else if (ev_before(st->st_dpd_event,
				     st->st_connection->dpd_delay)) {
			/*
			 * ev_before() is defined elsewhere; presumably it
			 * reports that rescheduling with dpd_delay would fire
			 * sooner than the pending event -- confirm.
			 * NOTE(review): unlike the phase 1 case below, the
			 * event is deleted without checking its ev_type.
			 */
			delete_dpd_event(st);
			event_schedule(EVENT_DPD,
				       deltasecs(st->st_connection->dpd_delay),
				       st);
		}
	}

	/*
	 * st was not the phase 1 SA itself: drop a pending EVENT_DPD on the
	 * phase 1 state.
	 */
	if (phase1 != st &&
	    phase1->st_dpd_event != NULL &&
	    phase1->st_dpd_event->ev_type == EVENT_DPD) {
		delete_dpd_event(phase1);
	}

	return STF_OK;
}