Date:      Thu, 26 Jul 2007 11:13:53 +0800
From:      blue <susan.lan@zyxel.com.tw>
To:        freebsd-net@freebsd.org
Subject:   SADB_X_SPDFLUSH message handling for latest version of IPsec
Message-ID:  <46A81171.1040107@zyxel.com.tw>

Hi, all:

Recently I found that the behavior of the command "setkey -FP" is quite
different in the latest version of IPsec (known as FAST_IPSEC before).
Before, the command would erase all the existing SP entries; currently the
command does not. After digging into the code, I found that the state of the SP
entries will be set to IPSEC_SPSTATE_DEAD, but the entries will not be
unlinked from the SPD. Why does the entry need to be kept in the SPD? Is there any
special purpose? Without the removal, it's hard to tell whether the SP
entry still takes effect, since "setkey -PD" will not show its status. On
the other hand, SAs behave as usual: once "setkey -F" is typed in, the
SA entries are erased right away.

Thanks.

BR,

blue


