[PATCH 1/1] xfrm: Fix state threshold configuration from userspace

[PATCH 1/1] xfrm: Fix state threshold configuration from userspace

[Michael Rossberg]

Allow to change the replay threshold (XFRMA_REPLAY_THRESH) and expiry
timer (XFRMA_ETIMER_THRESH) of a state without having to set other
attributes like replay counter and byte lifetime. Changing these other
values while traffic flows will break the state.

Signed-off-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
---
 net/xfrm/xfrm_user.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a8de9e3..24e06a2 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1928,8 +1928,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
 	struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
 	struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
 	struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
+	struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
+	struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
 
-	if (!lt && !rp && !re)
+	if (!lt && !rp && !re && !et && !rt)
 		return err;
 
 	/* pedantic mode - thou shalt sayeth replaceth */
-- 
2.1.4

Re: [PATCH 1/1] xfrm: Fix state threshold configuration from userspace

[Steffen Klassert]

On Tue, Sep 29, 2015 at 11:25:08AM +0200, Michael Rossberg wrote:
> Allow to change the replay threshold (XFRMA_REPLAY_THRESH) and expiry
> timer (XFRMA_ETIMER_THRESH) of a state without having to set other
> attributes like replay counter and byte lifetime. Changing these other
> values while traffic flows will break the state.
> 
> Signed-off-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>

Applied to the ipsec tree, thanks Michael!