€•0g      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ(/translations/zh_CN/networking/xfrm_sync”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ(/translations/zh_TW/networking/xfrm_sync”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ(/translations/it_IT/networking/xfrm_sync”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ(/translations/ja_JP/networking/xfrm_sync”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ(/translations/ko_KR/networking/xfrm_sync”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ(/translations/sp_SP/networking/xfrm_sync”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒB/var/lib/git/docbuild/linux/Documentation/networking/xfrm_sync.rst”h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒXFRM”h]”hŒXFRM”…””}”(hh»hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hh¶hžhhŸh³h KubhŒ	paragraph”“”)”}”(hŒ”The sync patches work is based on initial patches from
Krisztian <hidden@balabit.hu> and others and additional patches
from Jamal <hadi@cyberus.ca>.”h]”(hŒBThe sync patches work is based on initial patches from
Krisztian <”…””}”(hhËhžhhŸNh NubhŒ	reference”“”)”}”(hŒhidden@balabit.hu”h]”hŒhidden@balabit.hu”…””}”(hhÕhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:hidden@balabit.hu”uh1hÓhhËubhŒ0> and others and additional patches
from Jamal <”…””}”(hhËhžhhŸNh NubhÔ)”}”(hŒhadi@cyberus.ca”h]”hŒhadi@cyberus.ca”…””}”(hhéhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:hadi@cyberus.ca”uh1hÓhhËubhŒ>.”…””}”(hhËhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhÊ)”}”(hX,  The end goal for syncing is to be able to insert attributes + generate
events so that the SA can be safely moved from one machine to another
for HA purposes.
The idea is to synchronize the SA so that the takeover machine can do
the processing of the SA as accurate as possible if it has access to it.”h]”hX,  The end goal for syncing is to be able to insert attributes + generate
events so that the SA can be safely moved from one machine to another
for HA purposes.
The idea is to synchronize the SA so that the takeover machine can do
the processing of the SA as accurate as possible if it has access to it.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhÊ)”}”(hX6  We already have the ability to generate SA add/del/upd events.
These patches add ability to sync and have accurate lifetime byte (to
ensure proper decay of SAs) and replay counters to avoid replay attacks
with as minimal loss at failover time.
This way a backup stays as closely up-to-date as an active member.”h]”hX6  We already have the ability to generate SA add/del/upd events.
These patches add ability to sync and have accurate lifetime byte (to
ensure proper decay of SAs) and replay counters to avoid replay attacks
with as minimal loss at failover time.
This way a backup stays as closely up-to-date as an active member.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhÊ)”}”(hXŠ  Because the above items change for every packet the SA receives,
it is possible for a lot of the events to be generated.
For this reason, we also add a nagle-like algorithm to restrict
the events. i.e we are going to set thresholds to say "let me
know if the replay sequence threshold is reached or 10 secs have passed"
These thresholds are set system-wide via sysctls or can be updated
per SA.”h]”hXŽ  Because the above items change for every packet the SA receives,
it is possible for a lot of the events to be generated.
For this reason, we also add a nagle-like algorithm to restrict
the events. i.e we are going to set thresholds to say â€œlet me
know if the replay sequence threshold is reached or 10 secs have passedâ€
These thresholds are set system-wide via sysctls or can be updated
per SA.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhÊ)”}”(hX7  The identified items that need to be synchronized are:
- the lifetime byte counter
note that: lifetime time limit is not important if you assume the failover
machine is known ahead of time since the decay of the time countdown
is not driven by packet arrival.
- the replay sequence for both inbound and outbound”h]”hX7  The identified items that need to be synchronized are:
- the lifetime byte counter
note that: lifetime time limit is not important if you assume the failover
machine is known ahead of time since the decay of the time countdown
is not driven by packet arrival.
- the replay sequence for both inbound and outbound”…””}”(hj-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khh¶hžhubhµ)”}”(hhh]”(hº)”}”(hŒ1) Message Structure”h]”hŒ1) Message Structure”…””}”(hj>  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj;  hžhhŸh³h K'ubhÊ)”}”(hŒ!nlmsghdr:aevent_id:optional-TLVs.”h]”hŒ!nlmsghdr:aevent_id:optional-TLVs.”…””}”(hjL  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K)hj;  hžhubhÊ)”}”(hŒThe netlink message types are:”h]”hŒThe netlink message types are:”…””}”(hjZ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K+hj;  hžhubhÊ)”}”(hŒ"XFRM_MSG_NEWAE and XFRM_MSG_GETAE.”h]”hŒ"XFRM_MSG_NEWAE and XFRM_MSG_GETAE.”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K-hj;  hžhubhÊ)”}”(hŒ$A XFRM_MSG_GETAE does not have TLVs.”h]”hŒ$A XFRM_MSG_GETAE does not have TLVs.”…””}”(hjv  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K/hj;  hžhubhÊ)”}”(hŒMA XFRM_MSG_NEWAE will have at least two TLVs (as is
discussed further below).”h]”hŒMA XFRM_MSG_NEWAE will have at least two TLVs (as is
discussed further below).”…””}”(hj„  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K1hj;  hžhubhÊ)”}”(hŒ aevent_id structure looks like::”h]”hŒaevent_id structure looks like:”…””}”(hj’  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K4hj;  hžhubhŒliteral_block”“”)”}”(hŒÞstruct xfrm_aevent_id {
          struct xfrm_usersa_id           sa_id;
          xfrm_address_t                  saddr;
          __u32                           flags;
          __u32                           reqid;
};”h]”hŒÞstruct xfrm_aevent_id {
          struct xfrm_usersa_id           sa_id;
          xfrm_address_t                  saddr;
          __u32                           flags;
          __u32                           reqid;
};”…””}”hj¢  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j   hŸh³h K6hj;  hžhubhÊ)”}”(hŒRThe unique SA is identified by the combination of xfrm_usersa_id,
reqid and saddr.”h]”hŒRThe unique SA is identified by the combination of xfrm_usersa_id,
reqid and saddr.”…””}”(hj°  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K=hj;  hžhubhÊ)”}”(hŒEflags are used to indicate different things. The possible
flags are::”h]”hŒDflags are used to indicate different things. The possible
flags are:”…””}”(hj¾  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K@hj;  hžhubj¡  )”}”(hX/  XFRM_AE_RTHR=1, /* replay threshold*/
XFRM_AE_RVAL=2, /* replay value */
XFRM_AE_LVAL=4, /* lifetime value */
XFRM_AE_ETHR=8, /* expiry timer threshold */
XFRM_AE_CR=16, /* Event cause is replay update */
XFRM_AE_CE=32, /* Event cause is timer expiry */
XFRM_AE_CU=64, /* Event cause is policy update */”h]”hX/  XFRM_AE_RTHR=1, /* replay threshold*/
XFRM_AE_RVAL=2, /* replay value */
XFRM_AE_LVAL=4, /* lifetime value */
XFRM_AE_ETHR=8, /* expiry timer threshold */
XFRM_AE_CR=16, /* Event cause is replay update */
XFRM_AE_CE=32, /* Event cause is timer expiry */
XFRM_AE_CU=64, /* Event cause is policy update */”…””}”hjÌ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j   hŸh³h KChj;  hžhubhÊ)”}”(hŒ´How these flags are used is dependent on the direction of the
message (kernel<->user) as well the cause (config, query or event).
This is described below in the different messages.”h]”hŒ´How these flags are used is dependent on the direction of the
message (kernel<->user) as well the cause (config, query or event).
This is described below in the different messages.”…””}”(hjÚ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KKhj;  hžhubhÊ)”}”(hŒ¥The pid will be set appropriately in netlink to recognize direction
(0 to the kernel and pid = processid that created the event
when going from kernel to user space)”h]”hŒ¥The pid will be set appropriately in netlink to recognize direction
(0 to the kernel and pid = processid that created the event
when going from kernel to user space)”…””}”(hjè  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KOhj;  hžhubhÊ)”}”(hŒbA program needs to subscribe to multicast group XFRMNLGRP_AEVENTS
to get notified of these events.”h]”hŒbA program needs to subscribe to multicast group XFRMNLGRP_AEVENTS
to get notified of these events.”…””}”(hjö  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KShj;  hžhubeh}”(h]”Œmessage-structure”ah ]”h"]”Œ1) message structure”ah$]”h&]”uh1h´hh¶hžhhŸh³h K'ubhµ)”}”(hhh]”(hº)”}”(hŒ)2) TLVS reflect the different parameters:”h]”hŒ)2) TLVS reflect the different parameters:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj  hžhhŸh³h KWubhŒenumerated_list”“”)”}”(hhh]”hŒ	list_item”“”)”}”(hŒbyte value (XFRMA_LTIME_VAL)
”h]”hÊ)”}”(hŒbyte value (XFRMA_LTIME_VAL)”h]”hŒbyte value (XFRMA_LTIME_VAL)”…””}”(hj(  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KYhj$  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  hžhhŸh³h Nubah}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œ
loweralpha”Œprefix”hŒsuffix”Œ)”uh1j  hj  hžhhŸh³h KYubhÊ)”}”(hŒPThis TLV carries the running/current counter for byte lifetime since
last event.”h]”hŒPThis TLV carries the running/current counter for byte lifetime since
last event.”…””}”(hjG  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K[hj  hžhubhÊ)”}”(hŒ!b)replay value (XFRMA_REPLAY_VAL)”h]”hŒ!b)replay value (XFRMA_REPLAY_VAL)”…””}”(hjU  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K^hj  hžhubhÊ)”}”(hŒRThis TLV carries the running/current counter for replay sequence since
last event.”h]”hŒRThis TLV carries the running/current counter for replay sequence since
last event.”…””}”(hjc  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K`hj  hžhubhÊ)”}”(hŒ(c)replay threshold (XFRMA_REPLAY_THRESH)”h]”hŒ(c)replay threshold (XFRMA_REPLAY_THRESH)”…””}”(hjq  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kchj  hžhubhÊ)”}”(hŒoThis TLV carries the threshold being used by the kernel to trigger events
when the replay sequence is exceeded.”h]”hŒoThis TLV carries the threshold being used by the kernel to trigger events
when the replay sequence is exceeded.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kehj  hžhubj  )”}”(hhh]”j#  )”}”(hŒ#expiry timer (XFRMA_ETIMER_THRESH)
”h]”hÊ)”}”(hŒ"expiry timer (XFRMA_ETIMER_THRESH)”h]”hŒ"expiry timer (XFRMA_ETIMER_THRESH)”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  hžhhŸh³h Nubah}”(h]”h ]”h"]”h$]”h&]”jB  jC  jD  hjE  jF  Œstart”Kuh1j  hj  hžhhŸh³h KhubhÊ)”}”(hŒ`This is a timer value in milliseconds which is used as the nagle
value to rate limit the events.”h]”hŒ`This is a timer value in milliseconds which is used as the nagle
value to rate limit the events.”…””}”(hj¯  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kjhj  hžhubeh}”(h]”Œ%tlvs-reflect-the-different-parameters”ah ]”h"]”Œ)2) tlvs reflect the different parameters:”ah$]”h&]”uh1h´hh¶hžhhŸh³h KWubhµ)”}”(hhh]”(hº)”}”(hŒ-3) Default configurations for the parameters:”h]”hŒ-3) Default configurations for the parameters:”…””}”(hjÈ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÅ  hžhhŸh³h KnubhÊ)”}”(hŒ‘By default these events should be turned off unless there is
at least one listener registered to listen to the multicast
group XFRMNLGRP_AEVENTS.”h]”hŒ‘By default these events should be turned off unless there is
at least one listener registered to listen to the multicast
group XFRMNLGRP_AEVENTS.”…””}”(hjÖ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KphjÅ  hžhubhÊ)”}”(hŒíPrograms installing SAs will need to specify the two thresholds, however,
in order to not change existing applications such as racoon
we also provide default threshold values for these different parameters
in case they are not specified.”h]”hŒíPrograms installing SAs will need to specify the two thresholds, however,
in order to not change existing applications such as racoon
we also provide default threshold values for these different parameters
in case they are not specified.”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KthjÅ  hžhubhÊ)”}”(hŒ!the two sysctls/proc entries are:”h]”hŒ!the two sysctls/proc entries are:”…””}”(hjò  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KyhjÅ  hžhubhÊ)”}”(hŒ­a) /proc/sys/net/core/sysctl_xfrm_aevent_etime
used to provide default values for the XFRMA_ETIMER_THRESH in incremental
units of time of 100ms. The default is 10 (1 second)”h]”hŒ­a) /proc/sys/net/core/sysctl_xfrm_aevent_etime
used to provide default values for the XFRMA_ETIMER_THRESH in incremental
units of time of 100ms. The default is 10 (1 second)”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K{hjÅ  hžhubhÊ)”}”(hŒ©b) /proc/sys/net/core/sysctl_xfrm_aevent_rseqth
used to provide default values for XFRMA_REPLAY_THRESH parameter
in incremental packet count. The default is two packets.”h]”hŒ©b) /proc/sys/net/core/sysctl_xfrm_aevent_rseqth
used to provide default values for XFRMA_REPLAY_THRESH parameter
in incremental packet count. The default is two packets.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KhjÅ  hžhubeh}”(h]”Œ)default-configurations-for-the-parameters”ah ]”h"]”Œ-3) default configurations for the parameters:”ah$]”h&]”uh1h´hh¶hžhhŸh³h Knubhµ)”}”(hhh]”(hº)”}”(hŒ4) Message types”h]”hŒ4) Message types”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj$  hžhhŸh³h K„ubj  )”}”(hhh]”j#  )”}”(hŒPXFRM_MSG_GETAE issued by user-->kernel.
XFRM_MSG_GETAE does not carry any TLVs.
”h]”hÊ)”}”(hŒOXFRM_MSG_GETAE issued by user-->kernel.
XFRM_MSG_GETAE does not carry any TLVs.”h]”hŒOXFRM_MSG_GETAE issued by user-->kernel.
XFRM_MSG_GETAE does not carry any TLVs.”…””}”(hj<  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K†hj8  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj5  hžhhŸh³h Nubah}”(h]”h ]”h"]”h$]”h&]”jB  jC  jD  hjE  jF  uh1j  hj$  hžhhŸh³h K†ubhÊ)”}”(hŒ]The response is a XFRM_MSG_NEWAE which is formatted based on what
XFRM_MSG_GETAE queried for.”h]”hŒ]The response is a XFRM_MSG_NEWAE which is formatted based on what
XFRM_MSG_GETAE queried for.”…””}”(hjV  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K‰hj$  hžhubhÊ)”}”(hŒÜThe response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.
* if XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also retrieved
* if XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved”h]”hŒÜThe response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.
* if XFRM_AE_RTHR flag is set, then XFRMA_REPLAY_THRESH is also retrieved
* if XFRM_AE_ETHR flag is set, then XFRMA_ETIMER_THRESH is also retrieved”…””}”(hjd  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h KŒhj$  hžhubj  )”}”(hhh]”j#  )”}”(hŒxXFRM_MSG_NEWAE is issued by either user space to configure
or kernel to announce events or respond to a XFRM_MSG_GETAE.
”h]”hÊ)”}”(hŒwXFRM_MSG_NEWAE is issued by either user space to configure
or kernel to announce events or respond to a XFRM_MSG_GETAE.”h]”hŒwXFRM_MSG_NEWAE is issued by either user space to configure
or kernel to announce events or respond to a XFRM_MSG_GETAE.”…””}”(hjy  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Khju  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjr  hžhhŸh³h Nubah}”(h]”h ]”h"]”h$]”h&]”jB  jC  jD  hjE  jF  j®  Kuh1j  hj$  hžhhŸh³h Kubj  )”}”(hhh]”j#  )”}”(hŒ,user --> kernel to configure a specific SA.
”h]”hÊ)”}”(hŒ+user --> kernel to configure a specific SA.”h]”hŒ+user --> kernel to configure a specific SA.”…””}”(hjš  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K“hj–  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj“  hžhhŸh³h Nubah}”(h]”h ]”h"]”h$]”h&]”jB  Œ
lowerroman”jD  hjE  jF  uh1j  hj$  hžhhŸh³h K“ubhÊ)”}”(hŒXany of the values or threshold parameters can be updated by passing the
appropriate TLV.”h]”hŒXany of the values or threshold parameters can be updated by passing the
appropriate TLV.”…””}”(hjµ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K•hj$  hžhubhÊ)”}”(hŒUA response is issued back to the sender in user space to indicate success
or failure.”h]”hŒUA response is issued back to the sender in user space to indicate success
or failure.”…””}”(hjÃ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K˜hj$  hžhubhÊ)”}”(hŒwIn the case of success, additionally an event with
XFRM_MSG_NEWAE is also issued to any listeners as described in iii).”h]”hŒwIn the case of success, additionally an event with
XFRM_MSG_NEWAE is also issued to any listeners as described in iii).”…””}”(hjÑ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K›hj$  hžhubj  )”}”(hhh]”j#  )”}”(hŒ7kernel->user direction as a response to XFRM_MSG_GETAE
”h]”hÊ)”}”(hŒ6kernel->user direction as a response to XFRM_MSG_GETAE”h]”hŒ6kernel->user direction as a response to XFRM_MSG_GETAE”…””}”(hjæ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h Kžhjâ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hjß  hžhhŸh³h Nubah}”(h]”h ]”h"]”h$]”h&]”jB  j´  jD  hjE  jF  j®  Kuh1j  hj$  hžhhŸh³h KžubhÊ)”}”(hŒHThe response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”h]”hŒHThe response will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K hj$  hžhubhÊ)”}”(hŒZThe threshold TLVs will be included if explicitly requested in
the XFRM_MSG_GETAE message.”h]”hŒZThe threshold TLVs will be included if explicitly requested in
the XFRM_MSG_GETAE message.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K¢hj$  hžhubj  )”}”(hhh]”(j#  )”}”(hX8  kernel->user to report as event if someone sets any values or
thresholds for an SA using XFRM_MSG_NEWAE (as described in #i above).
In such a case XFRM_AE_CU flag is set to inform the user that
the change happened as a result of an update.
The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.
”h]”hÊ)”}”(hX7  kernel->user to report as event if someone sets any values or
thresholds for an SA using XFRM_MSG_NEWAE (as described in #i above).
In such a case XFRM_AE_CU flag is set to inform the user that
the change happened as a result of an update.
The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”h]”hX7  kernel->user to report as event if someone sets any values or
thresholds for an SA using XFRM_MSG_NEWAE (as described in #i above).
In such a case XFRM_AE_CU flag is set to inform the user that
the change happened as a result of an update.
The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”…””}”(hj#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K¥hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  hžhhŸh³h Nubj#  )”}”(hŒMkernel->user to report event when replay threshold or a timeout
is exceeded.
”h]”hÊ)”}”(hŒLkernel->user to report event when replay threshold or a timeout
is exceeded.”h]”hŒLkernel->user to report event when replay threshold or a timeout
is exceeded.”…””}”(hj;  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K«hj7  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j"  hj  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”jB  j´  jD  hjE  jF  j®  Kuh1j  hj$  hžhhŸh³h K¥ubhÊ)”}”(hŒïIn such a case either XFRM_AE_CR (replay exceeded) or XFRM_AE_CE (timeout
happened) is set to inform the user what happened.
Note the two flags are mutually exclusive.
The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”h]”hŒïIn such a case either XFRM_AE_CR (replay exceeded) or XFRM_AE_CE (timeout
happened) is set to inform the user what happened.
Note the two flags are mutually exclusive.
The message will always have XFRMA_LTIME_VAL and XFRMA_REPLAY_VAL TLVs.”…””}”(hjU  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K®hj$  hžhubeh}”(h]”Œmessage-types”ah ]”h"]”Œ4) message types”ah$]”h&]”uh1h´hh¶hžhhŸh³h K„ubhµ)”}”(hhh]”(hº)”}”(hŒ Exceptions to threshold settings”h]”hŒ Exceptions to threshold settings”…””}”(hjn  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjk  hžhhŸh³h K´ubhÊ)”}”(hXƒ  If you have an SA that is getting hit by traffic in bursts such that
there is a period where the timer threshold expires with no packets
seen, then an odd behavior is seen as follows:
The first packet arrival after a timer expiry will trigger a timeout
event; i.e we don't wait for a timeout period or a packet threshold
to be reached. This is done for simplicity and efficiency reasons.”h]”hX…  If you have an SA that is getting hit by traffic in bursts such that
there is a period where the timer threshold expires with no packets
seen, then an odd behavior is seen as follows:
The first packet arrival after a timer expiry will trigger a timeout
event; i.e we donâ€™t wait for a timeout period or a packet threshold
to be reached. This is done for simplicity and efficiency reasons.”…””}”(hj|  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K¶hjk  hžhubhÊ)”}”(hŒ-JHS”h]”hŒ-JHS”…””}”(hjŠ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhŸh³h K½hjk  hžhubeh}”(h]”Œ exceptions-to-threshold-settings”ah ]”h"]”Œ exceptions to threshold settings”ah$]”h&]”uh1h´hh¶hžhhŸh³h K´ubeh}”(h]”Œxfrm”ah ]”h"]”Œxfrm”ah$]”h&]”uh1h´hhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¹NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jË  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j¥  j¢  j	  j  jÂ  j¿  j!  j  jh  je  j  jš  uŒ	nametypes”}”(j¥  ‰j	  ‰jÂ  ‰j!  ‰jh  ‰j  ‰uh}”(j¢  h¶j  j;  j¿  j  j  jÅ  je  j$  jš  jk  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”(hŒsystem_message”“”)”}”(hhh]”hÊ)”}”(hŒ:Enumerated list start value not ordinal-1: "d" (ordinal 4)”h]”hŒ>Enumerated list start value not ordinal-1: â€œdâ€ (ordinal 4)”…””}”(hj2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhj/  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”ŒINFO”Œsource”h³Œline”Kuh1j-  hj  hžhhŸh³h Khubj.  )”}”(hhh]”hÊ)”}”(hŒ:Enumerated list start value not ordinal-1: "b" (ordinal 2)”h]”hŒ>Enumerated list start value not ordinal-1: â€œbâ€ (ordinal 2)”…””}”(hjN  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhjK  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”jH  Œsource”h³Œline”Kuh1j-  hj$  hžhhŸh³h Kubj.  )”}”(hhh]”hÊ)”}”(hŒ;Enumerated list start value not ordinal-1: "ii" (ordinal 2)”h]”hŒ?Enumerated list start value not ordinal-1: â€œiiâ€ (ordinal 2)”…””}”(hji  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhjf  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”jH  Œsource”h³Œline”Kuh1j-  hj$  hžhhŸh³h Kžubj.  )”}”(hhh]”hÊ)”}”(hŒ<Enumerated list start value not ordinal-1: "iii" (ordinal 3)”h]”hŒ@Enumerated list start value not ordinal-1: â€œiiiâ€ (ordinal 3)”…””}”(hj„  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhj  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”jH  Œsource”h³Œline”Kuh1j-  hj$  hžhhŸh³h K¥ubeŒtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.