pluto: change sa_max_* to sa_ipsec_max_*

Similar to sa_ipsec_life_seconds / sa_ike_life_seconds

We do want to configure maximums for IKE later as well, as that
is a FIPS requirement.

include/whack.h

@@ -180,8 +180,8 @@ struct whack_message {
 	deltatime_t sa_ike_life_seconds;
 	deltatime_t sa_ipsec_life_seconds;
 	deltatime_t sa_rekey_margin;
-	uint64_t sa_max_bytes;
-	uint64_t sa_max_packets;
+	uint64_t sa_ipsec_max_bytes;
+	uint64_t sa_ipsec_max_packets;
 	unsigned long sa_rekey_fuzz;
 	unsigned long sa_keying_tries;
 	unsigned long sa_replay_window;

lib/libipsecconf/starterwhack.c

@@ -497,8 +497,8 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
 	msg.nic_offload = conn->options[KNCF_NIC_OFFLOAD];
 	msg.sa_ike_life_seconds = deltatime(conn->options[KNCF_IKELIFETIME]);
 	msg.sa_ipsec_life_seconds = deltatime(conn->options[KNCF_SALIFETIME]);
-	msg.sa_max_bytes = conn->options[KNCF_SAMAXBYTES];
-	msg.sa_max_packets = conn->options[KNCF_SAMAXPACKETS];
+	msg.sa_ipsec_max_bytes = conn->options[KNCF_SAMAXBYTES];
+	msg.sa_ipsec_max_packets = conn->options[KNCF_SAMAXPACKETS];
 	msg.sa_rekey_margin = deltatime(conn->options[KNCF_REKEYMARGIN]);
 	msg.sa_rekey_fuzz = conn->options[KNCF_REKEYFUZZ];
 	msg.sa_keying_tries = conn->options[KNCF_KEYINGTRIES];

programs/pluto/connections.c

@@ -1978,8 +1978,8 @@ static bool extract_connection(const struct whack_message *wm,
 		config->nic_offload = wm->nic_offload;
 		c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
 		c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
-		c->sa_max_bytes = wm->sa_max_bytes;
-		c->sa_max_packets = wm->sa_max_packets;
+		c->sa_ipsec_max_bytes = wm->sa_ipsec_max_bytes;
+		c->sa_ipsec_max_packets = wm->sa_ipsec_max_packets;
 		c->sa_rekey_margin = wm->sa_rekey_margin;
 		c->sa_rekey_fuzz = wm->sa_rekey_fuzz;
 		c->sa_keying_tries = wm->sa_keying_tries;
@@ -2424,8 +2424,8 @@ void add_connection(const struct whack_message *wm, struct logger *logger)
 	    c->sa_keying_tries,
 	    c->sa_replay_window,
 	    str_connection_policies(c, &pb),
-	    c->sa_max_bytes,
-	    c->sa_max_packets);
+	    c->sa_ipsec_max_bytes,
+	    c->sa_ipsec_max_packets);
 	char topo[CONN_BUF_LEN];
 	dbg("%s", format_connection(topo, sizeof(topo), c, &c->spd));
 	/* XXX: something better? */
@@ -3727,8 +3727,8 @@ void show_one_connection(struct show *s,
 
 	char bytesbuf[128];
 	char packetsbuf[128];
-	readable_humber(c->sa_max_bytes, bytesbuf, bytesbuf + sizeof(bytesbuf), "", "");
-	readable_humber(c->sa_max_packets, packetsbuf, packetsbuf + sizeof(packetsbuf), "", "");
+	readable_humber(c->sa_ipsec_max_bytes, bytesbuf, bytesbuf + sizeof(bytesbuf), "", "");
+	readable_humber(c->sa_ipsec_max_packets, packetsbuf, packetsbuf + sizeof(packetsbuf), "", "");
 
 	show_comment(s,
 		"\"%s\"%s:   ike_life: %jds; ipsec_life: %jds; replay_window: %u; rekey_margin: %jds; rekey_fuzz: %lu%%; ipsec_max_bytes: %s; ipsec_max_packets: %s; keyingtries: %lu;",
@@ -3739,8 +3739,8 @@ void show_one_connection(struct show *s,
 		c->sa_replay_window,
 		deltasecs(c->sa_rekey_margin),
 		c->sa_rekey_fuzz,
-		c->sa_max_bytes == (uint64_t)IPSEC_SA_MAX_DEFAULT ? "<unset>" : bytesbuf,
-		c->sa_max_packets == (uint64_t)IPSEC_SA_MAX_DEFAULT  ? "<unset>" : packetsbuf,
+		c->sa_ipsec_max_bytes == (uint64_t)IPSEC_SA_MAX_DEFAULT ? "<unset>" : bytesbuf,
+		c->sa_ipsec_max_packets == (uint64_t)IPSEC_SA_MAX_DEFAULT  ? "<unset>" : packetsbuf,
 		c->sa_keying_tries);
 
 	show_comment(s,

programs/pluto/connections.h

@@ -354,8 +354,8 @@ struct connection {
 	deltatime_t sa_ike_life_seconds;
 	deltatime_t sa_ipsec_life_seconds;
 	deltatime_t sa_rekey_margin;
-	uint64_t sa_max_bytes;
-	uint64_t sa_max_packets;
+	uint64_t sa_ipsec_max_bytes;
+	uint64_t sa_ipsec_max_packets;
 	unsigned long sa_rekey_fuzz;
 	unsigned long sa_keying_tries;
 	uint32_t sa_priority;

programs/pluto/kernel.c

@@ -2143,14 +2143,14 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 		.tunnel = (proto_encap.mode == ENCAP_MODE_TUNNEL),
 		.transport_proto = c->spd.this.client.ipproto,
 		.sa_lifetime = c->sa_ipsec_life_seconds,
-		.sa_max_bytes = c->sa_max_bytes,
-		.sa_max_soft_bytes = compute_sa_soft_limit(st,
-						c->sa_max_bytes,
+		.sa_ipsec_max_bytes = c->sa_ipsec_max_bytes,
+		.sa_ipsec_max_soft_bytes = compute_sa_soft_limit(st,
+						c->sa_ipsec_max_bytes,
 						c->sa_rekey_fuzz,
 						!LIN(POLICY_DONT_REKEY, c->policy)),
-		.sa_max_packets = c->sa_max_packets,
-		.sa_max_soft_packets = compute_sa_soft_limit(st,
-						c->sa_max_packets,
+		.sa_ipsec_max_packets = c->sa_ipsec_max_packets,
+		.sa_ipsec_max_soft_packets = compute_sa_soft_limit(st,
+						c->sa_ipsec_max_packets,
 						c->sa_rekey_fuzz,
 						!LIN(POLICY_DONT_REKEY, c->policy)),
 		.outif = -1,

programs/pluto/kernel.h

@@ -285,10 +285,10 @@ struct kernel_sa {
 	const char *nic_offload_dev;
 	uint32_t xfrm_if_id;
 	struct sa_mark mark_set; /* config keyword mark-out */
-	uint64_t sa_max_bytes;
-	uint64_t sa_max_soft_bytes;
-	uint64_t sa_max_packets;
-	uint64_t sa_max_soft_packets;
+	uint64_t sa_ipsec_max_bytes;
+	uint64_t sa_ipsec_max_soft_bytes;
+	uint64_t sa_ipsec_max_packets;
+	uint64_t sa_ipsec_max_soft_packets;
 	deltatime_t sa_lifetime; /* number of seconds until SA expires */
 };
 

programs/pluto/kernel_xfrm.c

@@ -1358,10 +1358,10 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace,
 	req.p.reqid = sa->reqid;
 	dbg("%s() adding IPsec SA with reqid %d", __func__, sa->reqid);
 
-	req.p.lft.soft_byte_limit = sa->sa_max_soft_bytes;
-	req.p.lft.hard_byte_limit = sa->sa_max_bytes;
-	req.p.lft.hard_packet_limit = sa->sa_max_packets;
-	req.p.lft.soft_packet_limit = sa->sa_max_soft_packets;
+	req.p.lft.soft_byte_limit = sa->sa_ipsec_max_soft_bytes;
+	req.p.lft.hard_byte_limit = sa->sa_ipsec_max_bytes;
+	req.p.lft.hard_packet_limit = sa->sa_ipsec_max_packets;
+	req.p.lft.soft_packet_limit = sa->sa_ipsec_max_soft_packets;
 
 	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.p)));
 

programs/pluto/state.c

@@ -2244,7 +2244,7 @@ static void show_established_child_details(struct show *s, struct state *st)
 				jam_readable_humber(buf, st->st_ah.our_bytes, false);
 			}
 			jam(buf, " AHmax=");		/* TBD: "The ! is not printed." */
-			jam_readable_humber(buf, c->sa_max_bytes, true);
+			jam_readable_humber(buf, c->sa_ipsec_max_bytes, true);
 		}
 		if (st->st_esp.present) {
 			if (get_sa_info(st, true, NULL)) {
@@ -2256,7 +2256,7 @@ static void show_established_child_details(struct show *s, struct state *st)
 				jam_readable_humber(buf, st->st_esp.peer_bytes, false);
 			}
 			jam(buf, " ESPmax=");		/* TBD: "The ! is not printed." */
-			jam_readable_humber(buf, c->sa_max_bytes, true);
+			jam_readable_humber(buf, c->sa_ipsec_max_bytes, true);
 		}
 		if (st->st_ipcomp.present) {
 			if (get_sa_info(st, false, NULL)) {

programs/whack/whack.c

@@ -1055,8 +1055,8 @@ int main(int argc, char **argv)
 	msg.nic_offload = yna_auto;
 	msg.sa_ike_life_seconds = deltatime(IKE_SA_LIFETIME_DEFAULT);
 	msg.sa_ipsec_life_seconds = deltatime(IPSEC_SA_LIFETIME_DEFAULT);
-	msg.sa_max_bytes = IPSEC_SA_MAX_DEFAULT;
-	msg.sa_max_packets = IPSEC_SA_MAX_DEFAULT;
+	msg.sa_ipsec_max_bytes = IPSEC_SA_MAX_DEFAULT;
+	msg.sa_ipsec_max_packets = IPSEC_SA_MAX_DEFAULT;
 	msg.sa_rekey_margin = deltatime(SA_REPLACEMENT_MARGIN_DEFAULT);
 	msg.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
 	msg.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;