authorTobias Brunner <tobias@strongswan.org>2016-04-01 17:06:10 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2016-04-09 16:51:00 +0200
commit83312ee5e4eb8f17d7213206eb4a34df2b75c524 (patch)
tree7b537a958c3d5d4a1279b457e6cad9b86f897465 /src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
parentf7e9e6a3fdda8c714eddf70015f998bb9c370904 (diff)
kernel-netlink: Prefer policies with reqid over those without
This allows two CHILD_SAs with reversed subnets to install two FWD policies each. Since the outbound policy won't have a reqid set we will end up with the two inbound FWD policies installed in the kernel, with the correct templates to allow decrypted traffic.
Diffstat (limited to 'src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c')
-rw-r--r--src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 22afc6352..b147590e3 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2403,7 +2403,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
enumerator = policy->used_by->create_enumerator(policy->used_by);
while (enumerator->enumerate(enumerator, (void**)&current_sa))
{
- if (current_sa->priority >= assigned_sa->priority)
+ if (current_sa->priority > assigned_sa->priority)
+ {
+ break;
+ }
+ /* prefer SAs with a reqid over those without */
+ if (current_sa->priority == assigned_sa->priority &&
+ (!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid))
{
break;
}
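Review bot: The comment `/* prefer SAs with a reqid over those without */` on the new equal-priority check states the ordering but not why it matters, and the reason is only in the commit message. Judging by that message, the entry that sorts first in `used_by` determines the template installed in the kernel, so a reqid-less entry sorting ahead of one with a reqid would presumably leave the FWD policy without the template that decrypted traffic must match. I would spell that out in place, e.g. `/* equal priority: keep SAs with a reqid ahead of those without, so the installed policy carries the template matching decrypted inbound traffic */`. It is also worth noting in the comment that when both SAs (or neither) have a reqid the new SA is still inserted in front of the existing one, as before the change. The loop and the rest of `add_policy` continue outside the hunk, so the insert itself and the matching delete path are not visible here.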