authorTobias Brunner <tobias@strongswan.org>2016-06-09 15:46:32 +0200
committerTobias Brunner <tobias@strongswan.org>2016-06-10 15:25:05 +0200
commit85fed13c18ca0a6913e90f0426e73caea17da79a (patch)
tree732ef22f9ca5a6580407de24247d9abc9dbab0c6 /src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
parente7369a9dc50d7a81f03c5b0d3418ac66a01e3f05 (diff)
kernel-pfkey: Don't install routes for drop policies and if protocol/ports are in the selector
Diffstat (limited to 'src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c')
-rw-r--r--src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index a5d3c0a4b..b92a6e541 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2560,13 +2560,20 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
/* install a route, if:
* - this is an inbound policy (to just get one for each child)
- * - we are in tunnel mode or install a bypass policy
* - routing is not disabled via strongswan.conf
+ * - the selector is not for a specific protocol/port
+ * - we are in tunnel mode or install a bypass policy
*/
if (policy->direction == POLICY_IN && this->install_routes &&
- (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
+ policy->src.proto == IPSEC_PROTO_ANY &&
+ !policy->src.net->get_port(policy->src.net) &&
+ !policy->dst.net->get_port(policy->dst.net))
{
- install_route(this, policy, (policy_sa_in_t*)mapping);
+ if (mapping->type == POLICY_PASS ||
+ (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
+ {
+ install_route(this, policy, (policy_sa_in_t*)mapping);
+ }
}
this->mutex->unlock(this->mutex);
return SUCCESS;
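Review bot: The new protocol guard tests only `policy->src.proto == IPSEC_PROTO_ANY`, while the port guard on the following two lines covers both `policy->src.net` and `policy->dst.net`; if the entry also carries a per-side `policy->dst.proto` (which the `src.proto` field suggests), a selector restricted by protocol on the destination side alone would still get a route, contrary to the comment's "the selector is not for a specific protocol/port". If the protocol is guaranteed identical on both sides when the entry is built, a one-line comment would make the asymmetry deliberate: `/* proto is the same for src and dst, so checking src suffices */`. Otherwise extend the condition to `policy->src.proto == IPSEC_PROTO_ANY && policy->dst.proto == IPSEC_PROTO_ANY &&`. The enclosing add_policy_internal starts and ends outside the hunk.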