diff options
author | Tobias Brunner <tobias@strongswan.org> | 2016-06-09 15:46:32 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-06-10 15:25:05 +0200 |
commit | 85fed13c18ca0a6913e90f0426e73caea17da79a (patch) | |
tree | 732ef22f9ca5a6580407de24247d9abc9dbab0c6 /src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | |
parent | e7369a9dc50d7a81f03c5b0d3418ac66a01e3f05 (diff) | |
download | strongswan-85fed13c18ca0a6913e90f0426e73caea17da79a.tar.bz2 strongswan-85fed13c18ca0a6913e90f0426e73caea17da79a.tar.xz |
kernel-pfkey: Don't install routes for drop policies and if protocol/ports are in the selector
Diffstat (limited to 'src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c')
-rw-r--r-- | src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index a5d3c0a4b..b92a6e541 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -2560,13 +2560,20 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this, /* install a route, if: * - this is an inbound policy (to just get one for each child) - * - we are in tunnel mode or install a bypass policy * - routing is not disabled via strongswan.conf + * - the selector is not for a specific protocol/port + * - we are in tunnel mode or install a bypass policy */ if (policy->direction == POLICY_IN && this->install_routes && - (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT)) + policy->src.proto == IPSEC_PROTO_ANY && + !policy->src.net->get_port(policy->src.net) && + !policy->dst.net->get_port(policy->dst.net)) { - install_route(this, policy, (policy_sa_in_t*)mapping); + if (mapping->type == POLICY_PASS || + (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT)) + { + install_route(this, policy, (policy_sa_in_t*)mapping); + } } this->mutex->unlock(this->mutex); return SUCCESS; |