kernel-netlink: Add an option to enforce using XFRM_MSG_UPDPOLICY

1 files changed, 12 insertions, 0 deletions

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 0f88b649e..977d6299a 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -322,6 +322,11 @@ struct private_kernel_netlink_ipsec_t {
 	bool policy_history;
 
 	/**
+	 * Wheter to always use UPDATE to install policies
+	 */
+	bool policy_update;
+
+	/**
 	 * Installed port based IKE bypass policies, as bypass_t
 	 */
 	array_t *bypass;
@@ -2319,6 +2324,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		return SUCCESS;
 	}
 
+	if (this->policy_update)
+	{
+		found = TRUE;
+	}
+
 	DBG2(DBG_KNL, "%s policy %R === %R %N  (mark %u/0x%08x)",
 				   found ? "updating" : "adding", src_ts, dst_ts,
 				   policy_dir_names, direction, mark.value, mark.mask);
@@ -2849,6 +2859,8 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		.bypass = array_create(sizeof(bypass_t), 0),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.policy_history = TRUE,
+		.policy_update = lib->settings->get_bool(lib->settings,
+					"%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
 		.install_routes = lib->settings->get_bool(lib->settings,
 							"%s.install_routes", TRUE, lib->ns),
 		.proto_port_transport = lib->settings->get_bool(lib->settings,