author | Tobias Brunner <tobias@strongswan.org> | 2011-07-27 13:44:33 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2011-07-27 13:44:33 +0200 |
commit | d7a59f1976f1d917f5cc934a95f1a809148cb160 (patch) | |
tree | dc86ddef6984aa1b1f0856728b749b0900bd1519 /src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | |
parent | fbedc6a45b9c18f13972c8e1a7ada0ef5fb67210 (diff) | |
download | strongswan-d7a59f1976f1d917f5cc934a95f1a809148cb160.tar.bz2 strongswan-d7a59f1976f1d917f5cc934a95f1a809148cb160.tar.xz |
Install fallback drop policies to avoid transmitting unencrypted packets.
During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy
is first uninstalled and then the new one is installed. In the short
time in between, where no policy is available in the kernel, unencrypted
packets could have been transmitted.
Diffstat (limited to 'src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c')
-rw-r--r-- | src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 26919a613..06720a0f4 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -575,6 +575,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy, u_int32_t priority = PRIO_BASE; switch (prio) { + case POLICY_PRIORITY_FALLBACK: + priority <<= 1; + /* fall-through */ case POLICY_PRIORITY_ROUTED: priority <<= 1; /* fall-through */ |
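Review bot: In the new `case POLICY_PRIORITY_FALLBACK:` arm of get_priority(), the ordering relative to POLICY_PRIORITY_ROUTED is expressed only through the cascading `priority <<= 1` fall-throughs, with no comment stating that the fallback drop policy has to end up with the numerically largest value so that any real policy for the same selector is preferred over it. A short comment above the case stating that intent would help, because a wrong ordering here would either let the drop policy shadow a policy that should protect the traffic or fail to close the window the commit message describes. It is also worth confirming that PRIO_BASE, whose value is not visible in this hunk, leaves enough headroom in a u_int32_t for the extra shift, since the fallback path now shifts once more than the routed path before any later adjustment.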