authorTobias Brunner <tobias@strongswan.org>2015-06-03 17:31:30 +0200
committerTobias Brunner <tobias@strongswan.org>2015-08-13 10:49:16 +0200
commitdc2fa791e4b914a0099469749648483acdef6fbb (patch)
treec2610515c8c5a7611c82585db4a3329bc1cfc0d8 /src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
parent695112d7b8ea96f1c38f255cf404dfd661671e8d (diff)
kernel-netlink: When adding a policy do an update if it already exists
This may be the case when SAs are reestablished after a crash of the IKE daemon. We could actually always do updates. The kernel doesn't care, the only difference is the possible EEXIST if XFRM_MSG_NEWPOLICY is used. The advantage of not doing this, though, is that we get a warning in the log if a policy already exists, as that should usually not be the case.
Diffstat (limited to 'src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c')
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index e0f1dd702..2958b5942 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2059,6 +2059,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
ipsec_sa_t *ipsec = mapping->sa;
struct xfrm_userpolicy_info *policy_info;
struct nlmsghdr *hdr;
+ status_t status;
int i;
/* clone the policy so we are able to check it out again later */
@@ -2153,7 +2154,14 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
}
this->mutex->unlock(this->mutex);
- if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+ if (status == ALREADY_DONE && !update)
+ {
+ DBG1(DBG_KNL, "policy already exists, try to update it");
+ hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
+ status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+ }
+ if (status != SUCCESS)
{
return FAILED;
}
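Review bot: The `DBG1` message in the new `status == ALREADY_DONE && !update` branch does not say which policy is about to be replaced, so the log cannot show whose kernel entry the `XFRM_MSG_UPDPOLICY` retry overwrote. That matters because the retry replaces whatever policy already matches in the kernel, which may be a leftover from a daemon crash but could also be an entry this daemon never installed. The message should carry the policy's traffic selectors and direction, using the same identifiers as the function's other log calls; those are outside this hunk, so the exact arguments need to be taken from the surrounding code. A short comment above the branch would also record the intent, e.g. `/* presumably EEXIST from XFRM_MSG_NEWPOLICY (policy left over after a daemon crash): replace it instead of failing */`. add_policy_internal begins and ends outside the hunk, so whether the locally tracked policy state is rolled back when the retry also fails cannot be judged from here.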