diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2010-12-07 11:58:09 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2010-12-07 12:14:50 +0100 |
| commit | e6f42b0721b3376f04f6bef8287abe0188342619 (patch) | |
| tree | ae945ad60a821efc1ab807b6dacf5c7dd54fd3ab /src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | |
| parent | 4332cd7f95ae93fbe4e3f6328c2b819c262ae049 (diff) | |
| download | strongswan-e6f42b0721b3376f04f6bef8287abe0188342619.tar.bz2 strongswan-e6f42b0721b3376f04f6bef8287abe0188342619.tar.xz | |
Include the destination net in the policy priority calculation.
The resulting priorities are as follows:
IPv6 IPv4
routed normal routed normal
max 4096(+3) 2048(+3) 4096(+3) 2048(+3)
min 3072 1024 3840 1792
Where min is for a policy between two single hosts and max is
for /0 on both ends (lower priorities are preferred by the kernel).
(+3) applies for cases where no protocol and no ports are defined.
Diffstat (limited to 'src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c')
| -rw-r--r-- | src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 4e687c0c5..de665dd6b 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -58,8 +58,8 @@ #endif /*IPV6_XFRM_POLICY*/ /** default priority of installed policies */ -#define PRIO_LOW 3000 -#define PRIO_HIGH 2000 +#define PRIO_LOW 1024 +#define PRIO_HIGH 512 /** * map the limit for bytes and packets to XFRM_INF per default @@ -1687,11 +1687,16 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); policy_info->sel = policy->sel; policy_info->dir = policy->direction; - /* calculate priority based on source selector size, small size = high prio */ + + /* calculate priority based on selector size, small size = high prio */ policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH; - policy_info->priority -= policy->sel.prefixlen_s * 10; - policy_info->priority -= policy->sel.proto ? 2 : 0; - policy_info->priority -= policy->sel.sport_mask ? 1 : 0; + policy_info->priority -= policy->sel.prefixlen_s; + policy_info->priority -= policy->sel.prefixlen_d; + policy_info->priority <<= 2; /* make some room for the two flags */ + policy_info->priority += policy->sel.sport_mask || + policy->sel.dport_mask ? 0 : 2; + policy_info->priority += policy->sel.proto ? 0 : 1; + policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW : XFRM_POLICY_BLOCK; policy_info->share = XFRM_SHARE_ANY; |