vici: Make installation of outbound FWD policies configurable

author: Tobias Brunner <tobias@strongswan.org> 2016-08-18 16:22:51 +0200
committer: Tobias Brunner <tobias@strongswan.org> 2016-09-28 17:56:43 +0200
commit: 50721a61d8cd5d6cad4f8cc308b51fa299808243 (patch)
tree: 2b528413f58d016565b5820a1cb155199cc34096 /src/swanctl
parent: c98e48cf0ecc9563166f2e7d009462c01fc3fb6e (diff)
download: strongswan-50721a61d8cd5d6cad4f8cc308b51fa299808243.tar.bz2
strongswan-50721a61d8cd5d6cad4f8cc308b51fa299808243.tar.xz
1 files changed, 7 insertions, 0 deletions
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 15cbc6cfc..2a4f5a789 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -659,6 +659,13 @@ connections.<conn>.children.<child>.policies = yes
 	Whether to install IPsec policies or not. Disabling this can be useful in
 	some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
 
+connections.<conn>.children.<child>.policies_fwd_out = no
+	Whether to install outbound FWD IPsec policies or not.
+
+	Whether to install outbound FWD IPsec policies or not. Enabling this is
+	required in case there is a drop policy that would match and block forwarded
+	traffic for this CHILD_SA.
+
 connections.<conn>.children.<child>.dpd_action = clear
 	Action to perform on DPD timeout (_clear_, _trap_ or _restart_).
author	Tobias Brunner <tobias@strongswan.org>	2016-08-18 16:22:51 +0200
committer	Tobias Brunner <tobias@strongswan.org>	2016-09-28 17:56:43 +0200
commit	50721a61d8cd5d6cad4f8cc308b51fa299808243 (patch)
tree	2b528413f58d016565b5820a1cb155199cc34096 /src/swanctl
parent	c98e48cf0ecc9563166f2e7d009462c01fc3fb6e (diff)
download	strongswan-50721a61d8cd5d6cad4f8cc308b51fa299808243.tar.bz2 strongswan-50721a61d8cd5d6cad4f8cc308b51fa299808243.tar.xz