2 files changed, 36 insertions, 25 deletions

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index daefcaae5..224a51923 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -437,6 +437,7 @@ typedef struct {
 	linked_list_t *remote_ts;
 	uint32_t replay_window;
 	bool policies;
+	bool policies_fwd_out;
 	child_cfg_create_t cfg;
 } child_data_t;
 
@@ -462,6 +463,7 @@ static void log_child_data(child_data_t *data, char *name)
 	DBG2(DBG_CFG, "   ipcomp = %u", cfg->ipcomp);
 	DBG2(DBG_CFG, "   mode = %N", ipsec_mode_names, cfg->mode);
 	DBG2(DBG_CFG, "   policies = %u", data->policies);
+	DBG2(DBG_CFG, "   policies_fwd_out = %u", data->policies_fwd_out);
 	if (data->replay_window != REPLAY_UNDEFINED)
 	{
 		DBG2(DBG_CFG, "   replay_window = %u", data->replay_window);
@@ -1330,31 +1332,32 @@ CALLBACK(child_kv, bool,
 	child_data_t *child, vici_message_t *message, char *name, chunk_t value)
 {
 	parse_rule_t rules[] = {
-		{ "updown",			parse_string,		&child->cfg.updown					},
-		{ "hostaccess",		parse_bool,			&child->cfg.hostaccess				},
-		{ "mode",			parse_mode,			&child->cfg.mode					},
-		{ "policies",		parse_bool,			&child->policies					},
-		{ "replay_window",	parse_uint32,		&child->replay_window				},
-		{ "rekey_time",		parse_time,			&child->cfg.lifetime.time.rekey		},
-		{ "life_time",		parse_time,			&child->cfg.lifetime.time.life		},
-		{ "rand_time",		parse_time,			&child->cfg.lifetime.time.jitter	},
-		{ "rekey_bytes",	parse_bytes,		&child->cfg.lifetime.bytes.rekey	},
-		{ "life_bytes",		parse_bytes,		&child->cfg.lifetime.bytes.life		},
-		{ "rand_bytes",		parse_bytes,		&child->cfg.lifetime.bytes.jitter	},
-		{ "rekey_packets",	parse_uint64,		&child->cfg.lifetime.packets.rekey	},
-		{ "life_packets",	parse_uint64,		&child->cfg.lifetime.packets.life	},
-		{ "rand_packets",	parse_uint64,		&child->cfg.lifetime.packets.jitter	},
-		{ "dpd_action",		parse_action,		&child->cfg.dpd_action				},
-		{ "start_action",	parse_action,		&child->cfg.start_action			},
-		{ "close_action",	parse_action,		&child->cfg.close_action			},
-		{ "ipcomp",			parse_bool,			&child->cfg.ipcomp					},
-		{ "inactivity",		parse_time,			&child->cfg.inactivity				},
-		{ "reqid",			parse_uint32,		&child->cfg.reqid					},
-		{ "mark_in",		parse_mark,			&child->cfg.mark_in					},
-		{ "mark_out",		parse_mark,			&child->cfg.mark_out				},
-		{ "tfc_padding",	parse_tfc,			&child->cfg.tfc						},
-		{ "priority",		parse_uint32,		&child->cfg.priority				},
-		{ "interface",		parse_string,		&child->cfg.interface				},
+		{ "updown",				parse_string,		&child->cfg.updown					},
+		{ "hostaccess",			parse_bool,			&child->cfg.hostaccess				},
+		{ "mode",				parse_mode,			&child->cfg.mode					},
+		{ "policies",			parse_bool,			&child->policies					},
+		{ "policies_fwd_out",	parse_bool,			&child->policies_fwd_out			},
+		{ "replay_window",		parse_uint32,		&child->replay_window				},
+		{ "rekey_time",			parse_time,			&child->cfg.lifetime.time.rekey		},
+		{ "life_time",			parse_time,			&child->cfg.lifetime.time.life		},
+		{ "rand_time",			parse_time,			&child->cfg.lifetime.time.jitter	},
+		{ "rekey_bytes",		parse_bytes,		&child->cfg.lifetime.bytes.rekey	},
+		{ "life_bytes",			parse_bytes,		&child->cfg.lifetime.bytes.life		},
+		{ "rand_bytes",			parse_bytes,		&child->cfg.lifetime.bytes.jitter	},
+		{ "rekey_packets",		parse_uint64,		&child->cfg.lifetime.packets.rekey	},
+		{ "life_packets",		parse_uint64,		&child->cfg.lifetime.packets.life	},
+		{ "rand_packets",		parse_uint64,		&child->cfg.lifetime.packets.jitter	},
+		{ "dpd_action",			parse_action,		&child->cfg.dpd_action				},
+		{ "start_action",		parse_action,		&child->cfg.start_action			},
+		{ "close_action",		parse_action,		&child->cfg.close_action			},
+		{ "ipcomp",				parse_bool,			&child->cfg.ipcomp					},
+		{ "inactivity",			parse_time,			&child->cfg.inactivity				},
+		{ "reqid",				parse_uint32,		&child->cfg.reqid					},
+		{ "mark_in",			parse_mark,			&child->cfg.mark_in					},
+		{ "mark_out",			parse_mark,			&child->cfg.mark_out				},
+		{ "tfc_padding",		parse_tfc,			&child->cfg.tfc						},
+		{ "priority",			parse_uint32,		&child->cfg.priority				},
+		{ "interface",			parse_string,		&child->cfg.interface				},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
@@ -1537,6 +1540,7 @@ CALLBACK(children_sn, bool,
 		}
 	}
 	child.cfg.suppress_policies = !child.policies;
+	child.cfg.fwd_out_policies = child.policies_fwd_out;
 
 	check_lifetimes(&child.cfg.lifetime);
 
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 15cbc6cfc..2a4f5a789 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -659,6 +659,13 @@ connections.<conn>.children.<child>.policies = yes
 	Whether to install IPsec policies or not. Disabling this can be useful in
 	some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
 
+connections.<conn>.children.<child>.policies_fwd_out = no
+	Whether to install outbound FWD IPsec policies or not.
+
+	Whether to install outbound FWD IPsec policies or not. Enabling this is
+	required in case there is a drop policy that would match and block forwarded
+	traffic for this CHILD_SA.
+
 connections.<conn>.children.<child>.dpd_action = clear
 	Action to perform on DPD timeout (_clear_, _trap_ or _restart_).