-rw-r--r-- | src/libcharon/sa/child_sa.c | 36 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_interface.c | 5 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_interface.h | 5 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_ipsec.h | 18 | ||||
-rw-r--r-- | src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c | 2 | ||||
-rw-r--r-- | src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 2 | ||||
-rw-r--r-- | src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 2 |
7 files changed, 43 insertions, 27 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index acfdfaf6c..fa95d12f7 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -692,24 +692,24 @@ METHOD(child_sa_t, add_policies, status_t,
 status |= hydra->kernel_interface->add_policy(
 hydra->kernel_interface,
 this->my_addr, this->other_addr, my_ts, other_ts,
- POLICY_OUT, other_esp, other_ah, this->reqid,
- this->mark_out, this->mode, this->ipcomp,
- this->other_cpi, routed);
+ POLICY_OUT, POLICY_IPSEC, other_esp, other_ah,
+ this->reqid, this->mark_out, this->mode,
+ this->ipcomp, this->other_cpi, routed);
 status |= hydra->kernel_interface->add_policy(
 hydra->kernel_interface,
 this->other_addr, this->my_addr, other_ts, my_ts,
- POLICY_IN, my_esp, my_ah, this->reqid,
- this->mark_in, this->mode, this->ipcomp,
- this->my_cpi, routed);
+ POLICY_IN, POLICY_IPSEC, my_esp, my_ah,
+ this->reqid, this->mark_in, this->mode,
+ this->ipcomp, this->my_cpi, routed);
 if (this->mode != MODE_TRANSPORT)
 {
 status |= hydra->kernel_interface->add_policy(
 hydra->kernel_interface,
 this->other_addr, this->my_addr, other_ts, my_ts,
- POLICY_FWD, my_esp, my_ah, this->reqid,
- this->mark_in, this->mode, this->ipcomp,
- this->my_cpi, routed);
+ POLICY_FWD, POLICY_IPSEC, my_esp, my_ah,
+ this->reqid, this->mark_in, this->mode,
+ this->ipcomp, this->my_cpi, routed);
 }
 if (status != SUCCESS)
@@ -832,19 +832,19 @@ METHOD(child_sa_t, update, status_t,
 /* reinstall updated policies */
 hydra->kernel_interface->add_policy(hydra->kernel_interface,
- me, other, my_ts, other_ts, POLICY_OUT,
- other_esp, other_ah, this->reqid, this->mark_out,
- this->mode, this->ipcomp, this->other_cpi, FALSE);
+ me, other, my_ts, other_ts, POLICY_OUT, POLICY_IPSEC,
+ other_esp, other_ah, this->reqid, this->mark_out,
+ this->mode, this->ipcomp, this->other_cpi, FALSE);
 hydra->kernel_interface->add_policy(hydra->kernel_interface,
- other, me, other_ts, my_ts, POLICY_IN,
- my_esp, my_ah, this->reqid, this->mark_in,
- this->mode, this->ipcomp, this->my_cpi, FALSE);
+ other, me, other_ts, my_ts, POLICY_IN, POLICY_IPSEC,
+ my_esp, my_ah, this->reqid, this->mark_in,
+ this->mode, this->ipcomp, this->my_cpi, FALSE);
 if (this->mode != MODE_TRANSPORT)
 {
 hydra->kernel_interface->add_policy(hydra->kernel_interface,
- other, me, other_ts, my_ts, POLICY_FWD,
- my_esp, my_ah, this->reqid, this->mark_in,
- this->mode, this->ipcomp, this->my_cpi, FALSE);
+ other, me, other_ts, my_ts, POLICY_FWD, POLICY_IPSEC,
+ my_esp, my_ah, this->reqid, this->mark_in,
+ this->mode, this->ipcomp, this->my_cpi, FALSE);
 }
 }
 enumerator->destroy(enumerator);
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index bc9960509..7e16a89cd 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -131,7 +131,7 @@ METHOD(kernel_interface_t, del_sa, status_t,
 METHOD(kernel_interface_t, add_policy, status_t,
 private_kernel_interface_t *this, host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+ policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
 u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool routed)
 {
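Review bot: All three add_policy() calls in the update() hunk discard the returned status_t, so a policy that fails to be reinstalled after the address change is lost without the caller ever learning that the CHILD_SA now runs without it; add_policies() in the same file accumulates the result into `status` and checks it. Since update() is declared to return status_t, the calls should be written as `status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,` and the accumulated value returned or at least logged on failure. The body of update() starts and ends outside this hunk, so whether a suitable status variable already exists is not visible here.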
@@ -140,7 +140,8 @@ METHOD(kernel_interface_t, add_policy, status_t,
 return NOT_SUPPORTED;
 }
 return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
- direction, spi, ah_spi, reqid, mark, mode, ipcomp, cpi, routed);
+ direction, type, spi, ah_spi, reqid, mark,
+ mode, ipcomp, cpi, routed);
 }
 METHOD(kernel_interface_t, query_policy, status_t,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index c3c3764c4..fdf320be7 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -183,6 +183,7 @@ struct kernel_interface_t {
 * @param src_ts traffic selector to match traffic source
 * @param dst_ts traffic selector to match traffic dest
 * @param direction direction of traffic, POLICY_(IN|OUT|FWD)
+ * @param type type of policy, POLICY_(IPSEC|PASS|DROP)
 * @param spi SPI of optional ESP SA
 * @param ah_spi SPI of optional AH SA
 * @param reqid unique ID of an SA to use to enforce policy
@@ -197,8 +198,8 @@ struct kernel_interface_t {
 host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi,
- u_int32_t ah_spi, u_int32_t reqid,
+ policy_dir_t direction, policy_type_t type,
+ u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
 mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool routed);
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 1a7f7b44d..ff692535d 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -26,6 +26,7 @@ typedef enum ipsec_mode_t ipsec_mode_t;
 typedef enum policy_dir_t policy_dir_t;
+typedef enum policy_type_t policy_type_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct kernel_ipsec_t kernel_ipsec_t;
 typedef struct lifetime_cfg_t lifetime_cfg_t;
@@ -72,6 +73,18 @@ enum policy_dir_t {
 extern enum_name_t *policy_dir_names;
 /**
+ * Type of a policy.
+ */
+enum policy_type_t {
+ /** Normal IPsec policy */
+ POLICY_IPSEC = 1,
+ /** Passthrough policy (traffic is ignored by IPsec) */
+ POLICY_PASS,
+ /** Drop policy (traffic is discarded) */
+ POLICY_DROP,
+};
+
+/**
 * IPComp transform IDs, as in RFC 4306
 */
 enum ipcomp_transform_t {
@@ -258,6 +271,7 @@ struct kernel_ipsec_t {
 * @param src_ts traffic selector to match traffic source
 * @param dst_ts traffic selector to match traffic dest
 * @param direction direction of traffic, POLICY_(IN|OUT|FWD)
+ * @param type type of policy, POLICY_(IPSEC|PASS|DROP)
 * @param spi SPI of optional ESP SA
 * @param ah_spi SPI of optional AH SA
 * @param reqid unique ID of an SA to use to enforce policy
@@ -272,8 +286,8 @@ struct kernel_ipsec_t {
 host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi,
- u_int32_t ah_spi, u_int32_t reqid,
+ policy_dir_t direction, policy_type_t type,
+ u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
 mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool routed);
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index f0a9e5504..042d98936 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1969,7 +1969,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+ policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
 u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool routed)
 {
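Review bot: The new policy_type_t has no enum_name_t counterpart, although the neighbouring policy_dir_t exposes `policy_dir_names` right above it; without one the backends cannot print the requested type in their debug output when a policy is installed or rejected. Suggest adding `extern enum_name_t *policy_type_names;` after the enum, with the matching ENUM definition in the corresponding .c file. The enumeration also deliberately (it seems) starts at 1, which leaves a zero-initialised type value outside the named range; if that is meant to make an unset type detectable, a short comment on `POLICY_IPSEC = 1,` saying so would stop a later maintainer from "fixing" it back to 0. The comment on POLICY_PASS could further state that matching traffic bypasses IPsec protection entirely, since that is the property a reader of a bypass policy most needs to know.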
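Review bot: The klips add_policy() now accepts `type` but nothing in this hunk consumes it, and the same applies to the netlink and pfkey add_policy() hunks that follow; the function bodies continue outside the hunks, so whether they handle it is not visible here. If a backend does not yet distinguish the new values, a caller asking for POLICY_PASS or POLICY_DROP silently ends up with an ordinary IPsec policy in the kernel, which is a different enforcement outcome from the one requested. Until each backend implements the new types it should refuse them explicitly at the top of the body, `if (type != POLICY_IPSEC) { return NOT_SUPPORTED; }`, so the limitation surfaces as an error to the caller instead of as a wrong policy.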
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 0f243361e..c715d8c73 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1617,7 +1617,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+ policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
 u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool routed)
 {
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 5cd06eb2f..20d1b1205 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1593,7 +1593,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+ policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
 u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool routed)
 {
|