1 files changed, 9 insertions, 6 deletions

diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index f5786447b..a2220c48c 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -99,8 +99,8 @@
 #endif
 
 /** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
+#define PRIO_LOW 1024
+#define PRIO_HIGH 512
 
 #ifdef __APPLE__
 /** from xnu/bsd/net/pfkeyv2.h */
@@ -1651,11 +1651,14 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	pol->sadb_x_policy_dir = dir2kernel(direction);
 	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
-	/* calculate priority based on source selector size, small size = high prio */
+	/* calculate priority based on selector size, small size = high prio */
 	pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
-	pol->sadb_x_policy_priority -= policy->src.mask * 10;
-	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
-	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
+	pol->sadb_x_policy_priority -= policy->src.mask;
+	pol->sadb_x_policy_priority -= policy->dst.mask;
+	pol->sadb_x_policy_priority <<= 2; /* make some room for the flags */
+	pol->sadb_x_policy_priority += policy->src.net->get_port(policy->src.net) ||
+								   policy->dst.net->get_port(policy->dst.net) ? 0 : 2;
+	pol->sadb_x_policy_priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
 #endif
 
 	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */