Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/child_sa.c17
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h2
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c3
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c3
4 files changed, 25 insertions, 0 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 4c97b52eb..e262a2b8f 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -715,6 +715,17 @@ METHOD(child_sa_t, add_policies, status_t,
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
+ /* install outbound drop policy to avoid packets leaving unencrypted
+ * when updating policies */
+ if (priority == POLICY_PRIORITY_DEFAULT)
+ {
+ status |= hydra->kernel_interface->add_policy(
+ hydra->kernel_interface,
+ this->my_addr, this->other_addr, my_ts, other_ts,
+ POLICY_OUT, POLICY_DROP, &other_sa,
+ this->mark_out, POLICY_PRIORITY_FALLBACK);
+ }
+
/* install 3 policies: out, in and forward */
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface,
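Review bot: The fallback DROP policy added here is keyed on the same selectors and `this->mark_out` as the protecting OUT policy, but nothing in this diff handles it outside add_policies/destroy; if child_sa_t re-installs policies elsewhere (for example after an address change), the fallback entry presumably needs the same treatment there, which cannot be confirmed from this hunk. The comment on the new block should also say why only `POLICY_PRIORITY_DEFAULT` gets a fallback and routed/trap policies do not, since that reasoning is not visible here. A failed add_policy for the DROP entry is only folded into `status` while the protecting policies are still installed, which looks intended but deserves a word in the same comment. add_policies begins and ends outside the hunk.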
@@ -963,6 +974,12 @@ METHOD(child_sa_t, destroy, void,
other_ts, my_ts, POLICY_FWD, this->reqid,
this->mark_in, priority);
}
+ if (priority == POLICY_PRIORITY_DEFAULT)
+ {
+ hydra->kernel_interface->del_policy(hydra->kernel_interface,
+ my_ts, other_ts, POLICY_OUT, this->reqid,
+ this->mark_out, POLICY_PRIORITY_FALLBACK);
+ }
}
enumerator->destroy(enumerator);
}
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 375945917..986e21fca 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -98,6 +98,8 @@ enum policy_priority_t {
POLICY_PRIORITY_DEFAULT,
/** Priority for trap policies */
POLICY_PRIORITY_ROUTED,
+ /** Priority for fallback drop policies */
+ POLICY_PRIORITY_FALLBACK,
};
/**
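Review bot: The doc comment for `POLICY_PRIORITY_FALLBACK` should state its ordering relative to the other values, since callers rely on it being the lowest-precedence priority (the kernel plugins in this commit map it to a larger numeric value than `POLICY_PRIORITY_ROUTED`), e.g. `/** Priority for fallback drop policies, lower than routed and default so they match only when no other policy does */`. Because the value is appended to an enum that each kernel backend's get_priority() switches on, any backend not touched by this commit would handle it through whatever it does for unrecognised values, which is worth checking.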
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 26919a613..06720a0f4 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -575,6 +575,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
u_int32_t priority = PRIO_BASE;
switch (prio)
{
+ case POLICY_PRIORITY_FALLBACK:
+ priority <<= 1;
+ /* fall-through */
case POLICY_PRIORITY_ROUTED:
priority <<= 1;
/* fall-through */
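Review bot: The fall-through gives `POLICY_PRIORITY_FALLBACK` one more left shift of PRIO_BASE than `POLICY_PRIORITY_ROUTED`, but whatever get_priority() later subtracts for selector specificity is outside this hunk, so it is worth confirming that a fallback DROP policy with a very specific selector can never end up numerically below a `POLICY_PRIORITY_DEFAULT` policy with a broad one; otherwise the drop policy would take precedence over the protecting one. A one-line comment on the new case, e.g. `/* lowest precedence: one shift beyond routed policies */`, would record the intent. The switch and the enclosing function continue past the hunk.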
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index f96dbcf23..2b07fc2b2 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -509,6 +509,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
u_int32_t priority = PRIO_BASE;
switch (prio)
{
+ case POLICY_PRIORITY_FALLBACK:
+ priority <<= 1;
+ /* fall-through */
case POLICY_PRIORITY_ROUTED:
priority <<= 1;
/* fall-through */
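Review bot: This mirrors the netlink computation, but as far as I know PF_KEY policy priorities are a Linux-specific extension; on a kernel that ignores the priority field the new DROP policy shares selectors with the protecting policy and which one matches would depend on kernel behaviour not visible here. A comment flagging that assumption on the new case, e.g. `/* fallback drop policies rely on the kernel honoring policy priorities */`, would make the dependency explicit. The switch continues past the hunk.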