From 83312ee5e4eb8f17d7213206eb4a34df2b75c524 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 1 Apr 2016 17:06:10 +0200
Subject: kernel-netlink: Prefer policies with reqid over those without

This allows two CHILD_SAs with reversed subnets to install two FWD policies each. Since the outbound policy won't have a reqid set we will end up with the two inbound FWD policies installed in the kernel, with the correct templates to allow decrypted traffic.
---
 src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c')

diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 22afc6352..b147590e3 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2403,7 +2403,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 enumerator = policy->used_by->create_enumerator(policy->used_by);
 while (enumerator->enumerate(enumerator, (void**)¤t_sa))
 {
- if (current_sa->priority >= assigned_sa->priority)
+ if (current_sa->priority > assigned_sa->priority)
+ {
+ break;
+ }
+ /* prefer SAs with a reqid over those without */
+ if (current_sa->priority == assigned_sa->priority &&
+ (!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid))
 {
 break;
 }
-- 
cgit v1.2.3
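Review bot: The added comment `/* prefer SAs with a reqid over those without */` names the winner but not why the position in `used_by` matters, so a reader of this loop alone cannot tell that "prefer" means "insert earlier"; from the commit message it appears the head entry is the one whose reqid ends up in the installed policy's template, which is the property the new ordering relies on. I would expand it to `/* keep used_by sorted by priority; within the same priority SAs with a reqid go first, as the head entry presumably determines the template of the installed policy */`. The two new ifs could also be folded into a single continue that makes the one exception to the previous `>=` ordering explicit: `if (current_sa->priority == assigned_sa->priority && current_sa->sa->cfg.reqid && !assigned_sa->sa->cfg.reqid) { continue; }` followed by the original `if (current_sa->priority >= assigned_sa->priority) { break; }`, which is equivalent by De Morgan. The enclosing add_policy body, including the insertion after the loop that this order is meant to feed, lies outside the hunk, so whether the head entry is really the one used cannot be confirmed here.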