From 8925abbec49a6c603ce3417569d7c2392633739f Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Tue, 29 Jul 2014 16:38:45 +0200
Subject: kernel-netlink: Add an option to enforce using XFRM_MSG_UPDPOLICY

---
 src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c')

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 0f88b649e..977d6299a 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -321,6 +321,11 @@ struct private_kernel_netlink_ipsec_t {
 */
 bool policy_history;
 
+ /** * Wheter to always use UPDATE to install policies */
+ bool policy_update;
+
 /**
 * Installed port based IKE bypass policies, as bypass_t
 */
@@ -2319,6 +2324,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 return SUCCESS;
 }
 
+ if (this->policy_update) { found = TRUE; }
+
 DBG2(DBG_KNL, "%s policy %R === %R %N (mark %u/0x%08x)",
 found ? "updating" : "adding", src_ts, dst_ts,
 policy_dir_names, direction, mark.value, mark.mask);
@@ -2849,6 +2859,8 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 .bypass = array_create(sizeof(bypass_t), 0),
 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 .policy_history = TRUE,
+ .policy_update = lib->settings->get_bool(lib->settings, "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
 .install_routes = lib->settings->get_bool(lib->settings,
 "%s.install_routes", TRUE, lib->ns),
 .proto_port_transport = lib->settings->get_bool(lib->settings,
-- 
cgit v1.2.3
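Review bot: The doc comment on the new `policy_update` field in the first hunk has a typo ("Wheter") and does not say what the flag actually changes, so a reader of the struct has to find the add_policy hunk to learn that it forces the XFRM_MSG_UPDPOLICY path named in the commit subject. Suggested text: `/** Whether to always install policies with XFRM_MSG_UPDPOLICY (update), even when no matching policy is tracked locally */`. The struct definition begins and ends outside the hunk.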
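Review bot: In the second hunk, forcing `found = TRUE` overloads a flag that so far meant "a matching policy entry already exists in our table" to also mean "send an update", so the DBG2 line directly below now logs "updating" for a policy that is being installed for the first time, and anything later in add_policy that keys on `found` (the function continues outside the hunk) inherits the forced value. Since XFRM_MSG_UPDPOLICY replaces whatever policy the kernel already holds for that selector, including one installed by another tool that a plain add would normally refuse as already existing, the option also hides such conflicts from the operator; that is presumably intended, but it deserves a comment at the new block, e.g. `/* XFRM_MSG_UPDPOLICY replaces a policy already present in the kernel instead of failing; forcing the "found" path selects it unconditionally */`. Consider leaving `found` untouched and deriving the message type from `found || this->policy_update` where it is chosen, so the log still reflects whether the entry was new to this daemon.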
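Review bot: The third hunk reads the new `%s.plugins.kernel-netlink.policy_update` setting with a FALSE default, but the diffstat shows only kernel_netlink_ipsec.c changing, so nothing in this commit documents the option for operators; unless the settings reference lives outside this patch, add an entry along the lines of "always use XFRM_MSG_UPDPOLICY to install policies, replacing any policy already present in the kernel for the same selector (default: no)". Defaulting to FALSE keeps the existing behaviour, which is the right choice for an option that can mask policy conflicts. The initializer list continues outside the hunk.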