From d7a59f1976f1d917f5cc934a95f1a809148cb160 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 27 Jul 2011 13:44:33 +0200
Subject: Install fallback drop policies to avoid transmitting unencrypted
 packets.

During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy
is first uninstalled and then the new one is installed.  In the short
time in between, where no policy is available in the kernel, unencrypted
packets could have been transmitted.
---
 src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c')

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 26919a613..06720a0f4 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -575,6 +575,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
 	u_int32_t priority = PRIO_BASE;
 	switch (prio)
 	{
+		case POLICY_PRIORITY_FALLBACK:
+			priority <<= 1;
+			/* fall-through */
 		case POLICY_PRIORITY_ROUTED:
 			priority <<= 1;
 			/* fall-through */
-- 
cgit v1.2.3