From d7a59f1976f1d917f5cc934a95f1a809148cb160 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 27 Jul 2011 13:44:33 +0200
Subject: Install fallback drop policies to avoid transmitting unencrypted packets.

During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy is first uninstalled and then the new one is installed. In the short time in between, where no policy is available in the kernel, unencrypted packets could have been transmitted.
---
 src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c')

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 26919a613..06720a0f4 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -575,6 +575,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
 u_int32_t priority = PRIO_BASE;
 switch (prio)
 {
+ case POLICY_PRIORITY_FALLBACK:
+ priority <<= 1;
+ /* fall-through */
 case POLICY_PRIORITY_ROUTED:
 priority <<= 1;
 /* fall-through */
--
cgit v1.2.3
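Review bot: The new POLICY_PRIORITY_FALLBACK case depends on the fall-through order to give fallback policies the largest numeric priority, yet nothing in the hunk records why that ordering matters; since XFRM selects the policy with the lowest numeric priority, a comment on the new case such as `/* fallback drop policies get the lowest precedence (highest value) so they match only when no regular policy covers the traffic */` would make the invariant explicit for anyone later reordering the cases. The rest of the switch and the return of get_priority lie outside the hunk, so whether a further case adds another shift, and thus the final value for fallback policies, cannot be seen here. The commit message describes installing drop policies during a CHILD_SA update, but this excerpt (limited to kernel_netlink_ipsec.c) only adds the priority level; the code that installs and removes those fallback policies is not visible in it, so the message's claim that the gap is closed should be read as applying to the full commit rather than this hunk.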