kernel-netlink: Set SPI on outbound policy

This should cause the right SA to get used if there are multiple outbound SAs and the policies are installed properly.
2017-07-11 10:59:11 +02:00 · 2017-07-11 10:59:11 +02:00 · 2699c8387a
parent a46d233c0e
commit 2699c8387a
1 changed files with 10 additions and 4 deletions
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@ -1141,7 +1141,7 @@ static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
 	private_kernel_netlink_ipsec_t *this)
 {
-	return KERNEL_ESP_V3_TFC;
+	return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI;
 }

 /**
@ -2409,11 +2409,13 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 		struct xfrm_user_tmpl *tmpl;
 		struct {
 			uint8_t proto;
+			uint32_t spi;
 			bool use;
 		} protos[] = {
-			{ IPPROTO_COMP, ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
-			{ IPPROTO_ESP, ipsec->cfg.esp.use },
-			{ IPPROTO_AH, ipsec->cfg.ah.use },
+			{ IPPROTO_COMP, htonl(ntohs(ipsec->cfg.ipcomp.cpi)),
+			  ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
+			{ IPPROTO_ESP, ipsec->cfg.esp.spi, ipsec->cfg.esp.use },
+			{ IPPROTO_AH, ipsec->cfg.ah.spi, ipsec->cfg.ah.use },
 		};
 		ipsec_mode_t proto_mode = ipsec->cfg.mode;
 		int count = 0;
@ -2441,6 +2443,10 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			}
 			tmpl->reqid = ipsec->cfg.reqid;
 			tmpl->id.proto = protos[i].proto;
+			if (policy->direction == POLICY_OUT)
+			{
+				tmpl->id.spi = protos[i].spi;
+			}
 			tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
 			tmpl->mode = mode2kernel(proto_mode);
 			tmpl->optional = protos[i].proto == IPPROTO_COMP &&