kernel-netlink: Don't install routes for CHILD_SAs with interface ID
parent
5b2078ad09
commit
801a5d3133
|
@ -2846,10 +2846,12 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
|
|||
* - this is an outbound policy (to just get one for each child)
|
||||
* - routing is not disabled via strongswan.conf
|
||||
* - the selector is not for a specific protocol/port
|
||||
* - no XFRM interface ID is configured
|
||||
* - we are in tunnel/BEET mode or install a bypass policy
|
||||
*/
|
||||
if (policy->direction == POLICY_OUT && this->install_routes &&
|
||||
!policy->sel.proto && !policy->sel.dport && !policy->sel.sport)
|
||||
!policy->sel.proto && !policy->sel.dport && !policy->sel.sport &&
|
||||
!policy->if_id)
|
||||
{
|
||||
if (mapping->type == POLICY_PASS ||
|
||||
(mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
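Review bot: The new bullet "no XFRM interface ID is configured" and the matching `!policy->if_id` test state the condition but not why routes are skipped, so a later reader cannot tell whether this is a limitation or a deliberate design choice; the commit message only restates the behaviour. I would extend the bullet to something like `* - no XFRM interface ID is configured (traffic is expected to be routed via the XFRM interface itself, which the daemon does not manage)`, hedged as appropriate if that rationale is not exactly right. As a minor style point, `!policy->if_id` is the cheapest test in the condition and could sit next to the `direction`/`install_routes` checks on the first line rather than on its own trailing line. The body of add_policy_internal continues outside the hunk, so any other routing decisions that depend on if_id elsewhere in the function are not visible here.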
|
||||
|
|
|
@ -934,6 +934,8 @@ connections.<conn>.children.<child>.if_id_out = 0
|
|||
instance, beyond that the value _%unique-dir_ assigns a different unique
|
||||
interface ID for each CHILD_SA direction (in/out).
|
||||
|
||||
The daemon will not install routes for CHILD_SAs that have this option set.
|
||||
|
||||
connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
|
||||
Netfilter mark applied to packets after the inbound IPsec SA processed them.
|
||||
|
||||
|
|