kernel-netlink: Prefer policies with reqid over those without
This allows two CHILD_SAs with reversed subnets to install two FWD policies each. Since the outbound policy won't have a reqid set, we will end up with the two inbound FWD policies installed in the kernel, with the correct templates to allow decrypted traffic.
This commit is contained in:
parent
f7e9e6a3fd
commit
83312ee5e4
|
@ -2403,7 +2403,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
|
|||
enumerator = policy->used_by->create_enumerator(policy->used_by);
|
||||
while (enumerator->enumerate(enumerator, (void**)¤t_sa))
|
||||
{
|
||||
if (current_sa->priority >= assigned_sa->priority)
|
||||
if (current_sa->priority > assigned_sa->priority)
|
||||
{
|
||||
break;
|
||||
}
|
||||
/* prefer SAs with a reqid over those without */
|
||||
if (current_sa->priority == assigned_sa->priority &&
|
||||
(!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid))
|
||||
{
|
||||
break;
|
||||
}
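Review bot: The added tie-break condition `(!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid)` is written in its negated form, so the reader has to invert it to see that the loop only moves past an equal-priority SA when current_sa has a reqid and assigned_sa does not; the one-line comment above it does not say that. Since the chosen SA decides which template the installed FWD policy carries, I would spell the rule out: `/* at equal priority, stop here unless current_sa has a reqid and the assigned SA does not; only then is current_sa the better choice */`. The hunk also reads `assigned_sa->sa->cfg.reqid` on every equal-priority iteration, which presumes assigned_sa was set to a valid entry before the loop; that initialization and the rest of the loop body are outside the hunk, so this note cannot confirm it. The rendered page shows `¤t_sa` on the enumerate line, which appears to be a display artifact of `&current_sa` rather than a change in the commit.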
|
||||