kernel-netlink: Prefer policies with reqid over those without

This allows two CHILD_SAs with reversed subnets to install two FWD
policies each.  Since the outbound policy won't have a reqid set we will
end up with the two inbound FWD policies installed in the kernel, with
the correct templates to allow decrypted traffic.
Tobias Brunner 2016-04-01 17:06:10 +02:00 committed by Andreas Steffen
parent f7e9e6a3fd
commit 83312ee5e4
1 changed file with 7 additions and 1 deletion


@ -2403,7 +2403,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
enumerator = policy->used_by->create_enumerator(policy->used_by);
while (enumerator->enumerate(enumerator, (void**)&current_sa))
{
if (current_sa->priority >= assigned_sa->priority)
if (current_sa->priority > assigned_sa->priority)
{
break;
}
/* prefer SAs with a reqid over those without */
if (current_sa->priority == assigned_sa->priority &&
(!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid))
{
break;
}
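Review bot: the inline comment on the second check states the intent but not the insertion rule the compound condition implements, which takes a moment to decode; consider spelling it out, e.g. `/* equal priority: insert before current unless current has a reqid and we don't */`, so the `(!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid)` expression reads as "current has no reqid, or both have one". Note also that relaxing the first check from `>=` to `>` changes nothing for unequal priorities, and for equal priorities the second check reproduces the old "insert before current" behaviour in every case except the one the commit message describes (an existing SA with a reqid stays ahead of a new one without). Given that the message motivates this with the two-CHILD_SA reversed-subnet scenario, a test that installs the two FWD policies in both orders and asserts which SA ends up first in `used_by` would pin that ordering down.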