kernel-wfp: Install inbound ALE IP-in-IP filters
author: Martin Willi <martin@revosec.ch>
Thu, 27 Nov 2014 18:19:09 +0000 (19:19 +0100)
committer: Martin Willi <martin@revosec.ch>
Thu, 4 Dec 2014 10:10:48 +0000 (11:10 +0100)
commit: a8142a17cff1a420599b30c13568bda1fa0a6653
tree: 9b104895b091de6f69b90a6b0bedd58ab9480a4c
parent: 070461b70d7c192bae01a11bf7ee7763bf30fe0e
kernel-wfp: Install inbound ALE IP-in-IP filters

When processing inbound tunnel mode packets, Windows decrypts packets and
filters them as IP-in-IP packets. We therefore require an ALE filter that
calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them
when using a default-drop policy.

Without these rules, any outbound packet created an ALE state that allows
inbound packets as well. Processing inbound packets without any outbound
traffic fails without these rules.
src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c