shunt-manager: Install "outbound" FWD policy
authorTobias Brunner <tobias@strongswan.org>
Mon, 4 Apr 2016 08:49:35 +0000 (10:49 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 9 Apr 2016 14:51:00 +0000 (16:51 +0200)
If there is a default drop policy, forwarded traffic might otherwise not
be allowed by a specific passthrough policy (while local traffic is
allowed).

src/libcharon/sa/shunt_manager.c

index 13c8b5e..36af86b 100644 (file)
@@ -124,6 +124,9 @@ static bool install_shunt_policy(child_cfg_t *child)
                                .sa = &sa,
                        };
                        status |= charon->kernel->add_policy(charon->kernel, &id, &policy);
+                       /* install "outbound" forward policy */
+                       id.dir = POLICY_FWD;
+                       status |= charon->kernel->add_policy(charon->kernel, &id, &policy);
                        /* install in policy */
                        id = (kernel_ipsec_policy_id_t){
                                .dir = POLICY_IN,
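Review bot: The added comment on the first new line names the policy but not why it exists, which a reader of install_shunt_policy will need since the same FWD direction is installed twice in this function; I would expand it to `/* install "outbound" forward policy: forwarded traffic matching the OUT selectors must also be passed, or a default drop policy discards it */`. The id reused from the OUT policy is only flipped to POLICY_FWD, so the new entry carries the OUT traffic selectors and mark, which mirrors the existing inbound pattern a few lines down. One thing to keep in mind, inferred rather than visible here: when the local and remote selectors are the same range (a catch-all passthrough), this FWD id is identical to the "inbound" FWD id installed later, and whether add_policy treats the second add as a duplicate or a reference-counted re-add is decided by the kernel backend, not in this hunk. The uninstall hunk in uninstall_shunt_policy mirrors this exactly, so removal stays balanced as long as the backend behaves symmetrically. install_shunt_policy starts and ends outside this hunk.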
@@ -132,7 +135,7 @@ static bool install_shunt_policy(child_cfg_t *child)
                                .mark = child->get_mark(child, TRUE),
                        };
                        status |= charon->kernel->add_policy(charon->kernel, &id, &policy);
-                       /* install forward policy */
+                       /* install "inbound" forward policy */
                        id.dir = POLICY_FWD;
                        status |= charon->kernel->add_policy(charon->kernel, &id, &policy);
                }
@@ -267,6 +270,9 @@ static void uninstall_shunt_policy(child_cfg_t *child)
                                .sa = &sa,
                        };
                        status |= charon->kernel->del_policy(charon->kernel, &id, &policy);
+                       /* uninstall "outbound" forward policy */
+                       id.dir = POLICY_FWD;
+                       status |= charon->kernel->del_policy(charon->kernel, &id, &policy);
                        /* uninstall in policy */
                        id = (kernel_ipsec_policy_id_t){
                                .dir = POLICY_IN,
@@ -275,7 +281,7 @@ static void uninstall_shunt_policy(child_cfg_t *child)
                                .mark = child->get_mark(child, TRUE),
                        };
                        status |= charon->kernel->del_policy(charon->kernel, &id, &policy);
-                       /* uninstall forward policy */
+                       /* uninstall "inbound" forward policy */
                        id.dir = POLICY_FWD;
                        status |= charon->kernel->del_policy(charon->kernel, &id, &policy);
                }