projects / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 194b69f)
kernel-netlink: Enable TFC padding only for tunnel mode ESP SAs
authorTobias Brunner <tobias@strongswan.org>
Tue, 19 Nov 2013 11:41:31 +0000 (12:41 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Nov 2013 11:44:16 +0000 (12:44 +0100)
The kernel does not allow them for transport mode SAs or IPComp SAs (and
of course not for AH SAs).

Fixes #446.

src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c patch | blob | history

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8352b93..128e657 100644 (file)
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1459,8 +1459,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                goto failed;
        }
 
-       if (tfc)
-       {
+       if (tfc && protocol == IPPROTO_ESP && mode == MODE_TUNNEL)
+       {       /* the kernel supports TFC padding only for tunnel mode ESP SAs */
                u_int32_t *tfcpad;
 
                tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
strongSwan - IPsec VPN