kernel-netlink: install selectors on SA for transport/BEET mode without proto/port
authorMartin Willi <martin@revosec.ch>
Wed, 5 Jun 2013 09:39:35 +0000 (11:39 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 19 Jun 2013 14:36:01 +0000 (16:36 +0200)
If a transport/BEET SA has different selectors for different proto/ports,
installing just the proto/port of the first SA would break any additional
selector.

src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 47e725c..2f8cb6b 100644 (file)
@@ -1224,6 +1224,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                        if(src_ts && dst_ts)
                        {
                                sa->sel = ts2selector(src_ts, dst_ts);
+                               /* don't install proto/port on SA. This would break
+                                * potential secondary SAs for the same address using a
+                                * different prot/port. */
+                               sa->sel.proto = 0;
+                               sa->sel.dport = sa->sel.dport_mask = 0;
+                               sa->sel.sport = sa->sel.sport_mask = 0;
                        }
                        break;
                default:
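Review bot: With proto and both ports zeroed, the SA selector only names the address pair, so the kernel SA now matches any protocol and port for those addresses and the narrowing to the configured traffic selectors is left entirely to the installed policy; the new comment should state that explicitly, e.g. `/* keep only addresses in the SA selector: proto/port are enforced by the policy, so further SAs for the same address pair with another proto/port stay usable */`. The comment also has a typo, `prot/port` should read `proto/port`. If the same selector shaping is needed elsewhere (the policy path presumably still uses the full ts2selector() result, which is what it should do), it may be cleaner to add a flag to ts2selector() than to zero the fields after the fact. The enclosing switch case and the add_sa method continue outside the hunk.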