kernel-netlink: Allow IPsec policies to replace shunt policies
authorTobias Brunner <tobias@strongswan.org>
Mon, 5 Oct 2015 12:36:29 +0000 (14:36 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 10 Nov 2015 15:42:53 +0000 (16:42 +0100)
Shunt policies don't have a reqid set, so we allow unequal reqids in
this particular case (i.e. if one of the reqids is 0).

src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 2b965d5..8c506d9 100644 (file)
@@ -2135,7 +2135,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
                        {
                                continue;
                        }
-                       tmpl->reqid = policy->reqid;
+                       tmpl->reqid = ipsec->cfg.reqid;
                        tmpl->id.proto = protos[i].proto;
                        tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
                        tmpl->mode = mode2kernel(proto_mode);
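Review bot: The template reqid now comes from `ipsec->cfg.reqid` instead of the stored policy entry, and the two can differ once an IPsec policy replaces a shunt entry whose reqid is 0, but nothing in the hunk explains the choice. A short comment on the changed line, such as `/* use the SA's reqid: the policy entry may still carry a shunt's reqid (0) */`, would make the intent visible to the next reader. add_policy_internal starts and ends outside the hunk, so whether policy->reqid is updated to the new value after the replacement cannot be seen here; if it is not, the entry keeps reporting reqid 0 in the diagnostics of add_policy and del_policy while the kernel template carries the real one, which is worth confirming.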
@@ -2317,7 +2317,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
        current = this->policies->get(this->policies, policy);
        if (current)
        {
-               if (current->reqid != sa->reqid)
+               if (current->reqid && sa->reqid && current->reqid != sa->reqid)
                {
                        DBG1(DBG_CFG, "unable to install policy %R === %R %N (mark "
                                 "%u/0x%08x) for reqid %u, the same policy for reqid %u exists",
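Review bot: The relaxed condition on the new line is symmetric, so besides letting an IPsec policy (non-zero sa->reqid) pass over an existing shunt (current->reqid == 0) it also lets a shunt pass this check on top of an existing IPsec policy with a non-zero reqid, which is the reverse of what the commit title describes; whether that direction is wanted is not visible here. If only the shunt-to-IPsec direction is intended, `if (current->reqid && current->reqid != sa->reqid)` rejects a shunt over an installed IPsec policy while still allowing the replacement of a shunt. Either way the zero-reqid special case deserves a one-line comment above the check, e.g. `/* shunt policies have no reqid, so let an IPsec policy replace them */`. add_policy continues outside the hunk, so it cannot be seen whether current->reqid is then set to sa->reqid for the replaced entry.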
@@ -2503,7 +2503,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
        /* find the policy */
        this->mutex->lock(this->mutex);
        current = this->policies->get(this->policies, &policy);
-       if (!current || current->reqid != sa->reqid)
+       if (!current)
        {
                if (mark.value)
                {
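Review bot: The new condition drops the reqid comparison entirely instead of relaxing it the way add_policy does in this commit, so a del_policy call for one non-zero reqid now finds the entry installed for a different non-zero reqid on the same selectors and mark. Unless the mismatch is rejected further down in del_policy (the function continues outside the hunk), applying the same rule as in add_policy keeps the shunt case working without losing the guard: `if (!current || (current->reqid && sa->reqid && current->reqid != sa->reqid))`. A comment on the line saying why a reqid of 0 is accepted would also help, since the asymmetry between the two checks is otherwise easy to misread as an oversight.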