kernel-netlink: Prefer policies with reqid over those without
author: Tobias Brunner <tobias@strongswan.org>
Fri, 1 Apr 2016 15:06:10 +0000 (17:06 +0200)
committer: Andreas Steffen <andreas.steffen@strongswan.org>
Sat, 9 Apr 2016 14:51:00 +0000 (16:51 +0200)
This allows two CHILD_SAs with reversed subnets to install two FWD
policies each.  Since the outbound policy won't have a reqid set, we will
end up with the two inbound FWD policies installed in the kernel, with
the correct templates to allow decrypted traffic.

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 22afc63..b147590 100644
@@ -2403,7 +2403,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
        enumerator = policy->used_by->create_enumerator(policy->used_by);
        while (enumerator->enumerate(enumerator, (void**)&current_sa))
        {
-               if (current_sa->priority >= assigned_sa->priority)
+               if (current_sa->priority > assigned_sa->priority)
+               {
+                       break;
+               }
+               /* prefer SAs with a reqid over those without */
+               if (current_sa->priority == assigned_sa->priority &&
+                       (!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid))
                {
                        break;
                }
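Review bot: the second condition in this hunk, `(!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid)`, is correct but hard to read in review: the only case in which the loop is meant to continue past an equal-priority entry is when `current_sa` has no reqid and `assigned_sa` does, and the expression states that as its negation. Consider spelling the intent out so the next reader does not have to work through the truth table, e.g. `bool current_has_reqid = current_sa->sa->cfg.reqid != 0;` and `if (current_sa->priority == assigned_sa->priority && !(assigned_has_reqid && !current_has_reqid))`, or extend the one-line comment to say that at equal priority the new SA is inserted ahead of entries without a reqid and behind everything else (preserving insertion order among equals). Two further points: the check treats `cfg.reqid == 0` as "no reqid", so the ordering depends on 0 never being a valid assigned reqid, which is the assumption the commit message also makes and is worth stating in the comment; and the hunk ends at the `break` with the insertion itself outside the shown context, so a reviewer has to take on faith that the element is inserted before `current_sa` rather than after it, which is what the "prefer" semantics require. Behaviour for all other combinations (both with reqid, neither with reqid, or only `current_sa` with reqid) is unchanged from the previous `>=` check.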