child-sa: Only install outbound FWD policies if explicitly configured
authorTobias Brunner <tobias@strongswan.org>
Thu, 18 Aug 2016 13:09:08 +0000 (15:09 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 28 Sep 2016 15:56:44 +0000 (17:56 +0200)
They are only required if drop policies would otherwise prevent
forwarding traffic.  This reduces the number of policies and avoids
conflicts e.g. with SPD hash thresholds.

src/libcharon/sa/child_sa.c

index 8a405d9..e4364de 100644 (file)
@@ -111,12 +111,17 @@ struct private_child_sa_t {
         */
        bool static_reqid;
 
-       /*
+       /**
         * Unique CHILD_SA identifier
         */
        uint32_t unique_id;
 
        /**
+        * Whether FWD policieis in the outbound direction should be installed
+        */
+       bool policies_fwd_out;
+
+       /**
         * inbound mark used for this child_sa
         */
        mark_t mark_in;
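Review bot: The doc comment on the new `policies_fwd_out` field has a typo ("policieis") and does not say where the value comes from or why the policies are optional, although the field is read by both the install and the delete path. Suggested wording: `Whether FWD policies in the outbound direction should be installed (taken from the config at creation; only needed if drop policies would otherwise block forwarded traffic)`. The struct definition continues outside the hunk.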
@@ -931,15 +936,19 @@ static status_t install_policies_internal(private_child_sa_t *this,
                 * policies of two SAs we install them with reduced priority.  As they
                 * basically act as bypass policies for drop policies we use a higher
                 * priority than is used for them. */
-               out_id.dir = POLICY_FWD;
-               other_sa->reqid = 0;
-               if (priority == POLICY_PRIORITY_DEFAULT)
+               if (this->policies_fwd_out)
                {
-                       out_policy.prio = POLICY_PRIORITY_ROUTED;
+                       out_id.dir = POLICY_FWD;
+                       other_sa->reqid = 0;
+                       if (priority == POLICY_PRIORITY_DEFAULT)
+                       {
+                               out_policy.prio = POLICY_PRIORITY_ROUTED;
+                       }
+                       status |= charon->kernel->add_policy(charon->kernel, &out_id,
+                                                                                                &out_policy);
+                       /* reset the reqid for any other further policies */
+                       other_sa->reqid = this->reqid;
                }
-               status |= charon->kernel->add_policy(charon->kernel, &out_id, &out_policy);
-               /* reset the reqid for any other further policies */
-               other_sa->reqid = this->reqid;
        }
        return status;
 }
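Review bot: The comment block ending just above the new `if (this->policies_fwd_out)` still describes the outbound FWD policy as if it were always installed; it should now state that the policy is optional and why, e.g. append `Outbound FWD policies are only installed if explicitly enabled (policies_fwd_out), as they are only needed to bypass drop policies.` The mirrored block in del_policies_internal in the next hunk has the same gap and must stay in lockstep with this one, otherwise a kernel policy is either left behind or deleted without having been added; a one-line cross-reference comment in each would make that coupling visible. install_policies_internal starts outside the hunk.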
@@ -988,14 +997,17 @@ static void del_policies_internal(private_child_sa_t *this,
                in_id.dir = POLICY_FWD;
                charon->kernel->del_policy(charon->kernel, &in_id, &in_policy);
 
-               out_id.dir = POLICY_FWD;
-               other_sa->reqid = 0;
-               if (priority == POLICY_PRIORITY_DEFAULT)
+               if (this->policies_fwd_out)
                {
-                       out_policy.prio = POLICY_PRIORITY_ROUTED;
+                       out_id.dir = POLICY_FWD;
+                       other_sa->reqid = 0;
+                       if (priority == POLICY_PRIORITY_DEFAULT)
+                       {
+                               out_policy.prio = POLICY_PRIORITY_ROUTED;
+                       }
+                       charon->kernel->del_policy(charon->kernel, &out_id, &out_policy);
+                       other_sa->reqid = this->reqid;
                }
-               charon->kernel->del_policy(charon->kernel, &out_id, &out_policy);
-               other_sa->reqid = this->reqid;
        }
 }
 
@@ -1443,6 +1455,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
                .mark_in = config->get_mark(config, TRUE),
                .mark_out = config->get_mark(config, FALSE),
                .install_time = time_monotonic(NULL),
+               .policies_fwd_out = config->install_fwd_out_policy(config),
        );
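Review bot: `config->install_fwd_out_policy(config)` is a child_cfg_t method that does not appear in this diff, so presumably it is added in a separate commit; if that commit does not precede this one in history, the tree will not build at this point, which breaks bisecting. child_sa_create starts outside the hunk.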
 
        this->config = config;