kernel-wfp: Disable IPsec policy updates
authorMartin Willi <martin@revosec.ch>
Wed, 11 Dec 2013 15:02:11 +0000 (16:02 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 4 Jun 2014 14:32:07 +0000 (16:32 +0200)
It seems that WFP requires an update of the SA context only, but not of the
filters. This allows us to omit support for (fallback) drop policies.

src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c

index 9073dec..a7d8a98 100644 (file)
@@ -996,7 +996,7 @@ static bool install(private_kernel_wfp_ipsec_t *this, entry_t *entry)
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
        private_kernel_wfp_ipsec_t *this)
 {
-       return KERNEL_ESP_V3_TFC;
+       return KERNEL_ESP_V3_TFC | KERNEL_NO_POLICY_UPDATES;
 }
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
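Review bot: The KERNEL_NO_POLICY_UPDATES bit added to the return line is not explained where it is set, and the commit message itself only says it "seems" that WFP needs SA-context updates alone, so a reader of get_features cannot tell whether this is a verified WFP property or a working assumption. A comment above the return would preserve that distinction, e.g. `/* WFP is assumed to need SA context updates only, not filter updates, so charon is told to skip policy updates (and with them fallback drop policies); see add_policy */`. If the assumption ever turns out not to hold, the filters installed by add_policy would be kept unchanged across SA updates, which is exactly the case the comment should point the reader at. The enclosing function is fully visible in the hunk.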
@@ -1281,6 +1281,15 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
                return NOT_SUPPORTED;
        }
 
+       switch (type)
+       {
+               case POLICY_IPSEC:
+                       break;
+               case POLICY_PASS:
+               case POLICY_DROP:
+                       return NOT_SUPPORTED;
+       }
+
        switch (direction)
        {
                case POLICY_OUT:
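Review bot: The new `switch (type)` has no `default` label, so any policy_type_t value other than the three named ones falls through to the filter installation below as if it were POLICY_IPSEC. Since the intent of the hunk is to reject policy kinds the plugin cannot install, add `default: return NOT_SUPPORTED;` after the POLICY_DROP case so an unknown type fails closed rather than being installed silently. A one-line comment on the rejected cases would also help, e.g. `/* only IPsec policies are mapped to WFP filters; pass/drop are not installed, see KERNEL_NO_POLICY_UPDATES in get_features */`. add_policy starts before this hunk and continues after it.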
@@ -1297,11 +1306,9 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
        {
                case POLICY_PRIORITY_DEFAULT:
                        break;
-               case POLICY_PRIORITY_FALLBACK:
-                       /* TODO: install fallback policy? */
-                       return SUCCESS;
                case POLICY_PRIORITY_ROUTED:
                        /* TODO: install trap policy with low prio */
+               case POLICY_PRIORITY_FALLBACK:
                default:
                        return NOT_SUPPORTED;
        }
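Review bot: After the change, POLICY_PRIORITY_ROUTED falls through the new POLICY_PRIORITY_FALLBACK label into `default`, but the fall-through is unmarked and the `/* TODO: install trap policy with low prio */` comment now sits between two case labels, where it reads as if it belonged to FALLBACK. Group the labels and mark the fall-through explicitly: `case POLICY_PRIORITY_ROUTED: /* TODO: install trap policy with low prio */`, then `case POLICY_PRIORITY_FALLBACK: /* fallback drop policies are not installed, see KERNEL_NO_POLICY_UPDATES */`, then `default: return NOT_SUPPORTED;`. Note that the removed FALLBACK branch returned SUCCESS whereas the new one returns NOT_SUPPORTED, so a caller that still requests a fallback policy now gets an error; whether charon ever does so once KERNEL_NO_POLICY_UPDATES is set is not visible here. add_policy's body starts and ends outside the hunk.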