kernel-netlink: Selectively add selector on SAs that use IPComp

Don't add a selector to tunnel mode SAs, these might serve multiple
traffic selectors but with only one selector on the SA only the traffic
matching the first one would actually get tunneled.

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 128e657..8287f9d 100644 (file)
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1203,6 +1203,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        struct nlmsghdr *hdr;
        struct xfrm_usersa_info *sa;
        u_int16_t icv_size = 64;
+       ipsec_mode_t original_mode = mode;
        status_t status = FAILED;
 
        /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
@@ -1243,7 +1244,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                        break;
                case MODE_BEET:
                case MODE_TRANSPORT:
-                       if(src_ts && dst_ts)
+                       if (original_mode == MODE_TUNNEL)
+                       {       /* don't install selectors for switched SAs.  because only one
+                                * selector can be installed other traffic would get dropped */
+                               break;
+                       }
+                       if (src_ts && dst_ts)
                        {
                                sa->sel = ts2selector(src_ts, dst_ts);
                                /* don't install proto/port on SA. This would break