kernel-netlink: Only associate templates with inbound FWD policies
author: Tobias Brunner <tobias@strongswan.org>
Fri, 1 Apr 2016 14:51:51 +0000 (16:51 +0200)
committer: Andreas Steffen <andreas.steffen@strongswan.org>
Sat, 9 Apr 2016 14:51:00 +0000 (16:51 +0200)
We can't set a template on the outbound FWD policy (or we'd have to make
it optional), because if the traffic does not come from another (matching)
IPsec tunnel it would get dropped due to the template mismatch.

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index df79f86..22afc63 100644
@@ -2156,7 +2156,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
        policy_info->lft.soft_use_expires_seconds = 0;
        policy_info->lft.hard_use_expires_seconds = 0;
 
-       if (mapping->type == POLICY_IPSEC)
+       if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid)
        {
                struct xfrm_user_tmpl *tmpl;
                struct {
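Review bot: the new `&& ipsec->cfg.reqid` condition encodes the "inbound FWD only" rule from the title indirectly: it relies on the caller passing a zero reqid for the outbound FWD policy and a non-zero one everywhere else, but nothing in this hunk states that invariant. A short comment above the `if` would make the intent explicit, e.g. `/* no template on outbound FWD policies (reqid 0), see commit message */`, so that a later change which starts setting reqid on outbound FWD policies does not silently reintroduce the drop described in the message. It is also worth confirming that a POLICY_IPSEC entry without templates is what the kernel should receive in that case rather than skipping the policy entirely; the hunk shows only the template block being bypassed.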