kernel-netlink: Only disable DF-flag copying on outbound SAs
authorTobias Brunner <tobias@strongswan.org>
Tue, 30 Apr 2024 13:11:12 +0000 (15:11 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 7 Aug 2024 12:41:28 +0000 (14:41 +0200)
Disabling DF-flag copying on inbound SAs will cause errors if the SA
direction attribute is used.

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 3fec329b2a4fa1c212f9041a4f3d3e3814ead317..493a22910a4fb6a33a72738c115adb31367e1586 100644 (file)
@@ -1724,11 +1724,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        sa->family = id->src->get_family(id->src);
        sa->mode = mode2kernel(mode);
 
-       if (!data->copy_df)
-       {
-               sa->flags |= XFRM_STATE_NOPMTUDISC;
-       }
-
        if (!data->copy_ecn)
        {
                sa->flags |= XFRM_STATE_NOECN;
@@ -1748,6 +1743,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        }
        else
        {
+               if (!data->copy_df)
+               {
+                       sa->flags |= XFRM_STATE_NOPMTUDISC;
+               }
                switch (data->copy_dscp)
                {
                        case DSCP_COPY_IN_ONLY:
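Review bot: The `copy_df` check that now sits at the top of the `else` branch carries no comment saying why it is direction-specific, while the neighbouring `copy_ecn` check in the first hunk stays unconditional, so a later cleanup could easily hoist it back and reintroduce the errors the commit message describes. I would add a short comment above it, e.g. `/* only set on outbound SAs, the kernel may reject this flag on inbound SAs that carry the SA direction attribute */`. The `if` this `else` belongs to starts outside the hunk, so reading this branch as the outbound path is inferred from the commit title rather than from visible lines. The move also stops setting `XFRM_STATE_NOPMTUDISC` on inbound SAs when no direction attribute is sent, so it is worth confirming that the flag never had an effect on the inbound path.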