child-sa: Only install outbound FWD policies if explicitly configured

They are only required if drop policies would otherwise prevent
forwarding traffic.  This reduces the number of policies and avoids
conflicts e.g. with SPD hash thresholds.

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 8a405d93cefae037a6115d34f8c9a05c0c185b06..e4364de12fd6405e98fcd746a07f9fc13f35d3d9 100644 (file)
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -111,11 +111,16 @@ struct private_child_sa_t {
         */
        bool static_reqid;
 
-       /*
+       /**
         * Unique CHILD_SA identifier
         */
        uint32_t unique_id;
 
+       /**
+        * Whether FWD policieis in the outbound direction should be installed
+        */
+       bool policies_fwd_out;
+
        /**
         * inbound mark used for this child_sa
         */
@@ -931,15 +936,19 @@ static status_t install_policies_internal(private_child_sa_t *this,
                 * policies of two SAs we install them with reduced priority.  As they
                 * basically act as bypass policies for drop policies we use a higher
                 * priority than is used for them. */
-               out_id.dir = POLICY_FWD;
-               other_sa->reqid = 0;
-               if (priority == POLICY_PRIORITY_DEFAULT)
+               if (this->policies_fwd_out)
                {
-                       out_policy.prio = POLICY_PRIORITY_ROUTED;
+                       out_id.dir = POLICY_FWD;
+                       other_sa->reqid = 0;
+                       if (priority == POLICY_PRIORITY_DEFAULT)
+                       {
+                               out_policy.prio = POLICY_PRIORITY_ROUTED;
+                       }
+                       status |= charon->kernel->add_policy(charon->kernel, &out_id,
+                                                                                                &out_policy);
+                       /* reset the reqid for any other further policies */
+                       other_sa->reqid = this->reqid;
                }
-               status |= charon->kernel->add_policy(charon->kernel, &out_id, &out_policy);
-               /* reset the reqid for any other further policies */
-               other_sa->reqid = this->reqid;
        }
        return status;
 }
@@ -988,14 +997,17 @@ static void del_policies_internal(private_child_sa_t *this,
                in_id.dir = POLICY_FWD;
                charon->kernel->del_policy(charon->kernel, &in_id, &in_policy);
 
-               out_id.dir = POLICY_FWD;
-               other_sa->reqid = 0;
-               if (priority == POLICY_PRIORITY_DEFAULT)
+               if (this->policies_fwd_out)
                {
-                       out_policy.prio = POLICY_PRIORITY_ROUTED;
+                       out_id.dir = POLICY_FWD;
+                       other_sa->reqid = 0;
+                       if (priority == POLICY_PRIORITY_DEFAULT)
+                       {
+                               out_policy.prio = POLICY_PRIORITY_ROUTED;
+                       }
+                       charon->kernel->del_policy(charon->kernel, &out_id, &out_policy);
+                       other_sa->reqid = this->reqid;
                }
-               charon->kernel->del_policy(charon->kernel, &out_id, &out_policy);
-               other_sa->reqid = this->reqid;
        }
 }
 
@@ -1443,6 +1455,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
                .mark_in = config->get_mark(config, TRUE),
                .mark_out = config->get_mark(config, FALSE),
                .install_time = time_monotonic(NULL),
+               .policies_fwd_out = config->install_fwd_out_policy(config),
        );
 
        this->config = config;