kernel-wfp: Disable IPsec policy updates

It seems that WFP requires an update of the SA context only, but not for the
filters. This allows us to omit support for (fallback) drop policies.

diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index 9073dec331bfcf8df9f67d907995f1f7c1377e5a..a7d8a9839484eebd3342459579e3a0a94bbebf11 100644 (file)
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -996,7 +996,7 @@ static bool install(private_kernel_wfp_ipsec_t *this, entry_t *entry)
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
        private_kernel_wfp_ipsec_t *this)
 {
-       return KERNEL_ESP_V3_TFC;
+       return KERNEL_ESP_V3_TFC | KERNEL_NO_POLICY_UPDATES;
 }
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
@@ -1281,6 +1281,15 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
                return NOT_SUPPORTED;
        }
 
+       switch (type)
+       {
+               case POLICY_IPSEC:
+                       break;
+               case POLICY_PASS:
+               case POLICY_DROP:
+                       return NOT_SUPPORTED;
+       }
+
        switch (direction)
        {
                case POLICY_OUT:
@@ -1297,11 +1306,9 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
        {
                case POLICY_PRIORITY_DEFAULT:
                        break;
-               case POLICY_PRIORITY_FALLBACK:
-                       /* TODO: install fallback policy? */
-                       return SUCCESS;
                case POLICY_PRIORITY_ROUTED:
                        /* TODO: install trap policy with low prio */
+               case POLICY_PRIORITY_FALLBACK:
                default:
                        return NOT_SUPPORTED;
        }