From: Martin Willi Date: Wed, 11 Dec 2013 14:57:46 +0000 (+0100) Subject: kernel-interface: Add a flag to indicate no policy updates required X-Git-Tag: 5.2.0dr6~22^2~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7452adfad38f36f2996057237e5588c75dba0766;p=thirdparty%2Fstrongswan.git kernel-interface: Add a flag to indicate no policy updates required --- diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 847cfc78f7..bbf6259c2a 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -730,6 +730,17 @@ METHOD(child_sa_t, install, status_t, return status; } +/** + * Check kernel interface if policy updates are required + */ +static bool require_policy_update() +{ + kernel_feature_t f; + + f = hydra->kernel_interface->get_features(hydra->kernel_interface); + return !(f & KERNEL_NO_POLICY_UPDATES); +} + /** * Install 3 policies: out, in and forward */ @@ -842,7 +853,7 @@ METHOD(child_sa_t, add_policies, status_t, { /* install outbound drop policy to avoid packets leaving unencrypted * when updating policies */ - if (priority == POLICY_PRIORITY_DEFAULT) + if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update()) { status |= install_policies_internal(this, this->my_addr, this->other_addr, my_ts, other_ts, @@ -936,7 +947,7 @@ METHOD(child_sa_t, update, status_t, } } - if (this->config->install_policy(this->config)) + if (this->config->install_policy(this->config) && require_policy_update()) { ipsec_sa_cfg_t my_sa = { .mode = this->mode, @@ -1075,7 +1086,7 @@ METHOD(child_sa_t, destroy, void, while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { del_policies_internal(this, my_ts, other_ts, priority); - if (priority == POLICY_PRIORITY_DEFAULT) + if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update()) { del_policies_internal(this, my_ts, other_ts, POLICY_PRIORITY_FALLBACK); diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index cc47d3c4ab..3b1010d24a 100644 --- a/src/libhydra/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -69,6 +69,8 @@ enum kernel_feature_t { KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1), /** IPsec implementation requires UDP encapsulation of ESP packets */ KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2), + /** IPsec backend does not require a policy reinstall on SA updates */ + KERNEL_NO_POLICY_UPDATES = (1<<3), }; /**