child-cfg: Skip non-matching TS instead of replacing them for transport mode
get_traffic_selectors() is called the same way also as responder when
selecting child configs via peer_cfg_t::select_child_cfg(). Replacing
TS for all child configs could lead to selecting one that later fails
to actually narrow the traffic selectors. Ignoring non-matching TS also
helps if we have a trap config with multiple remote subnets (otherwise,
we'd have to filter duplicates afterwards).
When installing traps, the hosts might be %any, in which case we allow
the configured (technically non-matching) TS for the wildcard use case.
Fixes: da82786b2d8c ("child-cfg: Always apply hosts to traffic selectors if proposing transport mode")
Closes strongswan/strongswan#1143
projects / thirdparty / strongswan.git / commit
