This allows two CHILD_SAs with reversed subnets to install two FWD
policies each. Since the outbound policy won't have a reqid set we will
end up with the two inbound FWD policies installed in the kernel, with
the correct templates to allow decrypted traffic.
enumerator = policy->used_by->create_enumerator(policy->used_by);
while (enumerator->enumerate(enumerator, (void**)¤t_sa))
{
- if (current_sa->priority >= assigned_sa->priority)
+ if (current_sa->priority > assigned_sa->priority)
+ {
+ break;
+ }
+ /* prefer SAs with a reqid over those without */
+ if (current_sa->priority == assigned_sa->priority &&
+ (!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid))
{
break;
}
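Review bot: The tie-break condition `(!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid)` in the added equal-priority check is hard to verify against its one-line comment, which covers only one of the four reqid combinations. As written, at equal priority the assigned SA is placed before the current one when both have a reqid, when neither has one, or when only the assigned SA has one; it is placed after only when the current SA has a reqid and the assigned SA does not. Please expand the comment to state that ordering explicitly, and to say why an entry without a reqid must sort behind one with a reqid (the commit message explains that the outbound policy carries no reqid, but that reasoning is not recorded in the code). It would also help to note that equal-priority entries that both carry a reqid keep the previous behaviour from `>=`, where the most recently assigned SA goes first.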