kernel-pfkey: Don't install routes for drop policies and if protocol/ports are in...
authorTobias Brunner <tobias@strongswan.org>
Thu, 9 Jun 2016 13:46:32 +0000 (15:46 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 10 Jun 2016 13:25:05 +0000 (15:25 +0200)
src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index a5d3c0a4bf6c843eeb19b0668c77207d29d86479..b92a6e541a9b3183e7b8ba7f7a102dfe07f3adb5 100644 (file)
@@ -2560,13 +2560,20 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 
        /* install a route, if:
         * - this is an inbound policy (to just get one for each child)
-        * - we are in tunnel mode or install a bypass policy
         * - routing is not disabled via strongswan.conf
+        * - the selector is not for a specific protocol/port
+        * - we are in tunnel mode or install a bypass policy
         */
        if (policy->direction == POLICY_IN && this->install_routes &&
-               (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
+               policy->src.proto == IPSEC_PROTO_ANY &&
+               !policy->src.net->get_port(policy->src.net) &&
+               !policy->dst.net->get_port(policy->dst.net))
        {
-               install_route(this, policy, (policy_sa_in_t*)mapping);
+               if (mapping->type == POLICY_PASS ||
+                  (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
+               {
+                       install_route(this, policy, (policy_sa_in_t*)mapping);
+               }
        }
        this->mutex->unlock(this->mutex);
        return SUCCESS;
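Review bot: The new guard tests only `policy->src.proto == IPSEC_PROTO_ANY`, while the updated comment says a route is skipped whenever "the selector" names a specific protocol; the destination side is checked for a port but not for a protocol. If `policy->dst` carries a `proto` member like `policy->src` does (both expose `.net`, so this seems likely, but the struct is not visible here), a policy whose protocol is only set on the destination selector would still get a route, which is the over-broad routing of unrelated traffic the commit sets out to avoid. Adding `policy->dst.proto == IPSEC_PROTO_ANY &&` next to the src check would make the code match the comment; if the two fields are always equal by construction, a one-line comment saying so at the src check would spare the next reader the same question. add_policy_internal begins before this hunk and its closing brace lies past it.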