free(out);
/* install a route, if:
- * - this is a forward policy (to just get one for each child)
- * - we are in tunnel mode
+ * - this is an inbound policy (to just get one for each child)
+ * - we are in tunnel mode or install a bypass policy
* - routing is not disabled via strongswan.conf
*/
- if (policy->direction == POLICY_IN &&
- ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
+ if (policy->direction == POLICY_IN && this->install_routes &&
+ (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
{
install_route(this, policy, (policy_sa_in_t*)mapping);
}
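Review bot: The added test `mapping->type != POLICY_IPSEC` is wider than the comment's "or install a bypass policy": it holds for every non-IPsec policy type, so an inbound drop policy (if the type enum has one, as `POLICY_DROP` in strongSwan's `policy_type_t`) would also get a route installed, in any mode. If only pass-through policies are meant, test for that explicitly with `mapping->type == POLICY_PASS`; otherwise reword the comment line to `* - we are in tunnel mode or this is not an IPsec policy`. The cast `(policy_sa_in_t*)mapping` is now reached for non-IPsec mappings as well, which is only safe if every inbound mapping is allocated as a `policy_sa_in_t` regardless of type; the allocation is not visible here and should be confirmed. The enclosing function starts and ends outside the hunk.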