kernel-netlink: Enable ICMP forwarding on inbound SA and out/fwd policies
authorTobias Brunner <tobias@strongswan.org>
Mon, 7 Feb 2022 13:21:01 +0000 (14:21 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 7 Feb 2022 14:05:30 +0000 (15:05 +0100)
src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 3c5d226ce81321e2a7eef01a4a25c05e30f98451..2d6e551c15e24c95b9a054b5112f315da468378d 100644 (file)
@@ -1586,6 +1586,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                sa->flags |= XFRM_STATE_NOECN;
        }
 
+       if (data->inbound && data->forward_icmp)
+       {
+               sa->flags |= XFRM_STATE_ICMP;
+       }
+
        if (data->inbound)
        {
                switch (data->copy_dscp)
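Review bot: The new `XFRM_STATE_ICMP` block in add_sa has no comment, although it relaxes inbound checking on the SA rather than just toggling a cosmetic option. As far as I know, the kernel consults this flag when an ICMP error arriving over the SA fails the normal policy check, and then validates the packet embedded in the error in the reverse direction instead. I would put a comment above the `if`, such as `/* accept ICMP errors whose embedded packet matches this SA even if the ICMP packet itself is outside the selectors */`, so an auditor sees the trade-off at the point where it is enabled. As a style point, the check could sit inside the `if (data->inbound)` block that follows; that block and the rest of add_sa continue outside this hunk.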
@@ -2707,6 +2712,12 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
                                                                                                           : XFRM_POLICY_BLOCK;
        policy_info->share = XFRM_SHARE_ANY;
 
+       if (mapping->type == POLICY_IPSEC && policy->direction != POLICY_IN &&
+               ipsec->cfg.forward_icmp)
+       {
+               policy_info->flags |= XFRM_POLICY_ICMP;
+       }
+
        /* policies don't expire */
        policy_info->lft.soft_byte_limit = XFRM_INF;
        policy_info->lft.soft_packet_limit = XFRM_INF;
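Review bot: The condition `policy->direction != POLICY_IN` in add_policy_internal is unexplained, so a reader cannot tell from the code why inbound policies are excluded while the inbound SA gets the matching state flag. Presumably the inbound case is covered by `XFRM_STATE_ICMP` on the SA and only out/fwd lookups consult the policy flag; if so, say it in a comment, e.g. `/* inbound ICMP errors are handled via XFRM_STATE_ICMP on the SA, only out/fwd policies need this */`. The same comment is a good place to note that the flag lets ICMP errors with addresses outside the negotiated selectors use the policy, since that is the security-relevant effect of `forward_icmp`. The function begins and ends outside this hunk, so whether an already-installed policy is refreshed when `forward_icmp` changes is not visible here.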