kernel-netlink: Only associate templates with inbound FWD policies
authorTobias Brunner <tobias@strongswan.org>
Fri, 1 Apr 2016 14:51:51 +0000 (16:51 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 9 Apr 2016 14:51:00 +0000 (16:51 +0200)
We can't set a template on the outbound FWD policy (or we'd have to make
it optional), because if the traffic does not come from another (matching)
IPsec tunnel it would get dropped due to the template mismatch.

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index df79f86fcb6c7c6da43bf331995d75816265b4c7..22afc63529763f19a3ace61bcd5d9c46e5ec26f4 100644 (file)
@@ -2156,7 +2156,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
        policy_info->lft.soft_use_expires_seconds = 0;
        policy_info->lft.hard_use_expires_seconds = 0;
 
-       if (mapping->type == POLICY_IPSEC)
+       if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid)
        {
                struct xfrm_user_tmpl *tmpl;
                struct {
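Review bot: The added `ipsec->cfg.reqid` test on the `if` turns a zero reqid into the implicit signal for "install this IPsec policy without a template", and nothing at the condition says so. A policy installed without a template is not matched by the kernel against the SA that protected the packet, so any other path that reaches here with `POLICY_IPSEC` and a reqid of 0 would silently lose that check; whether such a path exists is not visible from this hunk. I would add a comment above the condition, for example `/* reqid 0 marks the outbound FWD policy: no template there, or forwarded traffic not coming from a matching tunnel would be dropped */`, and state where the reqid is expected to be cleared. The body of the `if` and the rest of `add_policy_internal` continue outside the hunk.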