From: Tobias Brunner
Date: Mon, 7 Feb 2022 13:20:39 +0000 (+0100)
Subject: kernel-ipsec: Add flags to enable ICMP error forwarding
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21e5edab108e2c2b034fbabe8d534956e5afc09e;p=thirdparty%2Fstrongswan.git

kernel-ipsec: Add flags to enable ICMP error forwarding

For the Linux kernel, this has to be enabled on the inbound SA and the out and fwd policies.
---
diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
index 3ef5811d9d..b6de950071 100644
--- a/src/libcharon/kernel/kernel_ipsec.h
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -115,6 +115,8 @@ struct kernel_ipsec_add_sa_t {
 dscp_copy_t copy_dscp;
 /** TRUE if the peer doesn't support receiving fragments in AGGFRAG pkts */
 bool iptfs_dont_frag;
+ /** Whether to automatically forward certain ICMP error messages */
+ bool forward_icmp;
 /** TRUE if initiator of the exchange creating the SA */
 bool initiator;
 /** TRUE if this is an inbound SA */
@@ -190,6 +192,8 @@ struct kernel_ipsec_manage_policy_t {
 hw_offload_t hw_offload;
 /** Enable per-CPU acquires */
 bool pcpu_acquires;
+ /** Whether to automatically forward certain ICMP error messages */
+ bool forward_icmp;
 /** Source address of the SA(s) tied to this policy */
 host_t *src;
 /** Destination address of the SA(s) tied to this policy */
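Review bot: The doc comment on the new `forward_icmp` field in `kernel_ipsec_add_sa_t` does not say on which SAs the flag takes effect or what "certain" covers, and the identical comment added to `kernel_ipsec_manage_policy_t` in the second hunk has the same gap. The commit description states that on Linux the flag has to be set on the inbound SA and on the out and fwd policies, so a caller that sets only one of the two fields, or sets it for the wrong direction, would presumably get no forwarding and no error. Since the flag appears to let ICMP errors pass that the negotiated selectors alone would not describe, the comments should carry that contract, e.g. `/** TRUE to forward ICMP errors related to protected traffic (only relevant for inbound SAs, also set it on the out/fwd policies) */` and `/** TRUE to forward ICMP errors related to traffic matching this policy (out and fwd policies, requires the flag on the inbound SA) */`. Both struct definitions start and end outside the hunks, so how callers initialise the field, and whether it defaults to FALSE everywhere, is not visible here.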