From: Tobias Brunner
Date: Tue, 30 Apr 2024 13:11:12 +0000 (+0200)
Subject: kernel-netlink: Only disable DF-flag copying on outbound SAs
X-Git-Tag: 6.0.0rc1~58^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2601fabbb4e137efd0804f4941887c920680e981;p=thirdparty%2Fstrongswan.git

kernel-netlink: Only disable DF-flag copying on outbound SAs

This will cause errors on inbound SAs if the SA direction attribute is used.
---
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 3fec329b2a..493a22910a 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1724,11 +1724,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 sa->family = id->src->get_family(id->src);
 sa->mode = mode2kernel(mode);
- if (!data->copy_df)
- {
- sa->flags |= XFRM_STATE_NOPMTUDISC;
- }
-
 if (!data->copy_ecn)
 {
 sa->flags |= XFRM_STATE_NOECN;
@@ -1748,6 +1743,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 }
 else
 {
+ if (!data->copy_df)
+ {
+ sa->flags |= XFRM_STATE_NOPMTUDISC;
+ }
 switch (data->copy_dscp)
 {
 case DSCP_COPY_IN_ONLY:
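Review bot: The `if (!data->copy_df)` block added to the `else` branch of the second hunk has no comment saying why XFRM_STATE_NOPMTUDISC is confined to this branch, and the condition that selects the branch lies outside the hunk, so nothing visible here marks it as the outbound path. Going by the commit message, setting the flag on an inbound SA causes errors once the SA direction attribute is used. A short comment above the check, such as `/* outbound SAs only, setting this on inbound SAs causes errors if the SA direction attribute is used */`, would keep a later cleanup from hoisting it back next to the `copy_ecn` check. add_sa's body starts and ends outside the hunk.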