From: Tobias Brunner
Date: Tue, 19 Nov 2013 11:41:31 +0000 (+0100)
Subject: kernel-netlink: Enable TFC padding only for tunnel mode ESP SAs
X-Git-Tag: 5.1.2dr1~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38a4f1964e98ec9e4e4396c4b3c62855ced6c26a;p=thirdparty%2Fstrongswan.git
kernel-netlink: Enable TFC padding only for tunnel mode ESP SAs
The kernel does not allow them for transport mode SAs or IPComp SAs (and of course not for AH SAs).
Fixes #446.
---
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8352b9311e..128e6571c9 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1459,8 +1459,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 goto failed;
 }
- if (tfc)
- {
+ if (tfc && protocol == IPPROTO_ESP && mode == MODE_TUNNEL)
+ { /* the kernel supports TFC padding only for tunnel mode ESP SAs */
 u_int32_t *tfcpad;
 tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
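Review bot: With the new condition `tfc && protocol == IPPROTO_ESP && mode == MODE_TUNNEL`, a non-zero `tfc` on a transport mode or non-ESP SA is now dropped without any trace. TFC padding is a traffic-analysis countermeasure, so an operator who configured it would reasonably assume it is active on every SA of that connection. Unless the caller already reports this, a log line on the skipped path would make the downgrade visible, for example `else if (tfc) { DBG2(DBG_KNL, "TFC padding not supported for this SA, ignored"); }`. The `if` block and the rest of `add_sa` continue outside the hunk, so the `else` placement needs checking against the full body. As a style point, the explanatory comment would read better on its own line above the `if` than trailing the opening brace.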