From: Tobias Brunner
Date: Thu, 9 Jun 2016 13:46:32 +0000 (+0200)
Subject: kernel-pfkey: Don't install routes for drop policies and if protocol/ports are in...
X-Git-Tag: 5.5.0dr1~29^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85fed13c18ca0a6913e90f0426e73caea17da79a;p=thirdparty%2Fstrongswan.git

kernel-pfkey: Don't install routes for drop policies and if protocol/ports are in the selector
---

diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index a5d3c0a4bf..b92a6e541a 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2560,13 +2560,20 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 /* install a route, if:
 * - this is an inbound policy (to just get one for each child)
- * - we are in tunnel mode or install a bypass policy
 * - routing is not disabled via strongswan.conf
+ * - the selector is not for a specific protocol/port
+ * - we are in tunnel mode or install a bypass policy
 */
 if (policy->direction == POLICY_IN && this->install_routes &&
- (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
+ policy->src.proto == IPSEC_PROTO_ANY &&
+ !policy->src.net->get_port(policy->src.net) &&
+ !policy->dst.net->get_port(policy->dst.net))
 {
- install_route(this, policy, (policy_sa_in_t*)mapping);
+ if (mapping->type == POLICY_PASS ||
+ (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
+ {
+ install_route(this, policy, (policy_sa_in_t*)mapping);
+ }
 }
 this->mutex->unlock(this->mutex);
 return SUCCESS;
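Review bot: The new protocol guard in the outer condition checks only `policy->src.proto == IPSEC_PROTO_ANY`, while the port guard is applied symmetrically to `src.net` and `dst.net`; if the entry carries a separate protocol for the destination selector (the paired src/dst fields suggest it may, though only `src.proto` is visible in this hunk), a selector whose protocol is set on the dst side alone would still get a route, so either add `policy->dst.proto == IPSEC_PROTO_ANY &&` beside the src check or say in the comment why the two are guaranteed equal. The port checks also rely on `get_port()` returning 0 for an unspecified port; if that is the host_t convention, a half-line in the comment, ` * (port 0 means any)`, saves the next reader a lookup. The commit title says drop policies no longer get routes, but the hunk expresses that only by enumerating `POLICY_PASS` and tunnel-mode `POLICY_IPSEC` in the inner condition; adding ` * - this is not a drop policy` to the comment block would make the intent explicit. add_policy_internal begins outside the hunk.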