From: Martin Willi Date: Wed, 11 Dec 2013 15:02:11 +0000 (+0100) Subject: kernel-wfp: Disable IPsec policy updates X-Git-Tag: 5.2.0dr6~22^2~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b93492980489fa4ef0664c0ac4669592537ce1c2;p=thirdparty%2Fstrongswan.git kernel-wfp: Disable IPsec policy updates It seems that WFP requires an update of the SA context only, but not for the filters. This allows us to omit support for (fallback) drop policies.
---
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index 9073dec331..a7d8a98394 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -996,7 +996,7 @@ static bool install(private_kernel_wfp_ipsec_t *this, entry_t *entry)
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
 private_kernel_wfp_ipsec_t *this)
 {
- return KERNEL_ESP_V3_TFC;
+ return KERNEL_ESP_V3_TFC | KERNEL_NO_POLICY_UPDATES;
 }
 METHOD(kernel_ipsec_t, get_spi, status_t,
@@ -1281,6 +1281,15 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 return NOT_SUPPORTED;
 }
+ switch (type)
+ {
+ case POLICY_IPSEC:
+ break;
+ case POLICY_PASS:
+ case POLICY_DROP:
+ return NOT_SUPPORTED;
+ }
+
 switch (direction)
 {
 case POLICY_OUT:
@@ -1297,11 +1306,9 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 {
 case POLICY_PRIORITY_DEFAULT:
 break;
- case POLICY_PRIORITY_FALLBACK:
- /* TODO: install fallback policy? */
- return SUCCESS;
 case POLICY_PRIORITY_ROUTED:
 /* TODO: install trap policy with low prio */
+ case POLICY_PRIORITY_FALLBACK:
 default:
 return NOT_SUPPORTED;
 }
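Review bot: The `KERNEL_NO_POLICY_UPDATES` flag added to the return value of get_features() rests on an observation the commit message itself hedges ("It seems that WFP requires an update of the SA context only"), and nothing in the code records that assumption. A comment above the return would keep it visible to the next maintainer, for example `/* WFP keeps the installed filters across SA updates, only the SA context is updated */`. The commit message ties the omission of fallback drop policies to this flag, so if the assumption fails for some update path there is presumably nothing left to block plaintext during that window; it is worth noting in the comment which update scenarios were actually exercised.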
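Review bot: The added `switch (type)` in add_policy has no `default:` label, so a `type` value outside the three listed cases leaves the switch and continues into the IPsec install path, whereas the priority switch later in the same function ends in `default: return NOT_SUPPORTED;`. Rejecting unknown types the same way keeps the function fail-closed: add `default: return NOT_SUPPORTED;` after the `POLICY_DROP` case. Separately, `POLICY_PASS` and `POLICY_DROP` return NOT_SUPPORTED here, so a configured drop shunt is not enforced by this backend; how the caller reacts to that status is not visible in the hunk and should be checked so the failure is surfaced rather than logged and ignored. add_policy starts and ends outside the hunk.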
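Review bot: In the priority switch, `case POLICY_PRIORITY_ROUTED:` keeps its TODO comment and now runs straight into `case POLICY_PRIORITY_FALLBACK:` and `default:`, so the comment reads as if it also described the fallback case and the fall-through is unmarked. Returning NOT_SUPPORTED instead of the former `return SUCCESS;` is the safer answer, since the old branch reported a fallback policy as installed without installing one, but it is only harmless if the daemon stops requesting fallback policies once get_features() announces `KERNEL_NO_POLICY_UPDATES`; that caller logic is outside this diff. A short comment on the new case would record the dependency, for example `/* not requested while we announce KERNEL_NO_POLICY_UPDATES */`, together with a `/* fall-through */` marker after the ROUTED TODO.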