From: Tobias Brunner
Date: Mon, 7 Feb 2022 13:21:01 +0000 (+0100)
Subject: kernel-netlink: Enable ICMP forwarding on inbound SA and out/fwd policies
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0c4ea0d2dc8331e890f92fab18ede569a1dc890;p=thirdparty%2Fstrongswan.git
kernel-netlink: Enable ICMP forwarding on inbound SA and out/fwd policies
---
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 3c5d226ce8..2d6e551c15 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1586,6 +1586,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 sa->flags |= XFRM_STATE_NOECN;
 }
+ if (data->inbound && data->forward_icmp)
+ {
+ sa->flags |= XFRM_STATE_ICMP;
+ }
+
 if (data->inbound)
 {
 switch (data->copy_dscp)
@@ -2707,6 +2712,12 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 : XFRM_POLICY_BLOCK;
 policy_info->share = XFRM_SHARE_ANY;
+ if (mapping->type == POLICY_IPSEC && policy->direction != POLICY_IN &&
+ ipsec->cfg.forward_icmp)
+ {
+ policy_info->flags |= XFRM_POLICY_ICMP;
+ }
+
 /* policies don't expire */
 policy_info->lft.soft_byte_limit = XFRM_INF;
 policy_info->lft.soft_packet_limit = XFRM_INF;
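Review bot: The new `XFRM_STATE_ICMP` block in add_sa has no comment saying what the flag relaxes, and the same goes for the `XFRM_POLICY_ICMP` block in the add_policy_internal hunk. As far as I know, the kernel then accepts an ICMP error on this SA when the packet embedded in it matches the selector, even if the ICMP message's own addresses do not, so the option widens what is accepted through the tunnel. I would add `/* accept ICMP errors whose embedded packet matches this SA, their own addresses usually don't */` above the `if`, and state in the option's description that the originator of such errors is vouched for only by the tunnel peer. Where `forward_icmp` is set and what it defaults to is not visible here; both functions start and end outside their hunks.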
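Review bot: The direction test `policy->direction != POLICY_IN` in add_policy_internal selects by exclusion, so every direction value other than IN receives `XFRM_POLICY_ICMP`, while the commit title names only out and fwd policies. Writing it positively, `(policy->direction == POLICY_OUT || policy->direction == POLICY_FWD)`, keeps the relaxed ICMP matching from silently applying to a direction added later. add_policy_internal starts and ends outside the hunk.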