From: Martin Willi
Date: Wed, 5 Jun 2013 09:39:35 +0000 (+0200)
Subject: kernel-netlink: install selectors on SA for transport/BEET mode without proto/port
X-Git-Tag: 5.1.0dr1~106^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d1af879d2b8c4dbb8d87aa5ca478e37dadb6dc8;p=thirdparty%2Fstrongswan.git
kernel-netlink: install selectors on SA for transport/BEET mode without proto/port
If a transport/BEET SA has different selectors for different proto/ports, installing just the proto/port of the first SA would break any additional selector.
---
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 47e725c1c9..2f8cb6b3e2 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1224,6 +1224,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 if(src_ts && dst_ts)
 {
 sa->sel = ts2selector(src_ts, dst_ts);
+ /* don't install proto/port on SA. This would break
+ * potential secondary SAs for the same address using a
+ * different prot/port. */
+ sa->sel.proto = 0;
+ sa->sel.dport = sa->sel.dport_mask = 0;
+ sa->sel.sport = sa->sel.sport_mask = 0;
 }
 break;
 default:
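Review bot: The zeroing added after `sa->sel = ts2selector(src_ts, dst_ts);` turns the SA selector into an address-only match, so the proto/port negotiated in the traffic selectors for this SA is no longer encoded on the SA itself and can only be enforced by the policies installed for it; the new comment explains the collision it avoids but not this reliance, which a reader inspecting the SA later (e.g. via `ip xfrm state`) would otherwise misread as a wide negotiated selector. The comment also has a typo, `prot/port`. I would reword it as `/* install only the addresses as SA selector: proto/port stay 0 (any) so further SAs between the same addresses with other proto/port are not blocked; the proto/port restriction is enforced by the policy only */`. Whether the policy side actually carries the per-TS proto/port is not visible in this hunk and should be confirmed before relying on it. The enclosing add_sa method begins and ends outside the hunk.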