forecast: Ignore per-CPU CHILD_SAs

Not sure if this combination does make sense as the plugin itself would
be a major bottleneck.

Similar to the connmark plugin, PREROUTING rules list SPIs or UDP ports,
which would be necessary for all SAs while the OUTPUT rules would only be
required once.

diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
index 4983835f1914b376dbe68e85ef81f307b239c36a..3d000bc48c27ce6d860b0c781b7172cc1588e619 100644 (file)
--- a/src/libcharon/plugins/forecast/forecast_listener.c
+++ b/src/libcharon/plugins/forecast/forecast_listener.c
@@ -500,7 +500,8 @@ static bool commit_handle(struct iptc_handle *ipth)
 static bool handle_sa(child_sa_t *child_sa)
 {
        return child_sa->get_mark(child_sa, TRUE).value &&
-                  child_sa->get_mark(child_sa, FALSE).value;
+                  child_sa->get_mark(child_sa, FALSE).value &&
+                  !child_sa->use_per_cpu(child_sa);
 }
 
 METHOD(listener_t, child_updown, bool,