From: Tobias Brunner Date: Thu, 3 Feb 2022 13:46:59 +0000 (+0100) Subject: child-sa: Support dynamically updating trap policies X-Git-Tag: 5.9.6rc1~3^2~20 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=9619b1e757bec8276c67c07235816faaec15bf5d;p=thirdparty%2Fstrongswan.git child-sa: Support dynamically updating trap policies
---
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 2004b1bfab..0956c40248 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1636,13 +1636,16 @@ METHOD(child_sa_t, update, status_t,
 	ipsec_sa_cfg_t my_sa, other_sa;
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
+	policy_priority_t priority;
 	uint32_t manual_prio;
 	status_t state;
 	bool outbound;
 
 	prepare_sa_cfg(this, &my_sa, &other_sa);
 	manual_prio = this->config->get_manual_prio(this->config);
-	outbound = (this->outbound_state & CHILD_OUTBOUND_POLICIES);
+	priority = this->trap ? POLICY_PRIORITY_ROUTED
+						  : POLICY_PRIORITY_DEFAULT;
+	outbound = (this->outbound_state & CHILD_OUTBOUND_POLICIES) || this->trap;
 
 	enumerator = create_policy_enumerator(this);
 	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
@@ -1657,7 +1660,7 @@ METHOD(child_sa_t, update, status_t,
 		/* remove old policies */
 		del_policies_internal(this, this->my_addr, this->other_addr,
 							  my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC,
-							  POLICY_PRIORITY_DEFAULT, manual_prio, outbound);
+							  priority, manual_prio, outbound);
 	}
 	enumerator->destroy(enumerator);
 
@@ -1674,7 +1677,7 @@ METHOD(child_sa_t, update, status_t,
 		{
 			install_policies_internal(this, this->my_addr, this->other_addr,
 									  my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC,
-									  POLICY_PRIORITY_DEFAULT, manual_prio, outbound);
+									  priority, manual_prio, outbound);
 		}
 		else
 		{
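Review bot: The new `|| this->trap` clause on the `outbound` assignment in the first hunk widens the meaning of a flag that the rest of update() reads as "outbound policies are installed", and nothing in the hunk says why a trap SA qualifies; a short comment would keep the next reader from dropping it, e.g. `/* trap policies are installed in both directions, independent of the outbound state */`. The `priority` chosen once before the loop is then substituted uniformly in the delete and install calls of the hunks at -1657, -1674 and -1702, which is consistent; the drop-policy calls further down are not in view and presumably keep their own priority. update() begins before the first hunk and continues past the last.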
@@ -1702,7 +1705,7 @@ METHOD(child_sa_t, update, status_t,
 			/* reinstall updated policies */
 			install_policies_internal(this, me, other, my_ts, other_ts,
									  &my_sa, &other_sa, POLICY_IPSEC,
-									  POLICY_PRIORITY_DEFAULT, manual_prio, outbound);
+									  priority, manual_prio, outbound);
 		}
 		/* remove the drop policy */
 		if (outbound)
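Review bot: With `outbound` now also true for trap SAs, the `if (outbound)` guard closing this hunk removes the temporary drop policy for a trap CHILD_SA as well; the matching installation of that drop policy lies between this hunk and the previous one, outside the view, so it should be confirmed that it keys on the same `outbound` variable, otherwise the removal would target a policy that was never installed. If it does, the drop policy also covers the routed policy while its addresses are swapped, which is the desirable outcome: traffic matching the updated selectors cannot leave in cleartext during the gap between deletion and reinstallation. update() continues past the end of this hunk.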