Diffstat (limited to 'src/libcharon/plugins/kernel_pfkey')
-rw-r--r--src/libcharon/plugins/kernel_pfkey/Makefile.in2
-rw-r--r--src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c45
2 files changed, 28 insertions, 19 deletions
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
index d00e8b337..b138a9603 100644
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
gtk_CFLAGS = @gtk_CFLAGS@
gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 1b22ea549..17878147b 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2017 Tobias Brunner
* Copyright (C) 2008 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -142,7 +142,7 @@
#endif
/** Base priority for installed policies */
-#define PRIO_BASE 100000
+#define PRIO_BASE 200000
#ifdef __APPLE__
/** from xnu/bsd/net/pfkeyv2.h */
@@ -597,17 +597,18 @@ static inline bool policy_entry_match_byindex(policy_entry_t *current,
* This is the same formula we use in the kernel-netlink interface, but some
* features are currently not or only partially supported by PF_KEY.
*
- * bits 0-0: reserved for interface restriction (0..1) 1 bit
- * bits 1-6: src + dst port mask bits (2 * 0..16) 6 bits
- * bits 7-7: restriction to protocol (0..1) 1 bit
- * bits 8-16: src + dst network mask bits (2 * 0..128) 9 bits
- * 17 bits
+ * bits 0-0: separate trap and regular policies (0..1) 1 bit
+ * bits 1-1: reserved for interface restriction (0..1) 1 bit
+ * bits 2-7: src + dst port mask bits (2 * 0..16) 6 bits
+ * bits 8-8: restriction to protocol (0..1) 1 bit
+ * bits 9-17: src + dst network mask bits (2 * 0..128) 9 bits
+ * 18 bits
*
- * smallest value: 000000000 0 000000 0: 0, lowest priority = 100'000
- * largest value : 100000000 1 100000 0: 65'728, highst priority = 34'272
+ * smallest value: 000000000 0 000000 0 0: 0, lowest priority = 100'000
+ * largest value : 100000000 1 100000 0 1: 131'457, highst priority = 68'543
*/
static inline uint32_t get_priority(policy_entry_t *policy,
- policy_priority_t prio)
+ policy_priority_t prio)
{
uint32_t priority = PRIO_BASE;
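Review bot: The rewritten table still ends its "smallest value" line with `lowest priority = 100'000`, while PRIO_BASE is raised to 200000 in this same commit and the "largest value" line already uses the new base (200'000 - 131'457 = 68'543); the line should read `smallest value: 000000000 0 000000 0 0: 0, lowest priority = 200'000`, and the pre-existing `highst` typo on the next line could go at the same time. The table also does not say which policies get bit 0: from the subtraction added at the end of the function it is set for every priority except POLICY_PRIORITY_ROUTED, so a sentence such as `bit 0 is set for regular policies only, so a regular policy outranks an otherwise identical trap policy` (assuming, as the "highest priority" wording implies, that a lower value wins) would tie the comment to the code. get_priority's body continues outside the hunk.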
@@ -617,8 +618,6 @@ static inline uint32_t get_priority(policy_entry_t *policy,
priority += PRIO_BASE;
/* fall-through */
case POLICY_PRIORITY_ROUTED:
- priority += PRIO_BASE;
- /* fall-through */
case POLICY_PRIORITY_DEFAULT:
priority += PRIO_BASE;
/* fall-through */
@@ -627,10 +626,11 @@ static inline uint32_t get_priority(policy_entry_t *policy,
}
/* calculate priority */
- priority -= (policy->src.mask + policy->dst.mask) * 256;
- priority -= policy->src.proto != IPSEC_PROTO_ANY ? 128 : 0;
- priority -= policy->src.net->get_port(policy->src.net) ? 32 : 0;
- priority -= policy->dst.net->get_port(policy->dst.net) ? 32 : 0;
+ priority -= (policy->src.mask + policy->dst.mask) * 512;
+ priority -= policy->src.proto != IPSEC_PROTO_ANY ? 256 : 0;
+ priority -= policy->src.net->get_port(policy->src.net) ? 64 : 0;
+ priority -= policy->dst.net->get_port(policy->dst.net) ? 64 : 0;
+ priority -= (prio != POLICY_PRIORITY_ROUTED);
return priority;
}
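Review bot: `priority -= (prio != POLICY_PRIORITY_ROUTED);` relies on the implicit bool-to-integer conversion while the three lines above it spell their weights out with `? N : 0`; writing it as `priority -= prio != POLICY_PRIORITY_ROUTED ? 1 : 0;` keeps the block uniform and makes the weight visible. A trailing comment such as `/* bit 0: regular policies rank above trap (routed) policies with the same base */` would also help, because the switch in the previous hunk now lets POLICY_PRIORITY_ROUTED fall through to POLICY_PRIORITY_DEFAULT without its own PRIO_BASE increment, so this bit is the only thing separating the two. get_priority starts outside this hunk.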
@@ -1586,8 +1586,15 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
uint8_t protocol, uint32_t *spi)
{
- if (get_spi_internal(this, src, dst, protocol,
- 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
+ uint32_t spi_min, spi_max;
+
+ spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+ KERNEL_SPI_MIN, lib->ns);
+ spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+ KERNEL_SPI_MAX, lib->ns);
+
+ if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
+ max(spi_min, spi_max), spi) != SUCCESS)
{
DBG1(DBG_KNL, "unable to get SPI");
return FAILED;
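Review bot: The two configured values are only ordered with min()/max(), never validated: a spi_min or spi_max set to 0, to a negative number, or to a value that does not fit the target type (get_int presumably returns an int) is converted silently into the uint32_t locals and handed to get_spi_internal, so a misconfiguration can produce a range that includes SPI 0 or the reserved 1-255 range without any log line. Logging the resolved range, e.g. `DBG2(DBG_KNL, "using SPI range %.8x-%.8x", min(spi_min, spi_max), max(spi_min, spi_max));`, or rejecting a range whose lower bound is 0 before the call, would make such a configuration visible. Note that `min`/`max` are presumably macros that evaluate their arguments twice, harmless for these plain locals but worth remembering if the arguments become expressions. get_spi's body continues past the hunk.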
@@ -1717,6 +1724,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
sa->sadb_sa_exttype = SADB_EXT_SA;
sa->sadb_sa_len = PFKEY_LEN(len);
sa->sadb_sa_spi = id->spi;
+ sa->sadb_sa_state = SADB_SASTATE_MATURE;
if (id->proto == IPPROTO_COMP)
{
sa->sadb_sa_encrypt = lookup_algorithm(COMPRESSION_ALGORITHM,
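Review bot: The new `sa->sadb_sa_state = SADB_SASTATE_MATURE;` has no comment on why the state is now set explicitly; before this change the field presumably kept whatever the message buffer was initialised with, which for a zeroed buffer corresponds to SADB_SASTATE_LARVAL. A one-line comment such as `/* mark the SA as mature explicitly, a zeroed state field means SADB_SASTATE_LARVAL */` would document the intent, and the identical line added in update_sa further down needs the same. add_sa's body continues outside the hunk.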
@@ -1889,6 +1897,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
sa->sadb_sa_exttype = SADB_EXT_SA;
sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
sa->sadb_sa_spi = id->spi;
+ sa->sadb_sa_state = SADB_SASTATE_MATURE;
PFKEY_EXT_ADD(msg, sa);
/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though