3 files changed, 46 insertions, 17 deletions

diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index d41ee1456..c7404fe06 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -224,9 +224,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -265,6 +263,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8cc9a6283..4dc80785c 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -58,8 +58,8 @@
 #endif /*IPV6_XFRM_POLICY*/
 
 /** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
+#define PRIO_LOW 1024
+#define PRIO_HIGH 512
 
 /**
  * map the limit for bytes and packets to XFRM_INF per default
@@ -866,7 +866,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
-	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 	u_int16_t cpi, bool encap, bool inbound,
 	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
@@ -882,7 +882,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	if (ipcomp != IPCOMP_NONE && cpi != 0)
 	{
 		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
-		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
+		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc,
 			   &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
 			   mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
 		ipcomp = IPCOMP_NONE;
@@ -920,6 +920,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			sa->flags |= XFRM_STATE_AF_UNSPEC;
 			break;
 		case MODE_BEET:
+		case MODE_TRANSPORT:
 			if(src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
@@ -1153,6 +1154,24 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
+	if (tfc)
+	{
+		u_int32_t *tfcpad;
+
+		rthdr->rta_type = XFRMA_TFCPAD;
+		rthdr->rta_len = RTA_LENGTH(sizeof(u_int32_t));
+
+		hdr->nlmsg_len += rthdr->rta_len;
+		if (hdr->nlmsg_len > sizeof(request))
+		{
+			return FAILED;
+		}
+
+		tfcpad = (u_int32_t*)RTA_DATA(rthdr);
+		*tfcpad = tfc;
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
+
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 	{
 		if (mark.value)
@@ -1687,11 +1706,16 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
 	policy_info->sel = policy->sel;
 	policy_info->dir = policy->direction;
-	/* calculate priority based on source selector size, small size = high prio */
+
+	/* calculate priority based on selector size, small size = high prio */
 	policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
-	policy_info->priority -= policy->sel.prefixlen_s * 10;
-	policy_info->priority -= policy->sel.proto ? 2 : 0;
-	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
+	policy_info->priority -= policy->sel.prefixlen_s;
+	policy_info->priority -= policy->sel.prefixlen_d;
+	policy_info->priority <<= 2; /* make some room for the two flags */
+	policy_info->priority += policy->sel.sport_mask ||
+							 policy->sel.dport_mask ? 0 : 2;
+	policy_info->priority += policy->sel.proto ? 0 : 1;
+
 	policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW
 											  : XFRM_POLICY_BLOCK;
 	policy_info->share = XFRM_SHARE_ANY;
@@ -1813,6 +1837,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 			if (route->if_name)
 			{
+				DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
+					 src_ts, route->gateway, route->src_ip, route->if_name);
 				switch (hydra->kernel_interface->add_route(
 									hydra->kernel_interface, route->dst_net,
 									route->prefixlen, route->gateway,
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
index 212675d1a..9fc1a03f5 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -33,10 +33,8 @@ struct private_kernel_netlink_plugin_t {
 	kernel_netlink_plugin_t public;
 };
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_netlink_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_kernel_netlink_plugin_t *this)
 {
 	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
 					(kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
@@ -50,10 +48,15 @@ static void destroy(private_kernel_netlink_plugin_t *this)
  */
 plugin_t *kernel_netlink_plugin_create()
 {
-	private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_kernel_netlink_plugin_t *this;
 
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
 					(kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
 	hydra->kernel_interface->add_net_interface(hydra->kernel_interface,