add fwd policies (#145507)

1 files changed, 12 insertions, 0 deletions

diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index 4751b5cc..5c836162 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -146,6 +146,7 @@ delete $SRC $DST esp $SPI_ESP_OUT;
 delete $DST $SRC esp $SPI_ESP_IN;
 spddelete $SRCNET $DSTNET any -P out;
 spddelete $DSTNET $SRCNET any -P in;
+spddelete $DSTNET $SRCNET any -P fwd;
 
 # ESP
 ${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -m tunnel -E ${ESP_PROTO_IN:-$ESP_PROTO} $(echo '"')$KEY_ESP_IN$(echo '"');}
@@ -164,6 +165,11 @@ spdadd $DSTNET $SRCNET any -P in ipsec
 	    ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require}
 	    ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require}
 	    ;
+
+spdadd $DSTNET $SRCNET any -P fwd ipsec
+	    ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require}
+	    ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require}
+	    ;
 EOF
     fi
 fi
@@ -196,6 +202,7 @@ EOF
       /sbin/setkey -c >/dev/null 2>&1 << EOF
 spddelete $SRCNET $DSTNET any -P out;
 spddelete $DSTNET $SRCNET any -P in;
+spddelete $DSTNET $SRCNET any -P fwd;
 
 spdadd $SRCNET $DSTNET any -P out ipsec
 	    esp/tunnel/$SRC-$DST/require
@@ -206,6 +213,11 @@ spdadd $DSTNET $SRCNET any -P in ipsec
 	    esp/tunnel/$DST-$SRC/require
 	    ah/tunnel/$DST-$SRC/require
 	    ;
+
+spdadd $DSTNET $SRCNET any -P fwd ipsec
+	    esp/tunnel/$DST-$SRC/require
+	    ah/tunnel/$DST-$SRC/require
+	    ;
 EOF
     fi
     if [ "$IKE_METHOD" = "PSK" ]; then