Here is the patch as discussed in the "Policy Priority
Syntax" thread. It allows a user to set the priority of
a security policy when using setkey or
ipsec_set_policy. The new syntax is described in the
man pages and basically consists of adding a keyword to
indicate that the priority is being specified (one of
"prio" or "priority") followed by either an integer
which is an offset from the default priority, or a
simple arithmetic expression consisting of one of the
defined priority levels ("low", "def", and "high") with
an unsigned integer added or subtracted from it.

As stated in the manpage, as far as setkey is
concerned, policies with higher priorities are placed
earlier in the SPD than those with lower priorities.
Ties are broken by ordering them in a FIFO manner.

The following two example spdadd statements do exactly
the same thing:

spdadd 126.96.36.199 188.8.131.52 udp -P out prio def + 1 ipsec
spdadd 184.108.40.206 220.127.116.11 udp -P out prio 1 ipsec

If the priority is not specified, all policies will be
inserted at the default priority.

Support for policy priorities will only be enabled if
the kernel support is detected by the configure script
(the 2.6.6 kernel supports it). If you compile setkey
against a kernel that supports priorities and then use
it with a kernel that does not support them, you will
receive a warning message indicating that the kernel
does not support it after inserting your first security

The patch is against ipsec-tools 0.3.1. I will also
place this patch in the patches section of the
Sourceforge project page. If you have any questions
regarding this patch, please feel free to contact me.
5775 Morehouse Dr.
San Diego, CA 92121
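As an added illustration that is not part of this message or of the ipsec-tools patch, the following Python model parses the priority expression described above ("prio"/"priority" followed by an integer offset, a named level, or a level plus/minus an unsigned integer) and applies the stated SPD ordering rule: higher priority earlier, FIFO among equal priorities. The numeric values chosen for "low", "def" and "high", the 10.0.0.x addresses, and all function and class names are constructed assumptions; the real setkey grammar and kernel values are not given in the message, and the real tool is written in C, not Python.

```python
import re
from dataclasses import dataclass

# Assumed numeric values for the named levels. The message names the levels
# but gives no numbers; these are constructed so that "high" sorts first.
LEVELS = {"low": -1024, "def": 0, "high": 1024}
DEFAULT_PRIORITY = LEVELS["def"]

# Token shapes accepted after the "prio"/"priority" keyword:
#   <int>                offset from the default priority (sign allowed)
#   <level>              one of low / def / high
#   <level> + <uint>     level plus an unsigned integer
#   <level> - <uint>     level minus an unsigned integer
_INT = re.compile(r"[+-]?\d+$")
_UINT = re.compile(r"\d+$")


def parse_priority(tokens, i):
    """Parse a priority expression starting at tokens[i].

    Returns (priority, index_of_next_token). Raises ValueError on
    malformed input, e.g. a signed operand after a named level.
    """
    if i >= len(tokens):
        raise ValueError("priority keyword without a value")
    tok = tokens[i]
    if _INT.match(tok):
        return DEFAULT_PRIORITY + int(tok), i + 1
    if tok not in LEVELS:
        raise ValueError(f"bad priority value: {tok!r}")
    prio = LEVELS[tok]
    # Optional "+ N" / "- N"; the operand must be an unsigned integer.
    if i + 2 < len(tokens) and tokens[i + 1] in ("+", "-"):
        if not _UINT.match(tokens[i + 2]):
            raise ValueError(f"operand must be unsigned: {tokens[i + 2]!r}")
        n = int(tokens[i + 2])
        prio = prio + n if tokens[i + 1] == "+" else prio - n
        return prio, i + 3
    return prio, i + 1


@dataclass
class Policy:
    src: str
    dst: str
    proto: str
    direction: str
    priority: int
    seq: int  # arrival order; makes FIFO tie-breaking visible


def parse_spdadd(line):
    """Parse 'spdadd SRC DST PROTO -P DIR [prio EXPR] ipsec ...'.

    Only the header up to the 'ipsec' keyword is modelled; the policy
    body that follows it in real setkey syntax is ignored here.
    Returns (src, dst, proto, direction, priority).
    """
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "spdadd" or tokens[4] != "-P":
        raise ValueError(f"unsupported statement: {line!r}")
    src, dst, proto, direction = tokens[1], tokens[2], tokens[3], tokens[5]
    priority = DEFAULT_PRIORITY
    i = 6
    if tokens[i] in ("prio", "priority"):
        priority, i = parse_priority(tokens, i + 1)
    if i >= len(tokens) or tokens[i] != "ipsec":
        raise ValueError(f"expected 'ipsec' after policy header: {line!r}")
    return src, dst, proto, direction, priority


def rejects(line):
    """True if the statement is rejected by the parser (used for checks)."""
    try:
        parse_spdadd(line)
    except ValueError:
        return True
    return False


class SPD:
    """Ordered policy list: higher priority first, FIFO among equal priorities."""

    def __init__(self):
        self.entries = []
        self._seq = 0

    def spdadd(self, line):
        src, dst, proto, direction, prio = parse_spdadd(line)
        self._seq += 1
        pol = Policy(src, dst, proto, direction, prio, self._seq)
        # Insert before the first entry with a strictly lower priority so
        # that equal-priority entries keep their arrival order.
        idx = len(self.entries)
        for k, entry in enumerate(self.entries):
            if entry.priority < prio:
                idx = k
                break
        self.entries.insert(idx, pol)
        return pol

    def order(self):
        """(seq, priority) pairs in SPD order, for inspection."""
        return [(e.seq, e.priority) for e in self.entries]


if __name__ == "__main__":
    spd = SPD()
    # Constructed statements mirroring the message's two equivalent forms.
    spd.spdadd("spdadd 10.0.0.1 10.0.0.2 udp -P out prio def + 1 ipsec")
    spd.spdadd("spdadd 10.0.0.1 10.0.0.3 udp -P out prio 1 ipsec")
    spd.spdadd("spdadd 10.0.0.1 10.0.0.4 udp -P out ipsec")
    spd.spdadd("spdadd 10.0.0.1 10.0.0.5 udp -P out prio high - 1 ipsec")
    spd.spdadd("spdadd 10.0.0.1 10.0.0.6 udp -P out prio low ipsec")
    for seq, prio in spd.order():
        print(f"policy #{seq} priority {prio}")
```

The insertion loop is the whole point of the model: it places a new policy before the first existing entry with a strictly lower priority, which is what makes "higher earlier, ties FIFO" fall out without a separate sort, and it keeps an unspecified priority at the default so that "prio def + 1" and "prio 1" land in the same position.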