Commit 21e5edab10 for strongswan.org

commit 21e5edab108e2c2b034fbabe8d534956e5afc09e
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Mon Feb 7 14:20:39 2022 +0100

    kernel-ipsec: Add flags to enable ICMP error forwarding

    For the Linux kernel, this has to be enabled on the inbound SA and the
    out and fwd policies.

diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
index 3ef5811d9d..b6de950071 100644
--- a/src/libcharon/kernel/kernel_ipsec.h
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -115,6 +115,8 @@ struct kernel_ipsec_add_sa_t {
 	dscp_copy_t copy_dscp;
 	/** TRUE if the peer doesn't support receiving fragments in AGGFRAG pkts */
 	bool iptfs_dont_frag;
+	/** Whether to automatically forward certain ICMP error messages */
+	bool forward_icmp;
 	/** TRUE if initiator of the exchange creating the SA */
 	bool initiator;
 	/** TRUE if this is an inbound SA */
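Review bot: The doc comment on `forward_icmp` here, and the identically worded one added to `kernel_ipsec_manage_policy_t` in the next hunk, does not say which ICMP errors are meant or on which objects the flag takes effect. The commit message states that on Linux it has to be set on the inbound SA and on the out and fwd policies. The flag relaxes selector enforcement for ICMP errors that would otherwise be dropped, so the header should state that scope, for example `/** TRUE to accept/forward ICMP errors whose embedded packet matches the negotiated selectors; only evaluated for inbound SAs */` if that is the intended semantics, with the matching direction note on the policy field. It is also worth stating that the flag stays FALSE unless a caller sets it explicitly. That default presumably follows from zero-initialised structs at the call sites, which are outside this diff and should be confirmed so no existing SA or policy starts forwarding ICMP errors unintentionally.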
@@ -190,6 +192,8 @@ struct kernel_ipsec_manage_policy_t {
 	hw_offload_t hw_offload;
 	/** Enable per-CPU acquires */
 	bool pcpu_acquires;
+	/** Whether to automatically forward certain ICMP error messages */
+	bool forward_icmp;
 	/** Source address of the SA(s) tied to this policy */
 	host_t *src;
 	/** Destination address of the SA(s) tied to this policy */