kernel-netlink: Use interface to next hop for shunt policies
authorTobias Brunner <tobias@strongswan.org>
Fri, 11 Mar 2016 18:09:54 +0000 (19:09 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 10 Jun 2016 11:57:27 +0000 (13:57 +0200)
Using the route's source address to determine the outgoing interface is not
correct for net-to-net shunts between two interfaces when the host has an
IP address in each of the two subnets.

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index be0756d..46f94bd 100644 (file)
@@ -2335,19 +2335,22 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 
                        /* get the interface to install the route for. If we have a local
                         * address, use it. Otherwise (for shunt policies) use the
-                        * routes source address. */
+                        * route's source address. */
                        iface = ipsec->dst;
                        if (iface->is_anyaddr(iface))
                        {
-                               iface = route->src_ip;
-                       }
-                       /* install route via outgoing interface */
-                       if (!charon->kernel->get_interface(charon->kernel, iface,
-                                                                                          &route->if_name))
-                       {
-                               policy_change_done(this, policy);
-                               route_entry_destroy(route);
-                               return SUCCESS;
+                               iface = ipsec->dst;
+                               if (iface->is_anyaddr(iface))
+                               {
+                                       iface = route->src_ip;
+                               }
+                               if (!charon->kernel->get_interface(charon->kernel, iface,
+                                                                                                  &route->if_name))
+                               {
+                                       policy_change_done(this, policy);
+                                       route_entry_destroy(route);
+                                       return SUCCESS;
+                               }
                        }
 
                        if (policy->route)
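Review bot: On the new side as rendered here, the outer `if (iface->is_anyaddr(iface))` (L20) makes the added inner `iface = ipsec->dst;` / `if (iface->is_anyaddr(iface))` (L31-L32) a redundant repeat of the same assignment and test, and it also restricts the `get_interface()` call to the anyaddr (shunt) case, so for a policy with a real local address `route->if_name` is no longer filled in by this block even though the header comment still promises "If we have a local address, use it". If, as the commit title suggests, the interface is now taken from a next-hop lookup earlier in the function (outside this hunk, so I cannot confirm it), the outer guard should test that result rather than repeat the anyaddr check, e.g. `if (!route->if_name)`, and the comment should state that this block is only a fallback when the next-hop lookup yielded no interface. Otherwise the duplicated assignment and check should simply be dropped and the removed `/* install route via outgoing interface */` comment restored before the `get_interface()` call. add_policy_internal starts before and continues after this hunk.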