kernel-pfkey: Use subnet and prefix when determining nexthop for shunt policy routes
authorTobias Brunner <tobias@strongswan.org>
Thu, 26 Jun 2014 13:44:54 +0000 (15:44 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 26 Jun 2014 16:13:09 +0000 (18:13 +0200)
This is basically the same as 88f125f5605e54b38cf8913df79e32ec6bddff10.

src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index 4bc2770..5715476 100644 (file)
@@ -2223,11 +2223,21 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
        INIT(route,
                .prefixlen = policy->src.mask,
                .src_ip = host,
-               .gateway = hydra->kernel_interface->get_nexthop(
-                                                                               hydra->kernel_interface, dst, -1, src),
                .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
        );
 
+       if (!dst->is_anyaddr(dst))
+       {
+               route->gateway = hydra->kernel_interface->get_nexthop(
+                                                                       hydra->kernel_interface, dst, -1, src);
+       }
+       else
+       {       /* for shunt policies */
+               route->gateway = hydra->kernel_interface->get_nexthop(
+                                                                       hydra->kernel_interface, policy->src.net,
+                                                                       policy->src.mask, route->src_ip);
+       }
+
        /* if the IP is virtual, we install the route over the interface it has
         * been installed on. Otherwise we use the interface we use for IKE, as
         * this is required for example on Linux. */
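Review bot: The `/* for shunt policies */` comment on the else branch does not say why an %any `dst` identifies a shunt policy, or why the lookup then switches to `policy->src.net` and `policy->src.mask`. The two branches also pass different source addresses (`src` versus `route->src_ip`) with no explanation. I would expand the comment to something like `/* shunt policies have no peer address (dst is %any), so look up the nexthop for the policy's own subnet and prefix */` and state whether the differing source argument is intentional. Neither branch checks the result of `get_nexthop()` inside the hunk. If that call can fail, what happens to the route depends on the rest of install_route, which lies outside the hunk; this is worth confirming because a shunt route with a missing or wrong gateway would presumably misroute the traffic the policy is meant to exempt.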