kernel-netlink: Don't install routes for CHILD_SAs with interface ID
authorTobias Brunner <tobias@strongswan.org>
Fri, 1 Mar 2019 09:19:32 +0000 (10:19 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 4 Apr 2019 07:31:38 +0000 (09:31 +0200)
src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/swanctl/swanctl.opt

index 205e772..27bb379 100644 (file)
@@ -2846,10 +2846,12 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
         * - this is an outbound policy (to just get one for each child)
         * - routing is not disabled via strongswan.conf
         * - the selector is not for a specific protocol/port
+        * - no XFRM interface ID is configured
         * - we are in tunnel/BEET mode or install a bypass policy
         */
        if (policy->direction == POLICY_OUT && this->install_routes &&
-               !policy->sel.proto && !policy->sel.dport && !policy->sel.sport)
+               !policy->sel.proto && !policy->sel.dport && !policy->sel.sport &&
+               !policy->if_id)
        {
                if (mapping->type == POLICY_PASS ||
                   (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
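Review bot: The route-install guard in add_policy_internal now has six conjuncts spread over three lines, and the only explanation of why `if_id` excludes a route is the bullet added to the comment; whatever path later removes the route must apply the identical rule, or a route that was never installed may be "removed" (and a route for a policy that later gains an if_id left behind). If route state is tracked per policy entry that is fine, but it is not visible in this hunk, so it is worth confirming the delete side does not recompute this condition independently. A small helper would keep both sides in sync and make the intent self-documenting, e.g. `static bool policy_needs_route(policy_entry_t *policy)` returning `policy->direction == POLICY_OUT && !policy->sel.proto && !policy->sel.dport && !policy->sel.sport && !policy->if_id`, with the `this->install_routes` and mode checks staying at the call site. add_policy_internal begins and ends outside this hunk.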
index 3f27fee..c02c574 100644 (file)
@@ -934,6 +934,8 @@ connections.<conn>.children.<child>.if_id_out = 0
        instance, beyond that the value _%unique-dir_ assigns a different unique
        interface ID for each CHILD_SA direction (in/out).
 
+       The daemon will not install routes for CHILD_SAs that have this option set.
+
 connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
        Netfilter mark applied to packets after the inbound IPsec SA processed them.