kernel-netlink: Properly compare routes for policies without gateway/netxhop
authorTobias Brunner <tobias@strongswan.org>
Thu, 5 Dec 2019 15:15:33 +0000 (16:15 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 6 Dec 2019 09:28:13 +0000 (10:28 +0100)
This happened when installing a duplicate bypass policy for a locally
connected subnet.  The destructor and the kernel-net part already
handle this correctly.

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 4465d41..c1b4418 100644 (file)
@@ -409,10 +409,14 @@ static void route_entry_destroy(route_entry_t *this)
  */
 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
 {
-       return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
-                  a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
-                  a->gateway->ip_equals(a->gateway, b->gateway) &&
-                  chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
+       if (a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+               a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
+               chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen)
+       {
+               return (!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
+                                       a->gateway->ip_equals(a->gateway, b->gateway));
+       }
+       return FALSE;
 }
 
 typedef struct ipsec_sa_t ipsec_sa_t;
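Review bot: The new body still calls `a->src_ip->ip_equals(...)` on line 22 unconditionally, so if src_ip can be absent for the same bypass-route case that made gateway optional (not visible from this hunk), the comparison would dereference NULL before reaching the new gateway guard; worth confirming against route_entry_t's constructor. The function's doc comment opens above the hunk and should state the new contract, e.g. `Gateway is optional: two entries compare equal only if both lack one or both have an equal one`, since a caller reading only the prototype would otherwise assume gateway is always set. Stylistically the nested if/return could be a single expression that returns the gateway clause directly, but the current form is readable as is.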