kernel-pfkey: when installing a route for a virtual IP, use its interface
authorMartin Willi <martin@revosec.ch>
Fri, 19 Apr 2013 12:27:31 +0000 (14:27 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 6 May 2013 14:10:13 +0000 (16:10 +0200)
When installing a route over a tun device for a virtual IP, the route must
be set over the tun, not the IKE interface.

src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index 5d059cf..1aa7a6a 100644 (file)
@@ -1923,9 +1923,10 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 {
        route_entry_t *route, *old;
        host_t *host, *src, *dst;
+       bool is_virtual;
 
        if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-                                                                               in->dst_ts, &host, NULL) != SUCCESS)
+                                                                       in->dst_ts, &host, &is_virtual) != SUCCESS)
        {
                return FALSE;
        }
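Review bot: `is_virtual` is declared without an initializer in this hunk and is read in the second hunk at `if (is_virtual)`. Its value therefore depends on get_address_by_ts() storing to the out-parameter on every path that returns SUCCESS, and that implementation is not visible here. If any kernel-interface backend leaves it untouched, the branch reads an indeterminate value and the route can be bound to the wrong interface, so traffic matching the policy may not be steered where the policy expects. Declaring it as `bool is_virtual = FALSE;` keeps the previous behaviour (the IKE interface) as the default. The body of install_route continues outside both hunks.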
@@ -1942,6 +1943,14 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
                .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
        );
 
+       /* if the IP is virtual, we install the route over the interface it has
+        * been installed on. Otherwise we use the interface we use for IKE, as
+        * this is required for example on Linux. */
+       if (is_virtual)
+       {
+               src = route->src_ip;
+       }
+
        /* get interface for route, using source address */
        if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
                                                                                                src, &route->if_name))