authorTobias Brunner <tobias@strongswan.org>2014-06-26 15:44:54 +0200
committerTobias Brunner <tobias@strongswan.org>2014-06-26 18:13:09 +0200
commit60f5fb2318bde01128f190d2a5ce4ba787dba1ca (patch)
tree5a88423e6f8ab73ec571584a019268277db813ed
parentb451303a6ca28ec0857165be6bc62dc130a801f7 (diff)
kernel-pfkey: Use subnet and prefix when determining nexthop for shunt policy routes
This is basically the same as 88f125f5605e54b38cf8913df79e32ec6bddff10.
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 4bc2770c1..5715476e1 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2223,11 +2223,21 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
INIT(route,
.prefixlen = policy->src.mask,
.src_ip = host,
- .gateway = hydra->kernel_interface->get_nexthop(
- hydra->kernel_interface, dst, -1, src),
.dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
);
+ if (!dst->is_anyaddr(dst))
+ {
+ route->gateway = hydra->kernel_interface->get_nexthop(
+ hydra->kernel_interface, dst, -1, src);
+ }
+ else
+ { /* for shunt policies */
+ route->gateway = hydra->kernel_interface->get_nexthop(
+ hydra->kernel_interface, policy->src.net,
+ policy->src.mask, route->src_ip);
+ }
+
/* if the IP is virtual, we install the route over the interface it has
* been installed on. Otherwise we use the interface we use for IKE, as
* this is required for example on Linux. */
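Review bot: The `else` branch recognises a shunt policy only through `dst->is_anyaddr(dst)`, and its comment `/* for shunt policies */` does not explain why the lookup switches from `dst`/`src` to `policy->src.net`/`route->src_ip`. The route installed here influences which path traffic matching a pass or drop shunt takes, so the reasoning should be written down, e.g. `/* shunt policies have no peer address (dst is %any), so look up the nexthop for the policy's subnet and prefix instead */`. The two branches also pass different source addresses (`src` versus `route->src_ip`, which is `host`); if that is intentional, say so in the same comment. Neither branch checks the result of `get_nexthop()` within the hunk, and install_route() continues outside it, so it is worth confirming there that a NULL gateway is handled.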