authorTobias Brunner <tobias@strongswan.org>2013-07-18 15:41:13 +0200
committerTobias Brunner <tobias@strongswan.org>2013-07-18 15:41:13 +0200
commit29bdfb4086b471394f935542182d3d2da3a02683 (patch)
tree1d581677d3b384a5e31dc5d7f3c6e4baae9419e8 /src/libcharon/plugins/kernel_libipsec
parentdfc99020137e1722ec415d08006424c8b81c3c04 (diff)
kernel-libipsec: Fail route installation if remote TS matches peer
Diffstat (limited to 'src/libcharon/plugins/kernel_libipsec')
-rw-r--r--src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index 05635b388..40f253d5a 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -464,6 +464,15 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
policy->route = NULL;
}
+ if (dst_ts->is_host(dst_ts, dst))
+ {
+ DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts with "
+ "IKE traffic", src_ts, dst_ts, policy_dir_names,
+ policy->direction);
+ route_entry_destroy(route);
+ this->mutex->unlock(this->mutex);
+ return FALSE;
+ }
/* if remote traffic selector covers the IKE peer, add an exclude route */
if (dst_ts->includes(dst_ts, dst))
{
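Review bot: The new rejection sits after `policy->route = NULL;`, so when the block just above (it starts outside this hunk) has already dropped a previously installed route, returning FALSE here appears to leave the policy with no route at all rather than its old one. If that is not intended, run the `dst_ts->is_host(dst_ts, dst)` check before the existing route is touched; if it is intended, state it in a comment. The branch also has no comment of the kind the next block carries, e.g. `/* remote TS is exactly the IKE peer: routing it would capture our own IKE traffic, so refuse */`. Callers of install_route() are not visible here, so it is worth confirming that a FALSE return fails the policy installation rather than leaving traffic for this selector outside the tunnel. install_route's body starts and ends outside the hunk.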