kernel-pfroute: add a feature flag requesting "exclude" routes

If routes installed along with policies covering the peer address affect local IKE/ESP packets, they won't get routed correctly. To work around this issue, the kernel interface can install "exclude" routes for the IKE peer. Not all networking backends require this workaround, hence we export a flag for it if it is required.
author: Martin Willi <martin@revosec.ch> 2013-04-20 12:28:05 +0200
committer: Martin Willi <martin@revosec.ch> 2013-05-06 17:01:13 +0200
commit: 580b768d03c10f7ce12ebcb4168e58d752b5e0ab (patch)
tree: 34415ebcd4a2772daae881fbf039806da1c2fe1f /src/libhydra/kernel
parent: bd520193a486c6192494f70920702477b843d72e (diff)
download: strongswan-580b768d03c10f7ce12ebcb4168e58d752b5e0ab.tar.bz2
strongswan-580b768d03c10f7ce12ebcb4168e58d752b5e0ab.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index f48104322..fd64f50c2 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -65,6 +65,8 @@ typedef enum kernel_feature_t kernel_feature_t;
 enum kernel_feature_t {
 	/** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
 	KERNEL_ESP_V3_TFC = (1<<0),
+	/** Networking requires an "exclude" route for IKE/ESP packets */
+	KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
 };
 
 /**
author	Martin Willi <martin@revosec.ch>	2013-04-20 12:28:05 +0200
committer	Martin Willi <martin@revosec.ch>	2013-05-06 17:01:13 +0200
commit	580b768d03c10f7ce12ebcb4168e58d752b5e0ab (patch)
tree	34415ebcd4a2772daae881fbf039806da1c2fe1f /src/libhydra/kernel
parent	bd520193a486c6192494f70920702477b843d72e (diff)
download	strongswan-580b768d03c10f7ce12ebcb4168e58d752b5e0ab.tar.bz2 strongswan-580b768d03c10f7ce12ebcb4168e58d752b5e0ab.tar.xz