kernel-pfkey: Fail route installation if remote TS matches peer

author: Tobias Brunner <tobias@strongswan.org> 2013-07-18 15:41:36 +0200
committer: Tobias Brunner <tobias@strongswan.org> 2013-07-18 15:41:36 +0200
commit: e5b5a66712a81f3cbe5f84c0f8980a5f6daa4129 (patch)
tree: 0a5bfcdbce01064da7141a0e3dbeb38dc65aa93c /src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
parent: 29bdfb4086b471394f935542182d3d2da3a02683 (diff)
download: strongswan-e5b5a66712a81f3cbe5f84c0f8980a5f6daa4129.tar.bz2
strongswan-e5b5a66712a81f3cbe5f84c0f8980a5f6daa4129.tar.xz
1 files changed, 8 insertions, 0 deletions
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index fb90f5b21..dd998042c 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2148,6 +2148,14 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 	if (hydra->kernel_interface->get_features(
 					hydra->kernel_interface) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
 	{
+		if (in->src_ts->is_host(in->src_ts, dst))
+		{
+			DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts "
+				 "with IKE traffic", in->src_ts, in->dst_ts, policy_dir_names,
+				 policy->direction);
+			route_entry_destroy(route);
+			return FALSE;
+		}
 		if (in->src_ts->includes(in->src_ts, dst))
 		{
 			add_exclude_route(this, route, in->generic.sa->dst, dst);
author	Tobias Brunner <tobias@strongswan.org>	2013-07-18 15:41:36 +0200
committer	Tobias Brunner <tobias@strongswan.org>	2013-07-18 15:41:36 +0200
commit	e5b5a66712a81f3cbe5f84c0f8980a5f6daa4129 (patch)
tree	0a5bfcdbce01064da7141a0e3dbeb38dc65aa93c /src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
parent	29bdfb4086b471394f935542182d3d2da3a02683 (diff)
download	strongswan-e5b5a66712a81f3cbe5f84c0f8980a5f6daa4129.tar.bz2 strongswan-e5b5a66712a81f3cbe5f84c0f8980a5f6daa4129.tar.xz