From 60f5fb2318bde01128f190d2a5ce4ba787dba1ca Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 26 Jun 2014 15:44:54 +0200
Subject: kernel-pfkey: Use subnet and prefix when determining nexthop for shunt policy routes

This is basically the same as 88f125f5605e54b38cf8913df79e32ec6bddff10.
---
 src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
(limited to 'src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c')
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 4bc2770c1..5715476e1 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2223,11 +2223,21 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 INIT(route,
 .prefixlen = policy->src.mask,
 .src_ip = host,
- .gateway = hydra->kernel_interface->get_nexthop(
- hydra->kernel_interface, dst, -1, src),
 .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
 );
 
+ if (!dst->is_anyaddr(dst))
+ {
+ route->gateway = hydra->kernel_interface->get_nexthop(
+ hydra->kernel_interface, dst, -1, src);
+ }
+ else
+ { /* for shunt policies */
+ route->gateway = hydra->kernel_interface->get_nexthop(
+ hydra->kernel_interface, policy->src.net,
+ policy->src.mask, route->src_ip);
+ }
+
 /* if the IP is virtual, we install the route over the interface it has
 * been installed on. Otherwise we use the interface we use for IKE, as
 * this is required for example on Linux. */
--
cgit v1.2.3
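Review bot: The two branches pass different source arguments to get_nexthop() with no explanation: `src` when `dst` is a concrete address, but `route->src_ip` (set from `host` in the INIT just above) in the shunt branch. The only comment is `/* for shunt policies */`. I would expand it to something like `/* shunt policies have no peer, so dst is the any-address: look up the nexthop towards the policy's subnet/prefix (same values as dst_net/prefixlen) */` and say whether the `src`/`host` difference is intended. Neither branch checks the value returned by get_nexthop() within the hunk. Because this route decides where traffic covered by a shunt policy is sent, it is worth confirming that a failed lookup is handled in the part of install_route that lies outside the hunk, which both starts and ends beyond what is shown here.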