git.ipfire.org Git - thirdparty/strongswan.git/commit - src/libcharon/plugins/kernel_netlink/kernel_netlink

author	Tobias Brunner <tobias@strongswan.org>
	Mon, 18 Apr 2016 16:39:35 +0000 (18:39 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Fri, 6 May 2016 13:48:45 +0000 (15:48 +0200)
commit	3f4cc30b19b0d3294bff0a6306c8c5d6fa75e705
tree	41c51541c4410864dd130885178727c52322e27b	tree \| snapshot
parent	612fe5410b624ab90fa60e36192245f89b60c820	commit \| diff

kernel-netlink: Order routes by prefix before comparing priority/metric

Metrics are basically defined to order routes with equal prefix, so ordering
routes by metric first makes not much sense as that could prefer totally
unspecific routes over very specific ones.

For instance, the previous code did break installation of routes for
passthrough policies with two routes like these in the main routing table:

  default via 192.168.2.1 dev eth0 proto static
  192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10 metric 1

Because the default route has no metric set (0) it was used, instead of the
more specific other one, to determine src and next hop when installing a route
for a passthrough policy for 192.168.2.0/24.  Therefore, the installed route
in table 220 did then incorrectly redirect all local traffic to "next hop"
192.168.2.1.

The same issue occurred when determining the source address while
installing trap policies.

Fixes 6b57790270fb ("kernel-netlink: Respect kernel routing priorities for IKE routes").
Fixes #1416.