kernel-pfkey: Use subnet and prefix when determining nexthop for shunt policy routes

This is basically the same as 88f125f5605e54b38cf8913df79e32ec6bddff10.

diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 4bc2770c129a4fc91ec22993f8dde398647c64dd..5715476e177bc55d063ca36deae53ce20f3d96d0 100644 (file)
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2223,11 +2223,21 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
        INIT(route,
                .prefixlen = policy->src.mask,
                .src_ip = host,
-               .gateway = hydra->kernel_interface->get_nexthop(
-                                                                               hydra->kernel_interface, dst, -1, src),
                .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
        );
 
+       if (!dst->is_anyaddr(dst))
+       {
+               route->gateway = hydra->kernel_interface->get_nexthop(
+                                                                       hydra->kernel_interface, dst, -1, src);
+       }
+       else
+       {       /* for shunt policies */
+               route->gateway = hydra->kernel_interface->get_nexthop(
+                                                                       hydra->kernel_interface, policy->src.net,
+                                                                       policy->src.mask, route->src_ip);
+       }
+
        /* if the IP is virtual, we install the route over the interface it has
         * been installed on. Otherwise we use the interface we use for IKE, as
         * this is required for example on Linux. */