updown: Pass the local interface the traffic to the peer actually takes

If the local IP is not on the interface the peer is reached through,
firewall rules will be installed with the wrong interface.

Fixes #3095.

diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 95d5cded441072ad5dd9fed4b8a4b3773a62f295..c7ee7bf87ec8b9966c01e7f103269476154e5704 100644 (file)
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -289,7 +289,9 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
                         config->get_name(config));
        if (up)
        {
-               if (charon->kernel->get_interface(charon->kernel, me, &iface))
+               host = charon->kernel->get_nexthop(charon->kernel, other, -1, me,
+                                                                                  &iface);
+               if (host && iface)
                {
                        cache_iface(this, child_sa->get_reqid(child_sa), iface);
                }
@@ -297,6 +299,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
                {
                        iface = NULL;
                }
+               DESTROY_IF(host);
        }
        else
        {