From: Tobias Brunner
Date: Thu, 18 Jul 2013 13:41:13 +0000 (+0200)
Subject: kernel-libipsec: Fail route installation if remote TS matches peer
X-Git-Tag: 5.1.0rc1~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=29bdfb4086b471394f935542182d3d2da3a02683;p=thirdparty%2Fstrongswan.git
kernel-libipsec: Fail route installation if remote TS matches peer
---
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index 05635b3881..40f253d5a9 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -464,6 +464,15 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 		policy->route = NULL;
 	}
+	if (dst_ts->is_host(dst_ts, dst))
+	{
+		DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts with "
+			 "IKE traffic", src_ts, dst_ts, policy_dir_names,
+			 policy->direction);
+		route_entry_destroy(route);
+		this->mutex->unlock(this->mutex);
+		return FALSE;
+	}
 	/* if remote traffic selector covers the IKE peer, add an exclude route */
 	if (dst_ts->includes(dst_ts, dst))
 	{
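Review bot: The new `is_host()` guard in install_route carries no comment explaining why this case must fail rather than fall through to the exclude-route handling directly below it, which the existing comment there presents as the answer for a TS that covers the peer; a one-liner above the check such as `/* an exclude route can't be more specific than a host route, so the tunnel would capture our own IKE traffic */` would make the distinction obvious to the next reader. The failure path also spells out `route_entry_destroy(route); this->mutex->unlock(this->mutex); return FALSE;` inline, and the exclude-route branch below presumably has the same cleanup on its own failure; if so, a shared `goto` cleanup label would keep the two from drifting apart. Note that the conflict is only evaluated against `dst` at policy-install time, so if the peer address later changes (e.g. via an update) the check is not re-run here — whether routes are reinstalled on update is outside this hunk. install_route's body begins and continues outside the hunk.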