From: Tobias Brunner
Date: Fri, 1 Mar 2019 09:19:32 +0000 (+0100)
Subject: kernel-netlink: Don't install routes for CHILD_SAs with interface ID
X-Git-Tag: 5.8.0rc1~41^2~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=801a5d31331a5be47a3225a3a35276fffb12712f;p=thirdparty%2Fstrongswan.git

kernel-netlink: Don't install routes for CHILD_SAs with interface ID
---

diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 205e772ae2..27bb3792dd 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2846,10 +2846,12 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 	 * - this is an outbound policy (to just get one for each child)
 	 * - routing is not disabled via strongswan.conf
 	 * - the selector is not for a specific protocol/port
+	 * - no XFRM interface ID is configured
 	 * - we are in tunnel/BEET mode or install a bypass policy
 	 */
 	if (policy->direction == POLICY_OUT && this->install_routes &&
-		!policy->sel.proto && !policy->sel.dport && !policy->sel.sport)
+		!policy->sel.proto && !policy->sel.dport && !policy->sel.sport &&
+		!policy->if_id)
 	{
 		if (mapping->type == POLICY_PASS ||
 			(mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 3f27fee55c..c02c5743ad 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -934,6 +934,8 @@ connections..children..if_id_out = 0 instance, beyond that the value _%unique-dir_ assigns a different unique interface ID for each CHILD_SA direction (in/out). + The daemon will not install routes for CHILD_SAs that have this option set. + connections..children..set_mark_in = 0/0x00000000 Netfilter mark applied to packets after the inbound IPsec SA processed them.
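Review bot: The new `!policy->if_id` term in the route-install condition of add_policy_internal drops route installation for interface-ID policies without recording what is expected to route that traffic instead; the added comment line only restates the check, and the commit message gives no rationale. Presumably the route has to go via the XFRM interface carrying that ID, which the daemon does not create or manage, so the comment should say so, e.g. `* - no XFRM interface ID is configured (such traffic must be routed via the XFRM interface, which the daemon does not manage)`. If that interface or its route is missing, traffic to the remote selector follows normal routing and, as far as I can tell, policies bound to an interface ID only match packets on that interface, so it would leave unprotected rather than fail closed — a debug message in the skipped case (if the plugin's DBG macros are in scope here) would make that diagnosable. add_policy_internal begins before the hunk and the `if` body continues past it.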