From: Tobias Brunner
Date: Thu, 5 Dec 2019 15:15:33 +0000 (+0100)
Subject: kernel-netlink: Properly compare routes for policies without gateway/netxhop
X-Git-Tag: 5.8.2rc1~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c81a8a8f3607f2ccc3e503fd7edeea1e543d140f;p=thirdparty%2Fstrongswan.git

kernel-netlink: Properly compare routes for policies without gateway/netxhop

This happened when installing a duplicate bypass policy for a locally connected subnet. The destructor and the kernel-net part already handle this correctly.
---
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 4465d41f3b..c1b44180b2 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -409,10 +409,14 @@ static void route_entry_destroy(route_entry_t *this)
 */
 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
 {
- return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
- a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
- a->gateway->ip_equals(a->gateway, b->gateway) &&
- chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
+ if (a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+ a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
+ chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen)
+ {
+ return (!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
+ a->gateway->ip_equals(a->gateway, b->gateway));
+ }
+ return FALSE;
 }
 
 typedef struct ipsec_sa_t ipsec_sa_t;
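Review bot: `a->src_ip->ip_equals(a->src_ip, b->src_ip)` in the new `if` condition is still called without a NULL check, while `gateway` now gets a both-unset-or-both-equal test in the return statement below it. The code that fills `route_entry_t` is outside this hunk, so whether `src_ip` can ever be unset is not visible here; if it can, the comparison would dereference NULL in the same way the old `gateway` call did, which in a long-running keying daemon means a crash reachable through policy installation. Either give `src_ip` the same pattern as `gateway`, or record the invariant next to the condition with a comment such as `/* src_ip is always set for an installed route, gateway is optional (directly connected nets) */`. The doc comment above `route_entry_equals` starts outside the hunk and would be the natural place to state that two routes without a gateway compare as equal.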