kernel-pfkey: Don't install exclude routes for locally connected peers
authorTobias Brunner <tobias@strongswan.org>
Wed, 16 Feb 2022 13:47:40 +0000 (14:47 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 15 Mar 2022 12:52:24 +0000 (13:52 +0100)
Such routes with a gateway that equals the peer's address are problematic
on FreeBSD.  And since there is most likely a narrow route for the local
subnet anyway, the exclude routes would be redundant.

src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index 3e01e1c90fbb2487806c1c9924865ae0ed858a1a..f32c4f83d8e36b2ef6e13ad79cd2e83035183e51 100644 (file)
@@ -2339,8 +2339,13 @@ static void add_exclude_route(private_kernel_pfkey_ipsec_t *this,
                {
                        char *if_name = NULL;
 
-                       if (charon->kernel->get_interface(charon->kernel, src, &if_name) &&
-                               charon->kernel->add_route(charon->kernel,
+                       if (gtw->ip_equals(gtw, dst))
+                       {
+                               DBG1(DBG_KNL, "not installing exclude route for directly "
+                                        "connected peer %H", dst);
+                       }
+                       else if (charon->kernel->get_interface(charon->kernel, src, &if_name) &&
+                                        charon->kernel->add_route(charon->kernel,
                                                                        dst->get_address(dst),
                                                                        dst->get_family(dst) == AF_INET ? 32 : 128,
                                                                        gtw, src, if_name, FALSE) == SUCCESS)
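Review bot: The reason for the new `gtw->ip_equals(gtw, dst)` short-circuit lives only in the commit message; a comment above the `if` would spare the next reader a blame lookup, e.g. `/* gateway == peer means the peer is on-link: an exclude route is redundant there (the local subnet route is narrower) and is not accepted on FreeBSD */`. That comment should also state the assumption the skip relies on, namely that a narrower on-link route for the peer's subnet exists and keeps winning over the wider routes this plugin installs, since IKE and ESP traffic to that peer now depends on it. Because this branch neither calls add_route nor records an exclude entry, the gateway lookup and this DBG1 line presumably repeat for every route installed towards the same peer; if that turns out noisy, DBG2 may fit better — inferred, as the bookkeeping around the SUCCESS path is outside the hunk. add_exclude_route starts and ends outside the hunk.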