]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
projects / thirdparty / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bd52019)
kernel-pfroute: add a feature flag requesting "exclude" routes
authorMartin Willi <martin@revosec.ch>
Sat, 20 Apr 2013 10:28:05 +0000 (12:28 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 6 May 2013 15:01:13 +0000 (17:01 +0200)
If routes installed along with policies covering the peer address affect local
IKE/ESP packets, they won't get routed correctly. To work around this issue,
the kernel interface can install "exclude" routes for the IKE peer. Not all
networking backends require this workaround, hence we export a flag for it
if it is required.

src/libhydra/kernel/kernel_interface.h patch | blob | blame | history
src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c patch | blob | blame | history

diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index f481043220d6bbd3cf548863d28839bf59dd4e55..fd64f50c20fb62a92c551ed6bfdd903d46a4a09e 100644 (file)
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -65,6 +65,8 @@ typedef enum kernel_feature_t kernel_feature_t;
 enum kernel_feature_t {
        /** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
        KERNEL_ESP_V3_TFC = (1<<0),
+       /** Networking requires an "exclude" route for IKE/ESP packets */
+       KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
 };
 
 /**
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index b1d3fd88bf9354f466c28ab9872d115f221268aa..8d8d0362ae226358f4ece54241af1c94319ea3f4 100644 (file)
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -770,6 +770,12 @@ METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
                                (void*)address_enumerator_destroy);
 }
 
+METHOD(kernel_net_t, get_features, kernel_feature_t,
+       private_kernel_pfroute_net_t *this)
+{
+       return KERNEL_REQUIRE_EXCLUDE_ROUTE;
+}
+
 METHOD(kernel_net_t, get_interface_name, bool,
        private_kernel_pfroute_net_t *this, host_t* ip, char **name)
 {
@@ -1276,6 +1282,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
        INIT(this,
                .public = {
                        .interface = {
+                               .get_features = _get_features,
                                .get_interface = _get_interface_name,
                                .create_address_enumerator = _create_address_enumerator,
                                .get_source_addr = _get_source_addr,
Unnamed repository; edit this file 'description' to name the repository.