From: Tobias Brunner
Date: Fri, 3 May 2024 13:31:27 +0000 (+0200)
Subject: charon-nm: Use a different routing table than the regular IKE daemon
X-Git-Tag: android-2.5.2~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49cb7b016f762d0283565d3f712ac466ace9905f;p=thirdparty%2Fstrongswan.git

charon-nm: Use a different routing table than the regular IKE daemon

If the regular daemon is running, it creates an unconditional routing rule for the routing table. The rule that charon-nm tries to create, which excludes marked IKE/ESP traffic to avoid a routing loop, then can't be installed and we'd end up with said loop.

Closes strongswan/strongswan#2230
---
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index 9d0a860ef8..4217db2e08 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -205,11 +205,17 @@ int main(int argc, char *argv[])
 	/* install routes via XFRM interfaces, if we can use them */
 	lib->settings->set_default_str(lib->settings,
 		"charon-nm.plugins.kernel-netlink.install_routes_xfrmi", "yes");
-	/* bypass IKE traffic from these routes in case traffic selectors conflict */
+	/* use a separate routing table to avoid conflicts with regular charon */
 	lib->settings->set_default_str(lib->settings,
-		"charon-nm.plugins.socket-default.fwmark", "220");
+		"charon-nm.routing_table", "210");
+	/* use the same value as priority (higher than charon's default) */
 	lib->settings->set_default_str(lib->settings,
-		"charon-nm.plugins.kernel-netlink.fwmark", "!220");
+		"charon-nm.routing_table_prio", "210");
+	/* bypass IKE/ESP from these routes in case traffic selectors conflict */
+	lib->settings->set_default_str(lib->settings,
+		"charon-nm.plugins.socket-default.fwmark", "210");
+	lib->settings->set_default_str(lib->settings,
+		"charon-nm.plugins.kernel-netlink.fwmark", "!210");
 	DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")");
 
 	if (lib->integrity)
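Review bot: The four new defaults only work as a set — `charon-nm.plugins.socket-default.fwmark` marks outbound IKE with 210 while `charon-nm.plugins.kernel-netlink.fwmark` excludes `!210` from the new table — yet the value is spelled out as four separate string literals, and because these are `set_default_str` calls each one can be overridden on its own in strongswan.conf, which silently reintroduces the routing loop this commit removes. A single constant such as `#define CHARON_NM_MARK "210"` used for all four arguments (with `"!" CHARON_NM_MARK` for the kernel-netlink exclusion) keeps the value in one place, which matters more now that nm_service.c reads the socket-default setting back to mark ESP. The comment `/* use the same value as priority (higher than charon's default) */` is ambiguous because ip-rule priorities are evaluated lowest-number-first; `/* rule priority 210 is evaluated before charon's default rule (220) */` says what is meant, assuming charon's default table/priority is still 220 as the old fwmark value suggests. main() begins and ends outside this hunk.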
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 8570ef0e3e..5d907ddbfa 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -912,10 +912,9 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 	if (priv->xfrmi_id)
 	{
 		/* set the same mark as for IKE packets on the ESP packets so no routing
 		 * loop is created if the TS covers the VPN server's IP */
-		child.set_mark_out = (mark_t){
-			.value = 220,
-			.mask = 0xffffffff,
-		};
+		mark_from_string(lib->settings->get_str(lib->settings,
+			"charon-nm.plugins.socket-default.fwmark", NULL),
+			MARK_OP_NONE, &child.set_mark_out);
 		child.if_id_in = child.if_id_out = priv->xfrmi_id;
 	}
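Review bot: The return value of `mark_from_string()` is ignored, so if `charon-nm.plugins.socket-default.fwmark` is overridden with an unparsable value (or unset, in which case `get_str` returns the NULL default), `child.set_mark_out` is not set from the configuration and the ESP packets go out without the mark — exactly the routing loop the comment two lines above warns about, now failing silently where the old literal could not fail. Check the result and log it, e.g. `if (!mark_from_string(lib->settings->get_str(lib->settings, "charon-nm.plugins.socket-default.fwmark", NULL), MARK_OP_NONE, &child.set_mark_out))` followed by a `DBG1(DBG_CFG, ...)` naming the setting, and decide whether the connection should be refused rather than continued unmarked. Whether a failed parse leaves `set_mark_out` zeroed or partially written depends on `mark_from_string`'s implementation, which is not on this page. connect_() starts and ends outside the hunk.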