From: Tobias Brunner Date: Thu, 20 Jun 2019 08:02:21 +0000 (+0200) Subject: updown: Pass the local interface the traffic to the peer actually takes X-Git-Tag: 5.8.1rc1~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9543a771dda78c57981ecd7f76e05f30e0f18377;p=thirdparty%2Fstrongswan.git updown: Pass the local interface the traffic to the peer actually takes If the local IP is not on the interface the peer is reached through, firewall rules will be installed with the wrong interface. Fixes #3095.
---
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 95d5cded44..c7ee7bf87e 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -289,7 +289,9 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 config->get_name(config));
 if (up)
 {
- if (charon->kernel->get_interface(charon->kernel, me, &iface))
+ host = charon->kernel->get_nexthop(charon->kernel, other, -1, me,
+ &iface);
+ if (host && iface)
 {
 cache_iface(this, child_sa->get_reqid(child_sa), iface);
 }
@@ -297,6 +299,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 {
 iface = NULL;
 }
+ DESTROY_IF(host);
 }
 else
 {
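Review bot: In the first hunk, `if (host && iface)` combined with the unchanged `else { iface = NULL; }` throws away `iface` whenever `get_nexthop` returns no host, so if the kernel backend can fill the out-parameter with an allocated interface name independently of returning a nexthop (hedged: the hunk does not show the backend contract), that string is leaked instead of released; once the ownership of `iface` is confirmed the else branch should become `else { free(iface); iface = NULL; }`. The previous `get_interface(me, &iface)` fallback is removed outright, so a route lookup that yields no interface now leaves the updown script without one where it used to receive the interface holding the local address — if that is the intended outcome, a one-line comment such as `/* no usable route to the peer: leave iface unset rather than guess from the local address */` would save the next reader the question. The literal `-1` passed as the prefix argument also deserves a short comment naming what it selects for the destination prefix, since the call site otherwise reads as a magic value. `host` is declared outside both hunks, so its earlier use in invoke_once should be checked against the `DESTROY_IF(host)` added in the second hunk; invoke_once starts before the first hunk and continues past the second.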