From: Tobias Brunner
Date: Wed, 10 Jul 2013 13:02:48 +0000 (+0200)
Subject: kernel-pfroute: Make sure source addresses are not virtual and usable
X-Git-Tag: 5.1.0rc1~35^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cb082d15eff3948f9bfbb4d43d48cdf8e4ee993e;p=thirdparty%2Fstrongswan.git

kernel-pfroute: Make sure source addresses are not virtual and usable

It seems we sometimes get the virtual IP as source (with rightsubnet=0.0.0.0/0) even if the exclude route is already installed. Might be a timing issue because shortly afterwards the lookup seems to succeed.
---

diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 0760513b8a..c1224cc983 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -1519,12 +1519,28 @@ retry:
 }
 DBG1(DBG_KNL, "PF_ROUTE lookup failed: %s", strerror(errno));
 }
-
- if (host)
+ if (!host)
 {
- DBG2(DBG_KNL, "using %H as %s to reach %H", host,
- nexthop ? "nexthop" : "address", dest);
+ return NULL;
+ }
+ if (!nexthop)
+ { /* make sure the source address is not virtual and usable */
+ addr_entry_t *entry, lookup = {
+ .ip = host,
+ };
+
+ this->lock->read_lock(this->lock);
+ entry = this->addrs->get_match(this->addrs, &lookup,
+ (void*)addr_map_entry_match_up_and_usable);
+ this->lock->unlock(this->lock);
+ if (!entry)
+ {
+ host->destroy(host);
+ return NULL;
+ }
 }
+ DBG2(DBG_KNL, "using %H as %s to reach %H", host,
+ nexthop ? "nexthop" : "address", dest);
 return host;
 }
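Review bot: The new `if (!entry)` branch destroys `host` and returns NULL without logging anything, so a source address rejected as virtual or unusable leaves no trace, whereas the success path logs at DBG2 and the PF_ROUTE failure path at DBG1. The commit message describes the condition as intermittent and possibly timing-related, so a line before `host->destroy(host);` such as `DBG2(DBG_KNL, "%H is virtual or not usable, not using it as source", host);` would make it diagnosable. A short comment that `entry` is only tested for NULL after `unlock` and never dereferenced would also record why releasing the read lock first is safe, and that the result is a point-in-time check. The function starts outside the hunk, so whether callers retry after a NULL return cannot be seen here.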