From: Martin Willi
Date: Sat, 20 Apr 2013 10:28:05 +0000 (+0200)
Subject: kernel-pfroute: add a feature flag requesting "exclude" routes
X-Git-Tag: 5.1.0dr1~153^2~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=580b768d03c10f7ce12ebcb4168e58d752b5e0ab;p=thirdparty%2Fstrongswan.git
kernel-pfroute: add a feature flag requesting "exclude" routes
If routes installed along with policies covering the peer address affect local IKE/ESP packets, they won't get routed correctly. To work around this issue, the kernel interface can install "exclude" routes for the IKE peer. Not all networking backends require this workaround, hence we export a flag for it if it is required.
---
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index f481043220..fd64f50c20 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -65,6 +65,8 @@ typedef enum kernel_feature_t kernel_feature_t;
 enum kernel_feature_t {
 /** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
 KERNEL_ESP_V3_TFC = (1<<0),
+ /** Networking requires an "exclude" route for IKE/ESP packets */
+ KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
 };
 /**
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index b1d3fd88bf..8d8d0362ae 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -770,6 +770,12 @@ METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
 (void*)address_enumerator_destroy);
 }
+METHOD(kernel_net_t, get_features, kernel_feature_t,
+ private_kernel_pfroute_net_t *this)
+{
+ return KERNEL_REQUIRE_EXCLUDE_ROUTE;
+}
+
 METHOD(kernel_net_t, get_interface_name, bool,
 private_kernel_pfroute_net_t *this, host_t* ip, char **name)
 {
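Review bot: The doc comment on the new KERNEL_REQUIRE_EXCLUDE_ROUTE value in kernel_interface.h names the requirement but not what the kernel interface does when a backend sets it, so a reader of the header has to dig up this commit to learn the contract. Extending it to `/** Networking requires an "exclude" route for IKE/ESP packets; when set, the kernel interface installs a route for the IKE peer that bypasses the routes installed with policies */` carries the behaviour the commit message describes into the header where the flag is defined. The enum body is visible in full in the hunk, but the rest of the header is not.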
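Review bot: get_features in kernel_pfroute_net.c returns KERNEL_REQUIRE_EXCLUDE_ROUTE unconditionally and gives no reason, so the rationale lives only in the commit message and will be invisible to anyone reading the plugin later. A comment above the return, e.g. `/* on this backend, routes installed along with policies covering the peer would also steer our own IKE/ESP packets, so request an exclude route for the IKE peer (see commit message) */`, keeps that reasoning with the code. Because the flag is hard-wired rather than probed from the running system, the same comment should state that every pfroute deployment will receive exclude routes, so that a future change making it conditional knows the current assumption; whether all PF_ROUTE platforms actually need it is not something the hunk shows. get_interface_name, which follows in the same hunk, continues outside it.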
@@ -1276,6 +1282,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 INIT(this,
 .public = {
 .interface = {
+ .get_features = _get_features,
 .get_interface = _get_interface_name,
 .create_address_enumerator = _create_address_enumerator,
 .get_source_addr = _get_source_addr,