From 8a76c5af8a3c3dd5fd6d9dc301069a8bdae018ec Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 16 Feb 2022 14:47:40 +0100
Subject: [PATCH] kernel-pfkey: Don't install exclude routes for locally connected peers

Such routes with a gateway that equals the peer's address are problematic on FreeBSD. And since there is most likely a narrow route for the local subnet anyway, the exclude routes would be redundant.
---
 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 3e01e1c90..f32c4f83d 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2339,8 +2339,13 @@ static void add_exclude_route(private_kernel_pfkey_ipsec_t *this,
 {
 char *if_name = NULL;
 
- if (charon->kernel->get_interface(charon->kernel, src, &if_name) &&
- charon->kernel->add_route(charon->kernel,
+ if (gtw->ip_equals(gtw, dst))
+ {
+ DBG1(DBG_KNL, "not installing exclude route for directly "
+ "connected peer %H", dst);
+ }
+ else if (charon->kernel->get_interface(charon->kernel, src, &if_name) &&
+ charon->kernel->add_route(charon->kernel,
 dst->get_address(dst), dst->get_family(dst) == AF_INET ? 32 : 128,
 gtw, src, if_name, FALSE) == SUCCESS)
--
2.47.3
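Review bot: The new `gtw->ip_equals(gtw, dst)` branch encodes an assumption the commit message itself calls only likely — that a connected route narrower than the tunnel's route always exists for a directly connected peer — and the code does not say so; if that assumption fails (a tunnel route as specific as or preferred over the connected route), IKE/ESP packets to the peer follow the tunnel route and the SA stalls, with only a DBG1 line to explain why no exclude route exists. I'd state it above the condition: `/* gateway == peer means the peer is on-link; we rely on the connected subnet route being more specific than the tunnel routes (an exclude route with gtw == dst breaks on FreeBSD) */`. The message is also platform-neutral even though the motivation is FreeBSD-specific, so a reader on another PF_KEY platform cannot tell from the log whether skipping was intended there; mentioning the rationale in the comment covers that. Whether `gtw` is guaranteed non-NULL at this point is not visible in the hunk; the enclosing block and the rest of add_exclude_route start and end outside it.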