kernel-pfkey: Add option to install routes via internal interface

On FreeBSD, enabling this option makes the kernel select the correct source IP
when sending packets that originate from the gateway itself.
This commit is contained in:
Tobias Brunner 2018-03-08 18:34:50 +01:00
parent a4727a01a3
commit e811659323
2 changed files with 19 additions and 1 deletions


@ -5,3 +5,13 @@ charon.plugins.kernel-pfkey.events_buffer_size = 0
Because events are received asynchronously installing e.g. lots of policies
may require a larger buffer than the default on certain platforms in order
to receive all messages.
charon.plugins.kernel-pfkey.route_via_internal = no
Whether to use the internal or external interface in installed routes.
Whether to use the internal or external interface in installed routes.
The internal interface is the one where the IP address contained in the
local traffic selector is located, the external interface is the one over
which the destination address of the IPsec tunnel can be reached.
This is not relevant if virtual IPs are used, for which a TUN device is
created that's used in the routes.


@ -219,6 +219,11 @@ struct private_kernel_pfkey_ipsec_t
*/
bool install_routes;
/**
* whether to install the route via internal interface
*/
bool route_via_internal;
/**
* mutex to lock access to the PF_KEY socket
*/
@ -2361,7 +2366,7 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
/* if the IP is virtual, we install the route over the interface it has
* been installed on. Otherwise we use the interface we use for IKE, as
* this is required for example on Linux. */
if (is_virtual)
if (is_virtual || this->route_via_internal)
{
free(route->if_name);
route->if_name = NULL;
@ -3164,6 +3169,9 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
.install_routes = lib->settings->get_bool(lib->settings,
"%s.install_routes", TRUE,
lib->ns),
.route_via_internal = lib->settings->get_bool(lib->settings,
"%s.plugins.kernel-pfkey.route_via_internal",
FALSE, lib->ns),
);
if (streq(lib->ns, "starter"))