kernel-pfkey: Add option to install routes via internal interface
On FreeBSD, enabling this selects the correct source IP when sending packets from the gateway itself.
parent
a4727a01a3
commit
e811659323
|
@ -5,3 +5,13 @@ charon.plugins.kernel-pfkey.events_buffer_size = 0
|
||||||
Because events are received asynchronously installing e.g. lots of policies
|
Because events are received asynchronously installing e.g. lots of policies
|
||||||
may require a larger buffer than the default on certain platforms in order
|
may require a larger buffer than the default on certain platforms in order
|
||||||
to receive all messages.
|
to receive all messages.
|
||||||
|
|
||||||
|
charon.plugins.kernel-pfkey.route_via_internal = no
|
||||||
|
Whether to use the internal or external interface in installed routes.
|
||||||
|
|
||||||
|
Whether to use the internal or external interface in installed routes.
|
||||||
|
The internal interface is the one where the IP address contained in the
|
||||||
|
local traffic selector is located, the external interface is the one over
|
||||||
|
which the destination address of the IPsec tunnel can be reached.
|
||||||
|
This is not relevant if virtual IPs are used, for which a TUN device is
|
||||||
|
created that's used in the routes.
|
||||||
|
|
|
@ -219,6 +219,11 @@ struct private_kernel_pfkey_ipsec_t
|
||||||
*/
|
*/
|
||||||
bool install_routes;
|
bool install_routes;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* whether to install the route via internal interface
|
||||||
|
*/
|
||||||
|
bool route_via_internal;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* mutex to lock access to the PF_KEY socket
|
* mutex to lock access to the PF_KEY socket
|
||||||
*/
|
*/
|
||||||
|
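Review bot: The new `route_via_internal` member's comment says only "whether to install the route via internal interface", which leaves the reader of the struct guessing what "internal" means and when the flag is consulted; the meaning is only defined in the option's config documentation elsewhere in this commit. I would make the struct comment self-contained, e.g. `/** whether installed routes use the internal interface (the one holding the local TS address) instead of the one used for IKE; no effect for virtual IPs */`. The `is_virtual || this->route_via_internal` condition in install_route is what makes the virtual-IP case independent of the flag, so stating that here saves a trip to the implementation.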
@ -2361,7 +2366,7 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
|
||||||
/* if the IP is virtual, we install the route over the interface it has
|
/* if the IP is virtual, we install the route over the interface it has
|
||||||
* been installed on. Otherwise we use the interface we use for IKE, as
|
* been installed on. Otherwise we use the interface we use for IKE, as
|
||||||
* this is required for example on Linux. */
|
* this is required for example on Linux. */
|
||||||
if (is_virtual)
|
if (is_virtual || this->route_via_internal)
|
||||||
{
|
{
|
||||||
free(route->if_name);
|
free(route->if_name);
|
||||||
route->if_name = NULL;
|
route->if_name = NULL;
|
||||||
|
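Review bot: The comment block directly above the changed `if` is now stale: it states the interface name is dropped only for virtual IPs and that otherwise the IKE interface is used, but the new condition `if (is_virtual || this->route_via_internal)` also drops `route->if_name` whenever the option is enabled. Since this is the one place where the option changes behavior, the comment should say so, e.g. `/* if the IP is virtual, or route_via_internal is enabled, we let the kernel pick the interface from the source address. Otherwise we use the interface we use for IKE, as this is required for example on Linux. */` — adjust the first clause to whatever the code after the hunk actually does with a NULL if_name, which I cannot see here. The body of install_route begins and ends outside the hunk.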
@ -3164,6 +3169,9 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
|
||||||
.install_routes = lib->settings->get_bool(lib->settings,
|
.install_routes = lib->settings->get_bool(lib->settings,
|
||||||
"%s.install_routes", TRUE,
|
"%s.install_routes", TRUE,
|
||||||
lib->ns),
|
lib->ns),
|
||||||
|
.route_via_internal = lib->settings->get_bool(lib->settings,
|
||||||
|
"%s.plugins.kernel-pfkey.route_via_internal",
|
||||||
|
FALSE, lib->ns),
|
||||||
);
|
);
|
||||||
|
|
||||||
if (streq(lib->ns, "starter"))
|
if (streq(lib->ns, "starter"))
|
||||||
|
|