[Bug 255678] security/strongswan can't add routes via RTM_ADD via PF_ROUTE socket

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 03 Jun 2021 22:11:17 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678

--- Comment #18 from Alexander V. Chernikov <melifaro_at_FreeBSD.org> ---
(In reply to Tobias Brunner from comment #17)
> Not exactly. The end goal is to install a route that causes the kernel to select the "internal" IP address (192.168.5.10 on igb0) as source when reaching the remote VPN subnet (10.11.12.0/24).
Got it.

> For comparison, on Linux, we install a route for the remote subnet via external interface but we set the RTA_PREFSRC attribute to the internal IP address, which causes it to get selected when traffic to the remote subnet is generated (we also install that route in a separate routing table that takes precedence over the main table and allows us to even override the default route without conflicts). AFAIK, there is nothing similar on FreeBSD.
*BSD has the RTAX_IFA rtsock option, which allows choosing the preferred source
address.
FreeBSD has support for multiple routing tables (net.fibs), though there may be
some rough edges.

I'll be able to look and hopefully fix the issue on the weekend.
Re optimal way of specifying the source address - IMO having an explicit
RTAX_IFA + RTAX_IFP (specified by an ifindex) should be more bulletproof, but
let me fix the bug first & verify the proper RTAX_IFA operations.

Received on Thu Jun 03 2021 - 22:11:17 UTC
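The RTAX_IFA approach discussed in this comment, shown as an added example that is not strongSwan's or FreeBSD's own code: it builds an RTM_ADD message for the remote subnet 10.11.12.0/24 with an RTA_IFA sockaddr naming 192.168.5.10 as the preferred source address, then writes it to a PF_ROUTE socket. The gateway 203.0.113.1 is a constructed placeholder for the next hop on the external interface; the destination and source addresses are the ones from this thread. The RTA_* and RTF_* constants and the rt_msghdr layout are FreeBSD's (route(4)); the stand-in header under `#ifndef __FreeBSD__` exists only so the message builder can be compiled and inspected on other hosts and is not wire-compatible, and the send step is compiled only on FreeBSD.

```c
/* rtm_add_ifa.c: RTM_ADD with RTA_IFA to pin the route's source address.
 * Added example for this bug thread; not strongSwan or FreeBSD code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifdef __FreeBSD__
#include <net/route.h>            /* real rt_msghdr, RTM_*, RTF_*, RTA_* */
typedef struct rt_msghdr rt_hdr_t;
#else
/* Stand-in for non-FreeBSD hosts so the builder compiles for inspection.
 * Field names mirror route(4); the layout is NOT the kernel's and the
 * message is never sent from such a host. Constant values are FreeBSD's. */
#define RTM_VERSION 5
#define RTM_ADD     0x1
#define RTF_UP      0x1
#define RTF_GATEWAY 0x2
#define RTF_STATIC  0x800
#define RTA_DST     0x1
#define RTA_GATEWAY 0x2
#define RTA_NETMASK 0x4
#define RTA_IFA     0x20
typedef struct {
    uint16_t rtm_msglen; uint8_t rtm_version; uint8_t rtm_type;
    uint16_t rtm_index; int rtm_flags; int rtm_addrs;
    int rtm_pid; int rtm_seq; int rtm_errno;
} rt_hdr_t;
#endif

/* BSD-layout sockaddr_in (sin_len first). Same bytes as FreeBSD's
 * struct sockaddr_in; defined here so the builder is host-independent. */
struct bsd_sockaddr_in {
    uint8_t sin_len; uint8_t sin_family; uint16_t sin_port;
    uint32_t sin_addr; uint8_t sin_zero[8];
};

/* rtsock pads each sockaddr to a multiple of sizeof(long) (cf. SA_SIZE). */
#define RT_ROUNDUP(n) ((n) > 0 ? (1 + (((n) - 1) | (sizeof(long) - 1))) : sizeof(long))

/* Header followed by DST, GATEWAY, NETMASK, IFA in RTAX bit order. */
struct rtm_ifa_msg {
    rt_hdr_t hdr;
    uint8_t body[4 * RT_ROUNDUP(sizeof(struct bsd_sockaddr_in))];
};

static int set_in4(struct bsd_sockaddr_in *sa, const char *ip)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_len = sizeof *sa;
    sa->sin_family = AF_INET;
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Build RTM_ADD for dst/mask via gw with src as the RTA_IFA preferred
 * source. Returns the total message length, or -1 on a bad address. */
static int build_rtm_add_ifa(struct rtm_ifa_msg *m, const char *dst,
                             const char *mask, const char *gw,
                             const char *src, int seq)
{
    /* Sockaddrs must appear in RTAX order: DST, GATEWAY, NETMASK, IFA. */
    const char *addrs[4] = { dst, gw, mask, src };
    struct bsd_sockaddr_in sa;
    size_t off = 0;

    memset(m, 0, sizeof *m);
    for (int i = 0; i < 4; i++) {
        if (set_in4(&sa, addrs[i]) != 0)
            return -1;
        memcpy(m->body + off, &sa, sizeof sa);
        off += RT_ROUNDUP(sizeof sa);
    }
    m->hdr.rtm_version = RTM_VERSION;
    m->hdr.rtm_type    = RTM_ADD;
    m->hdr.rtm_flags   = RTF_UP | RTF_GATEWAY | RTF_STATIC;
    m->hdr.rtm_addrs   = RTA_DST | RTA_GATEWAY | RTA_NETMASK | RTA_IFA;
    m->hdr.rtm_pid     = getpid();
    m->hdr.rtm_seq     = seq;
    m->hdr.rtm_msglen  = (uint16_t)(sizeof m->hdr + off);
    return m->hdr.rtm_msglen;
}

/* Read back the RTA_IFA address (4th sockaddr) as text; -1 if absent. */
static int rtm_ifa_source(const struct rtm_ifa_msg *m, char *buf, size_t n)
{
    struct bsd_sockaddr_in sa;
    if (!(m->hdr.rtm_addrs & RTA_IFA))
        return -1;
    memcpy(&sa, m->body + 3 * RT_ROUNDUP(sizeof sa), sizeof sa);
    return inet_ntop(AF_INET, &sa.sin_addr, buf, n) ? 0 : -1;
}

/* Hand the message to the kernel. write() fails with errno set (for
 * example EEXIST) if the kernel rejects the route; FreeBSD only. */
static int install_route(const struct rtm_ifa_msg *m)
{
#ifdef __FreeBSD__
    int s = socket(PF_ROUTE, SOCK_RAW, 0);
    if (s < 0)
        return -1;
    int rc = write(s, m, m->hdr.rtm_msglen) == m->hdr.rtm_msglen ? 0 : -1;
    close(s);
    return rc;
#else
    (void)m;
    return -1;                  /* no BSD-semantics PF_ROUTE on this host */
#endif
}

int main(void)
{
    struct rtm_ifa_msg m;
    char src[INET_ADDRSTRLEN];
    /* 203.0.113.1 is a constructed placeholder next hop on the external if. */
    int n = build_rtm_add_ifa(&m, "10.11.12.0", "255.255.255.0",
                              "203.0.113.1", "192.168.5.10", 1);
    if (n < 0 || rtm_ifa_source(&m, src, sizeof src) != 0)
        return 1;
    printf("RTM_ADD %d bytes, rtm_addrs=0x%x, preferred source %s\n",
           n, m.hdr.rtm_addrs, src);
    if (install_route(&m) != 0)
        perror("install_route");
    return 0;
}
```

Running it as root on FreeBSD adds the static route and reports any kernel rejection through errno; on other hosts it only builds and prints the message so the sockaddr ordering and the RTA_IFA bit can be checked.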
