mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-04 00:00:14 -04:00
This allows NM more freedom in regards to how it wants to use the passed device. In particular, if dnsmasq is used with NM as that binds to the interface to send requests via VPN.

Installing the VIPs on lo avoids weird address removal/addition events that happen for IPv6 on the physical interface (which would cause the VIP to get incorrectly detected as non-VIP address and ignored during deletion).

We could let NM install routes via XFRM interface, however, that causes problems with e.g. the bypass-lan plugin (the throw routes in table 220 wouldn't have any effect). We could let it install regular routes in the main table, but determining the physical interface would be tricky as the routes installed by NM, also in the main table, would conflict. So instead we let the kernel-netlink interface install routes via XFRM interface and to avoid routing the IKE traffic that way, we set a mark on the IKE socket and exclude traffic with that mark from our routing table.