+ /* Packets from the host (client==NULL) may always be routed. Packets
+ from clients with the allow_route option will also be routed. */
+ if (!client || (client && (client->options & OPT_ALLOWROUTE)))
+ allow_route=True;
+
+ /* If !allow_route, we check the routing table anyway, and if
+ there's a suitable route with OPT_ALLOWROUTE set we use it. If
+ there's a suitable route, but none with OPT_ALLOWROUTE set then
+ we generate ICMP 'communication with destination network
+ administratively prohibited'. */
+
+ best_quality=0;
+ best_match=-1;
+ for (i=0; i<st->n_clients; i++) {
+ if (st->routes[i]->up &&
+ ipset_contains_addr(st->routes[i]->networks,dest)) {
+ /* It's an available route to the correct destination. But is
+ it better than the one we already have? */
+
+ /* If we have already found an allowed route then we don't
+ bother looking at routes we're not allowed to use. If
+ we don't yet have an allowed route we'll consider any. */
+ if (!allow_route && found_allowed) {
+ if (!(st->routes[i]->options&OPT_ALLOWROUTE)) continue;
+ }
+
+ if (st->routes[i]->link_quality>best_quality
+ || best_quality==0) {
+ best_quality=st->routes[i]->link_quality;
+ best_match=i;
+ if (st->routes[i]->options&OPT_ALLOWROUTE)
+ found_allowed=True;
+ /* If quality isn't perfect we may wish to
+ consider kicking the tunnel with a 0-length
+ packet to prompt it to perform a key setup.
+ Then it'll eventually decide it's up or
+ down. */
+ /* If quality is perfect and we're allowed to use the
+ route we don't need to search any more. */
+ if (best_quality>=MAXIMUM_LINK_QUALITY &&
+ (allow_route || found_allowed)) break;
+ }
+ }
+ }
+ if (best_match==-1) {
+ /* The packet's not going down a tunnel. It might (ought to)
+ be for the host. */
+ if (ipset_contains_addr(st->networks,dest)) {
+ st->deliver_to_host(st->dst,buf);
+ st->outcount++;
+ BUF_ASSERT_FREE(buf);
+ } else {
+ string_t s,d;
+ s=ipaddr_to_string(source);
+ d=ipaddr_to_string(dest);
+ Message(M_DEBUG,"%s: don't know where to deliver packet "
+ "(s=%s, d=%s)\n", st->name, s, d);
+ free(s); free(d);
+ netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
+ ICMP_CODE_NET_UNREACHABLE);
+ BUF_FREE(buf);
+ }
+ } else {
+ if (!allow_route &&
+ !(st->routes[best_match]->options&OPT_ALLOWROUTE)) {
+ string_t s,d;
+ s=ipaddr_to_string(source);
+ d=ipaddr_to_string(dest);
+ /* We have a usable route but aren't allowed to use it.
+ Generate ICMP destination unreachable: communication
+ with destination network administratively prohibited */
+ Message(M_NOTICE,"%s: denied forwarding for packet (s=%s, d=%s)\n",
+ st->name,s,d);
+ free(s); free(d);
+
+ netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
+ ICMP_CODE_NET_PROHIBITED);
+ BUF_FREE(buf);
+ } else {
+ if (best_quality>0) {
+ /* XXX Fragment if required */
+ st->routes[best_match]->deliver(
+ st->routes[best_match]->dst, buf);
+ st->routes[best_match]->outcount++;