RHEL-73052

VPN connections do not support ipv4.routing-rules settings [rhel-8.10.z]

    • NetworkManager-1.40.16-18.el8_10
    • No
    • Moderate
    • rhel-sst-network-management
    • ssg_networking
    • 3
    • False
    • Yes

      Given a system administrator configures a VPN connection in NetworkManager and specifies routing rules using `ipv4.routing-rules`,

      When the VPN connection is established,

      Then, NetworkManager should correctly apply the specified routing rules to the VPN connection so that the rules are reflected in the system's routing table

      Definition of Done:

      • The implementation meets the acceptance criteria
      • Integration tests are written and pass 
      • The code is part of a downstream build attached to an errata
    • Pass
    • Bug Fix
      .NetworkManager can mitigate the impact of CVE-2024-3661 (TunnelVision) in VPN connection profiles

      VPN connections rely on routes to redirect traffic through a tunnel. However, if a DHCP server uses the classless static route option (121) to add routes to a client's routing table, and the routes propagated by the DHCP server overlap with the VPN, traffic can be transmitted through the physical interface instead of the VPN. CVE-2024-3661 describes this vulnerability, which is also known as TunnelVision. As a consequence, an attacker can access traffic that the user expects to be protected by the VPN.

      On RHEL, this problem affects LibreSwan IPSec and WireGuard VPN connections. Only LibreSwan IPSec connections with profiles in which both the `ipsec-interface` and `vt-interface` properties are undefined or set to `no` are not affected.

      The link:https://access.redhat.com/security/cve/cve-2024-3661[CVE-2024-3661] document describes steps to mitigate the impact of TunnelVision by configuring VPN connection profiles to place the VPN routes in a dedicated routing table with a high priority. The steps work for both LibreSwan IPSec and WireGuard connections. However, to apply the mitigation steps to a LibreSwan IPSec connection profile, you must use NetworkManager 1.40.16-18 or later. On RHEL 8.10, this version is provided by the link:https://access.redhat.com/errata/RHSA-2025:0288[RHSA-2025:0288] advisory.
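The release note above states the mitigation in one sentence: put the VPN routes in a dedicated routing table and consult that table through a rule with a higher priority (lower number) than the main table, so DHCP option 121 routes in the main table can no longer win by longest-prefix match. The following Python script is an added illustration of that mechanism; it is not code from this issue, from NetworkManager, or from Red Hat. It models a simplified Linux policy-routing lookup (rules in ascending priority order, then longest prefix, then lowest metric within the winning table), parses the rule string from the reproduction steps of this issue, and compares where a packet egresses with and without the mitigation. The interface names (eth0, tun0), the TEST-NET addresses, the metrics and the host route to the VPN gateway are constructed assumptions; real kernels add route scopes, `suppress_prefixlength`, fwmark matching and more.

```python
"""Constructed model of Linux policy routing, used to show why the
TunnelVision mitigation moves VPN routes into a dedicated table that a
high-priority rule consults before the main table.  All addresses,
interface names and metrics are made up for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAIN_TABLE = 254  # kernel table id behind the name "main"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int = 100


@dataclass(frozen=True)
class Rule:
    priority: int
    table: int
    src: ipaddress.IPv4Network  # "from all" is represented as 0.0.0.0/0


def net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(text, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse the subset of nmcli ipv4.routing-rules syntax used in this
    issue: 'priority N from <cidr|all> table <id|main>'."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("rule keywords come in key/value pairs")
    priority = table = None
    src = net("0.0.0.0/0")
    for key, val in zip(tokens[0::2], tokens[1::2]):
        if key == "priority":
            priority = int(val)
        elif key == "from":
            src = net("0.0.0.0/0") if val == "all" else net(val)
        elif key == "table":
            table = MAIN_TABLE if val == "main" else int(val)
        else:
            raise ValueError(f"unsupported rule keyword: {key}")
    if priority is None or table is None:
        raise ValueError("rule needs both 'priority' and 'table'")
    return Rule(priority, table, src)


def lookup(dst: str, src: str, rules: List[Rule],
           tables: Dict[int, List[Route]]) -> Optional[str]:
    """Simplified FIB lookup: walk rules by ascending priority number; the
    first table holding a matching route wins, and inside that table the
    longest prefix, then the lowest metric, decides the egress device."""
    d, s = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if s not in rule.src:
            continue
        candidates = [r for r in tables.get(rule.table, []) if d in r.prefix]
        if candidates:
            best = min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))
            return best.dev
    return None  # no route: unreachable


# Constructed topology: eth0 is the DHCP-configured uplink, tun0 the VPN.
# The VPN default route has the better metric, but the DHCP server also
# pushed an option-121 route that overlaps the VPN's address space.
CLIENT_SRC = "192.0.2.10"
PHYSICAL_DEFAULT = Route(net("0.0.0.0/0"), "eth0", metric=100)
VPN_DEFAULT = Route(net("0.0.0.0/0"), "tun0", metric=50)
DHCP_OPTION_121 = Route(net("203.0.113.0/24"), "eth0", metric=100)
# Host route to the VPN gateway; it must be visible before the tunnel's
# default route catches the encapsulated packets (constructed address).
VPN_GATEWAY_HOST = Route(net("198.51.100.1/32"), "eth0", metric=100)
MAIN_RULE = Rule(32766, MAIN_TABLE, net("0.0.0.0/0"))  # the kernel's default rule


def egress_without_mitigation(dst: str = "203.0.113.5") -> Optional[str]:
    """Everything lives in the main table: the DHCP /24 beats the VPN /0."""
    tables = {MAIN_TABLE: [PHYSICAL_DEFAULT, DHCP_OPTION_121, VPN_DEFAULT]}
    return lookup(dst, CLIENT_SRC, [MAIN_RULE], tables)


def egress_with_mitigation(dst: str = "203.0.113.5") -> Optional[str]:
    """VPN routes sit in table 127 and the rule from this issue's reproduction
    step (priority 16383) consults that table before main, so the DHCP route
    is never reached for tunneled destinations."""
    vpn_rule = parse_rule("priority 16383 from all table 127")
    tables = {MAIN_TABLE: [PHYSICAL_DEFAULT, DHCP_OPTION_121],
              127: [VPN_DEFAULT, VPN_GATEWAY_HOST]}
    return lookup(dst, CLIENT_SRC, [MAIN_RULE, vpn_rule], tables)


if __name__ == "__main__":
    for dst in ("203.0.113.5", "192.0.2.200", "198.51.100.1"):
        print(dst, "unmitigated ->", egress_without_mitigation(dst),
              "| mitigated ->", egress_with_mitigation(dst))
```

Running the script shows the overlapped destination 203.0.113.5 leaving via eth0 in the unmitigated layout and via tun0 once the rule and dedicated table are in place, while the VPN gateway itself still resolves to the physical interface in both cases. The same `lookup` can be fed a dump of a real host's rules and tables to check a profile after applying the documented mitigation; the nmcli error reported in this issue is what prevented the `ipv4.routing-rules` part of that configuration on affected NetworkManager versions.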
    • Done

      What were you trying to do that didn't work?

      Configure routing rule for a VPN

      What is the impact of this issue to you?

      it blocks the TunnelVision mitigation.

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. nmcli con modify vpn ipv4.routing-rules  "priority 16383 from all table 127"

      Expected results

      VPN profile is updated to use routing rule

      Actual results

      misleading error message:


      Error: invalid property 'routing-rules ': 'routing-rules ' not among [method, dns, dns-search, dns-options, dns-priority, addresses, gateway, routes, route-metric, route-table, routing-rules, replace-local-rule, dhcp-send-release, routed-dns, ignore-auto-routes, ignore-auto-dns, dhcp-client-id, dhcp-iaid, dhcp-dscp, dhcp-timeout, dhcp-send-hostname-deprecated, dhcp-send-hostname, dhcp-hostname, dhcp-fqdn, dhcp-hostname-flags, never-default, may-fail, required-timeout, dad-timeout, dhcp-vendor-class-identifier, dhcp-ipv6-only-preferred, link-local, dhcp-reject-servers, auto-route-ext-gw].

              Stanislas Faye (rh-ee-sfaye)
              Till Maas (timaas@redhat.com)
              Network Management Team
              Vladimir Benes
              Marc Muehlfeld