Merge branch 'fwmarks'
author Tobias Brunner <tobias@strongswan.org>
Fri, 11 Oct 2013 13:33:06 +0000 (15:33 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 11 Oct 2013 13:33:06 +0000 (15:33 +0200)
commit 1ff63f153e5b551ee7ba0670ea4cc8b151432bc5
tree 432f90f9526f30af0df15963490ccebc2836f283
parent 6d7710a7441dbb3fb839f8c0d04e4c89fc595e3d
parent cd25d291f7fce92d1fe21f86c798bcb77f84b2f6
Merge branch 'fwmarks'

Allows setting a mark on outbound packets and the routing rule
installed by charon.  With those settings it is possible to set up
tunnels with kernel-libipsec where the remote peer is part of the remote
traffic selector.

The following example settings in strongswan.conf show how this can be
configured:

charon {
    plugins {
        kernel-netlink {
            fwmark = !0x42
        }
        socket-default {
            fwmark = 0x42
        }
        kernel-libipsec {
            allow_peer_ts = yes
        }
    }
}

To make it work it is necessary to set

  net.ipv4.conf.all.rp_filter

appropriately, otherwise the kernel drops the packets.

References #380.
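
A consistency check for the settings in the commit message above, as an added example that is not part of the commit or of strongSwan. The function names and the simplified line-based parser are hypothetical, and the rp_filter rule encodes an assumption the page does not state: that strict mode (1) is the value that makes the kernel drop the packets.

```python
import re
# Constructed sample: the strongswan.conf settings from the commit message.
SAMPLE = """charon {
    plugins {
        kernel-netlink {
            fwmark = !0x42
        }
        socket-default {
            fwmark = 0x42
        }
        kernel-libipsec {
            allow_peer_ts = yes
        }
    }
}"""

def parse_conf(text):
    """Flatten 'section { key = value }' nesting into dotted keys (simplified)."""
    path, out = [], {}
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            out[".".join(path + [key.strip()])] = value.strip()
    return out

def parse_mark(value):
    """Split '[!]mark[/mask]' into (inverted, mark, mask)."""
    m = re.fullmatch(r"(!?)(\w+)(?:/(\w+))?", value)
    if not m:
        raise ValueError(f"bad fwmark value: {value!r}")
    mask = int(m.group(3), 0) if m.group(3) else 0xFFFFFFFF
    return m.group(1) == "!", int(m.group(2), 0) & mask, mask

def check(conf, rp_all, rp_iface):
    """Return findings; an empty list means marks and rp_filter are consistent."""
    plugins, findings = "charon.plugins.", []
    inverted, rmark, rmask = parse_mark(conf[plugins + "kernel-netlink.fwmark"])
    smark = parse_mark(conf[plugins + "socket-default.fwmark"])[1]
    # The rule matches a packet iff ((mark & mask) == rule mark) XOR inverted.
    if ((smark & rmask) == rmark) != inverted:
        findings.append("routing rule does not exempt charon's marked packets")
    # Assumption (not on the page): strict (1) drops; kernel uses max(all, iface).
    if max(rp_all, rp_iface) == 1:
        findings.append("effective rp_filter is strict")
    return findings
```

Pass the values of `net.ipv4.conf.all.rp_filter` and the outbound interface's `rp_filter` as `rp_all` and `rp_iface`.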