connmark: Add CONNMARK rules to select correct output SA based on conntrack
author: Martin Willi <martin@revosec.ch>
Fri, 14 Nov 2014 11:57:53 +0000 (12:57 +0100)
committer: Martin Willi <martin@revosec.ch>
Fri, 20 Feb 2015 15:34:53 +0000 (16:34 +0100)
commit: b8973b2661310059f80f2e440cb96cc59b491084
tree: 35ed82cfda53aa42a30154234ef9b636d1eeeb31
parent: e1fe2781b04be677ec8245ab51d0aee4f1e4b1c4
connmark: Add CONNMARK rules to select correct output SA based on conntrack

Currently supports transport mode connections using IPv4 only, and requires
a unique mark configured on the connection.

To select the correct outbound SA when multiple connections match (i.e.
multiple peers connected from the same IP address / NAT router) marks must be
configured. This mark should usually be unique, which can be configured in
ipsec.conf using mark=0xffffffff.

The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow
is tagged with the assigned mark as connmark. On the return path, the mark
gets restored from the conntrack entry to select the correct outbound SA.
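The rule pair the commit message describes, written out as an added example that is not the plugin's own code (that lives in connmark_listener.c): a shell function that emits, for one connection, the mangle-table rule tagging the peer-initiated flow's conntrack entry and the rule restoring that mark on the reply path. The chain names, the policy match on the inbound SPI, and all sample values (mark, SPI, peer address) are assumptions, not taken from the plugin.

```shell
#!/bin/sh
# Added example, not the connmark plugin's code. IPTABLES defaults to
# "echo iptables" so the rules are printed rather than applied; set
# IPTABLES=iptables to install them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# connmark_rules MARK SPI_IN PEER
#   MARK   : the unique mark assigned to this connection (what
#            mark=0xffffffff in ipsec.conf asks charon to allocate)
#   SPI_IN : SPI of this peer's inbound ESP SA (assumed discriminator;
#            several peers may share PEER behind one NAT router)
#   PEER   : outer IP address the peer's packets arrive from
connmark_rules() {
    mark="$1"; spi="$2"; peer="$3"

    # Inbound, transport mode: after ESP decapsulation the packet still
    # carries its IPsec policy, so match the SA it came from by SPI and
    # tag the conntrack entry of this peer-initiated flow with the mark.
    $IPTABLES -t mangle -A INPUT -s "$peer" \
        -m policy --dir in --pol ipsec --proto esp --spi "$spi" \
        -j CONNMARK --set-mark "$mark"

    # Outbound: copy the conntrack mark back onto the reply packet before
    # the XFRM lookup, so the SA configured with this mark is selected
    # instead of another peer's SA that also matches the same selectors.
    $IPTABLES -t mangle -A OUTPUT -d "$peer" \
        -m connmark --mark "$mark" \
        -j CONNMARK --restore-mark
}

# Sample values (constructed): mark 0x2a, inbound SPI 0xc0ffee, peer 203.0.113.7
connmark_rules 0x2a 0xc0ffee 203.0.113.7
```

Rules for further connections are appended the same way; the mark, not the peer address, is what keeps the outbound SAs apart.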
src/libcharon/plugins/connmark/Makefile.am
src/libcharon/plugins/connmark/connmark_listener.c [new file with mode: 0644]
src/libcharon/plugins/connmark/connmark_listener.h [new file with mode: 0644]
src/libcharon/plugins/connmark/connmark_plugin.c