vici: Make interface ID configurable
authorTobias Brunner <tobias@strongswan.org>
Tue, 12 Feb 2019 11:10:06 +0000 (12:10 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 3 Apr 2019 10:00:08 +0000 (12:00 +0200)
src/libcharon/plugins/vici/vici_config.c
src/swanctl/swanctl.opt

index f1ddde1..5750d87 100644 (file)
@@ -528,6 +528,8 @@ static void log_child_data(child_data_t *data, char *name)
        DBG2(DBG_CFG, "   tfc = %d", cfg->tfc);
        DBG2(DBG_CFG, "   priority = %d", cfg->priority);
        DBG2(DBG_CFG, "   interface = %s", cfg->interface);
+       DBG2(DBG_CFG, "   if_id_in = %u", cfg->if_id_in);
+       DBG2(DBG_CFG, "   if_id_out = %u", cfg->if_id_out);
        DBG2(DBG_CFG, "   mark_in = %u/%u",
                 cfg->mark_in.value, cfg->mark_in.mask);
        DBG2(DBG_CFG, "   mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
@@ -1221,6 +1223,21 @@ CALLBACK(parse_set_mark, bool,
 }
 
 /**
+ * Parse interface ID
+ */
+CALLBACK(parse_if_id, bool,
+       uint32_t *out, chunk_t v)
+{
+       char buf[32];
+
+       if (!vici_stringify(v, buf, sizeof(buf)))
+       {
+               return FALSE;
+       }
+       return if_id_from_string(buf, out);
+}
+
+/**
  * Parse TFC padding option
  */
 CALLBACK(parse_tfc, bool,
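Review bot: The header comment on parse_if_id only says "Parse interface ID" and does not tell a reader what string forms the callback accepts or what it writes through `out`; the swanctl.opt hunk in this same commit documents the numeric form plus the special values `%unique` and `%unique-dir`, which if_id_from_string presumably handles, so the comment should state that contract and that `out` is left untouched when the function returns FALSE (the latter needs confirming against if_id_from_string). Suggested replacement for the three comment lines: `/** Parse an XFRM interface ID: a plain number or one of the special values %unique / %unique-dir (see swanctl.opt); returns FALSE if the value does not fit the stringify buffer or is not a valid ID. */`. The 32-byte stack buffer is sufficient for any 32-bit decimal and for the longest special value, so no change to the code itself is needed. parse_tfc, whose signature starts on the hunk's last line, continues outside the hunk.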
@@ -1688,6 +1705,8 @@ CALLBACK(child_kv, bool,
                { "copy_df",                    parse_opt_copy_df,      &child->cfg.options                                     },
                { "copy_ecn",                   parse_opt_copy_ecn,     &child->cfg.options                                     },
                { "copy_dscp",                  parse_copy_dscp,        &child->cfg.copy_dscp                           },
+               { "if_id_in",                   parse_if_id,            &child->cfg.if_id_in                            },
+               { "if_id_out",                  parse_if_id,            &child->cfg.if_id_out                           },
        };
 
        return parse_rules(rules, countof(rules), name, value,
index 7c71548..3f27fee 100644 (file)
@@ -916,6 +916,24 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
        An additional mask may be appended to the mark, separated by _/_. The
        default mask if omitted is 0xffffffff.
 
+connections.<conn>.children.<child>.if_id_in = 0
+       Inbound XFRM interface ID.
+
+       XFRM interface ID set on inbound policies/SA. This allows installing
+       duplicate policies/SAs and associates them with an interface with the same
+       ID. The special value _%unique_ sets a unique interface ID on each CHILD_SA
+       instance, beyond that the value _%unique-dir_ assigns a different unique
+       interface ID for each CHILD_SA direction (in/out).
+
+connections.<conn>.children.<child>.if_id_out = 0
+       Outbound XFRM interface ID.
+
+       XFRM interface ID set on outbound policies/SA. This allows installing
+       duplicate policies/SAs and associates them with an interface with the same
+       ID. The special value _%unique_ sets a unique interface ID on each CHILD_SA
+       instance, beyond that the value _%unique-dir_ assigns a different unique
+       interface ID for each CHILD_SA direction (in/out).
+
 connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
        Netfilter mark applied to packets after the inbound IPsec SA processed them.