configuration of different marks for inbound and outbound direction
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 9 Jul 2010 07:06:02 +0000 (09:06 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 9 Jul 2010 07:06:07 +0000 (09:06 +0200)
17 files changed:
src/libcharon/config/child_cfg.c
src/libcharon/config/child_cfg.h
src/libcharon/plugins/android/android_service.c
src/libcharon/plugins/ha/ha_tunnel.c
src/libcharon/plugins/load_tester/load_tester_config.c
src/libcharon/plugins/medcli/medcli_config.c
src/libcharon/plugins/nm/nm_service.c
src/libcharon/plugins/sql/sql_config.c
src/libcharon/plugins/stroke/stroke_config.c
src/libcharon/plugins/uci/uci_config.c
src/starter/args.c
src/starter/confread.c
src/starter/confread.h
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterstroke.c
src/stroke/stroke_msg.h

index d3f688a..70f38b2 100644 (file)
@@ -539,7 +539,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
                                                          ipsec_mode_t mode, action_t dpd_action,
                                                          action_t close_action, bool ipcomp,
                                                          u_int32_t inactivity, u_int32_t reqid,
-                                                         mark_t *mark)
+                                                         mark_t *mark_in, mark_t *mark_out)
 {
        private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
 
@@ -576,16 +576,21 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
        this->inactivity = inactivity;
        this->reqid = reqid;
 
-       /* TODO configure separate inbound and outbound marks */
-       if (mark)
+       if (mark_in)
        {
-               this->mark_in  = *mark;
-               this->mark_out = *mark;
+               this->mark_in = *mark_in;
+       }
+       else
+       {
+               this->mark_in.value = 0;
+               this->mark_in.mask  = 0;
+       }
+       if (mark_out)
+       {
+               this->mark_out = *mark_out;
        }
        else
        {
-               this->mark_in.value  = 0;
-               this->mark_in.mask   = 0;
                this->mark_out.value = 0;
                this->mark_out.mask  = 0;
        }
index a401918..d34835e 100644 (file)
@@ -326,7 +326,8 @@ struct child_cfg_t {
  * @param ipcomp                       use IPComp, if peer supports it
  * @param inactivity           inactivity timeout in s before closing a CHILD_SA
  * @param reqid                                specific reqid to use for CHILD_SA, 0 for auto assign
- * @param mark                         optional mark (can be NULL)
+ * @param mark_in                      optional inbound mark (can be NULL)
+ * @param mark_out                     optional outbound mark (can be NULL)
  * @return                                     child_cfg_t object
  */
 child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
@@ -334,6 +335,6 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
                                                          ipsec_mode_t mode, action_t dpd_action,
                                                          action_t close_action, bool ipcomp,
                                                          u_int32_t inactivity, u_int32_t reqid,
-                                                         mark_t *mark);
+                                                         mark_t *mark_in, mark_t *mark_out);
 
 #endif /** CHILD_CFG_H_ @}*/
index 80d068c..538c4a9 100644 (file)
@@ -291,7 +291,8 @@ static job_requeue_t initiate(private_android_service_t *this)
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
        child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
-                                                                ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+                                                                ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+                                                                NULL, NULL);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        ts = traffic_selector_create_dynamic(0, 0, 65535);
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
index e2807c0..89daa4f 100644 (file)
@@ -234,7 +234,8 @@ static void setup_tunnel(private_ha_tunnel_t *this,
        peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
 
        child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
-                                                                ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+                                                                ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+                                                                NULL, NULL);
        ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
        ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
index 528c9a3..a230aa3 100644 (file)
@@ -223,8 +223,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
                generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
        }
 
-       child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
-                                       MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+       child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
+                                                                ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+                                                                NULL, NULL);
        proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
        child_cfg->add_proposal(child_cfg, proposal);
        ts = traffic_selector_create_dynamic(0, 0, 65535);
index e574910..6cbaf36 100644 (file)
@@ -182,7 +182,8 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
        child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-                                                                ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+                                                                ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+                                                                NULL, NULL);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
        child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
@@ -260,7 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
        this->current->add_auth_cfg(this->current, auth, FALSE);
 
        child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-                                                                ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+                                                                ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+                                                                NULL, NULL);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
        child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
index 20e6c15..07318bb 100644 (file)
@@ -444,7 +444,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 
        child_cfg = child_cfg_create(priv->name, &lifetime,
                                                                 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
-                                                                ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, NULL);
+                                                                ACTION_NONE, ACTION_NONE, ipcomp, 0, 0,
+                                                                NULL, NULL);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
        ts = traffic_selector_create_dynamic(0, 0, 65535);
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
index d9964ce..a47d93f 100644 (file)
@@ -134,7 +134,7 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
                        .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
                };
                child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
-                                                                        dpd, close, ipcomp, 0, 0, NULL);
+                                                                        dpd, close, ipcomp, 0, 0, NULL, NULL);
                /* TODO: read proposal from db */
                child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
                add_traffic_selectors(this, child_cfg, id);
index ded7ac4..4697e5f 100644 (file)
@@ -768,9 +768,13 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                        .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
                }
        };
-       mark_t mark = {
-               .value = msg->add_conn.mark.value,
-               .mask = msg->add_conn.mark.mask
+       mark_t mark_in = {
+               .value = msg->add_conn.mark_in.value,
+               .mask = msg->add_conn.mark_in.mask
+       };
+       mark_t mark_out = {
+               .value = msg->add_conn.mark_out.value,
+               .mask = msg->add_conn.mark_out.mask
        };
 
        switch (msg->add_conn.dpd.action)
@@ -790,7 +794,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                                msg->add_conn.name, &lifetime,
                                msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
                                msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
-                               msg->add_conn.inactivity, msg->add_conn.reqid, &mark);
+                               msg->add_conn.inactivity, msg->add_conn.reqid,
+                               &mark_in, &mark_out);
        child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
                                                                                        msg->add_conn.install_policy);
        add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
index ba93d87..ddddae7 100644 (file)
@@ -196,7 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
                this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
 
                child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
-                                                                        ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
+                                                                        ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+                                                                        NULL, NULL);
                child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
                child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
                child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
index 4fe9c9d..ab6b605 100644 (file)
@@ -236,6 +236,8 @@ static const token_info_t token_info[] =
        { ARG_STR,  offsetof(starter_conn_t, me_peerid), NULL                          },
        { ARG_UINT, offsetof(starter_conn_t, reqid), NULL                              },
        { ARG_MISC, 0, NULL  /* KW_MARK */                                             },
+       { ARG_MISC, 0, NULL  /* KW_MARK_IN */                                          },
+       { ARG_MISC, 0, NULL  /* KW_MARK_OUT */                                         },
 
        /* ca section keywords */
        { ARG_STR,  offsetof(starter_ca_t, name), NULL                                 },
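Review bot: The position of the two new `ARG_MISC` rows is load-bearing but undocumented: token_info appears to be indexed by the keyword enum in keywords.h, so these rows must sit exactly where `KW_MARK_IN` and `KW_MARK_OUT` sit in that enum, and nothing at the table says so. A one-line comment above the table, `/* order must match the keyword enum in keywords.h */`, would protect the next person who adds a conn keyword. The table definition starts outside the hunk.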
index 6ebdaf5..399e178 100644 (file)
@@ -461,6 +461,41 @@ static void handle_firewall(const char *label, starter_end_t *end,
        }
 }
 
+static bool handle_mark(char *value, mark_t *mark)     
+{
+       char *pos, *endptr;
+
+       pos = strchr(value, '/');
+       if (pos)
+       {
+               *pos = '\0';
+               mark->mask = strtoul(pos+1, &endptr, 0);
+               if (*endptr != '\0')
+               {
+                       plog("# invalid mark mask: %s", pos+1);
+                       return FALSE;
+               }
+       }
+       else
+       {
+               mark->mask = 0xffffffff;
+       }
+       if (value == '\0')
+       {
+               mark->value = 0;
+       }
+       else
+       {
+               mark->value = strtoul(value, &endptr, 0);
+               if (*endptr != '\0')
+               {
+                       plog("# invalid mark value: %s", value);
+                       return FALSE;
+               }
+       }
+       return TRUE;
+}
+
 /*
  * parse a conn section
  */
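Review bot: `if (value == '\0')` in handle_mark compares the pointer itself with zero, so the empty-value branch that the old inline code had (`*kw->value == '\0'`) is never taken; the intended test is `if (*value == '\0')`. The bug is silent only because strtoul("") returns 0 and leaves endptr at the terminator, so an empty mark still ends up as 0. strtoul also accepts leading whitespace and a sign, and on platforms where unsigned long is 64-bit a value above 0xffffffff is silently truncated when stored in the u_int32_t fields, so after each call consider rejecting the input when the result exceeds UINT32_MAX or errno is ERANGE (clearing errno before the call). The signature line `static bool handle_mark(char *value, mark_t *mark)` also carries trailing whitespace.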
@@ -672,40 +707,25 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
                        break;
                }
                case KW_MARK:
-               {
-                       char *pos, *endptr;
-
-                       pos = strchr(kw->value, '/');
-                       if (pos)
+                       if (!handle_mark(kw->value, &conn->mark_in))
                        {
-                               *pos = '\0';
-                               conn->mark_mask = strtoul(pos+1, &endptr, 0);
-                               if (*endptr != '\0')
-                               {
-                                       plog("# invalid mark mask: %s", pos+1);
-                                       cfg->err++;
-                                       break;
-                               }
-                       }
-                       else
-                       {
-                               conn->mark_mask = 0xffffffff;
+                               cfg->err++;
+                               break;
                        }
-                       if (*kw->value == '\0')
+                       conn->mark_out = conn->mark_in;
+                       break;
+               case KW_MARK_IN:
+                       if (!handle_mark(kw->value, &conn->mark_in))
                        {
-                               conn->mark_value = 0;
+                               cfg->err++;
                        }
-                       else
+                       break;
+               case KW_MARK_OUT:
+                       if (!handle_mark(kw->value, &conn->mark_out))
                        {
-                               conn->mark_value = strtoul(kw->value, &endptr, 0);
-                               if (*endptr != '\0')
-                               {
-                                       plog("# invalid mark value: %s", kw->value);
-                                       cfg->err++;
-                               }
+                               cfg->err++;
                        }
                        break;
-               }
                case KW_KEYINGTRIES:
                        if (streq(kw->value, "%forever"))
                        {
index ada155d..5e4356e 100644 (file)
@@ -95,6 +95,13 @@ struct also {
                also_t          *next;
 };
 
+typedef struct mark_t mark_t;
+
+struct mark_t{
+               u_int32_t value;
+               u_int32_t mask;
+};
+
 typedef struct starter_conn starter_conn_t;
 
 struct starter_conn {
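Review bot: The new `struct mark_t{` is formatted differently from the surrounding declarations: there is no space before the opening brace and its members are indented one level deeper than those of `struct also` and `struct starter_conn`, so `struct mark_t {` with members at the same indent as the neighbouring structs would match the file. A `mark_t` type with the same two fields already exists on the libcharon side (child_cfg.c takes `mark_t *`); starter and libcharon appear to be separate programs, so this is presumably harmless, but a short comment such as `/* mirrors libcharon's mark_t; starter does not include its headers */` would record the intentional duplication for whoever later includes both.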
@@ -122,8 +129,8 @@ struct starter_conn {
                unsigned long   sa_keying_tries;
                unsigned long   sa_rekey_fuzz;
                u_int32_t       reqid;
-               u_int32_t               mark_value;
-               u_int32_t               mark_mask;
+               mark_t                  mark_in;
+               mark_t                  mark_out;
                sa_family_t     addr_family;
                sa_family_t     tunnel_addr_family;
                bool            install_policy;
index ea702fd..25d2ce4 100644 (file)
@@ -99,9 +99,11 @@ typedef enum {
        KW_ME_PEERID,
        KW_REQID,
        KW_MARK,
+       KW_MARK_IN,
+       KW_MARK_OUT,
 
 #define KW_CONN_FIRST   KW_CONN_SETUP
-#define KW_CONN_LAST    KW_MARK
+#define KW_CONN_LAST    KW_MARK_OUT
 
    /* ca section keywords */
        KW_CA_NAME,
index a9d2af4..fcdc60c 100644 (file)
@@ -90,6 +90,8 @@ mediated_by,       KW_MEDIATED_BY
 me_peerid,         KW_ME_PEERID
 reqid,             KW_REQID
 mark,              KW_MARK
+mark_in,           KW_MARK_IN
+mark_out,          KW_MARK_OUT
 cacert,            KW_CACERT
 ldaphost,          KW_LDAPHOST
 ldapbase,          KW_LDAPBASE
index 475f07c..9c69ab9 100644 (file)
@@ -270,8 +270,10 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
        msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
        msg.add_conn.reqid = conn->reqid;
-       msg.add_conn.mark.value = conn->mark_value;
-       msg.add_conn.mark.mask = conn->mark_mask;
+       msg.add_conn.mark_in.value = conn->mark_in.value;
+       msg.add_conn.mark_in.mask = conn->mark_in.mask;
+       msg.add_conn.mark_out.value = conn->mark_out.value;
+       msg.add_conn.mark_out.mask = conn->mark_out.mask;
 
        starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
        starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
index e33737b..a36cc90 100644 (file)
@@ -259,7 +259,7 @@ struct stroke_msg_t {
                        struct {
                                u_int32_t value;
                                u_int32_t mask;
-                       } mark;
+                       } mark_in, mark_out;
                        stroke_end_t me, other;
                } add_conn;